* fix: token injection vulnerability GHSA-98j2-3j3p-fw2v
- Ensure session IDs are securely generated server-side.
- Add validation to prevent user-supplied session IDs.
- Update tests to verify correct session token use.
This update addresses the critical session middleware vulnerability identified in versions 2 and above of GoFiber.
* test(middleware/csrf): Save session after generating new session ID
This commit saves the session after generating a new session ID to ensure that the updated session ID is persisted. This change is necessary to address a critical session middleware vulnerability identified in versions 2 and above of GoFiber.
* chore: Save session ID in context for middleware chain
The code changes add functionality to save the newly generated session ID in the context, allowing it to be accessible to subsequent middlewares in the chain. This improvement ensures that the session ID is available for use throughout the middleware stack.
* test: Fix session freshness check in session_test
The code changes in `session_test.go` fix the session freshness check by updating the assertions for `sess.Fresh()` and `sess.ID()`. The previous assertions were incorrect and have been corrected to ensure the session ID remains the same and the session is not fresh.
* refactor(session.go): general clean-up
* chore: Revert session freshness behavior
The code changes in `session_test.go` fix the session freshness check by updating the assertions for `sess.Fresh()` and `sess.ID()`. The previous assertions were incorrect and have been corrected to ensure the session ID remains the same and the session is not fresh.
✅ test: fix failing csrf test
A test validating that expired tokens fail was hitting a race condition
with garbage collection. Sometimes, an assertion that expects memory
storage GC to have triggered happens too quickly, causing the assertion
to fail. Give the GC a little bit more time to process before asserting.
* golangci-lint: add and apply more stricter linting rules
* github: drop security workflow now that we use gosec linter inside golangci-lint
* github: use official golangci-lint CI linter
* Add editorconfig and gitattributes file
* expire cookie on Post, Delete, Patch and Put
Cookie should always expire on Post, Delete, Patch and Put as it is either valid and will be removed from storage, or is not in storage and invalid
* token and cookie match
* retrigger checks
* csrf tests
* csrf per session strategy
René
Jason McNeil
nickajacks1
leonklingele
M. Efe Çetin
Gusted
hinoguma
Fenny
kiyon