data_access_api.utils.internal_auth
===================================

.. py:module:: data_access_api.utils.internal_auth

.. autoapi-nested-parse::

   Trust-internal service authentication for the data-access-api.

   The data-access-api executes arbitrary SQL against the OMOP database via a
   service account. Without caller authentication, any container on the trust
   Docker network or any operator with SSM port-forward access can run the same
   queries as the service account.

   This module enforces a shared-secret check on the ``/cohort`` router: callers
   (trust-api, imaging-api, fl-client) send the plaintext
   ``TRUST_INTERNAL_SERVICE_KEY`` in a header, and data-access-api compares it to
   its own copy of the same key using constant-time comparison.

   The key is held in plaintext by every trust-internal service (sender or
   receiver). See ``imaging_api/utils/internal_auth.py`` for the rationale; the
   same module-level docstring applies here.

Attributes
----------

.. autoapisummary::

   data_access_api.utils.internal_auth._settings
   data_access_api.utils.internal_auth.internal_key_header_scheme

Functions
---------

.. autoapisummary::

   data_access_api.utils.internal_auth.authenticate_internal_service

Module Contents
---------------

.. py:data:: _settings

.. py:data:: internal_key_header_scheme

.. py:function:: authenticate_internal_service(api_key: str | None = Security(internal_key_header_scheme)) -> None

   Authenticate a trust-internal caller (trust-api, imaging-api, fl-client).

   :param api_key: The plaintext key from the request header.
   :type api_key: str | None
   :raises HTTPException: 401 if the key is missing, unconfigured, or invalid.