veza/veza-backend-api/internal/config/middlewares_init.go

package config

import (
	"time"

	"github.com/gin-gonic/gin"
	"veza-backend-api/internal/middleware"
)

// InitMiddlewaresForTest initializes middlewares for integration/E2E tests.
// Exported for use by internal/integration and tests packages.
func (c *Config) InitMiddlewaresForTest() error {
	return c.initMiddlewares()
}

// initMiddlewares initialise tous les middlewares
func (c *Config) initMiddlewares() error {
	// Rate limiter global (avec Redis)
	// En développement, augmenter les limites pour éviter les erreurs lors des tests
	ipLimit := getEnvInt("RATE_LIMIT_IP_PER_MINUTE", 200) // Augmenté de 100 à 200 en dev
	ipBurst := getEnvInt("RATE_LIMIT_IP_BURST", 20)       // Augmenté de 10 à 20 en dev
	userLimit := getEnvInt("RATE_LIMIT_USER_PER_MINUTE", 1000)
	userBurst := getEnvInt("RATE_LIMIT_USER_BURST", 100)

	rateLimiterConfig := &middleware.RateLimiterConfig{
		IPRequestsPerMinute:   ipLimit,
		IPBurst:               ipBurst,
		UserRequestsPerMinute: userLimit,
		UserBurst:             userBurst,
		RedisClient:           c.RedisClient,
		KeyPrefix:             "veza:rate_limit",
	}
	c.RateLimiter = middleware.NewRateLimiter(rateLimiterConfig)

	// Simple rate limiter (T0015) - sans dépendance Redis
	window := time.Duration(c.RateLimitWindow) * time.Second
	c.SimpleRateLimiter = middleware.NewSimpleRateLimiter(c.RateLimitLimit, window)

	// Rate limiter par endpoint
	endpointLimiterConfig := &middleware.EndpointLimiterConfig{
		RedisClient: c.RedisClient,
		KeyPrefix:   "veza:endpoint_limit",
	}
	endpointLimits := middleware.DefaultEndpointLimits()
	// Override defaults with config (PR-3)
	endpointLimits.LoginAttempts = c.AuthRateLimitLoginAttempts
	endpointLimits.LoginWindow = time.Duration(c.AuthRateLimitLoginWindow) * time.Minute
	// A04: Limites register assouplies en dev (20/heure au lieu de 3/heure)
	endpointLimits.RegisterAttempts = getDefaultRegisterAttempts(c.Env)
	endpointLimits.RegisterWindow = time.Hour

	c.EndpointLimiter = middleware.NewEndpointLimiter(endpointLimiterConfig, endpointLimits)

	// BE-SVC-002: Initialize per-user rate limiter
	userRateLimiterConfig := &middleware.UserRateLimiterConfig{
		RequestsPerMinute: getEnvAsInt("USER_RATE_LIMIT_PER_MINUTE", 1000), // Default: 1000 requests per minute per user
		Burst:             getEnvAsInt("USER_RATE_LIMIT_BURST", 100),       // Default: 100 burst
		Window:            time.Minute,
		RedisClient:       c.RedisClient,
		KeyPrefix:         "user_rate_limit",
		Logger:            c.Logger,
	}
	c.UserRateLimiter = middleware.NewUserRateLimiter(userRateLimiterConfig)

	// Middleware d'authentification (supports JWT and X-API-Key for developer keys)
	c.AuthMiddleware = middleware.NewAuthMiddleware(
		c.SessionService,
		c.AuditService,
		c.PermissionService,
		c.JWTService,
		c.UserService,
		c.APIKeyService,
		c.TokenBlacklist, // VEZA-SEC-006: nil if Redis unavailable (implements TokenBlacklistChecker)
		c.Logger,
	)
	if c.PresenceService != nil {
		c.AuthMiddleware.SetPresenceService(c.PresenceService)
	}

	return nil
}

// SetupMiddleware configure les middlewares globaux
// DÉPRÉCIÉ : Cette méthode est conservée pour compatibilité mais ne fait plus rien
// Les middlewares globaux sont maintenant configurés dans internal/api/router.go via APIRouter.Setup()
// NOTE: CORS could use c.CORSOrigins from config in api/router.go
func (c *Config) SetupMiddleware(router *gin.Engine) {
	// No-op : Les middlewares sont configurés dans api/router.go
	// Cette méthode existe uniquement pour compatibilité avec cmd/main.go (legacy)
	// qui sera désactivé dans le Chantier 1 - Étape 2
}
refactor(config): découper config.go par domaine (audit 2.7) - env_helpers.go: getEnv*, parseLogAggregationLabels - db_init.go: initDatabaseWithRetry - redis_init.go: initRedis, filteredRedisLogger - rabbitmq.go: getRabbitMQURL - cors.go: CORS, cookies - rate_limit.go: rate limit defaults - services_init.go: initServices - middlewares_init.go: initMiddlewares, SetupMiddleware - config.go réduit de ~1487 à ~550 LOC 2026-02-15 13:44:33 +00:00			`package config`

			`import (`
			`"time"`

			`"github.com/gin-gonic/gin"`
			`"veza-backend-api/internal/middleware"`
			`)`

test: add 5 cross-service E2E integration tests INT-03: Tests for health endpoint, auth flow, track upload auth, webhook HTTPS-only, and rate limit headers. Build-tagged 'integration' to avoid running in regular test suite. 2026-02-22 16:52:50 +00:00			`// InitMiddlewaresForTest initializes middlewares for integration/E2E tests.`
			`// Exported for use by internal/integration and tests packages.`
			`func (c *Config) InitMiddlewaresForTest() error {`
			`return c.initMiddlewares()`
			`}`

refactor(config): découper config.go par domaine (audit 2.7) - env_helpers.go: getEnv*, parseLogAggregationLabels - db_init.go: initDatabaseWithRetry - redis_init.go: initRedis, filteredRedisLogger - rabbitmq.go: getRabbitMQURL - cors.go: CORS, cookies - rate_limit.go: rate limit defaults - services_init.go: initServices - middlewares_init.go: initMiddlewares, SetupMiddleware - config.go réduit de ~1487 à ~550 LOC 2026-02-15 13:44:33 +00:00			`// initMiddlewares initialise tous les middlewares`
			`func (c *Config) initMiddlewares() error {`
			`// Rate limiter global (avec Redis)`
			`// En développement, augmenter les limites pour éviter les erreurs lors des tests`
			`ipLimit := getEnvInt("RATE_LIMIT_IP_PER_MINUTE", 200) // Augmenté de 100 à 200 en dev`
			`ipBurst := getEnvInt("RATE_LIMIT_IP_BURST", 20) // Augmenté de 10 à 20 en dev`
			`userLimit := getEnvInt("RATE_LIMIT_USER_PER_MINUTE", 1000)`
			`userBurst := getEnvInt("RATE_LIMIT_USER_BURST", 100)`

			`rateLimiterConfig := &middleware.RateLimiterConfig{`
			`IPRequestsPerMinute: ipLimit,`
			`IPBurst: ipBurst,`
			`UserRequestsPerMinute: userLimit,`
			`UserBurst: userBurst,`
			`RedisClient: c.RedisClient,`
			`KeyPrefix: "veza:rate_limit",`
			`}`
			`c.RateLimiter = middleware.NewRateLimiter(rateLimiterConfig)`

			`// Simple rate limiter (T0015) - sans dépendance Redis`
			`window := time.Duration(c.RateLimitWindow) * time.Second`
			`c.SimpleRateLimiter = middleware.NewSimpleRateLimiter(c.RateLimitLimit, window)`

			`// Rate limiter par endpoint`
			`endpointLimiterConfig := &middleware.EndpointLimiterConfig{`
			`RedisClient: c.RedisClient,`
			`KeyPrefix: "veza:endpoint_limit",`
			`}`
			`endpointLimits := middleware.DefaultEndpointLimits()`
			`// Override defaults with config (PR-3)`
			`endpointLimits.LoginAttempts = c.AuthRateLimitLoginAttempts`
			`endpointLimits.LoginWindow = time.Duration(c.AuthRateLimitLoginWindow) * time.Minute`
			`// A04: Limites register assouplies en dev (20/heure au lieu de 3/heure)`
			`endpointLimits.RegisterAttempts = getDefaultRegisterAttempts(c.Env)`
			`endpointLimits.RegisterWindow = time.Hour`

			`c.EndpointLimiter = middleware.NewEndpointLimiter(endpointLimiterConfig, endpointLimits)`

			`// BE-SVC-002: Initialize per-user rate limiter`
			`userRateLimiterConfig := &middleware.UserRateLimiterConfig{`
			`RequestsPerMinute: getEnvAsInt("USER_RATE_LIMIT_PER_MINUTE", 1000), // Default: 1000 requests per minute per user`
			`Burst: getEnvAsInt("USER_RATE_LIMIT_BURST", 100), // Default: 100 burst`
			`Window: time.Minute,`
			`RedisClient: c.RedisClient,`
			`KeyPrefix: "user_rate_limit",`
			`Logger: c.Logger,`
			`}`
			`c.UserRateLimiter = middleware.NewUserRateLimiter(userRateLimiterConfig)`

feat(developer): add API keys backend (Lot C) - Migration 082: api_keys table (user_id, name, prefix, hashed_key, scopes, last_used_at, expires_at) - APIKey model, APIKeyService (Create, List, Delete, ValidateAPIKey) - APIKeyHandler: GET/POST/DELETE /api/v1/developer/api-keys - AuthMiddleware: X-API-Key and Bearer vza_* accepted as alternative to JWT - CSRF: skip for API key auth (stateless) - Key format: vza_ prefix, SHA-256 hashed storage 2026-02-19 23:18:36 +00:00			`// Middleware d'authentification (supports JWT and X-API-Key for developer keys)`
refactor(config): découper config.go par domaine (audit 2.7) - env_helpers.go: getEnv*, parseLogAggregationLabels - db_init.go: initDatabaseWithRetry - redis_init.go: initRedis, filteredRedisLogger - rabbitmq.go: getRabbitMQURL - cors.go: CORS, cookies - rate_limit.go: rate limit defaults - services_init.go: initServices - middlewares_init.go: initMiddlewares, SetupMiddleware - config.go réduit de ~1487 à ~550 LOC 2026-02-15 13:44:33 +00:00			`c.AuthMiddleware = middleware.NewAuthMiddleware(`
			`c.SessionService,`
			`c.AuditService,`
			`c.PermissionService,`
			`c.JWTService,`
			`c.UserService,`
feat(developer): add API keys backend (Lot C) - Migration 082: api_keys table (user_id, name, prefix, hashed_key, scopes, last_used_at, expires_at) - APIKey model, APIKeyService (Create, List, Delete, ValidateAPIKey) - APIKeyHandler: GET/POST/DELETE /api/v1/developer/api-keys - AuthMiddleware: X-API-Key and Bearer vza_* accepted as alternative to JWT - CSRF: skip for API key auth (stateless) - Key format: vza_ prefix, SHA-256 hashed storage 2026-02-19 23:18:36 +00:00			`c.APIKeyService,`
feat(security): v0.901 Ironclad - fix 5 critical/high vulnerabilities - OAuth: use JWTService+SessionService, httpOnly cookies (VEZA-SEC-001) - Remove PasswordService.GenerateJWT (VEZA-SEC-002) - Hyperswitch webhook: mandatory verification, 500 if secret empty (VEZA-SEC-005) - Auth middleware: TokenBlacklist.IsBlacklisted check (VEZA-SEC-006) - Waveform: ValidateExecPath before exec (VEZA-SEC-007) 2026-02-26 18:34:45 +00:00			`c.TokenBlacklist, // VEZA-SEC-006: nil if Redis unavailable (implements TokenBlacklistChecker)`
refactor(config): découper config.go par domaine (audit 2.7) - env_helpers.go: getEnv*, parseLogAggregationLabels - db_init.go: initDatabaseWithRetry - redis_init.go: initRedis, filteredRedisLogger - rabbitmq.go: getRabbitMQURL - cors.go: CORS, cookies - rate_limit.go: rate limit defaults - services_init.go: initServices - middlewares_init.go: initMiddlewares, SetupMiddleware - config.go réduit de ~1487 à ~550 LOC 2026-02-15 13:44:33 +00:00			`c.Logger,`
			`)`
feat(presence): PresenceService and GET /users/:id/presence (P1.2) 2026-02-21 04:22:43 +00:00			`if c.PresenceService != nil {`
			`c.AuthMiddleware.SetPresenceService(c.PresenceService)`
			`}`
refactor(config): découper config.go par domaine (audit 2.7) - env_helpers.go: getEnv*, parseLogAggregationLabels - db_init.go: initDatabaseWithRetry - redis_init.go: initRedis, filteredRedisLogger - rabbitmq.go: getRabbitMQURL - cors.go: CORS, cookies - rate_limit.go: rate limit defaults - services_init.go: initServices - middlewares_init.go: initMiddlewares, SetupMiddleware - config.go réduit de ~1487 à ~550 LOC 2026-02-15 13:44:33 +00:00
			`return nil`
			`}`

			`// SetupMiddleware configure les middlewares globaux`
			`// DÉPRÉCIÉ : Cette méthode est conservée pour compatibilité mais ne fait plus rien`
			`// Les middlewares globaux sont maintenant configurés dans internal/api/router.go via APIRouter.Setup()`
release(v0.903): Vault - ORDER BY whitelist, rate limiter, VERSION sync, chat-server cleanup, Go 1.24 - ORDER BY dynamiques : whitelist explicite, fallback created_at DESC - Login/register soumis au rate limiter global - VERSION sync + check CI - Nettoyage références veza-chat-server - Go 1.24 partout (Dockerfile, workflows) - TODO/FIXME/HACK convertis en issues ou résolus 2026-02-27 08:43:25 +00:00			`// NOTE: CORS could use c.CORSOrigins from config in api/router.go`
refactor(config): découper config.go par domaine (audit 2.7) - env_helpers.go: getEnv*, parseLogAggregationLabels - db_init.go: initDatabaseWithRetry - redis_init.go: initRedis, filteredRedisLogger - rabbitmq.go: getRabbitMQURL - cors.go: CORS, cookies - rate_limit.go: rate limit defaults - services_init.go: initServices - middlewares_init.go: initMiddlewares, SetupMiddleware - config.go réduit de ~1487 à ~550 LOC 2026-02-15 13:44:33 +00:00			`func (c Config) SetupMiddleware(router gin.Engine) {`
			`// No-op : Les middlewares sont configurés dans api/router.go`
			`// Cette méthode existe uniquement pour compatibilité avec cmd/main.go (legacy)`
			`// qui sera désactivé dans le Chantier 1 - Étape 2`
			`}`