| 32 | |
| 33 | // NewRouter creates new gin router |
| 34 | func (s *server) NewRouter() *gin.Engine { |
| 35 | router := gin.New() |
| 36 | // Restrict the set of proxies whose forwarded headers are honoured. |
| 37 | // When TrustedProxies is empty/nil, gin trusts NO proxies and falls back |
| 38 | // to RemoteAddr — preventing X-Forwarded-For spoofing for rate limiting, |
| 39 | // audit logs, and CSRF same-origin comparisons. |
| 40 | var trustedProxies []string |
| 41 | if s.Dependencies.AppConfig != nil { |
| 42 | trustedProxies = s.Dependencies.AppConfig.TrustedProxies |
| 43 | } |
| 44 | if err := router.SetTrustedProxies(trustedProxies); err != nil { |
| 45 | s.Dependencies.Log.Warn().Err(err).Msg("failed to apply trusted proxies; falling back to gin defaults") |
| 46 | } |
| 47 | router.Use(gin.Recovery()) |
| 48 | |
| 49 | router.Use(s.Dependencies.HTTPProvider.SecurityHeadersMiddleware()) |
| 50 | router.Use(s.Dependencies.HTTPProvider.LoggerMiddleware()) |
| 51 | router.Use(s.Dependencies.HTTPProvider.MetricsMiddleware()) |
| 52 | router.Use(s.Dependencies.HTTPProvider.ContextMiddleware()) |
| 53 | router.Use(s.Dependencies.HTTPProvider.CORSMiddleware()) |
| 54 | router.Use(s.Dependencies.HTTPProvider.RateLimitMiddleware()) |
| 55 | router.Use(s.Dependencies.HTTPProvider.CSRFMiddleware()) |
| 56 | router.Use(s.Dependencies.HTTPProvider.ClientCheckMiddleware()) |
| 57 | |
| 58 | router.GET("/", s.Dependencies.HTTPProvider.RootHandler()) |
| 59 | router.GET("/health", s.Dependencies.HTTPProvider.HealthHandler()) |
| 60 | router.GET("/healthz", s.Dependencies.HTTPProvider.HealthHandler()) |
| 61 | router.GET("/readyz", s.Dependencies.HTTPProvider.ReadyHandler()) |
| 62 | router.POST("/graphql", s.Dependencies.HTTPProvider.GraphqlHandler()) |
| 63 | router.GET("/playground", s.Dependencies.HTTPProvider.PlaygroundHandler()) |
| 64 | router.GET("/oauth_login/:oauth_provider", s.Dependencies.HTTPProvider.OAuthLoginHandler()) |
| 65 | router.GET("/oauth_callback/:oauth_provider", s.Dependencies.HTTPProvider.OAuthCallbackHandler()) |
| 66 | router.POST("/oauth_callback/:oauth_provider", s.Dependencies.HTTPProvider.OAuthCallbackHandler()) |
| 67 | router.GET("/verify_email", s.Dependencies.HTTPProvider.VerifyEmailHandler()) |
| 68 | // OPEN ID routes |
| 69 | router.GET("/.well-known/openid-configuration", s.Dependencies.HTTPProvider.OpenIDConfigurationHandler()) |
| 70 | router.GET("/.well-known/jwks.json", s.Dependencies.HTTPProvider.JWKsHandler()) |
| 71 | router.GET("/authorize", s.Dependencies.HTTPProvider.AuthorizeHandler()) |
| 72 | router.GET("/userinfo", s.Dependencies.HTTPProvider.UserInfoHandler()) |
| 73 | router.GET("/logout", s.Dependencies.HTTPProvider.LogoutHandler()) |
| 74 | router.POST("/logout", s.Dependencies.HTTPProvider.LogoutHandler()) |
| 75 | router.POST("/oauth/token", s.Dependencies.HTTPProvider.TokenHandler()) |
| 76 | router.POST("/oauth/revoke", s.Dependencies.HTTPProvider.RevokeRefreshTokenHandler()) |
| 77 | router.POST("/oauth/introspect", s.Dependencies.HTTPProvider.IntrospectHandler()) |
| 78 | |
| 79 | // gRPC-gateway REST surface at /v1/*. Mounted only when the gRPC |
| 80 | // server is configured. Shares all gin middleware (CORS, security |
| 81 | // headers, rate limit, logging) automatically since the route group |
| 82 | // inherits them from `router.Use(...)` above. |
| 83 | if s.gatewayHandler != nil { |
| 84 | // The gateway's routes are registered with their full /v1/... path |
| 85 | // (driven by google.api.http annotations). Mount it as a catch-all |
| 86 | // under /v1 so gin matches the prefix and hands the full request |
| 87 | // path to grpc-gateway untouched. |
| 88 | gw := gin.WrapH(s.gatewayHandler) |
| 89 | router.Any("/v1/*path", gw) |
| 90 | |
| 91 | // OpenAPI spec — generated alongside the gRPC stubs by buf and |