diff --git a/src/middleware/admin.rs b/src/middleware/layers/admin.rs
similarity index 99%
rename from src/middleware/admin.rs
rename to src/middleware/layers/admin.rs
index f29f7c8..6c95f66 100644
--- a/src/middleware/admin.rs
+++ b/src/middleware/layers/admin.rs
@@ -24,10 +24,10 @@ use axum::{
 use tower_cookies::Cookies;
 use uuid::Uuid;
-use super::{ClientInfo, RequestId};
 use crate::{
 AppState,
 auth::{AuthError, AuthenticatedRequest, Identity, IdentityKind},
+ middleware::{ClientInfo, RequestId},
 observability::metrics,
 services::audit_logs::{AuthEventParams, auth_events},
 };
@@ -647,7 +647,7 @@ async fn try_api_key_admin_auth(
 headers: &axum::http::HeaderMap,
 state: &AppState,
 ) -> Result, AuthError> {
- let api_key_auth = match super::combined::try_api_key_auth(headers, state).await? {
+ let api_key_auth = match super::api::try_api_key_auth(headers, state).await? {
 Some(auth) => auth,
 None => return Ok(None),
 };
diff --git a/src/middleware/combined.rs b/src/middleware/layers/api.rs
similarity index 99%
rename from src/middleware/combined.rs
rename to src/middleware/layers/api.rs
index 66b6b52..e722c92 100644
--- a/src/middleware/combined.rs
+++ b/src/middleware/layers/api.rs
@@ -8,20 +8,22 @@ use axum::{
 use chrono::Utc;
 use super::{
- RequestId,
- budget::{BudgetCheckResult, BudgetError, adjust_budget_reservation},
 rate_limit::{
 RateLimitError, TokenRateLimitCheckResult, TokenRateLimitResult, TokenReservation,
 add_rate_limit_headers, add_token_rate_limit_headers, adjust_token_reservation,
 },
- scope::required_scope_for_path,
- usage::{UsageTracker, extract_full_usage_from_response, tracker_from_headers},
+ request_id::RequestId,
 };
 use crate::{
 AppState,
 auth::{ApiKeyAuth, AuthError, AuthenticatedRequest, Identity, IdentityKind},
 cache::{BudgetCheckParams, Cache, CacheKeys, RateLimitCheckParams, RateLimitResult},
 events::{BudgetType, ServerEvent},
+ middleware::util::{
+ budget::{BudgetCheckResult, BudgetError, adjust_budget_reservation},
+ scope::required_scope_for_path,
+ usage::{UsageTracker, extract_full_usage_from_response, tracker_from_headers},
+ },
 models::{AuditActorType, BudgetPeriod, CreateAuditLog, has_valid_prefix, hash_api_key},
 observability::metrics,
 };
@@ -584,7 +586,7 @@ pub async fn api_middleware(
 .map(|ci| ci.0.ip());
 // Insert client info for audit logging
- let client_info = super::ClientInfo {
+ let client_info = crate::middleware::ClientInfo {
 ip_address: connecting_ip.map(|ip| ip.to_string()),
 user_agent: headers
 .get(axum::http::header::USER_AGENT)
diff --git a/src/middleware/authz.rs b/src/middleware/layers/authz.rs
similarity index 99%
rename from src/middleware/authz.rs
rename to src/middleware/layers/authz.rs
index fbd0bc0..e5cbb48 100644
--- a/src/middleware/authz.rs
+++ b/src/middleware/layers/authz.rs
@@ -596,7 +596,8 @@ pub async fn permissive_authz_middleware(
 };
 // Insert ClientInfo for unprotected routes (no admin middleware to extract it).
- req.extensions_mut().insert(super::ClientInfo::default());
+ req.extensions_mut()
+ .insert(crate::middleware::ClientInfo::default());
 // Insert a default AdminAuth with system identity for unprotected routes.
 // This allows handlers to extract AdminAuth for audit logging purposes.
diff --git a/src/middleware/layers/mod.rs b/src/middleware/layers/mod.rs
new file mode 100644
index 0000000..5feb611
--- /dev/null
+++ b/src/middleware/layers/mod.rs
@@ -0,0 +1,6 @@
+pub mod admin;
+pub mod api;
+pub mod authz;
+pub mod rate_limit;
+pub mod request_id;
+pub mod security_headers;
diff --git a/src/middleware/rate_limit.rs b/src/middleware/layers/rate_limit.rs
similarity index 100%
rename from src/middleware/rate_limit.rs
rename to src/middleware/layers/rate_limit.rs
diff --git a/src/middleware/request_id.rs b/src/middleware/layers/request_id.rs
similarity index 100%
rename from src/middleware/request_id.rs
rename to src/middleware/layers/request_id.rs
diff --git a/src/middleware/security_headers.rs b/src/middleware/layers/security_headers.rs
similarity index 100%
rename from src/middleware/security_headers.rs
rename to src/middleware/layers/security_headers.rs
diff --git a/src/middleware/mod.rs b/src/middleware/mod.rs
index 73030d6..58bc299 100644
--- a/src/middleware/mod.rs
+++ b/src/middleware/mod.rs
@@ -21,30 +21,23 @@
 //! ## Unprotected admin routes (login, session info)
 //! - [`permissive_authz_middleware`] — Injects allow-all authz context
-// ── Middleware layers ──────────────────────────────────────────────────────────
-mod admin;
-mod authz;
-mod combined;
-mod rate_limit;
-mod request_id;
-mod security_headers;
+// ── True middleware (Axum middleware layers) ────────────────────────────────────
+mod layers;
-// ── Internal helpers (used only by combined.rs) ────────────────────────────────
-mod budget;
-mod scope;
-mod usage;
+// ── Internal utilities (budget, scope, usage helpers for combined middleware) ──
+pub(crate) mod util;
 // ── Middleware layer exports ───────────────────────────────────────────────────
-pub use admin::{AdminAuth, admin_auth_middleware};
-pub use authz::{
- AuthzContext, api_authz_middleware, authz_middleware, permissive_authz_middleware,
-};
-pub use combined::api_middleware;
 #[cfg(feature = "sso")]
-pub use rate_limit::extract_client_ip_from_parts;
-pub use rate_limit::rate_limit_middleware;
-pub use request_id::{RequestId, request_id_middleware};
-pub use security_headers::security_headers_middleware;
+pub use layers::rate_limit::extract_client_ip_from_parts;
+pub use layers::{
+ admin::{AdminAuth, admin_auth_middleware},
+ api::api_middleware,
+ authz::{AuthzContext, api_authz_middleware, authz_middleware, permissive_authz_middleware},
+ rate_limit::rate_limit_middleware,
+ request_id::{RequestId, request_id_middleware},
+ security_headers::security_headers_middleware,
+};
 // ── Types extracted by middleware (used by route handlers via Extension) ────
diff --git a/src/middleware/budget.rs b/src/middleware/util/budget.rs
similarity index 100%
rename from src/middleware/budget.rs
rename to src/middleware/util/budget.rs
diff --git a/src/middleware/util/mod.rs b/src/middleware/util/mod.rs
new file mode 100644
index 0000000..e2eddda
--- /dev/null
+++ b/src/middleware/util/mod.rs
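Review bot: `pub(crate) mod util;` in src/middleware/mod.rs makes the budget, scope and usage helpers nameable from anywhere in the crate, whereas the removed `mod budget; mod scope; mod usage;` kept them private to `middleware`. The only consumer visible in this diff is layers/api.rs, which is a descendant of `middleware`, so a plain `mod util;` should still resolve `crate::middleware::util::…` there and keeps enforcement helpers such as `adjust_budget_reservation` and `required_scope_for_path` out of reach of unrelated modules. The `pub mod` lines in the new util/mod.rs would then be bounded by the private parent, the same way `layers` already is. The section comment also still says `combined middleware` although this commit renames combined.rs to layers/api.rs; I would write `// ── Internal utilities (budget, scope, usage helpers used by layers/api.rs) ──` above `mod util;`. If some module outside `middleware` does need these helpers, that use is not visible here and the wider visibility deserves a comment saying which one.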
@@ -0,0 +1,3 @@
+pub mod budget;
+pub mod scope;
+pub mod usage;
diff --git a/src/middleware/scope.rs b/src/middleware/util/scope.rs
similarity index 100%
rename from src/middleware/scope.rs
rename to src/middleware/util/scope.rs
diff --git a/src/middleware/usage.rs b/src/middleware/util/usage.rs
similarity index 100%
rename from src/middleware/usage.rs
rename to src/middleware/util/usage.rs