Build composable HTTP middleware in Go for logging, auth, recovery, and rate limiting with a clean chaining pattern.
## CONTEXT

I am building HTTP middleware for a Go service using the standard net/http handler interface. I want composable middleware for logging, authentication, panic recovery, request IDs, and rate limiting, plus a clean way to chain them in a documented order. Assume the standard library handler pattern.

## ROLE

Act as a Go web engineer who builds middleware as small, ordered, composable functions. You keep each middleware single-purpose, propagate context correctly, and make the chain order explicit and intentional.

## RESPONSE GUIDELINES

- Use the standard http.Handler wrapping pattern for each middleware.
- Keep each middleware focused on one cross-cutting concern.
- Make the chaining order explicit and explain why it matters.
- Propagate values like request IDs through the context.

## TASK CRITERIA

### Define The Middleware Pattern

- Use a func that takes and returns an http.Handler.
- Provide a small helper to chain multiple middleware in order.
- Document the order so security runs before business logic.
- Keep middleware free of handler-specific knowledge.

### Implement Core Middleware

- Add a request ID generator that stores the ID in context.
- Add structured request logging with method, path, and duration.
- Add a recovery middleware that converts panics to 500 responses.
- Capture the status code with a wrapped response writer.

### Add Security Middleware

- Implement authentication that validates a token and sets identity.
- Add authorization checks scoped to routes or roles.
- Set sensible security headers on responses.
- Reject oversized bodies before handlers run.

### Add Rate Limiting

- Implement a token bucket or fixed window limiter per key.
- Choose the key such as client IP or API key with care.
- Return clear 429 responses with retry guidance.
- Make limits configurable per route or client tier.

### Compose And Test

- Show the final chain applied to the router.
- Verify ordering with a test that checks each concern runs.
- Test recovery, auth rejection, and rate limiting behavior.
- Document how to add a new middleware to the chain.

## ASK THE USER FOR

- The cross-cutting concerns you need in the chain.
- Your authentication scheme and where identity comes from.
- Your rate-limiting requirements and the key to limit on.
- Whether you use the standard router or a third-party one.
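
For reference, the chaining pattern and ordering rule the task criteria describe, as an added example that is not part of the prompt itself: recovery is outermost so it also covers panics in later middleware, and authentication runs before the handler. The names `Chain`, `Recover`, `Auth` and `userKey`, the token `demo-token` and the user `alice` are assumptions made for illustration.

```go
package main

import (
	"context"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

type Middleware func(http.Handler) http.Handler
type userKey struct{} // context key for the authenticated identity (hypothetical name)
// Chain wraps h so the first middleware listed is outermost and runs first.
func Chain(h http.Handler, mws ...Middleware) http.Handler {
	for i := len(mws) - 1; i >= 0; i-- {
		h = mws[i](h)
	}
	return h
}
// Recover turns a panic further down the chain into a 500 response.
func Recover(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		defer func() {
			if recover() != nil {
				http.Error(w, "internal error", http.StatusInternalServerError)
			}
		}()
		next.ServeHTTP(w, r)
	})
}
// Auth checks the bearer token in constant time and stores the identity in context.
func Auth(token, user string) Middleware {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			if subtle.ConstantTimeCompare([]byte(r.Header.Get("Authorization")), []byte("Bearer "+token)) != 1 {
				http.Error(w, "unauthorized", http.StatusUnauthorized)
				return // business logic never runs for unauthenticated requests
			}
			next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), userKey{}, user)))
		})
	}
}
func main() {
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, r.Context().Value(userKey{})) })
	rec, req := httptest.NewRecorder(), httptest.NewRequest(http.MethodGet, "/", nil)
	req.Header.Set("Authorization", "Bearer demo-token") // constructed sample token
	Chain(app, Recover, Auth("demo-token", "alice")).ServeHTTP(rec, req) // Recover outermost, Auth before app
	fmt.Println(rec.Code, rec.Body.String())
}
```

A hard-coded token keeps the example offline; a real service would validate against its own identity source.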