Skip to main content

build_router_with_audit

Function build_router_with_audit 

Source
pub fn build_router_with_audit(
    state: Arc<AppState>,
    auth: AuthConfig,
    tenant: TenantConfig,
    limiter: RateLimiter,
    audit: AuditConfig,
    cors: CorsConfig,
) -> Router
Expand description

Build the router with full configuration including the audit sink and the CORS allowlist.

The outer ServiceBuilder is layered top-to-bottom: host_validate (with its TrustedHosts extension) is the outermost pair — T19 perf — so hostile Host probes are rejected with 400 before any trace span is allocated or any propagator hop runs. The trace layer wraps the rest of the stack, followed by inject_trace_id_header, the CORS layer (so cross-origin preflight short-circuits before any expensive downstream work), the body limit (which guards every downstream layer from oversized payloads), the per-request timeout and the global concurrency cap. Auth and tenant resolution are from_fn middleware that run after the size cap (so a request that would be rejected with 413 does not consume an auth slot). The per-token rate limiter runs after bearer auth so it can read the AuthContext the auth layer inserts. The audit middleware sits innermost, after every other layer has resolved the actor / tenant / scope, so the synthesised record captures the same identity the handler saw.