Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ClientIP ¶
ClientIP returns the client IP resolved by the chi ClientIPFrom* middleware wired in the server, falling back to the connecting RemoteAddr when none was set (no proxy in front, or the XFF chain too short to trust).
func NewAuth ¶
NewAuth returns the HTTP authentication middleware. Mode and trusted-network settings come from the config singleton (auth.mode, auth.trusted_networks, auth.trusted_role). excludePaths bypass auth entirely (e.g. "/health"); paths ending in "/" match as prefix.
In "disabled" mode all requests pass through without auth. In "trusted-network" mode requests from trusted CIDRs are assigned the configured role; others must authenticate. In "full" mode requests under /api/v1/ must carry a valid Bearer token, X-API-Key header, or — for same-origin browser requests (Sec-Fetch-Site: same-origin) — a valid streamline_session cookie (401 on failure). All other paths must carry a valid streamline_session cookie (302 redirect to /login on failure).
func Recoverer ¶
Recoverer catches panics in downstream handlers, logs them via the process default slog logger (which fans out to stderr + the OTel logs bridge), marks the current span as errored, and returns a 500 to the client.
Replaces chi's middleware.Recoverer so panic reports flow through the same observability pipeline as every other log line: context-aware (so trace_id is auto-attached by otelslog) and span-linked.
func RouteTagger ¶
RouteTagger rewrites the outer otelhttp span name to the chi route pattern once routing has resolved. Without this, span names contain concrete paths ("/api/v1/movies/42") which blow up cardinality in trace/metric backends. After this middleware the span is named "<METHOD> <pattern>" ("GET /api/v1/movies/{id}") and carries http.route as a semantic attribute.
Must run *after* chi has at least entered its matching phase. chi populates RoutePattern() progressively, so the final value is only stable once the inner handler has returned. We therefore rewrite post-hoc; the enclosing otelhttp span is still open (span.End is called by the outer wrapper after our chain returns) so SetName/SetAttributes take effect.
Types ¶
type Authenticator ¶
type Authenticator interface {
ValidateAPIKey(ctx context.Context, key string) (*ent.User, error)
ValidateToken(token string) (*auth.Claims, error)
ValidateSession(ctx context.Context, jti string) error
TouchSessionAsync(jti string)
}
Authenticator is the minimum surface the middleware needs from the auth service. Defined here (consumer side) so unit tests can mock it without depending on the full Manager.