Documentation
Overview ¶
Package middleware provides HTTP and gRPC middleware for the Sparrow server.
Constants ¶
const (
	// APIKeyHeader is the HTTP header used to pass the API key.
	APIKeyHeader = "X-API-Key"
)
Functions ¶
func SecurityHeaders ¶ added in v1.0.0
SecurityHeaders is HTTP middleware that sets defensive security headers on every response. These headers provide defense-in-depth against common web attacks (clickjacking, MIME sniffing, information leakage).
CSP is intentionally omitted here because the embedded UI injects an inline <script> for runtime config. A nonce-based CSP would require coordination with the UI handler; this can be added later if Sparrow is exposed beyond an internal network.
Types ¶
type APIKeyAuth ¶
type APIKeyAuth struct {
	// APIKey is the expected key. Empty means authentication is disabled.
	APIKey string
	// ExcludedPathPrefixes are HTTP path prefixes that bypass authentication
	// (e.g., "/health", "/ready").
	ExcludedPathPrefixes []string
}
APIKeyAuth holds the configuration for API key authentication. When APIKey is empty, all requests are allowed through (no-op mode).
func (*APIKeyAuth) Enabled ¶
func (a *APIKeyAuth) Enabled() bool
Enabled reports whether API key authentication is active.
func (*APIKeyAuth) HTTPMiddleware ¶
func (a *APIKeyAuth) HTTPMiddleware(next http.Handler) http.Handler
HTTPMiddleware returns an http.Handler that enforces API key authentication. When the API key is not configured (empty), requests pass through unchanged.
The key can be provided via:
- Header: X-API-Key: <key>
- Query parameter: ?api_key=<key> (useful for browser/curl convenience)
Excluded paths (health, ready, static UI files) are never checked.
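A minimal sketch of the check HTTPMiddleware is documented to perform, added here as an example and not Sparrow's own code. The apiKeyAuth type and the excluded, middleware and status names are hypothetical; cleaning the path, matching excluded prefixes only on a segment boundary, and the constant-time comparison are assumptions about a careful implementation, not documented behavior.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// apiKeyAuth: hypothetical stand-in for the documented type (not Sparrow's code).
type apiKeyAuth struct{ APIKey string; ExcludedPathPrefixes []string }

// excluded cleans the path, then matches a prefix only on a segment boundary,
// so "/health" covers "/health/live" but not "/healthz-admin" or "/health/../admin".
func (a *apiKeyAuth) excluded(p string) bool {
	p = path.Clean("/"+p) + "/"
	for _, pre := range a.ExcludedPathPrefixes {
		if strings.HasPrefix(p, strings.TrimSuffix(pre, "/")+"/") {
			return true
		}
	}
	return false
}

func (a *apiKeyAuth) middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := r.Header.Get("X-API-Key")
		if got == "" {
			got = r.URL.Query().Get("api_key") // query strings tend to reach access logs
		}
		match := subtle.ConstantTimeCompare([]byte(got), []byte(a.APIKey)) == 1 // length is not hidden
		if a.APIKey != "" && !a.excluded(r.URL.Path) && !match {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r) // auth disabled, excluded path, or valid key
	})
}

// status sends one constructed request through the middleware and returns the code.
func status(a *apiKeyAuth, target, headerKey string) int {
	req, rec := httptest.NewRequest("GET", target, nil), httptest.NewRecorder()
	req.Header.Set("X-API-Key", headerKey)
	a.middleware(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})).ServeHTTP(rec, req)
	return rec.Code
}

func main() { fmt.Println(status(&apiKeyAuth{"constructed-key", []string{"/health"}}, "/health/../admin", "")) }
```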
func (*APIKeyAuth) StreamServerInterceptor ¶
func (a *APIKeyAuth) StreamServerInterceptor() grpc.StreamServerInterceptor
StreamServerInterceptor returns a gRPC stream interceptor that enforces API key authentication via the "x-api-key" metadata header.
func (*APIKeyAuth) UnaryServerInterceptor ¶
func (a *APIKeyAuth) UnaryServerInterceptor() grpc.UnaryServerInterceptor
UnaryServerInterceptor returns a gRPC unary interceptor that enforces API key authentication via the "x-api-key" metadata header. When the API key is not configured (empty), requests pass through unchanged.