DAPR Middleware Configuration Validator

This skill validates DAPR HTTP middleware components for security and correctness.

When to Use

Claude automatically uses this skill when:

• A middleware YAML file is created or modified
• User configures OAuth2, Bearer, OPA, or rate limiting
• Pipeline configuration is being set up
• Before deploying middleware-protected APIs

Middleware Types

Authentication Middleware

Type	Component Type	Purpose
OAuth2	middleware.http.oauth2	Authorization Code flow
OAuth2 CC	middleware.http.oauth2clientcredentials	Service-to-service auth
Bearer	middleware.http.bearer	JWT/OIDC token validation

Authorization Middleware

Type	Component Type	Purpose
OPA	middleware.http.opa	Policy-based authorization

Traffic Control Middleware

Type	Component Type	Purpose
Rate Limit	middleware.http.ratelimit	Request throttling
Sentinel	middleware.http.sentinel	Circuit breaker/flow control

Request Processing Middleware

Type	Component Type	Purpose
Router Alias	middleware.http.routeralias	Route rewriting
Router Checker	middleware.http.routerchecker	Route validation
WASM	middleware.http.wasm	Custom WebAssembly logic
Uppercase	middleware.http.uppercase	Testing only

Validation Rules

OAuth2 Middleware Validation

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: oauth2
spec:
  type: middleware.http.oauth2
  version: v1
  metadata:
  - name: clientId
    secretKeyRef:           # REQUIRED: Use secretKeyRef
      name: oauth-secrets
      key: client-id
  - name: clientSecret
    secretKeyRef:           # REQUIRED: Use secretKeyRef
      name: oauth-secrets
      key: client-secret
  - name: scopes
    value: "openid profile" # REQUIRED
  - name: authURL
    value: "https://..."    # REQUIRED: Must be HTTPS
  - name: tokenURL
    value: "https://..."    # REQUIRED: Must be HTTPS
  - name: redirectURL
    value: "..."            # REQUIRED
  - name: forceHTTPS
    value: "true"           # RECOMMENDED for production

Checks performed:

• clientId uses secretKeyRef (not plain value)
• clientSecret uses secretKeyRef (not plain value)
• authURL uses HTTPS protocol
• tokenURL uses HTTPS protocol
• forceHTTPS is "true" for production

Bearer Token Validation

spec:
  type: middleware.http.bearer
  metadata:
  - name: audience
    value: "api://..."      # REQUIRED
  - name: issuer
    value: "https://..."    # REQUIRED: Must be HTTPS

Checks performed:

• audience is specified
• issuer uses HTTPS protocol
• Issuer matches known providers or is valid URL

OPA Middleware Validation

spec:
  type: middleware.http.opa
  metadata:
  - name: defaultStatus
    value: "403"            # RECOMMENDED: 403 for authz failures
  - name: rego
    value: |
      package http
      default allow = false  # REQUIRED: Default deny

Checks performed:

• Rego policy has default allow = false
• Policy uses package http
• includedHeaders contains Authorization if JWT checking
• No hardcoded secrets in policy

Rate Limit Validation

spec:
  type: middleware.http.ratelimit
  metadata:
  - name: maxRequestsPerSecond
    value: "100"            # REQUIRED: Reasonable limit

Checks performed:

• maxRequestsPerSecond is specified
• Value is reasonable (not 0, not extremely high)

Sentinel Validation

spec:
  type: middleware.http.sentinel
  metadata:
  - name: appName
    value: "my-service"     # REQUIRED
  - name: flowRules
    value: |                # At least one rule type required
      [...]

Checks performed:

• appName is specified
• At least one rule type is defined (flowRules, circuitBreakerRules, etc.)
• Resource paths in rules are valid format
• Threshold values are reasonable

WASM Validation

spec:
  type: middleware.http.wasm
  metadata:
  - name: url
    value: "file://..."     # REQUIRED

Checks performed:

• url is specified with valid scheme (file://, http://, https://)
• HTTPS used for remote WASM binaries
• Path exists for file:// URLs (if verifiable)

Router Alias Validation

spec:
  type: middleware.http.routeralias
  metadata:
  - name: routes
    value: |                # REQUIRED
      {"/api": "/v1.0/invoke/..."}

Checks performed:

• routes is valid JSON or YAML
• Target paths are valid Dapr API paths

Router Checker Validation

spec:
  type: middleware.http.routerchecker
  metadata:
  - name: rule
    value: "^[A-Za-z0-9/._-]+$"  # REQUIRED: Valid regex

Checks performed:

• rule is valid regex pattern
• Pattern is security-appropriate (blocks common attacks)

Pipeline Order Validation

Correct middleware ordering:

spec:
  httpPipeline:
    handlers:
    - name: routerchecker     # 1. Block invalid requests first
      type: middleware.http.routerchecker
    - name: ratelimit         # 2. Rate limit before auth
      type: middleware.http.ratelimit
    - name: bearer-auth       # 3. Authenticate
      type: middleware.http.bearer
    - name: opa-authz         # 4. Authorize (after auth)
      type: middleware.http.opa
    - name: routeralias       # 5. Transform routes last
      type: middleware.http.routeralias

Order checks:

• Rate limiting comes before authentication
• Authorization comes after authentication
• Route validation comes before other middleware
• Route aliasing comes after security middleware

Security Checks

Critical Security Issues

1. Plain-text credentials - clientId/clientSecret not in secretKeyRef
2. HTTP URLs - Auth/token URLs using HTTP instead of HTTPS
3. Default allow - OPA policy without explicit default deny
4. No rate limiting - APIs without request throttling

Warnings

1. Missing forceHTTPS - OAuth2 without HTTPS enforcement
2. High rate limits - Very permissive request limits
3. Overly permissive OPA - Policies with broad allow rules
4. Missing headers - OPA not checking Authorization header

Output Format

DAPR Middleware Validation Report
==================================

✓ components/oauth2-auth.yaml - Valid
  - Type: middleware.http.oauth2
  - Credentials use secretKeyRef: Yes
  - HTTPS enforced: Yes

⚠ components/ratelimit.yaml - Warning
  - Type: middleware.http.ratelimit
  - Warning: Rate limit of 10000 RPS is very high
  - Recommendation: Consider lower limit for public APIs

✗ components/bearer-auth.yaml - Invalid
  - Type: middleware.http.bearer
  - Error: Missing required field 'audience'
  - Error: 'issuer' uses HTTP instead of HTTPS

Pipeline Analysis:
✗ Rate limiting should come BEFORE authentication middleware
  Current order: [bearer-auth, ratelimit]
  Recommended:   [ratelimit, bearer-auth]

Security Summary:
- Critical: 1 (plain-text credentials)
- Warnings: 2
- Valid: 3

Common Issues and Fixes

Plain-Text Credentials

# BAD (security risk)
- name: clientSecret
  value: "my-secret-key"

# GOOD (use secret reference)
- name: clientSecret
  secretKeyRef:
    name: oauth-secrets
    key: client-secret

HTTP Instead of HTTPS

# BAD (insecure)
- name: tokenURL
  value: "http://auth.example.com/token"

# GOOD
- name: tokenURL
  value: "https://auth.example.com/token"

Default Allow in OPA

# BAD (insecure - allows everything by default)
package http
default allow = true

# GOOD (secure - denies by default)
package http
default allow = false
allow { ... specific conditions ... }

Wrong Pipeline Order

# BAD (auth before rate limit allows DoS via auth endpoints)
handlers:
- name: oauth2
  type: middleware.http.oauth2
- name: ratelimit
  type: middleware.http.ratelimit

# GOOD (rate limit protects auth endpoints)
handlers:
- name: ratelimit
  type: middleware.http.ratelimit
- name: oauth2
  type: middleware.http.oauth2

Integration Points

This skill integrates with:

• middleware-expert agent for detailed configuration help
• security-scanner skill for broader security analysis
• /dapr:middleware command to generate valid configs
• /dapr:security command for pre-deployment checks