
fix: internal microservice authentication for Gmail/Outlook scanning APIs#212

Merged
Userunknown84 merged 1 commit into
Userunknown84:mainfrom
onkar0127:fix-microservice-auth
Jun 23, 2026

Conversation

onkar0127 (Contributor) commented Jun 22, 2026

fixes #147

Description

This Pull Request introduces a secure internal shared-secret authentication mechanism (Option A) between the Node.js API Gateway and the Python Flask ML API.

Previously, several endpoints (including /gmail/callback, /gmail/emails, /outlook/callback, /outlook/emails, and /scan-emails) were decorated with @jwt_required(). Because the Node.js backend does not forward a Flask-signed JWT token, all internal requests initiated by the Node backend failed immediately with 401 Unauthorized responses.

By implementing a shared internal secret checking mechanism:

  • Node.js requests automatically forward the internal secret header X-Internal-Secret.
  • Flask validates the secret, bypasses the JWT check if the secret is valid, and resolves the user identity using the X-User-Username header instead of get_jwt_identity().
  • Unchanged client-facing JWT endpoints continue to work as expected.
  • Added internal secret verification to the /imap/... routes, which previously had no validation.

Key Changes

  • Node.js Gateway (backend/server.js):
    • Configured a global request interceptor for Axios to automatically append the X-Internal-Secret header on all outgoing Flask API calls.
  • Python Flask ML API (backend/api.py):
    • Implemented the @jwt_or_secret_required() custom decorator.
    • Implemented the get_current_user_identity() helper to resolve identity from X-User-Username when the secret matches, falling back to standard get_jwt_identity() otherwise.
    • Updated /imap endpoints' identity check (_require_username()) to also verify X-Internal-Secret for consistency.
  • Unit Tests (backend/tests/test_internal_secret.py):
    • Created a new test suite confirming valid shared secret access, standard JWT access, invalid secrets, missing credentials, and secure IMAP validations.

Verification Results

All tests ran successfully with zero regressions:

  • pytest backend/tests/test_internal_secret.py: 6 passed / 6 total
  • pytest backend/tests: 59 passed / 59 total
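The check the description above outlines (trust X-User-Username only once X-Internal-Secret has been verified, otherwise fall back to the JWT path), as an added example that is not the project's code and does not reproduce backend/api.py. It runs without Flask: request headers are a plain dict, `demo_jwt_identity` stands in for `get_jwt_identity()`, and every name here (`Unauthorized`, `secret_is_valid`, `resolve_identity`, `jwt_or_secret_required`, `gateway_headers`, the demo token table) is an assumption made for illustration.

```python
"""Added example, not the project's code: shared-secret header auth for an
internal gateway -> ML API hop, with JWT fallback for client-facing calls.
All names below are assumptions for illustration."""
import hmac
from functools import wraps


class Unauthorized(Exception):
    """Raised where a Flask view would answer 401 Unauthorized."""


def secret_is_valid(headers, expected_secret):
    """True only when the configured secret is non-empty and the presented
    header matches it. hmac.compare_digest avoids a timing side channel; the
    emptiness check stops an unset secret (empty string) from matching a
    request that simply omits or blanks the header."""
    presented = headers.get("X-Internal-Secret", "")
    if not expected_secret or not presented:
        return False
    return hmac.compare_digest(presented.encode("utf-8"),
                               expected_secret.encode("utf-8"))


# Constructed stand-in for get_jwt_identity(): bearer token -> username.
DEMO_TOKENS = {"tok-alice": "alice"}


def demo_jwt_identity(headers):
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    if token not in DEMO_TOKENS:
        raise Unauthorized("missing or invalid JWT")
    return DEMO_TOKENS[token]


def resolve_identity(headers, expected_secret, jwt_identity=demo_jwt_identity):
    """Read X-User-Username only after the secret has been verified, so an
    external client cannot pick a username just by sending that header."""
    if secret_is_valid(headers, expected_secret):
        username = headers.get("X-User-Username", "").strip()
        if not username:
            raise Unauthorized("internal request lacks X-User-Username")
        return username
    return jwt_identity(headers)


def jwt_or_secret_required(expected_secret):
    """Decorator shape for a view; it receives the request headers
    (a dict here, flask.request.headers in a real app)."""
    def decorator(view):
        @wraps(view)
        def wrapper(headers, *args, **kwargs):
            identity = resolve_identity(headers, expected_secret)
            return view(identity, *args, **kwargs)
        return wrapper
    return decorator


def gateway_headers(secret, username):
    """What the gateway side (the Axios interceptor) attaches to each call."""
    return {"X-Internal-Secret": secret, "X-User-Username": username}


SECRET = "s3cr3t-configured-out-of-band"  # constructed; read from env in practice


@jwt_or_secret_required(SECRET)
def scan_emails(identity):
    return f"scanning mailbox of {identity}"


def run_cases():
    """Outcomes for constructed requests; 'DENIED' where a 401 would be sent."""
    def attempt(headers):
        try:
            return scan_emails(headers)
        except Unauthorized:
            return "DENIED"

    return {
        "internal_ok": attempt(gateway_headers(SECRET, "bob")),
        "jwt_ok": attempt({"Authorization": "Bearer tok-alice"}),
        "spoofed_username_no_secret": attempt({"X-User-Username": "admin"}),
        "wrong_secret": attempt(gateway_headers("guess", "admin")),
        "internal_missing_username": attempt({"X-Internal-Secret": SECRET}),
    }


def unset_secret_is_rejected():
    """A server started without the secret must not accept empty-for-empty."""
    return (secret_is_valid({}, "") is False
            and secret_is_valid({"X-Internal-Secret": ""}, "") is False)


if __name__ == "__main__":
    for name, outcome in run_cases().items():
        print(f"{name}: {outcome}")
```

Two caveats follow from the design rather than from this code. Whoever can reach the Flask API and holds the secret can act as any user via X-User-Username, so the secret-authenticated path should only be reachable from the gateway (network policy or TLS between the services), and the gateway should overwrite, not merge, any X-Internal-Secret or X-User-Username a client sends it. The empty-secret check matters because an unset environment variable otherwise turns every request that omits the header into a valid internal call.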

vercel Bot commented Jun 22, 2026

@onkar0127 is attempting to deploy a commit to the Aditya Sharma's projects Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions github-actions Bot added SSoC26 bug Something isn't working Hard labels Jun 22, 2026
@Userunknown84 Userunknown84 merged commit a26c63b into Userunknown84:main Jun 23, 2026
5 of 7 checks passed


Development

Successfully merging this pull request may close these issues.

bug: Broken OAuth Flow between Node.js and Flask due to JWT Verification Mismatch

2 participants