mirror of
https://github.com/gofiber/fiber.git
synced 2025-05-05 07:10:20 +00:00
e3232c1505
* feat!(middleware/session): re-write session middleware with handler * test(middleware/session): refactor to IdleTimeout * fix: lint errors * test: Save session after setting or deleting raw data in CSRF middleware * Update middleware/session/middleware.go Co-authored-by: Renan Bastos <renanbastos.tec@gmail.com> * fix: mutex and globals order * feat: Re-Add read lock to session Get method * feat: Migrate New() to return middleware * chore: Refactor session middleware to improve session handling * chore: Private get on store * chore: Update session middleware to use saveSession instead of save * chore: Update session middleware to use getSession instead of get * chore: Remove unused error handler in session middleware config * chore: Update session middleware to use NewWithStore in CSRF tests * test: add test * fix: destroyed session and GHSA-98j2-3j3p-fw2v * chore: Refactor session_test.go to use newStore() instead of New() * feat: Improve session middleware test coverage and error handling This commit improves the session middleware test coverage by adding assertions for the presence of the Set-Cookie header and the token value. It also enhances error handling by checking for the expected number of parts in the Set-Cookie header. * chore: fix lint issues * chore: Fix session middleware locking issue and improve error handling * test: improve middleware test coverage and error handling * test: Add idle timeout test case to session middleware test * feat: add GetSession(id string) (*Session, error) * chore: lint * docs: Update session middleware docs * docs: Security Note to examples * docs: Add recommendation for CSRF protection in session middleware * chore: markdown lint * docs: Update session middleware docs * docs: makrdown lint * test(middleware/session): Add unit tests for session config.go * test(middleware/session): Add unit tests for store.go * test(middleware/session): Add data.go unit tests * refactor(middleware/session): session tests and add session release test - Refactor session tests to improve readability and maintainability. - Add a new test case to ensure proper session release functionality. - Update session.md * refactor: session data locking in middleware/session/data.go * refactor(middleware/session): Add unit test for session middleware store * test: fix session_test.go and store_test.go unit tests * refactor(docs): Update session.md with v3 changes to Expiration * refactor(middleware/session): Improve data pool handling and locking * chore(middleware/session): TODO for Expiration field in session config * refactor(middleware/session): Improve session data pool handling and locking * refactor(middleware/session): Improve session data pool handling and locking * test(middleware/csrf): add session middleware coverage * chroe(middleware/session): TODO for unregistered session middleware * refactor(middleware/session): Update session middleware for v3 changes * refactor(middleware/session): Update session middleware for v3 changes * refactor(middleware/session): Update session middleware idle timeout - Update the default idle timeout for session middleware from 24 hours to 30 minutes. - Add a note in the session middleware documentation about the importance of the middleware order. * docws(middleware/session): Add note about IdleTimeout requiring save using legacy approach * refactor(middleware/session): Update session middleware idle timeout Update the idle timeout for the session middleware to 30 minutes. This ensures that the session expires after a period of inactivity. The previous value was 24 hours, which is too long for most use cases. This change improves the security and efficiency of the session management. * docs(middleware/session): Update session middleware idle timeout and configuration * test(middleware/session): Fix tests for updated panics * refactor(middleware/session): Update session middleware initialization and saving * refactor(middleware/session): Remove unnecessary comment about negative IdleTimeout value * refactor(middleware/session): Update session middleware make NewStore public * refactor(middleware/session): Update session middleware Set, Get, and Delete methods Refactor the Set, Get, and Delete methods in the session middleware to use more descriptive parameter names. Instead of using "middlewareContextKey", the methods now use "key" to represent the key of the session value. This improves the readability and clarity of the code. * feat(middleware/session): AbsoluteTimeout and key any * fix(middleware/session): locking issues and lint errors * chore(middleware/session): Regenerate code in data_msgp.go * refactor(middleware/session): rename GetSessionByID to GetByID This commit also includes changes to the session_test.go and store_test.go files to add test cases for the new GetByID method. * docs(middleware/session): AbsoluteTimeout * refactor(middleware/csrf): Rename Expiration to IdleTimeout * docs(whats-new): CSRF Rename Expiration to IdleTimeout and remove SessionKey field * refactor(middleware/session): Rename expirationKeyType to absExpirationKeyType and update related functions * refactor(middleware/session): rename Test_Session_Save_Absolute to Test_Session_Save_AbsoluteTimeout * chore(middleware/session): update as per PR comments * docs(middlware/session): fix indent lint * fix(middleware/session): Address EfeCtn Comments * refactor(middleware/session): Move bytesBuffer to it's own pool * test(middleware/session): add decodeSessionData error coverage * refactor(middleware/session): Update absolute timeout handling - Update absolute timeout handling in getSession function - Set absolute expiration time in getSession function - Delete expired session in GetByID function * refactor(session/middleware): fix *Session nil ctx when using Store.GetByID * refactor(middleware/session): Remove unnecessary line in session_test.go * fix(middleware/session): *Session lifecycle issues * docs(middleware/session): Update GetByID method documentation * docs(middleware/session): Update GetByID method documentation * docs(middleware/session): markdown lint * refactor(middleware/session): Simplify error handling in DefaultErrorHandler * fix( middleware/session/config.go Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * add ctx releases for the test cases --------- Co-authored-by: Renan Bastos <renanbastos.tec@gmail.com> Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> Co-authored-by: Juan Calderon-Perez <835733+gaby@users.noreply.github.com> Co-authored-by: René <rene@gofiber.io>
199 lines
5.5 KiB
Go
199 lines
5.5 KiB
Go
package csrf
|
|
|
|
import (
|
|
"net/textproto"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/gofiber/fiber/v3"
|
|
"github.com/gofiber/fiber/v3/log"
|
|
"github.com/gofiber/fiber/v3/middleware/session"
|
|
"github.com/gofiber/utils/v2"
|
|
)
|
|
|
|
// Config defines the config for middleware.
|
|
type Config struct {
|
|
// Store is used to store the state of the middleware
|
|
//
|
|
// Optional. Default: memory.New()
|
|
// Ignored if Session is set.
|
|
Storage fiber.Storage
|
|
|
|
// Next defines a function to skip this middleware when returned true.
|
|
//
|
|
// Optional. Default: nil
|
|
Next func(c fiber.Ctx) bool
|
|
|
|
// Session is used to store the state of the middleware
|
|
//
|
|
// Optional. Default: nil
|
|
// If set, the middleware will use the session store instead of the storage
|
|
Session *session.Store
|
|
|
|
// KeyGenerator creates a new CSRF token
|
|
//
|
|
// Optional. Default: utils.UUID
|
|
KeyGenerator func() string
|
|
|
|
// ErrorHandler is executed when an error is returned from fiber.Handler.
|
|
//
|
|
// Optional. Default: DefaultErrorHandler
|
|
ErrorHandler fiber.ErrorHandler
|
|
|
|
// Extractor returns the csrf token
|
|
//
|
|
// If set this will be used in place of an Extractor based on KeyLookup.
|
|
//
|
|
// Optional. Default will create an Extractor based on KeyLookup.
|
|
Extractor func(c fiber.Ctx) (string, error)
|
|
|
|
// KeyLookup is a string in the form of "<source>:<key>" that is used
|
|
// to create an Extractor that extracts the token from the request.
|
|
// Possible values:
|
|
// - "header:<name>"
|
|
// - "query:<name>"
|
|
// - "param:<name>"
|
|
// - "form:<name>"
|
|
// - "cookie:<name>"
|
|
//
|
|
// Ignored if an Extractor is explicitly set.
|
|
//
|
|
// Optional. Default: "header:X-Csrf-Token"
|
|
KeyLookup string
|
|
|
|
// Name of the session cookie. This cookie will store session key.
|
|
// Optional. Default value "csrf_".
|
|
// Overridden if KeyLookup == "cookie:<name>"
|
|
CookieName string
|
|
|
|
// Domain of the CSRF cookie.
|
|
// Optional. Default value "".
|
|
CookieDomain string
|
|
|
|
// Path of the CSRF cookie.
|
|
// Optional. Default value "".
|
|
CookiePath string
|
|
|
|
// Value of SameSite cookie.
|
|
// Optional. Default value "Lax".
|
|
CookieSameSite string
|
|
|
|
// TrustedOrigins is a list of trusted origins for unsafe requests.
|
|
// For requests that use the Origin header, the origin must match the
|
|
// Host header or one of the TrustedOrigins.
|
|
// For secure requests, that do not include the Origin header, the Referer
|
|
// header must match the Host header or one of the TrustedOrigins.
|
|
//
|
|
// This supports matching subdomains at any level. This means you can use a value like
|
|
// `"https://*.example.com"` to allow any subdomain of `example.com` to submit requests,
|
|
// including multiple subdomain levels such as `"https://sub.sub.example.com"`.
|
|
//
|
|
// Optional. Default: []
|
|
TrustedOrigins []string
|
|
|
|
// IdleTimeout is the duration of time the CSRF token is valid.
|
|
//
|
|
// Optional. Default: 30 * time.Minute
|
|
IdleTimeout time.Duration
|
|
|
|
// Indicates if CSRF cookie is secure.
|
|
// Optional. Default value false.
|
|
CookieSecure bool
|
|
|
|
// Indicates if CSRF cookie is HTTP only.
|
|
// Optional. Default value false.
|
|
CookieHTTPOnly bool
|
|
|
|
// Decides whether cookie should last for only the browser sesison.
|
|
// Ignores Expiration if set to true
|
|
CookieSessionOnly bool
|
|
|
|
// SingleUseToken indicates if the CSRF token be destroyed
|
|
// and a new one generated on each use.
|
|
//
|
|
// Optional. Default: false
|
|
SingleUseToken bool
|
|
}
|
|
|
|
const HeaderName = "X-Csrf-Token"
|
|
|
|
// ConfigDefault is the default config
|
|
var ConfigDefault = Config{
|
|
KeyLookup: "header:" + HeaderName,
|
|
CookieName: "csrf_",
|
|
CookieSameSite: "Lax",
|
|
IdleTimeout: 30 * time.Minute,
|
|
KeyGenerator: utils.UUIDv4,
|
|
ErrorHandler: defaultErrorHandler,
|
|
Extractor: FromHeader(HeaderName),
|
|
}
|
|
|
|
// default ErrorHandler that process return error from fiber.Handler
|
|
func defaultErrorHandler(_ fiber.Ctx, _ error) error {
|
|
return fiber.ErrForbidden
|
|
}
|
|
|
|
// Helper function to set default values
|
|
func configDefault(config ...Config) Config {
|
|
// Return default config if nothing provided
|
|
if len(config) < 1 {
|
|
return ConfigDefault
|
|
}
|
|
|
|
// Override default config
|
|
cfg := config[0]
|
|
|
|
// Set default values
|
|
if cfg.KeyLookup == "" {
|
|
cfg.KeyLookup = ConfigDefault.KeyLookup
|
|
}
|
|
if cfg.IdleTimeout <= 0 {
|
|
cfg.IdleTimeout = ConfigDefault.IdleTimeout
|
|
}
|
|
if cfg.CookieName == "" {
|
|
cfg.CookieName = ConfigDefault.CookieName
|
|
}
|
|
if cfg.CookieSameSite == "" {
|
|
cfg.CookieSameSite = ConfigDefault.CookieSameSite
|
|
}
|
|
if cfg.KeyGenerator == nil {
|
|
cfg.KeyGenerator = ConfigDefault.KeyGenerator
|
|
}
|
|
if cfg.ErrorHandler == nil {
|
|
cfg.ErrorHandler = ConfigDefault.ErrorHandler
|
|
}
|
|
|
|
// Generate the correct extractor to get the token from the correct location
|
|
selectors := strings.Split(cfg.KeyLookup, ":")
|
|
|
|
const numParts = 2
|
|
if len(selectors) != numParts {
|
|
panic("[CSRF] KeyLookup must in the form of <source>:<key>")
|
|
}
|
|
|
|
if cfg.Extractor == nil {
|
|
// By default we extract from a header
|
|
cfg.Extractor = FromHeader(textproto.CanonicalMIMEHeaderKey(selectors[1]))
|
|
|
|
switch selectors[0] {
|
|
case "form":
|
|
cfg.Extractor = FromForm(selectors[1])
|
|
case "query":
|
|
cfg.Extractor = FromQuery(selectors[1])
|
|
case "param":
|
|
cfg.Extractor = FromParam(selectors[1])
|
|
case "cookie":
|
|
if cfg.Session == nil {
|
|
log.Warn("[CSRF] Cookie extractor is not recommended without a session store")
|
|
}
|
|
if cfg.CookieSameSite == "None" || cfg.CookieSameSite != "Lax" && cfg.CookieSameSite != "Strict" {
|
|
log.Warn("[CSRF] Cookie extractor is only recommended for use with SameSite=Lax or SameSite=Strict")
|
|
}
|
|
cfg.Extractor = FromCookie(selectors[1])
|
|
cfg.CookieName = selectors[1] // Cookie name is the same as the key
|
|
}
|
|
}
|
|
|
|
return cfg
|
|
}
|