middleware

package
v0.0.14 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 4, 2026 License: Apache-2.0 Imports: 11 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CORSMiddleware added in v0.0.2 

func CORSMiddleware(config CORSConfig) forge.Middleware

CORSMiddleware creates a CORS middleware with the given configuration

Types

type APIKeyStrategy added in v0.0.5 

type APIKeyStrategy struct {
	// contains filtered or unexported fields
}

APIKeyStrategy implements authentication via API keys Supports multiple extraction methods: - Authorization: ApiKey <key> - Authorization: Bearer <key> (if key has pk_/sk_/rk_ prefix) - X-API-Key: <key> - Query param (if enabled, not recommended)

func NewAPIKeyStrategy added in v0.0.5 

func NewAPIKeyStrategy(service *apikey.Service, allowInQuery bool) *APIKeyStrategy

NewAPIKeyStrategy creates a new API key authentication strategy

func (*APIKeyStrategy) Authenticate added in v0.0.5 

func (s *APIKeyStrategy) Authenticate(ctx context.Context, credentials interface{}) (*contexts.AuthContext, error)

Authenticate validates the API key and builds auth context

func (*APIKeyStrategy) Extract added in v0.0.5 

func (s *APIKeyStrategy) Extract(c forge.Context) (interface{}, bool)

Extract attempts to extract an API key from the request

func (*APIKeyStrategy) ID added in v0.0.5 

func (s *APIKeyStrategy) ID() string

ID returns the strategy identifier

func (*APIKeyStrategy) Priority added in v0.0.5 

func (s *APIKeyStrategy) Priority() int

Priority returns the strategy priority (10 = high priority for API keys)

type AuthMiddleware 

type AuthMiddleware struct {
	// contains filtered or unexported fields
}

AuthMiddleware handles authentication via API keys and sessions Following production patterns like Clerk, this middleware supports: - API key authentication (pk/sk/rk keys) - Session-based authentication (cookies + bearer tokens) - Dual authentication (both API key and user session) - Pluggable authentication strategies

func NewAuthMiddleware 

func NewAuthMiddleware(
	apiKeySvc *apikey.Service,
	sessionSvc session.ServiceInterface,
	userSvc user.ServiceInterface,
	config AuthMiddlewareConfig,
	cookieConfig *session.CookieConfig,
	strategyRegistry *AuthStrategyRegistry,
) *AuthMiddleware

NewAuthMiddleware creates a new authentication middleware

func (*AuthMiddleware) Authenticate 

func (m *AuthMiddleware) Authenticate(next forge.Handler) forge.Handler

Authenticate is the main middleware function that populates auth context This middleware is optional by default - it populates context but doesn't block It tries authentication strategies in priority order

func (*AuthMiddleware) RequireAPIKey 

func (m *AuthMiddleware) RequireAPIKey(next forge.Handler) forge.Handler

RequireAPIKey middleware that requires an API key

func (*AuthMiddleware) RequireAdmin 

func (m *AuthMiddleware) RequireAdmin(next forge.Handler) forge.Handler

RequireAdmin middleware that requires admin privileges

func (*AuthMiddleware) RequireAllPermissions 

func (m *AuthMiddleware) RequireAllPermissions(permissions ...string) forge.Middleware

RequireAllPermissions middleware that requires all of the specified permissions

func (*AuthMiddleware) RequireAllScopes 

func (m *AuthMiddleware) RequireAllScopes(scopes ...string) forge.Middleware

RequireAllScopes middleware that requires all of the specified scopes

func (*AuthMiddleware) RequireAnyPermission 

func (m *AuthMiddleware) RequireAnyPermission(permissions ...string) forge.Middleware

RequireAnyPermission middleware that requires any of the specified permissions

func (*AuthMiddleware) RequireAnyScope 

func (m *AuthMiddleware) RequireAnyScope(scopes ...string) forge.Middleware

RequireAnyScope middleware that requires any of the specified scopes

func (*AuthMiddleware) RequireAuth 

func (m *AuthMiddleware) RequireAuth(next forge.Handler) forge.Handler

RequireAuth middleware that rejects unauthenticated requests

func (*AuthMiddleware) RequireCanAccess 

func (m *AuthMiddleware) RequireCanAccess(action, resource string) forge.Middleware

RequireCanAccess middleware that checks if auth context can access a resource This is flexible - accepts EITHER legacy scopes OR RBAC permissions Recommended for backward compatibility

func (*AuthMiddleware) RequirePublishableKey 

func (m *AuthMiddleware) RequirePublishableKey(next forge.Handler) forge.Handler

RequirePublishableKey middleware that requires a publishable (pk_) API key

func (*AuthMiddleware) RequireRBACPermission 

func (m *AuthMiddleware) RequireRBACPermission(action, resource string) forge.Middleware

RequireRBACPermission middleware that requires a specific RBAC permission Checks only RBAC permissions (not legacy scopes)

func (*AuthMiddleware) RequireScope 

func (m *AuthMiddleware) RequireScope(scope string) forge.Middleware

RequireScope middleware that requires a specific API key scope

func (*AuthMiddleware) RequireSecretKey 

func (m *AuthMiddleware) RequireSecretKey(next forge.Handler) forge.Handler

RequireSecretKey middleware that requires a secret (sk_) API key

func (*AuthMiddleware) RequireUser 

func (m *AuthMiddleware) RequireUser(next forge.Handler) forge.Handler

RequireUser middleware that requires a logged-in user (session)

type AuthMiddlewareConfig 

type AuthMiddlewareConfig struct {
	// Cookie name for session token
	SessionCookieName string

	// Allow unauthenticated requests to pass through
	// If false, middleware will return 401 for unauthenticated requests
	Optional bool

	// Header names to check for API keys
	APIKeyHeaders []string

	// Allow API key in query params (NOT recommended for production)
	AllowAPIKeyInQuery bool

	// Allow query param session tokens (NOT recommended for production)
	AllowSessionInQuery bool

	// Context configuration for app/environment population
	Context ContextConfig
}

AuthMiddlewareConfig configures the authentication middleware behavior

type AuthStrategy added in v0.0.5 

type AuthStrategy interface {
	// ID returns the unique strategy identifier (e.g., "bearer", "apikey", "cookie")
	ID() string

	// Priority determines the order strategies are tried
	// Lower values are tried first. Recommended ranges:
	//   0-9:   Reserved for system
	//   10-19: API keys and machine auth
	//   20-29: Bearer tokens
	//   30-39: Cookie sessions
	//   40-49: Basic auth
	//   50+:   Custom strategies
	Priority() int

	// Extract attempts to extract credentials from the request
	// Returns credentials (strategy-specific type) and whether they were found
	// If no credentials are present for this strategy, return (nil, false)
	Extract(c forge.Context) (credentials interface{}, found bool)

	// Authenticate validates the credentials and returns an AuthContext
	// This method is only called if Extract returned found=true
	// On success, return a fully populated AuthContext
	// On failure, return an error (auth will try next strategy)
	Authenticate(ctx context.Context, credentials interface{}) (*contexts.AuthContext, error)
}

AuthStrategy defines the interface for pluggable authentication strategies Each strategy is responsible for: 1. Extracting credentials from the request 2. Validating those credentials 3. Building an AuthContext on success

Strategies are tried in priority order (lower number = higher priority) until one successfully authenticates or all fail.

type AuthStrategyError added in v0.0.5 

type AuthStrategyError struct {
	Strategy string
	Message  string
	Err      error
}

AuthStrategyError represents an authentication strategy error

func (*AuthStrategyError) Error added in v0.0.5 

func (e *AuthStrategyError) Error() string

func (*AuthStrategyError) Unwrap added in v0.0.5 

func (e *AuthStrategyError) Unwrap() error

type AuthStrategyRegistry added in v0.0.5 

type AuthStrategyRegistry struct {
	// contains filtered or unexported fields
}

AuthStrategyRegistry manages registered authentication strategies

func NewAuthStrategyRegistry added in v0.0.5 

func NewAuthStrategyRegistry() *AuthStrategyRegistry

NewAuthStrategyRegistry creates a new strategy registry

func (*AuthStrategyRegistry) Get added in v0.0.5 

func (r *AuthStrategyRegistry) Get(id string) (AuthStrategy, bool)

Get retrieves a strategy by ID

func (*AuthStrategyRegistry) List added in v0.0.5 

func (r *AuthStrategyRegistry) List() []AuthStrategy

List returns all registered strategies in priority order

func (*AuthStrategyRegistry) Register added in v0.0.5 

func (r *AuthStrategyRegistry) Register(strategy AuthStrategy) error

Register adds a new authentication strategy Strategies are automatically sorted by priority after registration

type CORSConfig added in v0.0.2 

type CORSConfig struct {
	AllowedOrigins   []string
	AllowCredentials bool
	AllowedMethods   []string
	AllowedHeaders   []string
	ExposeHeaders    []string
	MaxAge           int
}

CORSConfig holds CORS middleware configuration

type ContextConfig added in v0.0.2 

type ContextConfig struct {
	// DefaultAppID is used when no app ID is found in headers or API key
	// Should be a valid xid string (e.g., "c7ndh411g9k8pdunveeg")
	DefaultAppID string

	// DefaultEnvironmentID is used when no environment ID is found
	// Should be a valid xid string (e.g., "c7ndh411g9k8pdunveeg")
	DefaultEnvironmentID string

	// AppIDHeader is the header name to check for app ID (default: X-App-ID)
	AppIDHeader string

	// EnvironmentIDHeader is the header name to check for environment ID (default: X-Environment-ID)
	EnvironmentIDHeader string

	// AutoDetectFromConfig enables auto-detection of app/environment from AuthSome config
	// When enabled in standalone mode, uses the default app automatically
	AutoDetectFromConfig bool

	// AutoDetectFromAPIKey enables inferring app/environment from verified API key
	// This is the most common pattern - API key contains app and environment context
	AutoDetectFromAPIKey bool
}

ContextConfig configures how app and environment context is populated

func DefaultContextConfig added in v0.0.2 

func DefaultContextConfig() ContextConfig

DefaultContextConfig returns a ContextConfig with sensible defaults

type ContextResolution added in v0.0.2 

type ContextResolution struct {
	AppID               xid.ID
	AppIDSource         ContextSource
	EnvironmentID       xid.ID
	EnvironmentIDSource ContextSource
}

ContextResolution tracks how context values were resolved

type ContextSource added in v0.0.2 

type ContextSource string

ContextSource indicates where the context value came from 

const (
	ContextSourceNone       ContextSource = "none"
	ContextSourceExisting   ContextSource = "existing"    // Already in request context
	ContextSourceHeader     ContextSource = "header"      // From HTTP header
	ContextSourceAPIKey     ContextSource = "api_key"     // From verified API key
	ContextSourceDefault    ContextSource = "default"     // From default config
	ContextSourceAutoDetect ContextSource = "auto_detect" // From AuthSome config
)

type SessionStrategy added in v0.0.5 

type SessionStrategy struct {
	// contains filtered or unexported fields
}

SessionStrategy implements authentication via session cookies This is the traditional cookie-based session authentication

func NewSessionStrategy added in v0.0.5 

func NewSessionStrategy(
	sessionSvc session.ServiceInterface,
	userSvc user.ServiceInterface,
	cookieName string,
	allowInQuery bool,
) *SessionStrategy

NewSessionStrategy creates a new session cookie authentication strategy

func (*SessionStrategy) Authenticate added in v0.0.5 

func (s *SessionStrategy) Authenticate(ctx context.Context, credentials interface{}) (*contexts.AuthContext, error)

Authenticate validates the session and builds auth context

func (*SessionStrategy) Extract added in v0.0.5 

func (s *SessionStrategy) Extract(c forge.Context) (interface{}, bool)

Extract attempts to extract a session token from cookies

func (*SessionStrategy) ID added in v0.0.5 

func (s *SessionStrategy) ID() string

ID returns the strategy identifier

func (*SessionStrategy) Priority added in v0.0.5 

func (s *SessionStrategy) Priority() int

Priority returns the strategy priority (30 = medium priority for cookies)

type StrategyAlreadyRegisteredError added in v0.0.5 

type StrategyAlreadyRegisteredError struct {
	ID string
}

StrategyAlreadyRegisteredError is returned when attempting to register a duplicate strategy

func (*StrategyAlreadyRegisteredError) Error added in v0.0.5 

func (e *StrategyAlreadyRegisteredError) Error() string

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.