chi

package

v2.1.0 Latest Latest Go to latest Published: May 2, 2026 License: Apache-2.0 Imports: 7 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/aatuh/api-toolkit

Links

Open Source Insights

Documentation ¶

Overview ¶

Package chi adapts the chi router to api-toolkit HTTP ports.

Route bootstrap validation --------------------------

Use authz route bootstrap validation during startup to ensure route-level authz coverage is complete before serving traffic.

Example:

router := chi.New()
adminMw, err := authz.NewRequireRoleMiddlewareChecked("admin", roleResolver)
if err != nil {
	return fmt.Errorf("admin authz middleware: %w", err)
}
opsMw, err := authz.NewRequireRoleMiddlewareChecked("ops", roleResolver)
if err != nil {
	return fmt.Errorf("ops authz middleware: %w", err)
}
router.Get("/admin", adminHandler)
router.Post("/ops", opsHandler)
router.Get("/public", publicHandler)

if err := chiAdapter.ValidateRequireRoleMiddlewareRoutes(router, func(method, route string, _ http.Handler) *authz.RequireRoleMiddleware {
	switch route {
	case "/admin":
		return adminMw
	case "/ops":
		return opsMw
	case "/public":
		return nil
	}
	return nil
}); err != nil {
	return fmt.Errorf("route contract scan failed: %w", err)
}

// Use strict-by-default startup bootstrap policy for mixed-route rollouts in CI
// and production-like deployments.
if err := chiAdapter.ValidateRequireRoleMiddlewareRoutesAuto(router, func(method, route string, _ http.Handler) *authz.RequireRoleMiddleware {
	switch route {
	case "/admin", "/ops":
		return adminMw
	case "/public":
		return nil
	}
	return nil
}); err != nil {
	return fmt.Errorf("route bootstrap strict-policy check failed: %w", err)
}

// Override bootstrap strictness explicitly from CI or environment signals:
// API_TOOLKIT_AUTHZ_BOOTSTRAP_STRICT=1|true|strict|enabled
// API_TOOLKIT_AUTHZ_BOOTSTRAP_STRICT=0|false|permissive|disabled

// Mixed public/protected routes can be validated with explicit coverage
// control when strict coverage is desired only for protected routes.
if err := chiAdapter.ValidateRequireRoleMiddlewareRoutesWithCoverage(
	router,
	func(method, route string, _ http.Handler) MiddlewareSpecResolution {
		switch route {
		case "/admin", "/ops":
			return MiddlewareSpecResolution{Middleware: adminMw}
		case "/public":
			return MiddlewareSpecResolution{SkipFromValidation: true}
		default:
			return MiddlewareSpecResolution{}
		}
	},
); err != nil {
	return fmt.Errorf("route contract scan with mixed coverage failed: %w", err)
}

// Recommended rollout policy:
// - Use ValidateRequireRoleMiddlewareRoutesAuto as the default startup policy.
// - Keep strict mode enabled in CI/production-like environments via
//   API_TOOLKIT_AUTHZ_BOOTSTRAP_STRICT or explicit strict profile signals.
// - Use MiddlewareSpecResolution SkipFromValidation for explicit public routes while
//   retaining strict validation for protected routes.

if err := chiAdapter.ValidateRequireRoleMiddlewareRoutesStrict(router, func(method, route string, _ http.Handler) *authz.RequireRoleMiddleware {
	if route == "/public" {
		return nil
	}
	return adminMw
}); err != nil {
	return fmt.Errorf("strict route contract scan failed: %w", err)
}

Index ¶

func New() ports.HTTPRouter
func NewMiddleware() ports.HTTPMiddleware
func NewMux() *chi.Mux
func NewURLParamExtractor() ports.URLParamExtractor
func URLParam(r *http.Request, key string) string
func ValidateRequireRoleMiddlewareRoutes(router *chi.Mux, resolve MiddlewareSpecResolver) error
func ValidateRequireRoleMiddlewareRoutesAuto(router *chi.Mux, resolve MiddlewareSpecResolver) error
func ValidateRequireRoleMiddlewareRoutesAutoWithLogger(router *chi.Mux, resolve MiddlewareSpecResolver, log ports.Logger) error
func ValidateRequireRoleMiddlewareRoutesStrict(router *chi.Mux, resolve MiddlewareSpecResolver) error
func ValidateRequireRoleMiddlewareRoutesWithCoverage(router *chi.Mux, resolve MiddlewareSpecResolverWithCoverage) error
func ValidateRequireRoleMiddlewareRoutesWithCoverageAndLogger(router *chi.Mux, resolve MiddlewareSpecResolverWithCoverage, log ports.Logger) error
type ChiRouter
type Middleware
type MiddlewareSpecResolution
type MiddlewareSpecResolver
type MiddlewareSpecResolverWithCoverage
type URLParamExtractor
- func (u *URLParamExtractor) URLParam(r *http.Request, key string) string

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func New ¶

func New() ports.HTTPRouter

New creates a new chi router that implements ports.HTTPRouter.

func NewMiddleware ¶

func NewMiddleware() ports.HTTPMiddleware

NewMiddleware creates a new middleware instance that implements ports.HTTPMiddleware.

func NewMux ¶

func NewMux() *chi.Mux

NewMux creates a new chi.Mux directly.

func NewURLParamExtractor ¶

func NewURLParamExtractor() ports.URLParamExtractor

NewURLParamExtractor creates a new URL parameter extractor.

func URLParam ¶

func URLParam(r *http.Request, key string) string

URLParam is a convenience function for direct usage.

func ValidateRequireRoleMiddlewareRoutes ¶ added in v2.1.0

func ValidateRequireRoleMiddlewareRoutes(router *chi.Mux, resolve MiddlewareSpecResolver) error

ValidateRequireRoleMiddlewareRoutes validates authz middleware coverage for chi routes.

The helper traverses chi's registered route tree, converts each method+pattern pair into a RequireRoleRouteSpec, and validates all entries in one startup pass.

By default, returning nil from the legacy resolver skips validation for that route to support mixed public/protected routers.

func ValidateRequireRoleMiddlewareRoutesAuto ¶ added in v2.1.0

func ValidateRequireRoleMiddlewareRoutesAuto(router *chi.Mux, resolve MiddlewareSpecResolver) error

ValidateRequireRoleMiddlewareRoutesAuto validates authz route coverage using the default deployment policy.

The default is permissive in local/dev and strict in CI-like environments. Set API_TOOLKIT_AUTHZ_BOOTSTRAP_STRICT to explicitly override.

func ValidateRequireRoleMiddlewareRoutesAutoWithLogger ¶ added in v2.1.0

func ValidateRequireRoleMiddlewareRoutesAutoWithLogger(router *chi.Mux, resolve MiddlewareSpecResolver, log ports.Logger) error

ValidateRequireRoleMiddlewareRoutesAutoWithLogger validates authz route coverage using the default deployment policy and emits startup intent logs.

func ValidateRequireRoleMiddlewareRoutesStrict ¶ added in v2.1.0

func ValidateRequireRoleMiddlewareRoutesStrict(router *chi.Mux, resolve MiddlewareSpecResolver) error

ValidateRequireRoleMiddlewareRoutesStrict validates authz middleware coverage and treats nil middleware as a validation failure.

This is useful during migration windows when every checked route must declare a middleware explicitly.

func ValidateRequireRoleMiddlewareRoutesWithCoverage ¶ added in v2.1.0

func ValidateRequireRoleMiddlewareRoutesWithCoverage(router *chi.Mux, resolve MiddlewareSpecResolverWithCoverage) error

ValidateRequireRoleMiddlewareRoutesWithCoverage validates routes using an explicit resolver that can distinguish protected routes from public routes.

func ValidateRequireRoleMiddlewareRoutesWithCoverageAndLogger ¶ added in v2.1.0

func ValidateRequireRoleMiddlewareRoutesWithCoverageAndLogger(
	router *chi.Mux,
	resolve MiddlewareSpecResolverWithCoverage,
	log ports.Logger,
) error

ValidateRequireRoleMiddlewareRoutesWithCoverageAndLogger validates routes using an explicit resolver and emits startup intent logs.

Types ¶

type ChiRouter ¶

type ChiRouter struct {
	*chi.Mux
}

ChiRouter wraps chi.Router to implement our interface.

type Middleware ¶

type Middleware struct{}

Middleware provides common middleware functions.

func (*Middleware) RealIP ¶

func (m *Middleware) RealIP() func(http.Handler) http.Handler

RealIP returns the real IP middleware.

func (*Middleware) Recoverer ¶

func (m *Middleware) Recoverer() func(http.Handler) http.Handler

Recoverer returns the recoverer middleware.

func (*Middleware) RequestID ¶

func (m *Middleware) RequestID() func(http.Handler) http.Handler

RequestID returns the request ID middleware.

type MiddlewareSpecResolution ¶ added in v2.1.0

type MiddlewareSpecResolution struct {
	// Middleware is the resolved route middleware.
	Middleware *authz.RequireRoleMiddleware
	// SkipFromValidation skips this route during authz contract validation.
	SkipFromValidation bool
}

MiddlewareSpecResolution allows explicit classification for route-level validation.

type MiddlewareSpecResolver ¶ added in v2.1.0

type MiddlewareSpecResolver func(method, route string, handler http.Handler) *authz.RequireRoleMiddleware

MiddlewareSpecResolver resolves a Chi route handler to an authorization middleware.

Route and method context are provided for actionable diagnostics and stable migration checks.

Returning nil means the route is treated as unprotected and skipped unless ValidateRequireRoleMiddlewareRoutesStrict is used.

type MiddlewareSpecResolverWithCoverage ¶ added in v2.1.0

type MiddlewareSpecResolverWithCoverage func(method, route string, handler http.Handler) MiddlewareSpecResolution

MiddlewareSpecResolverWithCoverage resolves a Chi route handler with explicit include/exclude intent.

Return SkipFromValidation=true for public routes and false with a concrete middleware for protected routes.

type URLParamExtractor ¶

type URLParamExtractor struct{}

URLParamExtractor implements ports.URLParamExtractor.

func (*URLParamExtractor) URLParam ¶

func (u *URLParamExtractor) URLParam(r *http.Request, key string) string

URLParam extracts URL parameters from the request context.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL