webhook/middleware.py

"""鉴权中间件：校验请求中的 API Key。"""

import uuid

from aiohttp import web

from .config import WEBHOOK_API_KEY
from .response import error


@web.middleware
async def auth_middleware(request: web.Request, handler):
    """对需要鉴权的路径校验 API Key。/healthz 和 /admin/ 及 /api/ 开头的路径不需要鉴权。"""
    # 不需要鉴权的路径
    if request.path == "/healthz" or request.path.startswith("/admin") or request.path.startswith("/api/"):
        return await handler(request)

    auth_header = request.headers.get("Authorization", "")
    if auth_header.startswith("Bearer "):
        key = auth_header[len("Bearer "):]
    else:
        key = request.headers.get("X-API-Key", "")

    if key != WEBHOOK_API_KEY:
        return error("unauthorized", code=401, status=401)

    return await handler(request)


@web.middleware
async def request_id_middleware(request: web.Request, handler):
    """为每个请求附加唯一 request_id，便于日志追踪。"""
    request_id = request.headers.get("X-Request-ID", uuid.uuid4().hex[:12])
    request["request_id"] = request_id
    response = await handler(request)
    response.headers["X-Request-ID"] = request_id
    return response