Overview
Package middleware provides shared HTTP middleware and context helpers.
Index
- Constants
- func CSPNonceFromContext(ctx context.Context) string
- func Chain(h http.Handler, middleware ...func(http.Handler) http.Handler) http.Handler
- func DevStubAuthFromContext(ctx context.Context) bool
- func IsAllowedDevRole(role string) bool
- func IsPublicRoute(r *http.Request, exact []PublicRoute, prefixes []string) bool
- func ModuleFlagsMiddleware(cache *ModuleFlagsCache) func(http.Handler) http.Handler
- func RequireAuth(next http.Handler) http.Handler
- func RequireLoginExcept(exact []PublicRoute, prefixes []string) func(http.Handler) http.Handler
- func RequireModule(name string) func(http.Handler) http.Handler
- func SecurityHeaders(hstsEnabled bool) func(http.Handler) http.Handler
- func SetUser(ctx context.Context, u SessionUser) context.Context
- func StubDBMiddleware(q db.Querier) func(http.Handler) http.Handler
- func StubMiddleware(next http.Handler) http.Handler
- func TopOrgNameFromContext(ctx context.Context) string
- type IPRateLimiter
- type ModuleFlags
- type ModuleFlagsCache
- type ModuleFlagsSnapshot
- type PublicRoute
- type SessionUser
Constants
const DevRoleCookieName = "vigil_dev_role"
DevRoleCookieName stores the selected role for development stub auth mode.
const DevUserCookieName = "vigil_dev_user"
DevUserCookieName stores the selected seeded development user ID.
Functions
func CSPNonceFromContext
CSPNonceFromContext returns the per-request CSP nonce for script tags.
func Chain
Chain applies multiple middleware functions to a handler in order, so that the first listed is the outermost wrapper (runs first on request).
func DevStubAuthFromContext
DevStubAuthFromContext reports whether the request was authenticated by stub auth.
func IsAllowedDevRole
IsAllowedDevRole reports whether role can be selected in dev stub auth.
func IsPublicRoute
func IsPublicRoute(r *http.Request, exact []PublicRoute, prefixes []string) bool
IsPublicRoute reports whether the request matches one of the allowed exact routes or path prefixes (GET exact routes also allow HEAD).
func ModuleFlagsMiddleware
func ModuleFlagsMiddleware(cache *ModuleFlagsCache) func(http.Handler) http.Handler
ModuleFlagsMiddleware injects the current module flag snapshot into request context without hitting the database. Refresh is performed separately by startup/background loops and explicit invalidation paths.
func RequireAuth
RequireAuth redirects to / if no session user is present in context. Must be placed after an auth or stub middleware that sets the user.
func RequireLoginExcept
RequireLoginExcept redirects anonymous requests to /login unless they match one of the allowed exact routes or path prefixes.
func RequireModule
RequireModule returns a middleware that responds with 404 if the named module is disabled. name must be "compliance", "risk", "activities", "assets", or "avvik".
func SecurityHeaders
SecurityHeaders adds HTTP security headers to every response. hstsEnabled is evaluated once at startup (not per-request) to avoid env var reads on the hot path and case-sensitivity bugs. Must be outermost middleware so headers are set even on error responses.
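The ordering rule from Chain and the "must be outermost" requirement for SecurityHeaders, shown together in an added example that is not this package's code. chain, headers, denyAll and probe are hypothetical stand-ins; headers sets a single header and denyAll redirects every request.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// chain is a stand-in for the package's Chain: the first middleware listed
// becomes the outermost wrapper and runs first on the request.
func chain(h http.Handler, mw ...func(http.Handler) http.Handler) http.Handler {
	for i := len(mw) - 1; i >= 0; i-- {
		h = mw[i](h)
	}
	return h
}

// headers is a hypothetical stand-in for SecurityHeaders; it sets one header only.
func headers(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Content-Type-Options", "nosniff")
		next.ServeHTTP(w, r)
	})
}

// denyAll is a hypothetical auth gate that short-circuits every request.
func denyAll(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, "/login", http.StatusSeeOther)
	})
}

// probe sends one GET through the chain and returns the status and header value.
func probe(mw ...func(http.Handler) http.Handler) (int, string) {
	final := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})
	rec := httptest.NewRecorder()
	chain(final, mw...).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/admin", nil))
	return rec.Code, rec.Header().Get("X-Content-Type-Options")
}

func main() {
	fmt.Println(probe(headers, denyAll)) // headers outermost: redirect carries the header
	fmt.Println(probe(denyAll, headers)) // headers inside the gate: redirect has no header
}
```
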
func SetUser
func SetUser(ctx context.Context, u SessionUser) context.Context
SetUser returns a context with the SessionUser stored.
func StubDBMiddleware
StubDBMiddleware injects a seeded development user from the database on every request. Intended only for DevStubAuth mode.
func StubMiddleware
StubMiddleware injects a dev admin user on every request. Never use in production.
func TopOrgNameFromContext
TopOrgNameFromContext returns the top-level organisation name for UI copy. Falls back to a sensible default when no top org is configured.
Types
type IPRateLimiter
type IPRateLimiter struct {
	// contains filtered or unexported fields
}
IPRateLimiter is a fixed-window per-IP rate limiter with no external dependencies.
func NewIPRateLimiter
func NewIPRateLimiter(limit int, window time.Duration) *IPRateLimiter
func NewIPRateLimiterWithKey
func NewIPRateLimiterWithKey(limit int, window time.Duration, requestKey func(*http.Request) string) *IPRateLimiter
NewIPRateLimiterWithKey returns a fixed-window rate limiter that uses requestKey to derive the bucket key. Empty keys fall back to RemoteAddr host parsing.
func (*IPRateLimiter) Wrap
func (l *IPRateLimiter) Wrap(next http.HandlerFunc) http.HandlerFunc
Wrap returns a HandlerFunc that applies the rate limit keyed on the request key. Empty keys fall back to RemoteAddr host parsing.
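A fixed-window limiter with the empty-key fallback described above, as an added example that is not the package's IPRateLimiter. fixedWindow, allow and keyFor are hypothetical names, windows are assumed to be aligned to the clock, and requestKey is assumed non-nil. It also shows the known fixed-window property that a key can spend a full limit on each side of a window boundary.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"sync"
	"time"
)

// fixedWindow is an illustrative limiter, not the package's IPRateLimiter.
type fixedWindow struct {
	mu     sync.Mutex
	limit  int
	window time.Duration
	slot   map[string]int64 // index of the window each key was last seen in
	hits   map[string]int   // requests counted for the key in that window
}

// allow reports whether key may make one more request at time now.
func (f *fixedWindow) allow(key string, now time.Time) bool {
	f.mu.Lock()
	defer f.mu.Unlock()
	if s := now.UnixNano() / int64(f.window); f.slot[key] != s {
		f.slot[key], f.hits[key] = s, 0 // new window: the counter resets in full
	}
	f.hits[key]++
	return f.hits[key] <= f.limit
}

// keyFor applies requestKey and falls back to the RemoteAddr host when it is empty.
func keyFor(r *http.Request, requestKey func(*http.Request) string) string {
	if k := requestKey(r); k != "" {
		return k
	}
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr // no port to strip; use the raw value
	}
	return host
}

func main() {
	f := &fixedWindow{limit: 2, window: time.Minute, slot: map[string]int64{}, hits: map[string]int{}}
	// Constructed sample request; the key function returns "" to force the fallback.
	key := keyFor(&http.Request{RemoteAddr: "203.0.113.7:51234"}, func(*http.Request) string { return "" })
	for _, d := range []time.Duration{-2 * time.Millisecond, -time.Millisecond, 0, time.Millisecond} {
		fmt.Println(key, d, f.allow(key, time.Unix(120, 0).Add(d))) // 120s is a window boundary
	}
}
```

With a limit of 2 per minute, all four requests in the sample run are allowed because two land on each side of the boundary.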
type ModuleFlags
type ModuleFlags struct {
	ComplianceEnabled bool
	RiskEnabled       bool
	ActivitiesEnabled bool
	AssetsEnabled     bool
	AvvikEnabled      bool
}
ModuleFlags holds the per-request feature-toggle state for optional modules.
func ModuleFlagsFromContext
func ModuleFlagsFromContext(ctx context.Context) ModuleFlags
ModuleFlagsFromContext retrieves ModuleFlags from the request context. Returns all-enabled defaults if not set (safe for tests without the middleware).
type ModuleFlagsCache (added in v1.0.1)
type ModuleFlagsCache struct {
	// contains filtered or unexported fields
}
ModuleFlagsCache maintains an atomic snapshot of module flags and top org name. Refresh is expected to run in background and on explicit invalidation paths; request middleware should only perform atomic loads.
func NewModuleFlagsCache (added in v1.0.1)
func NewModuleFlagsCache(q db.Querier) *ModuleFlagsCache
func (*ModuleFlagsCache) Refresh (added in v1.0.1)
func (c *ModuleFlagsCache) Refresh(ctx context.Context) error
func (*ModuleFlagsCache) Snapshot (added in v1.0.1)
func (c *ModuleFlagsCache) Snapshot() (ModuleFlagsSnapshot, bool)
type ModuleFlagsSnapshot (added in v1.0.1)
type ModuleFlagsSnapshot struct {
	Flags      ModuleFlags
	TopOrgName string
}
ModuleFlagsSnapshot is the cached view served to request handlers.
type PublicRoute
type SessionUser
SessionUser holds the authenticated user in the request context.
func FromContext
func FromContext(ctx context.Context) (SessionUser, bool)
FromContext retrieves the SessionUser from the request context.