mockforge-http 0.3.116

HTTP/REST protocol support for MockForge
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290

//! Authentication middleware
//!
//! This module provides the Axum middleware for handling authentication
//! across HTTP requests.

use axum::body::Body;
use axum::http::header::HeaderValue;
use axum::http::{Request, StatusCode};
use axum::{extract::State, middleware::Next, response::Response};
use tracing::{debug, error, warn};

use super::authenticator::authenticate_request;
use super::state::AuthState;
use super::types::AuthResult;
use mockforge_core::security::{
    emit_security_event, EventActor, EventOutcome, EventTarget, SecurityEvent, SecurityEventType,
};

/// Authentication middleware function
pub async fn auth_middleware(
    State(state): State<AuthState>,
    req: Request<Body>,
    next: Next,
) -> Response {
    let path = req.uri().path().to_string();
    let _method = req.method().clone();

    // Skip authentication for health checks and admin endpoints
    if path.starts_with("/health") || path.starts_with("/__mockforge") {
        return next.run(req).await;
    }

    // Extract authentication information from request
    let auth_header = req
        .headers()
        .get("authorization")
        .and_then(|h| h.to_str().ok())
        .map(|s| s.to_string());

    let api_key_header = req
        .headers()
        .get(
            state
                .config
                .api_key
                .as_ref()
                .map(|c| c.header_name.clone())
                .unwrap_or_else(|| "X-API-Key".to_string()),
        )
        .and_then(|h| h.to_str().ok())
        .map(|s| s.to_string());

    let api_key_query = req.uri().query().and_then(|q| {
        state
            .config
            .api_key
            .as_ref()
            .and_then(|c| c.query_name.as_ref())
            .and_then(|param| {
                url::form_urlencoded::parse(q.as_bytes())
                    .find(|(k, _)| k == param)
                    .map(|(_, v)| v.to_string())
            })
    });

    // Extract IP address and user agent for security events
    let ip_address = req
        .headers()
        .get("x-forwarded-for")
        .or_else(|| req.headers().get("x-real-ip"))
        .and_then(|h| h.to_str().ok())
        .map(|s| s.to_string())
        .or_else(|| {
            req.extensions()
                .get::<axum::extract::ConnectInfo<std::net::SocketAddr>>()
                .map(|addr| addr.ip().to_string())
        });

    let user_agent = req
        .headers()
        .get("user-agent")
        .and_then(|h| h.to_str().ok())
        .map(|s| s.to_string());

    // Try to authenticate using various methods
    let auth_result =
        authenticate_request(&state, &auth_header, &api_key_header, &api_key_query).await;

    match auth_result {
        AuthResult::Success(claims) => {
            debug!("Authentication successful for user: {:?}", claims.sub);

            // Emit security event for successful authentication
            let event = SecurityEvent::new(SecurityEventType::AuthSuccess, None, None)
                .with_actor(EventActor {
                    user_id: claims.sub.clone(),
                    username: claims.sub.clone(),
                    ip_address: ip_address.clone(),
                    user_agent: user_agent.clone(),
                })
                .with_target(EventTarget {
                    resource_type: Some("api".to_string()),
                    resource_id: Some(path.clone()),
                    method: Some(req.method().to_string()),
                })
                .with_outcome(EventOutcome {
                    success: true,
                    reason: None,
                })
                .with_metadata("auth_method".to_string(), serde_json::json!("jwt"));
            emit_security_event(event).await;

            // Add claims to request extensions for downstream handlers
            // Wrap in Extension for Axum extractor compatibility
            use axum::extract::Extension;
            let mut req = req;
            req.extensions_mut().insert(Extension(claims));
            next.run(req).await
        }
        AuthResult::Failure(reason) => {
            warn!("Authentication failed: {}", reason);

            // Emit security event for authentication failure
            let event = SecurityEvent::new(SecurityEventType::AuthFailure, None, None)
                .with_actor(EventActor {
                    user_id: None,
                    username: auth_header
                        .as_ref()
                        .and_then(|h| h.strip_prefix("Bearer "))
                        .or_else(|| auth_header.as_ref().and_then(|h| h.strip_prefix("Basic ")))
                        .map(|s| s.to_string()),
                    ip_address: ip_address.clone(),
                    user_agent: user_agent.clone(),
                })
                .with_target(EventTarget {
                    resource_type: Some("api".to_string()),
                    resource_id: Some(path.clone()),
                    method: Some(req.method().to_string()),
                })
                .with_outcome(EventOutcome {
                    success: false,
                    reason: Some(reason.clone()),
                })
                .with_metadata("failure_reason".to_string(), serde_json::json!(reason));
            emit_security_event(event).await;
            let mut res = Response::new(Body::from(
                serde_json::json!({
                    "error": "Authentication failed",
                    "message": reason
                })
                .to_string(),
            ));
            *res.status_mut() = StatusCode::UNAUTHORIZED;
            res.headers_mut().insert("www-authenticate", HeaderValue::from_static("Bearer"));
            res
        }
        AuthResult::NetworkError(reason) => {
            error!("Authentication network error: {}", reason);
            let mut res = Response::new(Body::from(
                serde_json::json!({
                    "error": "Authentication service unavailable",
                    "message": "Unable to verify token due to network issues"
                })
                .to_string(),
            ));
            *res.status_mut() = StatusCode::SERVICE_UNAVAILABLE;
            res
        }
        AuthResult::ServerError(reason) => {
            error!("Authentication server error: {}", reason);
            let mut res = Response::new(Body::from(
                serde_json::json!({
                    "error": "Authentication service error",
                    "message": "Unable to verify token due to server issues"
                })
                .to_string(),
            ));
            *res.status_mut() = StatusCode::BAD_GATEWAY;
            res
        }
        AuthResult::TokenExpired => {
            warn!("Token expired");

            // Emit security event for token expiration
            let event = SecurityEvent::new(SecurityEventType::AuthTokenExpired, None, None)
                .with_actor(EventActor {
                    user_id: None,
                    username: None,
                    ip_address: ip_address.clone(),
                    user_agent: user_agent.clone(),
                })
                .with_target(EventTarget {
                    resource_type: Some("api".to_string()),
                    resource_id: Some(path.clone()),
                    method: Some(req.method().to_string()),
                })
                .with_outcome(EventOutcome {
                    success: false,
                    reason: Some("Token expired".to_string()),
                });
            emit_security_event(event).await;
            let mut res = Response::new(Body::from(
                serde_json::json!({
                    "error": "Token expired",
                    "message": "The provided token has expired"
                })
                .to_string(),
            ));
            *res.status_mut() = StatusCode::UNAUTHORIZED;
            res.headers_mut().insert(
                "www-authenticate",
                HeaderValue::from_static(
                    "Bearer error=\"invalid_token\", error_description=\"The token has expired\"",
                ),
            );
            res
        }
        AuthResult::TokenInvalid(reason) => {
            warn!("Token invalid: {}", reason);

            // Emit security event for invalid token
            let event = SecurityEvent::new(SecurityEventType::AuthFailure, None, None)
                .with_actor(EventActor {
                    user_id: None,
                    username: None,
                    ip_address: ip_address.clone(),
                    user_agent: user_agent.clone(),
                })
                .with_target(EventTarget {
                    resource_type: Some("api".to_string()),
                    resource_id: Some(path.clone()),
                    method: Some(req.method().to_string()),
                })
                .with_outcome(EventOutcome {
                    success: false,
                    reason: Some(format!("Invalid token: {}", reason)),
                })
                .with_metadata("token_invalid".to_string(), serde_json::json!(true));
            emit_security_event(event).await;
            let mut res = Response::new(Body::from(
                serde_json::json!({
                    "error": "Invalid token",
                    "message": reason
                })
                .to_string(),
            ));
            *res.status_mut() = StatusCode::UNAUTHORIZED;
            res.headers_mut().insert(
                "www-authenticate",
                HeaderValue::from_static("Bearer error=\"invalid_token\""),
            );
            res
        }
        AuthResult::None => {
            if state.config.require_auth {
                // Emit security event for missing authentication
                let event = SecurityEvent::new(SecurityEventType::AuthzAccessDenied, None, None)
                    .with_actor(EventActor {
                        user_id: None,
                        username: None,
                        ip_address: ip_address.clone(),
                        user_agent: user_agent.clone(),
                    })
                    .with_target(EventTarget {
                        resource_type: Some("api".to_string()),
                        resource_id: Some(path.clone()),
                        method: Some(req.method().to_string()),
                    })
                    .with_outcome(EventOutcome {
                        success: false,
                        reason: Some("Authentication required but not provided".to_string()),
                    });
                emit_security_event(event).await;

                let mut res = Response::new(Body::from(
                    serde_json::json!({
                        "error": "Authentication required"
                    })
                    .to_string(),
                ));
                *res.status_mut() = StatusCode::UNAUTHORIZED;
                res.headers_mut().insert("www-authenticate", HeaderValue::from_static("Bearer"));
                res
            } else {
                debug!("No authentication provided, proceeding without auth");
                next.run(req).await
            }
        }
    }
}