feat(http): implement shared Bearer auth middleware (resolve_from_token, stash Identity in request extensions)

Add src/server/auth.rs with bearer_auth_middleware axum layer that
extracts the Authorization: Bearer header, resolves via
IdentityProvider::resolve_from_token, and stashes Option<Identity> in
request extensions. Shared by HTTP gateway routes and the to_mcp rmcp
service (research §4.4). No token, malformed header, or failed
resolution all yield None (unauthenticated, not an error) — Bearer-only
auth mechanism (ADR-004).

Includes ResolvedIdentity axum extractor reading from extensions, and
wires the middleware into the HttpAdapter router around the
gateway/openapi/mcp routes (excluding the raw /healthz route).
2026-07-01 18:48:00 +00:00
parent a65afb0dfb
commit 36f74dd31b
6 changed files with 328 additions and 6 deletions
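
The "yield None, not an error" behaviour described in the commit message, as an added std-only Rust sketch that is not the project's src/server/auth.rs. The `Identity` shape, the `resolve_from_token` signature, `StaticProvider`, `protected_status`, the case-insensitive scheme match and the whitespace rejection are all assumptions; the point is that a middleware which never rejects leaves the 401 decision to every protected route.

```rust
// Added example (std only); names and signatures are assumptions, not project code.
use std::collections::HashMap;

#[derive(Debug, Clone, PartialEq)]
pub struct Identity { pub subject: String } // hypothetical shape

pub trait IdentityProvider {
    // Assumed signature: the commit message only names the method.
    fn resolve_from_token(&self, token: &str) -> Option<Identity>;
}

/// Constructed provider: a fixed token -> subject table.
pub struct StaticProvider(pub HashMap<String, String>);

impl IdentityProvider for StaticProvider {
    fn resolve_from_token(&self, token: &str) -> Option<Identity> {
        self.0.get(token).map(|s| Identity { subject: s.clone() })
    }
}

/// Token from an Authorization header value, or None if it is not well-formed Bearer.
pub fn bearer_token(header: Option<&str>) -> Option<&str> {
    let (scheme, rest) = header?.split_once(' ')?;
    if !scheme.eq_ignore_ascii_case("Bearer") { return None; }
    let token = rest.trim();
    // Empty tokens and tokens with embedded whitespace are treated as malformed.
    if token.is_empty() || token.contains(char::is_whitespace) { return None; }
    Some(token)
}

/// The value a middleware like this would stash: Some(identity) or None, never an error.
pub fn resolve(p: &dyn IdentityProvider, header: Option<&str>) -> Option<Identity> {
    bearer_token(header).and_then(|t| p.resolve_from_token(t))
}

/// Because the middleware never rejects, each protected route has to.
pub fn protected_status(id: &Option<Identity>) -> u16 {
    if id.is_some() { 200 } else { 401 }
}

pub fn demo_provider() -> StaticProvider {
    StaticProvider(HashMap::from([("tok-constructed-123".to_string(), "alice".to_string())]))
}

fn main() {
    let p = demo_provider();
    for h in [None, Some("Basic dXNlcjpwdw=="), Some("Bearer "), Some("Bearer nope"), Some("bearer tok-constructed-123")] {
        let id = resolve(&p, h);
        println!("{:?} -> {:?} -> {}", h, id, protected_status(&id));
    }
}
```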

Cargo.lock generated

@@ -122,6 +122,7 @@ dependencies = [
"serde_json",
"thiserror 2.0.18",
"tokio",
"tower",
"tracing",
"url",
"uuid",
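
Review bot: the dependency list here grows by one entry, which appears to be "tower" between "tokio" and "tracing", and the commit message never mentions a new dependency. Please say in the message what needs it, and since Cargo.lock is generated, confirm this line came from a matching Cargo.toml edit and a normal cargo run rather than a hand edit, so the lock file and manifest cannot drift.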