Documentation
¶
Index ¶
- Constants
- Variables
- func WithResolvedGateway(c *fiber.Ctx, r GatewayResolver) context.Context
- type APIKeyIdentityResolver
- type ChainedIdentityResolver
- type GatewayResolver
- type HeaderGatewayResolver
- type IdentityResolver
- type OAuth2IdentityResolver
- type OIDCIdentityResolver
- type PlaygroundIdentityResolver
- type ProxyRoute
- type SubdomainGatewayResolver
Constants ¶
const ( RouteChatCompletions = "/v1/chat/completions" RouteMessages = "/v1/messages" RouteResponses = "/v1/responses" )
const HeaderAPIKey = "X-AG-API-Key" // #nosec G101 -- HTTP header name, not a credential
const HeaderGatewaySlug = "X-AG-Gateway-Slug"
const HeaderPlaygroundToken = "X-AG-Playground-Token" // #nosec G101 -- HTTP header name, not a credential
HeaderPlaygroundToken carries a short-lived, server-minted JWT that lets the dashboard playground exercise a consumer route without that consumer's credentials. Minting requires SERVER_SECRET_KEY, so the trust boundary is the same as the admin API.
const ProxyRouteLocalsKey = "proxyRoute"
ProxyRouteLocalsKey stores the resolved ProxyRoute in fiber Locals so the proxy handler can reuse the parse done by the auth middleware.
Variables ¶
var ( ErrUnauthenticated = errors.New("unauthenticated") ErrForbidden = errors.New("forbidden") )
var ErrUnknownProxyPath = errors.New("no fixed proxy route matches the request path")
Functions ¶
func WithResolvedGateway ¶
func WithResolvedGateway(c *fiber.Ctx, r GatewayResolver) context.Context
WithResolvedGateway best-effort resolves the gateway addressed by the request (gateway-slug header or subdomain, per the configured discovery mode) and returns a context carrying it. On any resolution miss it returns the request context unchanged, so callers that can still operate without a pinned gateway keep working.
Types ¶
type APIKeyIdentityResolver ¶
type APIKeyIdentityResolver struct{}
func NewAPIKeyIdentityResolver ¶
func NewAPIKeyIdentityResolver() *APIKeyIdentityResolver
func (*APIKeyIdentityResolver) Resolve ¶
func (r *APIKeyIdentityResolver) Resolve( c *fiber.Ctx, gw *gatewaydomain.Gateway, rc *appconsumer.RoutableConsumer, ) (*appauth.AuthContext, error)
type ChainedIdentityResolver ¶
type ChainedIdentityResolver struct {
// contains filtered or unexported fields
}
func (ChainedIdentityResolver) Resolve ¶
func (r ChainedIdentityResolver) Resolve( c *fiber.Ctx, gw *gatewaydomain.Gateway, rc *appconsumer.RoutableConsumer, ) (*appauth.AuthContext, error)
type GatewayResolver ¶
type GatewayResolver interface {
Resolve(c *fiber.Ctx) (*gatewaydomain.Gateway, error)
}
func NewGatewayResolver ¶
func NewGatewayResolver(finder appgateway.Finder, mode, baseDomain string) GatewayResolver
func NewSubdomainGatewayResolver ¶
func NewSubdomainGatewayResolver(finder appgateway.Finder, baseDomain string) GatewayResolver
type HeaderGatewayResolver ¶
type HeaderGatewayResolver struct {
// contains filtered or unexported fields
}
func (*HeaderGatewayResolver) Resolve ¶
func (r *HeaderGatewayResolver) Resolve(c *fiber.Ctx) (*gatewaydomain.Gateway, error)
type IdentityResolver ¶
type IdentityResolver interface {
Resolve(c *fiber.Ctx, gw *gatewaydomain.Gateway, rc *appconsumer.RoutableConsumer) (*appauth.AuthContext, error)
}
func NewIdentityResolver ¶
func NewIdentityResolver( playground *PlaygroundIdentityResolver, apiKey *APIKeyIdentityResolver, oauth2 *OAuth2IdentityResolver, oidc *OIDCIdentityResolver, ) IdentityResolver
type OAuth2IdentityResolver ¶
type OAuth2IdentityResolver struct {
// contains filtered or unexported fields
}
func NewOAuth2IdentityResolver ¶
func NewOAuth2IdentityResolver(verifier appauth.OAuth2Verifier) *OAuth2IdentityResolver
func (*OAuth2IdentityResolver) Resolve ¶
func (r *OAuth2IdentityResolver) Resolve( c *fiber.Ctx, gw *gatewaydomain.Gateway, rc *appconsumer.RoutableConsumer, ) (*appauth.AuthContext, error)
type OIDCIdentityResolver ¶
type OIDCIdentityResolver struct {
// contains filtered or unexported fields
}
func NewOIDCIdentityResolver ¶
func NewOIDCIdentityResolver(finder appauth.OIDCFinder, verifier appauth.OIDCVerifier) *OIDCIdentityResolver
func (*OIDCIdentityResolver) Resolve ¶
func (r *OIDCIdentityResolver) Resolve( c *fiber.Ctx, gw *gatewaydomain.Gateway, rc *appconsumer.RoutableConsumer, ) (*appauth.AuthContext, error)
type PlaygroundIdentityResolver ¶
type PlaygroundIdentityResolver struct {
// contains filtered or unexported fields
}
PlaygroundIdentityResolver authenticates playground tokens: JWTs signed with the server secret, tagged with purpose "playground" and bound to a single consumer slug.
func NewPlaygroundIdentityResolver ¶
func NewPlaygroundIdentityResolver(jwtManager jwt.Manager) *PlaygroundIdentityResolver
func (*PlaygroundIdentityResolver) Resolve ¶
func (r *PlaygroundIdentityResolver) Resolve( c *fiber.Ctx, gw *gatewaydomain.Gateway, rc *appconsumer.RoutableConsumer, ) (*appauth.AuthContext, error)
type ProxyRoute ¶
ProxyRoute is the result of parsing a proxy request path of the form /{consumer_slug}/{fixed route}, where the fixed route determines the payload format the client speaks.
func ResolveProxyPath ¶
func ResolveProxyPath(path string) (ProxyRoute, error)
type SubdomainGatewayResolver ¶
type SubdomainGatewayResolver struct {
// contains filtered or unexported fields
}
func (*SubdomainGatewayResolver) Resolve ¶
func (r *SubdomainGatewayResolver) Resolve(c *fiber.Ctx) (*gatewaydomain.Gateway, error)