diff --git a/veza-backend-api/internal/api/router.go b/veza-backend-api/internal/api/router.go
index 8ea4c8797..64aa9d2a4 100644
--- a/veza-backend-api/internal/api/router.go
+++ b/veza-backend-api/internal/api/router.go
@@ -175,23 +175,9 @@ func (r *APIRouter) Setup(router *gin.Engine) error {
 r.logger.Info("Monitoring service disabled (PROMETHEUS_URL not configured)")
 }
- // Middlewares globaux
- router.Use(middleware.RequestLogger(r.logger)) // Utilisation du structured logger
- router.Use(middleware.Metrics()) // Prometheus Metrics
- router.Use(middleware.SentryRecover(r.logger)) // Sentry error tracking
- router.Use(middleware.SecurityHeaders()) // MOD-P2-005: Security headers (HSTS, CSP, etc.)
-
- // INT-021: Add API monitoring middleware to track failures and trigger alerts
- router.Use(middleware.APIMonitoringMiddleware(r.logger, r.monitoringService))
-
- // MOD-P1-005: Determine if stack traces should be included in logs
- // Stack traces only in dev/DEBUG mode (not in production)
- // Include if: APP_ENV=development OR LOG_LEVEL=DEBUG
- // MOD-P1-005: Determine if stack traces should be included in logs
- // Stack traces only in dev/DEBUG mode (not in production)
- includeStackTrace := r.config.Env == config.EnvDevelopment || r.config.LogLevel == "DEBUG"
- router.Use(middleware.ErrorHandler(r.logger, r.config.ErrorMetrics, includeStackTrace))
- router.Use(middleware.Recovery(r.logger, includeStackTrace))
+ // P1.1: CORS middleware MUST be first to ensure headers are always present
+ // Even if subsequent middlewares reject the request (panic, timeout, error),
+ // the CORS headers will be set, preventing intermittent CORS errors
 // SECURITY: CORS configuration - use config.CORSOrigins strictly (P0-SECURITY)
 // No fallback to CORSDefault() to avoid wildcard in production
 // MOD-P0-001: Apply CORS middleware even if CORSOrigins is empty (strict mode - reject all origins)
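Review bot: The new comment promises that CORS headers survive a panic in later middleware, but with `middleware.Recovery` now registered after CORS that holds only if `middleware.CORS` writes its headers before calling `c.Next()` (its body is not visible here) and the panic is still caught inside the chain; a panic raised inside the CORS middleware itself is no longer caught by the project's Recovery at all and falls through to whatever gin or net/http does by default, which with a `gin.New()` engine means no structured log and no Sentry event. I would state the precondition instead of the guarantee: `// Relies on middleware.CORS setting its headers before c.Next(); Recovery is registered later, so CORS itself must never panic`. The enclosing Setup method starts and continues outside this hunk.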
@@ -218,6 +204,24 @@ func (r *APIRouter) Setup(router *gin.Engine) error {
 router.Use(middleware.CORS([]string{}))
 r.logger.Warn("Config is nil - CORS middleware applied in strict mode (reject all origins).")
 }
+
+ // Middlewares globaux (after CORS)
+ router.Use(middleware.RequestLogger(r.logger)) // Utilisation du structured logger
+ router.Use(middleware.Metrics()) // Prometheus Metrics
+ router.Use(middleware.SentryRecover(r.logger)) // Sentry error tracking
+ router.Use(middleware.SecurityHeaders()) // MOD-P2-005: Security headers (HSTS, CSP, etc.)
+
+ // INT-021: Add API monitoring middleware to track failures and trigger alerts
+ router.Use(middleware.APIMonitoringMiddleware(r.logger, r.monitoringService))
+
+ // MOD-P1-005: Determine if stack traces should be included in logs
+ // Stack traces only in dev/DEBUG mode (not in production)
+ // Include if: APP_ENV=development OR LOG_LEVEL=DEBUG
+ // MOD-P1-005: Determine if stack traces should be included in logs
+ // Stack traces only in dev/DEBUG mode (not in production)
+ includeStackTrace := r.config.Env == config.EnvDevelopment || r.config.LogLevel == "DEBUG"
+ router.Use(middleware.ErrorHandler(r.logger, r.config.ErrorMetrics, includeStackTrace))
+ router.Use(middleware.Recovery(r.logger, includeStackTrace))
 router.Use(middleware.RequestID())
 // Global Timeout middleware (PR-6)
 // MOD-P0-003: Removed duplicate timeout middleware registration
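Review bot: `includeStackTrace := r.config.Env == config.EnvDevelopment || r.config.LogLevel == "DEBUG"` is now reached directly after the branch that warns `Config is nil`, so on that path the reorder leads straight into a nil dereference (assuming r.config is a pointer, as the warning text suggests) before Recovery has been installed; the strict-mode fallback only makes sense if what follows tolerates a nil config, e.g. `includeStackTrace := r.config != nil && (r.config.Env == config.EnvDevelopment || r.config.LogLevel == "DEBUG")`, with the `r.config.ErrorMetrics` argument guarded the same way. Separately, SecurityHeaders now runs after CORS, so any response CORS writes itself before calling `c.Next()` — presumably the preflight reply — leaves without HSTS/CSP and is also invisible to RequestLogger, Metrics and APIMonitoring; since SecurityHeaders only sets headers and does not abort, it could stay registered ahead of CORS. The duplicated MOD-P1-005 comment block was carried over verbatim and could be collapsed to a single copy. The enclosing Setup method continues outside this hunk.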