Documentation
Index
- Constants
- Variables
- func DeviceRateLimit(mutPerMin, mutBurst, readPerMin, readBurst int) gin.HandlerFunc
- func DeviceTPMAuth(deviceStore *store.DeviceStore, nonceStore *NonceStore, verifier tpm.Verifier, ...) gin.HandlerFunc
- func NexusAuth(cfg *config.Config, clientCAs *x509.CertPool, logger *slog.Logger) gin.HandlerFunc
- func RateLimit(globalRPS, globalBurst, perIPRPS, perIPBurst int) gin.HandlerFunc
- func RequestIDMiddleware() gin.HandlerFunc
- type NonceStore
Constants
const (
	ContextKeyDeviceID  = "device_id"
	ContextKeyDevice    = "device"
	ContextKeyRequestID = "request_id"
)
Context keys for values stored in the Gin context.
Variables
var (
	ErrNonceNotFound = errors.New("nonce not found or expired")
	ErrNonceCapacity = errors.New("nonce store at capacity")
)
Functions
func DeviceRateLimit added in v0.1.1
func DeviceRateLimit(mutPerMin, mutBurst, readPerMin, readBurst int) gin.HandlerFunc
DeviceRateLimit implements per-device rate limiting with separate limits for mutations (POST, DELETE) and reads (GET, PATCH, etc.). PATCH is intentionally classified as a read: it is idempotent and infrequent (hostname changes).
func DeviceTPMAuth
func DeviceTPMAuth(deviceStore *store.DeviceStore, nonceStore *NonceStore, verifier tpm.Verifier, lastSeenBatcher *store.LastSeenBatcher, logger *slog.Logger) gin.HandlerFunc
DeviceTPMAuth validates per-request TPM attestation. If lastSeenBatcher is non-nil, last-seen updates are batched instead of fire-and-forget.
func RateLimit
func RateLimit(globalRPS, globalBurst, perIPRPS, perIPBurst int) gin.HandlerFunc
RateLimit implements global + per-IP token bucket rate limiting.
func RequestIDMiddleware
func RequestIDMiddleware() gin.HandlerFunc
RequestIDMiddleware adds a unique request ID to each request.
Types
type NonceStore
type NonceStore struct {
// contains filtered or unexported fields
}
NonceStore is a sharded in-memory store for one-time-use nonces. Sharding eliminates the single-mutex bottleneck at high concurrency.
func NewNonceStore
NewNonceStore creates a sharded nonce store with the given capacity and TTL.
func (*NonceStore) CleanupLoop
func (s *NonceStore) CleanupLoop(ctx context.Context)
CleanupLoop removes expired nonces periodically.
func (*NonceStore) Consume
func (s *NonceStore) Consume(nonce string) error
Consume validates and removes a nonce (one-time use).
func (*NonceStore) Count added in v0.1.6
func (s *NonceStore) Count() int64
Count returns the current number of nonces in the store.
func (*NonceStore) Generate
func (s *NonceStore) Generate() (string, time.Time, error)
Generate creates a new nonce and returns it as a base64-encoded string.
func (*NonceStore) MaxNonces added in v0.1.6
func (s *NonceStore) MaxNonces() int
MaxNonces returns the configured capacity limit.
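The NonceStore methods above, as an added example that is not this package's code: a minimal sharded one-time-nonce store with the same Generate/Consume semantics (nonce hashed to one of several independently locked maps, base64 nonce text returned with its expiry, replayed and expired nonces rejected). The shard count of 16, the seeded hash/maphash shard selection, URL-safe raw base64 and the omission of the capacity bound and CleanupLoop are assumptions of this example, not documented behaviour.

```go
package main
import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"hash/maphash"
	"sync"
	"time"
)

var ErrNonceNotFound = errors.New("nonce not found or expired")
const numShards = 16 // assumed; the package does not document its shard count

// NonceStore hashes each nonce to one of numShards independently locked maps, so requests carrying unrelated nonces never wait on one mutex.
type NonceStore struct {
	shards [numShards]struct{ mu sync.Mutex; m map[string]time.Time } // m: nonce -> expiry
	seed   maphash.Seed // random per process, so a client cannot craft nonces that all land in one shard
	ttl    time.Duration
}
func NewNonceStore(ttl time.Duration) *NonceStore {
	s := &NonceStore{seed: maphash.MakeSeed(), ttl: ttl}
	for i := range s.shards {
		s.shards[i].m = map[string]time.Time{}
	}
	return s
}
// Generate mints 256 random bits and returns them base64-encoded together with their expiry.
func (s *NonceStore) Generate() (string, time.Time, error) {
	buf := make([]byte, 32)
	rand.Read(buf) // crypto/rand.Read never returns an error as of Go 1.24
	nonce, exp := base64.RawURLEncoding.EncodeToString(buf), time.Now().Add(s.ttl)
	sh := &s.shards[maphash.String(s.seed, nonce)%numShards]
	sh.mu.Lock()
	sh.m[nonce] = exp
	sh.mu.Unlock()
	return nonce, exp, nil
}
// Consume looks up and deletes under one lock: a replay fails on the second use, and an expired nonce is rejected even before a cleanup pass removes it.
func (s *NonceStore) Consume(nonce string) error {
	sh := &s.shards[maphash.String(s.seed, nonce)%numShards]
	sh.mu.Lock()
	defer sh.mu.Unlock()
	exp, ok := sh.m[nonce]
	delete(sh.m, nonce) // no-op when the nonce was never issued
	if !ok || time.Now().After(exp) {
		return ErrNonceNotFound
	}
	return nil
}
```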