Documentation
¶
Overview ¶
Package middleware provides HTTP middleware for the Sequify server.
Index ¶
- func APIKeyMiddleware(validKey string) (func(http.Handler) http.Handler, func())
- func Logger(_ *slog.Logger) func(http.Handler) http.Handler
- func MetricsMiddleware(duration *prometheus.HistogramVec, total *prometheus.CounterVec) func(http.Handler) http.Handler
- func Recovery(logger *slog.Logger) func(http.Handler) http.Handler
- func RequestBodyLimit(maxBytes int64) func(http.Handler) http.Handler
- func SecurityHeaders() func(http.Handler) http.Handler
- type RateLimiter
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func APIKeyMiddleware ¶
APIKeyMiddleware returns middleware that validates the API key against the provided validKey. It checks two headers (in order):
- X-API-Key — exact match against validKey
- Authorization — matches "Bearer <key>" or raw <key>
If validKey is empty, authentication is disabled and all requests pass through (no-op middleware).
On mismatch or missing key, the middleware responds with 401 Unauthorized and a JSON error body. Failed auth attempts are rate-limited per IP address (10 req/min, burst 5) to mitigate brute-force attacks.
Returns the middleware function and a cleanup function that must be called during shutdown to stop the background cleanup goroutine.
func Logger ¶
Logger returns middleware that logs request completion with method, path, remote_addr, status_code, and duration_ms. Uses log.From(ctx) to get the context-aware logger.
Note: does NOT call log.Inject -- user_id/conn_id are not available at HTTP middleware stage (injected during WebSocket handshake).
func MetricsMiddleware ¶
func MetricsMiddleware(duration *prometheus.HistogramVec, total *prometheus.CounterVec) func(http.Handler) http.Handler
MetricsMiddleware returns middleware that records HTTP request duration and count. Uses chi route pattern as the path label to avoid high cardinality.
func Recovery ¶
Recovery returns middleware that recovers from panics. It logs the panic value and stack trace via slog at Error level, then returns HTTP 500 with a JSON error body to the client. http.ErrAbortHandler is re-panic'd (not captured).
func RequestBodyLimit ¶
RequestBodyLimit returns middleware that limits the HTTP request body size to maxBytes. If maxBytes <= 0, no limit is applied (pass-through). When the limit is exceeded, the response is 413 Request Entity Too Large.
Types ¶
type RateLimiter ¶
type RateLimiter struct {
// contains filtered or unexported fields
}
RateLimiter provides per-IP rate limiting using a token bucket algorithm. Keys are derived solely from the connection-level RemoteAddr; client-supplied headers (X-Sequify-User-ID, X-Forwarded-For, X-Real-IP) are intentionally ignored to prevent bypass attacks.
A background goroutine periodically purges entries that have not been accessed recently to prevent unbounded memory growth. Call Stop() to terminate the goroutine during graceful shutdown.
func NewRateLimiter ¶
func NewRateLimiter(rps float64, burst int) *RateLimiter
NewRateLimiter creates a RateLimiter with the given requests-per-second and burst size. A background cleanup goroutine is started automatically; call Stop() to terminate it.
func (*RateLimiter) Middleware ¶
func (rl *RateLimiter) Middleware(next http.Handler) http.Handler
Middleware returns an HTTP middleware that enforces rate limits. Requests exceeding the limit receive 429 Too Many Requests.
func (*RateLimiter) Stop ¶
func (rl *RateLimiter) Stop()
Stop terminates the background cleanup goroutine.