feat: support rewritten paths for auth handling

alukach · alukach · commit 22d606b3e6fa · 2026-04-07T13:17:20.000-07:00
diff --git a/crates/core/src/proxy.rs b/crates/core/src/proxy.rs
@@ -268,6 +268,7 @@ where
                 req.query,
                 req.headers,
                 req.source_ip,
+                req.signing_path,
             )
             .await;
 
@@ -362,7 +363,7 @@ where
         source_ip: Option<IpAddr>,
     ) -> HandlerAction {
         let (action, _metadata) = self
-            .resolve_request_with_metadata(method, path, query, headers, source_ip)
+            .resolve_request_with_metadata(method, path, query, headers, source_ip, None)
             .await;
         action
     }
@@ -376,6 +377,7 @@ where
         query: Option<&str>,
         headers: &HeaderMap,
         source_ip: Option<IpAddr>,
+        signing_path: Option<&str>,
     ) -> (HandlerAction, RequestMetadata) {
         let request_id = Uuid::new_v4().to_string();
 
@@ -397,10 +399,11 @@ where
         };
         tracing::debug!(operation = ?operation, "parsed S3 operation");
 
-        // Resolve identity
+        // Resolve identity — use the original client-facing path for signature
+        // verification when a signing_path is provided (e.g. path-mapping rewrites).
         let identity = match auth::resolve_identity(
             &method,
-            path,
+            signing_path.unwrap_or(path),
             query.unwrap_or(""),
             headers,
             &self.credential_registry,
diff --git a/crates/core/src/route_handler.rs b/crates/core/src/route_handler.rs
@@ -218,6 +218,12 @@ pub struct RequestInfo<'a> {
     /// Populated by the router when a route pattern matches. Empty when the
     /// request is constructed via [`RequestInfo::new`].
     pub params: Params,
+    /// The original path as seen by the client, used for SigV4 signature
+    /// verification when the proxy rewrites paths before dispatch.
+    ///
+    /// When `None`, `path` is used for both operation parsing and signature
+    /// verification.
+    pub signing_path: Option<&'a str>,
 }
 
 impl<'a> RequestInfo<'a> {
@@ -236,8 +242,18 @@ impl<'a> RequestInfo<'a> {
             headers,
             source_ip,
             params: Params::default(),
+            signing_path: None,
         }
     }
+
+    /// Set the original client-facing path for SigV4 signature verification.
+    ///
+    /// Use this when the proxy rewrites paths (e.g. path-mapping) so that
+    /// signature verification uses the path the client actually signed.
+    pub fn with_signing_path(mut self, signing_path: &'a str) -> Self {
+        self.signing_path = Some(signing_path);
+        self
+    }
 }
 
 /// A pluggable handler that can intercept requests before proxy dispatch.
diff --git a/crates/core/src/router.rs b/crates/core/src/router.rs
@@ -66,6 +66,7 @@ impl Router {
             query: req.query,
             headers: req.headers,
             source_ip: req.source_ip,
+            signing_path: req.signing_path,
         };
         matched
             .value
