1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
//! Router-level authentication gate (AAASM-3125).
//!
//! Historically every protected handler had to opt in to authentication by
//! declaring an `AuthenticatedCaller` / `RequireScope` extractor. Handlers
//! that forgot to do so (e.g. the alert-rule CRUD endpoints, AAASM-3129)
//! silently shipped unauthenticated. This module provides a single
//! deny-by-default [`require_authentication`] middleware that is applied as a
//! `route_layer` over the protected sub-router in the consuming service's
//! router, so a new route is authenticated unless it is explicitly mounted on
//! the public router.
//!
//! The gate reuses the existing [`AuthenticatedCaller`] extractor, so it
//! honours `AuthMode::Off` (bypass) and the API-key / JWT validation and
//! per-key rate-limit logic exactly as the per-handler extractors do.
use ;
use Next;
use ;
use Parts;
use crateAuthenticatedCaller;
/// Deny-by-default authentication middleware.
///
/// Resolves [`AuthenticatedCaller`] from the request parts. On success the
/// request proceeds to the inner service; on failure the [`AuthError`] is
/// rendered (401 / 403 / 429) and the inner handler is never reached.
///
/// [`AuthError`]: crate::AuthError
pub async