Aleksey Shakhmatov
b5259af73e
BearerAuth, BasicAuth and DefaultHeaders mutated the caller's request, which violates the RoundTripper contract and risks races on shared/retried requests; clone before writing headers (matching RequestID). Validate the incoming X-Request-Id (length and character set) before propagating it to logs and the response header, preventing log forging and header splitting from a client-controlled value.
38 lines
1.2 KiB
Go
38 lines
1.2 KiB
Go
package middleware
|
|
|
|
import (
|
|
"context"
|
|
"net/http"
|
|
)
|
|
|
|
// BearerAuth returns a middleware that sets the Authorization header to a
|
|
// Bearer token obtained by calling tokenFunc on each request. If tokenFunc
|
|
// returns an error, the request is not sent and the error is returned.
|
|
func BearerAuth(tokenFunc func(ctx context.Context) (string, error)) Middleware {
|
|
return func(next http.RoundTripper) http.RoundTripper {
|
|
return RoundTripperFunc(func(req *http.Request) (*http.Response, error) {
|
|
token, err := tokenFunc(req.Context())
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
// RoundTrippers must not mutate the caller's request; clone before
|
|
// setting headers (req.Clone is shallow + a header copy).
|
|
req = req.Clone(req.Context())
|
|
req.Header.Set("Authorization", "Bearer "+token)
|
|
return next.RoundTrip(req)
|
|
})
|
|
}
|
|
}
|
|
|
|
// BasicAuth returns a middleware that sets HTTP Basic Authentication
|
|
// credentials on every outgoing request.
|
|
func BasicAuth(username, password string) Middleware {
|
|
return func(next http.RoundTripper) http.RoundTripper {
|
|
return RoundTripperFunc(func(req *http.Request) (*http.Response, error) {
|
|
req = req.Clone(req.Context())
|
|
req.SetBasicAuth(username, password)
|
|
return next.RoundTrip(req)
|
|
})
|
|
}
|
|
}
|