Documentation
¶
Overview ¶
Package protection builds the edge-guard runtime config from a user's protection spec. It is deliberately decoupled from the config (YAML) layer — callers map config.CFProtection → protection.Config — so the normalizer and the emitted JSON contract can be unit-tested in isolation and reused by the nextcompile runtime without importing the whole config package.
The output (Runtime) is serialized to _nextdeploy/protection.json and read by runtime_src/guard.mjs at the edge. All defaults are resolved here so the JS side never has to guess.
Index ¶
Constants ¶
const ( DefaultSecretEnv = "AUTH_SECRET" DefaultCookieName = "session" DefaultLoginPath = "/login" DefaultKVBinding = "RATE_LIMIT" DefaultRequestsPerM = 60 )
Defaults applied when the user leaves a field blank.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Config ¶
type Config struct {
Enabled bool
PublicPaths []string
Auth *Auth
RateLimit *RateLimit
Allow []string
Deny []string
}
Config is the decoupled mirror of config.CFProtection.
type RateLimitRT ¶
type Runtime ¶
type Runtime struct {
Version int `json:"version"`
PublicPaths []string `json:"publicPaths"`
Allow []string `json:"allow,omitempty"`
Deny []string `json:"deny,omitempty"`
Auth *AuthRT `json:"auth,omitempty"`
RateLimit *RateLimitRT `json:"rateLimit,omitempty"`
}
Runtime is the normalized, fully-defaulted shape guard.mjs consumes.
func BuildRuntime ¶
BuildRuntime validates c and resolves defaults. Returns (nil, nil) when protection is absent or disabled (caller emits no guard). Returns an error when Enabled but no actual rule (auth / rate-limit / allow / deny) is set — a guard that does nothing is almost always a config mistake.