interceptors

package
v1.6.0
Published: Apr 26, 2026 License: Apache-2.0 Imports: 18 Imported by: 0

Documentation

Constants

This section is empty.

Variables

var (
	ErrUnauthenticated  = status.Error(codes.Unauthenticated, "unauthenticated")
	ErrPermissionDenied = status.Error(codes.PermissionDenied, "permission denied")
)
var ErrRateLimited = status.Error(codes.ResourceExhausted, "rate limit exceeded")

Functions

func AdminStreamServerInterceptor added in v1.4.0

func AdminStreamServerInterceptor() grpc.StreamServerInterceptor

AdminStreamServerInterceptor returns a gRPC stream server interceptor that requires the caller to have Admin claims. It expects the auth interceptor to have already populated the context with claims.

func AdminUnaryServerInterceptor added in v1.4.0

func AdminUnaryServerInterceptor() grpc.UnaryServerInterceptor

AdminUnaryServerInterceptor returns a gRPC unary server interceptor that requires the caller to have Admin claims. It expects the auth interceptor to have already populated the context with claims.

func AuthStreamServerInterceptor

func AuthStreamServerInterceptor(a Authenticator) grpc.StreamServerInterceptor

AuthStreamServerInterceptor returns a gRPC stream server interceptor that authenticates and authorizes requests using the provided Authenticator. RPCs respect no_auth, admin_only, and reject_read_only method/service options.

func AuthUnaryServerInterceptor

func AuthUnaryServerInterceptor(a Authenticator) grpc.UnaryServerInterceptor

AuthUnaryServerInterceptor returns a gRPC unary server interceptor that authenticates and authorizes requests using the provided Authenticator. RPCs respect no_auth, admin_only, and reject_read_only method/service options.

func HasAdminOnly added in v1.2.0

func HasAdminOnly(fullMethod string) bool

HasAdminOnly returns true if the method or its parent service requires admin access.

func HasNoAuth added in v1.2.0

func HasNoAuth(fullMethod string) bool

HasNoAuth returns true if the method or its parent service opts out of authentication.

func HasRejectReadOnly added in v1.2.0

func HasRejectReadOnly(fullMethod string) bool

HasRejectReadOnly returns true if the method rejects read-only users.

func LogStreamServerInterceptor added in v1.3.0

func LogStreamServerInterceptor() grpc.StreamServerInterceptor

LogStreamServerInterceptor returns a gRPC stream server interceptor that logs errors returned by handlers.

func LogUnaryServerInterceptor added in v1.3.0

func LogUnaryServerInterceptor() grpc.UnaryServerInterceptor

LogUnaryServerInterceptor returns a gRPC unary server interceptor that logs errors returned by handlers.

func MethodBoolOption added in v1.2.0

func MethodBoolOption(md protoreflect.MethodDescriptor, ext *protoimpl.ExtensionInfo) bool

MethodBoolOption reads a bool extension from the method's options.

func ResolveMethod added in v1.2.0

ResolveMethod parses a gRPC full method name and returns the service and method descriptors from the global proto registry.

func RevokedTokenStreamServerInterceptor added in v1.6.0

func RevokedTokenStreamServerInterceptor(checker auth.RevokedTokenChecker) grpc.StreamServerInterceptor

RevokedTokenStreamServerInterceptor returns a stream interceptor that rejects requests whose JWT (by JTI) has been revoked. RPCs annotated with the no_auth option are skipped.

func RevokedTokenUnaryServerInterceptor added in v1.6.0

func RevokedTokenUnaryServerInterceptor(checker auth.RevokedTokenChecker) grpc.UnaryServerInterceptor

RevokedTokenUnaryServerInterceptor returns a unary interceptor that rejects requests whose JWT (by JTI) has been revoked. RPCs annotated with the no_auth option are skipped.

func ServiceBoolOption added in v1.2.0

func ServiceBoolOption(sd protoreflect.ServiceDescriptor, ext *protoimpl.ExtensionInfo) bool

ServiceBoolOption reads a bool extension from the service's options.

Types

type Authenticator

type Authenticator interface {
	VerifyAccessToken(token string) (*auth.Claim, error)
}

Authenticator verifies access tokens and returns claims.

type RateLimitConfig added in v1.3.0

type RateLimitConfig struct {
	// Rate is the token refill rate (per second) for authenticated users.
	// Default ~1.67/s = 100 requests per minute.
	Rate rate.Limit `envconfig:"RATE_LIMIT_RATE" default:"1.67"`
	// Burst is the maximum burst size for authenticated users.
	Burst int `envconfig:"RATE_LIMIT_BURST" default:"100"`
	// NoAuthRate is the token refill rate for unauthenticated requests,
	// keyed by peer address. Default ~0.17/s = 10 requests per minute.
	NoAuthRate rate.Limit `envconfig:"RATE_LIMIT_NO_AUTH_RATE" default:"0.17"`
	// NoAuthBurst is the maximum burst size for unauthenticated requests, keyed by peer address.
	NoAuthBurst int `envconfig:"RATE_LIMIT_NO_AUTH_BURST" default:"20"`
}

RateLimitConfig configures the rate limiting interceptor.

type RateLimiter added in v1.3.0

type RateLimiter struct {
	// contains filtered or unexported fields
}

RateLimiter provides in-memory rate limiting for gRPC RPCs. Authenticated users are keyed by auth.Subject; unauthenticated requests are keyed by peer address.

TODO: The rates sync.Map will grow throughout the lifetime of the server. Eviction or a periodic fresh swap should be considered.
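
One way to address the TODO above, as an added example that is not this package's code: a stdlib-only keyed limiter that stores, per key, the instant at which its token bucket is full again, rather than wrapping a `rate.Limiter`. The names `KeyedLimiter`, `NewKeyedLimiter`, `Allow` and `Evict` are hypothetical and the peer address is constructed; evicting only keys whose bucket is full again bounds the map to recently active callers without handing a throttled caller its burst back.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// KeyedLimiter is a hypothetical stand-in for RateLimiter, not the package's own code.
type KeyedLimiter struct {
	mu       sync.Mutex
	interval time.Duration        // time to refill one token, 1/rate
	burst    int                  // bucket capacity
	full     map[string]time.Time // per key: instant at which its bucket is full again
}

func NewKeyedLimiter(rate float64, burst int) *KeyedLimiter {
	return &KeyedLimiter{interval: time.Duration(1e9 / rate), burst: burst, full: map[string]time.Time{}}
}

// Allow spends one token for key (a subject or a peer address) if one is available.
func (l *KeyedLimiter) Allow(key string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	full := l.full[key]
	if full.Before(now) {
		full = now // unseen or fully refilled key: bucket is at capacity
	}
	if full.Sub(now) > time.Duration(l.burst-1)*l.interval {
		return false // less than one token left
	}
	l.full[key] = full.Add(l.interval) // a spent token delays "full" by one interval
	return true
}

// Evict drops keys whose bucket is full again and returns how many keys remain.
func (l *KeyedLimiter) Evict(now time.Time) int {
	l.mu.Lock()
	defer l.mu.Unlock()
	for k, full := range l.full {
		if !full.After(now) {
			delete(l.full, k) // same state as an unseen key, so no burst is handed back
		}
	}
	return len(l.full)
}

func main() {
	fmt.Println(NewKeyedLimiter(0.17, 20).Allow("203.0.113.7:50001", time.Now())) // constructed peer
}
```

With the defaults documented above, a drained key becomes evictable after Burst / Rate seconds: about 118 seconds for an unauthenticated peer and about 60 seconds for an authenticated subject.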

func NewRateLimiter added in v1.3.0

func NewRateLimiter(cfg RateLimitConfig) *RateLimiter

NewRateLimiter creates a RateLimiter with the given configuration.

func (*RateLimiter) StreamServerInterceptor added in v1.3.0

func (rl *RateLimiter) StreamServerInterceptor() grpc.StreamServerInterceptor

StreamServerInterceptor returns a gRPC stream server interceptor that rate limits requests. Authenticated users get per-subject limits; unauthenticated requests get per-peer limits.

func (*RateLimiter) UnaryServerInterceptor added in v1.3.0

func (rl *RateLimiter) UnaryServerInterceptor() grpc.UnaryServerInterceptor

UnaryServerInterceptor returns a gRPC unary server interceptor that rate limits requests. Authenticated users get per-subject limits; unauthenticated requests get per-peer limits.
