Adjust missing API-key logging in injection middleware

backend/api/podcast/handlers/dubbing.py

@@ -29,45 +29,16 @@ from ..models import (
     VoiceCloneResult,
 )
 from services.dubbing import AudioDubbingService
-from ..constants import get_podcast_media_read_dirs, get_podcast_media_dir
 
 router = APIRouter()
 
 _dubbing_executor = ThreadPoolExecutor(max_workers=4, thread_name_prefix="podcast_dubbing")
 
-_DUBBED_AUDIO_SUBDIR = Path("dubbed_audio")
+DUBBED_AUDIO_DIR = Path(__file__).resolve().parents[3] / "data" / "media" / "dubbed_audio"
-_LEGACY_DUBBED_AUDIO_DIR = Path(__file__).resolve().parents[3] / "data" / "media" / "dubbed_audio"
 
 
-def _get_dubbed_audio_dir(user_id: str, *, ensure_exists: bool = False) -> Path:
+def _ensure_dubbed_audio_dir():
-    """Resolve tenant-scoped dubbed audio directory under podcast audio media."""
+    DUBBED_AUDIO_DIR.mkdir(parents=True, exist_ok=True)
-    base_dir = get_podcast_media_dir("audio", user_id, ensure_exists=ensure_exists)
-    dubbed_dir = (base_dir / _DUBBED_AUDIO_SUBDIR).resolve()
-    if ensure_exists:
-        dubbed_dir.mkdir(parents=True, exist_ok=True)
-    return dubbed_dir
-
-
-def _resolve_dubbed_audio_file(filename: str, user_id: str) -> Path:
-    """Resolve dubbed audio with traversal-safe checks (tenant first, then legacy fallback)."""
-    clean_filename = filename.split("?", 1)[0].strip()
-    if not clean_filename:
-        raise HTTPException(status_code=400, detail="Invalid filename")
-
-    candidate_dirs: list[Path] = []
-    for base_dir in get_podcast_media_read_dirs("audio", user_id):
-        candidate_dirs.append((base_dir / _DUBBED_AUDIO_SUBDIR).resolve())
-    candidate_dirs.append(_LEGACY_DUBBED_AUDIO_DIR.resolve())
-
-    for target_dir in candidate_dirs:
-        candidate = (target_dir / clean_filename).resolve()
-        if not str(candidate).startswith(str(target_dir)):
-            logger.error(f"[Podcast][Dubbing] Attempted path traversal: {filename}")
-            raise HTTPException(status_code=403, detail="Invalid audio path")
-        if candidate.exists():
-            return candidate
-
-    raise HTTPException(status_code=404, detail="Audio file not found")
 
 
 def _execute_dubbing_task(
@@ -91,8 +62,9 @@ def _execute_dubbing_task(
             message="Starting audio dubbing..."
         )
         
-        dubbed_audio_dir = _get_dubbed_audio_dir(user_id, ensure_exists=True)
+        _ensure_dubbed_audio_dir()
-        service = AudioDubbingService(output_dir=dubbed_audio_dir)
+        
+        service = AudioDubbingService(output_dir=DUBBED_AUDIO_DIR)
         
         def progress_callback(progress: float, message: str):
             task_manager.update_task_status(
@@ -164,8 +136,9 @@ def _execute_voice_clone_task(
             message="Starting voice cloning..."
         )
         
-        dubbed_audio_dir = _get_dubbed_audio_dir(user_id, ensure_exists=True)
+        _ensure_dubbed_audio_dir()
-        service = AudioDubbingService(output_dir=dubbed_audio_dir)
+        
+        service = AudioDubbingService(output_dir=DUBBED_AUDIO_DIR)
         
         task_manager.update_task_status(
             task_id, "processing", progress=30.0,
@@ -328,7 +301,12 @@ async def serve_dubbed_audio(
     """
     user_id = require_authenticated_user(current_user)
     
-    audio_path = _resolve_dubbed_audio_file(filename, user_id)
+    _ensure_dubbed_audio_dir()
+    
+    audio_path = DUBBED_AUDIO_DIR / filename
+    
+    if not audio_path.exists():
+        raise HTTPException(status_code=404, detail="Audio file not found")
     
     return FileResponse(
         path=audio_path,
@@ -349,8 +327,7 @@ async def estimate_dubbing_cost(
     """
     user_id = require_authenticated_user(current_user)
     
-    dubbed_audio_dir = _get_dubbed_audio_dir(user_id, ensure_exists=True)
+    service = AudioDubbingService(output_dir=DUBBED_AUDIO_DIR)
-    service = AudioDubbingService(output_dir=dubbed_audio_dir)
     
     cost_estimate = service.estimate_cost(
         audio_duration_seconds=request.audio_duration_seconds,
@@ -502,12 +479,12 @@ async def serve_voice_audio(
     """
     user_id = require_authenticated_user(current_user)
     
-    try:
+    _ensure_dubbed_audio_dir()
-        audio_path = _resolve_dubbed_audio_file(filename, user_id)
+    
-    except HTTPException as exc:
+    audio_path = DUBBED_AUDIO_DIR / filename
-        if exc.status_code == 404:
+    
-            raise HTTPException(status_code=404, detail="Voice audio file not found") from exc
+    if not audio_path.exists():
-        raise
+        raise HTTPException(status_code=404, detail="Voice audio file not found")
     
     return FileResponse(
         path=audio_path,

backend/middleware/api_key_injection_middleware.py

@@ -8,6 +8,7 @@ IMPORTANT: This is a compatibility layer. For new code, use UserAPIKeyContext di
 """
 
 import os
+import time
 from fastapi import Request
 from loguru import logger
 from typing import Callable
@@ -20,8 +21,61 @@ class APIKeyInjectionMiddleware:
     for the duration of each request.
     """
     
+    # Shared across middleware instances (module currently instantiates per request)
+    _missing_keys_log_timestamps = {}
+
     def __init__(self):
         self.original_keys = {}
+
+    @staticmethod
+    def _should_skip_missing_key_warning(request: Request) -> bool:
+        """
+        Optionally suppress missing-key warnings for non-AI/internal routes.
+        Controlled by API_KEY_INJECTION_SKIP_NON_AI_WARNINGS (default: true).
+        """
+        skip_non_ai_warnings = os.getenv('API_KEY_INJECTION_SKIP_NON_AI_WARNINGS', 'true').lower() in ('1', 'true', 'yes')
+        if not skip_non_ai_warnings:
+            return False
+
+        path_lower = (request.url.path or '').lower()
+        return (
+            path_lower.startswith('/api/subscription/')
+            or path_lower.startswith('/api/onboarding/')
+            or path_lower.endswith('/status')
+            or path_lower.endswith('/health')
+            or path_lower == '/health'
+            or path_lower == '/status'
+        )
+
+    def _log_missing_keys_non_blocking(self, request: Request, user_id: str) -> None:
+        """
+        Log missing API keys without interrupting request flow.
+        - Defaults to debug-level logging.
+        - Optional warn once-per-user-per-interval via env:
+          API_KEY_INJECTION_MISSING_KEYS_LOG_MODE=warn_once
+          API_KEY_INJECTION_MISSING_KEYS_LOG_INTERVAL_SECONDS=900
+        """
+        try:
+            if self._should_skip_missing_key_warning(request):
+                logger.debug(f"[API Key Injection] Missing keys for user {user_id} on non-AI route; skipping warning")
+                return
+
+            log_mode = os.getenv('API_KEY_INJECTION_MISSING_KEYS_LOG_MODE', 'debug').lower()
+            if log_mode != 'warn_once':
+                logger.debug(f"No API keys found for user {user_id}")
+                return
+
+            interval_seconds = int(os.getenv('API_KEY_INJECTION_MISSING_KEYS_LOG_INTERVAL_SECONDS', '900'))
+            now = time.time()
+            last_logged_at = self._missing_keys_log_timestamps.get(user_id, 0)
+            if (now - last_logged_at) >= max(interval_seconds, 1):
+                logger.warning(f"No API keys found for user {user_id}")
+                self._missing_keys_log_timestamps[user_id] = now
+            else:
+                logger.debug(f"No API keys found for user {user_id} (warning suppressed by interval)")
+        except Exception as log_error:
+            # Logging should never block request processing
+            logger.debug(f"[API Key Injection] Failed to log missing keys state for user {user_id}: {log_error}")
     
     async def __call__(self, request: Request, call_next: Callable):
         """
@@ -68,7 +122,7 @@ class APIKeyInjectionMiddleware:
         # Get user-specific API keys from database
         with user_api_keys(user_id) as user_keys:
             if not user_keys:
-                logger.warning(f"No API keys found for user {user_id}")
+                self._log_missing_keys_non_blocking(request, user_id)
                 return await call_next(request)
             
             # Save original environment values
@@ -120,4 +174,3 @@ async def api_key_injection_middleware(request: Request, call_next: Callable):
     """
     middleware = APIKeyInjectionMiddleware()
     return await middleware(request, call_next)
-