hobokenchicken/GopherGate
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Revert "feat(auth): refactor token resolution into shared TokenResolution and centralize in middleware; simplify AuthenticatedClient to carry resolved DB ID"
Some checks failed
CI / Check (push) Has been cancelled
Details
CI / Clippy (push) Has been cancelled
Details
CI / Formatting (push) Has been cancelled
Details
CI / Test (push) Has been cancelled
Details
CI / Release Build (push) Has been cancelled
Details

Browse Source 
This reverts commit 5ddf284b8f.
This commit is contained in:
Dustin Newkirk
2026-03-05 19:53:50 +00:00
parent 5ddf284b8f
commit 90ef026c96
4 changed files with 3 additions and 132 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@@ -3,4 +3,3 @@
/*.db /*.db
/*.db-shm /*.db-shm
/*.db-wal /*.db-wal
/data/

95
src/auth/mod.rs
View File

@@ -1,76 +1,11 @@
use axum::{extract::FromRequestParts, http::request::Parts}; use axum::{extract::FromRequestParts, http::request::Parts};
<<<<<<< HEAD
=======
use axum_extra::TypedHeader;
use axum_extra::headers::Authorization;
use headers::authorization::Bearer;
use sqlx;
>>>>>>> 76e5b9f (perf(auth): eliminate duplicate token resolution database queries)
use crate::errors::AppError; use crate::errors::AppError;
use crate::state::AppState;
/// Token resolution result stored in request extensions
/// This avoids duplicate database queries for token resolution
#[derive(Debug, Clone)]
pub struct TokenResolution {
/// The raw bearer token from Authorization header
pub token: String,
/// Client ID for rate limiting (from DB lookup or token prefix derivation)
pub client_id_for_rate_limit: String,
/// Client ID from database if token was found in client_tokens table
pub db_client_id: Option<String>,
}
impl TokenResolution {
/// Resolve a token to client ID, checking database first, then falling back to token prefix
pub async fn resolve(token: Option<String>, state: &AppState) -> Self {
match token {
Some(token) => {
// Try DB token lookup first
let db_client_id = match sqlx::query_scalar::<_, String>(
"SELECT client_id FROM client_tokens WHERE token = ? AND is_active = TRUE",
)
.bind(&token)
.fetch_optional(&state.db_pool)
.await
{
Ok(Some(cid)) => Some(cid),
Ok(None) => None,
Err(_) => None, // Log error? For now, treat as not found
};
let client_id_for_rate_limit = if let Some(ref cid) = db_client_id {
cid.clone()
} else {
// Fallback to token-prefix derivation
format!("client_{}", &token[..8.min(token.len())])
};
Self {
token,
client_id_for_rate_limit,
db_client_id,
}
}
None => {
// No token — anonymous
Self {
token: String::new(),
client_id_for_rate_limit: "anonymous".to_string(),
db_client_id: None,
}
}
}
}
}
#[derive(Debug, Clone)] #[derive(Debug, Clone)]
pub struct AuthInfo { pub struct AuthInfo {
pub token: String, pub token: String,
pub client_id: String, pub client_id: String,
/// Client ID from database if token was found in client_tokens table
pub db_client_id: Option<String>,
} }
pub struct AuthenticatedClient { pub struct AuthenticatedClient {
@@ -83,7 +18,6 @@ where
{ {
type Rejection = AppError; type Rejection = AppError;
<<<<<<< HEAD
async fn from_request_parts(parts: &mut Parts, _state: &S) -> Result<Self, Self::Rejection> { async fn from_request_parts(parts: &mut Parts, _state: &S) -> Result<Self, Self::Rejection> {
// Retrieve AuthInfo from request extensions, where it was placed by rate_limit_middleware // Retrieve AuthInfo from request extensions, where it was placed by rate_limit_middleware
let info = parts let info = parts
@@ -91,27 +25,6 @@ where
.get::<AuthInfo>() .get::<AuthInfo>()
.cloned() .cloned()
.ok_or_else(|| AppError::AuthError("Authentication info not found in request".to_string()))?; .ok_or_else(|| AppError::AuthError("Authentication info not found in request".to_string()))?;
=======
async fn from_request_parts(parts: &mut Parts, state: &S) -> Result<Self, Self::Rejection> {
// Check if TokenResolution is already in extensions (set by rate limit middleware)
if let Some(resolution) = parts.extensions.get::<TokenResolution>() {
// Use the resolved token and client_id
let token = resolution.token.clone();
let client_id = resolution.client_id_for_rate_limit.clone();
return Ok(AuthenticatedClient {
token,
client_id,
db_client_id: resolution.db_client_id.clone(),
});
}
// Fallback: extract token from Authorization header directly
// (this shouldn't happen if rate limit middleware is applied)
let TypedHeader(Authorization(bearer)) = TypedHeader::<Authorization<Bearer>>::from_request_parts(parts, state)
.await
.map_err(|_| AppError::AuthError("Missing or invalid bearer token".to_string()))?;
>>>>>>> 76e5b9f (perf(auth): eliminate duplicate token resolution database queries)
Ok(AuthenticatedClient { info }) Ok(AuthenticatedClient { info })
} }
@@ -120,16 +33,8 @@ where
impl std::ops::Deref for AuthenticatedClient { impl std::ops::Deref for AuthenticatedClient {
type Target = AuthInfo; type Target = AuthInfo;
<<<<<<< HEAD
fn deref(&self) -> &Self::Target { fn deref(&self) -> &Self::Target {
&self.info &self.info
=======
Ok(AuthenticatedClient {
token,
client_id,
db_client_id: None,
})
>>>>>>> 76e5b9f (perf(auth): eliminate duplicate token resolution database queries)
} }
} }

16
src/rate_limiting/mod.rs
View File

@@ -305,6 +305,7 @@ pub mod middleware {
middleware::Next, middleware::Next,
response::Response, response::Response,
}; };
use sqlx;
/// Rate limiting middleware /// Rate limiting middleware
pub async fn rate_limit_middleware( pub async fn rate_limit_middleware(
@@ -315,20 +316,12 @@ pub mod middleware {
// Extract token synchronously from headers (avoids holding &Request across await) // Extract token synchronously from headers (avoids holding &Request across await)
let token = extract_bearer_token(&request); let token = extract_bearer_token(&request);
<<<<<<< HEAD
// Resolve client_id and populate AuthInfo: DB token lookup, then prefix fallback // Resolve client_id and populate AuthInfo: DB token lookup, then prefix fallback
let auth_info = resolve_auth_info(token, &state).await; let auth_info = resolve_auth_info(token, &state).await;
let client_id = auth_info.client_id.clone(); let client_id = auth_info.client_id.clone();
=======
// Resolve token to client ID (with DB lookup if applicable)
let resolution = crate::auth::TokenResolution::resolve(token, &state).await;
>>>>>>> 76e5b9f (perf(auth): eliminate duplicate token resolution database queries)
// Store resolution in request extensions for downstream handlers // Check rate limits
request.extensions_mut().insert(resolution.clone()); if !state.rate_limit_manager.check_client_request(&client_id).await? {
// Check rate limits using the rate-limit client ID
if !state.rate_limit_manager.check_client_request(&resolution.client_id_for_rate_limit).await? {
return Err(AppError::RateLimitError("Rate limit exceeded".to_string())); return Err(AppError::RateLimitError("Rate limit exceeded".to_string()));
} }
@@ -346,7 +339,6 @@ pub mod middleware {
.map(|t| t.to_string()) .map(|t| t.to_string())
} }
<<<<<<< HEAD
/// Resolve auth info: try DB token first, then fall back to token-prefix derivation /// Resolve auth info: try DB token first, then fall back to token-prefix derivation
async fn resolve_auth_info(token: Option<String>, state: &AppState) -> AuthInfo { async fn resolve_auth_info(token: Option<String>, state: &AppState) -> AuthInfo {
if let Some(token) = token { if let Some(token) = token {
@@ -382,8 +374,6 @@ pub mod middleware {
} }
} }
=======
>>>>>>> 76e5b9f (perf(auth): eliminate duplicate token resolution database queries)
/// Circuit breaker middleware for provider requests /// Circuit breaker middleware for provider requests
pub async fn circuit_breaker_middleware(provider_name: &str, state: &AppState) -> Result<(), AppError> { pub async fn circuit_breaker_middleware(provider_name: &str, state: &AppState) -> Result<(), AppError> {
if !state.rate_limit_manager.check_provider_request(provider_name).await? { if !state.rate_limit_manager.check_provider_request(provider_name).await? {

23
src/server/mod.rs
View File

@@ -121,7 +121,6 @@ async fn chat_completions(
auth: AuthenticatedClient, auth: AuthenticatedClient,
Json(mut request): Json<ChatCompletionRequest>, Json(mut request): Json<ChatCompletionRequest>,
) -> Result<axum::response::Response, AppError> { ) -> Result<axum::response::Response, AppError> {
<<<<<<< HEAD
let client_id = auth.client_id.clone(); let client_id = auth.client_id.clone();
let token = auth.token.clone(); let token = auth.token.clone();
@@ -132,28 +131,6 @@ async fn chat_completions(
return Err(AppError::AuthError("Invalid authentication token".to_string())); return Err(AppError::AuthError("Invalid authentication token".to_string()));
} }
} }
=======
// Use the db_client_id from the AuthenticatedClient (already resolved by middleware)
let db_client_id = auth.db_client_id.clone();
let client_id = if let Some(cid) = db_client_id {
// Update last_used_at in background (fire-and-forget) for DB tokens
let pool = state.db_pool.clone();
let token = auth.token.clone();
tokio::spawn(async move {
let _ = sqlx::query("UPDATE client_tokens SET last_used_at = CURRENT_TIMESTAMP WHERE token = ?")
.bind(&token)
.execute(&pool)
.await;
});
cid
} else if state.auth_tokens.is_empty() || state.auth_tokens.contains(&auth.token) {
// Env token match or permissive mode (no env tokens configured)
auth.client_id.clone()
} else {
return Err(AppError::AuthError("Invalid authentication token".to_string()));
};
>>>>>>> 76e5b9f (perf(auth): eliminate duplicate token resolution database queries)
let start_time = std::time::Instant::now(); let start_time = std::time::Instant::now();
let model = request.model.clone(); let model = request.model.clone();