Skip to content

Fix: [UN-2941] Added InternalAPIAuthMiddleware to Django middleware stack#1628

Merged
muhammad-ali-e merged 1 commit into
v0.138.16-hotfixfrom
fix/UN-2941-HOT-FIX_Add_internal_API_authentication_middleware
Nov 2, 2025
Merged

Fix: [UN-2941] Added InternalAPIAuthMiddleware to Django middleware stack#1628
muhammad-ali-e merged 1 commit into
v0.138.16-hotfixfrom
fix/UN-2941-HOT-FIX_Add_internal_API_authentication_middleware

Conversation

@muhammad-ali-e

Copy link
Copy Markdown
Contributor

What

  • Added InternalAPIAuthMiddleware to Django middleware stack in backend/backend/settings/base.py
  • Positioned the middleware after TENANT_MIDDLEWARE to ensure proper organization context handling

Why

  • To secure internal API endpoints that are called by workers
  • To properly handle X-Organization-ID header from workers for authentication and authorization
  • To prevent unauthorized access to internal backend APIs

How

  • Added middleware.internal_api_auth.InternalAPIAuthMiddleware to the MIDDLEWARE list
  • Placed it strategically after organization middleware but before security middleware
  • The middleware validates internal API requests using the X-Organization-ID header

Can this PR break any existing features. If yes, please list possible items. If no, please explain why. (PS: Admins do not merge the PR without this section filled)

No, this should not break existing features because:

  • The middleware is positioned to work with the existing tenant/organization middleware
  • It only affects internal API endpoints that require the X-Organization-ID header
  • External API calls and user-facing endpoints are not affected
  • Workers already send the X-Organization-ID header, so this provides the missing authentication layer

Potential considerations:

  • If any internal API calls are made without proper authentication headers, they may now be rejected (which is the intended security behavior)
  • Worker-backend communication must include the INTERNAL_SERVICE_API_KEY environment variable

Database Migrations

  • No database migrations required

Env Config

  • Ensure INTERNAL_SERVICE_API_KEY is configured in both backend and worker environments
  • This key should already be set for worker authentication

Relevant Docs

  • Internal API Security documentation may need to be updated (if exists)
  • Worker architecture documentation should reference this authentication mechanism

Related Issues or PRs

  • Related to UN-2941 Jira ticket
  • Part of the workers architecture implementation

Dependencies Versions

  • No dependency changes required

Notes on Testing

  • Verify that workers can successfully authenticate to internal backend APIs
  • Test that external API calls continue to work without authentication headers
  • Confirm that unauthorized internal API calls are properly rejected
  • Test organization-scoped data access through internal APIs

Screenshots

N/A - Backend middleware configuration change

Checklist

I have read and understood the Contribution Guidelines.

@coderabbitai

coderabbitai Bot commented Nov 2, 2025

Copy link
Copy Markdown
Contributor

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

✨ Finishing touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch fix/UN-2941-HOT-FIX_Add_internal_API_authentication_middleware

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@sonarqubecloud

sonarqubecloud Bot commented Nov 2, 2025

Copy link
Copy Markdown

@muhammad-ali-e muhammad-ali-e merged commit 6d761de into v0.138.16-hotfix Nov 2, 2025
5 checks passed
@muhammad-ali-e muhammad-ali-e deleted the fix/UN-2941-HOT-FIX_Add_internal_API_authentication_middleware branch November 2, 2025 10:56
vishnuszipstack pushed a commit that referenced this pull request Nov 2, 2025
* Fix/un 2910 fix prevent task duplication while warm shutdown heartbeatkeeper and resolve sigsegv issues (#1616)

* UN-2910 [FIX] Prevent task duplication during Kubernetes warm shutdown with HeartbeatKeeper

Implemented HeartbeatKeeper bootstep to maintain RabbitMQ connection during
Celery warm shutdown, preventing task requeuing and duplication during
Kubernetes rolling updates and graceful pod terminations.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* structuretool-for-testing

* handling envs

* sonar issue addressing

* forksafe gcs and gdrive connectors

* updated grpc imports

* fork safty in shared internal client session

* reverted forksafty fropm baseclient, addressed coderabbitai comments

* minor changes

* reverted structure tool changes that was changed for tetsing

* plugin registry changes for .so file comaptibility

* added default value for heartbeat

---------

Co-authored-by: Claude <noreply@anthropic.com>

* Fix: Added InternalAPIAuthMiddleware to Django middleware stack (#1628)

---------

Co-authored-by: Claude <noreply@anthropic.com>
ritwik-g pushed a commit that referenced this pull request Nov 3, 2025
…atibility (#1637)

* Fix/un 2910 fix prevent task duplication while warm shutdown heartbeatkeeper and resolve sigsegv issues (#1616)

* UN-2910 [FIX] Prevent task duplication during Kubernetes warm shutdown with HeartbeatKeeper

Implemented HeartbeatKeeper bootstep to maintain RabbitMQ connection during
Celery warm shutdown, preventing task requeuing and duplication during
Kubernetes rolling updates and graceful pod terminations.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* structuretool-for-testing

* handling envs

* sonar issue addressing

* forksafe gcs and gdrive connectors

* updated grpc imports

* fork safty in shared internal client session

* reverted forksafty fropm baseclient, addressed coderabbitai comments

* minor changes

* reverted structure tool changes that was changed for tetsing

* plugin registry changes for .so file comaptibility

* added default value for heartbeat

---------

Co-authored-by: Claude <noreply@anthropic.com>

* Fix: Added InternalAPIAuthMiddleware to Django middleware stack (#1628)

* UN-2942 [HOT-FIX] API deployments now properly clean up execution directories after completion (#1635)

UN-2942 [FIX] API deployments now properly clean up execution directories after completion

* UN-2942 [FIX] Fix API deployment directory cleanup and MinIO compatibility (#1636)

* Added boto3 version pin to match backend

* Added uvlock

* fix execution directory for api

---------

Signed-off-by: ali <117142933+muhammad-ali-e@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
@muhammad-ali-e muhammad-ali-e changed the title Fix: Added InternalAPIAuthMiddleware to Django middleware stack Fix: [UN-2941] Added InternalAPIAuthMiddleware to Django middleware stack Nov 14, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants