Gateway Route Service (Port 8000)¶

Overview¶

The Gateway Route Service is the central API gateway and single entry point for the entire Machine Agents platform. It acts as a reverse proxy, routing all incoming HTTP requests from the frontend to the appropriate backend microservices. This service consolidates 20+ microservices behind a unified API interface.

Port: 8000
Path: machineagents-be/gateway_route/src/main.py
Lines of Code: 3,604
Total Functions: 197 proxy endpoints
Framework: FastAPI
HTTP Client: httpx (async)

Architecture¶

graph TB
    subgraph "Frontend Layer"
        Web[Web Dashboard]
        Mobile[Mobile App]
        EmbedWidget[Embedded Chatbot Widget]
    end

    subgraph "Gateway Layer (Port 8000)"
        Gateway[Gateway Route Service<br/>3,604 lines<br/>197 endpoints]
    end

    subgraph "Backend Microservices (20+ services)"
        direction LR
        Auth[Auth Service<br/>:8001]
        User[User Service<br/>:8002]
        Create[Create Chatbot<br/>:8003]
        Selection[Selection<br/>:8004]
        Crawling[Data Crawling<br/>:8005]
        State3D[State 3D<br/>:8006]
        StateText[State Text<br/>:8007]
        StateVoice[State Voice<br/>:8008]
        SysPrompt[System Prompt<br/>:8009]
        Maintenance[Maintenance<br/>:8010]
        Response3D[Response 3D<br/>:8011]
        ResponseText[Response Text<br/>:8012]
        ResponseVoice[Response Voice<br/>:8013]
        ChatHistory[Chat History<br/>:8014]
        ClientData[Client Data<br/>:8015]
        LLM[LLM Model<br/>:8016]
        Homepage[Homepage<br/>:8017]
        RemotePhysio[Remote Physio<br/>:8018]
        Payment[Payment<br/>:8019]
        Superadmin[Superadmin<br/>:8020]
    end

    Web -->|All Requests| Gateway
    Mobile -->|All Requests| Gateway
    EmbedWidget -->|All Requests| Gateway

    Gateway -->|/v2/login| Auth
    Gateway -->|/v2/signup| User
    Gateway -->|/v2/create-chatbot| Create
    Gateway -->|/v2/select-*| Selection
    Gateway -->|/v2/fetch-urls| Crawling
    Gateway -->|/v2/save-3d-selection| State3D
    Gateway -->|/v2/save-text-selection| StateText
    Gateway -->|/v2/save-voice-selection| StateVoice
    Gateway -->|/v2/get-system-prompt| SysPrompt
    Gateway -->|/v2/delete-chatbot| Maintenance
    Gateway -->|/v2/get-response-3d| Response3D
    Gateway -->|/v2/get-response-text| ResponseText
    Gateway -->|/v2/get-response-voice| ResponseVoice
    Gateway -->|/v2/save-chat-history| ChatHistory
    Gateway -->|/v2/get-client-data| ClientData
    Gateway -->|/v2/call-model/*| LLM
    Gateway -->|/v2/homepage-*| Homepage
    Gateway -->|/v2/remote-physio-*| RemotePhysio
    Gateway -->|/v2/payment/*| Payment
    Gateway -->|/v2/admin/*| Superadmin

    style Gateway fill:#2196F3,color:#fff
    style Auth fill:#4CAF50,color:#fff
    style User fill:#4CAF50,color:#fff
    style Response3D fill:#FF9800,color:#fff
    style Payment fill:#F44336,color:#fff
    style Superadmin fill:#9C27B0,color:#fff

Core Functionality¶

The gateway performs the following functions:

1. Request Proxying - Forwards all requests to appropriate backend services
2. CORS Handling - Manages Cross-Origin Resource Sharing (overly permissive ⚠️)
3. Timeout Management - Configures timeouts for long-running operations
4. Connection Pooling - Manages HTTP connection pools for efficiency
5. Error Translation - Converts backend errors to frontend-friendly format
6. reCAPTCHA Verification - Validates Google reCAPTCHA tokens (for login endpoints)

Service URL Mapping¶

Backend Service URLs (Lines 37-56):

AUTH_SERVICE_URL = "http://auth-service:8001"
USER_SERVICE_URL = "http://user-service:8002"
CREATE_CHATBOT_SERVICE_URL = "http://create-chatbot-service:8003"
SELECTION_CHATBOT_SERVICE_URL = "http://selection-chatbot-service:8004"
DATA_CRAWLING_SERVICE_URL = "http://data-crawling-service:8005"
STATE_SELECTION_3D_CHATBOT_SERVICE_URL = "http://state-selection-3dchatbot-service:8006"
STATE_SELECTION_TEXT_CHATBOT_SERVICE_URL = "http://state-selection-textchatbot-service:8007"
STATE_SELECTION_VOICE_CHATBOT_SERVICE_URL = "http://state-selection-voicechatbot-service:8008"
SYSTEMPROMPT_SERVICE_URL = "http://systemprompt-service:8009"
CHATBOT_MAINTENCE_SERVICE_URL = "http://chatbot-maintenance-service:8010"
RESPONSE_3D_CHATBOT_SERVICE_URL = "http://response-3d-chatbot-service:8011"
RESPONSE_text_CHATBOT_SERVICE_URL = "http://response-text-chatbot-service:8012"
RESPONSE_voice_CHATBOT_SERVICE_URL = "http://response-voice-chatbot-service:8013"
CHAT_HISTORY_SERVICE_URL = "http://chathistory-service:8014"
DATA_COLLECTION_SERVICE_URL = "http://client-data-collection-service:8015"
LLM_MODEL_SERVICE = "http://llm-model-service:8016"
HOME_PAGE_SERVICE_URL = "http://homepage-chatbot-service:8017"
REMOTE_PHYSIO_SERVICE_URL = "http://remote-physio-service:8018"
PAYMENT_SERVICE_URL = "http://payment-service:8019"
SUPERADMIN_SERVICE_URL = "http://superadmin-service:8020"

⚠️ KEY OBSERVATION:

All services use Docker internal networking with service names as hostnames. This only works within Docker Compose networks. The gateway itself is exposed on Port 8000 to the external world.

Endpoint Categories¶

The 197 proxy endpoints are organized into the following functional categories:

1. Authentication & User Management (~20 endpoints)¶

Routes: /v2/login, /v2/login1, /v2/verify-login-otp, /v2/signup, /v2/verify-otp, /v2/forgot-password, /v2/reset-password, /v2/get-user-features/{user_id}

Proxies To: Auth Service (:8001), User Service (:8002)

Key Features:

• Plain login (Line 60-76)
• Login with reCAPTCHA verification (Line 82-112)
• OTP-based verification (Line 114-144)
• Password reset flow
• User feature retrieval

Example Proxy Pattern:

@app.post("/v2/login")
async def proxy_login(email: str = Form(...), password: str = Form(...)):
    logger.info(f"Proxying login request for email: {email}")
    timeout = httpx.Timeout(60.0)
    limits = httpx.Limits(max_connections=100, max_keepalive_connections=20)
    async with httpx.AsyncClient(timeout=timeout, limits=limits) as client:
        try:
            response = await client.post(
                f"{AUTH_SERVICE_URL}/v2/login",
                data={"email": email, "password": password}
            )
            response.raise_for_status()
            logger.info(f"✓ Login proxy successful for {email}")
            return response.json()
        except httpx.HTTPStatusError as exc:
            logger.error(f"✗ Login proxy failed for {email}: {exc.response.status_code}")
            raise HTTPException(status_code=exc.response.status_code, detail=exc.response.text)

2. Chatbot Creation & Management (~30 endpoints)¶

Routes: /v2/create-chatbot, /v2/get-chatbots/{user_id}, /v2/get-chatbot-status, /v2/delete-chatbot-selection, /v2/get-trashed-chatbots, etc.

Proxies To: Create Chatbot Service (:8003), Selection Service (:8004), Maintenance Service (:8010)

Key Features:

• Chatbot creation
• Chatbot listing (by user_id)
• Chatbot status tracking
• Chatbot deletion (moves to trash)
• Trash management (get trashed, restore)

3. Chatbot Configuration (~40 endpoints)¶

Routes: /v2/select-chatbot, /v2/select-purpose, /v2/select-avatar, /v2/select-voice, /v2/select-model, /v2/save-chatbot-selection, /v2/get-chatbot-selection, etc.

Proxies To: Selection Service (:8004), State Selection Services (:8006, :8007, :8008)

Key Features:

• Chatbot type selection (3D, Text, Voice)
• Purpose selection (Sales, Service, Informational)
• Avatar selection (Emma, Nova, Michael, etc.)
• Voice selection (Azure Neural voices)
• Model selection (GPT-4, GPT-3.5, Llama, etc.)
• System prompt configuration

Multiple Endpoints for Different Chatbot Types:

• /v2/save-3d-chatbot-selection → State Selection 3D Service (:8006)
• /v2/save-text-chatbot-selection → State Selection Text Service (:8007)
• /v2/save-voice-chatbot-selection → State Selection Voice Service (:8008)

4. Data Crawling & Knowledge Base (~25 endpoints)¶

Routes: /v2/fetch-urls, /v2/fetch-sitemap-urls, /v2/extract-contents, /v2/check-task-status, /v2/get-sitemap-urls, /v2/fetch-pdf, /v2/fetch-text, /v2/fetch-excel, /v2/update-document, etc.

Proxies To: Data Crawling Service (:8005)

Key Features:

• URL extraction from domain
• Sitemap parsing
• Content extraction with background processing
• Task status tracking (async crawling)
• PDF upload & processing
• Text/Excel file upload
• Document update & re-embedding
• Secondary data management (scraped content storage)

Example - Long-Running Task Pattern:

@app.post("/v2/extract-contents")
async def proxy_extract_contents(
    user_id: str = Form(...),
    project_id: str = Form(...),
    domain: str = Form(...),
    urls: str = Form(...)
):
    # High timeout for long-running crawl operations
    timeout = httpx.Timeout(600.0)  # 10 minutes!
    limits = httpx.Limits(max_connections=100, max_keepalive_connections=20)
    async with httpx.AsyncClient(timeout=timeout, limits=limits) as client:
        response = await client.post(
            f"{DATA_CRAWLING_SERVICE_URL}/v2/extract-contents",
            data={"user_id": user_id, "project_id": project_id, "domain": domain, "urls": urls}
        )
        response.raise_for_status()
        return response.json()  # Returns task_id

5. Chatbot Interactions (~50 endpoints)¶

Routes: /v2/get-response-3dchatbot/*, /v2/get-response-textchatbot/*, /v2/get-response-voicechatbot/*, /v2/save-chat-history, /v2/get-chat-history, etc.

Proxies To: Response Services (:8011, :8012, :8013), Chat History Service (:8014)

Key Features:

• 3D chatbot responses (with lip-sync, audio, avatar animation)
• Text chatbot responses
• Voice chatbot responses
• Chat history storage
• Chat history retrieval (by session, by project)
• Chat history deletion

Multiple Response Endpoint Versions:

For 3D chatbot alone, there are 10+ endpoint variations:

• /v2/get-response-3dchatbot (v1 - deprecated)
• /v2/get-response-3dchatbot-openai (v2)
• /v2/get-response-3dchatbot-openai-multi (v3)
• /v2/get-response-3dchatbot-openai-multi-v4 (v4)
• /v2/get-response-3dchatbot-v5 (v5)
• /v2/get-response-3dchatbot-v6-hybrid (v6 - current)
• /v2/get-response-3dchatbot-v7-live (v7)
• /v2/get-response-3dchatbot-v8-split (v8)

This versioning pattern suggests iterative development and backward compatibility concerns.

6. System Prompts & Configuration (~10 endpoints)¶

Routes: /v2/get-system-prompt, /v2/upload-text, /v2/get-uploaded-texts, /v2/reset-system-prompt, etc.

Proxies To: System Prompt Service (:8009)

Key Features:

• System prompt upload (custom prompts)
• System prompt retrieval (by agent_type)
• Prompt listing
• Prompt reset to defaults

7. Client Data Collection (~5 endpoints)¶

Routes: /v2/get-client-data, /v2/update-client-data/{item_id}, etc.

Proxies To: Client Data Collection Service (:8015)

Key Features:

• Client data extraction from chat history
• Data updates (embeddings re-generation)

8. LLM Model Service (~2 endpoints)¶

Routes: /v2/call-model/{model_name}

Proxies To: LLM Model Service (:8016)

Key Features:

• Unified API for calling 9 different LLMs (GPT-4, Llama, Claude, Gemini, etc.)

9. Homepage Chatbot (~10 endpoints)¶

Routes: /v2/homepage-get-response, /v2/homepage-save-chat-history, /v2/homepage-get-greeting, /v2/homepage-generate-greeting, /v2/homepage-save-lead, etc.

Proxies To: Homepage Chatbot Service (:8017)

Key Features:

• Dedicated homepage chatbot interactions
• Greeting generation with TTS+lip-sync
• UTM-based greeting personalization
• Lead collection from homepage

10. Remote Physio Service (~5 endpoints)¶

Routes: /v2/get-response-physio, /v2/remote_physio_history, /v2/check-profile/{session_id}, /v2/reset-session/{session_id}

Proxies To: Remote Physio Service (:8018)

Key Features:

• Client-specific physiotherapy chatbot
• Medical assessment with RAG
• Session management

11. Payment & Subscription (~15 endpoints)¶

Routes: /v2/payment/create-order, /v2/payment/verify-payment, /v2/payment/get-user-subscription, /v2/payment/cancel-subscription, /v2/payment/update-subscription, etc.

Proxies To: Payment Service (:8019)

Key Features:

• Razorpay order creation
• Payment verification
• Subscription management (create, cancel, update)
• Webhook handling
• Admin endpoints for plan management

12. Superadmin (~10 endpoints)¶

Routes: /v2/admin-login, /v2/admin/users, /v2/admin/get-user-history, /v2/subscriptions/plans, /v2/get-latest-terms-conditions, /v2/get-latest-privacy-policy, /v2/get-user-data/{user_id}, etc.

Proxies To: Superadmin Service (:8020)

Key Features:

• Admin authentication
• User management
• Subscription plan retrieval
• Legal document distribution (T&C, Privacy Policy)

Timeout Configuration¶

The gateway uses variable timeouts based on operation type:

Short Timeout (60 seconds) - Most endpoints:

timeout = httpx.Timeout(60.0)

Medium Timeout (120 seconds) - File uploads, admin operations:

timeout = httpx.Timeout(120.0)

Long Timeout (300-600 seconds) - Crawling, heavy processing:

timeout = httpx.Timeout(600.0)  # 10 minutes

Connection Limits (Consistent across all):

limits = httpx.Limits(max_connections=100, max_keepalive_connections=20)

reCAPTCHA Integration¶

Environment Variable (Lines 79-80):

RECAPTCHA_SECRET_KEY = os.getenv("RECAPTCHA_SECRET_KEY", "your_secret_key")
RECAPTCHA_VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

Used In:

• /v2/login1 (Line 82-112)
• /v2/verify-login-otp (Line 114-144)

Verification Flow:

@app.post("/v2/login1")
async def proxy_login(
    email: str = Form(...),
    password: str = Form(...),
    recaptcha_token: str = Form(...)
):
    # Step 1: Verify reCAPTCHA with Google
    async with httpx.AsyncClient() as client:
        recaptcha_resp = await client.post(
            RECAPTCHA_VERIFY_URL,
            data={
                "secret": RECAPTCHA_SECRET_KEY,
                "response": recaptcha_token
            }
        )
        if not recaptcha_resp.json().get("success", False):
            raise HTTPException(status_code=400, detail="Invalid reCAPTCHA")

    # Step 2: Forward to Auth service
    timeout = httpx.Timeout(60.0)
    limits = httpx.Limits(max_connections=100, max_keepalive_connections=20)
    async with httpx.AsyncClient(timeout=timeout, limits=limits) as client:
        response = await client.post(
            f"{AUTH_SERVICE_URL}/v2/login",
            data={"email": email, "password": password}
        )
        response.raise_for_status()
        return response.json()

⚠️ SECURITY ISSUE: The RECAPTCHA_SECRET_KEY defaults to "your_secret_key" if not set in environment, which would fail reCAPTCHA verification but not raise an error during startup.

CORS Configuration¶

Lines 28-35:

app.add_middleware(
    CORSMiddleware,
    allow_origins=["*"],        # ⚠️ SECURITY ISSUE!
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*"],
)

[!WARNING] > CRITICAL SECURITY VULNERABILITY: Permissive CORS allows requests from ANY origin (allow_origins=["*"]). This is a severe security risk and should be restricted to:

• Production frontend domain (e.g., https://machineagents.ai)
• Staging domain (e.g., https://staging.machineagents.ai)
• Local development (http://localhost:3000)

Recommended Fix:

ALLOWED_ORIGINS = os.getenv(
    "ALLOWED_ORIGINS",
    "https://machineagents.ai,https://staging.machineagents.ai,http://localhost:3000"
).split(",")

app.add_middleware(
    CORSMiddleware,
    allow_origins=ALLOWED_ORIGINS,
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*"],
)

Error Handling Patterns¶

The gateway uses consistent error handling across all endpoints:

Pattern 1: Basic Error Forwarding (Most Common):

try:
    response = await client.post(url, data=data)
    response.raise_for_status()
    return response.json()
except httpx.HTTPStatusError as exc:
    raise HTTPException(
        status_code=exc.response.status_code,
        detail=exc.response.text
    )

Pattern 2: Enhanced Error Handling (Some Endpoints):

try:
    response = await client.get(url)
    response.raise_for_status()
    return JSONResponse(status_code=response.status_code, content=response.json())
except httpx.HTTPStatusError as exc:
    error_detail = exc.response.json().get("detail", str(exc))
    raise HTTPException(status_code=exc.response.status_code, detail=error_detail)
except httpx.RequestError as exc:
    raise HTTPException(status_code=503, detail=f"Service unavailable: {str(exc)}")
except Exception as e:
    raise HTTPException(status_code=500, detail=f"Gateway error: {str(e)}")

Key Points:

• Backend HTTP errors are forwarded directly to frontend with same status code
• No error transformation or sanitization
• No centralized error logging (handled by individual services)

File Upload Handling¶

For file upload endpoints, the gateway uses multipart form data proxying:

Example - PDF Upload (Lines 1065-1094):

@app.post("/v2/fetch-pdf")
async def proxy_fetch_pdf(
    user_id: str = Form(...),
    project_id: str = Form(...),
    files: List[UploadFile] = File(...)
):
    timeout = httpx.Timeout(120.0)
    limits = httpx.Limits(max_connections=100, max_keepalive_connections=20)
    async with httpx.AsyncClient(timeout=timeout, limits=limits) as client:
        # Read files and prepare multipart data
        files_data = []
        for file in files:
            file_content = await file.read()
            files_data.append(("files", (file.filename, io.BytesIO(file_content), file.content_type)))

        response = await client.post(
            f"{DATA_CRAWLING_SERVICE_URL}/v2/fetch-pdf",
            data={"user_id": user_id, "project_id": project_id},
            files=files_data
        )
        response.raise_for_status()
        return response.json()

Process:

1. Frontend sends files to gateway
2. Gateway reads files into memory (await file.read())
3. Gateway creates new multipart request to backend
4. Backend processes files

⚠️ PERFORMANCE CONCERN: Files are loaded entirely into memory in the gateway. For large files, this can cause memory issues. Consider streaming instead.

Dependencies¶

Path: gateway_route/requirements.txt

FastAPI
python-jose
uvicorn
httpx
python-multipart
pymongo
azure-storage-blob
python-dotenv
azure-storage-blob==12.18.2  # ⚠️ Duplicate!
pymilvus==2.3.4

Analysis:

1. FastAPI - Web framework ✅
2. python-jose - JWT handling (⚠️ NOT USED in current code!)
3. uvicorn - ASGI server ✅
4. httpx - Async HTTP client ✅
5. python-multipart - Form data parsing ✅
6. pymongo - MongoDB client (⚠️ NOT USED - gateway doesn't access DB directly!)
7. azure-storage-blob - Azure Blob Storage (⚠️ NOT USED!)
8. azure-storage-blob==12.18.2 - DUPLICATE! ⚠️
9. pymilvus==2.3.4 - Milvus client (⚠️ NOT USED!)

Recommended Cleanup:

FastAPI
uvicorn
httpx
python-multipart
python-dotenv

Remove: python-jose, pymongo, azure-storage-blob (duplicate), pymilvus (all unused)

Dockerfile Configuration¶

Path: gateway_route/Dockerfile

FROM python:3.11-slim

WORKDIR /app

COPY ./src /app

COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

EXPOSE 8000

CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000"]

Key Points:

• Base image: python:3.11-slim (newer than other services using 3.9)
• No system dependencies (no FFmpeg, etc.)
• Source code copied to /app
• Port exposed: 8000

Deployment Configuration¶

Docker Compose (Lines 7-24 in docker-compose_dev.yaml):

gateway:
  build:
    context: ./gateway_route
  container_name: gateway
  ports:
    - "8000:8000"
  depends_on:
    - auth-service
  networks:
    - app-network
  environment:
    - MONGO_URI=...
    - MONGO_DB_NAME=Machine_agent_dev
    - DEFAULT_DATABASE=milvus
    - MILVUS_HOST=milvus-standalone
    - MILVUS_PORT=19530
    - AZURE_SCREENSHOTS_CONTAINER_NAME=screenshots-dev

⚠️ ISSUES:

1. Unused Environment Variables: Gateway doesn't use MONGO_URI, MILVUS_HOST, etc.
2. Missing RECAPTCHA_SECRET_KEY: reCAPTCHA endpoints will fail without this
3. Missing ALLOWED_ORIGINS: CORS is permissive by default

Recommended Environment Variables:

environment:
  - RECAPTCHA_SECRET_KEY=${RECAPTCHA_SECRET_KEY}
  - ALLOWED_ORIGINS=https://machineagents.ai,http://localhost:3000

Security Issues Summary¶

🔴 CRITICAL Security Vulnerabilities¶

1. Overly Permissive CORS (Lines 28-35)

Issue: allow_origins=["*"] allows requests from any domain, enabling CSRF attacks.

Impact:

• Any website can make requests to your API
• User credentials can be stolen
• Sensitive data exposed to malicious sites

Recommended Fix: Whitelist specific domains (shown in CORS Configuration section).

2. Missing reCAPTCHA Secret Key Validation

Issue: RECAPTCHA_SECRET_KEY defaults to "your_secret_key" if not set.

Impact:

• reCAPTCHA verification will always fail
• No visual error during startup
• Login endpoints with reCAPTCHA become unusable

Recommended Fix:

RECAPTCHA_SECRET_KEY = os.getenv("RECAPTCHA_SECRET_KEY")
if not RECAPTCHA_SECRET_KEY or RECAPTCHA_SECRET_KEY == "your_secret_key":
    logger.warning("⚠️ RECAPTCHA_SECRET_KEY not configured - reCAPTCHA endpoints will fail!")

3. No Request Rate Limiting

Issue: No rate limiting on any endpoint.

Impact:

• Vulnerable to DDoS attacks
• Brute force attacks on login endpoints
• Resource exhaustion

Recommended Fix:

from slowapi import Limiter
from slowapi.util import get_remote_address

limiter = Limiter(key_func=get_remote_address)
app.state.limiter = limiter
app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler)

@app.post("/v2/login")
@limiter.limit("5/minute")  # 5 login attempts per minute
async def proxy_login(...):
    ...

4. No Authentication/Authorization Middleware

Issue: Gateway forwards ALL requests without checking authentication.

Impact:

• Authentication is handled by individual backend services
• No centralized auth layer
• Potential for inconsistent auth logic

Recommended Enhancement:

from fastapi import Depends, Header

async def verify_token(authorization: str = Header(None)):
    if not authorization:
        raise HTTPException(status_code=401, detail="Missing authorization header")

    # Verify JWT token
    try:
        payload = jwt.decode(authorization.replace("Bearer ", ""), SECRET_KEY, algorithms=["HS256"])
        return payload
    except:
        raise HTTPException(status_code=401, detail="Invalid token")

@app.post("/v2/create-chatbot")
async def proxy_create_chatbot(
    user_id: str = Form(...),
    user: dict = Depends(verify_token)  # Require authentication
):
    ...

🟡 Medium Severity Issues¶

5. Memory Usage for File Uploads

Issue: Files are loaded entirely into memory before proxying.

Impact: Large file uploads can cause memory exhaustion.

Recommended Fix: Stream files instead of loading into memory.

6. No Request/Response Logging

Issue: No centralized logging of requests/responses.

Impact: Difficult to debug issues, track usage, or detect anomalies.

Recommended Enhancement:

@app.middleware("http")
async def log_requests(request: Request, call_next):
    start_time = time.time()
    response = await call_next(request)
    process_time = time.time() - start_time

    logger.info(
        f"{request.method} {request.url.path} "
        f"status={response.status_code} duration={process_time:.2f}s"
    )

    return response

Code Quality Issues¶

1. Massive Monolithic File (3,604 lines)¶

Issue: Single file with 197 functions is extremely difficult to maintain.

Recommendation: Split into modules:

gateway_route/src/
├── main.py (main app initialization)
├── routers/
│   ├── auth.py (authentication endpoints)
│   ├── chatbot.py (chatbot management)
│   ├── data_crawling.py (data crawling endpoints)
│   ├── chat_interaction.py (chat responses)
│   ├── admin.py (superadmin endpoints)
│   └── payment.py (payment endpoints)
├── middleware/
│   ├── cors.py
│   ├── logging.py
│   └── rate_limiting.py
└── config.py (service URLs, timeouts)

2. Duplicate Function Names¶

Issue: Many functions have the same name (e.g., proxy_login appears 3 times, proxy_save_chatbot_selection appears 3 times).

Impact: Confusing code, last definition overwrites previous ones.

Example (Lines 60-61 vs 82-87):

@app.post("/v2/login")
async def proxy_login(email: str = Form(...), password: str = Form(...)):
    ...

@app.post("/v2/login1")
async def proxy_login(  # ⚠️ Same function name!
    email: str = Form(...),
    password: str = Form(...),
    recaptcha_token: str = Form(...)
):
    ...

FastAPI Resolution: FastAPI uses the route decorator to identify endpoints, not function names. So this works, but is confusing for developers.

Recommended Fix: Use unique function names:

async def proxy_login_basic(...):
async def proxy_login_recaptcha(...):

3. Inconsistent Timeout Values¶

Issue: Timeouts vary from 60s to 600s without clear documentation.

Recommendation: Define timeout constants:

TIMEOUT_SHORT = 60.0      # Quick operations
TIMEOUT_MEDIUM = 120.0    # File uploads
TIMEOUT_LONG = 600.0      # Crawling, heavy processing

4. Unused Dependencies¶

Issue: python-jose, pymongo, azure-storage-blob, pymilvus are not used.

Recommendation: Remove from requirements.txt.

Performance Characteristics¶

Connection Pooling¶

Configuration (consistent across all endpoints):

limits = httpx.Limits(max_connections=100, max_keepalive_connections=20)

• max_connections=100: Maximum 100 concurrent connections to backend services
• max_keepalive_connections=20: Keep 20 connections alive for reuse

Impact:

• Efficient connection reuse
• Reduces latency for subsequent requests
• Handles high concurrency

Request Latency Breakdown¶

Typical Request Flow:

Client Request → Gateway (Port 8000) → Backend Service (Port 80XX) → Response
                  ~5-20ms overhead       actual processing time

Gateway Overhead:

• Request parsing: ~1-5ms
• Connection pooling: ~1-5ms (reused connection) or ~10-50ms (new connection)
• Response forwarding: ~5-10ms

Total Gateway Overhead: ~10-30ms (negligible compared to backend processing)

Throughput Capacity¶

Theoretical Maximum:

• Max connections: 100
• Max keepalive: 20
• Assuming avg request time: 200ms
• Throughput: ~500 requests/second (100 connections * 1000ms / 200ms)

Actual Throughput:

• Depends on backend service capacity
• Gateway is rarely the bottleneck

Integration with Frontend¶

Request Flow Example: 3D Chatbot Interaction¶

sequenceDiagram
    participant User as User's Browser
    participant Widget as Embedded Widget
    participant Gateway as Gateway (Port 8000)
    participant Response3D as Response 3D Service (Port 8011)
    participant ChatHistory as Chat History Service (Port 8014)

    User->>Widget: Types message
    Widget->>+Gateway: POST /v2/get-response-3dchatbot-v6-hybrid<br/>{user_id, project_id, session_id, question}

    Gateway->>+Response3D: Forward request (60s timeout)
    Response3D->>Response3D: RAG search (Milvus)
    Response3D->>Response3D: GPT-4 response
    Response3D->>Response3D: Azure TTS generation
    Response3D->>Response3D: Rhubarb lip-sync
    Response3D-->>-Gateway: {text, audio, mouthCues}

    Gateway-->>-Widget: Forward response

    Widget->>+Gateway: POST /v2/save-chat-history<br/>{user_id, project_id, session_id, input, output}
    Gateway->>+ChatHistory: Forward request
    ChatHistory->>ChatHistory: Save to MongoDB
    ChatHistory-->>-Gateway: {success: true}
    Gateway-->>-Widget: Confirmation

    Widget->>User: Display text + play audio + animate avatar

Summary¶

Service Statistics¶

• Total Lines: 3,604
• Total Functions: 197 proxy endpoints
• Backend Services Proxied: 20+
• Timeout Configurations: 3 tiers (60s, 120s, 600s)
• Connection Pool: 100 max connections, 20 keepalive

Key Features¶

✅ Centralized API Gateway - Single entry point for all frontend requests
✅ Request Proxying - Forwards to 20+ backend microservices
✅ CORS Handling - Manages cross-origin requests (⚠️ too permissive)
✅ Connection Pooling - Efficient HTTP client configuration
✅ File Upload Support - Handles multipart form data
✅ reCAPTCHA Integration - Bot protection for login endpoints

Critical Issues¶

🔴 CRITICAL - Permissive CORS - Allows requests from any origin
🔴 CRITICAL - No Rate Limiting - Vulnerable to DDoS and brute force
🔴 CRITICAL - No Authentication Middleware - No centralized auth layer
🟡 MEDIUM - Missing reCAPTCHA Key Validation - Endpoints will fail silently
🟡 MEDIUM - File Upload Memory Usage - Large files loaded into memory
🟡 MEDIUM - No Request Logging - Difficult to debug and monitor

Code Quality Issues¶

⚠️ Massive Monolithic File - 3,604 lines in single file
⚠️ Duplicate Function Names - Confusing code organization
⚠️ Inconsistent Timeouts - No clear timeout strategy
⚠️ Unused Dependencies - 4 unused packages in requirements.txt

Recommendations¶

Immediate Actions (Security):

1. ✅ Restrict CORS to specific domains
2. ✅ Add rate limiting to all endpoints
3. ✅ Implement centralized authentication middleware
4. ✅ Validate reCAPTCHA secret key on startup
5. ✅ Add request/response logging

Performance Improvements:

1. ✅ Stream file uploads instead of loading into memory
2. ✅ Add caching layer for frequently accessed data
3. ✅ Implement request compression

Code Quality:

1. ✅ Split into modular routers
2. ✅ Use unique function names
3. ✅ Define timeout constants
4. ✅ Remove unused dependencies
5. ✅ Add comprehensive unit tests

Performance Characteristics¶

• Gateway Overhead: ~10-30ms per request
• Theoretical Throughput: ~500 requests/second
• Connection Pooling: 100 max connections, 20 keepalive
• Timeout Tiers: 60s (short), 120s (medium), 600s (long)

Related Services¶

This gateway integrates with ALL 20 backend services:

• Port 8001 - Auth Service
• Port 8002 - User Service
• Port 8003 - Create Chatbot Service
• Port 8004 - Selection Chatbot Service
• Port 8005 - Data Crawling Service
• Port 8006 - State Selection 3D Service
• Port 8007 - State Selection Text Service
• Port 8008 - State Selection Voice Service
• Port 8009 - System Prompt Service
• Port 8010 - Chatbot Maintenance Service
• Port 8011 - Response 3D Chatbot Service
• Port 8012 - Response Text Chatbot Service
• Port 8013 - Response Voice Chatbot Service
• Port 8014 - Chat History Service
• Port 8015 - Client Data Collection Service
• Port 8016 - LLM Model Service
• Port 8017 - Homepage Chatbot Service
• Port 8018 - Remote Physio Service
• Port 8019 - Payment Service
• Port 8020 - Superadmin Service

Documentation Complete: Gateway Route Service (Port 8000) ✅