mirror of
https://github.com/DeBrosOfficial/orama.git
synced 2026-06-16 23:14:13 +00:00
872c553d1c
Root-cause hardening for bug #240 and #249's "intermittent 401 over WS" reports. handleNamespaceGatewayRequest previously had a third code path beyond "auth ok" and "auth error": when validateAuthForNamespaceProxy returned empty namespace AND empty error (i.e. "no credentials found"), the request fell through to a silent forward to the namespace gateway WITHOUT internal-auth headers. The namespace gateway then rejected with 401 "missing API key" in ~60µs. From the client's perspective: opaque 401. From our side: only the namespace gateway logged it, and that tier can't validate API keys (they live in the main cluster RQLite), so the operator had no signal that the main gateway had even seen the request. AnChat's intermittent 401-on-WS reports went unsolved for this exact reason. Fix: - Explicit reject at main when no credentials extracted AND path isn't public. Returns 401 with WWW-Authenticate: Bearer realm and a clear message naming the three accepted credential sources. - Rich structured logging on every WS upgrade auth outcome: presence of api_key/token/jwt query params, Authorization + X-API-Key headers, Connection/Upgrade headers, Origin, User-Agent, client IP, raw query length. Steady-state stays low-noise: success path logs at debug, reject paths log at warn. - Namespace-mismatch reject (existing branch) now also logs. VERSION bumped to 0.122.19.