* feat(timeout): unify and enhance timeout middleware
- Combine classic context-based timeout with a Goroutine + channel approach
- Support custom error list without additional parameters
- Return fiber.ErrRequestTimeout for timeouts or listed errors
* feat(timeout): unify and enhance timeout middleware
- Combine classic context-based timeout with a Goroutine + channel approach
- Support custom error list without additional parameters
- Return fiber.ErrRequestTimeout for timeouts or listed errors
* refactor(timeout): remove goroutine-based logic and improve documentation
- Switch to a synchronous approach to avoid data races with fasthttp context
- Enhance error handling for deadline and custom errors
- Update comments for clarity and maintainability
* refactor(timeout): add more test cases and handle zero duration case
* refactor(timeout): add more test cases and handle zero duration case
* refactor(timeout): add more test cases and handle zero duration case
---------
Co-authored-by: Juan Calderon-Perez <835733+gaby@users.noreply.github.com>
* Add Drop method to DefaultCtx and remove redundant checks
Introduced a Drop method in DefaultCtx for closing connections, enabling easier resource management. Removed unnecessary nil-checks for headers in manager_msgp to simplify code logic. Added a unit test to ensure the new Drop method behaves as expected.
* Add `Drop` method to Fiber context API documentation
The `Drop` method allows silently terminating client connections without sending HTTP headers or a response body. This is useful for scenarios like mitigating DDoS attacks or blocking unauthorized access to sensitive endpoints. Example usage and function signature are included in the updated documentation.
* Remove extraneous blank line in documentation.
Eliminated an unnecessary blank line in the API context documentation for improved readability and formatting consistency. No functional changes were made to the content.
* Update API documentation example to return "Hello World!"
Revised the example code in the API documentation to return a generic "Hello World!" string instead of a dynamic response. This improves consistency and simplifies the example for easier understanding.
* Refactor Drop method and extend test coverage.
Simplified the Drop method by inlining the connection close call. Added new test cases to ensure proper handling of no-response scenarios and improved overall test coverage.
* fix golangci-lint issue
* Add test for Ctx.Drop with middleware interaction
This test ensures the correct behavior of the Ctx.Drop method when used with middleware, including response handling and error scenarios. It verifies that the middleware and handler properly handle the Drop call and its resulting effects.
* Add Drop method to DefaultCtx for closing connections
The Drop method allows closing connections without sending a response, improving control over connection handling. Also updated a test assertion to use StatusOK for improved readability and consistency.
* Refine Drop method comments to clarify error handling.
Explain the rationale for not wrapping errors in the Drop method. Emphasize that the returned error is solely for logging and not for further propagation or processing.
* Update Drop method documentation for clarity
Clarified the `Drop` method's behavior, specifying that it closes the connection without sending headers or a body. Added examples of use cases, such as DDoS mitigation and blocking sensitive endpoints.
* Refactor response header setting in middleware.
Replaced the direct header setting with the `Set` method for consistency and improved clarity. Removed a test case checking for a panic on closed response body as it is no longer applicable.
* 🔥 Feature: Add thread-safe reading from a closed testConn
* 🔥 Feature: Add TestConfig to app.Test()
This commit is summarized as:
- Add the struct `TestConfig` as a parameter for `app.Test()` instead of `timeout`
- Add documentation of `TestConfig` to docs/api/app.md and in-line
- Modify middleware to use `TestConfig` instead of the previous implementation
Fixes#3149
* 📚 Doc: Add more details about TestConfig in docs
* 🩹 Fix: Correct testConn tests
- Fixes Test_Utils_TestConn_Closed_Write
- Fixes missing regular write test
* 🎨 Style: Respect linter in Add App Test Config
* 🎨 Styles: Update app.go to respect linter
* ♻️ Refactor: Rename TestConfig's ErrOnTimeout to FailOnTimeout
- Rename TestConfig.ErrOnTimeout to TestConfig.FailOnTimeout
- Update documentation to use changed name
- Also fix stale documentation about passing Timeout as a
single argument
* 🩹 Fix: Fix typo in TestConfig struct comment in app.go
* ♻️ Refactor: Change app.Test() fail on timeouterror to os.ErrDeadlineExceeded
* ♻️ Refactor:Update middleware that use the same TestConfig to use a global variable
* 🩹 Fix: Update error from FailOnTimeout to os.ErrDeadlineExceeded in tests
* 🩹 Fix: Remove errors import from middlware/proxy/proxy_test.go
* 📚 Doc: Add `app.Test()` config changes to docs/whats_new.md
* ♻ Refactor: Change app.Test() and all uses to accept 0 as no timeout instead of -1
* 📚 Doc: Add TestConfig option details to docs/whats_new.md
* 🎨 Styles: Update docs/whats_new.md to respect markdown-lint
* 🎨 Styles: Update docs/whats_new.md to use consistent style for TestConfig options description
---------
Co-authored-by: Juan Calderon-Perez <835733+gaby@users.noreply.github.com>
* Rename UserContext() to Context(). Rename Context() to RequestCtx()
* Update Ctxt docs and What's new
* Remove extra blank lines
---------
Co-authored-by: M. Efe Çetin <efectn@protonmail.com>
* feat!(middleware/session): re-write session middleware with handler
* test(middleware/session): refactor to IdleTimeout
* fix: lint errors
* test: Save session after setting or deleting raw data in CSRF middleware
* Update middleware/session/middleware.go
Co-authored-by: Renan Bastos <renanbastos.tec@gmail.com>
* fix: mutex and globals order
* feat: Re-Add read lock to session Get method
* feat: Migrate New() to return middleware
* chore: Refactor session middleware to improve session handling
* chore: Private get on store
* chore: Update session middleware to use saveSession instead of save
* chore: Update session middleware to use getSession instead of get
* chore: Remove unused error handler in session middleware config
* chore: Update session middleware to use NewWithStore in CSRF tests
* test: add test
* fix: destroyed session and GHSA-98j2-3j3p-fw2v
* chore: Refactor session_test.go to use newStore() instead of New()
* feat: Improve session middleware test coverage and error handling
This commit improves the session middleware test coverage by adding assertions for the presence of the Set-Cookie header and the token value. It also enhances error handling by checking for the expected number of parts in the Set-Cookie header.
* chore: fix lint issues
* chore: Fix session middleware locking issue and improve error handling
* test: improve middleware test coverage and error handling
* test: Add idle timeout test case to session middleware test
* feat: add GetSession(id string) (*Session, error)
* chore: lint
* docs: Update session middleware docs
* docs: Security Note to examples
* docs: Add recommendation for CSRF protection in session middleware
* chore: markdown lint
* docs: Update session middleware docs
* docs: makrdown lint
* test(middleware/session): Add unit tests for session config.go
* test(middleware/session): Add unit tests for store.go
* test(middleware/session): Add data.go unit tests
* refactor(middleware/session): session tests and add session release test
- Refactor session tests to improve readability and maintainability.
- Add a new test case to ensure proper session release functionality.
- Update session.md
* refactor: session data locking in middleware/session/data.go
* refactor(middleware/session): Add unit test for session middleware store
* test: fix session_test.go and store_test.go unit tests
* refactor(docs): Update session.md with v3 changes to Expiration
* refactor(middleware/session): Improve data pool handling and locking
* chore(middleware/session): TODO for Expiration field in session config
* refactor(middleware/session): Improve session data pool handling and locking
* refactor(middleware/session): Improve session data pool handling and locking
* test(middleware/csrf): add session middleware coverage
* chroe(middleware/session): TODO for unregistered session middleware
* refactor(middleware/session): Update session middleware for v3 changes
* refactor(middleware/session): Update session middleware for v3 changes
* refactor(middleware/session): Update session middleware idle timeout
- Update the default idle timeout for session middleware from 24 hours to 30 minutes.
- Add a note in the session middleware documentation about the importance of the middleware order.
* docws(middleware/session): Add note about IdleTimeout requiring save using legacy approach
* refactor(middleware/session): Update session middleware idle timeout
Update the idle timeout for the session middleware to 30 minutes. This ensures that the session expires after a period of inactivity. The previous value was 24 hours, which is too long for most use cases. This change improves the security and efficiency of the session management.
* docs(middleware/session): Update session middleware idle timeout and configuration
* test(middleware/session): Fix tests for updated panics
* refactor(middleware/session): Update session middleware initialization and saving
* refactor(middleware/session): Remove unnecessary comment about negative IdleTimeout value
* refactor(middleware/session): Update session middleware make NewStore public
* refactor(middleware/session): Update session middleware Set, Get, and Delete methods
Refactor the Set, Get, and Delete methods in the session middleware to use more descriptive parameter names. Instead of using "middlewareContextKey", the methods now use "key" to represent the key of the session value. This improves the readability and clarity of the code.
* feat(middleware/session): AbsoluteTimeout and key any
* fix(middleware/session): locking issues and lint errors
* chore(middleware/session): Regenerate code in data_msgp.go
* refactor(middleware/session): rename GetSessionByID to GetByID
This commit also includes changes to the session_test.go and store_test.go files to add test cases for the new GetByID method.
* docs(middleware/session): AbsoluteTimeout
* refactor(middleware/csrf): Rename Expiration to IdleTimeout
* docs(whats-new): CSRF Rename Expiration to IdleTimeout and remove SessionKey field
* refactor(middleware/session): Rename expirationKeyType to absExpirationKeyType and update related functions
* refactor(middleware/session): rename Test_Session_Save_Absolute to Test_Session_Save_AbsoluteTimeout
* chore(middleware/session): update as per PR comments
* docs(middlware/session): fix indent lint
* fix(middleware/session): Address EfeCtn Comments
* refactor(middleware/session): Move bytesBuffer to it's own pool
* test(middleware/session): add decodeSessionData error coverage
* refactor(middleware/session): Update absolute timeout handling
- Update absolute timeout handling in getSession function
- Set absolute expiration time in getSession function
- Delete expired session in GetByID function
* refactor(session/middleware): fix *Session nil ctx when using Store.GetByID
* refactor(middleware/session): Remove unnecessary line in session_test.go
* fix(middleware/session): *Session lifecycle issues
* docs(middleware/session): Update GetByID method documentation
* docs(middleware/session): Update GetByID method documentation
* docs(middleware/session): markdown lint
* refactor(middleware/session): Simplify error handling in DefaultErrorHandler
* fix( middleware/session/config.go
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* add ctx releases for the test cases
---------
Co-authored-by: Renan Bastos <renanbastos.tec@gmail.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: Juan Calderon-Perez <835733+gaby@users.noreply.github.com>
Co-authored-by: René <rene@gofiber.io>
* 🩹Fix: Adaptor middleware duplicates cookies
* 🩹Fix: add extra cases for Test_HTTPMiddlewareWithCookies
---------
Co-authored-by: Juan Calderon-Perez <835733+gaby@users.noreply.github.com>
* enhancement: use msgp for flash message encoding/decoding
* add msgp tests
* improve test coverage
* improve test coverage
* fix linter
* update makefile
* extend go generation process
---------
Co-authored-by: Juan Calderon-Perez <835733+gaby@users.noreply.github.com>
Co-authored-by: René <rene@gofiber.io>
* feat: add max calculator to limiter middleware
* docs: update docs including the new parameter
* refactor: add new line before go code in docs
* fix: use crypto/rand instead of math/rand on tests
* test: add new test with zero set as limit
* fix: repeated tests failing when generating random limits
* fix: wrong type of MaxCalculator in docs
* feat: include max calculator in limiter_sliding
* refactor: rename MaxCalculator to MaxFunc
* docs: update docs with MaxFunc parameter
* tests: rename tests and add test for limiter sliding
* Use composites for internal structures. Fix alignment of structures across Fiber
* Update struct alignment in test files
* Enable alignment check with govet
* Fix ctx autoformat unit-test
* Revert app Config struct. Add betteralign to Makefile
* Disable comment on alert since it wont work for forks
* Update benchmark.yml
* Update benchmark.yml
* Remove warning from using positional fields
* Update router.go
* added startup default probe endpoint
* added test case
* updated docs
* updated test order
* added test case
* fixed go fmt and md lint
* fixed go fmt and md lint
* updated doc as per coderabbitai suggestions
* changed healhtcheck route register to use default const instead of string for test cases
* updated whats new with healthcheck content
* updated whats new doc with coderabbitai sugg
* updated migration guide
* Add support for consistent documentation using markdownlint
* Only run workflow during changes to markdown files
* Fix more inconsistencies
* Fixes to markdown under .github/
* More fixes
* Apply suggestions from code review
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* Fix typo in limiter docs
* Add missing space before code-block
* Add check for dead-links
* Add write-good
* Remove legacy README files
* Fix glob for skipping .md files
* Use paths-ignore instead
---------
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* Support for key length, Add benchmarks for EncryptCookie middleware
* Format tests
* Add tests for panics and key check in Encryptor and Decryptor functions
* Add tests for base64 decoding errors
* Update docs/middleware/encryptcookie.md
Co-authored-by: Jason McNeil <sixcolors@mac.com>
* Update middleware/encryptcookie/utils.go
Co-authored-by: Jason McNeil <sixcolors@mac.com>
* Add suggestions from code review
---------
Co-authored-by: Jason McNeil <sixcolors@mac.com>
* feat: Add session mutex lock for thread safety
* chore: Refactor releaseSession mutex
* docs: Improve session.Save() function
The changes include updating the comments to provide clearer explanations of the function's behavior.
* fix(middleware/session): mutex for thread safety
* chore: Remove extra release and acquire ctx calls in session_test.go
* feat: Remove unnecessary session mutex lock in decodeSessionData function
* port over FallbackKeyLookups from v2 middleware to v3
Signed-off-by: Dave Lee <dave@gray101.com>
* bot pointed out that I missed the format variable
Signed-off-by: Dave Lee <dave@gray101.com>
* fix lint and gofumpt issues
Signed-off-by: Dave Lee <dave@gray101.com>
* major revision: instead of FallbackKeyLookups, expose CustomKeyLookup as function, with utility functions to make creating these easy
Signed-off-by: Dave Lee <dave@gray101.com>
* add more tests to boost coverage
Signed-off-by: Dave Lee <dave@gray101.com>
* teardown code and cleanup
Signed-off-by: Dave Lee <dave@gray101.com>
* test fixes
Signed-off-by: Dave Lee <dave@gray101.com>
* slight boost to test coverage
Signed-off-by: Dave Lee <dave@gray101.com>
* docs: fix md table alignment
* fix comments - change some names, expose functions, improve docs
Signed-off-by: Dave Lee <dave@gray101.com>
* missed one old name
Signed-off-by: Dave Lee <dave@gray101.com>
* fix some suggestions from the bot - error messages, test coverage, mark purely defensive code
Signed-off-by: Dave Lee <dave@gray101.com>
---------
Signed-off-by: Dave Lee <dave@gray101.com>
Co-authored-by: Juan Calderon-Perez <835733+gaby@users.noreply.github.com>
Co-authored-by: Jason McNeil <sixcolors@mac.com>
Co-authored-by: RW <rene@gofiber.io>
* Add an option to invalidate cache
* Add a summary about the cache middleware update
* Rename the option to make it clearer
* Rename hard tab
* Fix markdown formatting
* Revert unnecessary change
* Clarify the description of cache invalidator
* Add empty line
---------
Co-authored-by: RW <rene@gofiber.io>
* fix: token injection vulnerability GHSA-98j2-3j3p-fw2v
- Ensure session IDs are securely generated server-side.
- Add validation to prevent user-supplied session IDs.
- Update tests to verify correct session token use.
This update addresses the critical session middleware vulnerability identified in versions 2 and above of GoFiber.
* chore: Remove unused code and dependencies in session store
* test(middleware/csrf): Save session after generating new session ID
This commit saves the session after generating a new session ID to ensure that the updated session ID is persisted. This change is necessary to address a critical session middleware vulnerability identified in versions 2 and above of GoFiber.
* chore: Save session ID in context for middleware chain
The code changes add functionality to save the newly generated session ID in the context, allowing it to be accessible to subsequent middlewares in the chain. This improvement ensures that the session ID is available for use throughout the middleware stack.
* refactor(session.go): general clean-up
* chore: Revert session freshness behavior
The code changes in `session_test.go` fix the session freshness check by updating the assertions for `sess.Fresh()` and `sess.ID()`. The previous assertions were incorrect and have been corrected to ensure the session ID remains the same and the session is not fresh.
* chore: Update session.Get method signature to use fiber.Ctx instead of *fiber.Ctx
* fix(middleware/cors): Config, lists as list types.
Improve insecure config error text.
* chore: Add tests for CORS preflight requests with Access-Control-Request-Headers
* test(middleware/cors): explicit wildcard in test
---------
Co-authored-by: Juan Calderon-Perez <835733+gaby@users.noreply.github.com>
* Update pull_request_template.md
* Update v3-changes.md
* Update CONTRIBUTING.md (#2752)
Grammar correction.
* chore(encryptcookie)!: update default config (#2753)
* chore(encryptcookie)!: update default config
docs(encryptcookie): enhance documentation and examples
BREAKING CHANGE: removed the hardcoded "csrf_" from the Except.
* docs(encryptcookie): reads or modifies cookies
* chore(encryptcookie): csrf config example
* docs(encryptcookie): md table spacing
* build(deps): bump actions/setup-go from 4 to 5 (#2754)
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4 to 5.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v4...v5)
---
updated-dependencies:
- dependency-name: actions/setup-go
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* 🩹 middleware/logger/: log client IP address by default (#2755)
* middleware/logger: Log client IP address by default.
* Update doc.
* fix: don't constrain middlewares' context-keys to strings 🐛 (#2751)
* Revert "Revert "🐛 requestid.Config.ContextKey is interface{} (#2369)" (#2742)"
This reverts commit 28be17f929.
* fix: request ContextKey default value condition
Should check for `nil` since it is `any`.
* fix: don't constrain middlewares' context-keys to strings
`context` recommends using "unexported type" as context keys to avoid
collisions https://pkg.go.dev/github.com/gofiber/fiber/v2#Ctx.Locals.
The official go blog also recommends this https://go.dev/blog/context.
`fiber.Ctx.Locals(key any, value any)` correctly allows consumers to
use unexported types or e.g. strings.
But some fiber middlewares constrain their context-keys to `string` in
their "default config structs", making it impossible to use unexported
types.
This PR removes the `string` _constraint_ from all middlewares, allowing
to now use unexported types as per the official guidelines. However
the default value is still a string, so it's not a breaking change, and
anyone still using strings as context keys is not affected.
* 📚 Update app.md for indentation (#2761)
Update app.md for indentation
* build(deps): bump github.com/google/uuid from 1.4.0 to 1.5.0 (#2762)
Bumps [github.com/google/uuid](https://github.com/google/uuid) from 1.4.0 to 1.5.0.
- [Release notes](https://github.com/google/uuid/releases)
- [Changelog](https://github.com/google/uuid/blob/master/CHANGELOG.md)
- [Commits](https://github.com/google/uuid/compare/v1.4.0...v1.5.0)
---
updated-dependencies:
- dependency-name: github.com/google/uuid
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* build(deps): bump github/codeql-action from 2 to 3 (#2763)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2 to 3.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/v2...v3)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Changing default log output (#2730)
changing default log output
Closes#2729
* Update hooks.md
fix wrong hooks signature
* 🩹 Fix: CORS middleware should use the defined AllowedOriginsFunc config when AllowedOrigins is empty (#2771)
* 🐛 [Bug]: Adaptator + otelfiber issue #2641 (#2772)
* 🩹🚨 - fix for redirect with query params (#2748)
* redirect with query params did not work, fix it and add test for it
* redirect middleware - fix test typo
* ♻️ logger/middleware colorize logger error message #2593 (#2773)
* ✨ feat: add liveness and readiness checks (#2509)
* ✨ feat: add liveness and readiness checkers
* 📝 docs: add docs for liveness and readiness
* ✨ feat: add options method for probe checkers
* ✅ tests: add tests for liveness and readiness
* ♻️ refactor: change default endpoint values
* ♻️ refactor: change default value for liveness endpoint
* 📝 docs: add return status for liveness and readiness probes
* ♻️ refactor: change probechecker to middleware
* 📝 docs: move docs to middleware session
* ♻️ refactor: apply gofumpt formatting
* ♻️ refactor: remove unused parameter
* split config and apply a review
* apply reviews and add testcases
* add benchmark
* cleanup
* rename middleware
* fix linter
* Update docs and config values
* Revert change to IsReady
* Updates based on code review
* Update docs to match other middlewares
---------
Co-authored-by: Muhammed Efe Cetin <efectn@protonmail.com>
Co-authored-by: Juan Calderon-Perez <835733+gaby@users.noreply.github.com>
Co-authored-by: Juan Calderon-Perez <jgcalderonperez@protonmail.com>
* prepare release v2.52.0
- add more Parser tests
* fix healthcheck.md
* configure workflows for V2 branch
* configure workflows for V2 branch
* Fix default value to false in docs of QueryBool (#2811)
fix default value to false in docs of QueryBool
* update queryParser config
* Update ctx.md
* Update routing.md
* 📚 Doc: Fix code snippet indentation in /docs/api/middleware/keyauth.md
Removes an an extra level of indentation in line 51 of
`keyauth.md` [here](https://github.com/gofiber/fiber/blob/v2/docs/api/middleware/keyauth.md?plain=1#L51)
* fix: healthcheck middleware not working with route group (#2863)
* fix: healthcheck middleware not working with route group
* perf: change verification method to improve perf
* Update healthcheck_test.go
* test: add not matching route test for strict routing
* add more test cases
* correct tests
* correct test helpers
* correct tests
* correct tests
---------
Co-authored-by: Juan Calderon-Perez <835733+gaby@users.noreply.github.com>
Co-authored-by: René Werner <rene@gofiber.io>
* Merge pull request from GHSA-fmg4-x8pw-hjhg
* Enforce Wildcard Origins with AllowCredentials check
* Expand unit-tests, fix issues with subdomains logic, update docs
* Update cors.md
* Added test using localhost, ipv4, and ipv6 address
* improve documentation markdown
---------
Co-authored-by: René Werner <rene@gofiber.io>
* Update app.go
prepare release v2.52.1
* fix cors domain normalize
* fix sync-docs workflow
* fix sync-docs workflow
* fix(middleware/cors): Validation of multiple Origins (#2883)
* fix: allow origins check
Refactor CORS origin validation and normalization to trim leading or trailing whitespace in the cfg.AllowOrigins string [list]. URLs with whitespace inside the URL are invalid, so the normalizeOrigin will return false because url.Parse will fail, and the middleware will panic.
fixes#2882
* test: AllowOrigins with whitespace
* test(middleware/cors): add benchmarks
* chore: fix linter errors
* test(middleware/cors): use h() instead of app.Test()
* test(middleware/cors): add miltiple origins in Test_CORS_AllowOriginScheme
* chore: refactor validate and normalize
* test(cors/middleware): add more benchmarks
* prepare release v2.52.2
* refactor(docs): deactivate docs sync for v2
* refactor(docs): deactivate docs sync for v2
* fix(middleware/cors): Handling and wildcard subdomain matching (#2915)
* fix: allow origins check
Refactor CORS origin validation and normalization to trim leading or trailing whitespace in the cfg.AllowOrigins string [list]. URLs with whitespace inside the URL are invalid, so the normalizeOrigin will return false because url.Parse will fail, and the middleware will panic.
fixes#2882
* test: AllowOrigins with whitespace
* test(middleware/cors): add benchmarks
* chore: fix linter errors
* test(middleware/cors): use h() instead of app.Test()
* test(middleware/cors): add miltiple origins in Test_CORS_AllowOriginScheme
* chore: refactor validate and normalize
* test(cors/middleware): add more benchmarks
* fix(middleware/cors): handling and wildcard subdomain matching
docs(middleware/cors): add How it works and Security Considerations
* chore: grammar
* Apply suggestions from code review
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* chore: fix misspelling
* test(middleware/cors): combine Invalid_Origins tests
* refactor(middleware/cors): headers handling
* docs(middleware/cors): Update AllowOrigins description
* chore: merge
* perf(middleware/cors): optimize handler
* perf(middleware/cors): optimize handler
* chore(middleware/cors): ipdate origin handling logic
* chore(middleware/cors): fix header capitalization
* docs(middleware/cors): improve sercuity notes
* docs(middleware/cors): Improve security notes
* docs(middleware/cors): improve CORS overview
* docs(middleware/cors): fix ordering of how it works
* docs(middleware/cors): add additional info to How to works
* docs(middleware/cors): rm space
* docs(middleware/cors): add validation for AllowOrigins origins to overview
* docs(middleware/cors): update ExposeHeaders and MaxAge descriptions
* docs(middleware/cors): Add dynamic origin validation example
* docs(middleware/cors): Improve security notes and fix header capitalization
* docs(middleware/cors): configuration examples
* docs(middleware/cors): `"*"`
---------
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* fix(middleware/cors): Categorize requests correctly (#2921)
* fix(middleware/cors): categorise requests correctly
* test(middleware/cors): improve test coverage for request types
* test(middleware/cors): Add subdomain matching tests
* test(middleware/cors): parallel tests for CORS headers based on request type
* test(middleware/cors): Add benchmark for CORS subdomain matching
* test(middleware/cors): cover additiona test cases
* refactor(middleware/cors): origin validation and normalization
* test(middleware/csrf): Fix Benchmark Tests (#2932)
* test(middleware/csrf): fix Benchmark_Middleware_CSRF_*
* fix(middleware/csrf): update refererMatchesHost()
* Prepare release v2.52.3
* fix(middleware/cors): CORS handling (#2937)
* fix(middleware/cors): CORS handling
* fix(middleware/cors): Vary header handling
* test(middleware/cors): Ensure Vary Headers checked
* fix(middleware/cors): Vary header handling non-cors OPTIONS requests (#2939)
* fix(middleware/cors): Vary header handling non-cors OPTIONS requests
* chore(middleware/cors): Add Vary header for non-CORS OPTIONS requests comment
* prepare release v2.52.4
* merge v2 in main(v3)
* merge v2 in main(v3)
* merge v2 in main(v3)
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: tokelo-12 <113810058+tokelo-12@users.noreply.github.com>
Co-authored-by: Jason McNeil <sixcolors@mac.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: iRedMail <2048991+iredmail@users.noreply.github.com>
Co-authored-by: Benjamin Grosse <ste3ls@gmail.com>
Co-authored-by: Mehmet Firat KOMURCU <mehmetfiratkomurcu@hotmail.com>
Co-authored-by: Bruno <bdm2943@icloud.com>
Co-authored-by: Muhammad Kholid B <muhammadkholidb@gmail.com>
Co-authored-by: gilwo <gilwo@users.noreply.github.com>
Co-authored-by: Lucas Lemos <lucashenriqueblemos@gmail.com>
Co-authored-by: Muhammed Efe Cetin <efectn@protonmail.com>
Co-authored-by: Juan Calderon-Perez <835733+gaby@users.noreply.github.com>
Co-authored-by: Juan Calderon-Perez <jgcalderonperez@protonmail.com>
Co-authored-by: Jongmin Kim <kjongmin26@gmail.com>
Co-authored-by: Giovanni Rivera <rivera.giovanni271@gmail.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
miyamo2
RW
Bulat Bagaviev
ACHMAD IRIANTO EKA PUTRA
dependabot[bot]
Hao Chun Chang
Sumit Kumar
Giovanni Rivera
JIeJaitt
Juan Calderon-Perez
Jason McNeil
xEricL
Aaron Zingerle
Sigmund Xia 夏天睿
M. Efe Çetin
Lucas Lemos
Bruno
kirankumar-grootan
Dave
Can Celik
Orville Simba
dockercui