nidus_http/middleware/api_defaults.rs
1use std::time::Duration;
2
3use axum::Router;
4
5use crate::{
6 error::ErrorEnvelopeLayer,
7 health::HealthRegistry,
8 middleware::{
9 PrometheusMetrics, RateLimitConfig, RequestIdConfig, body_limit_layer, catch_panic_layer,
10 request_context_layer, security_headers_layer, streaming_body_limit_layer,
11 timeout_response_layer, validated_request_id_layer,
12 },
13};
14
15/// High-level configurable API defaults built from explicit Axum/Tower primitives.
16///
17/// `ApiDefaults` is a convenience builder for production-oriented middleware,
18/// not a hidden application runtime. [`ApiDefaults::production`] starts with
19/// request IDs, request context, production error envelopes, health routes,
20/// security headers, a `Content-Length` body limit, and a timeout enabled.
21/// Prometheus metrics and rate limiting are opt-in and only run when configured.
22///
23/// `version` and `environment` are stored as labels on this builder for callers
24/// that want to keep one deployment metadata object, but [`ApiDefaults::apply`]
25/// does not currently emit those labels to logs, metrics, headers, or health
26/// responses.
27///
28/// ```
29/// use axum::{Router, routing::get};
30/// use nidus_http::{
31/// health::{HealthRegistry, HealthStatus},
32/// middleware::{ApiDefaults, PrometheusMetrics, RequestIdConfig},
33/// };
34/// # async fn list_users() -> &'static str { "users" }
35///
36/// let metrics = PrometheusMetrics::new();
37/// let health = HealthRegistry::new()
38/// .ready_check_sync("database", || HealthStatus::up());
39///
40/// let router = Router::new().route("/users", get(list_users));
41/// let app = ApiDefaults::production("users-api")
42/// .metrics(metrics.clone())
43/// .health(health)
44/// .request_ids(RequestIdConfig::production())
45/// .apply(router)
46/// .merge(metrics.routes());
47/// # let _: Router = app;
48/// ```
49#[derive(Clone)]
50pub struct ApiDefaults {
51 service_name: String,
52 version: Option<String>,
53 environment: Option<String>,
54 request_ids: Option<RequestIdConfig>,
55 request_context: bool,
56 error_envelope: bool,
57 metrics: Option<PrometheusMetrics>,
58 health: Option<HealthRegistry>,
59 rate_limit: Option<RateLimitConfig>,
60 security_headers: bool,
61 body_limit: Option<u64>,
62 streaming_body_limit: Option<usize>,
63 timeout: Option<Duration>,
64 catch_panic: bool,
65}
66
67impl ApiDefaults {
68 /// Creates production defaults for a service.
69 ///
70 /// Enabled by default:
71 /// - request IDs: [`RequestIdConfig::production`], which requires inbound
72 /// IDs to be UUID v4 and generates UUID v4 IDs when absent
73 /// - request context: [`request_context_layer`]
74 /// - error responses: [`ErrorEnvelopeLayer`]
75 /// - health routes: [`HealthRegistry::new`] at `/health/live` and
76 /// `/health/ready`
77 /// - security headers: [`security_headers_layer`]
78 /// - body limit: [`body_limit_layer`] with `1 MiB`
79 /// - timeout: [`timeout_response_layer`] with `30s`
80 /// - panic catching: [`catch_panic_layer`] so a panicking handler yields a
81 /// `500` envelope instead of aborting the connection
82 ///
83 /// Metrics and rate limiting are disabled unless [`Self::metrics`] or
84 /// [`Self::rate_limit`] is called. The metrics middleware records requests,
85 /// but `apply` does not merge the `/metrics` route; merge
86 /// [`PrometheusMetrics::routes`] yourself when you want it exposed.
87 pub fn production(service_name: impl Into<String>) -> Self {
88 Self {
89 service_name: service_name.into(),
90 version: None,
91 environment: None,
92 request_ids: Some(RequestIdConfig::production()),
93 request_context: true,
94 error_envelope: true,
95 metrics: None,
96 health: Some(HealthRegistry::new()),
97 rate_limit: None,
98 security_headers: true,
99 body_limit: Some(1024 * 1024),
100 streaming_body_limit: None,
101 timeout: Some(Duration::from_secs(30)),
102 catch_panic: true,
103 }
104 }
105
106 /// Returns the service name attached to these defaults.
107 ///
108 /// The current [`Self::apply`] implementation keeps this as builder metadata
109 /// only; it is not emitted by any default middleware.
110 pub fn service_name(&self) -> &str {
111 &self.service_name
112 }
113
114 /// Sets a service version label.
115 ///
116 /// This is metadata on the builder. [`Self::apply`] does not currently
117 /// attach the version to metrics, health responses, logs, or response
118 /// headers.
119 pub fn version(mut self, version: impl Into<String>) -> Self {
120 self.version = Some(version.into());
121 self
122 }
123
124 /// Sets an environment label.
125 ///
126 /// This is metadata on the builder. [`Self::apply`] does not currently
127 /// attach the environment to metrics, health responses, logs, or response
128 /// headers.
129 pub fn environment(mut self, environment: impl Into<String>) -> Self {
130 self.environment = Some(environment.into());
131 self
132 }
133
134 /// Replaces request ID behavior.
135 ///
136 /// Pass [`RequestIdConfig::development`] for permissive inbound validation
137 /// during local development, or a custom config when you need a different
138 /// header name or generator.
139 pub fn request_ids(mut self, config: RequestIdConfig) -> Self {
140 self.request_ids = Some(config);
141 self
142 }
143
144 /// Disables request ID middleware.
145 pub fn without_request_ids(mut self) -> Self {
146 self.request_ids = None;
147 self
148 }
149
150 /// Disables request context middleware.
151 pub fn without_request_context(mut self) -> Self {
152 self.request_context = false;
153 self
154 }
155
156 /// Disables production error envelopes.
157 pub fn without_error_envelope(mut self) -> Self {
158 self.error_envelope = false;
159 self
160 }
161
162 /// Adds a Prometheus metrics collector.
163 ///
164 /// This installs request lifecycle recording. It does not expose the
165 /// collector's `/metrics` route; merge [`PrometheusMetrics::routes`] into
166 /// the router when you want scrape output.
167 pub fn metrics(mut self, metrics: PrometheusMetrics) -> Self {
168 self.metrics = Some(metrics);
169 self
170 }
171
172 /// Disables metrics middleware.
173 pub fn without_metrics(mut self) -> Self {
174 self.metrics = None;
175 self
176 }
177
178 /// Replaces health routes.
179 ///
180 /// The registry contributes `/health/live` and `/health/ready` routes before
181 /// middleware layers are applied, so the same default security, timeout, and
182 /// body/header handling applies to health responses too.
183 pub fn health(mut self, health: HealthRegistry) -> Self {
184 self.health = Some(health);
185 self
186 }
187
188 /// Disables health route helpers.
189 pub fn without_health(mut self) -> Self {
190 self.health = None;
191 self
192 }
193
194 /// Adds rate limiting.
195 pub fn rate_limit(mut self, config: RateLimitConfig) -> Self {
196 self.rate_limit = Some(config);
197 self
198 }
199
200 /// Disables rate limiting.
201 pub fn without_rate_limit(mut self) -> Self {
202 self.rate_limit = None;
203 self
204 }
205
206 /// Enables or replaces the request body size limit.
207 ///
208 /// The built-in layer checks the declared `Content-Length` header only. It
209 /// rejects declared oversized bodies with `413 Payload Too Large`; it does
210 /// not count streamed bytes when the header is absent or invalid (e.g.
211 /// chunked-transfer clients). For a hard read-time cap across streaming
212 /// bodies, also enable [`Self::streaming_body_limit`].
213 pub fn body_limit(mut self, max_bytes: u64) -> Self {
214 self.body_limit = Some(max_bytes);
215 self
216 }
217
218 /// Enables a streaming request body limit that counts bytes as they are read.
219 ///
220 /// Unlike [`Self::body_limit`] (which inspects only the declared
221 /// `Content-Length`), this wraps the request body and enforces `max_bytes`
222 /// even when `Content-Length` is absent, closing the chunked-transfer
223 /// bypass. The cap is applied as the downstream extractor or handler reads
224 /// the body, so a request is rejected only once it actually reads past the
225 /// limit. This is opt-in because it wraps every request body; pair it with
226 /// [`Self::body_limit`] for an early `Content-Length` rejection plus a hard
227 /// streaming cap.
228 pub fn streaming_body_limit(mut self, max_bytes: usize) -> Self {
229 self.streaming_body_limit = Some(max_bytes);
230 self
231 }
232
233 /// Disables request body size limiting.
234 pub fn without_body_limit(mut self) -> Self {
235 self.body_limit = None;
236 self
237 }
238
239 /// Enables response security headers.
240 pub fn security_headers(mut self) -> Self {
241 self.security_headers = true;
242 self
243 }
244
245 /// Disables response security headers.
246 pub fn without_security_headers(mut self) -> Self {
247 self.security_headers = false;
248 self
249 }
250
251 /// Sets a default request timeout.
252 ///
253 /// Requests whose inner service does not finish before this duration receive
254 /// `408 Request Timeout` with a plain-text `request timed out` body.
255 pub fn timeout(mut self, timeout: Duration) -> Self {
256 self.timeout = Some(timeout);
257 self
258 }
259
260 /// Disables timeout middleware.
261 pub fn without_timeout(mut self) -> Self {
262 self.timeout = None;
263 self
264 }
265
266 /// Disables the panic-catching layer.
267 ///
268 /// With it disabled, a panicking handler may abort the connection instead of
269 /// yielding the production `500` envelope. It is enabled by
270 /// [`Self::production`].
271 pub fn without_catch_panic(mut self) -> Self {
272 self.catch_panic = false;
273 self
274 }
275
276 /// Applies the configured defaults to an existing router.
277 ///
278 /// Health routes are merged first. The effective inbound request order for
279 /// the default production stack is (outermost first):
280 ///
281 /// 1. [`security_headers_layer`] response wrapper
282 /// 2. [`validated_request_id_layer`]
283 /// 3. [`request_context_layer`]
284 /// 4. metrics, when configured
285 /// 5. [`ErrorEnvelopeLayer`]
286 /// 6. [`timeout_response_layer`]
287 /// 7. [`body_limit_layer`] `Content-Length` boundary
288 /// 8. rate limiting, when configured
289 /// 9. [`catch_panic_layer`], when enabled (innermost, a handler panic is
290 /// caught and surfaced as a `500` through every outer layer)
291 /// 10. route handlers
292 ///
293 /// `body_limit` sits inside the request-id, metrics, and error-envelope
294 /// layers so an oversized-body `413` is enveloped, metered, and carries a
295 /// request id (consistent with how `408` timeouts are observed), rather than
296 /// being rejected invisibly at the edge.
297 ///
298 /// Order matters when adding route-specific layers. Layers installed on a
299 /// route before calling `apply` run inside these defaults, so they can see
300 /// the validated request ID and enriched [`crate::context::RequestContext`],
301 /// and their error responses can be wrapped by the production envelope.
302 pub fn apply(self, mut router: Router) -> Router {
303 if let Some(health) = self.health {
304 router = router.merge(health.routes());
305 }
306 // Innermost layer: catch handler panics so they surface as an enveloped
307 // 500 through every outer layer instead of aborting the connection.
308 if self.catch_panic {
309 router = router.layer(catch_panic_layer());
310 }
311 if let Some(rate_limit) = self.rate_limit {
312 router = router.layer(rate_limit.layer());
313 }
314 if let Some(max_bytes) = self.body_limit {
315 router = router.layer(body_limit_layer(max_bytes));
316 }
317 if let Some(max_bytes) = self.streaming_body_limit {
318 router = router.layer(streaming_body_limit_layer(max_bytes));
319 }
320 if let Some(timeout) = self.timeout {
321 router = router.layer(timeout_response_layer(timeout));
322 }
323 if self.error_envelope {
324 router = router.layer(ErrorEnvelopeLayer::new());
325 }
326 if let Some(metrics) = self.metrics {
327 router = router.layer(metrics.layer());
328 }
329 if self.request_context {
330 router = router.layer(request_context_layer());
331 }
332 if let Some(request_ids) = self.request_ids {
333 router = router.layer(validated_request_id_layer(request_ids));
334 }
335 if self.security_headers {
336 router = router.layer(security_headers_layer());
337 }
338 router
339 }
340}