trading/services/api_gateway/auth/middleware.py

"""Auth middleware — FastAPI dependency for JWT-based authentication."""

from __future__ import annotations

from fastapi import Depends, HTTPException, status
from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer

import jwt as pyjwt

from services.api_gateway.auth.jwt import decode_token
from services.api_gateway.config import ApiGatewayConfig

# Shared config instance — injected via FastAPI dependency override in tests.
_config: ApiGatewayConfig | None = None

security = HTTPBearer(auto_error=False)


def get_config() -> ApiGatewayConfig:
    """Return the singleton config.  Overridden in tests."""
    global _config
    if _config is None:
        _config = ApiGatewayConfig()
    return _config


_DEV_USER = {
    "sub": "00000000-0000-0000-0000-000000000000",
    "username": "dev",
    "type": "access",
}


async def get_current_user(
    credentials: HTTPAuthorizationCredentials | None = Depends(security),
    config: ApiGatewayConfig = Depends(get_config),
) -> dict:
    """FastAPI dependency that extracts and validates a Bearer JWT.

    Returns the decoded token payload (contains ``sub``, ``username``, etc.)
    on success.  Raises a 401 ``HTTPException`` for missing, expired, or
    invalid tokens.

    When ``config.dev_mode`` is ``True``, authentication is bypassed and a
    synthetic dev user is returned.
    """
    if config.dev_mode:
        return _DEV_USER

    if credentials is None:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Missing authorization header",
            headers={"WWW-Authenticate": "Bearer"},
        )

    token = credentials.credentials
    try:
        payload = decode_token(token, config)
    except pyjwt.ExpiredSignatureError:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Token has expired",
            headers={"WWW-Authenticate": "Bearer"},
        )
    except pyjwt.InvalidTokenError:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Invalid token",
            headers={"WWW-Authenticate": "Bearer"},
        )

    if payload.get("type") != "access":
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Invalid token type",
            headers={"WWW-Authenticate": "Bearer"},
        )

    return payload
feat: API gateway with passkey (WebAuthn) authentication 2026-02-22 15:53:48 +00:00			`"""Auth middleware — FastAPI dependency for JWT-based authentication."""`

			`from __future__ import annotations`

			`from fastapi import Depends, HTTPException, status`
			`from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer`

			`import jwt as pyjwt`

			`from services.api_gateway.auth.jwt import decode_token`
			`from services.api_gateway.config import ApiGatewayConfig`

			`# Shared config instance — injected via FastAPI dependency override in tests.`
			`_config: ApiGatewayConfig \| None = None`

			`security = HTTPBearer(auto_error=False)`


			`def get_config() -> ApiGatewayConfig:`
			`"""Return the singleton config. Overridden in tests."""`
			`global _config`
			`if _config is None:`
			`_config = ApiGatewayConfig()`
			`return _config`


fix: resolve all remaining TODOs, add dev mode auth bypass - Learning engine: expand default weights from 3 to all 9 strategies - Learning engine: resolve placeholder strategy_id with DB lookup - Learning engine: pass strategy_sources from trade execution - Trade executor: respect trading:paused Redis flag in RiskManager - Portfolio sync: compute actual daily P&L from day-start snapshot - Portfolio API: cumulative P&L from first snapshot, read pause flag - Portfolio metrics: compute max drawdown and avg hold duration - Add strategy_sources field to TradeExecution schema - Add dev_mode config (TRADING_DEV_MODE) to bypass auth for local dev - Dashboard: VITE_DEV_MODE bypasses ProtectedRoute and 401 redirects - Vite proxy target configurable via VITE_API_TARGET - Add top-level README.md and remaining-work-plan.md - Update CLAUDE.md with correct counts and remove stale TODOs - 404 tests passing Made-with: Cursor 2026-02-25 22:02:25 +00:00			`_DEV_USER = {`
			`"sub": "00000000-0000-0000-0000-000000000000",`
			`"username": "dev",`
			`"type": "access",`
			`}`


feat: API gateway with passkey (WebAuthn) authentication 2026-02-22 15:53:48 +00:00			`async def get_current_user(`
			`credentials: HTTPAuthorizationCredentials \| None = Depends(security),`
			`config: ApiGatewayConfig = Depends(get_config),`
			`) -> dict:`
			`"""FastAPI dependency that extracts and validates a Bearer JWT.`

			Returns the decoded token payload (contains ``sub``, ``username``, etc.)
			on success. Raises a 401 ``HTTPException`` for missing, expired, or
			`invalid tokens.`
fix: resolve all remaining TODOs, add dev mode auth bypass - Learning engine: expand default weights from 3 to all 9 strategies - Learning engine: resolve placeholder strategy_id with DB lookup - Learning engine: pass strategy_sources from trade execution - Trade executor: respect trading:paused Redis flag in RiskManager - Portfolio sync: compute actual daily P&L from day-start snapshot - Portfolio API: cumulative P&L from first snapshot, read pause flag - Portfolio metrics: compute max drawdown and avg hold duration - Add strategy_sources field to TradeExecution schema - Add dev_mode config (TRADING_DEV_MODE) to bypass auth for local dev - Dashboard: VITE_DEV_MODE bypasses ProtectedRoute and 401 redirects - Vite proxy target configurable via VITE_API_TARGET - Add top-level README.md and remaining-work-plan.md - Update CLAUDE.md with correct counts and remove stale TODOs - 404 tests passing Made-with: Cursor 2026-02-25 22:02:25 +00:00
			When ``config.dev_mode`` is ``True``, authentication is bypassed and a
			`synthetic dev user is returned.`
feat: API gateway with passkey (WebAuthn) authentication 2026-02-22 15:53:48 +00:00			`"""`
fix: resolve all remaining TODOs, add dev mode auth bypass - Learning engine: expand default weights from 3 to all 9 strategies - Learning engine: resolve placeholder strategy_id with DB lookup - Learning engine: pass strategy_sources from trade execution - Trade executor: respect trading:paused Redis flag in RiskManager - Portfolio sync: compute actual daily P&L from day-start snapshot - Portfolio API: cumulative P&L from first snapshot, read pause flag - Portfolio metrics: compute max drawdown and avg hold duration - Add strategy_sources field to TradeExecution schema - Add dev_mode config (TRADING_DEV_MODE) to bypass auth for local dev - Dashboard: VITE_DEV_MODE bypasses ProtectedRoute and 401 redirects - Vite proxy target configurable via VITE_API_TARGET - Add top-level README.md and remaining-work-plan.md - Update CLAUDE.md with correct counts and remove stale TODOs - 404 tests passing Made-with: Cursor 2026-02-25 22:02:25 +00:00			`if config.dev_mode:`
			`return _DEV_USER`

feat: API gateway with passkey (WebAuthn) authentication 2026-02-22 15:53:48 +00:00			`if credentials is None:`
			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail="Missing authorization header",`
			`headers={"WWW-Authenticate": "Bearer"},`
			`)`

			`token = credentials.credentials`
			`try:`
			`payload = decode_token(token, config)`
			`except pyjwt.ExpiredSignatureError:`
			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail="Token has expired",`
			`headers={"WWW-Authenticate": "Bearer"},`
			`)`
			`except pyjwt.InvalidTokenError:`
			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail="Invalid token",`
			`headers={"WWW-Authenticate": "Bearer"},`
			`)`

			`if payload.get("type") != "access":`
			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail="Invalid token type",`
			`headers={"WWW-Authenticate": "Bearer"},`
			`)`

			`return payload`