//! `/debug/schema` handler auth-gate helpers.
//!
//! This module isolates request authorization policy for the debug-schema
//! handler so handler orchestration remains focused on flow control.

use actix_web::{HttpRequest, HttpResponse};

use crate::AppState;

use super::context_auth::authorize_schema_read;

/// Auth gate for `/debug/schema`: decides whether `req` may proceed to the handler.
///
/// The whole decision is delegated to `authorize_schema_read`, called with `None`
/// as its third argument; this wrapper adds no policy of its own.
/// NOTE(review): the meaning of that `None` is defined in `context_auth` and is not
/// visible here — confirm it does not relax the check for this debug endpoint.
///
/// # Errors
///
/// Returns the `HttpResponse` produced by `authorize_schema_read` when the request
/// is refused. The tests in this module pin the missing-key case to
/// `401 Unauthorized`. Callers should send that response back unchanged and build
/// no schema output until this function has returned `Ok(())`.
pub(super) async fn authorize_debug_schema_request(
    req: &HttpRequest,
    app_state: &AppState,
) -> Result<(), HttpResponse> {
    // A refusal short-circuits here and carries the ready-made error response out.
    authorize_schema_read(req, app_state, None).await?;
    Ok(())
}

#[cfg(test)]
mod tests {
    use actix_web::{http::StatusCode, test::TestRequest};

    use super::*;
    use crate::api::schema::debug_response_test_helpers::{
        assert_error_payload_for_tests, response_json_for_tests,
    };
    use crate::test_support::{ATHENA_TEST_ADMIN_KEY, AthAdminKeyGuard};

    // NOTE(review): the two cases below cover "no key" and "correct key" only.
    // A request that carries an `x-athena-key` header with a wrong value is not
    // exercised here; that negative case is worth pinning so a regression in key
    // comparison cannot pass this suite unnoticed.

    /// A request without the `x-athena-key` header is refused with `401` and the
    /// stable authentication error envelope.
    #[actix_web::test]
    async fn auth_gate_rejects_missing_admin_key_with_unauthorized_envelope() {
        // Held until the end of the test; presumably installs the test admin key
        // for that duration — verify in `test_support`.
        let _admin = AthAdminKeyGuard::new();
        let anonymous = TestRequest::get().uri("/debug/schema").to_http_request();
        let state = AppState::default();

        let rejection = authorize_debug_schema_request(&anonymous, &state)
            .await
            .expect_err("request without admin key should be rejected");
        assert_eq!(rejection.status(), StatusCode::UNAUTHORIZED);

        // The same label is used for body extraction and for the payload check.
        let context = "auth-gate unauthorized envelope";
        let payload = response_json_for_tests(rejection, context).await;
        assert_error_payload_for_tests(
            &payload,
            "Authentication required",
            &["Invalid or missing API key"],
            context,
        );
    }

    /// A request presenting the test admin key in `x-athena-key` passes the gate.
    #[actix_web::test]
    async fn auth_gate_allows_valid_admin_key() {
        // Guard must outlive the authorization call below.
        let _admin = AthAdminKeyGuard::new();
        let keyed = TestRequest::get()
            .uri("/debug/schema")
            .insert_header(("x-athena-key", ATHENA_TEST_ADMIN_KEY))
            .to_http_request();
        let state = AppState::default();

        assert!(
            authorize_debug_schema_request(&keyed, &state).await.is_ok(),
            "request with valid admin key should be authorized"
        );
    }
}