middleware

package
v0.3.3 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 5, 2026 License: MIT Imports: 41 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AESEncrypt

func AESEncrypt(data, key []byte) ([]byte, error)

func APIKey added in v0.3.0

func APIKey(cfg APIKeyConfig) fiber.Handler

APIKey creates a middleware that validates API keys against OpenFGA. The API key is treated as a subject in OpenFGA (apikey:<key_id>).

func Breaker

func Breaker() fiber.Handler

func BuildCSP added in v0.1.0

func BuildCSP(cfg CSPConfig) string

BuildCSP generates a Content-Security-Policy string from config.

func CORS

func CORS(cfg CORSConfig) fiber.Handler

func CSRF added in v0.1.0

func CSRF(cfg CSRFConfig) fiber.Handler

func ContentSecurity

func ContentSecurity(key *rsa.PublicKey, strict bool) fiber.Handler

func Cryption

func Cryption(key []byte) fiber.Handler

func GenerateNonce added in v0.1.0

func GenerateNonce() string

GenerateNonce creates a CSP nonce (base64 random 32 bytes).

func Gunzip

func Gunzip() fiber.Handler

func HeaderSanitize added in v0.1.0

func HeaderSanitize() fiber.Handler

func JWT

func JWT(cfg JWTConfig) fiber.Handler

func JWTWithZitadel added in v0.3.0

func JWTWithZitadel(cfg JWTConfig, zClient *zitadel.Client) fiber.Handler

JWTWithZitadel validates JWT tokens using Zitadel's JWKS (RS256). Used in "openfga-zitadel" auth mode.

func Logger

func Logger() fiber.Handler

func MaxBytes

func MaxBytes(limit int) fiber.Handler

func MaxConns

func MaxConns(limit int) fiber.Handler

func OpenFGA added in v0.3.0

func OpenFGA(cfg OpenFGAConfig) fiber.Handler

OpenFGA creates a middleware that checks authorization against OpenFGA. It requires AuthContext to be present (set by JWT middleware).

func Ory added in v0.3.0

func Ory(cfg OryConfig) fiber.Handler

Ory creates a middleware that checks authorization via Ory Keto. It requires AuthContext to be present (set by JWT middleware).

func ParseObject added in v0.3.0

func ParseObject(object string) (objType, objID string, err error)

func ParsePublicKey

func ParsePublicKey(pemStr string) (*rsa.PublicKey, error)

func Prometheus

func Prometheus() fiber.Handler

func PrometheusHandler

func PrometheusHandler() fiber.Handler

func RateLimit added in v0.1.0

func RateLimit(cfg RateLimitConfig) fiber.Handler

func Recovery

func Recovery() fiber.Handler

func RegisterValidation added in v0.1.0

func RegisterValidation(name string, input any)

func SSE

func SSE() fiber.Handler

func SecurityHeaders added in v0.1.0

func SecurityHeaders(cfg SecurityHeadersConfig) fiber.Handler

func Shedding

func Shedding() fiber.Handler

func SignBody

func SignBody(key *rsa.PrivateKey, body []byte) (string, error)

func Timeout

func Timeout(d time.Duration) fiber.Handler

func TokenRefreshHandler added in v0.3.0

func TokenRefreshHandler(cfg TokenRefreshConfig) fiber.Handler

TokenRefreshHandler returns a handler that delegates token refresh to the configured identity provider, or re-signs the JWT in manual mode.

func Trace

func Trace(cfg TraceConfig) fiber.Handler

func ValidateInput added in v0.1.0

func ValidateInput(modelName string) fiber.Handler

func WebSocket

func WebSocket(handler func(*websocket.Conn)) fiber.Handler

func WebSocketWithConfig

func WebSocketWithConfig(cfg WebSocketConfig, handler func(*websocket.Conn)) fiber.Handler

Types

type APIKeyConfig added in v0.3.0

type APIKeyConfig struct {
	// Prefix identifies API keys (e.g., "sk-"). Empty means no prefix check.
	Prefix string
	// Client is the OpenFGA client for authorization checks.
	Client *openfga.Client
	// Relation is the required relation (e.g., "can_access", "can_write").
	Relation string
	// Object is the resource object (e.g., "webhook:stripe").
	Object string
	// Header is the header to look for the API key (default: "Authorization").
	Header string
}

APIKeyConfig configures API key authentication for an entry.

type AuthContext added in v0.3.0

type AuthContext struct {
	UserID      string
	OrgID       string
	Roles       []string
	Permissions []string
	RawToken    string
	Claims      jwt.MapClaims
}

func AuthFromContext added in v0.3.0

func AuthFromContext(ctx context.Context) *AuthContext

func GetAuth added in v0.3.0

func GetAuth(c fiber.Ctx) *AuthContext

type CORSConfig

type CORSConfig struct {
	AllowedOrigins   string
	AllowedMethods   string
	AllowedHeaders   string
	AllowCredentials bool
	MaxAge           int
}

func DefaultCORSConfig

func DefaultCORSConfig() CORSConfig

type CSPConfig added in v0.1.0

type CSPConfig struct {
	Level              CSPLevel `json:"level" config:",default=basic"`
	DefaultSrc         []string `json:"default_src" config:",optional"`
	ScriptSrc          []string `json:"script_src" config:",optional"`
	StyleSrc           []string `json:"style_src" config:",optional"`
	ImgSrc             []string `json:"img_src" config:",optional"`
	ConnectSrc         []string `json:"connect_src" config:",optional"`
	FontSrc            []string `json:"font_src" config:",optional"`
	FrameSrc           []string `json:"frame_src" config:",optional"`
	FrameAncestors     []string `json:"frame_ancestors" config:",optional"`
	ObjectSrc          []string `json:"object_src" config:",optional"`
	BaseURI            []string `json:"base_uri" config:",optional"`
	FormAction         []string `json:"form_action" config:",optional"`
	UpgradeInsecureReq bool     `json:"upgrade_insecure_requests" config:",optional"`
}

CSPConfig configures Content-Security-Policy generation.

type CSPLevel added in v0.1.0

type CSPLevel string

CSPLevel defines pre-built CSP policies.

const (
	CSPLevelBasic  CSPLevel = "basic"
	CSPLevelStrict CSPLevel = "strict"
)

type CSRFConfig added in v0.1.0

type CSRFConfig struct {
	Enabled      bool     `json:"enabled" config:",optional"`
	CookieName   string   `json:"cookie_name" config:",optional"`
	HeaderName   string   `json:"header_name" config:",optional"`
	SameSite     string   `json:"same_site" config:",optional"`
	Secure       bool     `json:"secure" config:",optional"`
	ExcludePaths []string `json:"exclude_paths" config:",optional"`
	JSONCheck    bool     `json:"json_check" config:",optional"`
}

type JWTConfig

type JWTConfig struct {
	Secret      string
	PrevSecret  string
	ContextKey  string
	TokenLookup string
	Algorithm   string
	Issuer      string
	Audience    string
}

func DefaultJWTConfig

func DefaultJWTConfig() JWTConfig

type OpenFGAConfig added in v0.3.0

type OpenFGAConfig struct {
	Client      openfga.Checker // interface (supports caching)
	Relation    string          // e.g., "can_read", "can_write", "can_delete"
	Object      string          // e.g., "product:123", "order:456"
	Roles       []string        // YAML-defined roles to check
	Permissions []string        // YAML-defined permissions to check
}

OpenFGAConfig defines the configuration for OpenFGA authorization middleware.

type OryConfig added in v0.3.0

type OryConfig struct {
	Client      *ory.Client
	Roles       []string // YAML-defined roles to check
	Permissions []string // YAML-defined permissions to check
}

OryConfig defines the configuration for Ory authorization middleware.

type RateLimitConfig added in v0.1.0

type RateLimitConfig struct {
	Enabled  bool            `json:"enabled" config:",optional"`
	Driver   string          `json:"driver" config:",default=memory"`
	RedisURL string          `json:"redis_url" config:",optional"`
	Global   *RateLimitEntry `json:"global" config:",optional"`
	PerIP    *RateLimitEntry `json:"per_ip" config:",optional"`
	PerUser  *RateLimitEntry `json:"per_user" config:",optional"`
}

type RateLimitEntry added in v0.1.0

type RateLimitEntry struct {
	RequestsPerSecond int `json:"requests_per_second"`
	Burst             int `json:"burst"`
}

type SSRFConfig added in v0.1.0

type SSRFConfig struct {
	Enabled       bool     `json:"enabled"`
	BlockPrivate  bool     `json:"block_private" config:",optional"`
	BlockLoopback bool     `json:"block_loopback" config:",optional"`
	BlockMetadata bool     `json:"block_metadata" config:",optional"`
	AllowedHosts  []string `json:"allowed_hosts" config:",optional"`
	AllowAll      bool     `json:"allow_all" config:",optional"`
}

type SafeHTTPClient added in v0.1.0

type SafeHTTPClient struct {
	// contains filtered or unexported fields
}

func NewSafeHTTPClient added in v0.1.0

func NewSafeHTTPClient(cfg SSRFConfig) *SafeHTTPClient

func (*SafeHTTPClient) DoURL added in v0.3.3

func (c *SafeHTTPClient) DoURL(ctx context.Context, urlStr, method string, body io.Reader) (*http.Response, error)

type SecurityHeadersConfig added in v0.1.0

type SecurityHeadersConfig struct {
	FrameOptions      string `json:"frame_options" config:",optional"`
	ReferrerPolicy    string `json:"referrer_policy" config:",optional"`
	PermissionsPolicy string `json:"permissions_policy" config:",optional"`
	HSTS              bool   `json:"hsts" config:",optional"`
	HSTSMaxAge        int    `json:"hsts_max_age" config:",optional"`
	HSTSIncludeSubs   bool   `json:"hsts_include_subdomains" config:",optional"`
	CSP               string `json:"csp" config:",optional"`
	COOP              string `json:"coop" config:",optional"`
	COEP              string `json:"coep" config:",optional"`
	CORP              string `json:"corp" config:",optional"`
	CacheControl      string `json:"cache_control" config:",optional"`
	CSPReportPath     string `json:"csp_report_path" config:",optional"`
}

type TokenRefreshConfig added in v0.3.0

type TokenRefreshConfig struct {
	// RefreshTokenTTL is how long the refresh token is valid (manual mode).
	RefreshTokenTTL time.Duration
	// JWTSecret used to sign new tokens (manual mode).
	JWTSecret string
	// ZitadelTokenURL is the Zitadel token endpoint URL (openfga-zitadel mode).
	ZitadelTokenURL string
	// ZitadelClientID is the Zitadel OAuth2 client ID.
	ZitadelClientID string
	// KratosRefreshURL is the Kratos session refresh URL (ory mode).
	KratosRefreshURL string
}

TokenRefreshConfig configures the token refresh endpoint behavior.

type TraceConfig

type TraceConfig struct {
	Name     string
	Endpoint string
	Sampler  float64
	Batcher  string
}

type WebSocketConfig

type WebSocketConfig struct {
	Origins          []string
	HandshakeTimeout time.Duration
	ReadBufferSize   int
	WriteBufferSize  int
}

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL