Class: Fluence::Gateway::Auth::Middleware
- Inherits: Object
  - Object
  - Fluence::Gateway::Auth::Middleware
- Defined in: lib/fluence/gateway/auth/middleware.rb
Overview
Rack middleware that verifies HMAC-signed requests coming from the Fluence API Gateway.
For every request the middleware recomputes the expected
signature from the HTTP verb, timestamp, client ID, user ID,
full request path (including query string) and SHA-256 digest
of the body, then compares it in constant time to the value of
the X-Gateway-Signature header. Requests with missing,
expired (older than MAX_TIMESTAMP_DRIFT seconds) or mismatched
signatures are rejected with 403 Forbidden before they reach
the application.
The middleware is inserted automatically by Railtie in Rails applications; add it manually when running on plain Rack.
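The verification steps described in the overview, as an added example (not the gem's own code). The page does not give the wire format, so the field order, the newline separator, HMAC-SHA256 with hex output and the helper names canonical_string, sign and verify are assumptions.

```ruby
require 'openssl'
require 'digest'

MAX_TIMESTAMP_DRIFT = 30 # seconds, as documented on this page

# ASSUMPTION (hypothetical helper): fields in the overview's order, joined with
# "\n" so that adjacent values cannot shift across a field boundary.
def canonical_string(verb:, timestamp:, client_id:, user_id:, fullpath:, body:)
  [verb.upcase, timestamp, client_id, user_id, fullpath,
   Digest::SHA256.hexdigest(body)].join("\n")
end

# ASSUMPTION: HMAC-SHA256, hex-encoded.
def sign(secret, **fields)
  OpenSSL::HMAC.hexdigest('SHA256', secret, canonical_string(**fields))
end

# Returns nil when the request is accepted, otherwise one of the MESSAGES keys.
def verify(secret:, signature:, now: Time.now.to_i, **fields)
  required = [signature, fields[:timestamp], fields[:client_id]]
  return 'missing_gateway_headers' if required.any? { |v| v.to_s.empty? }

  ts = Integer(fields[:timestamp].to_s, 10, exception: false)
  # Non-numeric timestamps fail closed; drift is checked both ways (assumption).
  return 'timestamp_out_of_window' if ts.nil? || (now - ts).abs > MAX_TIMESTAMP_DRIFT

  # Constant-time comparison: never compare the signature with ==.
  expected = sign(secret, **fields)
  OpenSSL.secure_compare(expected, signature) ? nil : 'invalid_signature'
end

# Constructed sample request; every value below is made up.
SECRET = 'constructed-demo-secret'
REQ = { verb: 'POST', timestamp: '1700000000', client_id: 'client-42',
        user_id: 'user-7', fullpath: '/orders?limit=10',
        body: '{"sku":"A1"}' }.freeze
SIG = sign(SECRET, **REQ)

if __FILE__ == $PROGRAM_NAME
  tampered = REQ.merge(fullpath: '/orders?limit=1000')
  p verify(secret: SECRET, signature: SIG, now: 1_700_000_010, **REQ)
  p verify(secret: SECRET, signature: SIG, now: 1_700_000_031, **REQ)
  p verify(secret: SECRET, signature: SIG, now: 1_700_000_010, **tampered)
end
```

Because the query string and the body digest are both inside the signed string, changing either after signing yields invalid_signature, and replaying the untouched request after the window yields timestamp_out_of_window.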
Constant Summary
- MAX_TIMESTAMP_DRIFT =
  Maximum allowed drift between the gateway timestamp and the backend clock, in seconds. Past this window the request is rejected as potentially replayed.
  30
- MESSAGES =
  Mapping of machine-readable error codes to human-readable rejection messages. The diagnostic body is only exposed in development and test (see #expose_diagnostics?); production always returns the generic "Forbidden" string to avoid leaking details.

      {
        'missing_gateway_headers' => 'Missing gateway authentication headers ' \
                                     '(X-Gateway-Timestamp, X-Gateway-Signature, X-Client-Id)',
        'timestamp_out_of_window' => "Gateway timestamp outside the allowed #{MAX_TIMESTAMP_DRIFT}s window",
        'invalid_signature' => 'Invalid gateway HMAC signature'
      }.freeze
Instance Method Summary
- #call(env) ⇒ Array(Integer, Hash{String => String}, #each)
  Rack entry point.
- #initialize(app, hmac_secret: nil) ⇒ void (constructor)
  Wraps a Rack application with HMAC verification.
Constructor Details
#initialize(app, hmac_secret: nil) ⇒ void
Wraps a Rack application with HMAC verification.
Instance Method Details
#call(env) ⇒ Array(Integer, Hash{String => String}, #each)
Rack entry point. Verifies the HMAC signature and either
forwards to the next middleware or short-circuits with 403.
When Configuration#skip_middleware is true (typically in
tests loaded via TestHelpers), signature verification is
bypassed entirely.