Documentation
Index
- func AuditLog(lgr logr.Logger, trustProxy bool) func(http.Handler) http.Handler
- func GzipEncoderFunc(w io.Writer, level int) io.Writer
- func MaxBodySize(maxSize int64) func(http.Handler) http.Handler
- func Metrics() func(http.Handler) http.Handler
- func NewAzureOIDCAuth(tenantID, clientID string, lgr logr.Logger) (func(http.Handler) http.Handler, error)
- func RateLimit(ctx context.Context, maxRequests int, window time.Duration, trustProxy bool) func(http.Handler) http.Handler
- func RedactJSON(v any) any
- func RequestLogging(lgr logr.Logger) func(http.Handler) http.Handler
- func SecurityHeaders(tlsEnabled bool) func(http.Handler) http.Handler
- func Tracing() func(http.Handler) http.Handler
- type AuthClaims
  - func ClaimsFromContext(ctx context.Context) *AuthClaims
- type GzipResponseWriter
  - func (g *GzipResponseWriter) Close() error
  - func (g *GzipResponseWriter) Flush()
  - func (g *GzipResponseWriter) Header() http.Header
  - func (g *GzipResponseWriter) Write(b []byte) (int, error)
  - func (g *GzipResponseWriter) WriteHeader(code int)
Constants
This section is empty.
Variables
This section is empty.
Functions
func AuditLog
func AuditLog(lgr logr.Logger, trustProxy bool) func(http.Handler) http.Handler
AuditLog returns middleware that writes structured audit log entries. Request bodies of mutating methods are captured and redacted before logging so that sensitive values (passwords, tokens, secrets) do not leak into logs. Set trustProxy true only when a trusted reverse proxy sanitizes X-Forwarded-For and X-Real-IP; leave it false (the safe default) to record RemoteAddr as the audit source IP, which prevents clients from spoofing the source address written to the audit trail.
func GzipEncoderFunc
func GzipEncoderFunc(w io.Writer, level int) io.Writer
GzipEncoderFunc is a chi-compatible EncoderFunc that creates a gzip writer. The compression level is validated by the chi Compressor before this function is called, so the error that gzip.NewWriterLevel returns for an invalid level cannot occur here.
func MaxBodySize
func MaxBodySize(maxSize int64) func(http.Handler) http.Handler
MaxBodySize returns middleware that rejects requests whose bodies are larger than maxSize bytes.
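The point a practitioner needs here is that a body limit can only be enforced up front when the client declares a Content-Length; a chunked or lying client is cut off while the handler reads, so the handler must recognise that error and answer 413 rather than a generic 400. The following is an added example, not the package's own MaxBodySize: the middleware (named maxBodySize here), the echo handler and the postStatus helper are this example's constructions, and the 10-byte limit and 20-byte bodies are constructed inputs.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxBodySize is an illustrative stand-in for the page's MaxBodySize. It
// rejects a declared Content-Length above the limit before the handler runs
// and wraps the body with http.MaxBytesReader, so a chunked or lying client
// is cut off at maxSize when the handler actually reads.
func maxBodySize(maxSize int64) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			if r.ContentLength > maxSize {
				http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
				return
			}
			r.Body = http.MaxBytesReader(w, r.Body, maxSize)
			next.ServeHTTP(w, r)
		})
	}
}

// echoHandler reads the whole body. The *http.MaxBytesError check is what
// lets the handler answer 413 instead of a generic 400 when the cap is hit;
// the middleware cannot do this for undeclared lengths because the limit is
// only enforced as the body is read.
var echoHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	var tooLarge *http.MaxBytesError
	if errors.As(err, &tooLarge) {
		http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
		return
	}
	if err != nil {
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	w.Write(body)
})

// postStatus sends a POST body through the middleware and returns the status
// code. declareLength=false drops Content-Length to mimic a client that
// streams without declaring a size.
func postStatus(limit int64, body string, declareLength bool) int {
	h := maxBodySize(limit)(echoHandler)
	req := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(body))
	if !declareLength {
		req.ContentLength = -1
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	big := strings.Repeat("x", 20)
	fmt.Println("5 bytes, limit 10:", postStatus(10, "short", true)) // 200
	fmt.Println("20 bytes declared:", postStatus(10, big, true))     // 413
	fmt.Println("20 bytes undeclared:", postStatus(10, big, false))  // 413
}
```

The second and third cases are the ones to remember: the declared oversize body never reaches the handler, while the undeclared one does and is only stopped at the read, so every handler behind the middleware must treat the read error as a client fault.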
func NewAzureOIDCAuth
func NewAzureOIDCAuth(tenantID, clientID string, lgr logr.Logger) (func(http.Handler) http.Handler, error)
NewAzureOIDCAuth creates authentication middleware that validates Azure AD (Microsoft Entra ID) OIDC JWTs for the given tenant and client (application) ID. The claims of a validated token are attached to the request context and can be read with ClaimsFromContext.
func RateLimit
func RateLimit(ctx context.Context, maxRequests int, window time.Duration, trustProxy bool) func(http.Handler) http.Handler
RateLimit returns middleware that limits requests per client IP using a sliding window. ctx controls the lifetime of the background cleanup goroutine; cancel it (e.g. on server shutdown) to stop the goroutine and avoid a leak. Set trustProxy true only when a trusted reverse proxy sanitizes X-Forwarded-For and X-Real-IP; otherwise leave it false so that RemoteAddr is used and a client cannot escape the limit by spoofing forwarded-for headers.
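The trustProxy argument of both AuditLog and RateLimit exists because X-Forwarded-For is just a request header: anything that keys on it, without a proxy in front that overwrites it, keys on a value the client chose. The following added example (not the package's code) shows the consequence with a sliding-window limiter of this example's own design: ten requests from one peer, each carrying a different X-Forwarded-For, are held to the limit when trustProxy is false and all admitted when it is true. The names clientIP, rateLimit and spoofAttempt, the peer address 203.0.113.7 and the forwarded addresses are constructed for the example; the assumption that a trusted proxy rewrites X-Forwarded-For so its first entry is the real client is this example's, and matches what the documentation above calls a proxy that sanitizes the header.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
	"time"
)

// clientIP: with trustProxy false only the transport-level RemoteAddr counts,
// so headers the client controls cannot change its identity. With trustProxy
// true the example assumes the proxy rewrote X-Forwarded-For to the real peer.
func clientIP(r *http.Request, trustProxy bool) string {
	if xff := r.Header.Get("X-Forwarded-For"); trustProxy && xff != "" {
		return strings.TrimSpace(strings.Split(xff, ",")[0])
	}
	if host, _, err := net.SplitHostPort(r.RemoteAddr); err == nil {
		return host
	}
	return r.RemoteAddr
}

// rateLimit is an illustrative stand-in for the page's RateLimit: a sliding
// window log of request timestamps per client, plus a cleanup goroutine whose
// lifetime is bound to ctx exactly as the documentation describes.
func rateLimit(ctx context.Context, maxRequests int, window time.Duration, trustProxy bool) func(http.Handler) http.Handler {
	var mu sync.Mutex
	hits := map[string][]time.Time{} // per-client timestamps inside the window
	go func() { // evict idle keys so the map cannot grow without bound; exits on ctx cancel
		t := time.NewTicker(window)
		defer t.Stop()
		for {
			select {
			case <-ctx.Done():
				return
			case now := <-t.C:
				mu.Lock()
				for k, ts := range hits {
					if len(ts) == 0 || ts[len(ts)-1].Before(now.Add(-window)) {
						delete(hits, k)
					}
				}
				mu.Unlock()
			}
		}
	}()
	allow := func(key string, now time.Time) bool {
		mu.Lock()
		defer mu.Unlock()
		ts := hits[key]
		for len(ts) > 0 && !ts[0].After(now.Add(-window)) { // drop entries that left the window
			ts = ts[1:]
		}
		if len(ts) >= maxRequests {
			hits[key] = ts
			return false
		}
		hits[key] = append(ts, now)
		return true
	}
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			if !allow(clientIP(r, trustProxy), time.Now()) {
				http.Error(w, "rate limit exceeded", http.StatusTooManyRequests)
				return
			}
			next.ServeHTTP(w, r)
		})
	}
}

// spoofAttempt sends n requests from one peer, each with a different
// X-Forwarded-For (constructed input), and returns how many were admitted.
func spoofAttempt(n, limit int, trustProxy bool) int {
	ctx, cancel := context.WithCancel(context.Background())
	defer cancel() // stops the cleanup goroutine, as a server shutdown would
	h := rateLimit(ctx, limit, time.Minute, trustProxy)(http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) }))
	admitted := 0
	for i := 0; i < n; i++ {
		req := httptest.NewRequest(http.MethodGet, "/", nil)
		req.RemoteAddr = "203.0.113.7:51000"
		req.Header.Set("X-Forwarded-For", fmt.Sprintf("10.0.0.%d", i+1))
		rec := httptest.NewRecorder()
		if h.ServeHTTP(rec, req); rec.Code == http.StatusOK {
			admitted++
		}
	}
	return admitted
}

func main() {
	fmt.Println("trustProxy=false:", spoofAttempt(10, 3, false)) // 3
	fmt.Println("trustProxy=true: ", spoofAttempt(10, 3, true))  // 10
}
```

The same resolver serves an audit log: with trustProxy false the recorded source IP is the TCP peer, which a client cannot rewrite. Enabling trustProxy is only safe when the proxy strips any X-Forwarded-For the client sent before appending its own; a proxy that merely appends leaves the first entry under attacker control.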
func RedactJSON
func RedactJSON(v any) any
RedactJSON round-trips v through JSON and replaces the values of any map keys that match the sensitiveKeys list (e.g. password, secret, token). Arrays of objects are recursively redacted. Values that cannot be serialized as JSON are returned unchanged. Intended for use in API response sanitization.
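A redactor of this shape has two properties worth seeing in code: the JSON round trip means structs, maps and slices all collapse into one generic tree that a single walker can handle, and the match is on key names only, so a secret under a key the list does not cover passes through. The block below is an added example, not the package's RedactJSON; its sensitiveKeys list and the case-insensitive substring match are this example's choices (the page only names password, secret and token as members of the package's list), and redactToString and the login request are constructed for the demonstration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// sensitiveKeys is this example's list; the page names password, secret and
// token as examples of what the package's own list contains.
var sensitiveKeys = []string{"password", "secret", "token", "authorization", "apikey", "api_key"}

const redacted = "[REDACTED]"

// isSensitive matches case-insensitively on substrings so that keys such as
// "AccessToken" or "db_password" are caught, not only exact names.
func isSensitive(key string) bool {
	k := strings.ToLower(key)
	for _, s := range sensitiveKeys {
		if strings.Contains(k, s) {
			return true
		}
	}
	return false
}

// redactValue walks the generic tree that json.Unmarshal produces: objects
// become map[string]any, arrays []any, everything else is a scalar.
func redactValue(v any) any {
	switch t := v.(type) {
	case map[string]any:
		for k, val := range t {
			if isSensitive(k) {
				t[k] = redacted
			} else {
				t[k] = redactValue(val)
			}
		}
		return t
	case []any:
		for i, val := range t {
			t[i] = redactValue(val)
		}
		return t
	default:
		return v
	}
}

// redactJSON is an illustrative stand-in for the page's RedactJSON. The JSON
// round trip turns structs, maps and slices alike into the generic tree, so
// one walker covers them all. Values json.Marshal rejects (channels, funcs)
// are handed back untouched.
func redactJSON(v any) any {
	raw, err := json.Marshal(v)
	if err != nil {
		return v
	}
	var tree any
	if err := json.Unmarshal(raw, &tree); err != nil {
		return v
	}
	return redactValue(tree)
}

// redactToString returns the redacted value re-encoded as JSON (keys sorted).
func redactToString(v any) string {
	out, err := json.Marshal(redactJSON(v))
	if err != nil {
		return ""
	}
	return string(out)
}

func main() {
	type login struct {
		User     string              `json:"user"`
		Password string              `json:"password"`
		Sessions []map[string]string `json:"sessions"`
	}
	req := login{User: "alice", Password: "hunter2", Sessions: []map[string]string{{"access_token": "abc", "kind": "bearer"}}}
	fmt.Println(redactToString(req))
	// {"password":"[REDACTED]","sessions":[{"access_token":"[REDACTED]","kind":"bearer"}],"user":"alice"}
}
```

Two caveats follow from the design. Redaction is by key, so a credential stored under an unlisted name (pwd, pin, a bare JWT under "value") survives, and a secret embedded in a string value, such as a query string containing token=, is never inspected. Extend the list for your schema and keep the audit-log sampling of request bodies narrow rather than relying on the redactor as the last line of defence.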
func RequestLogging
func RequestLogging(lgr logr.Logger) func(http.Handler) http.Handler
RequestLogging returns middleware that logs every request.
func SecurityHeaders
func SecurityHeaders(tlsEnabled bool) func(http.Handler) http.Handler
SecurityHeaders returns middleware that sets standard security headers. tlsEnabled indicates whether the server terminates TLS and selects the header set accordingly.
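Two details matter when writing middleware of this kind: the headers have to be set before the wrapped handler writes, because anything added after the status line has gone out is silently dropped, and Strict-Transport-Security belongs only on a TLS listener, since browsers ignore it over plain HTTP (RFC 6797) and a plaintext server has no business asserting it. The block below is an added example rather than the package's SecurityHeaders; the particular header set is this example's choice, and securityHeaders and headersFor are names constructed for it.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// securityHeaders is an illustrative stand-in for the page's SecurityHeaders;
// the header set is this example's choice. Headers are set before
// next.ServeHTTP because anything added after the handler has written the
// status line is silently dropped.
func securityHeaders(tlsEnabled bool) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			h := w.Header()
			h.Set("X-Content-Type-Options", "nosniff")
			h.Set("X-Frame-Options", "DENY")
			h.Set("Referrer-Policy", "no-referrer")
			h.Set("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'")
			h.Set("Cache-Control", "no-store")
			// Browsers ignore Strict-Transport-Security received over plain
			// HTTP (RFC 6797), and a plaintext listener should not claim it,
			// so HSTS is gated on tlsEnabled.
			if tlsEnabled {
				h.Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
			}
			next.ServeHTTP(w, r)
		})
	}
}

// headersFor serves one request through the middleware and returns the
// response headers the client would see.
func headersFor(tlsEnabled bool) http.Header {
	h := securityHeaders(tlsEnabled)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("ok"))
	}))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	return rec.Result().Header
}

func main() {
	for _, tls := range []bool{false, true} {
		fmt.Printf("tlsEnabled=%v HSTS=%q\n", tls, headersFor(tls).Get("Strict-Transport-Security"))
	}
}
```

The CSP shown is the restrictive form appropriate for an API that serves no HTML; a server that renders pages needs a policy written for its own assets.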
Types
type AuthClaims
type AuthClaims struct {
	Subject   string   `json:"sub"`
	Name      string   `json:"name"`
	Email     string   `json:"email"`
	TenantID  string   `json:"tid"`
	ObjectID  string   `json:"oid"`
	Groups    []string `json:"groups"`
	Roles     []string `json:"roles"`
	Audience  string   `json:"aud"`
	Issuer    string   `json:"iss"`
	ExpiresAt int64    `json:"exp"`
}
AuthClaims holds the validated JWT claims extracted from a Microsoft Entra ID (Azure AD) OIDC token.
func ClaimsFromContext
func ClaimsFromContext(ctx context.Context) *AuthClaims
ClaimsFromContext extracts auth claims from the request context. The result is a pointer; treat nil as "no validated claims attached to this request" (for example when the NewAzureOIDCAuth middleware was not mounted on this route) and fail closed.
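Validating the token only establishes who the caller is; whether that caller may reach a given route is a separate decision made on the Roles or Groups claims, and it must fail closed when no claims are present at all. The block below is an added example, not the package's code: AuthClaims is copied from the type documented above, while withClaims, claimsFromContext and the context key are this example's stand-ins for how the package attaches and retrieves claims, and requireRole and statusWith are constructed for the demonstration.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// AuthClaims is copied from the type documented on this page.
type AuthClaims struct {
	Subject   string   `json:"sub"`
	Name      string   `json:"name"`
	Email     string   `json:"email"`
	TenantID  string   `json:"tid"`
	ObjectID  string   `json:"oid"`
	Groups    []string `json:"groups"`
	Roles     []string `json:"roles"`
	Audience  string   `json:"aud"`
	Issuer    string   `json:"iss"`
	ExpiresAt int64    `json:"exp"`
}

type claimsKey struct{}

// withClaims and claimsFromContext are illustrative stand-ins for how the
// package's auth middleware attaches claims and for ClaimsFromContext.
func withClaims(ctx context.Context, c *AuthClaims) context.Context {
	return context.WithValue(ctx, claimsKey{}, c)
}

func claimsFromContext(ctx context.Context) *AuthClaims {
	c, _ := ctx.Value(claimsKey{}).(*AuthClaims)
	return c
}

// requireRole is authorization layered on top of authentication. A nil result
// from claimsFromContext means no validated token reached this route (the auth
// middleware was not mounted, or ran on a different path), and the check
// fails closed with 401 rather than falling through to the handler.
func requireRole(role string) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			c := claimsFromContext(r.Context())
			if c == nil {
				http.Error(w, "unauthenticated", http.StatusUnauthorized)
				return
			}
			for _, have := range c.Roles {
				if have == role {
					next.ServeHTTP(w, r)
					return
				}
			}
			http.Error(w, "forbidden", http.StatusForbidden)
		})
	}
}

// statusWith runs a protected route with the given (constructed) claims; nil
// simulates a request the auth middleware never processed.
func statusWith(c *AuthClaims, role string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	h := requireRole(role)(ok)
	req := httptest.NewRequest(http.MethodGet, "/admin", nil)
	if c != nil {
		req = req.WithContext(withClaims(req.Context(), c))
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	reader := &AuthClaims{Subject: "u1", Roles: []string{"Reader"}}
	admin := &AuthClaims{Subject: "u2", Roles: []string{"Reader", "Admin"}}
	fmt.Println(statusWith(nil, "Admin"), statusWith(reader, "Admin"), statusWith(admin, "Admin")) // 401 403 200
}
```

Mount the role check after the authentication middleware in the chain; placed before it, every request would be rejected as unauthenticated. Role names are compared exactly, which is the right default for app roles: normalising case or whitespace widens the match in ways that are hard to audit.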
type GzipResponseWriter
type GzipResponseWriter struct {
	Writer         io.Writer
	ResponseWriter http.ResponseWriter
}
GzipResponseWriter wraps an http.ResponseWriter with a gzip writer. Compressing a response that combines a secret (session or CSRF token) with attacker-influenced content exposes the secret to compression side channels such as BREACH; serve such responses uncompressed.
func (*GzipResponseWriter) Close
func (g *GzipResponseWriter) Close() error
Close closes the underlying gzip writer, which flushes any buffered data and writes the gzip trailer.
func (*GzipResponseWriter) Flush
func (g *GzipResponseWriter) Flush()
Flush flushes the underlying gzip writer and then the wrapped response writer, so buffered compressed data reaches the client.
func (*GzipResponseWriter) Header
func (g *GzipResponseWriter) Header() http.Header
Header returns the header map of the wrapped response writer.
func (*GzipResponseWriter) Write
func (g *GzipResponseWriter) Write(b []byte) (int, error)
Write compresses b through the gzip writer and writes the result to the wrapped response writer.
func (*GzipResponseWriter) WriteHeader
func (g *GzipResponseWriter) WriteHeader(code int)
WriteHeader sends an HTTP response header with the provided status code.
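The method docs above leave implicit the bookkeeping that makes a wrapper like this correct: a Content-Length set by the handler describes the uncompressed body and must be dropped before the headers go out, the first Write has to commit the headers so that cleanup always runs, and Close must be called or the client receives a truncated stream with no gzip trailer. The block below is an added example rather than the package's GzipResponseWriter; gzipResponseWriter, gzipMiddleware and roundTrip are this example's constructions (using a concrete *gzip.Writer where the page's type holds an io.Writer), and the handler that sets a wrong Content-Length is constructed to show it being removed.

```go
package main

import (
	"compress/gzip"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// gzipResponseWriter is an illustrative stand-in for the page's
// GzipResponseWriter, with the bookkeeping its method docs imply.
type gzipResponseWriter struct {
	Writer         *gzip.Writer
	ResponseWriter http.ResponseWriter
	wroteHeader    bool
}

func (g *gzipResponseWriter) Header() http.Header { return g.ResponseWriter.Header() }

// WriteHeader drops any Content-Length the handler set: it describes the
// uncompressed body and would corrupt the framing of the gzip response.
func (g *gzipResponseWriter) WriteHeader(code int) {
	if g.wroteHeader {
		return
	}
	g.wroteHeader = true
	g.Header().Del("Content-Length")
	g.ResponseWriter.WriteHeader(code)
}

// Write commits the headers on first use so WriteHeader's cleanup always runs.
func (g *gzipResponseWriter) Write(b []byte) (int, error) {
	if !g.wroteHeader {
		g.WriteHeader(http.StatusOK)
	}
	return g.Writer.Write(b)
}

// Flush pushes buffered compressed bytes to the client (streaming handlers).
func (g *gzipResponseWriter) Flush() {
	g.Writer.Flush()
	if f, ok := g.ResponseWriter.(http.Flusher); ok {
		f.Flush()
	}
}

// Close writes the gzip trailer; without it the client sees a truncated stream.
func (g *gzipResponseWriter) Close() error { return g.Writer.Close() }

// gzipMiddleware compresses responses for clients that advertise gzip.
func gzipMiddleware(level int) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			if !strings.Contains(r.Header.Get("Accept-Encoding"), "gzip") {
				next.ServeHTTP(w, r)
				return
			}
			gw, err := gzip.NewWriterLevel(w, level)
			if err != nil { // invalid level: serve uncompressed rather than fail
				next.ServeHTTP(w, r)
				return
			}
			w.Header().Set("Content-Encoding", "gzip")
			w.Header().Add("Vary", "Accept-Encoding")
			g := &gzipResponseWriter{Writer: gw, ResponseWriter: w}
			defer g.Close()
			next.ServeHTTP(g, r)
		})
	}
}

// roundTrip serves body through the middleware as a gzip-capable client and
// returns the decompressed bytes and the headers it saw. The handler sets a
// Content-Length on purpose to show that it is removed.
func roundTrip(body string) (string, http.Header, error) {
	h := gzipMiddleware(gzip.BestSpeed)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Length", strconv.Itoa(len(body)))
		io.WriteString(w, body)
	}))
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Header.Set("Accept-Encoding", "gzip")
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	zr, err := gzip.NewReader(rec.Body)
	if err != nil {
		return "", nil, err
	}
	out, err := io.ReadAll(zr)
	return string(out), rec.Result().Header, err
}

func main() {
	out, hdr, err := roundTrip(strings.Repeat("the quick brown fox ", 50))
	fmt.Println(len(out), hdr.Get("Content-Encoding"), hdr.Get("Content-Length") == "", err) // 1000 gzip true <nil>
}
```

The Vary header matters for caches: without it a shared cache may hand the gzip body to a client that never asked for it. And, as noted for the type above, keep responses that mix secrets with attacker-controlled input out of this middleware altogether; the length of a compressed body leaks how much of the input matched the secret.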