Runa

HTTP Middleware Overview

Add logs, recovery, rate limits, authentication, security headers, and other cross-cutting HTTP behavior

Middleware is where you put cross-cutting HTTP behavior: panic recovery, request IDs, real IP parsing, access logs, CORS, CSRF, body size limits, timeouts, static files, sessions, auth, rate limits, and audit records.

Runa middleware is route.Middleware, which is func(route.Handler) route.Handler. It belongs to the HTTP route transport. It is not part of the micro-kernel and it is not a Provider. As an application developer, focus on three things: install the package you need, mount it at the right level, and install any required capability Provider first.

Install

Install route when you only need the middleware mechanism:

go get github.com/duxweb/runa/route

Install official built-in middleware when needed:

go get github.com/duxweb/runa/middleware

Language negotiation middleware is a separate module:

go get github.com/duxweb/runa/middleware/lang

Install the production preset when you want the standard security chain:

go get github.com/duxweb/runa/security

Business middleware is installed per capability:

go get github.com/duxweb/runa/session github.com/duxweb/runa/auth github.com/duxweb/runa/rate github.com/duxweb/runa/audit

Minimal example

package main

import (
    "context"

    "github.com/duxweb/runa"
    "github.com/duxweb/runa/route"
    "github.com/duxweb/runa/security"
)

func main() {
    app := runa.New()
    app.Install(route.Provider(route.Addr(":8080")))

    route.Default().Use(security.New(security.Production()))
    route.Default().Get("/", func(ctx *route.Context) error {
        return ctx.Text("ok")
    })

    if err := app.Run(context.Background()); err != nil {
        panic(err)
    }
}

Where to mount middleware

Global middleware:

route.Default().Use(mw)

Group middleware:

api := route.Default().Group("/api")
api.Use(mw)

Single-route middleware:

route.Default().Get("/profile", profile).Use(mw)

Execution order

Middleware enters in registration order and exits in reverse order:

route.Default().Use(A(), B(), C())
A before -> B before -> C before -> handler -> C after -> B after -> A after

A practical order is recover, request id, real ip, logger, body limit, timeout, helmet or CORS, then business middleware such as session, auth, rate, and audit.
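The ordering rule above decides which layers get to see a rejected request. The following is an added example, not Runa's code: Context, Chain, Logger and Auth are hypothetical stand-ins that only mirror the func(Handler) Handler shape, and the requests are constructed. It shows that a logger mounted outside auth records the denial, while a logger mounted inside auth never runs for it.

```go
package main

import "fmt"

// Stand-ins mirroring the func(Handler) Handler shape; not Runa's route package.
type Context struct {
	User  string   // empty means unauthenticated (constructed field)
	Trace []string // what each layer observed, in order
}
type Handler func(*Context) error
type Middleware func(Handler) Handler

// Chain wraps h so the first middleware listed is the outermost layer.
func Chain(h Handler, mws ...Middleware) Handler {
	for i := len(mws) - 1; i >= 0; i-- {
		h = mws[i](h)
	}
	return h
}

// Logger runs on the way in and out, so it sees errors from inner layers.
func Logger(next Handler) Handler {
	return func(c *Context) error {
		c.Trace = append(c.Trace, "logger before")
		err := next(c)
		c.Trace = append(c.Trace, fmt.Sprintf("logger after err=%v", err))
		return err
	}
}

// Auth short-circuits: nothing inside it runs for an unauthenticated request.
func Auth(next Handler) Handler {
	return func(c *Context) error {
		if c.User == "" {
			return fmt.Errorf("unauthorized")
		}
		return next(c)
	}
}

func main() {
	// Same anonymous request, two mount orders: logger outside auth, then inside.
	for _, mws := range [][]Middleware{{Logger, Auth}, {Auth, Logger}} {
		c := &Context{} // anonymous request (constructed)
		err := Chain(func(*Context) error { return nil }, mws...)(c)
		fmt.Println(err, c.Trace)
	}
}
```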

Page index

| Page | What it solves |
| --- | --- |
| Recover | Convert panic to route errors |
| Request ID | Attach a traceable request ID |
| Real IP | Read client IP from trusted proxies |
| Logger | Write HTTP access logs |
| CORS | Handle browser cross-origin requests |
| CSRF | Protect browser forms and cookie-authenticated endpoints |
| Body Limit | Limit request body size |
| Timeout | Bound normal HTTP request duration |
| Helmet | Write common security headers |
| Healthcheck | Return a simple health response |
| Static | Serve static files |
| Security | Use the production middleware preset |
| Session | Load and save sessions |
| Auth | Enforce authentication and permissions |
| Rate Limit | Protect routes with named limiters |
| Audit | Record business operation audits |
| Lang | Negotiate request language from query, cookie, and Accept-Language |