feat: Enable authentication in all services #37

Merged
elmorem merged 1 commit into main from feat/enable-auth-in-services
Dec 11, 2025
elmorem (Owner) commented Dec 11, 2025

Summary

  • Enables authentication middleware in API Gateway, Sessions, and Memory services
  • Adds comprehensive authentication configuration to .env.example
  • Implements user identity forwarding from Gateway to downstream services
  • Authentication is disabled by default for development (AUTH_REQUIRE_AUTH=false)

What's Included

API Gateway Authentication

  • services/gateway/app/main.py: Integrated AuthenticationMiddleware
    • Validates JWT Bearer tokens and API keys
    • Configurable exempt paths from auth settings
    • Forwards authenticated user identity to downstream services
    • Adds X-User-ID and X-Org-ID headers when user is authenticated
    • Logs authentication status on startup

Sessions Service Authentication

  • services/sessions/app/main.py: Integrated AuthenticationMiddleware
    • Same authentication configuration as Gateway
    • Protects all session endpoints when enabled
    • Logs authentication status on startup

Memory Service Authentication

  • services/memory/app/main.py: Integrated AuthenticationMiddleware
    • Same authentication configuration as Gateway
    • Protects all memory endpoints when enabled
    • Logs authentication status on startup

Environment Configuration

  • .env.example: Added comprehensive auth configuration
    • JWT settings (secret, algorithm, expiration, issuer)
    • API key settings
    • Authentication enforcement toggle (AUTH_REQUIRE_AUTH)
    • Exempt paths configuration
    • Default: AUTH_REQUIRE_AUTH=false for development

How It Works

Development Mode (Default)

# Authentication disabled by default
AUTH_REQUIRE_AUTH=false

  • All endpoints accessible without authentication
  • Useful for local development and testing

Production Mode

# Enable authentication
AUTH_REQUIRE_AUTH=true
AUTH_JWT_SECRET_KEY=your-generated-secret

# Generate secret with:
python scripts/generate_auth_config.py

  • All endpoints require valid JWT or API key
  • Exempt paths still accessible (health, docs, metrics)

User Identity Forwarding

Gateway extracts user identity from authentication and forwards to services:

Authorization: Bearer <jwt-token>
  ↓
Gateway authenticates and adds:
  X-User-ID: user_123
  X-Org-ID: org_456
  ↓
Sessions/Memory services receive user context

Configuration

Quick Start

# 1. Copy environment file
cp .env.example .env

# 2. Generate auth secrets (optional for dev)
python scripts/generate_auth_config.py

# 3. For production, enable auth in .env
AUTH_REQUIRE_AUTH=true
AUTH_JWT_SECRET_KEY=<generated-secret>

Exempt Paths

These paths don't require authentication:

  • /health, /health/live, /health/ready, /health/detailed, /health/services
  • /docs, /redoc, /openapi.json
  • /metrics

Test Plan

  • Authentication middleware added to Gateway
  • Authentication middleware added to Sessions service
  • Authentication middleware added to Memory service
  • User identity forwarding implemented in Gateway
  • Environment configuration updated with auth settings
  • Default AUTH_REQUIRE_AUTH=false for development
  • All services log authentication status on startup
  • Code formatted with black
  • Type checking passed with mypy

Next Steps

Once merged, developers can:

  1. Run services with auth disabled (default)
  2. Enable auth by setting AUTH_REQUIRE_AUTH=true
  3. Generate JWT tokens using scripts/generate_auth_config.py
  4. Use JWT or API keys for authenticated requests

🤖 Generated with Claude Code

Integrates authentication middleware into API Gateway, Sessions, and Memory services with configurable enforcement.

What's Changed:
- Add authentication middleware to API Gateway with user identity forwarding
- Add authentication middleware to Sessions service
- Add authentication middleware to Memory service
- Update .env.example with comprehensive auth configuration
- Set AUTH_REQUIRE_AUTH=false by default for development

Features:
- Automatic JWT and API key authentication on all routes
- Configurable exempt paths (health, docs, metrics)
- User identity forwarded from Gateway to downstream services via headers
- Authentication can be enabled/disabled per environment
- All services log authentication status on startup

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@elmorem elmorem merged commit 8d64660 into main Dec 11, 2025
12 checks passed
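
Added example (not part of the pull request or the project's code): one way a gateway can build the headers it forwards so that X-User-ID and X-Org-ID always come from the verified token and never from the client request. The function names and the claim names `sub` and `org_id` are assumptions.

```python
# Added example, not code from this repository. build_downstream_headers and
# the claim names "sub" and "org_id" are assumptions made for illustration.
from typing import Mapping, Optional

# Headers the gateway sets itself (names from the PR description).
IDENTITY_HEADERS = {"x-user-id", "x-org-id"}


def _checked(value: str) -> str:
    # Refuse CR/LF so a claim value cannot split the forwarded header.
    if not value or "\r" in value or "\n" in value:
        raise ValueError("unusable identity value")
    return value


def build_downstream_headers(
    inbound: Mapping[str, str],
    claims: Optional[Mapping[str, str]],
) -> dict:
    """Headers to send to Sessions/Memory.

    inbound: headers as received from the client (untrusted).
    claims:  claims of an already verified token, or None when the request
             was not authenticated (exempt path, or AUTH_REQUIRE_AUTH=false).
    """
    out = {}
    for name, value in inbound.items():
        # Compare case-insensitively and treat "_" as "-", since some
        # servers fold X_User_ID and X-User-ID into the same variable.
        if name.lower().replace("_", "-") in IDENTITY_HEADERS:
            continue  # never pass a client-supplied identity through
        out[name] = value
    if claims is not None:
        out["X-User-ID"] = _checked(claims.get("sub", ""))
        if claims.get("org_id"):
            out["X-Org-ID"] = _checked(claims["org_id"])
    return out


if __name__ == "__main__":
    # Constructed request: the client tries to pre-set both identity headers.
    spoofed = {"Accept": "application/json", "x-user-id": "admin", "X_Org_ID": "org_999"}
    print(build_downstream_headers(spoofed, {"sub": "user_123", "org_id": "org_456"}))
    print(build_downstream_headers(spoofed, None))
```

With authentication disabled, the second call shows that no identity header reaches the downstream service at all, so Sessions and Memory can treat a present X-User-ID as gateway-set only if they are reachable solely through the gateway.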