Merge branch 'main' into cookie-sanitization

2025-03-31 23:41:28 -04:00 · 2025-03-31 23:41:28 -04:00 · 33420cb64b
parent 4b2e363a09 bb12633c8b
commit 33420cb64b
4 changed files with 32 additions and 80 deletions
--- a/go.mod
+++ b/go.mod
@ -18,7 +18,7 @@ require (
 require (
 	github.com/andybalholm/brotli v1.1.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/fxamacker/cbor/v2 v2.7.0 // direct
+	github.com/fxamacker/cbor/v2 v2.8.0 // direct
 	github.com/klauspost/compress v1.17.11 // indirect
 	github.com/philhofer/fwd v1.1.3-0.20240916144458-20a13a1f6b7c // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
--- a/go.sum
+++ b/go.sum
@ -2,8 +2,8 @@ github.com/andybalholm/brotli v1.1.1 h1:PR2pgnyFznKEugtsUo0xLdDop5SKXd5Qf5ysW+7X
 github.com/andybalholm/brotli v1.1.1/go.mod h1:05ib4cKhjx3OQYUY22hTVd34Bc8upXjOLL2rKwwZBoA=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
-github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
+github.com/fxamacker/cbor/v2 v2.8.0 h1:fFtUGXUzXPHTIUdne5+zzMPTfffl3RD5qYnkY40vtxU=
+github.com/fxamacker/cbor/v2 v2.8.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
 github.com/gofiber/schema v1.3.0 h1:K3F3wYzAY+aivfCCEHPufCthu5/13r/lzp1nuk6mr3Q=
 github.com/gofiber/schema v1.3.0/go.mod h1:YYwj01w3hVfaNjhtJzaqetymL56VW642YS3qZPhuE6c=
 github.com/gofiber/utils/v2 v2.0.0-beta.7 h1:NnHFrRHvhrufPABdWajcKZejz9HnCWmT/asoxRsiEbQ=
@ -34,8 +34,6 @@ github.com/xyproto/randomstring v1.0.5 h1:YtlWPoRdgMu3NZtP45drfy1GKoojuR7hmRcnhZ
 github.com/xyproto/randomstring v1.0.5/go.mod h1:rgmS5DeNXLivK7YprL0pY+lTuhNQW3iGxZ18UQApw/E=
 golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
 golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
-golang.org/x/net v0.35.0 h1:T5GQRQb2y08kTAByq9L4/bz8cipCdA8FbRTXewonqY8=
-golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk=
 golang.org/x/net v0.37.0 h1:1zLorHbz+LYj7MQlSf1+2tPIIgibq2eL5xkrGk6f+2c=
 golang.org/x/net v0.37.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
--- a/middleware/keyauth/keyauth.go
+++ b/middleware/keyauth/keyauth.go
@ -2,7 +2,6 @@
 package keyauth

 import (
-	"context"
 	"errors"
 	"fmt"
 	"net/url"
@ -60,10 +59,7 @@ func New(config ...Config) fiber.Handler {
 		valid, err := cfg.Validator(c, key)

 		if err == nil && valid {
-			// Store in both Locals and Context
 			c.Locals(tokenKey, key)
-			ctx := context.WithValue(c.Context(), tokenKey, key)
-			c.SetContext(ctx)
 			return cfg.SuccessHandler(c)
 		}
 		return cfg.ErrorHandler(c, err)
@ -72,20 +68,12 @@ func New(config ...Config) fiber.Handler {

 // TokenFromContext returns the bearer token from the request context.
 // returns an empty string if the token does not exist
-func TokenFromContext(c any) string {
-	switch ctx := c.(type) {
-	case context.Context:
-		if token, ok := ctx.Value(tokenKey).(string); ok {
-			return token
-		}
-	case fiber.Ctx:
-		if token, ok := ctx.Locals(tokenKey).(string); ok {
-			return token
-		}
-	default:
-		panic("unsupported context type, expected fiber.Ctx or context.Context")
+func TokenFromContext(c fiber.Ctx) string {
+	token, ok := c.Locals(tokenKey).(string)
+	if !ok {
+		return ""
 	}
-	return ""
+	return token
 }

 // MultipleKeySourceLookup creates a CustomKeyLookup function that checks multiple sources until one is found
--- a/middleware/keyauth/keyauth_test.go
+++ b/middleware/keyauth/keyauth_test.go
@ -503,67 +503,33 @@ func Test_TokenFromContext_None(t *testing.T) {
 }

 func Test_TokenFromContext(t *testing.T) {
-	// Test that TokenFromContext returns the correct token
-	t.Run("fiber.Ctx", func(t *testing.T) {
-		app := fiber.New()
-		app.Use(New(Config{
-			KeyLookup:  "header:Authorization",
-			AuthScheme: "Basic",
-			Validator: func(_ fiber.Ctx, key string) (bool, error) {
-				if key == CorrectKey {
-					return true, nil
-				}
-				return false, ErrMissingOrMalformedAPIKey
-			},
-		}))
-		app.Get("/", func(c fiber.Ctx) error {
-			return c.SendString(TokenFromContext(c))
-		})
-
-		req := httptest.NewRequest(fiber.MethodGet, "/", nil)
-		req.Header.Add("Authorization", "Basic "+CorrectKey)
-		res, err := app.Test(req)
-		require.NoError(t, err)
-
-		body, err := io.ReadAll(res.Body)
-		require.NoError(t, err)
-		require.Equal(t, CorrectKey, string(body))
+	app := fiber.New()
+	// Wire up keyauth middleware to set TokenFromContext now
+	app.Use(New(Config{
+		KeyLookup:  "header:Authorization",
+		AuthScheme: "Basic",
+		Validator: func(_ fiber.Ctx, key string) (bool, error) {
+			if key == CorrectKey {
+				return true, nil
+			}
+			return false, ErrMissingOrMalformedAPIKey
+		},
+	}))
+	// Define a test handler that checks TokenFromContext
+	app.Get("/", func(c fiber.Ctx) error {
+		return c.SendString(TokenFromContext(c))
 	})

-	t.Run("context.Context", func(t *testing.T) {
-		app := fiber.New()
-		app.Use(New(Config{
-			KeyLookup:  "header:Authorization",
-			AuthScheme: "Basic",
-			Validator: func(_ fiber.Ctx, key string) (bool, error) {
-				if key == CorrectKey {
-					return true, nil
-				}
-				return false, ErrMissingOrMalformedAPIKey
-			},
-		}))
-		// Verify that TokenFromContext works with context.Context
-		app.Get("/", func(c fiber.Ctx) error {
-			ctx := c.Context()
-			token := TokenFromContext(ctx)
-			return c.SendString(token)
-		})
+	req := httptest.NewRequest(fiber.MethodGet, "/", nil)
+	req.Header.Add("Authorization", "Basic "+CorrectKey)
+	// Send
+	res, err := app.Test(req)
+	require.NoError(t, err)

-		req := httptest.NewRequest(fiber.MethodGet, "/", nil)
-		req.Header.Add("Authorization", "Basic "+CorrectKey)
-		res, err := app.Test(req)
-		require.NoError(t, err)
-
-		body, err := io.ReadAll(res.Body)
-		require.NoError(t, err)
-		require.Equal(t, CorrectKey, string(body))
-	})
-
-	t.Run("invalid context type", func(t *testing.T) {
-		require.Panics(t, func() {
-			_ = TokenFromContext("invalid")
-		})
-	})
+	// Read the response body into a string
+	body, err := io.ReadAll(res.Body)
+	require.NoError(t, err)
+	require.Equal(t, CorrectKey, string(body))
 }

 func Test_AuthSchemeToken(t *testing.T) {