feat: add RealIP, RequestID, and RequestSize middleware

2025-11-20 23:13:26 +05:30
parent dffcf6c203
commit 43da615326
3 changed files with 170 additions and 0 deletions
--- a/middleware/real_ip.go
+++ b/middleware/real_ip.go
@@ -0,0 +1,56 @@
 package middleware
 // Ported from Goji's middleware, source:
 // https://github.com/zenazn/goji/tree/master/web/middleware
 import (
 	"net"
 	"net/http"
 	"strings"
 )
 var trueClientIP = http.CanonicalHeaderKey("True-Client-IP")
 var xForwardedFor = http.CanonicalHeaderKey("X-Forwarded-For")
 var xRealIP = http.CanonicalHeaderKey("X-Real-IP")
 // RealIP is a middleware that sets a http.Request's RemoteAddr to the results
 // of parsing either the True-Client-IP, X-Real-IP or the X-Forwarded-For headers
 // (in that order).
 //
 // This middleware should be inserted fairly early in the middleware stack to
 // ensure that subsequent layers (e.g., request loggers) which examine the
 // RemoteAddr will see the intended value.
 //
 // You should only use this middleware if you can trust the headers passed to
 // you (in particular, the three headers this middleware uses), for example
 // because you have placed a reverse proxy like HAProxy or nginx in front of
 // chi. If your reverse proxies are configured to pass along arbitrary header
 // values from the client, or if you use this middleware without a reverse
 // proxy, malicious clients will be able to make you very sad (or, depending on
 // how you're using RemoteAddr, vulnerable to an attack of some sort).
 func RealIP(h http.Handler) http.Handler {
 	fn := func(w http.ResponseWriter, r *http.Request) {
 		if rip := realIP(r); rip != "" {
 			r.RemoteAddr = rip
 		}
 		h.ServeHTTP(w, r)
 	}
 	return http.HandlerFunc(fn)
 }
 func realIP(r *http.Request) string {
 	var ip string
 	if tcip := r.Header.Get(trueClientIP); tcip != "" {
 		ip = tcip
 	} else if xrip := r.Header.Get(xRealIP); xrip != "" {
 		ip = xrip
 	} else if xff := r.Header.Get(xForwardedFor); xff != "" {
 		ip, _, _ = strings.Cut(xff, ",")
 	}
 	if ip == "" || net.ParseIP(ip) == nil {
 		return ""
 	}
 	return ip
 }
--- a/middleware/request_id.go
+++ b/middleware/request_id.go
@@ -0,0 +1,96 @@
 package middleware
 // Ported from Goji's middleware, source:
 // https://github.com/zenazn/goji/tree/master/web/middleware
 import (
 	"context"
 	"crypto/rand"
 	"encoding/base64"
 	"fmt"
 	"net/http"
 	"os"
 	"strings"
 	"sync/atomic"
 )
 // Key to use when setting the request ID.
 type ctxKeyRequestID int
 // RequestIDKey is the key that holds the unique request ID in a request context.
 const RequestIDKey ctxKeyRequestID = 0
 // RequestIDHeader is the name of the HTTP Header which contains the request id.
 // Exported so that it can be changed by developers
 var RequestIDHeader = "X-Request-Id"
 var prefix string
 var reqid atomic.Uint64
 // A quick note on the statistics here: we're trying to calculate the chance that
 // two randomly generated base62 prefixes will collide. We use the formula from
 // http://en.wikipedia.org/wiki/Birthday_problem
 //
 // P[m, n] \approx 1 - e^{-m^2/2n}
 //
 // We ballpark an upper bound for $m$ by imagining (for whatever reason) a server
 // that restarts every second over 10 years, for $m = 86400 * 365 * 10 = 315360000$
 //
 // For a $k$ character base-62 identifier, we have $n(k) = 62^k$
 //
 // Plugging this in, we find $P[m, n(10)] \approx 5.75%$, which is good enough for
 // our purposes, and is surely more than anyone would ever need in practice -- a
 // process that is rebooted a handful of times a day for a hundred years has less
 // than a millionth of a percent chance of generating two colliding IDs.
 func init() {
 	hostname, err := os.Hostname()
 	if hostname == "" || err != nil {
 		hostname = "localhost"
 	}
 	var buf [12]byte
 	var b64 string
 	for len(b64) < 10 {
 		rand.Read(buf[:])
 		b64 = base64.StdEncoding.EncodeToString(buf[:])
 		b64 = strings.NewReplacer("+", "", "/", "").Replace(b64)
 	}
 	prefix = fmt.Sprintf("%s/%s", hostname, b64[0:10])
 }
 // RequestID is a middleware that injects a request ID into the context of each
 // request. A request ID is a string of the form "host.example.com/random-0001",
 // where "random" is a base62 random string that uniquely identifies this go
 // process, and where the last number is an atomically incremented request
 // counter.
 func RequestID(next http.Handler) http.Handler {
 	fn := func(w http.ResponseWriter, r *http.Request) {
 		ctx := r.Context()
 		requestID := r.Header.Get(RequestIDHeader)
 		if requestID == "" {
 			myid := reqid.Add(1)
 			requestID = fmt.Sprintf("%s-%06d", prefix, myid)
 		}
 		ctx = context.WithValue(ctx, RequestIDKey, requestID)
 		next.ServeHTTP(w, r.WithContext(ctx))
 	}
 	return http.HandlerFunc(fn)
 }
 // GetReqID returns a request ID from the given context if one is present.
 // Returns the empty string if a request ID cannot be found.
 func GetReqID(ctx context.Context) string {
 	if ctx == nil {
 		return ""
 	}
 	if reqID, ok := ctx.Value(RequestIDKey).(string); ok {
 		return reqID
 	}
 	return ""
 }
 // NextRequestID generates the next request ID in the sequence.
 func NextRequestID() uint64 {
 	return reqid.Add(1)
 }
--- a/middleware/request_size.go
+++ b/middleware/request_size.go
@@ -0,0 +1,18 @@
 package middleware
 import (
 	"net/http"
 )
 // RequestSize is a middleware that will limit request sizes to a specified
 // number of bytes. It uses MaxBytesReader to do so.
 func RequestSize(bytes int64) func(http.Handler) http.Handler {
 	f := func(h http.Handler) http.Handler {
 		fn := func(w http.ResponseWriter, r *http.Request) {
 			r.Body = http.MaxBytesReader(w, r.Body, bytes)
 			h.ServeHTTP(w, r)
 		}
 		return http.HandlerFunc(fn)
 	}
 	return f
 }