middleware

package
v0.0.0-...-5ed4770 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 30, 2026 License: MIT Imports: 17 Imported by: 0

Documentation

Overview

Package middleware provides HTTP middleware for the Sequify server.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func APIKeyMiddleware

func APIKeyMiddleware(validKey string) (func(http.Handler) http.Handler, func())

APIKeyMiddleware returns middleware that validates the API key against the provided validKey. It checks two headers (in order):

  1. X-API-Key — exact match against validKey
  2. Authorization — matches "Bearer <key>" or raw <key>

If validKey is empty, authentication is disabled and all requests pass through (no-op middleware).

On mismatch or missing key, the middleware responds with 401 Unauthorized and a JSON error body. Failed auth attempts are rate-limited per IP address (10 req/min, burst 5) to mitigate brute-force attacks.

Returns the middleware function and a cleanup function that must be called during shutdown to stop the background cleanup goroutine.

func Logger

func Logger(_ *slog.Logger) func(http.Handler) http.Handler

Logger returns middleware that logs request completion with method, path, remote_addr, status_code, and duration_ms. Uses log.From(ctx) to get the context-aware logger.

Note: does NOT call log.Inject -- user_id/conn_id are not available at HTTP middleware stage (injected during WebSocket handshake).

func MetricsMiddleware

func MetricsMiddleware(duration *prometheus.HistogramVec, total *prometheus.CounterVec) func(http.Handler) http.Handler

MetricsMiddleware returns middleware that records HTTP request duration and count. Uses chi route pattern as the path label to avoid high cardinality.

func Recovery

func Recovery(logger *slog.Logger) func(http.Handler) http.Handler

Recovery returns middleware that recovers from panics. It logs the panic value and stack trace via slog at Error level, then returns HTTP 500 with a JSON error body to the client. http.ErrAbortHandler is re-panic'd (not captured).

func RequestBodyLimit

func RequestBodyLimit(maxBytes int64) func(http.Handler) http.Handler

RequestBodyLimit returns middleware that limits the HTTP request body size to maxBytes. If maxBytes <= 0, no limit is applied (pass-through). When the limit is exceeded, the response is 413 Request Entity Too Large.

func SecurityHeaders

func SecurityHeaders() func(http.Handler) http.Handler

SecurityHeaders returns middleware that adds standard security headers to all responses.

Types

type RateLimiter

type RateLimiter struct {
	// contains filtered or unexported fields
}

RateLimiter provides per-IP rate limiting using a token bucket algorithm. Keys are derived solely from the connection-level RemoteAddr; client-supplied headers (X-Sequify-User-ID, X-Forwarded-For, X-Real-IP) are intentionally ignored to prevent bypass attacks.

A background goroutine periodically purges entries that have not been accessed recently to prevent unbounded memory growth. Call Stop() to terminate the goroutine during graceful shutdown.

func NewRateLimiter

func NewRateLimiter(rps float64, burst int) *RateLimiter

NewRateLimiter creates a RateLimiter with the given requests-per-second and burst size. A background cleanup goroutine is started automatically; call Stop() to terminate it.

func (*RateLimiter) Middleware

func (rl *RateLimiter) Middleware(next http.Handler) http.Handler

Middleware returns an HTTP middleware that enforces rate limits. Requests exceeding the limit receive 429 Too Many Requests.

func (*RateLimiter) Stop

func (rl *RateLimiter) Stop()

Stop terminates the background cleanup goroutine.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL