feat(m7.1): wire tenant claims, status enforcement, and db scoping helper #82
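--- a/FILE_PATH_NOT_SHOWN
+++ b/FILE_PATH_NOT_SHOWN
@@ -8,7 +8,7 @@ use tower_http::set_header::SetResponseHeaderLayer;
 use tower_http::trace::TraceLayer;
 
 use crate::agent::ComplianceAgent;
-use crate::api::auth_middleware::{require_jwt_auth, JwksState};
+use crate::api::auth_middleware::{require_jwt_auth, require_tenant_status, JwksState};
 use crate::api::routes;
 use crate::error::AgentError;
 
@@ -44,9 +44,14 @@ pub async fn start_api_server(agent: ComplianceAgent, port: u16) -> Result<(), A
 jwks_url,
 };
 tracing::info!("Keycloak JWT auth enabled for realm '{kc_realm}'");
+// Layers execute outermost-first. The Extension must run before
+// require_jwt_auth so that middleware can read JwksState from
+// request extensions, and the status gate must run after the
+// JWT auth so TenantContext is in extensions.
 app = app
-.layer(Extension(jwks_state))
-.layer(middleware::from_fn(require_jwt_auth));
+.layer(middleware::from_fn(require_tenant_status))
+.layer(middleware::from_fn(require_jwt_auth))
+.layer(Extension(jwks_state));
 } else {
 tracing::warn!("Keycloak not configured - API endpoints are unprotected");
 }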
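Review bot: The new tenant-status gate is installed only inside the Keycloak-configured branch, so the `else` path now skips status enforcement as well as authentication, but the existing warning still only says the endpoints are unprotected; I would make that explicit: `tracing::warn!("Keycloak not configured - API endpoints are unprotected and tenant status is not enforced");`. The new ordering comment is correct about execution order, but a reader has to know that each `.layer()` wraps the stack built so far, which is why `Extension(jwks_state)` is added last; I would open the comment with `// Each .layer() call wraps the stack built so far, so the last layer added is the outermost and runs first.` before the existing sentences. I cannot see `require_tenant_status` here, so whether it fails closed when `TenantContext` is missing from the request extensions should be confirmed in that middleware. The body of `start_api_server` continues outside this hunk.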