auth

package

v0.1.4 Latest Latest Go to latest Published: Mar 23, 2026 License: AGPL-3.0 Imports: 18 Imported by: 0

Details

View Source

const (
	ContextKeyDeviceID  = "device_id"
	ContextKeyDevice    = "device"
	ContextKeyRequestID = "request_id"
)

ContextKeys for values stored in Gin context

View Source

var (
	ErrNonceNotFound = errors.New("nonce not found or expired")
	ErrNonceCapacity = errors.New("nonce store at capacity")
)

func DeviceRateLimit(mutationPerMin, readPerMin int) gin.HandlerFunc

DeviceRateLimit implements per-device rate limiting with separate limits for mutations and reads.

func DeviceTPMAuth(deviceStore *store.DeviceStore, nonceStore *NonceStore, verifier tpm.Verifier, logger *slog.Logger) gin.HandlerFunc

DeviceTPMAuth validates per-request TPM attestation.

func NexusAuth(cfg *config.Config, clientCAs *x509.CertPool, logger *slog.Logger) gin.HandlerFunc

NexusAuth validates mTLS client certificates for Nexus registration.

func RateLimit(globalRPS, perIPRPS int) gin.HandlerFunc

RateLimit implements a simple token bucket rate limiter with periodic cleanup.

func RequestIDMiddleware() gin.HandlerFunc

RequestIDMiddleware adds a unique request ID to each request.

type NonceStore struct {
	// contains filtered or unexported fields
}

func NewNonceStore(logger *slog.Logger) *NonceStore

func (s *NonceStore) CleanupLoop(ctx context.Context)

CleanupLoop removes expired nonces periodically.

func (s *NonceStore) Consume(nonce string) error

Consume validates and removes a nonce (one-time use).

func (s *NonceStore) Generate() (string, time.Time, error)

Generate creates a new nonce and returns it as base64-encoded string.