Skip to content

refactor(http-middleware): consolidate server-side HTTP middleware into shared crate#4173

Draft
mattgarmon wants to merge 1 commit into
constructorfabric:mainfrom
mattgarmon:middleware
Draft

refactor(http-middleware): consolidate server-side HTTP middleware into shared crate#4173
mattgarmon wants to merge 1 commit into
constructorfabric:mainfrom
mattgarmon:middleware

Conversation

@mattgarmon

Copy link
Copy Markdown
Contributor

Closes #4169

Move api-gateway's inbound HTTP middleware into the shared
cf-gears-toolkit-http-middleware crate so every HTTP-serving gear installs the
same layers from one place, and make those layers transport- and gear-agnostic.

toolkit-http-middleware:

  • Home for all server-side layers: request_id, access_log, http_metrics,
    mime_validation, license_validation, rate_limit, scope_enforcement, and
    two-plane authentication (security_context + internal_auth).
  • Layers operate on neutral lookup tables/rules and render rejections under a
    GTS scope supplied by the consumer, so the crate carries no gear-specific
    spec/config/error identity.
  • Own the config schemas for the config-driven middleware (RateLimitConfig,
    ScopeEnforcementConfig).
  • Add MatchitRouteAuthPolicy: a reusable RouteAuthPolicy over per-method matchit
    routers (explicit authenticated/public route sets with a require_auth_by_default
    fallback), usable by any gear's HTTP edge.

toolkit-canonical-errors:

  • Add runtime-scope constructors (scoped_invalid_argument,
    scoped_permission_denied, scoped_resource_exhausted) so shared middleware can
    emit gear-scoped canonical errors without reaching a gear's #[resource_error]
    type.

api-gateway:

  • Retain only gear-specific glue: the AuthN Resolver bearer adapter (keeps the
    AuthN SDK out of the shared crate), the gateway's GTS error scopes, and the
    projection from OperationSpecs + config into the neutral middleware inputs.
  • Type-alias the relocated config schemas (RateLimitDefaults,
    RoutePoliciesConfig) so config lives with the middleware it configures.

docs:

  • Document the crate's middleware surface and MatchitRouteAuthPolicy in the
    README/rustdoc, and refresh cross-references to the relocated modules.

No behavior or wire-format change.

@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 44935951-a0bf-41d1-8069-dedfd19e98e3

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

…to shared crate

Signed-off-by: matt.garmon <mjg2790@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Consolidate gateway middlewares into toolkit-http-middleware

1 participant