Documentation
Index
- Constants
- func BuildScope(resource Resource, action Action) string
- func HasPermission(scopes []string, resource Resource, method string) bool
- func MetricsAuth(secure bool, token string) gin.HandlerFunc
- func MetricsAuthHandler(secure bool, token string, next http.Handler) http.Handler
- func ParseScope(scope string) (Resource, Action)
- func RateLimitMiddleware(conf *config.Configuration) gin.HandlerFunc
- func SecurityHeaders() gin.HandlerFunc
- type Action
- type AuthMiddleware
- type Resource
Constants
const (
	// Actions
	ActionRead   Action = "read"
	ActionWrite  Action = "write"
	ActionDelete Action = "delete"
	ActionAll    Action = "*"

	// Resources
	ResourceLedgers         Resource = "ledgers"
	ResourceBalances        Resource = "balances"
	ResourceAccounts        Resource = "accounts"
	ResourceIdentities      Resource = "identities"
	ResourceTransactions    Resource = "transactions"
	ResourceBalanceMonitors Resource = "balance-monitors"
	ResourceHooks           Resource = "hooks"
	ResourceAPIKeys         Resource = "api-keys"
	ResourceSearch          Resource = "search"
	ResourceReconciliation  Resource = "reconciliation"
	ResourceMetadata        Resource = "metadata"
	ResourceBackup          Resource = "backup"
	ResourceAll             Resource = "*"
)
const (
	KeyHeader = "X-Blnk-Key"
)
Variables
This section is empty.
Functions
func BuildScope
func BuildScope(resource Resource, action Action) string
BuildScope creates a scope string from a resource and an action.
func HasPermission
func HasPermission(scopes []string, resource Resource, method string) bool
HasPermission reports whether a set of scopes grants permission for a given resource and HTTP method.
func MetricsAuth added in v0.14.0
func MetricsAuth(secure bool, token string) gin.HandlerFunc
MetricsAuth returns a middleware that controls access to the /metrics endpoint.
Behavior based on secure mode and token configuration:
- Secure mode OFF, no token: open access (no auth required)
- Secure mode OFF, token set: require bearer token
- Secure mode ON, token set: require bearer token
- Secure mode ON, no token: block all access (misconfiguration)
When authentication is required, requests must include "Authorization: Bearer <token>". This uses the standard Authorization header that Prometheus natively supports via its scrape_configs authorization block.
func MetricsAuthHandler added in v0.14.0
func MetricsAuthHandler(secure bool, token string, next http.Handler) http.Handler
MetricsAuthHandler wraps an http.Handler with bearer token authentication. It is the non-Gin equivalent of MetricsAuth, used for the worker monitoring server, which serves from a standard http.ServeMux instead of Gin. It applies the same secure mode logic as MetricsAuth: access is blocked when secure is true and token is empty.
func ParseScope
func ParseScope(scope string) (Resource, Action)
ParseScope parses a scope string into its resource and action.
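The four-state policy described above, as an added example that is not Blnk's own code: MetricsGuard is a hypothetical http.Handler wrapper in the spirit of MetricsAuthHandler, and ProbeMetrics drives one request through it so each mode can be checked. The 403 used for the "secure on, no token" misconfiguration is this example's choice; the page only says access is blocked. The token value is constructed.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// MetricsGuard is a hypothetical re-implementation (not Blnk's code) of the
// four-state policy documented for MetricsAuth / MetricsAuthHandler.
func MetricsGuard(secure bool, token string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if token == "" {
			if secure {
				// secure mode without a token is a misconfiguration: fail closed
				// (the page says "block all access"; 403 is this example's choice)
				http.Error(w, "metrics disabled: secure mode without a token", http.StatusForbidden)
				return
			}
			// secure mode off and no token: open access
			next.ServeHTTP(w, r)
			return
		}
		// a token is configured (secure on or off): require Authorization: Bearer <token>
		const prefix = "Bearer "
		authz := r.Header.Get("Authorization")
		if !strings.HasPrefix(authz, prefix) {
			w.Header().Set("WWW-Authenticate", `Bearer realm="metrics"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		presented := strings.TrimPrefix(authz, prefix)
		// constant-time comparison so a wrong token cannot be refined byte by byte
		if subtle.ConstantTimeCompare([]byte(presented), []byte(token)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// ProbeMetrics sends one GET /metrics carrying the given Authorization header
// value (empty means no header) through MetricsGuard and returns the status code.
func ProbeMetrics(secure bool, token, authorization string) int {
	next := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprintln(w, "up 1") // constructed stand-in for a scrape body
	})
	req := httptest.NewRequest(http.MethodGet, "/metrics", nil)
	if authorization != "" {
		req.Header.Set("Authorization", authorization)
	}
	rec := httptest.NewRecorder()
	MetricsGuard(secure, token, next).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	const token = "s3cret" // constructed example token
	cases := []struct {
		name          string
		secure        bool
		token, header string
	}{
		{"secure off, no token, anonymous", false, "", ""},
		{"secure off, token set, anonymous", false, token, ""},
		{"secure off, token set, correct bearer", false, token, "Bearer " + token},
		{"secure on, token set, wrong bearer", true, token, "Bearer nope"},
		{"secure on, token set, correct bearer", true, token, "Bearer " + token},
		{"secure on, no token, correct bearer", true, "", "Bearer " + token},
	}
	for _, c := range cases {
		fmt.Printf("%-40s -> %d\n", c.name, ProbeMetrics(c.secure, c.token, c.header))
	}
}
```

Note that the last case returns 403 even though the scraper presents the right token: when secure mode is on, an empty token is treated as a deployment error rather than as "no auth needed", which is the fail-closed behaviour the page describes.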
func RateLimitMiddleware
func RateLimitMiddleware(conf *config.Configuration) gin.HandlerFunc
RateLimitMiddleware creates a middleware for rate limiting using Tollbooth. It sets up rate limiting based on the configuration parameters and applies it to incoming requests.
Parameters:
- conf: The configuration object containing rate limit settings.
Returns:
- gin.HandlerFunc: A middleware function that applies rate limiting to requests.
func SecurityHeaders added in v0.13.0
func SecurityHeaders() gin.HandlerFunc
SecurityHeaders sets security headers on the response. It sets the following headers:
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY
- Referrer-Policy: strict-origin-when-cross-origin
- Content-Security-Policy: default-src 'none'; frame-ancestors 'none'
- Cache-Control: no-store
- Strict-Transport-Security: max-age=31536000; includeSubDomains
Returns:
- gin.HandlerFunc: A middleware function that sets security headers on the response.
Types
type Action
type Action string
Action represents the allowed actions on a resource. Actions include read, write, delete, and wildcard (*).
type AuthMiddleware
type AuthMiddleware struct {
// contains filtered or unexported fields
}
AuthMiddleware handles authentication and authorization for API routes. It supports both master key and API key authentication using the X-Blnk-Key header.
func NewAuthMiddleware
func NewAuthMiddleware(blnk *blnk.Blnk) *AuthMiddleware
NewAuthMiddleware creates a new instance of AuthMiddleware.
Parameters:
- blnk: The Blnk service used to validate API keys.
Returns:
- *AuthMiddleware: A new instance of the authentication middleware.
func (*AuthMiddleware) Authenticate
func (m *AuthMiddleware) Authenticate() gin.HandlerFunc
Authenticate returns a middleware function that handles authentication and authorization for all routes. It checks for the X-Blnk-Key header and validates it against either the master key or API keys. For API keys, it verifies the key's validity and checks permissions based on the resource and HTTP method. For POST requests with API keys, it injects the API key ID into the metadata of the request body.
Returns:
- gin.HandlerFunc: A middleware function that performs the authentication.
Responses:
- 200 OK: When authentication succeeds.
- 401 Unauthorized: When the API key is missing or invalid.
- 403 Forbidden: When the API key lacks sufficient permissions.
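The scope functions (BuildScope, ParseScope, HasPermission) and the Authenticate flow above, as one added example that is not Blnk's own code. It assumes a "resource:action" scope format and a method-to-action mapping (GET/HEAD read, POST/PUT/PATCH write, DELETE delete), neither of which the page states; only a few of the page's constants are reproduced. Authenticate here checks X-Blnk-Key against a master key or a constructed key table and returns 401 or 403 as documented; the request-body metadata injection for POST requests is not reproduced. ProbeAuth is a hypothetical helper that runs one request through the middleware.

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"net/http/httptest"
	"strings"
)

type Action string
type Resource string

const (
	ActionRead   Action = "read"
	ActionWrite  Action = "write"
	ActionDelete Action = "delete"
	ActionAll    Action = "*"

	ResourceLedgers Resource = "ledgers"
	ResourceAll     Resource = "*"

	KeyHeader = "X-Blnk-Key"
)

// BuildScope assumes a "resource:action" wire format; the page does not state the delimiter.
func BuildScope(resource Resource, action Action) string {
	return string(resource) + ":" + string(action)
}

// ParseScope is the inverse of BuildScope; a malformed scope yields empty values, which grant nothing.
func ParseScope(scope string) (Resource, Action) {
	res, act, ok := strings.Cut(scope, ":")
	if !ok || res == "" || act == "" {
		return "", ""
	}
	return Resource(res), Action(act)
}

// methodActions maps an HTTP method to the action it implies (an assumed mapping);
// methods absent from the table are denied rather than treated as reads.
var methodActions = map[string]Action{
	http.MethodGet: ActionRead, http.MethodHead: ActionRead,
	http.MethodPost: ActionWrite, http.MethodPut: ActionWrite, http.MethodPatch: ActionWrite,
	http.MethodDelete: ActionDelete,
}

// HasPermission grants access when some scope names the resource (or "*") with the implied action (or "*").
func HasPermission(scopes []string, resource Resource, method string) bool {
	need, ok := methodActions[method]
	if !ok {
		return false
	}
	for _, s := range scopes {
		res, act := ParseScope(s)
		if (res == resource || res == ResourceAll) && (act == need || act == ActionAll) {
			return true
		}
	}
	return false
}

// Authenticate follows the documented flow: X-Blnk-Key is compared with the master key
// (full access) or looked up in keys, a constructed table of API key -> scopes. Missing or
// unknown keys get 401; keys without a matching scope get 403.
func Authenticate(masterKey string, keys map[string][]string, resource Resource, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		presented := r.Header.Get(KeyHeader)
		if presented == "" {
			http.Error(w, "missing "+KeyHeader, http.StatusUnauthorized)
			return
		}
		// constant-time comparison so the master key cannot be guessed byte by byte
		if subtle.ConstantTimeCompare([]byte(presented), []byte(masterKey)) == 1 {
			next.ServeHTTP(w, r)
			return
		}
		scopes, ok := keys[presented]
		if !ok {
			http.Error(w, "invalid API key", http.StatusUnauthorized)
			return
		}
		if !HasPermission(scopes, resource, r.Method) {
			http.Error(w, "insufficient scope", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// ProbeAuth sends one request carrying the given X-Blnk-Key value (empty means no header)
// through Authenticate and returns the response status code.
func ProbeAuth(masterKey string, keys map[string][]string, resource Resource, method, presented string) int {
	next := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(method, "/", nil)
	if presented != "" {
		req.Header.Set(KeyHeader, presented)
	}
	rec := httptest.NewRecorder()
	Authenticate(masterKey, keys, resource, next).ServeHTTP(rec, req)
	return rec.Code
}
```

Two design points worth noting: an HTTP method with no entry in the mapping is denied outright rather than falling through to "read", and a scope that fails to parse never matches, so a typo in a stored scope reduces access instead of widening it.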