Documentation
Overview
Package auth provides authentication middleware for the registry API server.
Index
- Variables
- func IsPublicPath(requestPath string, publicPaths []string) bool
- func NewAuthMiddleware(ctx context.Context, cfg *config.AuthConfig, factory validatorFactory) (func(http.Handler) http.Handler, http.Handler, error)
- func WrapWithPublicPaths(authMw func(http.Handler) http.Handler, publicPaths []string) func(http.Handler) http.Handler
Constants
This section is empty.
Variables
```go
var DefaultValidatorFactory validatorFactory = func(
	ctx context.Context,
	cfg auth.TokenValidatorConfig,
) (tokenValidatorInterface, error) {
	return auth.NewTokenValidator(ctx, cfg)
}
```
DefaultValidatorFactory uses the real ToolHive token validator.
Functions
func IsPublicPath
IsPublicPath checks if a path should bypass authentication. It performs secure path matching by:
1. Rejecting paths with encoded path separators to prevent double-encoding attacks
2. Normalizing the path to prevent traversal attacks (e.g., /health/../registry/v0.1/servers)
3. Using segment-aware matching so /health matches /health and /health/check but NOT /healthcheck
func NewAuthMiddleware
```go
func NewAuthMiddleware(
	ctx context.Context,
	cfg *config.AuthConfig,
	factory validatorFactory,
) (func(http.Handler) http.Handler, http.Handler, error)
```
NewAuthMiddleware creates authentication middleware based on config. Returns: (middleware, authInfoHandler, error)
By default, authentication is ENABLED and requires OAuth configuration. To disable authentication for development, either:
- Use the --auth-mode=anonymous flag
- Set auth.mode: anonymous in the config file
This function validates the auth configuration before creating the middleware.
func WrapWithPublicPaths
```go
func WrapWithPublicPaths(
	authMw func(http.Handler) http.Handler,
	publicPaths []string,
) func(http.Handler) http.Handler
```
WrapWithPublicPaths wraps an auth middleware to bypass authentication for public paths. It checks each request path against the provided list of public paths using IsPublicPath. Requests to public paths are passed directly to the next handler without authentication, while all other requests go through the provided auth middleware.
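The three checks listed for IsPublicPath and the bypass described for WrapWithPublicPaths, sketched as an added example; this is not the package's own implementation. matchPublic and wrapPublic are hypothetical names, and the sketch assumes the matcher is given the already-decoded r.URL.Path and that "%2f" and "%5c" are the encoded separators to reject.

```go
package main

import (
	"fmt"
	"net/http"
	"path"
	"strings"
)

// matchPublic is a hypothetical stand-in for IsPublicPath, not the package's code.
func matchPublic(requestPath string, publicPaths []string) bool {
	// 1. Reject encoded separators (assumed set: %2f, %5c). On an already-decoded
	// path, a surviving "%2f" means the client sent it double-encoded ("%252f").
	lower := strings.ToLower(requestPath)
	if strings.Contains(lower, "%2f") || strings.Contains(lower, "%5c") {
		return false
	}
	// 2. Normalize, so "/health/../registry/..." is judged as "/registry/...".
	clean := path.Clean("/" + requestPath)
	// 3. Segment-aware match: equal to a public path, or that path followed by "/".
	for _, p := range publicPaths {
		p = strings.TrimSuffix(p, "/") // an empty or "/" entry never matches (fail closed)
		if p != "" && (clean == p || strings.HasPrefix(clean, p+"/")) {
			return true
		}
	}
	return false
}

// wrapPublic follows the documented behaviour of WrapWithPublicPaths, using matchPublic.
func wrapPublic(authMw func(http.Handler) http.Handler, publicPaths []string) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		protected := authMw(next)
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			if matchPublic(r.URL.Path, publicPaths) {
				next.ServeHTTP(w, r) // public path: skip authentication
				return
			}
			protected.ServeHTTP(w, r) // everything else goes through auth
		})
	}
}

func main() {
	public := []string{"/health"} // constructed sample configuration
	for _, p := range []string{"/health", "/health/check", "/healthcheck", "/health/../registry/v0.1/servers", "/health%2f..%2fregistry"} {
		fmt.Printf("%-34s public=%v\n", p, matchPublic(p, public))
	}
}
```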
Types
This section is empty.