feat: make proxy/auth and routes async

app/api/deps.py

@@ -29,12 +29,12 @@ def get_bearer_token(
     return credentials.credentials
 
 
-def require_authentication(
+async def require_authentication(
     token: str = Depends(get_bearer_token),
     client: AuthServiceClient = Depends(get_auth_service_client),
 ) -> AuthContext:
     try:
-        claims = client.validate_token(token)
+        claims = await client.validate_token(token)
     except AuthServiceError as exc:
         headers = (
             {"WWW-Authenticate": "Bearer"}
@@ -50,12 +50,12 @@ def require_authentication(
 
 
 def require_authorization(permission: str):
-    def dependency(
+    async def dependency(
         context: AuthContext = Depends(require_authentication),
         client: AuthServiceClient = Depends(get_auth_service_client),
     ) -> AuthContext:
         try:
-            client.authorize(context.token, permission)
+            await client.authorize(context.token, permission)
         except AuthServiceError as exc:
             headers = (
                 {"WWW-Authenticate": "Bearer"}

app/api/routes/gateway.py

@@ -1,3 +1,4 @@
+from anyio import to_thread
 from fastapi import APIRouter, Depends, status
 
 from app.api.deps import require_authorization
@@ -13,35 +14,39 @@
 
 
 @router.get("/routes", response_model=list[RouteConfig])
-def list_routes(store: RouteStore = Depends(get_route_store)) -> list[RouteConfig]:
-    return store.list_routes()
+async def list_routes(
+    store: RouteStore = Depends(get_route_store),
+) -> list[RouteConfig]:
+    return await to_thread.run_sync(store.list_routes)
 
 
 @router.get("/routes/{route_id}", response_model=RouteConfig)
-def get_route(
+async def get_route(
     route_id: str, store: RouteStore = Depends(get_route_store)
 ) -> RouteConfig:
-    return store.get_route(route_id)
+    return await to_thread.run_sync(store.get_route, route_id)
 
 
 @router.post(
     "/routes",
     response_model=RouteConfig,
     status_code=status.HTTP_201_CREATED,
 )
-def create_route(
+async def create_route(
     payload: RouteCreate, store: RouteStore = Depends(get_route_store)
 ) -> RouteConfig:
-    return store.create_route(payload)
+    return await to_thread.run_sync(store.create_route, payload)
 
 
 @router.put("/routes/{route_id}", response_model=RouteConfig)
-def update_route(
+async def update_route(
     route_id: str, payload: RouteUpdate, store: RouteStore = Depends(get_route_store)
 ) -> RouteConfig:
-    return store.update_route(route_id, payload)
+    return await to_thread.run_sync(store.update_route, route_id, payload)
 
 
 @router.delete("/routes/{route_id}", status_code=status.HTTP_204_NO_CONTENT)
-def delete_route(route_id: str, store: RouteStore = Depends(get_route_store)) -> None:
-    store.delete_route(route_id)
+async def delete_route(
+    route_id: str, store: RouteStore = Depends(get_route_store)
+) -> None:
+    await to_thread.run_sync(store.delete_route, route_id)

app/api/routes/health.py

@@ -4,5 +4,5 @@
 
 
 @router.get("/health")
-def health_check() -> dict:
+async def health_check() -> dict:
     return {"status": "ok"}

app/api/routes/proxy.py

@@ -2,6 +2,7 @@
 
 from urllib.parse import urlsplit, urlunsplit
 
+from anyio import to_thread
 import httpx
 from fastapi import APIRouter, Depends, HTTPException, Request, status
 from fastapi.responses import Response
@@ -42,13 +43,13 @@ async def proxy_request(
     auth_client: AuthServiceClient = Depends(get_auth_service_client),
 ) -> Response:
     raw_path = f"/{path}" if path else "/"
-    route = store.match_route(request.method, raw_path)
+    route = await to_thread.run_sync(store.match_route, request.method, raw_path)
     if not route:
         raise HTTPException(
             status_code=status.HTTP_404_NOT_FOUND, detail="route_not_found"
         )
 
-    _maybe_authorize(route, request, auth_client)
+    await _maybe_authorize(route, request, auth_client)
 
     upstream_path = _normalize_path(route.rewrite_path(raw_path))
     upstream_url = _build_upstream_url(route.upstream_base_url, upstream_path)
@@ -81,7 +82,7 @@ async def proxy_request(
     )
 
 
-def _maybe_authorize(
+async def _maybe_authorize(
     route: RouteConfig, request: Request, auth_client: AuthServiceClient
 ) -> dict:
     auth_config = route.auth or RouteAuth()
@@ -91,9 +92,9 @@ def _maybe_authorize(
 
     token = _extract_bearer_token(request)
     try:
-        claims = auth_client.validate_token(token)
+        claims = await auth_client.validate_token(token)
         if auth_config.permission:
-            auth_client.authorize(token, auth_config.permission)
+            await auth_client.authorize(token, auth_config.permission)
         if auth_config.roles:
             _ensure_roles(claims, auth_config.roles)
     except AuthServiceError as exc:

app/services/auth_service.py

@@ -30,16 +30,16 @@ def __init__(
         timeout: float,
         validate_path: str,
         authorize_path: str,
-        transport: httpx.BaseTransport | None = None,
+        transport: httpx.AsyncBaseTransport | None = None,
     ) -> None:
         self._base_url = base_url.rstrip("/")
         self._timeout = timeout
         self._validate_path = _normalize_path(validate_path)
         self._authorize_path = _normalize_path(authorize_path)
         self._transport = transport
 
-    def validate_token(self, token: str) -> dict[str, Any]:
-        response = self._request("POST", self._validate_path, token, payload=None)
+    async def validate_token(self, token: str) -> dict[str, Any]:
+        response = await self._request("POST", self._validate_path, token, payload=None)
         if response.status_code == status.HTTP_200_OK:
             return self._parse_claims(response)
         if response.status_code in (
@@ -49,8 +49,8 @@ def validate_token(self, token: str) -> dict[str, Any]:
             raise AuthServiceError(response.status_code, "invalid_token")
         raise AuthServiceError(status.HTTP_502_BAD_GATEWAY, "auth_service_error")
 
-    def authorize(self, token: str, permission: str) -> None:
-        response = self._request(
+    async def authorize(self, token: str, permission: str) -> None:
+        response = await self._request(
             "POST",
             self._authorize_path,
             token,
@@ -67,7 +67,7 @@ def authorize(self, token: str, permission: str) -> None:
             raise AuthServiceError(status.HTTP_403_FORBIDDEN, "not_authorized")
         raise AuthServiceError(status.HTTP_502_BAD_GATEWAY, "auth_service_error")
 
-    def _request(
+    async def _request(
         self,
         method: str,
         path: str,
@@ -76,12 +76,12 @@ def _request(
     ) -> httpx.Response:
         headers = {"Authorization": f"Bearer {token}"}
         try:
-            with httpx.Client(
+            async with httpx.AsyncClient(
                 base_url=self._base_url,
                 timeout=self._timeout,
                 transport=self._transport,
             ) as client:
-                return client.request(method, path, headers=headers, json=payload)
+                return await client.request(method, path, headers=headers, json=payload)
         except httpx.RequestError as exc:
             raise AuthServiceError(
                 status.HTTP_503_SERVICE_UNAVAILABLE,

app/tests/test_auth.py

@@ -18,13 +18,13 @@ def _build_app(client: AuthServiceClient) -> FastAPI:
     app.dependency_overrides[get_auth_service_client] = lambda: client
 
     @app.get("/protected")
-    def protected(
+    async def protected(
         context: AuthContext = Depends(require_authentication),
     ) -> dict[str, Any]:
         return {"subject": context.claims.get("sub")}
 
     @app.get("/admin")
-    def admin(
+    async def admin(
         context: AuthContext = Depends(require_authorization("admin:read")),
     ) -> dict[str, Any]:
         return {"ok": True}
@@ -39,7 +39,7 @@ def _json_payload(request: httpx.Request) -> dict[str, Any]:
 
 
 def _mock_transport() -> httpx.MockTransport:
-    def handler(request: httpx.Request) -> httpx.Response:
+    async def handler(request: httpx.Request) -> httpx.Response:
         auth_header = request.headers.get("Authorization", "")
         token = auth_header.replace("Bearer ", "", 1)
 
@@ -64,7 +64,7 @@ def handler(request: httpx.Request) -> httpx.Response:
     return httpx.MockTransport(handler)
 
 
-def _auth_client(transport: httpx.BaseTransport) -> AuthServiceClient:
+def _auth_client(transport: httpx.AsyncBaseTransport) -> AuthServiceClient:
     return AuthServiceClient(
         base_url="http://auth-service.local",
         timeout=1.0,
@@ -122,7 +122,7 @@ def test_authorization_allows_admin() -> None:
 
 
 def test_auth_service_unavailable_returns_503() -> None:
-    def handler(request: httpx.Request) -> httpx.Response:
+    async def handler(request: httpx.Request) -> httpx.Response:
         raise httpx.ConnectError("boom", request=request)
 
     app = _build_app(_auth_client(httpx.MockTransport(handler)))

app/tests/test_proxy.py

@@ -12,7 +12,7 @@
 
 
 def _auth_client() -> AuthServiceClient:
-    def handler(request: httpx.Request) -> httpx.Response:
+    async def handler(request: httpx.Request) -> httpx.Response:
         auth_header = request.headers.get("Authorization", "")
         token = auth_header.replace("Bearer ", "", 1)
 
@@ -42,7 +42,7 @@ def handler(request: httpx.Request) -> httpx.Response:
 
 
 def _proxy_client(record: dict) -> ProxyClient:
-    def handler(request: httpx.Request) -> httpx.Response:
+    async def handler(request: httpx.Request) -> httpx.Response:
         record["path"] = request.url.path
         record["query"] = request.url.query
         return httpx.Response(200, json={"proxied": True})

app/tests/test_routes_admin.py

@@ -10,7 +10,7 @@
 
 
 def _auth_client() -> AuthServiceClient:
-    def handler(request: httpx.Request) -> httpx.Response:
+    async def handler(request: httpx.Request) -> httpx.Response:
         auth_header = request.headers.get("Authorization", "")
         token = auth_header.replace("Bearer ", "", 1)