* fix: token injection vulnerability GHSA-98j2-3j3p-fw2v
- Ensure session IDs are securely generated server-side.
- Add validation to prevent user-supplied session IDs.
- Update tests to verify correct session token use.
This update addresses the critical session middleware vulnerability identified in versions 2 and above of GoFiber.
* test(middleware/csrf): Save session after generating new session ID
This commit saves the session after generating a new session ID to ensure that the updated session ID is persisted. This change is necessary to address a critical session middleware vulnerability identified in versions 2 and above of GoFiber.
* chore: Save session ID in context for middleware chain
The code changes add functionality to save the newly generated session ID in the context, allowing it to be accessible to subsequent middlewares in the chain. This improvement ensures that the session ID is available for use throughout the middleware stack.
* test: Fix session freshness check in session_test
The code changes in `session_test.go` fix the session freshness check by updating the assertions for `sess.Fresh()` and `sess.ID()`. The previous assertions were incorrect and have been corrected to ensure the session ID remains the same and the session is not fresh.
* refactor(session.go): general clean-up
* chore: Revert session freshness behavior
The code changes in `session_test.go` fix the session freshness check by updating the assertions for `sess.Fresh()` and `sess.ID()`. The previous assertions were incorrect and have been corrected to ensure the session ID remains the same and the session is not fresh.
* Revert "Revert "🐛 requestid.Config.ContextKey is interface{} (#2369)" (#2742)"
This reverts commit 28be17f929cfa7d3c27dd292fc3956f2f9882e22.
* fix: request ContextKey default value condition
Should check for `nil` since it is `any`.
* fix: don't constrain middlewares' context-keys to strings
`context` recommends using "unexported type" as context keys to avoid
collisions https://pkg.go.dev/github.com/gofiber/fiber/v2#Ctx.Locals.
The official go blog also recommends this https://go.dev/blog/context.
`fiber.Ctx.Locals(key any, value any)` correctly allows consumers to
use unexported types or e.g. strings.
But some fiber middlewares constrain their context-keys to `string` in
their "default config structs", making it impossible to use unexported
types.
This PR removes the `string` _constraint_ from all middlewares, allowing
to now use unexported types as per the official guidelines. However
the default value is still a string, so it's not a breaking change, and
anyone still using strings as context keys is not affected.
✅ test: fix failing csrf test
A test validating that expired tokens fail was hitting a race condition
with garbage collection. Sometimes, an assertion that expects memory
storage GC to have triggered happens too quickly, causing the assertion
to fail. Give the GC a little bit more time to process before asserting.
* internal: revert linting changes
Changes to the internal package should not have been made in 167a8b5e9421e0ab51fbf44c5621632f4a1a90c5.
* middleware/monitor: revert changes to exported field "ChartJSURL"
This is a breaking change introduced in 167a8b5e9421e0ab51fbf44c5621632f4a1a90c5.
* middleware/monitor: fix error checking
Fix the errorenous error checking introduced in 167a8b5e9421e0ab51fbf44c5621632f4a1a90c5.
* 🐛 Bug: Fix issues introduced in linting PR #2319
* 🐛 Bug: Fix issues introduced in linting PR #2319
* Bug: Fix issues introduced in linting PR #2319
---------
Co-authored-by: René Werner <rene@gofiber.io>
* golangci-lint: add and apply more stricter linting rules
* github: drop security workflow now that we use gosec linter inside golangci-lint
* github: use official golangci-lint CI linter
* Add editorconfig and gitattributes file
* feat(ctx): add SessionOnly property on Cookie struct
* feat(middleware/config): add CookieSessionOnly property on middleware Config struct
* feat(csrf): link config CookieSessionOnly with fiber.Cookie in create middleware function
* fix(ctx_test): add tests for SessionOnly cookie in test_ctx_cookie
* fix(readme): update readme in csrf middleware for CookieSessionOnly property
* remove deprecated property from CookieSessionOnly explaination comments
* expire cookie on Post, Delete, Patch and Put
Cookie should always expire on Post, Delete, Patch and Put as it is either valid and will be removed from storage, or is not in storage and invalid
* token and cookie match
* retrigger checks
* csrf tests
* csrf per session strategy