e2b-dev · AdaAibaby · Apr 24, 2026 · Apr 24, 2026
@@ -16,6 +16,10 @@ import (
 	"github.com/e2b-dev/infra/packages/auth/pkg/types"
 )
 
+// GetTeam retrieves the effective team for the current request context.
+// It first checks for team information injected by authentication middleware
+// and falls back to resolving teams by user ID if available. If a teamID is
+// provided it validates access to that team. Returns an APIError on failure.
 func (a *APIStore) GetTeam(
 	ctx context.Context,
 	c *gin.Context,

@@ -15,15 +15,24 @@ const (
 	authInfoExpiration = time.Hour * 2
 )
 
+// AccessTokenData holds authentication details associated with a generated
+// temporary e2b token: the underlying Docker registry token and the
+// template identifier this token is valid for.
 type AccessTokenData struct {
 	DockerToken string
 	TemplateID  string
 }
 
+// AuthCache provides a TTL-backed in-memory cache for mapping generated
+// e2b tokens to `AccessTokenData`. It is intended to be short-lived and
+// is used during reverse-proxy authentication flows.
 type AuthCache struct {
 	cache *ttlcache.Cache[string, *AccessTokenData]
 }
 
+// New returns a new initialized AuthCache instance.
+// The cache is started in a separate goroutine and will store temporary
+// access tokens for template/docker authentication lookup.
 func New() *AuthCache {
 	cache := ttlcache.New(ttlcache.WithTTL[string, *AccessTokenData](authInfoExpiration))
 

@@ -15,21 +15,33 @@ import (
 )
 
 const (
-	SigningReadOperation  = "read"
+	// SigningReadOperation is the operation name used when generating
+	// signatures for read operations.
+	SigningReadOperation = "read"
+
+	// SigningWriteOperation is the operation name used when generating
+	// signatures for write operations.
 	SigningWriteOperation = "write"
 
 	accessTokenHeader = "X-Access-Token"
 )
 
 // paths that are always allowed without general authentication
 // POST/init is secured via MMDS hash validation instead
+// authExcludedPaths lists request methods+paths that are allowed without
+// general access token authentication (for example health checks and
+// endpoints that support signing instead of a token).
 var authExcludedPaths = []string{
 	"GET/health",
 	"GET/files",
 	"POST/files",
 	"POST/init",
 }
 
+// WithAuthorization is middleware that enforces access token authentication
+// for requests handled by the returned handler. If the API's access token
+// is not set the middleware is a no-op. Requests that match
+// authExcludedPaths or present a valid access token are allowed.
 func (a *API) WithAuthorization(handler http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 		if a.accessToken.IsSet() {