[Feature 05] Business Logic - Auth & Rate Limiting #24

@onlyhyde

Overview

Implement API Key authentication, rate limiting, and input validation middleware.

Implementation Details

Files:

  • internal/middleware/auth.go - API Key authentication
  • internal/middleware/ratelimit.go - Rate limiting
  • internal/api/validation.go - Input validation

API Key Authentication

type APIKeyConfig struct {
    Enabled   bool
    KeyHashes []string  // SHA256 hashes of valid keys
}

  • Use SHA256 hashing for API key storage
  • Use constant-time comparison (crypto/subtle.ConstantTimeCompare) to prevent timing attacks
  • Return 401 Unauthorized for missing/invalid keys

Rate Limiting

type RateLimitConfig struct {
    Enabled           bool
    RequestsPerSecond float64
    Burst             int
    CleanupPeriod     time.Duration
}

  • Per-client rate limiting (by API key or IP)
  • Use golang.org/x/time/rate for token bucket algorithm
  • Return 429 Too Many Requests when exceeded
  • Cleanup stale limiters periodically

Input Validation

  • Network format validation (CAIP-2: eip155:<chainId>)
  • Address format validation (^0x[a-fA-F0-9]{40}$)
  • Amount validation (positive, within limits)
  • Asset allowlist (optional)

Acceptance Criteria

  • API Key middleware with constant-time comparison
  • Rate limiting middleware with per-client tracking
  • Input validation for verify/settle requests
  • Configuration via TOML
  • Unit tests for each middleware
  • Integration tests

Dependencies

Branch

feature/business-logic
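
The API key check described under "API Key Authentication", as an added example that is not part of the issue or the project's code. The `X-API-Key` header name, hex encoding of the stored hashes, and the names `keyAllowed` and `APIKeyAuth` are assumptions.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"strings"
)

// APIKeyConfig mirrors the struct in the issue; hex encoding is assumed.
type APIKeyConfig struct {
	Enabled   bool
	KeyHashes []string // hex-encoded SHA256 hashes of valid keys
}

// keyAllowed hashes the presented key and compares the digest against every
// configured hash without returning early, so the time taken does not depend
// on which entry (if any) matched. An empty key is always rejected.
func keyAllowed(cfg APIKeyConfig, presented string) bool {
	sum := sha256.Sum256([]byte(presented))
	got := []byte(hex.EncodeToString(sum[:]))
	match := 0
	for _, h := range cfg.KeyHashes {
		match |= subtle.ConstantTimeCompare(got, []byte(strings.ToLower(h)))
	}
	return match == 1 && presented != ""
}

// APIKeyAuth answers 401 Unauthorized when the X-API-Key header (assumed
// header name) is missing or does not hash to a configured value.
func APIKeyAuth(cfg APIKeyConfig, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if cfg.Enabled && !keyAllowed(cfg, r.Header.Get("X-API-Key")) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	sum := sha256.Sum256([]byte("demo-key")) // constructed sample key
	cfg := APIKeyConfig{Enabled: true, KeyHashes: []string{hex.EncodeToString(sum[:])}}
	fmt.Println(keyAllowed(cfg, "demo-key"), keyAllowed(cfg, "wrong"), keyAllowed(cfg, ""))
}
```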
