Module auth_middleware

Defensive middleware for the /api/v1/auth/* sub-router.

Two layers, applied in this order:

  1. rate_limit — per-source-IP token-bucket. Drops requests that exceed [server].auth_rate_limit_per_minute with a 429 response. Source IP comes from the connection (after the optional X-Forwarded-For handling that ConnectInfo gives us). Operators are still expected to terminate at a reverse proxy and rate-limit there too — this is defence in depth.

  2. strip_body_for_logs — explicit, even though the request-logger in super::log_requests only logs method + uri + status today. Treat it as a hard guarantee that credentials submitted to /auth/token never end up in a log line, regardless of what the logger middleware grows into in future.

Structs

AuthRateLimiter
In-memory rate-limit table, sized by the number of distinct source IPs that hit /auth/* in the last minute. For typical CLI fleets this is small; entries older than two windows are pruned on every check.

Functions

rate_limit
Per-source-IP rate limit middleware. Reads [server].auth_rate_limit_per_minute from ServerState; when None, the middleware is a no-op (operators rate-limit at the proxy).
strip_body_for_logs
Belt-and-braces: ensure no /auth/* request body ever reaches a logger. The runtime cost is one logger-scoped tracing span with the body field redacted; the body itself is forwarded to the handler untouched.
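The following is an added, standalone sketch (not code from this module or its crate) of the behaviour that the rate_limit overview and the AuthRateLimiter description imply: a per-source-IP token bucket whose capacity is the per-minute limit, a no-op when the limit is None, and pruning of entries idle for two windows on every check. The names AuthRateLimiter::new, check and tracked_sources, the Option<u32> standing in for [server].auth_rate_limit_per_minute, and passing the current Instant into check (so time is under the caller's control) are all assumptions made for this example; the real module's types, fields and ServerState wiring are not shown on this page.

```rust
// Added example (not the project's code): a standalone token bucket that
// mirrors the documented rate_limit / AuthRateLimiter behaviour. The names
// below and the Option<u32> limit are assumptions for illustration.
use std::collections::HashMap;
use std::net::IpAddr;
use std::time::{Duration, Instant};

/// One rate-limit window; the configured limit is "tokens per window".
const WINDOW: Duration = Duration::from_secs(60);

struct Bucket {
    tokens: f64,        // fractional tokens currently available
    last_seen: Instant, // time of last refill; also drives pruning
}

pub struct AuthRateLimiter {
    /// None mirrors an unset [server].auth_rate_limit_per_minute: no-op.
    limit_per_window: Option<u32>,
    buckets: HashMap<IpAddr, Bucket>,
}

impl AuthRateLimiter {
    pub fn new(limit_per_window: Option<u32>) -> Self {
        Self { limit_per_window, buckets: HashMap::new() }
    }

    /// Returns true if the request from `ip` may proceed, false if it should
    /// be answered with 429. `now` is passed in so callers control time.
    pub fn check(&mut self, ip: IpAddr, now: Instant) -> bool {
        // No configured limit: let everything through and keep no state.
        let limit = match self.limit_per_window {
            Some(limit) => limit,
            None => return true,
        };
        self.prune(now);

        let capacity = f64::from(limit);
        let refill_per_sec = capacity / WINDOW.as_secs_f64();
        let bucket = self
            .buckets
            .entry(ip)
            .or_insert(Bucket { tokens: capacity, last_seen: now });

        // Continuous refill: limit/60 tokens per second, capped at capacity.
        let elapsed = now.saturating_duration_since(bucket.last_seen).as_secs_f64();
        bucket.tokens = (bucket.tokens + elapsed * refill_per_sec).min(capacity);
        bucket.last_seen = now;

        if bucket.tokens >= 1.0 {
            bucket.tokens -= 1.0;
            true
        } else {
            false
        }
    }

    /// Drop sources not seen for two full windows, so the table only tracks
    /// recently active IPs instead of growing without bound.
    fn prune(&mut self, now: Instant) {
        let horizon = WINDOW * 2;
        self.buckets
            .retain(|_, b| now.saturating_duration_since(b.last_seen) < horizon);
    }

    /// Number of source IPs currently held in the table.
    pub fn tracked_sources(&self) -> usize {
        self.buckets.len()
    }
}

fn main() {
    // Constructed sample source address from the TEST-NET-1 range.
    let ip: IpAddr = "192.0.2.10".parse().unwrap();
    let t0 = Instant::now();
    let mut limiter = AuthRateLimiter::new(Some(3));
    for i in 1..=4 {
        println!("request {}: allowed={}", i, limiter.check(ip, t0));
    }
    let later = t0 + Duration::from_secs(40);
    println!("after 40s: allowed={}", limiter.check(ip, later));
}
```

Because `check` takes the clock as a parameter, the refill and pruning arithmetic can be exercised deterministically; in a real middleware the `now` would come from `Instant::now()` at request time and the table would sit behind a lock inside the shared server state.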