[DOM-75514] feat: core HTTP layer enhancements + debug middleware#14
Merged
ddl-subir-m merged 9 commits into main, Mar 24, 2026
…aming download and debug middleware
- Add params, files, headers, base_url parameters to domino_request()
- Add domino_download() for streaming file downloads from Domino APIs
- Add resolve_domino_nucleus_host() for direct nucleus-frontend access
- Add _get_api_key() helper for X-Domino-Api-Key auth
- Add DebugLoggingMiddleware (opt-in via AUTOML_DEBUG_LOGGING=true)
- Use fresh httpx client per request to avoid proxy idle disconnects
- Add debug_logging setting to config
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This was referenced Mar 20, 2026
Stop the sidecar token from overwriting the user's forwarded JWT. When a user token is present (from the Extension-injected Authorization header), outbound calls to datasetrw, jobs, and model registry now run as the visiting user instead of the App owner. The sidecar token is only used as fallback for background tasks and health checks.
Addresses review comment: use the actual header name x-domino-api-key instead of the incorrect domino-api-key.
Remove use_api_key parameter and _get_api_key() helper. All downloads now use the standard auth chain which preserves the user's forwarded token and falls back to sidecar when needed.
Switch project_resolver from raw domino_request(/v4/projects) to the generated get_project_by_id endpoint (/api/projects/v1/projects). Returns typed ProjectEnvelopeV1 instead of parsing raw JSON dicts.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…esent
The sidecar proxy (localhost:8899) returns 500 HTML error pages when a forwarded user JWT is passed through to datasetrw. Fix by calling nucleus-frontend directly with the user JWT (for RBAC), falling back to the sidecar only for background tasks with no user context. Also removes temporary debug logging from domino_dataset_api.py.
The datasetrw 500 was caused by the browser JWT having narrow scopes (aud: "apps"), not by the sidecar. Fix is to enable extended identity propagation on the app which provides a full-scoped JWT. Revert to the original get_domino_public_api_client_sync() implementation.
…l Domino API calls
Sidecar token and static API key fallbacks silently escalated to the App-owner identity when no user JWT was forwarded, bypassing Domino's per-user RBAC. Now all outbound Domino API calls require the visiting user's forwarded token and raise MissingUserTokenError if absent. Background job syncs already capture the user token before detaching, so they are unaffected. Job runner workers run in separate containers with their own env and don't import these functions. Addresses Ryan's review comment on PR #25.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
niole approved these changes Mar 24, 2026
Why
The existing domino_request() only supports JSON payloads with a fixed base URL. Upcoming work to replace the domino-py SDK with direct API calls (dataset listing, chunked file upload, storage resolver, job launcher) requires support for query params, multipart file uploads, custom headers, and configurable base URLs. This PR lays that foundation.

Additionally, the Domino App proxy closes idle HTTP connections server-side, causing "Server disconnected" errors with a shared connection pool. Switching to fresh clients per request matches the behavior of the original SDK and eliminates these intermittent failures.
The debug middleware was added because diagnosing Domino API issues in production Apps requires visibility into request/response details that standard logging doesn't capture.
Summary
- domino_request() with params, files, headers, and base_url parameters
- domino_download() for streaming file downloads from Domino APIs
- resolve_domino_nucleus_host() for direct nucleus-frontend access, bypassing the local proxy
- get_sync_auth_headers() / get_domino_auth_headers() with user token preservation
- DebugLoggingMiddleware with header redaction

File → consumer mapping
domino_http.py extensions domino_dataset_api.py calls domino_request with new params)
middleware.py main.py) — shared infrastructure, introduced here alongside the HTTP layer it logs
project_resolver.py dataset_manager.py calls resolve_project) — refactored here because it touches domino_http imports
config.py debug_logging main.py)

Test plan
- test_domino_http.py passes
- test_domino_http_auth_context.py passes
- test_middleware.py passes
- AUTOML_DEBUG_LOGGING=true
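
The fail-closed token handling from the last commit message and the header redaction named in the summary, sketched as an added example that is not the project's own code. Only MissingUserTokenError and the Authorization / X-Domino-Api-Key header names come from this page; the function names, the context variable and the sensitive-header list are assumptions made for illustration.

```python
import contextvars
import logging

# Hypothetical per-request storage for the visiting user's forwarded JWT.
_forwarded_token = contextvars.ContextVar("forwarded_token", default=None)

# Headers whose values must never reach a debug log (constructed list).
SENSITIVE_HEADERS = {"authorization", "x-domino-api-key", "cookie", "set-cookie"}


class MissingUserTokenError(RuntimeError):
    """Raised instead of falling back to an App-owner credential."""


def capture_user_token(inbound_headers):
    """Store the bearer token from the inbound Authorization header, if any."""
    value = next((v for k, v in inbound_headers.items()
                  if k.lower() == "authorization"), "")
    scheme, _, token = value.partition(" ")
    ok = scheme.lower() == "bearer" and token.strip()
    _forwarded_token.set(token.strip() if ok else None)


def user_auth_headers():
    """Fail closed: no user token means no outbound call, never a fallback."""
    token = _forwarded_token.get()
    if not token:
        raise MissingUserTokenError("no forwarded user token on this request")
    return {"Authorization": f"Bearer {token}"}


def redact_headers(headers):
    """Copy headers for logging, masking credential-bearing values."""
    return {k: "[REDACTED]" if k.lower() in SENSITIVE_HEADERS else v
            for k, v in headers.items()}


def outbound_headers(extra=None, log=logging.getLogger("debug_http")):
    """Build outbound headers; only the redacted copy is ever logged."""
    headers = {**(extra or {}), **user_auth_headers()}
    log.debug("outbound headers: %s", redact_headers(headers))
    return headers
```

A caller that needs to keep working after the request ends has to read the token while the request context is still live, which is the property the commit message relies on for background job syncs.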