httputil

package
v0.1.3 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 4, 2026 License: MIT Imports: 7 Imported by: 0

Documentation

Overview

Package httputil provides shared HTTP server primitives used across eyrie's API surfaces. Centralizing these eliminates drift in auth comparison, body decoding, JSON responses, security headers, and loopback validation that previously existed as duplicated copies in internal/api/server.go and other handlers.

Index

Constants

View Source
const MaxRequestBodyBytes = 1 << 20

MaxRequestBodyBytes is the default maximum request body size (1 MiB).

Variables

This section is empty.

Functions

func ConstantTimeEqual

func ConstantTimeEqual(a, b string) bool

ConstantTimeEqual compares two strings in constant time. The shorter value is padded with NUL bytes so comparison time does not leak token length. This is the preferred bearer-token comparison for API servers.

func DecodeJSONBody

func DecodeJSONBody(w http.ResponseWriter, r *http.Request, dst any) bool

DecodeJSONBody decodes a JSON request body into dst with a size limit and strict unknown-field rejection. Returns true on success. On failure it writes a 400 JSON error response and returns false.

func DecodeJSONBodyWithLimit

func DecodeJSONBodyWithLimit(w http.ResponseWriter, r *http.Request, dst any, maxBytes int64) bool

DecodeJSONBodyWithLimit is like DecodeJSONBody but with a custom body size limit.

func ExtractBearerToken

func ExtractBearerToken(r *http.Request) string

ExtractBearerToken extracts a bearer/API-key token from request headers. It checks "Authorization: Bearer ..." first, then "X-API-Key". The Bearer scheme is matched case-insensitively per RFC 7235.

func IsLoopbackHost

func IsLoopbackHost(host string) bool

IsLoopbackHost reports whether host is a loopback address: 127.0.0.0/8, ::1, or "localhost". An empty string is treated as non-loopback (fail-safe).

func SecurityHeaders

func SecurityHeaders(next http.Handler) http.Handler

SecurityHeaders wraps an http.Handler with standard security headers (X-Content-Type-Options, X-Frame-Options, Cache-Control).

func ValidateAuthConfig

func ValidateAuthConfig(addr, apiKey string) error

ValidateAuthConfig refuses to start a server with no API key on a non-loopback bind. Returns nil if the API key is set or the bind address is loopback.

func WriteJSON

func WriteJSON(w http.ResponseWriter, status int, v interface{})

WriteJSON writes a JSON response with the given status code.

Types

This section is empty.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL