| name | dapr-middleware-validator |
| description | Automatically validate DAPR HTTP middleware configuration files. Checks for correct middleware types, proper secret references, pipeline ordering, and security best practices. Use when configuring OAuth2, Bearer tokens, OPA policies, rate limiting, or other middleware. |
| allowed-tools | Read, Grep, Glob |
DAPR Middleware Configuration Validator
This skill validates DAPR HTTP middleware components for security and correctness.
When to Use
Claude automatically uses this skill when:
- A middleware YAML file is created or modified
- User configures OAuth2, Bearer, OPA, or rate limiting
- Pipeline configuration is being set up
- Before deploying middleware-protected APIs
Middleware Types
Authentication Middleware
| Type | Component Type | Purpose |
|---|---|---|
| OAuth2 | middleware.http.oauth2 |
Authorization Code flow |
| OAuth2 CC | middleware.http.oauth2clientcredentials |
Service-to-service auth |
| Bearer | middleware.http.bearer |
JWT/OIDC token validation |
Authorization Middleware
| Type | Component Type | Purpose |
|---|---|---|
| OPA | middleware.http.opa |
Policy-based authorization |
Traffic Control Middleware
| Type | Component Type | Purpose |
|---|---|---|
| Rate Limit | middleware.http.ratelimit |
Request throttling |
| Sentinel | middleware.http.sentinel |
Circuit breaker/flow control |
Request Processing Middleware
| Type | Component Type | Purpose |
|---|---|---|
| Router Alias | middleware.http.routeralias |
Route rewriting |
| Router Checker | middleware.http.routerchecker |
Route validation |
| WASM | middleware.http.wasm |
Custom WebAssembly logic |
| Uppercase | middleware.http.uppercase |
Testing only |
Validation Rules
OAuth2 Middleware Validation
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
name: oauth2
spec:
type: middleware.http.oauth2
version: v1
metadata:
- name: clientId
secretKeyRef: # REQUIRED: Use secretKeyRef
name: oauth-secrets
key: client-id
- name: clientSecret
secretKeyRef: # REQUIRED: Use secretKeyRef
name: oauth-secrets
key: client-secret
- name: scopes
value: "openid profile" # REQUIRED
- name: authURL
value: "https://..." # REQUIRED: Must be HTTPS
- name: tokenURL
value: "https://..." # REQUIRED: Must be HTTPS
- name: redirectURL
value: "..." # REQUIRED
- name: forceHTTPS
value: "true" # RECOMMENDED for production
Checks performed:
-
clientIdusessecretKeyRef(not plain value) -
clientSecretusessecretKeyRef(not plain value) -
authURLuses HTTPS protocol -
tokenURLuses HTTPS protocol -
forceHTTPSis "true" for production
Bearer Token Validation
spec:
type: middleware.http.bearer
metadata:
- name: audience
value: "api://..." # REQUIRED
- name: issuer
value: "https://..." # REQUIRED: Must be HTTPS
Checks performed:
-
audienceis specified -
issueruses HTTPS protocol - Issuer matches known providers or is valid URL
OPA Middleware Validation
spec:
type: middleware.http.opa
metadata:
- name: defaultStatus
value: "403" # RECOMMENDED: 403 for authz failures
- name: rego
value: |
package http
default allow = false # REQUIRED: Default deny
Checks performed:
- Rego policy has
default allow = false - Policy uses
package http -
includedHeaderscontains Authorization if JWT checking - No hardcoded secrets in policy
Rate Limit Validation
spec:
type: middleware.http.ratelimit
metadata:
- name: maxRequestsPerSecond
value: "100" # REQUIRED: Reasonable limit
Checks performed:
-
maxRequestsPerSecondis specified - Value is reasonable (not 0, not extremely high)
Sentinel Validation
spec:
type: middleware.http.sentinel
metadata:
- name: appName
value: "my-service" # REQUIRED
- name: flowRules
value: | # At least one rule type required
[...]
Checks performed:
-
appNameis specified - At least one rule type is defined (flowRules, circuitBreakerRules, etc.)
- Resource paths in rules are valid format
- Threshold values are reasonable
WASM Validation
spec:
type: middleware.http.wasm
metadata:
- name: url
value: "file://..." # REQUIRED
Checks performed:
-
urlis specified with valid scheme (file://, http://, https://) - HTTPS used for remote WASM binaries
- Path exists for file:// URLs (if verifiable)
Router Alias Validation
spec:
type: middleware.http.routeralias
metadata:
- name: routes
value: | # REQUIRED
{"/api": "/v1.0/invoke/..."}
Checks performed:
-
routesis valid JSON or YAML - Target paths are valid Dapr API paths
Router Checker Validation
spec:
type: middleware.http.routerchecker
metadata:
- name: rule
value: "^[A-Za-z0-9/._-]+$" # REQUIRED: Valid regex
Checks performed:
-
ruleis valid regex pattern - Pattern is security-appropriate (blocks common attacks)
Pipeline Order Validation
Correct middleware ordering:
spec:
httpPipeline:
handlers:
- name: routerchecker # 1. Block invalid requests first
type: middleware.http.routerchecker
- name: ratelimit # 2. Rate limit before auth
type: middleware.http.ratelimit
- name: bearer-auth # 3. Authenticate
type: middleware.http.bearer
- name: opa-authz # 4. Authorize (after auth)
type: middleware.http.opa
- name: routeralias # 5. Transform routes last
type: middleware.http.routeralias
Order checks:
- Rate limiting comes before authentication
- Authorization comes after authentication
- Route validation comes before other middleware
- Route aliasing comes after security middleware
Security Checks
Critical Security Issues
- Plain-text credentials - clientId/clientSecret not in secretKeyRef
- HTTP URLs - Auth/token URLs using HTTP instead of HTTPS
- Default allow - OPA policy without explicit default deny
- No rate limiting - APIs without request throttling
Warnings
- Missing forceHTTPS - OAuth2 without HTTPS enforcement
- High rate limits - Very permissive request limits
- Overly permissive OPA - Policies with broad allow rules
- Missing headers - OPA not checking Authorization header
Output Format
DAPR Middleware Validation Report
==================================
✓ components/oauth2-auth.yaml - Valid
- Type: middleware.http.oauth2
- Credentials use secretKeyRef: Yes
- HTTPS enforced: Yes
⚠ components/ratelimit.yaml - Warning
- Type: middleware.http.ratelimit
- Warning: Rate limit of 10000 RPS is very high
- Recommendation: Consider lower limit for public APIs
✗ components/bearer-auth.yaml - Invalid
- Type: middleware.http.bearer
- Error: Missing required field 'audience'
- Error: 'issuer' uses HTTP instead of HTTPS
Pipeline Analysis:
✗ Rate limiting should come BEFORE authentication middleware
Current order: [bearer-auth, ratelimit]
Recommended: [ratelimit, bearer-auth]
Security Summary:
- Critical: 1 (plain-text credentials)
- Warnings: 2
- Valid: 3
Common Issues and Fixes
Plain-Text Credentials
# BAD (security risk)
- name: clientSecret
value: "my-secret-key"
# GOOD (use secret reference)
- name: clientSecret
secretKeyRef:
name: oauth-secrets
key: client-secret
HTTP Instead of HTTPS
# BAD (insecure)
- name: tokenURL
value: "http://auth.example.com/token"
# GOOD
- name: tokenURL
value: "https://auth.example.com/token"
Default Allow in OPA
# BAD (insecure - allows everything by default)
package http
default allow = true
# GOOD (secure - denies by default)
package http
default allow = false
allow { ... specific conditions ... }
Wrong Pipeline Order
# BAD (auth before rate limit allows DoS via auth endpoints)
handlers:
- name: oauth2
type: middleware.http.oauth2
- name: ratelimit
type: middleware.http.ratelimit
# GOOD (rate limit protects auth endpoints)
handlers:
- name: ratelimit
type: middleware.http.ratelimit
- name: oauth2
type: middleware.http.oauth2
Integration Points
This skill integrates with:
middleware-expertagent for detailed configuration helpsecurity-scannerskill for broader security analysis/dapr:middlewarecommand to generate valid configs/dapr:securitycommand for pre-deployment checks