feat(router): add engine.require_request_tracing_auth toggle for ART

[ekroon]

Summary by CodeRabbit

Release Notes

• New Features

  • Added configuration flag ENGINE_REQUIRE_REQUEST_TRACING_AUTH (YAML: engine.require_request_tracing_auth) to control request tracing authentication behavior. Defaults to enabled.

• Tests

  • Added test coverage for the new configuration option and its behavior.

Checklist

• I have discussed my proposed changes in an issue and have received approval to proceed.
• I have followed the coding standards of the project.
• Tests or benchmarks have been added or updated.
• Documentation has been updated on https://github.com/wundergraph/cosmo-docs.
• I have read the Contributors Guide.

This is a proposal for #2555

[coderabbitai]

Walkthrough

The PR introduces a new RequireRequestTracingAuth configuration flag that controls whether authentication is required for Automated Request Tracing (ART) when development mode is off. The flag is wired through the engine execution configuration, pre-handler options, and request parsing logic with corresponding schema, test fixtures, and test coverage.

Changes

Cohort / File(s)	Summary
Configuration Definition router/pkg/config/config.go, router/pkg/config/config.schema.json	Added RequireRequestTracingAuth boolean field to EngineExecutionConfiguration struct with environment variable and YAML mappings; schema defines it as boolean with default true.
Configuration Fixtures & Test Data router/pkg/config/fixtures/full.yaml, router/pkg/config/testdata/config_*.json	Added RequireRequestTracingAuth: true to test configuration files under engine sections.
Pre-handler Implementation router/core/graphql_prehandler.go, router/core/graph_server.go	Added RequireRequestTracingAuth field to PreHandlerOptions struct and private field to PreHandler; updated NewPreHandler initialization and internalParseRequestOptions control flow to bypass request tracing/auth validation when flag is false and not in development mode.
Configuration Tests router/pkg/config/config_test.go	Added test suite covering default behavior (true), YAML override, and YAML precedence over environment variables for RequireRequestTracingAuth.
Pre-handler Tests router/core/graphql_prehandler_request_options_test.go	Added tests verifying request options behavior with require_request_tracing_auth disabled (allows ART options) and enabled (restricts ART options).
Metrics router/core/router_config.go	Added engine_execution_configuration_require_request_tracing_auth to usage statistics.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

Possibly related issues

• Independent configuration for Advanced Request Tracing (ART) #2555: This PR directly implements the requested independent ART configuration by adding the RequireRequestTracingAuth flag with full wiring through configuration, pre-handler, and test coverage.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 20.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and accurately describes the main change: adding a new configuration toggle 'engine.require_request_tracing_auth' for ART (Authenticated Request Tracing).

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (2)

router/core/graphql_prehandler.go (1)

1264-1267: Consider surfacing a warning when unauthenticated ART is enabled.

When require_request_tracing_auth=false, non-dev requests can enable ART/query-plan options without token validation. A startup warning or config-health warning would make accidental exposure easier to catch.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@router/core/graphql_prehandler.go` around lines 1264 - 1267, The code
currently allows unauthenticated ART when requireRequestTracingAuth is false but
does not warn operators; add a clear warning when this config is set to false so
accidental exposure is visible. Modify the initialization path that sets
h.requireRequestTracingAuth (or the constructor/new-handler function that
creates this handler) to log a startup warning via the existing logger or
config-health mechanism indicating "requireRequestTracingAuth=false allows
unauthenticated ART/query-plan access" and, if you prefer runtime visibility,
emit a single (once-only) warning the first time the branch in the request
prehandler (the block guarding requireRequestTracingAuth where
parseRequestExecutionOptions and parseRequestTraceOptions are returned) is hit;
use an atomic boolean or once.Do to avoid flooding logs and include clear
context about the setting and recommended secure alternatives.

router/core/graphql_prehandler_request_options_test.go (1)

31-47: Add a positive auth-path subtest for requireRequestTracingAuth=true.

Please add one case with a valid WGRequestToken + routerPublicKey to assert ART options are enabled when auth is required and valid. That closes the remaining branch in internalParseRequestOptions.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@router/core/graphql_prehandler_request_options_test.go` around lines 31 - 47,
Add a new subtest alongside the existing one that exercises the auth-success
path for internalParseRequestOptions: create an httptest request with the same
ART query params (e.g. wg_include_query_plan=1 and wg_trace=...) and include a
valid WGRequestToken header signed with a matching routerPublicKey; construct
the PreHandler with enableRequestTracing: true, developmentMode: false,
requireRequestTracingAuth: true and set routerPublicKey to the public key that
verifies the token; call h.internalParseRequestOptions(req, &ClientInfo{},
zap.NewNop()) and assert no error and that
executionOptions.IncludeQueryPlanInResponse and traceOptions.Enable are true
(and check traceOptions.ExcludeOutput matches the provided wg_trace behavior) so
the authenticated branch is covered.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@router/core/graphql_prehandler_request_options_test.go`:
- Around line 31-47: Add a new subtest alongside the existing one that exercises
the auth-success path for internalParseRequestOptions: create an httptest
request with the same ART query params (e.g. wg_include_query_plan=1 and
wg_trace=...) and include a valid WGRequestToken header signed with a matching
routerPublicKey; construct the PreHandler with enableRequestTracing: true,
developmentMode: false, requireRequestTracingAuth: true and set routerPublicKey
to the public key that verifies the token; call
h.internalParseRequestOptions(req, &ClientInfo{}, zap.NewNop()) and assert no
error and that executionOptions.IncludeQueryPlanInResponse and
traceOptions.Enable are true (and check traceOptions.ExcludeOutput matches the
provided wg_trace behavior) so the authenticated branch is covered.

In `@router/core/graphql_prehandler.go`:
- Around line 1264-1267: The code currently allows unauthenticated ART when
requireRequestTracingAuth is false but does not warn operators; add a clear
warning when this config is set to false so accidental exposure is visible.
Modify the initialization path that sets h.requireRequestTracingAuth (or the
constructor/new-handler function that creates this handler) to log a startup
warning via the existing logger or config-health mechanism indicating
"requireRequestTracingAuth=false allows unauthenticated ART/query-plan access"
and, if you prefer runtime visibility, emit a single (once-only) warning the
first time the branch in the request prehandler (the block guarding
requireRequestTracingAuth where parseRequestExecutionOptions and
parseRequestTraceOptions are returned) is hit; use an atomic boolean or once.Do
to avoid flooding logs and include clear context about the setting and
recommended secure alternatives.

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cc360a6 and 1ceb989.

📒 Files selected for processing (10)

• router/core/graph_server.go
• router/core/graphql_prehandler.go
• router/core/graphql_prehandler_request_options_test.go
• router/core/router_config.go
• router/pkg/config/config.go
• router/pkg/config/config.schema.json
• router/pkg/config/config_test.go
• router/pkg/config/fixtures/full.yaml
• router/pkg/config/testdata/config_defaults.json
• router/pkg/config/testdata/config_full.json