* fix: allow origins check
Refactor CORS origin validation and normalization to trim leading or trailing whitespace in the cfg.AllowOrigins string [list]. URLs with whitespace inside the URL are invalid, so the normalizeOrigin will return false because url.Parse will fail, and the middleware will panic.
Fixes #2882
* test: AllowOrigins with whitespace
* test(middleware/cors): add benchmarks
* chore: fix linter errors
* test(middleware/cors): use h() instead of app.Test()
* test(middleware/cors): add multiple origins in Test_CORS_AllowOriginScheme
* chore: refactor validate and normalize
* test(cors/middleware): add more benchmarks
* fix(middleware/cors): handling and wildcard subdomain matching
docs(middleware/cors): add How it works and Security Considerations
* chore: grammar
* Apply suggestions from code review
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* chore: fix misspelling
* test(middleware/cors): combine Invalid_Origins tests
* refactor(middleware/cors): headers handling
* docs(middleware/cors): Update AllowOrigins description
* chore: merge
* perf(middleware/cors): optimize handler
* perf(middleware/cors): optimize handler
* chore(middleware/cors): update origin handling logic
* chore(middleware/cors): fix header capitalization
* docs(middleware/cors): improve security notes
* docs(middleware/cors): Improve security notes
* docs(middleware/cors): improve CORS overview
* docs(middleware/cors): fix ordering of how it works
* docs(middleware/cors): add additional info to How it works
* docs(middleware/cors): rm space
* docs(middleware/cors): add validation for AllowOrigins origins to overview
* docs(middleware/cors): update ExposeHeaders and MaxAge descriptions
* docs(middleware/cors): Add dynamic origin validation example
* docs(middleware/cors): Improve security notes and fix header capitalization
* docs(middleware/cors): configuration examples
* docs(middleware/cors): `"*"`
---------
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* Revert "Revert "🐛 requestid.Config.ContextKey is interface{} (#2369)" (#2742)"
This reverts commit 28be17f929cfa7d3c27dd292fc3956f2f9882e22.
* fix: request ContextKey default value condition
Should check for `nil` since it is `any`.
* fix: don't constrain middlewares' context-keys to strings
`context` recommends using "unexported type" as context keys to avoid
collisions https://pkg.go.dev/github.com/gofiber/fiber/v2#Ctx.Locals.
The official go blog also recommends this https://go.dev/blog/context.
`fiber.Ctx.Locals(key any, value any)` correctly allows consumers to
use unexported types or e.g. strings.
But some fiber middlewares constrain their context-keys to `string` in
their "default config structs", making it impossible to use unexported
types.
This PR removes the `string` _constraint_ from all middlewares, allowing
to now use unexported types as per the official guidelines. However
the default value is still a string, so it's not a breaking change, and
anyone still using strings as context keys is not affected.
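The collision the commit message above describes, as an added example that is not part of the original commit or of Fiber's code: `locals` is a hypothetical stand-in for the `any`-keyed store behind `fiber.Ctx.Locals`, and `Config`, `configDefault`, the middleware functions and the `"requestid"` default are assumed names used only for illustration.

```go
package main

import "fmt"

// locals is a hypothetical stand-in for a per-request store keyed by `any`.
// Keys compare by dynamic type AND value, not by value alone.
type locals map[any]any

// Config mirrors the shape the commit describes: ContextKey is `any`,
// while the default stays a plain string (assumed here to be "requestid").
type Config struct{ ContextKey any }

func configDefault(cfg Config) Config {
	// Compare against nil, not "": the zero value of an `any` field is nil.
	if cfg.ContextKey == nil {
		cfg.ContextKey = "requestid"
	}
	return cfg
}

// requestIDMiddleware stores a trusted ID under the configured key.
func requestIDMiddleware(l locals, cfg Config, id string) {
	l[configDefault(cfg).ContextKey] = id
}

// thirdPartyMiddleware is unrelated code that happens to pick the same string key.
func thirdPartyMiddleware(l locals, v string) { l["requestid"] = v }

// ctxKey is unexported: no other package can construct a value of this type.
type ctxKey string

const requestIDKey ctxKey = "requestid"

// run returns what a handler reads back after both middlewares have run.
func run(cfg Config) any {
	l := locals{}
	requestIDMiddleware(l, cfg, "trusted-id")
	thirdPartyMiddleware(l, "overwritten")
	return l[configDefault(cfg).ContextKey]
}

func main() {
	fmt.Println(run(Config{}))                         // default string key: value is clobbered
	fmt.Println(run(Config{ContextKey: requestIDKey})) // unexported typed key: value survives
}
```

Both keys carry the text `requestid`, yet the typed key never matches the plain string, which is why values stored under an unexported key type cannot be overwritten by code outside the package.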
* chore(encryptcookie)!: update default config
docs(encryptcookie): enhance documentation and examples
BREAKING CHANGE: removed the hardcoded "csrf_" from the Except.
* docs(encryptcookie): reads or modifies cookies
* chore(encryptcookie): csrf config example
* docs(encryptcookie): md table spacing
* ✨ feat(cors): Added new 'AllowOriginsFunc' function.
* feat(cors): Added warning log for when both 'AllowOrigins' and 'AllowOriginsFunc' are set.
* feat(docs): Updated docs to include note about discouraging the use of this function in production workloads.
---------
Co-authored-by: RW <rene@gofiber.io>
Fix typos, and make docs more consistent
This fixes several typos in the ISSUE_TEMPLATES, as well as improves
their readability, and also makes the documentation markdowns more
consistent
* feature: session only for zero expire cookie #2145
* refactor condition to set MaxAge and Expire on cookie
* move checking zero maxage and expire in session middleware
Signed-off-by: Yves Tumushimire <yvestumushimire@gmail.com>
* feature: session only for zero expire cookie #2145
* refactor condition to set MaxAge and Expire on cookie
* move checking zero maxage and expire in session middleware
Signed-off-by: Yves Tumushimire <yvestumushimire@gmail.com>
* CR changes
* some updates
---------
Signed-off-by: Yves Tumushimire <yvestumushimire@gmail.com>
Co-authored-by: Muhammed Efe Çetin <efectn@protonmail.com>
Co-authored-by: René Werner <rene.werner@verivox.com>