PrecheckAPIKey extracts and fully validates the API key on every request (if present) and stores the result in context. It never writes error responses and always calls next. The rate limiter reads the stored result to key by user ID and check the Owner bypass header. Downstream ExtractAPIKeyMW rea
(cfg ValidateAPIKeyConfig)
| 207 | // check the Owner bypass header. Downstream ExtractAPIKeyMW reads |
| 208 | // it to avoid redundant DB lookups and validation. |
| 209 | func PrecheckAPIKey(cfg ValidateAPIKeyConfig) func(http.Handler) http.Handler { |
| 210 | return func(next http.Handler) http.Handler { |
| 211 | return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) { |
| 212 | ctx := r.Context() |
| 213 | |
| 214 | // Already prechecked (shouldn't happen, but guard). |
| 215 | if _, ok := ctx.Value(apiKeyPrecheckedContextKey{}).(APIKeyPrechecked); ok { |
| 216 | next.ServeHTTP(rw, r) |
| 217 | return |
| 218 | } |
| 219 | |
| 220 | result, valErr := ValidateAPIKey(ctx, cfg, r) |
| 221 | |
| 222 | prechecked := APIKeyPrechecked{ |
| 223 | Result: result, |
| 224 | Err: valErr, |
| 225 | } |
| 226 | ctx = context.WithValue(ctx, apiKeyPrecheckedContextKey{}, prechecked) |
| 227 | next.ServeHTTP(rw, r.WithContext(ctx)) |
| 228 | }) |
| 229 | } |
| 230 | } |
| 231 | |
| 232 | // ValidateAPIKey extracts and validates the API key from the |
| 233 | // request. It performs all security-critical checks: |
nothing calls this directly
no test coverage detected