Caddy internal route

[gocanto]

Summary by CodeRabbit

• Chores
  • Restricted the /api/generate-signature/* endpoint to localhost in production, preventing external access. Other routes remain unchanged.
• Refactor
  • Removed IP-based checks from public middleware; public endpoints still validate timestamps and deduplicate requests but are no longer blocked by IP allowlists. No user action required.

[coderabbitai]

Caution

Review failed

The pull request is closed.

Walkthrough

A new Caddy route adds IP-gated handling for /api/generate-signature/*, allowing only localhost. Concurrently, IP-based validation logic was removed from PublicMiddleware, eliminating the HasInvalidIP method and related checks. Other middleware validations (timestamp, duplicate request) remain unchanged.

Changes

Cohort / File(s)	Summary
Edge routing (Caddy) caddy/Caddyfile.prod	Added route /api/generate-signature/* with matcher @allowed (ip_range 127.0.0.1 ::1) and abort not @allowed, enforcing localhost-only access before general /api/* handling.
HTTP middleware pkg/middleware/public_middleware.go	Removed IP-based access control from Handle; deleted HasInvalidIP method. Middleware now retains timestamp validation and duplicate-request protection without IP gating.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Client
  participant Caddy
  participant Upstream as App/API

  rect rgba(230,245,255,0.6)
  note over Caddy: New route-level gating for /api/generate-signature/*
  Client->>Caddy: HTTP request /api/generate-signature/...
  alt IP in {127.0.0.1, ::1}
    Caddy-->>Upstream: Forward request
    Upstream-->>Caddy: Response
    Caddy-->>Client: 2xx/4xx/5xx
  else IP not allowed
    Caddy-->>Client: Abort (e.g., 403/close)
  end
  end

Loading

sequenceDiagram
  autonumber
  actor Client
  participant App as App/API
  participant MW as PublicMiddleware

  Client->>App: HTTP request /api/public-endpoint
  App->>MW: Invoke middleware
  note over MW: IP validation removed
  MW->>MW: Validate timestamp
  MW->>MW: Deduplicate via requestID TTL
  MW-->>App: Proceed
  App-->>Client: Response

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• Apply public middleware to signature route #91 — Adjusts access control for the signature-generation route by enforcing IP whitelist in middleware; related to this PR’s shift of IP gating into the Caddyfile.

Poem

A rabbit taps ports with careful delight,
Caddy stands guard, local-only at night.
Middleware sheds its IP-check coat,
Timestamps and IDs still keep us afloat.
Hop, hop—routes align, secure and bright. 🐇✨

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 65f946d and 559b7b7.

📒 Files selected for processing (2)

• caddy/Caddyfile.prod (1 hunks)
• pkg/middleware/public_middleware.go (0 hunks)

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch hotfix/internal-path

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}