From 113f44b95781f80807fe8caee141d382b4e63bab Mon Sep 17 00:00:00 2001
From: "Rodrigo Rodriguez (Pragmatismo)"
Date: Sat, 10 Jan 2026 14:07:23 -0300
Subject: [PATCH] fix(middleware): correct order - Auth runs BEFORE RBAC

In Axum, layers are applied bottom-to-top (last added runs first).
So Auth middleware must be added AFTER RBAC in the chain to run BEFORE it.

Previous order (wrong): RBAC -> Auth -> Handler
New order (correct): Auth -> RBAC -> Handler
---
 src/main.rs | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/src/main.rs b/src/main.rs
index 6f66111ad..0161e1a65 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -500,6 +500,14 @@ async fn run_axum_server(
 .layer(rate_limit_extension)
 // Request ID tracking for all requests
 .layer(middleware::from_fn(request_id_middleware))
+ // Authentication middleware using provider registry
+ // NOTE: In Axum, layers are applied bottom-to-top, so this runs BEFORE RBAC
+ .layer(middleware::from_fn(move |req: axum::http::Request, next: axum::middleware::Next| {
+ let state = auth_middleware_state.clone();
+ async move {
+ botserver::security::auth_middleware_with_providers(req, next, state).await
+ }
+ }))
 // RBAC middleware - checks permissions AFTER authentication
 .layer(middleware::from_fn(move |req: axum::http::Request, next: axum::middleware::Next| {
 let rbac = Arc::clone(&rbac_manager_for_middleware);
@@ -507,13 +515,6 @@ async fn run_axum_server(
 botserver::security::rbac_middleware_fn(req, next, rbac).await
 }
 }))
- // Authentication middleware using provider registry
- .layer(middleware::from_fn(move |req: axum::http::Request, next: axum::middleware::Next| {
- let state = auth_middleware_state.clone();
- async move {
- botserver::security::auth_middleware_with_providers(req, next, state).await
- }
- }))
 // Panic handler catches panics and returns safe 500 responses
 .layer(middleware::from_fn(move |req, next| {
 let config = panic_config.clone();
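Review bot: The added comment `// NOTE: In Axum, layers are applied bottom-to-top, so this runs BEFORE RBAC` contradicts itself and the commit message: if layers run bottom-to-top (the last `.layer` call is the outermost and sees the request first, which is how `Router::layer` behaves), then a layer placed textually ABOVE the RBAC layer runs AFTER it, so this hunk makes `rbac_middleware_fn` execute on a request that has not yet passed `auth_middleware_with_providers` — the opposite of the stated intent, and the removed placement in the second hunk was the one that matched the message's own reasoning. The receiver of this `.layer` chain starts outside the hunk, so I cannot tell whether it is a `Router` (bottom-to-top) or a `tower::ServiceBuilder` (top-to-bottom, in which case the code is right and only the comment and message are wrong); the author should confirm which one and rewrite the NOTE to name it, e.g. `// NOTE: Router::layer is bottom-to-top (last call is outermost); auth must sit BELOW the RBAC layer in this chain to run first`. The ordering matters for security because RBAC evaluating before authentication means permission decisions are made with no verified identity, and whether that fails closed depends entirely on how `rbac_middleware_fn` treats an absent principal. Pin the intended order with an integration test: an unauthenticated request to an RBAC-protected route must be rejected by the auth layer (401), and an authenticated-but-unauthorized request must be rejected by RBAC (403), so a future reordering of this chain cannot silently swap them again.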