Checkpoint: auth, engine, seal, server, grpc updates

Co-authored-by: Junie <junie@jetbrains.com>

internal/server/middleware.go

@@ -42,9 +42,11 @@ func (s *Server) requireUnseal(next http.HandlerFunc) http.HandlerFunc {
 		state := s.seal.State()
 		switch state {
 		case seal.StateUninitialized:
+			s.logger.Debug("request rejected: service uninitialized", "path", r.URL.Path)
 			http.Error(w, `{"error":"not initialized"}`, http.StatusPreconditionFailed)
 			return
 		case seal.StateSealed, seal.StateInitializing:
+			s.logger.Debug("request rejected: service sealed", "path", r.URL.Path)
 			http.Error(w, `{"error":"sealed"}`, http.StatusServiceUnavailable)
 			return
 		}
@@ -57,16 +59,19 @@ func (s *Server) requireAuth(next http.HandlerFunc) http.HandlerFunc {
 	return s.requireUnseal(func(w http.ResponseWriter, r *http.Request) {
 		token := extractToken(r)
 		if token == "" {
+			s.logger.Debug("request rejected: missing token", "path", r.URL.Path)
 			http.Error(w, `{"error":"unauthorized"}`, http.StatusUnauthorized)
 			return
 		}
 
 		info, err := s.auth.ValidateToken(token)
 		if err != nil {
+			s.logger.Debug("request rejected: invalid token", "path", r.URL.Path, "error", err)
 			http.Error(w, `{"error":"unauthorized"}`, http.StatusUnauthorized)
 			return
 		}
 
+		s.logger.Debug("request authenticated", "path", r.URL.Path, "username", info.Username)
 		ctx := context.WithValue(r.Context(), tokenInfoKey, info)
 		next(w, r.WithContext(ctx))
 	})
@@ -77,9 +82,11 @@ func (s *Server) requireAdmin(next http.HandlerFunc) http.HandlerFunc {
 	return s.requireAuth(func(w http.ResponseWriter, r *http.Request) {
 		info := TokenInfoFromContext(r.Context())
 		if info == nil || !info.IsAdmin {
+			s.logger.Debug("request rejected: admin required", "path", r.URL.Path)
 			http.Error(w, `{"error":"forbidden"}`, http.StatusForbidden)
 			return
 		}
+		s.logger.Debug("admin request authorized", "path", r.URL.Path, "username", info.Username)
 		next(w, r)
 	})
 }