
Milestone 1.2.1: Proxy Auth Client and Middleware — complete.

Milestone 1.2.1: Proxy Auth Client and Middleware

Status: Complete
Goal: 1.2 Proxy platform integration
Phase: 1 — Core Platform

Summary

Connect the proxy to the auth service via the gRPC ValidateToken call, add HTTP auth middleware on protected routes, populate the request context with org_id and permissions, define a minimal stable error envelope, and add integration/CI coverage. The Bloom/LRU cache is deferred to Phase 2 optional 2.2.1.

Branch

feature/m1-2-1-proxy-auth-client

PR title

feat(proxy): auth gRPC client (m1.2.1)

Prerequisites

  • 1.1.31.1.6 merged
  • packages/permissions, make proto-gen
  • Auth + Postgres via compose for local/integration tests

Tasks

  • ADR-0011
  • services/proxy/internal/auth/TokenValidator, GRPCValidator, bearer parse, context
  • services/proxy/internal/errors/ — minimal stable envelope
  • Auth middleware + routes: /v1/internal/auth-probe, /v1/orgs/{org_id}/auth-probe, POST /v1/chat/completions (501 stub)
  • Config: IBEX_AUTH_GRPC_ADDR, IBEX_AUTH_VALIDATE_TIMEOUT
  • Metrics: auth validate total/duration (no org_id label)
  • Unit tests (mock validator) + integration tests (real auth gRPC + Postgres)
  • CI proxy-auth-smoke job
  • Contributor execution materials prepared

Files affected

| Path | Action |
| --- | --- |
| docs/adr/ADR-0011-proxy-auth-client.md | Add |
| services/proxy/internal/auth/ | Add |
| services/proxy/internal/errors/ | Add |
| services/proxy/internal/http/auth_middleware.go, router.go | Add / extend |
| services/proxy/internal/config/ | Extend |
| services/proxy/internal/metrics/ | Extend |
| services/proxy/cmd/proxy/main.go | Wire gRPC dial |
| services/proxy/proxy_auth_integration_test.go | Add |
| services/auth/integrationtest/grpc.go | Add (shared test helper) |
| services/proxy/.env.example | Auth vars |
| .github/workflows/ci.yml | proxy-auth-smoke |

Testing requirements

```bash
make proto-gen
go test ./services/proxy/...
go test -tags=integration ./services/proxy/...
```

Integration cases: missing token, valid/invalid/revoked PAT, cross-tenant path, permission on chat stub, auth down → 503.

Definition of done

  • Protected routes return 401 without Authorization
  • Valid PAT → 200 on auth-probe; chat stub → 501 with ProxyChatCompletion
  • Auth service down → 503 fail closed
  • Cross-tenant path → 403
  • Revoke → proxy rejects
  • proxy-auth-smoke CI green
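
The status mapping in the definition of done (401, 403, 503 fail closed), written out as an added Go sketch; this is not the project's code. `TokenValidator` is named on this page, while its `Validate` signature, `Principal`, `ErrInvalidToken`, `ValidatorFunc`, `Authorize` and the sample token are assumptions made for the example.

```go
package main

import (
	"context"
	"errors"
	"net/http"
	"strings"
	"time"
)

// Principal and ErrInvalidToken are hypothetical; TokenValidator's method signature is assumed.
type Principal struct {
	OrgID       string
	Permissions []string
}

var ErrInvalidToken = errors.New("token invalid or revoked")

type TokenValidator interface {
	Validate(ctx context.Context, token string) (Principal, error)
}

// Authorize returns the HTTP status for one request; pathOrg is "" when the route has no {org_id}.
func Authorize(ctx context.Context, v TokenValidator, authz, pathOrg string, timeout time.Duration) (Principal, int) {
	scheme, token, _ := strings.Cut(authz, " ")
	if token = strings.TrimSpace(token); !strings.EqualFold(scheme, "Bearer") || token == "" {
		return Principal{}, http.StatusUnauthorized // missing or malformed Authorization
	}
	ctx, cancel := context.WithTimeout(ctx, timeout)
	defer cancel()
	p, err := v.Validate(ctx, token)
	switch {
	case errors.Is(err, ErrInvalidToken):
		return Principal{}, http.StatusUnauthorized // auth answered: invalid or revoked PAT
	case err != nil:
		return Principal{}, http.StatusServiceUnavailable // timeout or auth down: fail closed
	case pathOrg != "" && pathOrg != p.OrgID:
		return Principal{}, http.StatusForbidden // cross-tenant path
	}
	return p, http.StatusOK
}

// ValidatorFunc adapts a function to TokenValidator; it stands in for the gRPC-backed validator.
type ValidatorFunc func(ctx context.Context, token string) (Principal, error)
func (f ValidatorFunc) Validate(ctx context.Context, t string) (Principal, error) { return f(ctx, t) }

func main() { // constructed outage: the validator blocks until the 50ms deadline fires
	down := ValidatorFunc(func(ctx context.Context, _ string) (Principal, error) { <-ctx.Done(); return Principal{}, ctx.Err() })
	_, status := Authorize(context.Background(), down, "Bearer pat_example", "", 50*time.Millisecond)
	println(status) // 503
}
```

Only an explicit rejection from the validator becomes 401; every other error, including the deadline, becomes 503, so an outage never lets a request through.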

Risks

| Risk | Mitigation |
| --- | --- |
| Auth latency on hot path | 50ms timeout; Phase 2 cache via TokenValidator wrapper |
| Circular dependency | Auth never calls proxy |
| Error envelope drift vs 1.2.3 | Shared internal/errors package |

Deferred

  • Bloom filter + LRU cache → Phase 2 optional 2.2.1-auth-cache-bloom
  • Full validation middleware → 1.2.3
  • Request body parsing → 1.2.2