🚨 Jira Linter Failed

Commit: 3016ef6
Failed at: 2026-02-10 14:36:58 UTC

The Jira linter failed to validate your PR. Please check the error details below:

failed to validate branch and PR title rules: branch name 'fix/otel-alias-multiauth-span-propagation' must contain a valid Jira ticket ID (e.g., ABC-123)

Next Steps

• Ensure your branch name contains a valid Jira ticket ID (e.g., ABC-123)
• Verify your PR title matches the branch's Jira ticket ID
• Check that the Jira ticket exists and is accessible

This comment will be automatically deleted once the linter passes.

API Changes

no api changes detected

This PR fixes a bug where OpenTelemetry (OTEL) span attributes, such as tyk.api.apikey.alias, were not correctly propagated when using multi-factor authentication (e.g., JWT or API Key) in compliant mode. The inner authentication middlewares were setting span attributes under their own names, but the TraceMiddleware expected them under the AuthORWrapper's name, causing them to be omitted from OTEL spans.

The fix introduces logic within the AuthORWrapper to collect any span attributes set by a successful inner authentication middleware and re-associate them with the AuthORWrapper's context key. This ensures that the downstream TraceMiddleware can correctly find and apply these attributes to the request's OTEL span, improving observability for multi-auth APIs.

Files Changed Analysis

• gateway/mw_auth_or_wrapper.go: Contains the core fix, adding 15 lines of code to propagate the OTEL attributes after a successful authentication.
• gateway/mw_auth_or_wrapper_test.go: Adds a comprehensive new unit test (TestCompliantMode_OtelAliasAttribute) with 206 lines to validate the fix for both JWT and API key authentication paths, ensuring the attributes are correctly passed up.

Architecture & Impact Assessment

What this PR accomplishes:
This PR rectifies a bug that resulted in the loss of crucial observability data (OTEL span attributes) for APIs configured with compliant mode multi-authentication. This ensures that request traces contain the correct metadata, such as the API key alias, for accurate monitoring and debugging.

Key technical changes introduced:

• After a successful authentication within the AuthORWrapper, the code now iterates through the configured security schemes.
• It retrieves span attributes set by the successful inner middleware from the request's context.
• It then sets these collected attributes back into the context under the AuthORWrapper's name, making them accessible to the TraceMiddleware.

Affected system components:

• Gateway Authentication: Specifically the AuthORWrapper middleware.
• Observability: The OpenTelemetry tracing functionality, which will now receive the correct attributes.

Flow Diagram:

sequenceDiagram
    participant Client
    participant AuthORWrapper
    participant "InnerAuth (e.g., APIKey Middleware)" as InnerAuth
    participant TraceMiddleware

    Client->>AuthORWrapper: Request with API Key
    AuthORWrapper->>InnerAuth: ProcessRequest()
    InnerAuth-->>AuthORWrapper: Success, sets span attributes under its own context key
    Note over AuthORWrapper: **New Logic:** Copies attributes from InnerAuth's key to its own key
    AuthORWrapper->>TraceMiddleware: Continue request processing
    TraceMiddleware->>TraceMiddleware: Creates OTEL span, reads attributes from AuthORWrapper's key
    Note over TraceMiddleware: Span now correctly includes `tyk.api.apikey.alias`

Scope Discovery & Context Expansion

The change is well-contained within the AuthORWrapper middleware and primarily affects how context is passed between authentication middlewares and the TraceMiddleware. The core mechanism relies on the helper functions ctxGetSpanAttributes and ctxSetSpanAttributes located in gateway/api.go, which manage data within the http.Request context.

The impact is limited to APIs using the compliant security processing mode with multiple authentication schemes (OR logic). Other authentication configurations are unaffected. The addition of a targeted integration test confirms the fix without causing regressions in existing compliant mode tests.

Powered by Visor from Probelabs

Last updated: 2026-02-10T14:44:06.079Z | Triggered by: pr_opened | Commit: 3016ef6

💡 TIP: You can chat with Visor using /visor ask <your question>

✅ Security Check Passed

No security issues found – changes LGTM.

✅ Architecture Check Passed

No architecture issues found – changes LGTM.

Performance Issues (1)

// Collect attributes and calculate total size in one pass
var allAttrs [][]otel.SpanAttribute
totalAttrs := 0
for _, schemeName := range requirement {
	if mw := a.getMiddlewareForScheme(schemeName); mw != nil {
		if attrs := ctxGetSpanAttributes(r, mw.Name()); len(attrs) > 0 {
			allAttrs = append(allAttrs, attrs)
			totalAttrs += len(attrs)
		}
	}
}

if totalAttrs > 0 {
	spanAttrs := make([]otel.SpanAttribute, 0, totalAttrs)
	for _, attrs := range allAttrs {
		spanAttrs = append(spanAttrs, attrs...)
	}
	ctxSetSpanAttributes(r, a.Name(), spanAttrs...)
}

Quality Issues (2)

Powered by Visor from Probelabs

Last updated: 2026-02-10T14:44:13.075Z | Triggered by: pr_opened | Commit: 3016ef6

💡 TIP: You can chat with Visor using /visor ask <your question>