ba10e68d01
test(middleware/csrf): Fix Benchmark Tests ( #2932 )
...
* test(middleware/csrf): fix Benchmark_Middleware_CSRF_*
* fix(middleware/csrf): update refererMatchesHost()
2024-03-25 15:30:20 +01:00
b1850834a3
fix: don't constrain middlewares' context-keys to strings 🐛 ( #2751 )
...
* Revert "Revert "🐛 requestid.Config.ContextKey is interface{} (#2369 )" (#2742 )"
This reverts commit 28be17f929https://pkg.go.dev/github.com/gofiber/fiber/v2#Ctx.Locals .
The official go blog also recommends this https://go.dev/blog/context .
`fiber.Ctx.Locals(key any, value any)` correctly allows consumers to
use unexported types or e.g. strings.
But some fiber middlewares constrain their context-keys to `string` in
their "default config structs", making it impossible to use unexported
types.
This PR removes the `string` _constraint_ from all middlewares, allowing
to now use unexported types as per the official guidelines. However
the default value is still a string, so it's not a breaking change, and
anyone still using strings as context keys is not affected.
2023-12-12 14:55:29 +01:00
8c3916dbf4
Merge pull request from GHSA-94w9-97p3-p368
...
* feat: improved csrf with session support
* fix: double submit cookie
* feat: add warning cookie extractor without session
* feat: add warning CsrfFromCookie SameSite
* fix: use byes.Equal instead
* fix: Overriden CookieName KeyLookup cookie:<name>
* feat: Create helpers.go
* feat: use compareTokens (constant time compare)
* feat: validate cookie to prevent token injection
* refactor: clean up csrf.go
* docs: update comment about Double Submit Cookie
* docs: update docs for CSRF changes
* feat: add DeleteToken
* refactor: no else
* test: add more tests
* refactor: re-order tests
* docs: update safe methods RCF add note
* test: add CSRF_Cookie_Injection_Exploit
* feat: add SingleUseToken config
* test: check for new token
* docs: use warning
* fix: always register type Token
* feat: use UUIDv4
* test: swap in UUIDv4 here too
* fix: raw token injection
* fix: merege error
* feat: Sentinel errors
* chore: rename test
* fix: url parse
* test: add path to referer
* test: add expiration tests
* docs: add cookie prefix note
* docs: fix typo
* docs: add warning for refer checks
* test: add referer edge cases
And call ctx.Request.Reset() and
ctx.Response.Reset() before re-using ctx.
2023-10-16 09:06:30 +02:00
b50d91d58e
Merge pull request from GHSA-94w9-97p3-p368
...
* feat: improved csrf with session support
* fix: double submit cookie
* feat: add warning cookie extractor without session
* feat: add warning CsrfFromCookie SameSite
* fix: use byes.Equal instead
* fix: Overriden CookieName KeyLookup cookie:<name>
* feat: Create helpers.go
* feat: use compareTokens (constant time compare)
* feat: validate cookie to prevent token injection
* refactor: clean up csrf.go
* docs: update comment about Double Submit Cookie
* docs: update docs for CSRF changes
* feat: add DeleteToken
* refactor: no else
* test: add more tests
* refactor: re-order tests
* docs: update safe methods RCF add note
* test: add CSRF_Cookie_Injection_Exploit
* feat: add SingleUseToken config
* test: check for new token
* docs: use warning
* fix: always register type Token
* feat: use UUIDv4
* test: swap in UUIDv4 here too
2023-10-11 14:41:42 +02:00
167a8b5e94
🚀 Feature: Add and apply more stricter golangci-lint linting rules ( #2286 )
...
* golangci-lint: add and apply more stricter linting rules
* github: drop security workflow now that we use gosec linter inside golangci-lint
* github: use official golangci-lint CI linter
* Add editorconfig and gitattributes file
2023-01-27 09:01:37 +01:00
6272d759eb
🚀 [Feature]: middleware/csrf custom extractor ( #2052 )
...
* feat(middleware/csrf): allow custom Extractor
* test: update Test_CSRF_From_Custom
* docs: add comma
* docs: update KeyLookup docs
2022-08-28 18:57:47 +02:00
68fcd8c88f
Feature: Session Only Cookies ( #1752 )
...
* feat(ctx): add SessionOnly property on Cookie struct
* feat(middleware/config): add CookieSessionOnly property on middleware Config struct
* feat(csrf): link config CookieSessionOnly with fiber.Cookie in create middleware function
* fix(ctx_test): add tests for SessionOnly cookie in test_ctx_cookie
* fix(readme): update readme in csrf middleware for CookieSessionOnly property
* remove deprecated property from CookieSessionOnly explaination comments
2022-02-07 13:35:00 +01:00
59e4bf6cc5
🔧 fix(middleware/csrf): unmatched token returns nil error ( #1667 )
...
* Update csrf.go
* Update csrf_test.go
* fix(middleware/csrf): missing token return and unit test
* Update csrf_test.go
2021-12-29 02:13:20 +01:00
13f0d5bb61
Remove global variable
2021-03-09 09:29:47 -05:00
b31953ab8d
Revert "Remove global variable"
...
This reverts commit 2d4d2f7c
2021-03-01 16:38:56 -05:00
2d4d2f7c47
Remove global variable
2021-03-01 16:30:04 -05:00
86e43593cd
CSRF MW Restructuring
2021-03-01 16:25:32 -05:00
53e5dc523e
🩹 Fix: CSRF middleware cookie<>storage bug squashed and other improvements ( #1180 )
...
* expire cookie on Post, Delete, Patch and Put
Cookie should always expire on Post, Delete, Patch and Put as it is either valid and will be removed from storage, or is not in storage and invalid
* token and cookie match
* retrigger checks
* csrf tests
* csrf per session strategy
2021-03-01 17:44:17 +01:00
19e6a4429d
add custom error func for csrf middleware
2021-01-23 03:45:47 +09:00
86f258c4ae
fixed cookie error in csrf.go
2020-12-10 10:45:21 +05:30
323d9d89cc
🩹 fix manager logic
2020-11-23 07:38:42 +01:00
9be8eedcc6
🩹 fix cache mw
...
Co-Authored-By: RW <7063188+ReneWerner87@users.noreply.github.com>
2020-11-17 13:03:18 +01:00
6338ce855c
🩹 fix csrf test
2020-11-14 03:09:53 +01:00
ef35d00a79
🦺 simplify session config
2020-11-11 23:51:32 +01:00
ec8fdb32de
🧽 clean code structure
2020-11-11 21:44:37 +01:00
b29d500fc0
🩹 verify csrf on state changing methods
2020-11-11 21:39:22 +01:00
ce897c0b66
🩹 fix tests
2020-11-11 18:34:46 +01:00
66ee4de7d8
🕊 rename token to key
2020-11-11 18:19:53 +01:00
1bd7b1b15b
✏ fix typo
2020-11-11 16:41:26 +01:00
053dfd383d
🩹 fix crsf middleware
2020-11-11 15:25:35 +01:00
8bd50de610
🧹 housekeeping
2020-11-11 13:54:27 +01:00
d8e763e366
🩹 Keep csrf token per session
2020-10-27 12:15:51 +08:00
5ea5bbfd44
👷 Improve csrf middleware
...
- Skip non GET/POST http method
- Delete token if matched
- Use cfg.Expiration instead of cfg.CookieExpires
2020-10-24 10:19:40 +08:00
b1d19f4a21
Merge pull request #958 from Fenny/master
...
🩹 add memory storage for csrf
2020-10-23 16:01:28 -07:00
9f2c0691b0
🩹 fix test cases
2020-10-24 01:00:09 +02:00
3f7b80e9a6
✏ fix typo
2020-10-24 00:19:38 +02:00
d3cf0e55e7
🩹 add memory storage for csrf
2020-10-24 00:18:25 +02:00
25db10b220
📝 Correct CSRF comment
2020-10-23 17:20:25 -04:00
1fe6d3b25d
Use default values for cookie fields
2020-10-03 10:52:06 -04:00
4898778e28
🐛 Move cookie expires outside of if
2020-10-03 10:50:29 -04:00
867f2fc0a8
🐛 Fix passing partial cookie to csrf.New
2020-10-03 10:41:14 -04:00
4ed6fff7b3
🍪 fix typo
2020-09-30 15:55:21 +02:00
ba3d08ef6d
🍪 csrf default to Strict if left empty in config
2020-09-30 15:55:01 +02:00
d6f717148a
🛠 correct convert naming
2020-09-27 12:22:17 +02:00
9d10f0e5b6
📦 set csrf same-site to strict
2020-09-25 00:42:51 +02:00
b94f238b83
🍪 default cookie name
2020-09-24 21:12:52 +02:00
c2554d7969
🍪 allow SameSite option
2020-09-24 21:08:10 +02:00
ebe107d54f
📘 add csrf readme
2020-09-16 15:36:33 +02:00
c993d8db2e
🩹 csrf expires should be time.Duration
...
Co-Authored-By: kiyon <kiyon@gofiber.io>
2020-09-16 12:48:29 +02:00
c8bb389ba6
🎈 fix csrf expiration type
2020-09-16 12:47:29 +02:00
3cedf2dc3e
👷 improve csrf mw test cases
2020-09-16 11:15:10 +08:00
2768ea2a77
🙌 make utils public
...
Co-Authored-By: RW <7063188+ReneWerner87@users.noreply.github.com>
2020-09-14 12:12:29 +02:00
a3cac71ae8
🔦 move utils to internal
2020-09-14 09:09:06 +02:00
b8cb100e28
⚡ v2
2020-09-14 05:47:17 +02:00
ec5d66e7a8
⚡ v2
2020-09-13 11:20:11 +02:00
Jason McNeil
Benjamin Grosse
leonklingele
Abhishek Mehandiratta
hi019
hinoguma
amalshaji
Fenny
kiyon
Joey B
hi019