refactor: optimize middleware with pure ASGI implementation and enhance security measures

- Replace BaseHTTPMiddleware with pure ASGI implementation in plugin middleware for better streaming response handling - Add trusted proxy count configuration for client IP extraction in reverse proxy environments - Implement audit log cleanup scheduler with configurable retention period - Replace plaintext token logging with SHA256 hash fingerprints for security - Fix database session lifecycle management in middleware - Improve request tracing and error logging throughout the system - Add comprehensive tests for pipeline architecture
2026-01-02 15:52:26 +08:00 · 2025-12-18 19:07:20 +08:00
parent c7b971cfe7
commit 7b932d7afb
24 changed files with 497 additions and 219 deletions
--- a/tests/api/test_pipeline.py
+++ b/tests/api/test_pipeline.py
@@ -361,3 +361,61 @@ class TestPipelineAdminAuth:

        assert result == mock_user
        assert mock_request.state.user_id == "admin-123"
+
+    @pytest.mark.asyncio
+    async def test_authenticate_admin_lowercase_bearer(self, pipeline: ApiRequestPipeline) -> None:
+        """测试 bearer (小写) 前缀也能正确解析"""
+        mock_user = MagicMock()
+        mock_user.id = "admin-123"
+        mock_user.is_active = True
+
+        mock_request = MagicMock()
+        mock_request.headers = {"authorization": "bearer valid-token"}
+        mock_request.state = MagicMock()
+
+        mock_db = MagicMock()
+        mock_db.query.return_value.filter.return_value.first.return_value = mock_user
+
+        with patch.object(
+            pipeline.auth_service,
+            "verify_token",
+            new_callable=AsyncMock,
+            return_value={"user_id": "admin-123"},
+        ) as mock_verify:
+            result = await pipeline._authenticate_admin(mock_request, mock_db)
+
+        mock_verify.assert_awaited_once_with("valid-token", token_type="access")
+        assert result == mock_user
+
+
+class TestPipelineUserAuth:
+    """测试普通用户 JWT 认证"""
+
+    @pytest.fixture
+    def pipeline(self) -> ApiRequestPipeline:
+        return ApiRequestPipeline()
+
+    @pytest.mark.asyncio
+    async def test_authenticate_user_lowercase_bearer(self, pipeline: ApiRequestPipeline) -> None:
+        """测试 bearer (小写) 前缀也能正确解析"""
+        mock_user = MagicMock()
+        mock_user.id = "user-123"
+        mock_user.is_active = True
+
+        mock_request = MagicMock()
+        mock_request.headers = {"authorization": "bearer valid-token"}
+        mock_request.state = MagicMock()
+
+        mock_db = MagicMock()
+        mock_db.query.return_value.filter.return_value.first.return_value = mock_user
+
+        with patch.object(
+            pipeline.auth_service,
+            "verify_token",
+            new_callable=AsyncMock,
+            return_value={"user_id": "user-123"},
+        ) as mock_verify:
+            result = await pipeline._authenticate_user(mock_request, mock_db)
+
+        mock_verify.assert_awaited_once_with("valid-token", token_type="access")
+        assert result == mock_user