feat: BreakPilot PWA - Full codebase (clean push without large binaries)

All services: admin-v2, studio-v2, website, ai-compliance-sdk, consent-service, klausur-service, voice-service, and infrastructure. Large PDFs and compiled binaries excluded via .gitignore.
2026-02-11 13:25:58 +01:00
commit 19855efacc
2512 changed files with 933814 additions and 0 deletions
--- a/backend/llm_gateway/middleware/init.py
+++ b/backend/llm_gateway/middleware/init.py
@@ -0,0 +1,7 @@
+"""
+LLM Gateway Middleware.
+"""
+
+from .auth import verify_api_key
+
+__all__ = ["verify_api_key"]
--- a/backend/llm_gateway/middleware/auth.py
+++ b/backend/llm_gateway/middleware/auth.py
@@ -0,0 +1,96 @@
+"""
+Auth Middleware für LLM Gateway.
+
+Unterstützt:
+- API Key Auth (X-API-Key Header oder Authorization Bearer)
+- JWT Token Auth (vom Consent Service)
+"""
+
+import logging
+from typing import Optional
+from fastapi import HTTPException, Header, Depends
+from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
+import jwt
+
+from ..config import get_config
+
+logger = logging.getLogger(__name__)
+
+security = HTTPBearer(auto_error=False)
+
+
+async def verify_api_key(
+    x_api_key: Optional[str] = Header(None, alias="X-API-Key"),
+    authorization: Optional[HTTPAuthorizationCredentials] = Depends(security),
+) -> str:
+    """
+    Verifiziert den API Key oder JWT Token.
+
+    Akzeptiert:
+    - X-API-Key Header
+    - Authorization: Bearer <token>
+
+    Returns:
+        str: User ID oder "api_key" bei API Key Auth
+    """
+    config = get_config()
+
+    # 1. Prüfe X-API-Key Header
+    if x_api_key:
+        if x_api_key in config.api_keys:
+            return "api_key"
+        logger.warning(f"Invalid API key attempted")
+        raise HTTPException(
+            status_code=401,
+            detail={"error": "unauthorized", "message": "Invalid API key"},
+        )
+
+    # 2. Prüfe Authorization Header
+    if authorization:
+        token = authorization.credentials
+
+        # Prüfe ob es ein API Key ist
+        if token in config.api_keys:
+            return "api_key"
+
+        # Versuche JWT zu dekodieren
+        if config.jwt_secret:
+            try:
+                payload = jwt.decode(
+                    token,
+                    config.jwt_secret,
+                    algorithms=["HS256"],
+                )
+                user_id = payload.get("user_id") or payload.get("sub")
+                if user_id:
+                    return str(user_id)
+            except jwt.ExpiredSignatureError:
+                raise HTTPException(
+                    status_code=401,
+                    detail={"error": "token_expired", "message": "Token has expired"},
+                )
+            except jwt.InvalidTokenError as e:
+                logger.warning(f"Invalid JWT token: {e}")
+                raise HTTPException(
+                    status_code=401,
+                    detail={"error": "invalid_token", "message": "Invalid token"},
+                )
+
+    # 3. In Development Mode ohne Auth erlauben
+    if config.debug:
+        logger.warning("Auth bypassed in debug mode")
+        return "debug_user"
+
+    # 4. Keine gültige Auth gefunden
+    raise HTTPException(
+        status_code=401,
+        detail={
+            "error": "unauthorized",
+            "message": "API key or valid token required",
+        },
+    )
+
+
+def get_current_user_id(user_id: str = Depends(verify_api_key)) -> str:
+    """Dependency um die aktuelle User ID zu bekommen."""
+    return user_id