Back-compat shim for legacy auth Settings; fix js wheel exclude #261

Merged: emilybarrettp72 merged 2 commits into main from egb/authandweb on May 4, 2026

@emilybarrettp72 emilybarrettp72 commented Apr 27, 2026

Collaborator

Summary

  • Restores Settings.AUTHENTICATE / Settings.API_KEY as deprecated compatibility shims so pre-2.5 configs keep working.
  • Adds Gateway._apply_legacy_auth_settings() to forward those values onto MountAPIKeyMiddleware at start() with a DeprecationWarning.
  • Anchors the wheel js exclude pattern with a leading slash so nested csp_gateway/server/web/templates/js/common.js ships — login/logout pages reference it.

Background

In csp-gateway 2.4.x, auth was configured via two fields on Settings:

```yaml
settings:
  AUTHENTICATE: true
  API_KEY: "secret"
```

In 2.5 those moved onto MountAPIKeyMiddleware as module fields:

```yaml
modules:
  - _target_: csp_gateway.server.MountAPIKeyMiddleware
    api_key: "secret"
```

The move itself was intentional, but nothing bridged the gap — configs written against the old layout still validated, but no code read them. Old configs silently deployed with auth effectively off.

Changes

1. csp_gateway/server/settings.py — deprecated AUTHENTICATE / API_KEY

Both reintroduced as Optional[...] with default=None. None is the sentinel for "user didn't set this"; a concrete value (False, True, or a string) is what the shim acts on. Field descriptions mark them as deprecated and redirect users to the middleware.

2. csp_gateway/server/gateway/gateway.py — _apply_legacy_auth_settings()

Called at the top of Gateway.start(). Four cases:

| Settings | Behavior |
| --- | --- |
| Neither set | No-op, no warning. |
| AUTHENTICATE=False | Strip any MountAPIKeyMiddleware from self.modules. Emit DeprecationWarning. (Wins over API_KEY.) |
| API_KEY="..." with middleware | Forward onto middleware.api_key. Emit DeprecationWarning. |
| AUTHENTICATE=True without middleware | Emit DeprecationWarning — the flag alone can't materialize a middleware; users need to add one to modules. |

3. pyproject.toml — wheel js exclude is now anchored

Old pattern:

```toml
[tool.hatch.build.targets.wheel]
exclude = ["docs", "examples", "js"]
```

Hatchling's gitignore-style matcher treats unanchored "js" as any directory named js at any depth. That matched both the top-level /js/ (the React app source, which we do want excluded) AND csp_gateway/server/web/templates/js/, which holds common.js referenced from login.html.j2 / logout.html.j2. Installed wheels therefore shipped login/logout pages pointing at a file that wasn't in the wheel.

New pattern:

```toml
exclude = ["docs", "examples", "/js"]
```

/js anchors to the build root — top-level source is still excluded; nested templates/js/ ships as intended.

4. csp_gateway/tests/server/gateway/test_gateway.py — TestLegacyAuthCompat

Five tests, one per branch of the shim:

  • test_no_legacy_settings_is_quiet_no_op
  • test_authenticate_false_strips_middleware
  • test_api_key_forwarded_onto_middleware
  • test_authenticate_false_without_middleware_is_harmless
  • test_authenticate_true_without_middleware_warns

Migration notes

Users on the old layout will now get a DeprecationWarning at start() time that points at the new layout. No behavioral change for anyone already on the 2.5+ shape.

Long-term: when we drop the shim, remove AUTHENTICATE / API_KEY from Settings and delete _apply_legacy_auth_settings() + its call site. The method docstring says the same.

Test plan

  • pytest csp_gateway/tests/server/gateway/test_gateway.py::TestLegacyAuthCompat -vv
  • Build the wheel (hatch build) and confirm the login/logout template asset ships: unzip -l dist/*.whl | grep templates/js/common.js
  • Smoke: run a Gateway with pre-2.5 Settings(AUTHENTICATE=False, ...) and confirm (a) DeprecationWarning is emitted and (b) the middleware is stripped from modules.

Drive-by fix (separate commit)

Commit 6c450b6 fixes an unrelated failing test introduced by #257 (tkp/idgen):

csp_gateway/tests/utils/test_id_generator.py::test_base_uses_utc_midnight hardcoded fake_now = datetime(2026, 4, 15, 1, 0, 0, tzinfo=timezone.utc). Python's mocked datetime.now() doesn't propagate to Rust's Utc::now() used by Counter.current(), so the counter measures real_now - mocked_midnight — which grows without bound as the wall clock walks forward. The assertion value < 200_000 * 1e9 (~2.3 days) starts failing about two days after the hardcoded date.

Fix: derive fake_now from datetime.now(timezone.utc) and .replace(hour=1, ...), so the '01:00 UTC / 9 PM EDT previous evening' scenario is preserved but the delta stays bounded. Test passes locally; main's CI is currently red for the same reason.

Happy to split into a separate PR if preferred — it's self-contained and doesn't touch anything our auth shim cares about.
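The failure mode described in the PR's Background (legacy auth fields that validate but leave no middleware in place) can be checked for before deployment. The following is an added example, not code from csp-gateway or from the PR author: `audit_auth_config`, the severity labels and the sample configs are assumptions, and configs are taken as already-parsed dicts.

```python
# Added example (not csp-gateway code): audit parsed configs for the legacy auth layout.
MIDDLEWARE = "csp_gateway.server.MountAPIKeyMiddleware"  # _target_ quoted in the PR


def audit_auth_config(cfg):
    """Return a list of (severity, message) findings for one parsed config dict."""
    settings = cfg.get("settings") or {}
    modules = cfg.get("modules") or []
    has_middleware = any(
        isinstance(m, dict) and m.get("_target_") == MIDDLEWARE for m in modules
    )
    authenticate = settings.get("AUTHENTICATE")  # None means "not set"
    api_key = settings.get("API_KEY")

    if authenticate is None and api_key is None:
        return []  # no legacy fields: nothing for this audit to report
    if authenticate is False:
        # Per the PR's table this wins over API_KEY and strips the middleware.
        return [("high", "AUTHENTICATE=False: middleware is stripped, API-key auth is off")]
    if not has_middleware:
        return [("high", "legacy auth fields set but no MountAPIKeyMiddleware in modules")]
    return [("low", "deprecated Settings auth fields; move api_key onto the middleware")]


# Constructed sample configs (the dict form of YAML like the snippets in the PR).
SAMPLES = {
    "pre-2.5, never migrated": {
        "settings": {"AUTHENTICATE": True, "API_KEY": "secret"},
        "modules": [{"_target_": "example.SomeOtherModule"}],  # hypothetical module
    },
    "legacy key plus middleware": {
        "settings": {"API_KEY": "secret"},
        "modules": [{"_target_": MIDDLEWARE}],
    },
    "explicitly disabled": {
        "settings": {"AUTHENTICATE": False, "API_KEY": "secret"},
        "modules": [{"_target_": MIDDLEWARE, "api_key": "secret"}],
    },
    "2.5+ layout": {"modules": [{"_target_": MIDDLEWARE, "api_key": "secret"}]},
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        for severity, message in audit_auth_config(cfg) or [("ok", "no legacy auth fields")]:
            print(f"{name}: [{severity}] {message}")
```
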

@emilybarrettp72 emilybarrettp72 added type: enhancement Minor improvements component: API PRs or issues related to the REST/WS API labels Apr 27, 2026
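The anchored versus unanchored exclude behaviour described in change 3 of the PR, as an added example that is not part of the PR or of Hatchling. It is a simplified model that covers only bare directory names such as "js" and "/js"; the file list is constructed and the template locations are assumed.

```python
# Added example: simplified gitignore-style matching for bare directory patterns.
# It models only the two forms in the PR ("js" and "/js"), not Hatchling's matcher.
from pathlib import PurePosixPath


def is_excluded(path, patterns):
    """True if `path` (relative to the build root) is hit by any pattern."""
    parts = PurePosixPath(path).parts
    for pattern in patterns:
        name = pattern.strip("/")
        if pattern.startswith("/"):
            # Anchored: only an entry with this name directly under the root.
            if parts and parts[0] == name:
                return True
        elif name in parts:
            # Unanchored: any path component with this name, at any depth.
            return True
    return False


def shipped(paths, patterns):
    """Return the paths that survive the exclude list, in input order."""
    return [p for p in paths if not is_excluded(p, patterns)]


# Constructed file list; template locations are assumed, common.js path is from the PR.
TREE = [
    "js/src/index.tsx",                                  # hypothetical React source file
    "docs/index.md",                                     # hypothetical
    "csp_gateway/server/web/templates/login.html.j2",    # assumed location
    "csp_gateway/server/web/templates/logout.html.j2",   # assumed location
    "csp_gateway/server/web/templates/js/common.js",
]
OLD = ["docs", "examples", "js"]
NEW = ["docs", "examples", "/js"]
ASSET = "csp_gateway/server/web/templates/js/common.js"

if __name__ == "__main__":
    print("old exclude ships common.js:", ASSET in shipped(TREE, OLD))
    print("new exclude ships common.js:", ASSET in shipped(TREE, NEW))
```
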
github-actions Bot commented Apr 27, 2026

Contributor

Test Results

624 tests   616 ✅  6m 53s ⏱️
  1 suites    8 💤
  1 files      0 ❌

Results for commit 0f447dd.

♻️ This comment has been updated with latest results.

codecov Bot commented Apr 27, 2026


Codecov Report

❌ Patch coverage is 98.38710% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 84.91%. Comparing base (18cf629) to head (0f447dd).
⚠️ Report is 4 commits behind head on main.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| csp_gateway/server/gateway/gateway.py | 95.00% | 0 Missing and 1 partial ⚠️ |
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #261      +/-   ##
==========================================
+ Coverage   84.85%   84.91%   +0.05%     
==========================================
  Files         139      139              
  Lines       14169    14229      +60     
  Branches     1396     1402       +6     
==========================================
+ Hits        12023    12082      +59     
  Misses       1706     1706              
- Partials      440      441       +1     


feussy previously approved these changes May 4, 2026
Comment thread csp_gateway/server/gateway/gateway.py Outdated
Re-adds Settings.AUTHENTICATE / Settings.API_KEY as deprecated pass-throughs that forward onto MountAPIKeyMiddleware at Gateway.start(), restoring the pre-2.5 config surface without reverting the middleware-based auth model.

Also anchors the wheel 'js' exclude with a leading slash so nested csp_gateway/server/web/templates/js/common.js ships (login/logout pages reference it).

Signed-off-by: Emily <emily.barrett@cubistsystematic.com>
Hardcoded 2026-04-15 made the assertion fail once the real clock walked more than ~2 days past that date. Python's mocked datetime.now doesn't propagate to Rust's Utc::now() used by Counter.current(), so the counter measures (real_now - mocked_midnight) without bound.

Derive fake_now from today's real UTC date while still exercising the '01:00 UTC' / '9 PM EDT previous evening' scenario the regression originally guarded against.

Signed-off-by: Emily <emily.barrett@cubistsystematic.com>
@emilybarrettp72 emilybarrettp72 merged commit 05c64f3 into main May 4, 2026
12 checks passed
@emilybarrettp72 emilybarrettp72 deleted the egb/authandweb branch May 4, 2026 17:35