Merged
25 changes: 25 additions & 0 deletions docs/middleware/public_middleware.md
@@ -0,0 +1,25 @@
# Public middleware

The `PublicMiddleware` protects openly accessible endpoints with
lightweight in-memory defenses. It is defined in
`pkg/middleware/public_middleware.go` and provides:

- **Rate limiting** – `limiter.MemoryLimiter` caps requests per client
IP within a sliding window.
- **Timestamp validation** – `ValidTimestamp` ensures the
`X-API-Timestamp` header is within an allowed skew (5 minutes by
default).
- **Replay protection** – a `cache.TTLCache` tracks used request IDs and
rejects duplicates using a composite key of
`limiterKey|requestID|ip` (rate limiter key, request ID and client IP).
- **Dependency checks** – missing caches or limiters are logged and cause
a generic 500 Internal Server Error.

### Required headers

- `X-Request-ID`
- `X-API-Timestamp`

Requests lacking these headers, using an unparsable client IP, or failing
validation are rejected with an authentication error. Valid requests pass
through to the next handler.
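Review bot: the closing paragraph (lines "Requests lacking these headers ... rejected with an authentication error") leaves out the status codes, and it lumps a rate-limit rejection in with the header and timestamp failures; please state the code for each outcome (the token middleware doc in this same PR gives "401" with its message text, so match that level of detail) and say separately what a client sees when `limiter.MemoryLimiter` refuses a request. Two further gaps a reader of this page will hit: the replay key `limiterKey|requestID|ip` includes the client IP, so a replayed request from a different source address is not caught as a duplicate, and that should be stated as intended scope rather than left for the reader to infer; and the `cache.TTLCache` entry lifetime must cover the `ValidTimestamp` skew window (5 minutes by default), otherwise a request whose ID has already been evicted but whose timestamp is still inside the window would be accepted a second time. A sentence such as "replay entries are retained for at least the allowed timestamp skew" would close that.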
312 changes: 0 additions & 312 deletions docs/middleware/token_analysis_v1.md

This file was deleted.

@@ -1,7 +1,8 @@
# Token middleware analysis (v2)
# Token middleware

Date: 2025-08-11
Scope: pkg/middleware/token_middleware.go and related helpers (valid_timestamp.go, pkg/portal/support.go)
This document describes the TokenCheckMiddleware found in
`pkg/middleware/token_middleware.go` and its supporting helpers such as
`valid_timestamp.go` and `pkg/portal/support.go`.

---

@@ -24,7 +25,10 @@ Main steps:
- X-API-Nonce (unique per request)

2) Dependency guard
- Ensures ApiKeys repo, TokenHandler, nonce cache, and rate limiter exist. If missing, fails with 401.
- Ensures ApiKeys repo, TokenHandler, nonce cache, and rate limiter
exist. If any dependency is missing the middleware now logs the
configuration error and returns a generic 500 Internal Server
Error.

3) Header validation
- Rejects if any required header is missing (401: "Invalid authentication headers").
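Review bot: "the middleware now logs the configuration error" is changelog wording in what is otherwise a reference description of current behaviour; drop "now" and write "logs the configuration error and returns a generic 500 Internal Server Error" so the sentence stays correct after the next change. The move from 401 to 500 for a missing ApiKeys repo, TokenHandler, nonce cache or rate limiter is the right call (a deployment defect is not a client authentication failure) and it matches the dependency-check wording in docs/middleware/public_middleware.md added in this PR; it is worth one sentence here noting that the 500 body stays generic and the detail goes only to the log, since the surrounding step 3 text still documents 401 "Invalid authentication headers" for client-side faults and a reader will want the distinction stated explicitly.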