auth

package
v0.1.6 Latest
Published: Mar 29, 2026 License: AGPL-3.0 Imports: 22 Imported by: 0

Documentation

Index

Constants

const (
	ContextKeyDeviceID  = "device_id"
	ContextKeyDevice    = "device"
	ContextKeyRequestID = "request_id"
)

Context keys for values stored in the Gin request context.

Variables

var (
	ErrNonceNotFound = errors.New("nonce not found or expired")
	ErrNonceCapacity = errors.New("nonce store at capacity")
)

Functions

func DeviceRateLimit added in v0.1.1

func DeviceRateLimit(mutPerMin, mutBurst, readPerMin, readBurst int) gin.HandlerFunc

DeviceRateLimit implements per-device rate limiting with separate limits for mutations (POST, DELETE) and reads (GET, PATCH, etc.). PATCH is intentionally classified as a read — it is idempotent and infrequent (hostname changes).

func DeviceTPMAuth

func DeviceTPMAuth(deviceStore *store.DeviceStore, nonceStore *NonceStore, verifier tpm.Verifier, lastSeenBatcher *store.LastSeenBatcher, logger *slog.Logger) gin.HandlerFunc

DeviceTPMAuth validates per-request TPM attestation. If lastSeenBatcher is non-nil, last-seen updates are batched instead of fire-and-forget.

func NexusAuth

func NexusAuth(cfg *config.Config, clientCAs *x509.CertPool, logger *slog.Logger) gin.HandlerFunc

NexusAuth validates mTLS client certificates for Nexus registration.

func RateLimit

func RateLimit(globalRPS, globalBurst, perIPRPS, perIPBurst int) gin.HandlerFunc

RateLimit implements global + per-IP token bucket rate limiting.

func RequestIDMiddleware

func RequestIDMiddleware() gin.HandlerFunc

RequestIDMiddleware adds a unique request ID to each request.

Types

type NonceStore

type NonceStore struct {
	// contains filtered or unexported fields
}

NonceStore is a sharded in-memory store for one-time-use nonces. Sharding eliminates the single-mutex bottleneck at high concurrency.

func NewNonceStore

func NewNonceStore(logger *slog.Logger, maxNonces int, ttl time.Duration) *NonceStore

NewNonceStore creates a sharded nonce store with the given capacity and TTL.

func (*NonceStore) CleanupLoop

func (s *NonceStore) CleanupLoop(ctx context.Context)

CleanupLoop removes expired nonces periodically.

func (*NonceStore) Consume

func (s *NonceStore) Consume(nonce string) error

Consume validates and removes a nonce (one-time use).

func (*NonceStore) Count added in v0.1.6

func (s *NonceStore) Count() int64

Count returns the current number of nonces in the store.

func (*NonceStore) Generate

func (s *NonceStore) Generate() (string, time.Time, error)

Generate creates a new nonce and returns it as a base64-encoded string.

func (*NonceStore) MaxNonces added in v0.1.6

func (s *NonceStore) MaxNonces() int

MaxNonces returns the configured capacity limit.
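The one-time semantics documented for NonceStore, Generate and Consume, as an added illustration (example code, not this package's source): a store that mints random base64 nonces, enforces a capacity bound, and rejects a nonce that is replayed, unknown or past its TTL. It assumes a constructor without the logger parameter, guards a single map with one mutex rather than the sharded layout described above, and omits the periodic cleanup, so an expired nonce holds its slot until it is presented.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"sync"
	"time"
)

var ErrNonceNotFound, ErrNonceCapacity = errors.New("nonce not found or expired"), errors.New("nonce store at capacity")

type NonceStore struct { // example code, not the package's own; one lock here instead of shards
	mu     sync.Mutex
	nonces map[string]time.Time // nonce -> expiry
	max    int                  // capacity limit: bounds memory under a flood of nonce requests
	ttl    time.Duration        // lifetime after which an unconsumed nonce is rejected
}

func NewNonceStore(max int, ttl time.Duration) *NonceStore {
	return &NonceStore{nonces: map[string]time.Time{}, max: max, ttl: ttl}
}

// Generate mints a 32-byte random nonce, refusing when the store is at capacity.
func (s *NonceStore) Generate() (string, time.Time, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", time.Time{}, err
	}
	nonce, exp := base64.RawURLEncoding.EncodeToString(raw), time.Now().Add(s.ttl)
	s.mu.Lock()
	defer s.mu.Unlock()
	if len(s.nonces) >= s.max {
		return "", time.Time{}, ErrNonceCapacity
	}
	s.nonces[nonce] = exp
	return nonce, exp, nil
}

// Consume accepts a nonce at most once: a replayed, unknown or expired nonce is rejected.
func (s *NonceStore) Consume(nonce string) error {
	s.mu.Lock()
	exp, ok := s.nonces[nonce]
	delete(s.nonces, nonce) // deleting under the lock is what makes the nonce one-time
	s.mu.Unlock()
	if !ok || time.Now().After(exp) {
		return ErrNonceNotFound
	}
	return nil
}
```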
