Documentation
¶
Index ¶
- func AESEncrypt(data, key []byte) ([]byte, error)
- func APIKey(cfg APIKeyConfig) fiber.Handler
- func Breaker() fiber.Handler
- func BuildCSP(cfg CSPConfig) string
- func CORS(cfg CORSConfig) fiber.Handler
- func CSRF(cfg CSRFConfig) fiber.Handler
- func ContentSecurity(key *rsa.PublicKey, strict bool) fiber.Handler
- func Cryption(key []byte) fiber.Handler
- func GenerateNonce() string
- func Gunzip() fiber.Handler
- func HeaderSanitize() fiber.Handler
- func JWT(cfg JWTConfig) fiber.Handler
- func JWTWithZitadel(cfg JWTConfig, zClient *zitadel.Client) fiber.Handler
- func Logger() fiber.Handler
- func MaxBytes(limit int) fiber.Handler
- func MaxConns(limit int) fiber.Handler
- func OpenFGA(cfg OpenFGAConfig) fiber.Handler
- func Ory(cfg OryConfig) fiber.Handler
- func ParseObject(object string) (objType, objID string, err error)
- func ParsePublicKey(pemStr string) (*rsa.PublicKey, error)
- func Prometheus() fiber.Handler
- func PrometheusHandler() fiber.Handler
- func RateLimit(cfg RateLimitConfig) fiber.Handler
- func Recovery() fiber.Handler
- func RegisterValidation(name string, input any)
- func SSE() fiber.Handler
- func SecurityHeaders(cfg SecurityHeadersConfig) fiber.Handler
- func Shedding() fiber.Handler
- func SignBody(key *rsa.PrivateKey, body []byte) (string, error)
- func Timeout(d time.Duration) fiber.Handler
- func TokenRefreshHandler(cfg TokenRefreshConfig) fiber.Handler
- func Trace(cfg TraceConfig) fiber.Handler
- func ValidateInput(modelName string) fiber.Handler
- func WebSocket(handler func(*websocket.Conn)) fiber.Handler
- func WebSocketWithConfig(cfg WebSocketConfig, handler func(*websocket.Conn)) fiber.Handler
- type APIKeyConfig
- type AuthContext
- type CORSConfig
- type CSPConfig
- type CSPLevel
- type CSRFConfig
- type JWTConfig
- type OpenFGAConfig
- type OryConfig
- type RateLimitConfig
- type RateLimitEntry
- type SSRFConfig
- type SafeHTTPClient
- type SecurityHeadersConfig
- type TokenRefreshConfig
- type TraceConfig
- type WebSocketConfig
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func AESEncrypt ¶
func APIKey ¶ added in v0.3.0
func APIKey(cfg APIKeyConfig) fiber.Handler
APIKey creates a middleware that validates API keys against OpenFGA. The API key is treated as a subject in OpenFGA (apikey:<key_id>).
func CORS ¶
func CORS(cfg CORSConfig) fiber.Handler
func CSRF ¶ added in v0.1.0
func CSRF(cfg CSRFConfig) fiber.Handler
func GenerateNonce ¶ added in v0.1.0
func GenerateNonce() string
GenerateNonce creates a CSP nonce (base64 random 32 bytes).
func HeaderSanitize ¶ added in v0.1.0
func JWTWithZitadel ¶ added in v0.3.0
JWTWithZitadel validates JWT tokens using Zitadel's JWKS (RS256). Used in "openfga-zitadel" auth mode.
func OpenFGA ¶ added in v0.3.0
func OpenFGA(cfg OpenFGAConfig) fiber.Handler
OpenFGA creates a middleware that checks authorization against OpenFGA. It requires AuthContext to be present (set by JWT middleware).
func Ory ¶ added in v0.3.0
Ory creates a middleware that checks authorization via Ory Keto. It requires AuthContext to be present (set by JWT middleware).
func ParseObject ¶ added in v0.3.0
func Prometheus ¶
func PrometheusHandler ¶
func RateLimit ¶ added in v0.1.0
func RateLimit(cfg RateLimitConfig) fiber.Handler
func RegisterValidation ¶ added in v0.1.0
func SecurityHeaders ¶ added in v0.1.0
func SecurityHeaders(cfg SecurityHeadersConfig) fiber.Handler
func TokenRefreshHandler ¶ added in v0.3.0
func TokenRefreshHandler(cfg TokenRefreshConfig) fiber.Handler
TokenRefreshHandler returns a handler that delegates token refresh to the configured identity provider, or re-signs the JWT in manual mode.
func Trace ¶
func Trace(cfg TraceConfig) fiber.Handler
func ValidateInput ¶ added in v0.1.0
func WebSocketWithConfig ¶
func WebSocketWithConfig(cfg WebSocketConfig, handler func(*websocket.Conn)) fiber.Handler
Types ¶
type APIKeyConfig ¶ added in v0.3.0
type APIKeyConfig struct {
// Prefix identifies API keys (e.g., "sk-"). Empty means no prefix check.
Prefix string
// Client is the OpenFGA client for authorization checks.
Client *openfga.Client
// Relation is the required relation (e.g., "can_access", "can_write").
Relation string
// Object is the resource object (e.g., "webhook:stripe").
Object string
// Header is the header to look for the API key (default: "Authorization").
Header string
}
APIKeyConfig configures API key authentication for an entry.
type AuthContext ¶ added in v0.3.0
type AuthContext struct {
UserID string
OrgID string
Roles []string
Permissions []string
RawToken string
Claims jwt.MapClaims
}
func AuthFromContext ¶ added in v0.3.0
func AuthFromContext(ctx context.Context) *AuthContext
func GetAuth ¶ added in v0.3.0
func GetAuth(c *fiber.Ctx) *AuthContext
type CORSConfig ¶
type CORSConfig struct {
AllowedOrigins string
AllowedMethods string
AllowedHeaders string
AllowCredentials bool
MaxAge int
}
func DefaultCORSConfig ¶
func DefaultCORSConfig() CORSConfig
type CSPConfig ¶ added in v0.1.0
type CSPConfig struct {
Level CSPLevel `json:"level" config:",default=basic"`
DefaultSrc []string `json:"default_src" config:",optional"`
ScriptSrc []string `json:"script_src" config:",optional"`
StyleSrc []string `json:"style_src" config:",optional"`
ImgSrc []string `json:"img_src" config:",optional"`
ConnectSrc []string `json:"connect_src" config:",optional"`
FontSrc []string `json:"font_src" config:",optional"`
FrameSrc []string `json:"frame_src" config:",optional"`
FrameAncestors []string `json:"frame_ancestors" config:",optional"`
ObjectSrc []string `json:"object_src" config:",optional"`
BaseURI []string `json:"base_uri" config:",optional"`
FormAction []string `json:"form_action" config:",optional"`
UpgradeInsecureReq bool `json:"upgrade_insecure_requests" config:",optional"`
}
CSPConfig configures Content-Security-Policy generation.
type CSRFConfig ¶ added in v0.1.0
type CSRFConfig struct {
Enabled bool `json:"enabled" config:",optional"`
CookieName string `json:"cookie_name" config:",optional"`
HeaderName string `json:"header_name" config:",optional"`
SameSite string `json:"same_site" config:",optional"`
Secure bool `json:"secure" config:",optional"`
ExcludePaths []string `json:"exclude_paths" config:",optional"`
JSONCheck bool `json:"json_check" config:",optional"`
}
type JWTConfig ¶
type JWTConfig struct {
Secret string
PrevSecret string
ContextKey string
TokenLookup string
Algorithm string
Issuer string
Audience string
}
func DefaultJWTConfig ¶
func DefaultJWTConfig() JWTConfig
type OpenFGAConfig ¶ added in v0.3.0
type OpenFGAConfig struct {
Client openfga.Checker // interface (supports caching)
Relation string // e.g., "can_read", "can_write", "can_delete"
Object string // e.g., "product:123", "order:456"
Roles []string // YAML-defined roles to check
Permissions []string // YAML-defined permissions to check
}
OpenFGAConfig defines the configuration for OpenFGA authorization middleware.
type OryConfig ¶ added in v0.3.0
type OryConfig struct {
Client *ory.Client
Roles []string // YAML-defined roles to check
Permissions []string // YAML-defined permissions to check
}
OryConfig defines the configuration for Ory authorization middleware.
type RateLimitConfig ¶ added in v0.1.0
type RateLimitConfig struct {
Enabled bool `json:"enabled" config:",optional"`
Driver string `json:"driver" config:",default=memory"`
RedisURL string `json:"redis_url" config:",optional"`
Global *RateLimitEntry `json:"global" config:",optional"`
PerIP *RateLimitEntry `json:"per_ip" config:",optional"`
PerUser *RateLimitEntry `json:"per_user" config:",optional"`
}
type RateLimitEntry ¶ added in v0.1.0
type SSRFConfig ¶ added in v0.1.0
type SSRFConfig struct {
Enabled bool `json:"enabled"`
BlockPrivate bool `json:"block_private" config:",optional"`
BlockLoopback bool `json:"block_loopback" config:",optional"`
BlockMetadata bool `json:"block_metadata" config:",optional"`
AllowedHosts []string `json:"allowed_hosts" config:",optional"`
AllowAll bool `json:"allow_all" config:",optional"`
}
type SafeHTTPClient ¶ added in v0.1.0
type SafeHTTPClient struct {
// contains filtered or unexported fields
}
SafeHTTPClient wraps an HTTP client with SSRF protection.
func NewSafeHTTPClient ¶ added in v0.1.0
func NewSafeHTTPClient(cfg SSRFConfig) *SafeHTTPClient
NewSafeHTTPClient creates an HTTP client protected against SSRF.
type SecurityHeadersConfig ¶ added in v0.1.0
type SecurityHeadersConfig struct {
FrameOptions string `json:"frame_options" config:",optional"`
ReferrerPolicy string `json:"referrer_policy" config:",optional"`
PermissionsPolicy string `json:"permissions_policy" config:",optional"`
HSTS bool `json:"hsts" config:",optional"`
HSTSMaxAge int `json:"hsts_max_age" config:",optional"`
HSTSIncludeSubs bool `json:"hsts_include_subdomains" config:",optional"`
CSP string `json:"csp" config:",optional"`
COOP string `json:"coop" config:",optional"`
COEP string `json:"coep" config:",optional"`
CORP string `json:"corp" config:",optional"`
CacheControl string `json:"cache_control" config:",optional"`
CSPReportPath string `json:"csp_report_path" config:",optional"`
}
type TokenRefreshConfig ¶ added in v0.3.0
type TokenRefreshConfig struct {
// RefreshTokenTTL is how long the refresh token is valid (manual mode).
RefreshTokenTTL time.Duration
// JWTSecret used to sign new tokens (manual mode).
JWTSecret string
// ZitadelTokenURL is the Zitadel token endpoint URL (openfga-zitadel mode).
ZitadelTokenURL string
// ZitadelClientID is the Zitadel OAuth2 client ID.
ZitadelClientID string
// KratosRefreshURL is the Kratos session refresh URL (ory mode).
KratosRefreshURL string
}
TokenRefreshConfig configures the token refresh endpoint behavior.
type TraceConfig ¶
Source Files
¶
- apikey.go
- auth_context.go
- breaker.go
- content_security.go
- cors.go
- cryption.go
- csp.go
- csrf.go
- gunzip.go
- header_sanitize.go
- jwt.go
- jwt_zitadel.go
- logger.go
- maxbytes.go
- maxconns.go
- openfga.go
- ory.go
- prometheus.go
- rate_limit.go
- recover.go
- security_headers.go
- shedding.go
- sse.go
- ssrf.go
- timeout.go
- tokenrefresh.go
- trace.go
- validate.go
- websocket.go