Documentation ¶
Overview ¶
Package garcon is a server for API and static website including middlewares to manage rate-limit, Cookies, JWT, CORS, OPA, web traffic, Prometheus export and PProf.
Index ¶
- Constants
- Variables
- func DefaultContactSettings() map[string][2]int
- func DefaultFileSettings() map[string][2]int
- func DevOrigins() []*url.URL
- func FingerprintMD(r *http.Request) string
- func InsertSchema(urls []string)
- func InvalidPath(w http.ResponseWriter, r *http.Request)
- func ListenAndServe(server *http.Server) error
- func LogVersion()
- func MiddlewareCORS(origins, methods, headers []string, debug bool) func(next http.Handler) http.Handler
- func MiddlewareLogDuration(next http.Handler) http.Handler
- func MiddlewareLogDurationSafe(next http.Handler) http.Handler
- func MiddlewareLogFingerprint(next http.Handler) http.Handler
- func MiddlewareLogFingerprintSafe(next http.Handler) http.Handler
- func MiddlewareLogRequest(next http.Handler) http.Handler
- func MiddlewareLogRequestSafe(next http.Handler) http.Handler
- func MiddlewareRejectUnprintableURI(next http.Handler) http.Handler
- func MiddlewareSecureHTTPHeader(secure bool) func(next http.Handler) http.Handler
- func MiddlewareServerHeader(version string) func(next http.Handler) http.Handler
- func NewAccessToken(maxTTL, user string, groups, orgs []string, hexKey string) string
- func NewCookie(tokenizer tokens.Tokenizer, name, plan, user string, secure bool, ...) http.Cookie
- func NotImplemented(w http.ResponseWriter, r *http.Request)
- func PrintVersion(program string)
- func ProbeCPU() interface{ ... }
- func ServeVersion() func(w http.ResponseWriter, r *http.Request)
- func Server(h http.Handler, port int, connState ...func(net.Conn, http.ConnState)) http.Server
- func SetCustomVersionFlag(fs *flag.FlagSet, flagName, program string)
- func SetVersionFlag()
- func StartMetricsServer(port int, namespace ServerName) (gg.Chain, func(net.Conn, http.ConnState))
- func StartPProfServer(port int)
- func StatusCodeStr(code int) string
- func Version(serverName string) string
- func WriteErr(w http.ResponseWriter, r *http.Request, statusCode int, kv ...any)
- func WriteOK(w http.ResponseWriter, kv ...any)
- type AdaptiveRate
- type Garcon
- func (g *Garcon) IncorruptibleChecker(secretKeyHex string, maxAge int, setIP bool) *incorruptible.Incorruptible
- func (g *Garcon) IncorruptibleCheckerBin(secretKeyBin []byte, maxAge int, setIP bool) *incorruptible.Incorruptible
- func (g Garcon) IsDevMode() bool
- func (g *Garcon) JWTChecker(secretKeyHex string, planPerm ...any) *JWTChecker
- func (g *Garcon) MiddlewareCORS() gg.Middleware
- func (g *Garcon) MiddlewareCORSWithMethodsHeaders(methods, headers []string) gg.Middleware
- func (g *Garcon) MiddlewareLogDuration(safe ...bool) gg.Middleware
- func (g *Garcon) MiddlewareLogRequest(settings ...string) gg.Middleware
- func (g *Garcon) MiddlewareRateLimiter(settings ...int) gg.Middleware
- func (Garcon) MiddlewareRejectUnprintableURI() gg.Middleware
- func (g *Garcon) MiddlewareServerHeader(serverName ...string) gg.Middleware
- func (g *Garcon) NewContactForm(redirectURL string) WebForm
- func (g *Garcon) NewStaticWebServer(dir string) StaticWebServer
- func (g *Garcon) StartMetricsServer(expPort int) (gg.Chain, func(net.Conn, http.ConnState))
- type JWTChecker
- func (ck *JWTChecker) Chk(next http.Handler) http.Handler
- func (ck *JWTChecker) Cookie(i int) *http.Cookie
- func (ck *JWTChecker) PermFromBearerOrCookie(r *http.Request) (Perm, []any)
- func (ck *JWTChecker) PermFromCookie(r *http.Request) (Perm, []any)
- func (ck *JWTChecker) PermFromJWT(JWT string) (Perm, []any)
- func (ck *JWTChecker) Set(next http.Handler) http.Handler
- func (ck *JWTChecker) Vet(next http.Handler) http.Handler
- type Muter
- type Option
- type Perm
- type ReqLimiter
- type ServerName
- type StaticWebServer
- func (ws *StaticWebServer) ServeAssets() func(w http.ResponseWriter, r *http.Request)
- func (ws *StaticWebServer) ServeDir(contentType string) func(w http.ResponseWriter, r *http.Request)
- func (ws *StaticWebServer) ServeFile(urlPath, contentType string) func(w http.ResponseWriter, r *http.Request)
- func (ws *StaticWebServer) ServeImages() func(w http.ResponseWriter, r *http.Request)
- type TokenChecker
- type WebForm
- type Writer
- func (gw Writer) InvalidPath(w http.ResponseWriter, r *http.Request)
- func (gw Writer) NotImplemented(w http.ResponseWriter, r *http.Request)
- func (gw Writer) TraversalPath(w http.ResponseWriter, r *http.Request) bool
- func (gw Writer) WriteErr(w http.ResponseWriter, r *http.Request, statusCode int, kv ...any)
- func (gw Writer) WriteOK(w http.ResponseWriter, kv ...any)
Constants ¶
const ( // DefaultPlan is the plan name in absence of "permissions" parametric parameters. DefaultPlan = "VIP" // DefaultPerm is the perm value in absence of "permissions" parametric parameters. DefaultPerm = 1 )
const FingerprintExplanation = `` /* 683-byte string literal not displayed */
FingerprintExplanation provides a description of the logged HTTP headers.
Variables ¶
var ( ErrExpiredToken = errors.New("expired or invalid access token") ErrJWTSignature = errors.New("JWT signature mismatch") ErrNoAuthorization = errors.New("provide your JWT within the 'Authorization Bearer' HTTP header") ErrNoBase64JWT = errors.New("the token claims (second part of the JWT) is not base64-valid") ErrNoBearer = errors.New("malformed HTTP Authorization, must be Bearer") ErrNoValidJWT = errors.New("cannot find a valid JWT in either the cookie or the first 'Authorization' HTTP header") )
var V string
V is set at build time using the `-ldflags` build flag:
v="$(git describe --tags --always --broken)" go build -ldflags="-X 'github.com/teal-finance/garcon.V=$v'" ./cmd/main/package
The following commands provide a semver-like version format such as "v1.2.0-my-branch+3" where "+3" is the number of commits since "v1.2.0". If no tag in the Git repo, $t is the long SHA1 of the last commit.
t="$(git describe --tags --abbrev=0 --always)" b="$(git branch --show-current)" [ _$b = _main ] && b="" || b="-$b" n="$(git rev-list --count "$t"..)" [ "$n" -eq 0 ] && n="" || n="+$n" go build -ldflags="-X 'github.com/teal-finance/garcon.V=$t$b$n'" ./cmd/main/package
Functions ¶
func DefaultContactSettings ¶ added in v0.16.0
DefaultContactSettings is compliant with standard names for web form input fields: https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#inappropriate-for-the-control
func DefaultFileSettings ¶ added in v0.16.0
DefaultFileSettings sets FileLimits with only "file".
func DevOrigins ¶ added in v0.4.3
DevOrigins provides the development origins: - yarn run vite --port 3000 - yarn run vite preview --port 5000 - localhost:8085 on multi devices: web auto-reload using https://github.com/synw/fwr - flutter run --web-port=8080 - 192.168.1.x + any port on tablet: mobile app using fast builtin auto-reload.
func FingerprintMD ¶ added in v0.17.0
FingerprintMD provide the browser fingerprint in markdown format. Attention: read the .
func InsertSchema ¶ added in v0.17.0
func InsertSchema(urls []string)
InsertSchema inserts "http://" when HTTP schema is missing.
func InvalidPath ¶ added in v0.17.0
func InvalidPath(w http.ResponseWriter, r *http.Request)
func ListenAndServe ¶ added in v0.23.0
ListenAndServe runs the HTTP server(s) in foreground. Optionally it also starts a metrics server in background (if export port > 0). The metrics server is for use with Prometheus or another compatible monitoring tool.
func LogVersion ¶ added in v0.20.0
func LogVersion()
LogVersion logs the version and (Git) commit information.
func MiddlewareCORS ¶ added in v0.23.0
func MiddlewareCORS(origins, methods, headers []string, debug bool) func(next http.Handler) http.Handler
MiddlewareCORS uses restrictive CORS values.
func MiddlewareLogDuration ¶ added in v0.23.0
MiddlewareLogDuration logs the requested URL along with the time to handle it.
func MiddlewareLogDurationSafe ¶ added in v0.23.0
MiddlewareLogDurationSafe is similar to MiddlewareLogDurations but also sanitizes the URL.
func MiddlewareLogFingerprint ¶ added in v0.23.0
MiddlewareLogFingerprint is the middleware to log incoming HTTP request and browser fingerprint.
func MiddlewareLogFingerprintSafe ¶ added in v0.23.0
MiddlewareLogFingerprintSafe is similar to MiddlewareLogFingerprints but sanitize the URL.
func MiddlewareLogRequest ¶ added in v0.23.0
MiddlewareLogRequest is the middleware to log the requester IP and the requested URL.
func MiddlewareLogRequestSafe ¶ added in v0.23.0
MiddlewareLogRequestSafe is similar to LogRequest but sanitize the URL.
func MiddlewareRejectUnprintableURI ¶ added in v0.23.0
MiddlewareRejectUnprintableURI is a middleware rejecting HTTP requests having a Carriage Return "\r" or a Line Feed "\n" within the URI to prevent log injection.
func MiddlewareSecureHTTPHeader ¶ added in v0.23.0
MiddlewareSecureHTTPHeader is a middleware adding recommended HTTP response headers to secure the web application.
func MiddlewareServerHeader ¶ added in v0.23.0
MiddlewareServerHeader is the middleware setting the Server HTTP header in the response.
func NewAccessToken ¶ added in v0.26.0
func NotImplemented ¶ added in v0.17.0
func NotImplemented(w http.ResponseWriter, r *http.Request)
func PrintVersion ¶ added in v0.17.0
func PrintVersion(program string)
PrintVersion prints the version and exits. The version may also contain the (Git) commit information.
func ProbeCPU ¶ added in v0.17.0
func ProbeCPU() interface{ Stop() }
ProbeCPU is used like the following:
defer pprof.ProbeCPU.Stop()
When the caller reaches its function end, the defer executes Stop() that writes the file "cpu.pprof". To visualize "cpu.pprof" use the pprof tool:
cd ~/go go get -u github.com/google/pprof cd - pprof -http=: cpu.pprof
or using one single command line:
go run github.com/google/pprof@latest -http=: cpu.pprof
func ServeVersion ¶ added in v0.22.0
func ServeVersion() func(w http.ResponseWriter, r *http.Request)
ServeVersion send HTML or JSON depending on Accept header.
func Server ¶ added in v0.23.0
Server returns a default http.Server ready to handle API endpoints, static web pages...
func SetCustomVersionFlag ¶ added in v0.20.0
SetCustomVersionFlag register PrintVersion() for the version flag.
Example with default values:
import "github.com/teal-finance/garcon" func main() { garcon.SetCustomVersionFlag(nil, "", "") flag.Parse() }
Example with custom values values:
import "github.com/teal-finance/garcon" func main() { garcon.SetCustomVersionFlag(nil, "v", "MyApp") flag.Parse() }
func SetVersionFlag ¶ added in v0.17.0
func SetVersionFlag()
SetVersionFlag defines -version flag to print the version stored in V. See SetCustomVersionFlag for a more flexibility.
func StartMetricsServer ¶ added in v0.17.0
StartMetricsServer creates and starts the Prometheus export server.
func StartPProfServer ¶ added in v0.17.0
func StartPProfServer(port int)
StartPProfServer starts a PProf server in background. Endpoints usage example:
curl http://localhost:6063/debug/pprof/allocs > allocs.pprof pprof -http=: allocs.pprof wget http://localhost:31415/debug/pprof/goroutine pprof -http=: goroutine wget http://localhost:31415/debug/pprof/heap pprof -http=: heap wget http://localhost:31415/debug/pprof/trace pprof -http=: trace
func StatusCodeStr ¶ added in v0.28.0
func Version ¶ added in v0.17.0
Version format is "Program-1.2.3". If the program argument is empty, the format is "v1.2.3". If V is empty, Version uses the main module version.
func WriteOK ¶ added in v0.21.0
func WriteOK(w http.ResponseWriter, kv ...any)
Types ¶
type AdaptiveRate ¶ added in v0.24.0
AdaptiveRate continuously adjusts the timing between requests to prevent the API responds "429 Too Many Requests". AdaptiveRate increases/decreases the rate depending on absence/presence of the 429 status code.
func NewAdaptiveRate ¶ added in v0.24.0
func NewAdaptiveRate(name string, d time.Duration) AdaptiveRate
func (*AdaptiveRate) Get ¶ added in v0.24.0
func (ar *AdaptiveRate) Get(symbol, url string, msg any, maxBytes ...int) error
func (*AdaptiveRate) LogStats ¶ added in v0.24.0
func (ar *AdaptiveRate) LogStats()
type Garcon ¶
type Garcon struct { ServerName ServerName Writer Writer // contains filtered or unexported fields }
func (*Garcon) IncorruptibleChecker ¶ added in v0.23.0
func (g *Garcon) IncorruptibleChecker(secretKeyHex string, maxAge int, setIP bool) *incorruptible.Incorruptible
IncorruptibleChecker uses cookies based the fast and tiny Incorruptible token. IncorruptibleChecker requires g.WithURLs() to set the Cookie secure, domain and path.
func (*Garcon) IncorruptibleCheckerBin ¶ added in v0.27.0
func (g *Garcon) IncorruptibleCheckerBin(secretKeyBin []byte, maxAge int, setIP bool) *incorruptible.Incorruptible
IncorruptibleChecker uses cookies based the fast and tiny Incorruptible token. IncorruptibleChecker requires g.WithURLs() to set the Cookie secure, domain and path.
func (*Garcon) JWTChecker ¶ added in v0.6.0
func (g *Garcon) JWTChecker(secretKeyHex string, planPerm ...any) *JWTChecker
JWTChecker requires WithURLs() to set the Cookie name, secure, domain and path.
func (*Garcon) MiddlewareCORS ¶ added in v0.23.0
func (g *Garcon) MiddlewareCORS() gg.Middleware
MiddlewareCORS is a middleware to handle Cross-Origin Resource Sharing (CORS).
func (*Garcon) MiddlewareCORSWithMethodsHeaders ¶ added in v0.23.3
func (g *Garcon) MiddlewareCORSWithMethodsHeaders(methods, headers []string) gg.Middleware
MiddlewareCORSWithMethodsHeaders is a middleware to handle Cross-Origin Resource Sharing (CORS).
func (*Garcon) MiddlewareLogDuration ¶ added in v0.23.0
func (g *Garcon) MiddlewareLogDuration(safe ...bool) gg.Middleware
MiddlewareLogDuration logs the requested URL along with its handling time. When the optional parameter safe is true, this middleware sanitizes the URL before printing it.
func (*Garcon) MiddlewareLogRequest ¶ added in v0.23.0
func (g *Garcon) MiddlewareLogRequest(settings ...string) gg.Middleware
MiddlewareLogRequest logs the incoming request URL. If one of its optional parameter is "fingerprint", this middleware also logs the browser fingerprint. If the other optional parameter is "safe", this middleware sanitizes the URL before printing it.
func (*Garcon) MiddlewareRateLimiter ¶ added in v0.23.0
func (g *Garcon) MiddlewareRateLimiter(settings ...int) gg.Middleware
func (Garcon) MiddlewareRejectUnprintableURI ¶ added in v0.23.0
func (Garcon) MiddlewareRejectUnprintableURI() gg.Middleware
MiddlewareRejectUnprintableURI is a middleware rejecting HTTP requests having a Carriage Return "\r" or a Line Feed "\n" within the URI to prevent log injection.
func (*Garcon) MiddlewareServerHeader ¶ added in v0.23.0
func (g *Garcon) MiddlewareServerHeader(serverName ...string) gg.Middleware
func (*Garcon) NewContactForm ¶ added in v0.22.0
func (*Garcon) NewStaticWebServer ¶ added in v0.23.0
func (g *Garcon) NewStaticWebServer(dir string) StaticWebServer
NewStaticWebServer creates a StaticWebServer.
type JWTChecker ¶ added in v0.20.0
type JWTChecker struct {
// contains filtered or unexported fields
}
func NewJWTChecker ¶ added in v0.20.0
func (*JWTChecker) Chk ¶ added in v0.20.0
func (ck *JWTChecker) Chk(next http.Handler) http.Handler
Chk is a middleware to accept only HTTP requests having a valid cookie. Then, Chk puts the permission (of the JWT) in the request context.
func (*JWTChecker) Cookie ¶ added in v0.20.0
func (ck *JWTChecker) Cookie(i int) *http.Cookie
Cookie returns a default cookie to facilitate testing.
func (*JWTChecker) PermFromBearerOrCookie ¶ added in v0.20.0
func (ck *JWTChecker) PermFromBearerOrCookie(r *http.Request) (Perm, []any)
func (*JWTChecker) PermFromCookie ¶ added in v0.20.0
func (ck *JWTChecker) PermFromCookie(r *http.Request) (Perm, []any)
func (*JWTChecker) PermFromJWT ¶ added in v0.20.0
func (ck *JWTChecker) PermFromJWT(JWT string) (Perm, []any)
func (*JWTChecker) Set ¶ added in v0.20.0
func (ck *JWTChecker) Set(next http.Handler) http.Handler
Set is a middleware putting a HttpOnly cookie in the HTTP response header when no valid cookie is present. The new cookie conveys the JWT of the first plan. Set also puts the permission from the JWT in the request context.
func (*JWTChecker) Vet ¶ added in v0.20.0
func (ck *JWTChecker) Vet(next http.Handler) http.Handler
Vet is a middleware to accept only the HTTP request having a valid JWT. The JWT can be either in the cookie or in the first "Authorization" header. Then, Vet puts the permission (of the JWT) in the request context.
type Muter ¶ added in v0.21.0
type Muter struct { // Threshold is the level enabling the muted state. Threshold int // NoAlertDuration allows to consider the verbosity is back to normal. NoAlertDuration time.Duration // RemindMuteState allows to remind the state is still muted. // Set value 100 to send this reminder every 100 increments. // Set to zero to disable this feature, RemindMuteState int // contains filtered or unexported fields }
Muter can be used to limit the logger/alerting verbosity. Muter detects when its internal counter is over the Threshold and waits the counter goes back to zero or after NoAlertDuration to return to normal situation. Muter uses the Hysteresis principle: https://wikiless.org/wiki/Hysteresis Similar wording: quieter, stopper, limiter, reducer, inhibitor, mouth-closer.
type Option ¶ added in v0.6.0
type Option func(*Garcon)
func WithDocURL ¶ added in v0.6.0
func WithServerName ¶ added in v0.23.0
type Perm ¶ added in v0.17.0
type Perm struct {
Value int
}
func PermFromCtx ¶ added in v0.20.0
PermFromCtx gets the permission information from the request context.
type ReqLimiter ¶ added in v0.17.0
type ReqLimiter struct {
// contains filtered or unexported fields
}
func NewRateLimiter ¶ added in v0.23.0
func NewRateLimiter(gw Writer, maxReqBurst, maxReqPerMinute int, devMode bool) ReqLimiter
func (*ReqLimiter) MiddlewareRateLimiter ¶ added in v0.23.0
func (rl *ReqLimiter) MiddlewareRateLimiter(next http.Handler) http.Handler
type ServerName ¶ added in v0.23.0
type ServerName string
ServerName is used in multiple parts in Garcon: - the HTTP Server header, - the Prometheus namespace.
func ExtractName ¶ added in v0.23.0
func ExtractName(str string) ServerName
ExtractName extracts the wider "[a-zA-Z0-9_]+" string from the end of str. If str is a path or an URL, keep the last basename. Example: keep "myapp" from "https://example.com/path/myapp/" ExtractName also removes all punctuation characters except "_".
func (ServerName) MiddlewareExportTrafficMetrics ¶ added in v0.23.0
func (ns ServerName) MiddlewareExportTrafficMetrics(next http.Handler) http.Handler
MiddlewareExportTrafficMetrics measures the time to handle a request.
func (*ServerName) SetPromNamingRule ¶ added in v0.23.0
func (ns *ServerName) SetPromNamingRule()
SetPromNamingRule verifies Prom naming rules for namespace and fixes it if necessary. valid namespace = [a-zA-Z][a-zA-Z0-9_]* https://prometheus.io/docs/concepts/data_model/#metric-names-and-labels
func (ServerName) String ¶ added in v0.23.0
func (ns ServerName) String() string
type StaticWebServer ¶ added in v0.16.0
StaticWebServer is a webserver serving static files among HTML, CSS, JS and popular image formats.
func NewStaticWebServer ¶ added in v0.16.0
func NewStaticWebServer(gw Writer, dir string) StaticWebServer
NewStaticWebServer creates a StaticWebServer.
func (*StaticWebServer) ServeAssets ¶ added in v0.16.0
func (ws *StaticWebServer) ServeAssets() func(w http.ResponseWriter, r *http.Request)
ServeAssets detects the Content-Type depending on the asset extension.
func (*StaticWebServer) ServeDir ¶ added in v0.16.0
func (ws *StaticWebServer) ServeDir(contentType string) func(w http.ResponseWriter, r *http.Request)
ServeDir handles the static files using the same Content-Type.
func (*StaticWebServer) ServeFile ¶ added in v0.16.0
func (ws *StaticWebServer) ServeFile(urlPath, contentType string) func(w http.ResponseWriter, r *http.Request)
ServeFile handles one specific file (and its specific Content-Type).
func (*StaticWebServer) ServeImages ¶ added in v0.16.0
func (ws *StaticWebServer) ServeImages() func(w http.ResponseWriter, r *http.Request)
ServeImages detects the Content-Type depending on the image extension.
type TokenChecker ¶ added in v0.13.0
type TokenChecker interface { // Set is a middleware setting a cookie in the response when the request has no valid token. // Set searches the token in a cookie and in the first "Authorization" header. // Finally, Set stores the decoded token fields within the request context. Set(next http.Handler) http.Handler // Chk is a middleware accepting requests only if it has a valid cookie: // other requests are rejected with http.StatusUnauthorized. // Chk does not verify the "Authorization" header. // See also the Vet() function if the token should also be verified in the "Authorization" header. // Finally, Chk stores the decoded token fields within the request context. // In dev. mode, Chk accepts any request but does not store invalid tokens. Chk(next http.Handler) http.Handler // Vet is a middleware accepting accepting requests having a valid token // either in the cookie or in the first "Authorization" header: // other requests are rejected with http.StatusUnauthorized. // Vet also stores the decoded token in the request context. // In dev. mode, Vet accepts any request but does not store invalid tokens. Vet(next http.Handler) http.Handler // Cookie returns a default cookie to facilitate testing. Cookie(i int) *http.Cookie }
TokenChecker is the common interface to Incorruptible and JWTChecker.
type WebForm ¶ added in v0.16.0
type WebForm struct { Writer Writer Notifier gg.Notifier Redirect string // TextLimits are used as security limits // to avoid being flooded by large web forms // and unexpected field names. // The map key is the input field name. // The map value is a pair of integers: // the max length and the max line breaks. // Zero (or negative) value for unlimited value size. TextLimits map[string][2]int // FileLimits is similar to TextLimits // but for uploaded files. // The map value is a pair of integers: // the max size in runes of one file // and the max occurrences having same field name. // Zero (or negative) value for unlimited file size. FileLimits map[string][2]int // MaxBodyBytes limits someone hogging the host resources. // Zero (or negative) value disables this security check. MaxBodyBytes int64 // MaxMDBytes includes the form fields and browser fingerprints. // Zero (or negative) value disables this security check. MaxMDBytes int // contains filtered or unexported fields }
func NewContactForm ¶ added in v0.16.0
NewContactForm initializes a new WebForm with the default contact-form settings.
type Writer ¶ added in v0.21.0
type Writer string
Writer enables writing useful JSON error message in the HTTP response body.
func (Writer) InvalidPath ¶ added in v0.21.0
func (gw Writer) InvalidPath(w http.ResponseWriter, r *http.Request)
func (Writer) NotImplemented ¶ added in v0.21.0
func (gw Writer) NotImplemented(w http.ResponseWriter, r *http.Request)
func (Writer) TraversalPath ¶ added in v0.30.0
TraversalPath returns true when path contains ".." to prevent path traversal attack.