package middlewares
import (
	"crypto/sha256"
	"crypto/subtle"
	"net/http"

	"github.com/gin-gonic/gin"

	"GoMembership/internal/config"
)
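// APIKeyMiddleware returns a gin handler that admits a request only when its
// X-API-Key header is present and equals config.Auth.APIKEY.
//
// A missing header or a mismatch is answered with 401 and a JSON error body,
// and the handler chain is aborted; otherwise c.Next() is called.
func APIKeyMiddleware() gin.HandlerFunc {
	return func(c *gin.Context) {
		clientAPIKey := c.GetHeader("X-API-Key")

		if clientAPIKey == "" {
			c.JSON(http.StatusUnauthorized, gin.H{"error": "API key is missing"})
			c.Abort()
			return
		}

		// Hash both sides before the constant-time compare.
		// subtle.ConstantTimeCompare returns 0 as soon as the lengths differ,
		// so comparing the raw strings would leak the configured key's length
		// through timing. Two SHA-256 digests are always the same size, so the
		// comparison cost no longer depends on either input.
		clientDigest := sha256.Sum256([]byte(clientAPIKey))
		expectedDigest := sha256.Sum256([]byte(config.Auth.APIKEY))
		if subtle.ConstantTimeCompare(clientDigest[:], expectedDigest[:]) != 1 {
			c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid API key"})
			c.Abort()
			return
		}

		c.Next()
	}
}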