Documentation
¶
Index ¶
- func AdminMiddleware(logger *slog.Logger) func(http.Handler) http.Handler
- func AuthMiddleware(verifier *auth.Verifier, logger *slog.Logger) func(http.Handler) http.Handler
- func CheckChainPermission(apiKey *types.APIKey, chainType types.ChainType) bool
- func CheckSignerPermission(apiKey *types.APIKey, signerAddress string) bool
- func CheckSignerPermissionWithHDWallets(apiKey *types.APIKey, signerAddress string, hdMgr HDWalletDerivedLister) bool
- func GetAPIKey(ctx context.Context) *types.APIKey
- func IPRateLimitMiddleware(limiter *RateLimiter, ipWhitelist *IPWhitelist, limit int) func(http.Handler) http.Handler
- func IPWhitelistMiddleware(whitelist *IPWhitelist) func(http.Handler) http.Handler
- func LoggingMiddleware(logger *slog.Logger) func(http.Handler) http.Handler
- func PermissionMiddleware(logger *slog.Logger) func(http.Handler) http.Handler
- func RateLimitMiddleware(limiter *RateLimiter) func(http.Handler) http.Handler
- func RecoveryMiddleware(logger *slog.Logger) func(http.Handler) http.Handler
- func SecurityHeadersMiddleware() func(http.Handler) http.Handler
- type ContextKey
- type HDWalletDerivedLister
- type IPWhitelist
- type RateLimiter
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func AdminMiddleware ¶
AdminMiddleware creates a middleware that requires admin permissions. Must be used after AuthMiddleware as it depends on the API key in context.
func AuthMiddleware ¶
AuthMiddleware creates an authentication middleware Authentication format: timestamp|nonce|method|path|sha256(body) Nonce is required when NonceRequired is configured (recommended for production)
func CheckChainPermission ¶
CheckChainPermission checks if the API key is allowed to access the given chain type
func CheckSignerPermission ¶
CheckSignerPermission checks if the API key is allowed to use the given signer
func CheckSignerPermissionWithHDWallets ¶ added in v0.1.0
func CheckSignerPermissionWithHDWallets(apiKey *types.APIKey, signerAddress string, hdMgr HDWalletDerivedLister) bool
CheckSignerPermissionWithHDWallets checks AllowedSigners first, then AllowedHDWallets. hdMgr may be nil (treated as no HD wallet check).
func IPRateLimitMiddleware ¶ added in v0.1.0
func IPRateLimitMiddleware(limiter *RateLimiter, ipWhitelist *IPWhitelist, limit int) func(http.Handler) http.Handler
IPRateLimitMiddleware creates a pre-auth rate limiting middleware based on client IP. Protects against unauthenticated flood attacks (e.g. brute-force with invalid API keys). If limit <= 0, IP rate limiting is disabled (pass-through).
func IPWhitelistMiddleware ¶
func IPWhitelistMiddleware(whitelist *IPWhitelist) func(http.Handler) http.Handler
IPWhitelistMiddleware creates an IP whitelist middleware This should be applied as the outermost middleware (before auth)
func LoggingMiddleware ¶
LoggingMiddleware creates a request logging middleware
func PermissionMiddleware ¶
PermissionMiddleware checks if the API key has permission for the request
func RateLimitMiddleware ¶
func RateLimitMiddleware(limiter *RateLimiter) func(http.Handler) http.Handler
RateLimitMiddleware creates a rate limiting middleware
func RecoveryMiddleware ¶
RecoveryMiddleware recovers from panics and logs them
func SecurityHeadersMiddleware ¶
SecurityHeadersMiddleware adds standard security response headers to all responses. These headers protect against common web attacks:
- X-Content-Type-Options: nosniff — prevents MIME type sniffing
- X-Frame-Options: DENY — prevents clickjacking via iframe embedding
- Cache-Control: no-store — prevents caching of sensitive API responses
- Content-Security-Policy: default-src 'none' — restricts resource loading (API-only server)
Types ¶
type ContextKey ¶
type ContextKey string
ContextKey is the type for context keys
const ( // APIKeyContextKey is the context key for the authenticated API key APIKeyContextKey ContextKey = "api_key" )
type HDWalletDerivedLister ¶ added in v0.1.0
type HDWalletDerivedLister interface {
ListDerivedAddresses(primaryAddr string) ([]types.SignerInfo, error)
}
HDWalletDerivedLister can list derived addresses for an HD wallet. Extracted to avoid importing the full evm package in middleware.
type IPWhitelist ¶
type IPWhitelist struct {
// contains filtered or unexported fields
}
IPWhitelist holds the parsed IP whitelist configuration
func NewIPWhitelist ¶
func NewIPWhitelist(cfg config.IPWhitelistConfig, logger *slog.Logger) (*IPWhitelist, error)
NewIPWhitelist creates a new IP whitelist from configuration
func (*IPWhitelist) GetClientIP ¶
func (w *IPWhitelist) GetClientIP(r *http.Request) string
GetClientIP extracts the client IP from the request. If trustProxy is enabled AND the direct connection comes from a trusted proxy, it checks X-Forwarded-For and X-Real-IP headers. Otherwise, it uses RemoteAddr directly (fail-closed).
func (*IPWhitelist) IsAllowed ¶
func (w *IPWhitelist) IsAllowed(ipStr string) bool
IsAllowed checks if an IP address is in the whitelist
type RateLimiter ¶
type RateLimiter struct {
// contains filtered or unexported fields
}
RateLimiter implements a simple sliding window rate limiter
func NewRateLimiter ¶
func NewRateLimiter(logger *slog.Logger) *RateLimiter
NewRateLimiter creates a new rate limiter
func (*RateLimiter) Allow ¶
func (r *RateLimiter) Allow(key string, limit int) bool
Allow checks if a request is allowed under the rate limit limit is requests per minute
func (*RateLimiter) Cleanup ¶
func (r *RateLimiter) Cleanup()
Cleanup removes expired windows (should be called periodically)
func (*RateLimiter) StartCleanupRoutine ¶
func (r *RateLimiter) StartCleanupRoutine(interval time.Duration, stop <-chan struct{})
StartCleanupRoutine starts a goroutine to periodically clean up expired windows
Source Files