gateway and broker auth

Author: CaptainAril

src/api/constants/queues.py

@@ -0,0 +1,12 @@
+from typing import TypedDict
+
+
+class QueueNames(TypedDict):
+    USER_REGISTRATION: str
+    EMAIL_VALIDATION: str
+
+
+QUEUE_NAMES: QueueNames = {
+    "USER_REGISTRATION": "create_user",
+    "EMAIL_VALIDATION": "validate_email",
+}

src/api/constants/signature_sources.py

@@ -0,0 +1,12 @@
+from typing import TypedDict
+
+
+class SignatureSources(TypedDict):
+    gateway: str
+    queue: str
+
+
+SIGNATURE_SOURCES: SignatureSources = {
+    "gateway": "Gateway",
+    "queue": "Broker Queue",
+}

src/api/middlewares/BrokerMiddleware.py

@@ -0,0 +1,76 @@
+from types import CoroutineType
+from typing import Any
+from collections.abc import Callable, Awaitable
+
+from faststream import BaseMiddleware
+from faststream.broker.message import StreamMessage
+from faststream.rabbit.message import RabbitMessage
+
+from src.env import queue
+from src.utils.logger import Logger
+from src.api.services.UtilityService import UtilityService
+from src.api.constants.signature_sources import SIGNATURE_SOURCES
+
+
+class PublishMiddleware(BaseMiddleware):
+    """
+    Middleware to handle subscription messages.
+    """
+
+    async def publish_scope(
+        self,
+        call_next: Callable[..., Awaitable[Any]],
+        msg: RabbitMessage,
+        *args: tuple[Any, ...],
+        **kwargs: dict[str, Any],
+    ) -> CoroutineType:
+        timestamp = UtilityService.get_timestamp()
+        signature = UtilityService.generate_signature(queue["key"], timestamp)
+
+        headers = {}
+
+        headers["X-BROKER-SIGNATURE"] = signature
+        headers["X-BROKER-TIMESTAMP"] = timestamp
+        headers["X-BROKER-KEY"] = queue["key"]
+
+        kwargs["headers"] = headers
+        return await super().publish_scope(call_next, msg, *args, **kwargs)
+
+
+class SubscribeMiddleware(BaseMiddleware):
+    async def consume_scope(
+        self, call_next: Callable[[Any], Awaitable[Any]], msg: StreamMessage
+    ) -> CoroutineType | None:
+        logger = Logger(__name__)
+        try:
+            UtilityService.verify_signature(
+                logger=logger,
+                signature_data={
+                    "signature": msg.headers["X-BROKER-SIGNATURE"],
+                    "timestamp": msg.headers["X-BROKER-TIMESTAMP"],
+                    "key": queue["key"],
+                    "ttl": queue["ttl"],
+                    "title": SIGNATURE_SOURCES["gateway"],
+                },
+            )
+
+            return await super().consume_scope(call_next, msg)
+        except KeyError as e:
+            message = f"Missing required header: {e}"
+            logger.error(
+                {
+                    "activity_type": "Authenticate GatewaBroker Queue Request",
+                    "message": message,
+                    "metadata": {"headers": msg.headers},
+                }
+            )
+        except Exception as e:
+            queue_operation = msg.raw_message.routing_key
+            message = f"`{queue_operation}` operation failed: {e}"
+            logger.error(
+                {
+                    "activity_type": "Authenticate GatewaBroker Queue Request",
+                    "message": message,
+                    "metadata": {"headers": msg.headers, "message": msg._decoded_body},
+                }
+            )

src/api/middlewares/GateWayMiddleware.py

@@ -0,0 +1,84 @@
+from django.http import HttpRequest
+from ninja.errors import AuthenticationError
+from ninja.security import APIKeyHeader
+from ninja.openapi.schema import OpenAPISchema
+
+from src.env import api_gateway
+from src.utils.logger import Logger
+from src.api.services.UtilityService import SignatureData, UtilityService
+from src.api.constants.signature_sources import SIGNATURE_SOURCES
+
+
+class GateWayAuth(APIKeyHeader):
+    def __init__(self, logger: Logger) -> None:
+        self.logger = logger
+        super().__init__()
+
+    def authenticate(self, request: HttpRequest, key: str | None) -> str | None:
+        try:
+            api_key = request.headers["X-API-GATEWAY-KEY"]
+            api_timestamp = request.headers["X-API-GATEWAY-TIMESTAMP"]
+            api_signature = request.headers["X-API-GATEWAY-SIGNATURE"]
+        except KeyError as e:
+            message = f"Missing required header: {e}"
+            self.logger.error(
+                {
+                    "activity_type": "Authenticate Gateway Request",
+                    "message": message,
+                    "metadata": {"headers": request.headers},
+                }
+            )
+            raise AuthenticationError(message=message)
+
+        valid_api_key = api_gateway["key"]
+        if api_key != valid_api_key:
+            message = "Invalid API key!"
+            self.logger.error(
+                {
+                    "activity_type": "Authenticate Gateway Request",
+                    "message": message,
+                    "metadata": {"headers": request.headers},
+                }
+            )
+            raise AuthenticationError(message=message)
+
+        signature_data: SignatureData = {
+            "signature": api_signature,
+            "timestamp": api_timestamp,
+            "key": valid_api_key,
+            "ttl": 5,
+            "title": SIGNATURE_SOURCES["gateway"],
+        }
+
+        UtilityService.verify_signature(
+            logger=self.logger, signature_data=signature_data
+        )
+
+        self.logger.debug(
+            {
+                "activity_type": "Authenticate Gateway Request",
+                "message": "Successfully authenticated gateway request",
+                "metadata": {
+                    "headers": request.headers,
+                },
+            }
+        )
+
+        return api_signature
+
+
+def get_authentication() -> GateWayAuth:
+    gateway_auth = GateWayAuth(Logger("Authentication"))
+    return gateway_auth
+
+
+def add_global_headers(schema: OpenAPISchema) -> OpenAPISchema:
+    for path in schema["paths"]:
+        for method in schema["paths"][path]:
+            operation = schema["paths"][path][method]
+            if operation.get("security"):
+                operation["security"] = schema["security"]
+    return schema
+
+
+authentication = get_authentication()

src/api/routes/__init__.py

@@ -1,10 +1,9 @@
-from django.http import HttpRequest
 from ninja import NinjaAPI
+from django.http import HttpRequest
 from ninja.openapi.schema import OpenAPISchema
 
-from src.api.middlewares.GateWayMiddleware import (add_global_headers,
-                                                   authentication)
 from src.env import app
+from src.api.middlewares.GateWayMiddleware import authentication, add_global_headers
 
 api: NinjaAPI = NinjaAPI(
     version=app["version"],
@@ -36,25 +35,13 @@ def custom_openapi_schema(path_params: dict | None = None) -> OpenAPISchema:
             "in": "header",
             "name": "X-API-GATEWAY-SIGNATURE",
         },
-        # "User ID": {
-        #     "type": "apiKey",
-        #     "in": "header",
-        #     "name": "X-USER-ID",
-        # },
-        # "User Email": {
-        #     "type": "apiKey",
-        #     "in": "header",
-        #     "name": "X-USER-EMAIL",
-        # },
     }
 
     schema["security"] = [
         {
             "Gateway Key": [],
             "API Timestamp": [],
             "API Signature": [],
-            # "User ID": [],
-            # "User Email": [],
         }
     ]
 

src/api/services/AuthService.py

@@ -1,24 +1,25 @@
 from typing import Annotated
 
-from src.api.constants.activity_types import ACTIVITY_TYPES
-from src.api.constants.messages import DYNAMIC_MESSAGES, MESSAGES
-from src.api.constants.queues import QUEUE_NAMES
-from src.api.models.payload.requests.AuthenticateUserOtp import \
-    AuthenticateUserOtp
-from src.api.models.payload.requests.AuthenticateUserRequest import \
-    AuthenticateUserRequest
-from src.api.models.payload.requests.ChangeUserPasswordRequest import \
-    ChangeUserPasswordRequest
-from src.api.models.payload.requests.CreateUserRequest import CreateUserRequest
-from src.api.models.payload.requests.JWT import JWT
-from src.api.models.payload.requests.ResendUserOtp import ResendUserOtp
-from src.api.repositories.UserRepository import UserRepository
+from src.utils.svcs import Service
+from src.config.asgi import broker
+from src.utils.logger import Logger
 from src.api.typing.JWT import JWTSuccess
+from src.api.constants.queues import QUEUE_NAMES
 from src.api.typing.UserExists import UserExists
+from src.api.constants.messages import MESSAGES, DYNAMIC_MESSAGES
 from src.api.typing.UserSuccess import UserSuccess
-from src.config.asgi import broker
-from src.utils.logger import Logger
-from src.utils.svcs import Service
+from src.api.constants.activity_types import ACTIVITY_TYPES
+from src.api.models.payload.requests.JWT import JWT
+from src.api.repositories.UserRepository import UserRepository
+from src.api.models.payload.requests.ResendUserOtp import ResendUserOtp
+from src.api.models.payload.requests.CreateUserRequest import CreateUserRequest
+from src.api.models.payload.requests.AuthenticateUserOtp import AuthenticateUserOtp
+from src.api.models.payload.requests.AuthenticateUserRequest import (
+    AuthenticateUserRequest,
+)
+from src.api.models.payload.requests.ChangeUserPasswordRequest import (
+    ChangeUserPasswordRequest,
+)
 
 from .OtpService import OtpService
 from .UtilityService import UtilityService

src/api/services/UtilityService.py

@@ -1,33 +1,35 @@
-import hashlib
 import hmac
-from datetime import datetime, timedelta
-from typing import TypedDict
+import hashlib
 from uuid import uuid4
+from typing import TypedDict
+from datetime import datetime, timedelta
 
-import bcrypt
 import jwt
-from django.utils import timezone
+import bcrypt
 from faker import Faker
+from django.utils import timezone
 from ninja.errors import AuthenticationError
 
-from src.api.enums.CharacterCasing import CharacterCasing
-from src.api.models.postgres import User
-from src.api.typing.ExpireUUID import ExpireUUID
-from src.api.typing.JWT import JWTData
 from src.env import jwt_config
-from src.utils.logger import Logger
 from src.utils.svcs import Service
+from src.utils.logger import Logger
+from src.api.typing.JWT import JWTData
+from src.api.models.postgres import User
+from src.api.typing.ExpireUUID import ExpireUUID
+from src.api.enums.CharacterCasing import CharacterCasing
 
 DEFAULT_CHARACTER_LENGTH = 12
 fake = Faker()
 
+
 class SignatureData(TypedDict):
     title: str
     signature: str
     timestamp: str
     key: str
     ttl: int | float
 
+
 @Service()
 class UtilityService:
     @staticmethod
@@ -114,17 +116,14 @@ def generate_signature(key: str, timestamp: str) -> str:
         ).hexdigest()
         return signature
 
-
     @staticmethod
     def verify_signature(signature_data: SignatureData, logger: Logger) -> bool:
-        
         signature = signature_data["signature"]
         timestamp = signature_data["timestamp"]
         key = signature_data["key"]
         ttl = signature_data["ttl"]
         title = signature_data["title"]
 
-
         valid_signature = UtilityService.generate_signature(key, timestamp)
         is_valid = hmac.compare_digest(valid_signature, signature)
 

src/config/asgi.py

@@ -11,8 +11,8 @@
 
 from django.core.asgi import get_asgi_application
 from faststream.rabbit import RabbitBroker
-from starlette.applications import Starlette
 from starlette.routing import Mount
+from starlette.applications import Starlette
 
 from src.env import rabbitmq_config
 
@@ -22,9 +22,11 @@
 os.environ.setdefault("DJANGO_SETTINGS_MODULE", "src.config.settings")
 
 
-def setup_broker_middlewares():
-    from src.api.middlewares.BrokerMiddleware import (PublishMiddleware,
-                                                      SubscribeMiddleware)
+def setup_broker_middlewares() -> None:
+    from src.api.middlewares.BrokerMiddleware import (
+        PublishMiddleware,
+        SubscribeMiddleware,
+    )
 
     broker.add_middleware(SubscribeMiddleware)
     broker.add_middleware(PublishMiddleware)
@@ -37,5 +39,4 @@ def setup_broker_middlewares():
 )
 
 
-from src.api.services.external import \
-    RabbitMQRoutes as RabbitMQRoutes  # noqa: E402
+from src.api.services.external import RabbitMQRoutes as RabbitMQRoutes  # noqa: E402

src/config/settings.py

@@ -2,11 +2,11 @@
 
 from .apps import INSTALLED_APPS as INSTALLED_APPS
 from .caches import CACHES as CACHES
-from .databases import DATABASE_ROUTERS as DATABASE_ROUTERS
-from .databases import DATABASES as DATABASES
 from .logger import LOGGING as LOGGING
-from .middleware import MIDDLEWARE as MIDDLEWARE
+from .databases import DATABASES as DATABASES
+from .databases import DATABASE_ROUTERS as DATABASE_ROUTERS
 from .templates import TEMPLATES as TEMPLATES
+from .middleware import MIDDLEWARE as MIDDLEWARE
 
 SECRET_KEY = app["secret_key"]
 DEBUG = app["debug"]
@@ -19,10 +19,10 @@
 STATIC_URL = "static/"
 MEDIA_URL = "media/"
 
-LANGUAGE_CODE = 'en-us'
+LANGUAGE_CODE = "en-us"
 
-TIME_ZONE = 'UTC'
+TIME_ZONE = "UTC"
 
 USE_I18N = True
 
-USE_TZ = True
+USE_TZ = True