* feat!(middleware/session): re-write session middleware with handler
* test(middleware/session): refactor to IdleTimeout
* fix: lint errors
* test: Save session after setting or deleting raw data in CSRF middleware
* Update middleware/session/middleware.go
Co-authored-by: Renan Bastos <renanbastos.tec@gmail.com>
* fix: mutex and globals order
* feat: Re-Add read lock to session Get method
* feat: Migrate New() to return middleware
* chore: Refactor session middleware to improve session handling
* chore: Private get on store
* chore: Update session middleware to use saveSession instead of save
* chore: Update session middleware to use getSession instead of get
* chore: Remove unused error handler in session middleware config
* chore: Update session middleware to use NewWithStore in CSRF tests
* test: add test
* fix: destroyed session and GHSA-98j2-3j3p-fw2v
* chore: Refactor session_test.go to use newStore() instead of New()
* feat: Improve session middleware test coverage and error handling
This commit improves the session middleware test coverage by adding assertions for the presence of the Set-Cookie header and the token value. It also enhances error handling by checking for the expected number of parts in the Set-Cookie header.
* chore: fix lint issues
* chore: Fix session middleware locking issue and improve error handling
* test: improve middleware test coverage and error handling
* test: Add idle timeout test case to session middleware test
* feat: add GetSession(id string) (*Session, error)
* chore: lint
* docs: Update session middleware docs
* docs: Security Note to examples
* docs: Add recommendation for CSRF protection in session middleware
* chore: markdown lint
* docs: Update session middleware docs
* docs: makrdown lint
* test(middleware/session): Add unit tests for session config.go
* test(middleware/session): Add unit tests for store.go
* test(middleware/session): Add data.go unit tests
* refactor(middleware/session): session tests and add session release test
- Refactor session tests to improve readability and maintainability.
- Add a new test case to ensure proper session release functionality.
- Update session.md
* refactor: session data locking in middleware/session/data.go
* refactor(middleware/session): Add unit test for session middleware store
* test: fix session_test.go and store_test.go unit tests
* refactor(docs): Update session.md with v3 changes to Expiration
* refactor(middleware/session): Improve data pool handling and locking
* chore(middleware/session): TODO for Expiration field in session config
* refactor(middleware/session): Improve session data pool handling and locking
* refactor(middleware/session): Improve session data pool handling and locking
* test(middleware/csrf): add session middleware coverage
* chroe(middleware/session): TODO for unregistered session middleware
* refactor(middleware/session): Update session middleware for v3 changes
* refactor(middleware/session): Update session middleware for v3 changes
* refactor(middleware/session): Update session middleware idle timeout
- Update the default idle timeout for session middleware from 24 hours to 30 minutes.
- Add a note in the session middleware documentation about the importance of the middleware order.
* docws(middleware/session): Add note about IdleTimeout requiring save using legacy approach
* refactor(middleware/session): Update session middleware idle timeout
Update the idle timeout for the session middleware to 30 minutes. This ensures that the session expires after a period of inactivity. The previous value was 24 hours, which is too long for most use cases. This change improves the security and efficiency of the session management.
* docs(middleware/session): Update session middleware idle timeout and configuration
* test(middleware/session): Fix tests for updated panics
* refactor(middleware/session): Update session middleware initialization and saving
* refactor(middleware/session): Remove unnecessary comment about negative IdleTimeout value
* refactor(middleware/session): Update session middleware make NewStore public
* refactor(middleware/session): Update session middleware Set, Get, and Delete methods
Refactor the Set, Get, and Delete methods in the session middleware to use more descriptive parameter names. Instead of using "middlewareContextKey", the methods now use "key" to represent the key of the session value. This improves the readability and clarity of the code.
* feat(middleware/session): AbsoluteTimeout and key any
* fix(middleware/session): locking issues and lint errors
* chore(middleware/session): Regenerate code in data_msgp.go
* refactor(middleware/session): rename GetSessionByID to GetByID
This commit also includes changes to the session_test.go and store_test.go files to add test cases for the new GetByID method.
* docs(middleware/session): AbsoluteTimeout
* refactor(middleware/csrf): Rename Expiration to IdleTimeout
* docs(whats-new): CSRF Rename Expiration to IdleTimeout and remove SessionKey field
* refactor(middleware/session): Rename expirationKeyType to absExpirationKeyType and update related functions
* refactor(middleware/session): rename Test_Session_Save_Absolute to Test_Session_Save_AbsoluteTimeout
* chore(middleware/session): update as per PR comments
* docs(middlware/session): fix indent lint
* fix(middleware/session): Address EfeCtn Comments
* refactor(middleware/session): Move bytesBuffer to it's own pool
* test(middleware/session): add decodeSessionData error coverage
* refactor(middleware/session): Update absolute timeout handling
- Update absolute timeout handling in getSession function
- Set absolute expiration time in getSession function
- Delete expired session in GetByID function
* refactor(session/middleware): fix *Session nil ctx when using Store.GetByID
* refactor(middleware/session): Remove unnecessary line in session_test.go
* fix(middleware/session): *Session lifecycle issues
* docs(middleware/session): Update GetByID method documentation
* docs(middleware/session): Update GetByID method documentation
* docs(middleware/session): markdown lint
* refactor(middleware/session): Simplify error handling in DefaultErrorHandler
* fix( middleware/session/config.go
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* add ctx releases for the test cases
---------
Co-authored-by: Renan Bastos <renanbastos.tec@gmail.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: Juan Calderon-Perez <835733+gaby@users.noreply.github.com>
Co-authored-by: René <rene@gofiber.io>
* fix(middleware/session): mutex for thread safety
* chore: Remove extra release and acquire ctx calls in session_test.go
* feat: Remove unnecessary session mutex lock in decodeSessionData function
* fix: token injection vulnerability GHSA-98j2-3j3p-fw2v
- Ensure session IDs are securely generated server-side.
- Add validation to prevent user-supplied session IDs.
- Update tests to verify correct session token use.
This update addresses the critical session middleware vulnerability identified in versions 2 and above of GoFiber.
* chore: Remove unused code and dependencies in session store
* test(middleware/csrf): Save session after generating new session ID
This commit saves the session after generating a new session ID to ensure that the updated session ID is persisted. This change is necessary to address a critical session middleware vulnerability identified in versions 2 and above of GoFiber.
* chore: Save session ID in context for middleware chain
The code changes add functionality to save the newly generated session ID in the context, allowing it to be accessible to subsequent middlewares in the chain. This improvement ensures that the session ID is available for use throughout the middleware stack.
* refactor(session.go): general clean-up
* chore: Revert session freshness behavior
The code changes in `session_test.go` fix the session freshness check by updating the assertions for `sess.Fresh()` and `sess.ID()`. The previous assertions were incorrect and have been corrected to ensure the session ID remains the same and the session is not fresh.
* chore: Update session.Get method signature to use fiber.Ctx instead of *fiber.Ctx
* Fixes for some of the failing tests
* Add readiness check to serverStart()
* Use net/http client for tests listen test
* Use different key for this test
* Run Proxy Middleware tests in parallel. Add nil checks for potential issues pointed by nilaway
* Enable parallel client tests
* Do not run timing sensitive tests in parallel
* Remove TODO
* Revert Test_Proxy_DoTimeout_Timeout, and remove t.Parallel() for it
* Do not calculate favicon len on each handler call
* Revert logic change
* Increase timeout of SaveFile tests
* Do not run time sensitive tests in parallel
* The Agent can't be run in parallel
* Do not run time sensitive tests in parallel
* Fixes based on uber/nilaway
* Revert change to Client test
* Run parallel
* Update client_test.go
* Update client_test.go
* Update cache_test.go
* Update cookiejar_test.go
* Remove parallel for test using timeouts
* Remove t.Parallel() from logger middleware tests
* Do not use testify.require in a goroutine
* Fix import, and update golangci-lint
* Remove changes to template_chain.go
* Run more tests in parallel
* Add more parallel tests
* Add more parallel tests
* SetLogger can't run in parallel
* Run more tests in parallel, fix issue with goroutine in limiter middleware
* Update internal/storage/memory, add more benchmarks
* Increase sleep for csrf test by 100 milliseconds. Implement asserted and parallel benchmarks for Session middleware
* Add 100 milliseconds to sleep during test
* Revert name change
* fix: Inconsistent and flaky unit-tests
* fix: Inconsistent and flaky unit-tests
* fix: Inconsistent and flaky unit-tests
* fix: Inconsistent and flaky unit-tests
* fix: Inconsistent and flaky unit-tests
* fix: Inconsistent and flaky unit-tests
* fix: Inconsistent and flaky unit-tests
* fix: Inconsistent and flaky unit-tests
* fix: Inconsistent and flaky unit-tests
* fix: Inconsistent and flaky unit-tests
---------
Co-authored-by: M. Efe Çetin <efectn@protonmail.com>
Co-authored-by: René <rene@gofiber.io>
* Update pull_request_template.md
* Update v3-changes.md
* Update CONTRIBUTING.md (#2752)
Grammar correction.
* chore(encryptcookie)!: update default config (#2753)
* chore(encryptcookie)!: update default config
docs(encryptcookie): enhance documentation and examples
BREAKING CHANGE: removed the hardcoded "csrf_" from the Except.
* docs(encryptcookie): reads or modifies cookies
* chore(encryptcookie): csrf config example
* docs(encryptcookie): md table spacing
* build(deps): bump actions/setup-go from 4 to 5 (#2754)
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4 to 5.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v4...v5)
---
updated-dependencies:
- dependency-name: actions/setup-go
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* 🩹 middleware/logger/: log client IP address by default (#2755)
* middleware/logger: Log client IP address by default.
* Update doc.
* fix: don't constrain middlewares' context-keys to strings 🐛 (#2751)
* Revert "Revert "🐛 requestid.Config.ContextKey is interface{} (#2369)" (#2742)"
This reverts commit 28be17f929.
* fix: request ContextKey default value condition
Should check for `nil` since it is `any`.
* fix: don't constrain middlewares' context-keys to strings
`context` recommends using "unexported type" as context keys to avoid
collisions https://pkg.go.dev/github.com/gofiber/fiber/v2#Ctx.Locals.
The official go blog also recommends this https://go.dev/blog/context.
`fiber.Ctx.Locals(key any, value any)` correctly allows consumers to
use unexported types or e.g. strings.
But some fiber middlewares constrain their context-keys to `string` in
their "default config structs", making it impossible to use unexported
types.
This PR removes the `string` _constraint_ from all middlewares, allowing
to now use unexported types as per the official guidelines. However
the default value is still a string, so it's not a breaking change, and
anyone still using strings as context keys is not affected.
* 📚 Update app.md for indentation (#2761)
Update app.md for indentation
* build(deps): bump github.com/google/uuid from 1.4.0 to 1.5.0 (#2762)
Bumps [github.com/google/uuid](https://github.com/google/uuid) from 1.4.0 to 1.5.0.
- [Release notes](https://github.com/google/uuid/releases)
- [Changelog](https://github.com/google/uuid/blob/master/CHANGELOG.md)
- [Commits](https://github.com/google/uuid/compare/v1.4.0...v1.5.0)
---
updated-dependencies:
- dependency-name: github.com/google/uuid
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* build(deps): bump github/codeql-action from 2 to 3 (#2763)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2 to 3.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/v2...v3)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Changing default log output (#2730)
changing default log output
Closes#2729
* Update hooks.md
fix wrong hooks signature
* 🩹 Fix: CORS middleware should use the defined AllowedOriginsFunc config when AllowedOrigins is empty (#2771)
* 🐛 [Bug]: Adaptator + otelfiber issue #2641 (#2772)
* 🩹🚨 - fix for redirect with query params (#2748)
* redirect with query params did not work, fix it and add test for it
* redirect middleware - fix test typo
* ♻️ logger/middleware colorize logger error message #2593 (#2773)
* ✨ feat: add liveness and readiness checks (#2509)
* ✨ feat: add liveness and readiness checkers
* 📝 docs: add docs for liveness and readiness
* ✨ feat: add options method for probe checkers
* ✅ tests: add tests for liveness and readiness
* ♻️ refactor: change default endpoint values
* ♻️ refactor: change default value for liveness endpoint
* 📝 docs: add return status for liveness and readiness probes
* ♻️ refactor: change probechecker to middleware
* 📝 docs: move docs to middleware session
* ♻️ refactor: apply gofumpt formatting
* ♻️ refactor: remove unused parameter
* split config and apply a review
* apply reviews and add testcases
* add benchmark
* cleanup
* rename middleware
* fix linter
* Update docs and config values
* Revert change to IsReady
* Updates based on code review
* Update docs to match other middlewares
---------
Co-authored-by: Muhammed Efe Cetin <efectn@protonmail.com>
Co-authored-by: Juan Calderon-Perez <835733+gaby@users.noreply.github.com>
Co-authored-by: Juan Calderon-Perez <jgcalderonperez@protonmail.com>
* prepare release v2.52.0
- add more Parser tests
* fix healthcheck.md
* configure workflows for V2 branch
* configure workflows for V2 branch
* Fix default value to false in docs of QueryBool (#2811)
fix default value to false in docs of QueryBool
* update queryParser config
* Update ctx.md
* Update routing.md
* merge v2 in v3
* merge v2 in v3
* lint fixes
* 📚 Doc: Fix code snippet indentation in /docs/api/middleware/keyauth.md
Removes an an extra level of indentation in line 51 of
`keyauth.md` [here](https://github.com/gofiber/fiber/blob/v2/docs/api/middleware/keyauth.md?plain=1#L51)
* fix: healthcheck middleware not working with route group (#2863)
* fix: healthcheck middleware not working with route group
* perf: change verification method to improve perf
* Update healthcheck_test.go
* test: add not matching route test for strict routing
* add more test cases
* correct tests
* correct test helpers
* correct tests
* correct tests
---------
Co-authored-by: Juan Calderon-Perez <835733+gaby@users.noreply.github.com>
Co-authored-by: René Werner <rene@gofiber.io>
* merge v2 in v3
* Merge pull request from GHSA-fmg4-x8pw-hjhg
* Enforce Wildcard Origins with AllowCredentials check
* Expand unit-tests, fix issues with subdomains logic, update docs
* Update cors.md
* Added test using localhost, ipv4, and ipv6 address
* improve documentation markdown
---------
Co-authored-by: René Werner <rene@gofiber.io>
* Update app.go
prepare release v2.52.1
* fix cors domain normalize
* fix sync-docs workflow
* test: fix failing tests
* fix sync-docs workflow
* test: cors middleware use testify require
* chore: fix lint warnings
* chore: revert test isolation.
* fixed the fasthttp ctx race condition problem
* Update middleware/cors/utils.go
Co-authored-by: Renan Bastos <renanbastos.tec@gmail.com>
* fix sync_docs.sh
* fix review comments/hints
* fix review comments/hints
* stabilize Test_Proxy_Timeout_Slow_Server test
* stabilize Test_Proxy_.* tests
* ignore bodyclose linter for tests
use http.NoBody instead of nil
* revert(tests): undo http.NoBody usage
* fix(ctx pool): postpone the reset for some values
shortly before the release in the pool
* refactor(tests): use testify panic method instead of custom solution
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: tokelo-12 <113810058+tokelo-12@users.noreply.github.com>
Co-authored-by: Jason McNeil <sixcolors@mac.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: iRedMail <2048991+iredmail@users.noreply.github.com>
Co-authored-by: Benjamin Grosse <ste3ls@gmail.com>
Co-authored-by: Mehmet Firat KOMURCU <mehmetfiratkomurcu@hotmail.com>
Co-authored-by: Bruno <bdm2943@icloud.com>
Co-authored-by: Muhammad Kholid B <muhammadkholidb@gmail.com>
Co-authored-by: gilwo <gilwo@users.noreply.github.com>
Co-authored-by: Lucas Lemos <lucashenriqueblemos@gmail.com>
Co-authored-by: Muhammed Efe Cetin <efectn@protonmail.com>
Co-authored-by: Juan Calderon-Perez <835733+gaby@users.noreply.github.com>
Co-authored-by: Juan Calderon-Perez <jgcalderonperez@protonmail.com>
Co-authored-by: Jongmin Kim <kjongmin26@gmail.com>
Co-authored-by: Giovanni Rivera <rivera.giovanni271@gmail.com>
Co-authored-by: Renan Bastos <renanbastos.tec@gmail.com>
In some cases, loop variables had to be reassigned to a local variable
to avoid concurrent access. This will no longer be needed when fiber's
minimum go version is bumped to 1.22, where each loop iteration gets its
own variable.
A Session must not be accessed after Save() is called, but a unit test
calls Session.ID() after Session.Save(), sometimes causing the test to
fail when -race is enabled. The assertions that ID() was being used in
were redundant with the previous two assertions (checking that the
session name header is empty), so we can just remove the offending code.
* 🔧 feat: Decode body in order when sent a list on content-encoding
* 🚀 perf: Change `getSplicedStrList` to have 0 allocations
* 🍵 test: Add tests for the new features
* 🍵 test: Ensure session test will not raise an error unexpectedly
* 🐗 feat: Replace strings.TrimLeft by utils.TrimLeft
Add docs to functions to inform correctly what the change is
* 🌷 refactor: Apply linter rules
* 🍵 test: Add test cases to the new body method change
* 🔧 feat: Remove return problems to be able to reach original body
* 🌷 refactor: Split Body method into two to make it more maintainable
Also, with the previous fix to problems detected by tests, it becomes really hard to make the linter happy, so this change also helps in it
* 🚀 perf: Came back with Header.VisitAll, to improve speed
* 📃 docs: Update Context docs
* golangci-lint: add and apply more stricter linting rules
* github: drop security workflow now that we use gosec linter inside golangci-lint
* github: use official golangci-lint CI linter
* Add editorconfig and gitattributes file
* fix unhandled errors
* fix unhandled error in cache package test
* omit variable type
* omit variable type
* rename variable because collide with the imported package name
* Update session.go
Fix: Session.Regenerate does not set Session.fresh to be true.
* Fix: Session should be regenerated if the session can not be found in the storage
https://github.com/gofiber/fiber/issues/1408
* Add test for session and store in session middleware.
* Clean up code
* Update middleware/session/session.go
Co-authored-by: hi019 <65871571+hi019@users.noreply.github.com>
* 🔥 Feature: Define KeyLookup configuration (#1110)
* 🔥 Feature: Allow session ID to be written in header (#1110)
* 🔥 Feature: Allow session ID to be obtained from different sources (#1110)
* 📚 Doc: Add Source configuration (#1110)
Jason McNeil
René
Juan Calderon-Perez
naoki kuroda
nickajacks1
Muhammed Efe Cetin
KaptinLin
João Victor Oliveira Couto
leonklingele
Amir Hossein
Trim21
Bhurinat Wangsutthitham
Spedoske
João Victor Santos
hi019
LeoZhan
tianjipeng
Fenny