middleware

package
v0.1.12

Warning: This package is not in the latest version of its module.
Published: Mar 4, 2026 License: MIT Imports: 13 Imported by: 0

Documentation

Functions

func AdminMiddleware

func AdminMiddleware(logger *slog.Logger) func(http.Handler) http.Handler

AdminMiddleware creates a middleware that requires admin permissions. Must be used after AuthMiddleware as it depends on the API key in context.

func AuthMiddleware

func AuthMiddleware(verifier *auth.Verifier, logger *slog.Logger) func(http.Handler) http.Handler

AuthMiddleware creates an authentication middleware. Authentication format: timestamp|nonce|method|path|sha256(body). Nonce is required when NonceRequired is configured (recommended for production).
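
An added example (not the package's own code) of why each field in the signed string matters: a verifier that rebuilds timestamp|nonce|method|path|sha256(body) and rejects a replayed nonce, a re-targeted path and a stale timestamp. The verifier type, Ed25519 signatures, Unix-second timestamps, hex digest encoding, the one-minute window and the always-required nonce are assumptions; the page does not specify them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// signingPayload builds timestamp|nonce|method|path|sha256(body); encodings are assumed.
func signingPayload(ts int64, nonce, method, path string, body []byte) string {
	return fmt.Sprintf("%d|%s|%s|%s|%x", ts, nonce, method, path, sha256.Sum256(body))
}

// verifier is a hypothetical stand-in for auth.Verifier (Ed25519 is assumed).
type verifier struct {
	pub    ed25519.PublicKey
	maxAge time.Duration
	seen   map[string]bool // nonce cache; production code expires entries
}

func (v *verifier) verify(now time.Time, ts int64, nonce, method, path string, body, sig []byte) error {
	if age := now.Sub(time.Unix(ts, 0)); age > v.maxAge || age < -v.maxAge {
		return errors.New("stale timestamp")
	}
	if !ed25519.Verify(v.pub, []byte(signingPayload(ts, nonce, method, path, body)), sig) {
		return errors.New("bad signature")
	}
	if nonce == "" || v.seen[nonce] { // checked after the signature so junk cannot fill the cache
		return errors.New("missing or replayed nonce")
	}
	v.seen[nonce] = true
	return nil
}

// demo verifies one constructed request, then replays, re-targets and delays it.
func demo() []string {
	pub, priv, _ := ed25519.GenerateKey(nil)
	v := &verifier{pub: pub, maxAge: time.Minute, seen: map[string]bool{}}
	now, body := time.Unix(1700000000, 0), []byte(`{"to":"0xabc"}`)
	sig := ed25519.Sign(priv, []byte(signingPayload(now.Unix(), "n-1", "POST", "/sign", body)))
	try := func(at time.Time, path string) string {
		return fmt.Sprint(v.verify(at, now.Unix(), "n-1", "POST", path, body, sig))
	}
	return []string{try(now, "/sign"), try(now, "/sign"), try(now, "/admin"), try(now.Add(time.Hour), "/sign")}
}

func main() { fmt.Println(demo()) }
```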

func CheckChainPermission

func CheckChainPermission(apiKey *types.APIKey, chainType types.ChainType) bool

CheckChainPermission checks if the API key is allowed to access the given chain type

func CheckSignerPermission

func CheckSignerPermission(apiKey *types.APIKey, signerAddress string) bool

CheckSignerPermission checks if the API key is allowed to use the given signer

func CheckSignerPermissionWithHDWallets added in v0.1.0

func CheckSignerPermissionWithHDWallets(apiKey *types.APIKey, signerAddress string, hdMgr HDWalletDerivedLister) bool

CheckSignerPermissionWithHDWallets checks allow_all_signers / AllowedSigners, then allow_all_hd_wallets / AllowedHDWallets (derived). hdMgr may be nil (treated as no HD wallet check).

func ClientIPMiddleware added in v0.1.11

func ClientIPMiddleware(whitelist *IPWhitelist) func(http.Handler) http.Handler

ClientIPMiddleware sets the resolved client IP in request context (key ClientIPContextKey). Place before Logging and IPRateLimit so they can read from context.

func GetAPIKey

func GetAPIKey(ctx context.Context) *types.APIKey

GetAPIKey retrieves the API key from the request context

func IPRateLimitMiddleware added in v0.1.0

func IPRateLimitMiddleware(limiter *RateLimiter, ipWhitelist *IPWhitelist, limit int) func(http.Handler) http.Handler

IPRateLimitMiddleware creates a pre-auth rate limiting middleware based on client IP. Protects against unauthenticated flood attacks (e.g. brute-force with invalid API keys). If limit <= 0, IP rate limiting is disabled (pass-through).

func IPWhitelistMiddleware

func IPWhitelistMiddleware(whitelist *IPWhitelist) func(http.Handler) http.Handler

IPWhitelistMiddleware creates an IP whitelist middleware. This should be applied as the outermost middleware (before auth).

func LoggingMiddleware

func LoggingMiddleware(logger *slog.Logger) func(http.Handler) http.Handler

LoggingMiddleware creates a request logging middleware

func PermissionMiddleware

func PermissionMiddleware(logger *slog.Logger) func(http.Handler) http.Handler

PermissionMiddleware checks if the API key has permission for the request

func RateLimitMiddleware

func RateLimitMiddleware(limiter *RateLimiter) func(http.Handler) http.Handler

RateLimitMiddleware creates a rate limiting middleware

func RecoveryMiddleware

func RecoveryMiddleware(logger *slog.Logger) func(http.Handler) http.Handler

RecoveryMiddleware recovers from panics and logs them

func ResolveClientIP added in v0.1.11

func ResolveClientIP(r *http.Request, whitelist *IPWhitelist) string

ResolveClientIP returns the client IP for the request. If whitelist is non-nil, uses whitelist.GetClientIP (trust_proxy + X-Forwarded-For aware); otherwise uses host from RemoteAddr. Use this (or context from ClientIPMiddleware) so logging, rate limit, audit and request detail all use the same value.

func SecurityHeadersMiddleware

func SecurityHeadersMiddleware() func(http.Handler) http.Handler

SecurityHeadersMiddleware adds standard security response headers to all responses. These headers protect against common web attacks:

  • X-Content-Type-Options: nosniff — prevents MIME type sniffing
  • X-Frame-Options: DENY — prevents clickjacking via iframe embedding
  • Cache-Control: no-store — prevents caching of sensitive API responses
  • Content-Security-Policy: default-src 'none' — restricts resource loading (API-only server)

Types

type ContextKey

type ContextKey string

ContextKey is the type for context keys

const (
	// APIKeyContextKey is the context key for the authenticated API key
	APIKeyContextKey ContextKey = "api_key"
	// ClientIPContextKey is the context key for the resolved client IP (set by ClientIPMiddleware)
	ClientIPContextKey ContextKey = "client_ip"
)

type HDWalletDerivedLister added in v0.1.0

type HDWalletDerivedLister interface {
	ListPrimaryAddresses() []string
	ListDerivedAddresses(primaryAddr string) ([]types.SignerInfo, error)
}

HDWalletDerivedLister can list primary HD wallet addresses and their derived addresses. Extracted to avoid importing the full evm package in middleware.

type IPWhitelist

type IPWhitelist struct {
	// contains filtered or unexported fields
}

IPWhitelist holds the parsed IP whitelist configuration

func NewIPWhitelist

func NewIPWhitelist(cfg config.IPWhitelistConfig, logger *slog.Logger) (*IPWhitelist, error)

NewIPWhitelist creates a new IP whitelist from configuration

func (*IPWhitelist) GetClientIP

func (w *IPWhitelist) GetClientIP(r *http.Request) string

GetClientIP extracts the client IP from the request. If trustProxy is enabled AND the direct connection comes from a trusted proxy, it checks X-Forwarded-For and X-Real-IP headers. Otherwise, it uses RemoteAddr directly (fail-closed).
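
An added sketch of the fail-closed rule described above, showing that a forwarded header is honoured only when the TCP peer is a trusted proxy; it is not the package's implementation. The proxyPolicy type, newPolicy and clientIP are hypothetical names, the right-to-left walk of X-Forwarded-For is an assumption about parsing, and X-Real-IP handling is left out.

```go
package main

import (
	"fmt"
	"net/netip"
	"slices"
	"strings"
)

// proxyPolicy is a hypothetical stand-in for IPWhitelist's unexported proxy settings.
type proxyPolicy struct {
	trustProxy bool
	trusted    []netip.Prefix // reverse proxies the operator runs
}

func newPolicy(trustProxy bool, cidrs ...string) proxyPolicy {
	p := proxyPolicy{trustProxy: trustProxy}
	for _, c := range cidrs {
		p.trusted = append(p.trusted, netip.MustParsePrefix(c))
	}
	return p
}

func (p proxyPolicy) isTrusted(ip netip.Addr) bool {
	return slices.ContainsFunc(p.trusted, func(n netip.Prefix) bool { return n.Contains(ip.Unmap()) })
}

// clientIP takes r.RemoteAddr and the raw X-Forwarded-For header value.
func (p proxyPolicy) clientIP(remoteAddr, xff string) string {
	ap, err := netip.ParseAddrPort(remoteAddr)
	if err != nil {
		return remoteAddr // unparsable peer: there is nothing to trust
	}
	peer := ap.Addr().Unmap()
	if !p.trustProxy || !p.isTrusted(peer) {
		return peer.String() // fail closed: headers from this peer are ignored
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- { // assumption: first hop from the right that is not our proxy
		if ip, err := netip.ParseAddr(strings.TrimSpace(hops[i])); err != nil {
			break // malformed entry: stop trusting the rest of the chain
		} else if !p.isTrusted(ip) {
			return ip.Unmap().String()
		}
	}
	return peer.String()
}

func main() { fmt.Println(newPolicy(true, "10.0.0.0/8").clientIP("203.0.113.7:5555", "10.1.2.3")) }
```

Taking the rightmost untrusted hop means an address a client prepends to X-Forwarded-For never becomes the value used for whitelisting, rate limiting or audit logs.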

func (*IPWhitelist) IsAllowed

func (w *IPWhitelist) IsAllowed(ipStr string) bool

IsAllowed checks if an IP address is in the whitelist

type RateLimiter

type RateLimiter struct {
	// contains filtered or unexported fields
}

RateLimiter implements a simple sliding window rate limiter

func NewRateLimiter

func NewRateLimiter(logger *slog.Logger) *RateLimiter

NewRateLimiter creates a new rate limiter

func (*RateLimiter) Allow

func (r *RateLimiter) Allow(key string, limit int) bool

Allow checks if a request is allowed under the rate limit. limit is requests per minute.

func (*RateLimiter) Cleanup

func (r *RateLimiter) Cleanup()

Cleanup removes expired windows (should be called periodically)

func (*RateLimiter) StartCleanupRoutine

func (r *RateLimiter) StartCleanupRoutine(interval time.Duration, stop <-chan struct{})

StartCleanupRoutine starts a goroutine to periodically clean up expired windows
