Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
github.com/grpc-ecosystem/go-grpc-middleware/v2
This repository holds gRPC Go Middlewares: interceptors, helpers and utilities.
gRPC Go has support for "interceptors", i.e. middleware that is executed either on the gRPC Server before the request is passed onto the user's application logic, or on the gRPC client either around the user call. It is a perfect way to implement common patterns: auth, logging, tracing, metrics, validation, retries, rate limiting and more, which can be a great generic building blocks that make it easy to build multiple microservices easily.
Especially for observability signals (logging, tracing, metrics) interceptors offers semi-auto-instrumentation that improves consistency of your observability and allows great correlation techniques (e.g. exemplars and trace ID in logs). Demo-ed in examples.
This repository offers ready-to-use middlewares that implements gRPC interceptors with examples. In some cases dedicated projects offer great interceptors, so this repository skips those, and we link them in the interceptors list.
NOTE: Some middlewares are quite simple to write, so feel free to use this repo as template if you need. It's ok to copy some simpler interceptors if you need more flexibility. This repo can't support all the edge cases you might have.
Additional great feature of interceptors is the fact we can chain those. For example below you can find example server side chain of interceptors with full observabiliy correlation, auth and panic recovery:
grpcSrv := grpc.NewServer(
grpc.ChainUnaryInterceptor(
// Order matters e.g. tracing interceptor have to create span first for the later exemplars to work.
otelgrpc.UnaryServerInterceptor(),
srvMetrics.UnaryServerInterceptor(grpcprom.WithExemplarFromContext(exemplarFromContext)),
logging.UnaryServerInterceptor(interceptorLogger(rpcLogger), logging.WithFieldsFromContext(logTraceID)),
selector.UnaryServerInterceptor(auth.UnaryServerInterceptor(authFn), selector.MatchFunc(allButHealthZ)),
recovery.UnaryServerInterceptor(recovery.WithRecoveryHandler(grpcPanicRecoveryHandler)),
),
grpc.ChainStreamInterceptor(
otelgrpc.StreamServerInterceptor(),
srvMetrics.StreamServerInterceptor(grpcprom.WithExemplarFromContext(exemplarFromContext)),
logging.StreamServerInterceptor(interceptorLogger(rpcLogger), logging.WithFieldsFromContext(logTraceID)),
selector.StreamServerInterceptor(auth.StreamServerInterceptor(authFn), selector.MatchFunc(allButHealthZ)),
recovery.StreamServerInterceptor(recovery.WithRecoveryHandler(grpcPanicRecoveryHandler)),
),
This pattern offers clean and explicit shared functionality for all your gRPC methods. Full, buildable examples can be found in examples directory.
This list covers known interceptors that users use for their Go microservices (both in this repo and external). Click on each to see extended examples in examples_test.go
(also available in pkg.go.dev)
All paths should work with go get <path>
.
github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/auth
- a customizable via AuthFunc
piece of auth middleware.google.golang.org/grpc/authz
- more complex, customizable via auth polices (RBAC like), piece of auth middleware.github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus
⚡ - Prometheus client-side and server-side monitoring middleware. Supports exemplars. Moved from deprecated now go-grpc-prometheus
.go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
- official OpenTelemetry interceptors (metric and tracing).github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/logging
- a customizable logging middleware offering extended per request logging. It requires logging adapter, see examples in interceptors/logging/examples
for go-kit
, log
, logr
, logrus
, slog
, zap
and zerolog
.
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
- official OpenTelemetry interceptors (metric and tracing) as used in example.github.com/grpc-ecosystem/go-grpc-middleware/tracing/opentracing
- deprecated OpenTracing client-side and server-side interceptors if you still need it!github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/retry
- a generic gRPC response code retry mechanism, client-side middleware.
github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/timeout
- a generic gRPC request timeout, client-side middleware.github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/validator
- codegen inbound message validation from .proto
options.github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/recovery
- turn panics into gRPC errors (make sure to use those as "last" interceptor, so panic does not skip other interceptors).github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/ratelimit
- grpc rate limiting by your own limiter.github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/protovalidate
- message validation from .proto
options via protovalidate-gogithub.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/selector
- allow users to select given one or more interceptors in certain condition like matching service method.The main interceptors are available in the subdirectories of the interceptors
directory e.g. interceptors/validator
, interceptors/auth
or interceptors/logging
.
Some interceptors or utilities of interceptors requires opinionated code that depends on larger amount of dependencies. Those are places in providers
directory as separate Go module, with separate versioning. For example providers/prometheus
offer metrics middleware (there is no "interceptor/metrics" at the moment). The separate module, might be a little bit harder to discover and version in your go.mod
, but it allows core interceptors to be ultra slim in terms of dependencies.
The interceptors
directory also holds generic interceptors that accepts Reporter
interface which allows creating your own middlewares with ease.
As you might notice this repository contains multiple modules with different versions (Go Module specifics). Refer to versions.yaml for current modules. We have main module of version 2.x.y and providers modules of lower versions. Since main module is v2, it's module path ends with v2
:
go get github.com/grpc-ecosystem/go-grpc-middleware/v2/<package>
For providers modules and packages, since they are v1, no version is added to the path e.g.
go get github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus
go-grpc-middleware v1 was created near 2015 and became a popular choice for gRPC users. However, many have changed since then. The main changes of v2 compared to v1:
interceptors/logging
got simplified and writing adapter for each logger is straightforward. For convenience, we will maintain examples for popular providers in interceptors/logging/examples
, but those are meant to be copied, not imported.grpc_opentracing
interceptor was removed. This is because tracing instrumentation evolved. OpenTracing is deprecated and OpenTelemetry has now a superior tracing interceptor.grpc_ctxtags
interceptor was removed. Custom tags can be added to logging fields using logging.InjectFields
. Proto option to add logging field was clunky in practice and we don't see any use of it nowadays, so it's removed.grpc
implemented one.github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/selector
interceptor to select what method, type or service should use what interceptor.grpcprom "github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus"
.<package_name>.With<Option Name>
, with extensibility to add more of them.v2
is the main (default) development branch.This assumes we want to release minor version of any module:
github.com/grpc-ecosystem/go-grpc-middleware/v2
the tag has no prefix (e.g. v2.20.1). For providers (sub modules), the tag version has to have form e.g. providers/<provider/v1.2.3
. See https://github.com/golang/go/wiki/Modules#faqs--multi-module-repositories for details.go-grpc-middleware
is released under the Apache 2.0 license. See the LICENSE file for details.
FAQs
Unknown package
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.