reinhardt-middleware 0.1.0-rc.15

Middleware system for request/response processing pipeline
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250

# reinhardt-middleware

Request/response processing pipeline for Reinhardt framework

## Overview

Middleware system for processing requests and responses. Provides comprehensive built-in middleware for security, performance optimization, authentication, and request handling.

## Installation

Add `reinhardt` to your `Cargo.toml`:

```toml
[dependencies]
reinhardt = { version = "0.1.0-rc.13", features = ["middleware"] }

# Or use a preset:
# reinhardt = { version = "0.1.0-rc.13", features = ["standard"] }  # Recommended
# reinhardt = { version = "0.1.0-rc.13", features = ["full"] }      # All features
```

Then import middleware features:

```rust
use reinhardt::middleware::{CsrfMiddleware, CorsMiddleware, GzipMiddleware};
use reinhardt::middleware::{LoggingMiddleware, AuthenticationMiddleware};
use reinhardt::middleware::{SecurityHeadersMiddleware, HttpsRedirectMiddleware};
```

**Note:** Middleware features are included in the `standard` and `full` feature presets.

## Implemented Features ✓

### Core Middleware System

- **Middleware Pipeline** - Request/response processing chain with handler composition
- **Custom Middleware Support** - Easy integration of user-defined middleware

### Security Middleware

- **CORS (Cross-Origin Resource Sharing)** - Configurable CORS headers with preflight support
  - Custom origin, method, and header configuration
  - Credentials support
  - Max-age caching
  - Permissive mode for development
- **CSRF Protection** - Cross-Site Request Forgery protection via `reinhardt-core` security module
  - Token generation and validation
  - Origin and referer checking
  - Secret management and rotation
- **Content Security Policy (CSP)** - XSS protection with customizable directives
  - Custom CSP directives (default-src, script-src, style-src, etc.)
  - Nonce generation for inline scripts/styles
  - Report-Only mode for testing
  - Strict preset configuration
- **X-Frame-Options** - Clickjacking protection
  - DENY mode (no framing)
  - SAMEORIGIN mode (same-origin framing only)
- **Security Headers** - Comprehensive HTTP security headers
  - HSTS (HTTP Strict Transport Security) with preload support
  - SSL/HTTPS redirects
  - X-Content-Type-Options: nosniff
  - Referrer-Policy configuration
  - Cross-Origin-Opener-Policy (COOP)
- **HTTPS Redirect** - Automatic HTTP to HTTPS redirection
  - Configurable exempt paths
  - Custom status codes (301/302)

### Performance Middleware

- **GZip Compression** - Response compression for bandwidth optimization
  - Configurable compression level (0-9)
  - Minimum size threshold
  - Content-type filtering
  - Automatic Accept-Encoding detection
- **Brotli Compression** - Advanced compression with better ratios
  - Configurable quality levels (Fast, Balanced, Best)
  - Window size configuration (10-24)
  - Content-type filtering
  - Automatic Accept-Encoding: br detection
  - Intelligent compression (only when beneficial)
- **Conditional GET** - HTTP caching with ETags and Last-Modified
  - Automatic ETag generation (SHA-256 based)
  - If-None-Match support
  - If-Modified-Since support
  - If-Match and If-Unmodified-Since validation
  - 304 Not Modified responses

### Authentication & Request Processing

- **Authentication** - JWT-based authentication middleware
  - Bearer token extraction
  - Token validation via `reinhardt-auth`
  - User type support
- **Logging** - Request/response logging
  - Timestamp, method, path, status code
  - Request duration tracking

### Dependency Injection Support

- **DI Middleware** - Integration with `reinhardt-di`
  - Middleware factory pattern
  - Injectable middleware components
  - Automatic dependency resolution

### Request Processing & Utilities

- **Common Middleware** - URL normalization
  - Automatic trailing slash appending (append_slash)
  - WWW subdomain prepending (prepend_www)
  - Smart file extension detection
  - Query parameter preservation
- **Locale Middleware** - Multi-source locale detection
  - Accept-Language header parsing with quality scores
  - Cookie-based locale storage
  - URL path prefix detection
  - Configurable fallback locale
- **Message Framework** - Django-style flash messages
  - Session-based and Cookie-based storage
  - Multiple message levels (Debug, Info, Success, Warning, Error)
  - One-time message delivery
  - Thread-safe storage implementation
- **Redirect Fallback** - Smart 404 error handling
  - Configurable fallback URL
  - Pattern-based path matching (regex)
  - Custom redirect status codes
  - Redirect loop prevention
- **Broken Link Detection** - Internal link monitoring
  - Automatic 404 detection for internal referrers
  - Domain normalization (www. handling)
  - Configurable ignored paths and user agents
  - Email notification support
  - Logging integration
- **Site Middleware** - Multi-site support
  - Domain-based site detection
  - Default site fallback mechanism
  - www subdomain normalization
  - Site ID header injection
  - Thread-safe site registry
- **Flatpages Middleware** - Static page fallback
  - 404 interception and content substitution
  - URL normalization (trailing slash handling)
  - In-memory flatpage storage
  - Template rendering support
  - Registration-based access control

### Observability & Monitoring

- **Request ID Middleware** - Request tracing and correlation
  - UUID generation for unique request identification
  - Automatic propagation through request chain
  - Custom header name support
  - X-Request-ID and X-Correlation-ID compatibility
- **Metrics Middleware** - Prometheus-compatible metrics collection
  - Request count tracking by method and path
  - Response time histograms with percentiles (p50, p95, p99)
  - Status code distribution
  - Custom metrics support
  - /metrics endpoint with Prometheus text format
  - Configurable exclusion paths
- **Tracing Middleware** - Distributed tracing support
  - OpenTelemetry-compatible span tracking
  - Trace ID and Span ID propagation
  - Automatic span lifecycle management
  - Request metadata tagging (method, path, status)
  - Configurable sampling rates
  - Error status tracking

## Related Crates

The following middleware are implemented in separate crates:

- **Session Middleware** - Implemented in `reinhardt-auth`
  - See [reinhardt-auth](../reinhardt-auth/README.md) for session management and persistence
- **Cache Middleware** - Implemented in `reinhardt-utils`
  - See [reinhardt-utils](../reinhardt-utils/README.md) for response caching layer
- **Permissions Middleware** - Implemented in `reinhardt-auth`
  - ✓ Permission-based access control
  - ✓ DRF-style permissions (IsAuthenticated, IsAdminUser, IsAuthenticatedOrReadOnly)
  - ✓ Model-level permissions (object permissions)
  - ✓ Permission operators (AND, OR, NOT)
  - ✓ Advanced permissions (dynamic, conditional, composite)
  - See [reinhardt-auth](../reinhardt-auth/README.md) for details
- **Rate Limiting** - Implemented in `reinhardt-rest`
  - ✓ Request throttling and rate limits
  - ✓ AnonRateThrottle for anonymous users
  - ✓ UserRateThrottle for authenticated users
  - ✓ ScopedRateThrottle for API scopes
  - ✓ BurstRateThrottle for burst protection
  - ✓ TieredRateThrottle for tiered limits
  - ✓ Memory and Redis backends
  - See [reinhardt-rest](../reinhardt-rest/README.md) for details

## CSRF Middleware Usage

### Basic Usage

```rust
use reinhardt::middleware::csrf::{CsrfMiddleware, CsrfMiddlewareConfig};
use reinhardt_http::{Handler, Middleware};
use std::sync::Arc;

// Default configuration
let csrf_middleware = CsrfMiddleware::new();

// Production configuration
let config = CsrfMiddlewareConfig::production(vec![
    "https://example.com".to_string(),
    "https://api.example.com".to_string(),
]);

let csrf_middleware = CsrfMiddleware::with_config(config);
```

### Exempt Paths

```rust
let config = CsrfMiddlewareConfig::default()
    .add_exempt_path("/api/webhooks".to_string())
    .add_exempt_path("/health".to_string());

let csrf_middleware = CsrfMiddleware::with_config(config);
```

### Token Extraction

CSRF tokens can be sent via:

1. **HTTP Header** (recommended): `X-CSRFToken` header
2. **Cookie**: `csrftoken` cookie

```javascript
// Send token via header from JavaScript
fetch("/api/endpoint", {
  method: "POST",
  headers: {
    "X-CSRFToken": getCookie("csrftoken"),
    "Content-Type": "application/json",
  },
  body: JSON.stringify(data),
});
```

### How It Works

1. **GET requests**: Automatically sets a CSRF cookie
2. **POST requests**: Validates the token
   - Extracts token from header or cookie
   - Checks Referer header (if configured)
   - Validates token format and value
3. **Validation failure**: Returns 403 Forbidden