Claude-skill-registry-data dapr-middleware-validator
Automatically validate DAPR HTTP middleware configuration files. Checks for correct middleware types, proper secret references, pipeline ordering, and security best practices. Use when configuring OAuth2, Bearer tokens, OPA policies, rate limiting, or other middleware.
install
source · Clone the upstream repo
git clone https://github.com/majiayu000/claude-skill-registry-data
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry-data "$T" && mkdir -p ~/.claude/skills && cp -r "$T/data/middleware-validator" ~/.claude/skills/majiayu000-claude-skill-registry-data-dapr-middleware-validator && rm -rf "$T"
manifest: data/middleware-validator/SKILL.md
source content
DAPR Middleware Configuration Validator
This skill validates DAPR HTTP middleware components for security and correctness.
When to Use
Claude automatically uses this skill when:
- A middleware YAML file is created or modified
- User configures OAuth2, Bearer, OPA, or rate limiting
- Pipeline configuration is being set up
- Before deploying middleware-protected APIs
Middleware Types
Authentication Middleware
| Type | Component Type | Purpose |
|---|---|---|
| OAuth2 | middleware.http.oauth2 | Authorization Code flow |
| OAuth2 CC | middleware.http.oauth2clientcredentials | Client Credentials flow (service-to-service auth) |
| Bearer | middleware.http.bearer | JWT/OIDC token validation |
Authorization Middleware
| Type | Component Type | Purpose |
|---|---|---|
| OPA | middleware.http.opa | Policy-based authorization (Rego) |
Traffic Control Middleware
| Type | Component Type | Purpose |
|---|---|---|
| Rate Limit | middleware.http.ratelimit | Request throttling |
| Sentinel | middleware.http.sentinel | Circuit breaker/flow control |
Request Processing Middleware
| Type | Component Type | Purpose |
|---|---|---|
| Router Alias | middleware.http.routeralias | Route rewriting |
| Router Checker | middleware.http.routerchecker | Route validation |
| WASM | middleware.http.wasm | Custom WebAssembly logic |
| Uppercase | middleware.http.uppercase | Testing only |
Validation Rules
OAuth2 Middleware Validation
```yaml
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: oauth2
spec:
  type: middleware.http.oauth2
  version: v1
  metadata:
  - name: clientId
    secretKeyRef:              # REQUIRED: use secretKeyRef
      name: oauth-secrets
      key: client-id
  - name: clientSecret
    secretKeyRef:              # REQUIRED: use secretKeyRef
      name: oauth-secrets
      key: client-secret
  - name: scopes
    value: "openid profile"    # REQUIRED
  - name: authURL
    value: "https://..."       # REQUIRED: must be HTTPS
  - name: tokenURL
    value: "https://..."       # REQUIRED: must be HTTPS
  - name: redirectURL
    value: "..."               # REQUIRED
  - name: forceHTTPS
    value: "true"              # RECOMMENDED for production
```
Checks performed:
- clientId uses secretKeyRef (not a plain value)
- clientSecret uses secretKeyRef (not a plain value)
- authURL uses the HTTPS scheme
- tokenURL uses the HTTPS scheme
- forceHTTPS is "true" for production
Bearer Token Validation
```yaml
spec:
  type: middleware.http.bearer
  metadata:
  - name: audience
    value: "api://..."     # REQUIRED
  - name: issuer
    value: "https://..."   # REQUIRED: must be HTTPS
```
Checks performed:
- audience is specified
- issuer uses the HTTPS scheme
- issuer matches a known provider or is a valid URL
OPA Middleware Validation
```yaml
spec:
  type: middleware.http.opa
  metadata:
  - name: defaultStatus
    value: "403"           # RECOMMENDED: 403 for authz failures
  - name: rego
    value: |
      package http
      default allow = false  # REQUIRED: default deny
```
Checks performed:
- Rego policy has `default allow = false`
- Policy uses `package http`
- includedHeaders contains Authorization if the policy checks a JWT (Dapr passes only the listed headers to the policy input, so a token check without it sees no header)
- No hardcoded secrets in the policy
Rate Limit Validation
```yaml
spec:
  type: middleware.http.ratelimit
  metadata:
  - name: maxRequestsPerSecond
    value: "100"           # REQUIRED: a reasonable limit
```
Checks performed:
- maxRequestsPerSecond is specified
- Value is reasonable (not 0, not extremely high)
Sentinel Validation
```yaml
spec:
  type: middleware.http.sentinel
  metadata:
  - name: appName
    value: "my-service"    # REQUIRED
  - name: flowRules
    value: |               # at least one rule type required
      [...]
```
Checks performed:
- appName is specified
- At least one rule type is defined (flowRules, circuitBreakerRules, etc.)
- Resource paths in rules have a valid format
- Threshold values are reasonable
WASM Validation
```yaml
spec:
  type: middleware.http.wasm
  metadata:
  - name: url
    value: "file://..."    # REQUIRED
```
Checks performed:
- url is specified with a valid scheme (file://, http://, https://)
- HTTPS is used for remote WASM binaries
- Path exists for file:// URLs (if verifiable)
Router Alias Validation
```yaml
spec:
  type: middleware.http.routeralias
  metadata:
  - name: routes
    value: |               # REQUIRED
      {"/api": "/v1.0/invoke/..."}
```
Checks performed:
- routes is valid JSON or YAML
- Target paths are valid Dapr API paths
Router Checker Validation
```yaml
spec:
  type: middleware.http.routerchecker
  metadata:
  - name: rule
    value: "^[A-Za-z0-9/._-]+$"   # REQUIRED: valid regex
```
Checks performed:
- rule is a valid regex pattern
- Pattern is security-appropriate (blocks common attacks)
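The component-level rules above, as an added example validator that is not the skill's own code: it runs on the dict that `yaml.safe_load()` would return for a Component file, so the sample components are constructed dicts rather than YAML and it needs no PyYAML. The 1000 RPS ceiling for the "very high" warning and the severity labels are assumptions of this example, not Dapr or skill constants.

```python
import re
from urllib.parse import urlparse

# Fields that must be https:// URLs, per component type.
HTTPS_URL_FIELDS = {
    "middleware.http.oauth2": ("authURL", "tokenURL"),
    "middleware.http.bearer": ("issuer",),
}
# Fields that must come from secretKeyRef, never a plain value.
SECRET_FIELDS = {"middleware.http.oauth2": ("clientId", "clientSecret")}
REQUIRED_FIELDS = {
    "middleware.http.oauth2": ("clientId", "clientSecret", "scopes",
                               "authURL", "tokenURL", "redirectURL"),
    "middleware.http.bearer": ("audience", "issuer"),
    "middleware.http.opa": ("rego",),
    "middleware.http.ratelimit": ("maxRequestsPerSecond",),
}
HIGH_RPS = 1000  # assumed threshold for the "very high rate limit" warning


def metadata_items(doc):
    """Map metadata name -> entry, keeping 'value' / 'secretKeyRef' as written."""
    return {m["name"]: m for m in doc.get("spec", {}).get("metadata", []) if "name" in m}


def is_https(url):
    parsed = urlparse(str(url or ""))
    return parsed.scheme == "https" and bool(parsed.netloc)


def validate_component(doc):
    """Return (severity, message) findings for one Component; [] means valid."""
    findings = []
    ctype = doc.get("spec", {}).get("type", "")
    items = metadata_items(doc)
    for name in REQUIRED_FIELDS.get(ctype, ()):
        if name not in items:
            findings.append(("error", f"missing required field '{name}'"))
    for name in SECRET_FIELDS.get(ctype, ()):
        if name in items and "secretKeyRef" not in items[name]:
            findings.append(("critical", f"'{name}' is a plain-text value; use secretKeyRef"))
    for name in HTTPS_URL_FIELDS.get(ctype, ()):
        if name in items and not is_https(items[name].get("value")):
            findings.append(("critical", f"'{name}' must be an https:// URL"))
    if ctype == "middleware.http.oauth2":
        if str(items.get("forceHTTPS", {}).get("value", "")).lower() != "true":
            findings.append(("warning", "forceHTTPS is not 'true'"))
    elif ctype == "middleware.http.opa":
        rego = str(items.get("rego", {}).get("value", ""))
        if not re.search(r"^\s*package\s+http\s*$", rego, re.M):
            findings.append(("error", "rego policy must declare 'package http'"))
        if re.search(r"^\s*default\s+allow\s*:?=\s*true\b", rego, re.M):
            findings.append(("critical", "rego policy allows by default"))
        elif not re.search(r"^\s*default\s+allow\s*:?=\s*false\b", rego, re.M):
            findings.append(("critical", "rego policy lacks 'default allow = false'"))
        # Dapr passes only the headers listed in includedHeaders to the policy
        # input, so a token check inside the policy sees nothing otherwise.
        headers = str(items.get("includedHeaders", {}).get("value", ""))
        if "authorization" not in headers.lower():
            findings.append(("warning", "includedHeaders does not pass Authorization to the policy"))
    elif ctype == "middleware.http.ratelimit":
        try:
            rps = int(items.get("maxRequestsPerSecond", {}).get("value"))
        except (TypeError, ValueError):
            rps = None
        if rps is None or rps <= 0:
            findings.append(("error", "maxRequestsPerSecond must be a positive integer"))
        elif rps > HIGH_RPS:
            findings.append(("warning", f"rate limit of {rps} RPS is very high"))
    return findings


# Constructed samples, shaped like yaml.safe_load() output for the files in the report below.
GOOD_OAUTH2 = {
    "apiVersion": "dapr.io/v1alpha1", "kind": "Component", "metadata": {"name": "oauth2"},
    "spec": {"type": "middleware.http.oauth2", "version": "v1", "metadata": [
        {"name": "clientId", "secretKeyRef": {"name": "oauth-secrets", "key": "client-id"}},
        {"name": "clientSecret", "secretKeyRef": {"name": "oauth-secrets", "key": "client-secret"}},
        {"name": "scopes", "value": "openid profile"},
        {"name": "authURL", "value": "https://auth.example.com/authorize"},
        {"name": "tokenURL", "value": "https://auth.example.com/token"},
        {"name": "redirectURL", "value": "https://app.example.com/callback"},
        {"name": "forceHTTPS", "value": "true"}]}}
BAD_BEARER = {"spec": {"type": "middleware.http.bearer", "metadata": [
    {"name": "issuer", "value": "http://auth.example.com"}]}}  # no audience, http issuer
BIG_RATELIMIT = {"spec": {"type": "middleware.http.ratelimit", "metadata": [
    {"name": "maxRequestsPerSecond", "value": "10000"}]}}
OPEN_OPA = {"spec": {"type": "middleware.http.opa", "metadata": [
    {"name": "rego", "value": "package http\ndefault allow = true\n"}]}}

if __name__ == "__main__":
    for label, doc in [("oauth2", GOOD_OAUTH2), ("bearer", BAD_BEARER),
                       ("ratelimit", BIG_RATELIMIT), ("opa", OPEN_OPA)]:
        print(label, validate_component(doc) or "valid")
```

To run it over real files, load each with `yaml.safe_load()` and pass the resulting dict to `validate_component`; a file containing several documents needs `yaml.safe_load_all()`.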
Pipeline Order Validation
Correct middleware ordering (in the spec.httpPipeline of the Dapr Configuration resource):
```yaml
spec:
  httpPipeline:
    handlers:
    - name: routerchecker   # 1. block invalid requests first
      type: middleware.http.routerchecker
    - name: ratelimit       # 2. rate limit before auth
      type: middleware.http.ratelimit
    - name: bearer-auth     # 3. authenticate
      type: middleware.http.bearer
    - name: opa-authz       # 4. authorize (after auth)
      type: middleware.http.opa
    - name: routeralias     # 5. transform routes last
      type: middleware.http.routeralias
```
Order checks:
- Rate limiting comes before authentication
- Authorization comes after authentication
- Route validation comes before other middleware
- Route aliasing comes after security middleware
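The four order checks above, as an added example that is not the skill's own code. It works on the handlers list of a Configuration's spec.httpPipeline (constructed inline here); the role ranks encode the page's ordering rules, and handler types the page does not rank (wasm, uppercase) are assumed to belong after the security middleware.

```python
# Role of each middleware type in the pipeline, and the rank that role must respect.
ROLE_OF_TYPE = {
    "middleware.http.routerchecker": "validate",
    "middleware.http.ratelimit": "throttle",
    "middleware.http.sentinel": "throttle",
    "middleware.http.oauth2": "authn",
    "middleware.http.oauth2clientcredentials": "authn",
    "middleware.http.bearer": "authn",
    "middleware.http.opa": "authz",
    "middleware.http.routeralias": "rewrite",
}
ROLE_RANK = {"validate": 0, "throttle": 1, "authn": 2, "authz": 3, "rewrite": 4}
UNRANKED = 5  # assumption: types without a role (wasm, uppercase, ...) go after security middleware


def roles(handlers):
    """Pair each handler name with its role (None for types the page does not rank)."""
    return [(h.get("name", "?"), ROLE_OF_TYPE.get(h.get("type", ""))) for h in handlers]


def check_pipeline_order(handlers):
    """Return violation messages for a spec.httpPipeline.handlers list; [] means the order is fine."""
    problems = []
    ranked = roles(handlers)
    # Any later handler whose role ranks lower than an earlier one is an inversion.
    for i, (earlier, earlier_role) in enumerate(ranked):
        for later, later_role in ranked[i + 1:]:
            if earlier_role and later_role and ROLE_RANK[earlier_role] > ROLE_RANK[later_role]:
                problems.append(f"'{later}' ({later_role}) should come BEFORE '{earlier}' ({earlier_role})")
    present = {r for _, r in ranked}
    if "authz" in present and "authn" not in present:
        problems.append("authorization middleware without any authentication middleware")
    if "throttle" not in present:
        problems.append("no rate limiting or flow control in the pipeline")
    return problems


def recommended_order(handlers):
    """Handler names sorted by role rank; the sort is stable, so equal ranks keep their order."""
    return [h.get("name", "?") for h in sorted(
        handlers, key=lambda h: ROLE_RANK.get(ROLE_OF_TYPE.get(h.get("type", "")), UNRANKED))]


# Constructed pipelines mirroring the report below.
WRONG = [{"name": "bearer-auth", "type": "middleware.http.bearer"},
         {"name": "ratelimit", "type": "middleware.http.ratelimit"}]
RIGHT = [{"name": "routerchecker", "type": "middleware.http.routerchecker"},
         {"name": "ratelimit", "type": "middleware.http.ratelimit"},
         {"name": "bearer-auth", "type": "middleware.http.bearer"},
         {"name": "opa-authz", "type": "middleware.http.opa"},
         {"name": "routeralias", "type": "middleware.http.routeralias"}]

if __name__ == "__main__":
    for problem in check_pipeline_order(WRONG):
        print("✗", problem)
    print("Current order:", [h["name"] for h in WRONG])
    print("Recommended:", recommended_order(WRONG))
    print("RIGHT:", check_pipeline_order(RIGHT) or "ok")
```

Note that Dapr applies handlers in the order listed, so the inversion check compares every pair, not just neighbours; a pipeline with several inversions reports each one.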
Security Checks
Critical Security Issues
- Plain-text credentials - clientId/clientSecret not in secretKeyRef
- HTTP URLs - Auth/token URLs using HTTP instead of HTTPS
- Default allow - OPA policy without explicit default deny
- No rate limiting - APIs without request throttling
Warnings
- Missing forceHTTPS - OAuth2 without HTTPS enforcement
- High rate limits - Very permissive request limits
- Overly permissive OPA - Policies with broad allow rules
- Missing headers - OPA not checking Authorization header
Output Format
```text
DAPR Middleware Validation Report
==================================

✓ components/oauth2-auth.yaml - Valid
  - Type: middleware.http.oauth2
  - Credentials use secretKeyRef: Yes
  - HTTPS enforced: Yes

⚠ components/ratelimit.yaml - Warning
  - Type: middleware.http.ratelimit
  - Warning: Rate limit of 10000 RPS is very high
  - Recommendation: Consider a lower limit for public APIs

✗ components/bearer-auth.yaml - Invalid
  - Type: middleware.http.bearer
  - Error: Missing required field 'audience'
  - Error: 'issuer' uses HTTP instead of HTTPS

Pipeline Analysis:
✗ Rate limiting should come BEFORE authentication middleware
  Current order: [bearer-auth, ratelimit]
  Recommended: [ratelimit, bearer-auth]

Security Summary:
- Critical: 1 (plain-text credentials)
- Warnings: 2
- Valid: 3
```
Common Issues and Fixes
Plain-Text Credentials
```yaml
# BAD (security risk)
- name: clientSecret
  value: "my-secret-key"

# GOOD (use a secret reference)
- name: clientSecret
  secretKeyRef:
    name: oauth-secrets
    key: client-secret
```
HTTP Instead of HTTPS
```yaml
# BAD (insecure)
- name: tokenURL
  value: "http://auth.example.com/token"

# GOOD
- name: tokenURL
  value: "https://auth.example.com/token"
```
Default Allow in OPA
```rego
# BAD (insecure - allows everything by default)
package http
default allow = true

# GOOD (secure - denies by default)
package http
default allow = false
allow {
  ... specific conditions ...
}
```
Wrong Pipeline Order
```yaml
# BAD (auth before rate limit allows DoS via auth endpoints)
handlers:
- name: oauth2
  type: middleware.http.oauth2
- name: ratelimit
  type: middleware.http.ratelimit

# GOOD (rate limit protects auth endpoints)
handlers:
- name: ratelimit
  type: middleware.http.ratelimit
- name: oauth2
  type: middleware.http.oauth2
```
Integration Points
This skill integrates with:
- middleware-expert agent for detailed configuration help
- security-scanner skill for broader security analysis
- /dapr:middleware command to generate valid configs
- /dapr:security command for pre-deployment checks