data_access_api.utils.internal_auth
Trust-internal service authentication for the data-access-api.
The data-access-api executes arbitrary SQL against the OMOP database via a
service account. Without caller authentication, any container on the trust
Docker network or any operator with SSM port-forward access can run the same
queries as the service account. This module enforces a shared-secret check on
the /cohort router: callers (trust-api, imaging-api, fl-client) send the
plaintext TRUST_INTERNAL_SERVICE_KEY in a header, and data-access-api
compares it to its own copy of the same key using constant-time comparison.
The key is held in plaintext by every trust-internal service (sender or
receiver). See imaging_api/utils/internal_auth.py for the rationale —
the same module-level docstring applies here.
Attributes
- _settings
- internal_key_header_scheme
Functions
- authenticate_internal_service(api_key): Authenticate a trust-internal caller (trust-api, imaging-api, fl-client).
Module Contents
- data_access_api.utils.internal_auth._settings
- data_access_api.utils.internal_auth.internal_key_header_scheme
- data_access_api.utils.internal_auth.authenticate_internal_service(api_key: str | None = Security(internal_key_header_scheme)) → None
Authenticate a trust-internal caller (trust-api, imaging-api, fl-client).
- Parameters:
api_key (str | None) – The plaintext key from the request header.
- Raises:
HTTPException – 401 if the key is missing, unconfigured, or invalid.
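Example (added here, not the project's own code): a standard-library version of the check described above, showing the three 401 cases and the constant-time comparison. The names `check_internal_key`, `status_for`, `Unauthorized` and `SAMPLE_KEY` are hypothetical, and `Unauthorized` stands in for the framework's HTTPException.

```python
from __future__ import annotations

import hmac


class Unauthorized(Exception):
    """Hypothetical stand-in for the framework's 401 HTTPException."""

    status_code = 401


def check_internal_key(presented: str | None, configured: str | None) -> None:
    """Raise Unauthorized unless `presented` equals the configured shared key."""
    # Unconfigured: fail closed. Without this guard an empty configured key
    # would compare equal to an empty header value and admit every caller.
    if not configured:
        raise Unauthorized("unauthorized")
    # Missing: header absent or empty.
    if not presented:
        raise Unauthorized("unauthorized")
    # Compare as bytes: hmac.compare_digest raises TypeError for non-ASCII
    # str arguments, which would surface as a server error instead of a 401.
    a = presented.encode("utf-8")
    b = configured.encode("utf-8")
    # Constant-time comparison: the run time does not depend on where the
    # first differing byte is, so timing does not show how much of a guess
    # matched the key.
    if not hmac.compare_digest(a, b):
        raise Unauthorized("unauthorized")


def status_for(presented: str | None, configured: str | None) -> int:
    """Return the status a caller would see: 200 if accepted, else 401."""
    try:
        check_internal_key(presented, configured)
    except Unauthorized as exc:
        return exc.status_code
    return 200


# Constructed sample value, not a real secret.
SAMPLE_KEY = "constructed-sample-key-0001"
```

The same message is raised in all three failure cases so the response does not tell a caller whether the key is unset on the server or merely wrong.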