Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat!(middleware/session): re-write session middleware with handler #3016

Merged
merged 93 commits into from
Oct 25, 2024
Merged
Show file tree
Hide file tree
Changes from 92 commits
Commits
Show all changes
93 commits
Select commit Hold shift + click to select a range
6e76847
feat!(middleware/session): re-write session middleware with handler
sixcolors May 28, 2024
ac9a028
test(middleware/session): refactor to IdleTimeout
sixcolors May 28, 2024
81f6789
fix: lint errors
sixcolors May 28, 2024
28790cb
test: Save session after setting or deleting raw data in CSRF middleware
sixcolors May 28, 2024
7ffae3d
Update middleware/session/middleware.go
sixcolors May 30, 2024
68f2739
fix: mutex and globals order
sixcolors May 30, 2024
92e6877
feat: Re-Add read lock to session Get method
sixcolors Jun 4, 2024
239db00
feat: Migrate New() to return middleware
sixcolors Jun 15, 2024
0b93c5c
chore: Refactor session middleware to improve session handling
sixcolors Jun 15, 2024
7cb4a6e
chore: Private get on store
sixcolors Jun 15, 2024
b4c8ea8
chore: Update session middleware to use saveSession instead of save
sixcolors Jun 15, 2024
aafee92
chore: Update session middleware to use getSession instead of get
sixcolors Jun 15, 2024
cd91db4
chore: Remove unused error handler in session middleware config
sixcolors Jun 15, 2024
c3b303f
chore: Update session middleware to use NewWithStore in CSRF tests
sixcolors Jun 15, 2024
75cffca
Merge branch 'main' into 2741-session-changes
sixcolors Jun 15, 2024
2731428
test: add test
sixcolors Jun 15, 2024
4f04291
Merge branch '2741-session-changes' of https://github.com/sixcolors/f…
sixcolors Jun 15, 2024
ee193dc
fix: destroyed session and GHSA-98j2-3j3p-fw2v
sixcolors Jun 22, 2024
01571cb
Merge remote-tracking branch 'origin/main' into 2741-session-changes
sixcolors Jul 29, 2024
5f032d4
Merge branch 'main' into 2741-session-changes
sixcolors Jul 29, 2024
1a5a3d7
chore: Refactor session_test.go to use newStore() instead of New()
sixcolors Jul 29, 2024
52e41a4
feat: Improve session middleware test coverage and error handling
sixcolors Jul 29, 2024
ed95d83
chore: fix lint issues
sixcolors Jul 29, 2024
c6e1c34
chore: Fix session middleware locking issue and improve error handling
sixcolors Jul 29, 2024
8a5663a
test: improve middleware test coverage and error handling
sixcolors Aug 3, 2024
46845e6
test: Add idle timeout test case to session middleware test
sixcolors Aug 3, 2024
ba0e491
feat: add GetSession(id string) (*Session, error)
sixcolors Aug 10, 2024
d08b686
chore: lint
sixcolors Aug 10, 2024
8df7c81
Merge branch 'main' into pr/3016
sixcolors Aug 14, 2024
508cf24
Merge branch 'main' into pr/3016
sixcolors Aug 27, 2024
6ee953b
Merge branch 'main' into pr/3016
sixcolors Aug 28, 2024
355b8f5
Merge branch 'main' into pr/3016
sixcolors Sep 2, 2024
2f3f724
Merge branch 'main' into 2741-session-changes
sixcolors Sep 3, 2024
c08ddc1
docs: Update session middleware docs
sixcolors Sep 8, 2024
56f6ce0
docs: Security Note to examples
sixcolors Sep 8, 2024
9e406f4
docs: Add recommendation for CSRF protection in session middleware
sixcolors Sep 8, 2024
12b219a
chore: markdown lint
sixcolors Sep 8, 2024
6812fc4
docs: Update session middleware docs
sixcolors Sep 8, 2024
28aad65
docs: makrdown lint
sixcolors Sep 8, 2024
d4e607e
Merge branch 'main' into 2741-session-changes
sixcolors Sep 13, 2024
14c7a6c
test(middleware/session): Add unit tests for session config.go
sixcolors Sep 13, 2024
a865ba5
test(middleware/session): Add unit tests for store.go
sixcolors Sep 13, 2024
eaedc6d
test(middleware/session): Add data.go unit tests
sixcolors Sep 13, 2024
d2cf5b8
refactor(middleware/session): session tests and add session release test
sixcolors Sep 13, 2024
b479895
refactor: session data locking in middleware/session/data.go
sixcolors Sep 13, 2024
afab580
refactor(middleware/session): Add unit test for session middleware store
sixcolors Sep 13, 2024
6c0bf25
test: fix session_test.go and store_test.go unit tests
sixcolors Sep 13, 2024
ad337f8
refactor(docs): Update session.md with v3 changes to Expiration
sixcolors Sep 13, 2024
280d539
refactor(middleware/session): Improve data pool handling and locking
sixcolors Sep 14, 2024
40da2c0
chore(middleware/session): TODO for Expiration field in session config
sixcolors Sep 14, 2024
3ad4bc9
refactor(middleware/session): Improve session data pool handling and …
sixcolors Sep 14, 2024
ffac824
refactor(middleware/session): Improve session data pool handling and …
sixcolors Sep 14, 2024
9f8c2d7
test(middleware/csrf): add session middleware coverage
sixcolors Sep 19, 2024
ecac9ce
chroe(middleware/session): TODO for unregistered session middleware
sixcolors Sep 19, 2024
e272082
refactor(middleware/session): Update session middleware for v3 changes
sixcolors Sep 19, 2024
b262a08
refactor(middleware/session): Update session middleware for v3 changes
sixcolors Sep 19, 2024
937a9b3
Merge branch 'main' into pr/3016
sixcolors Sep 19, 2024
9ec2b30
refactor(middleware/session): Update session middleware idle timeout
sixcolors Sep 20, 2024
684dc8a
docws(middleware/session): Add note about IdleTimeout requiring save …
sixcolors Sep 20, 2024
05d30a4
refactor(middleware/session): Update session middleware idle timeout
sixcolors Sep 20, 2024
ec5a698
docs(middleware/session): Update session middleware idle timeout and …
sixcolors Sep 20, 2024
13a1eb4
test(middleware/session): Fix tests for updated panics
sixcolors Sep 20, 2024
9d3b032
refactor(middleware/session): Update session middleware initializatio…
sixcolors Sep 20, 2024
9762767
refactor(middleware/session): Remove unnecessary comment about negati…
sixcolors Sep 20, 2024
e59905f
refactor(middleware/session): Update session middleware make NewStore…
sixcolors Sep 25, 2024
7765ee5
Merge branch 'main' into 2741-session-changes
sixcolors Sep 25, 2024
8716c95
refactor(middleware/session): Update session middleware Set, Get, and…
sixcolors Sep 25, 2024
0e302e9
Merge branch 'main' into 2741-session-changes
sixcolors Sep 26, 2024
951691d
feat(middleware/session): AbsoluteTimeout and key any
sixcolors Sep 26, 2024
3ac9b68
fix(middleware/session): locking issues and lint errors
sixcolors Sep 26, 2024
bc95c6a
chore(middleware/session): Regenerate code in data_msgp.go
sixcolors Sep 26, 2024
6bba849
refactor(middleware/session): rename GetSessionByID to GetByID
sixcolors Sep 26, 2024
281c0e1
docs(middleware/session): AbsoluteTimeout
sixcolors Sep 26, 2024
3d88ece
refactor(middleware/csrf): Rename Expiration to IdleTimeout
sixcolors Sep 26, 2024
3ddfeae
docs(whats-new): CSRF Rename Expiration to IdleTimeout and remove Ses…
sixcolors Sep 26, 2024
c3d3f0c
refactor(middleware/session): Rename expirationKeyType to absExpirati…
sixcolors Sep 26, 2024
0e9a73e
refactor(middleware/session): rename Test_Session_Save_Absolute to Te…
sixcolors Sep 26, 2024
a467236
chore(middleware/session): update as per PR comments
sixcolors Oct 1, 2024
6f35ff8
docs(middlware/session): fix indent lint
sixcolors Oct 1, 2024
f3c4e8e
fix(middleware/session): Address EfeCtn Comments
sixcolors Oct 1, 2024
e41ee74
refactor(middleware/session): Move bytesBuffer to it's own pool
sixcolors Oct 2, 2024
07092c8
test(middleware/session): add decodeSessionData error coverage
sixcolors Oct 2, 2024
84adbe1
refactor(middleware/session): Update absolute timeout handling
sixcolors Oct 2, 2024
f6440e2
refactor(session/middleware): fix *Session nil ctx when using Store.G…
sixcolors Oct 2, 2024
eac16b6
refactor(middleware/session): Remove unnecessary line in session_test.go
sixcolors Oct 2, 2024
7068a0e
fix(middleware/session): *Session lifecycle issues
sixcolors Oct 2, 2024
87a6cb9
docs(middleware/session): Update GetByID method documentation
sixcolors Oct 2, 2024
e5e5fd8
docs(middleware/session): Update GetByID method documentation
sixcolors Oct 2, 2024
00b9e07
docs(middleware/session): markdown lint
sixcolors Oct 2, 2024
23e823b
refactor(middleware/session): Simplify error handling in DefaultError…
sixcolors Oct 2, 2024
ba38786
fix( middleware/session/config.go
sixcolors Oct 3, 2024
f77fa8f
Merge branch 'main' into 2741-session-changes
gaby Oct 8, 2024
b54c954
add ctx releases for the test cases
ReneWerner87 Oct 23, 2024
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 6 additions & 9 deletions docs/middleware/csrf.md
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ app.Use(csrf.New(csrf.Config{
KeyLookup: "header:X-Csrf-Token",
CookieName: "csrf_",
CookieSameSite: "Lax",
Expiration: 1 * time.Hour,
IdleTimeout: 30 * time.Minute,
ReneWerner87 marked this conversation as resolved.
Show resolved Hide resolved
KeyGenerator: utils.UUIDv4,
Extractor: func(c fiber.Ctx) (string, error) { ... },
}))
Expand Down Expand Up @@ -106,15 +106,14 @@ func (h *Handler) DeleteToken(c fiber.Ctx) error
| CookieSecure | `bool` | Indicates if the CSRF cookie is secure. | false |
| CookieHTTPOnly | `bool` | Indicates if the CSRF cookie is HTTP-only. | false |
| CookieSameSite | `string` | Value of SameSite cookie. | "Lax" |
| CookieSessionOnly | `bool` | Decides whether the cookie should last for only the browser session. Ignores Expiration if set to true. | false |
| Expiration | `time.Duration` | Expiration is the duration before the CSRF token will expire. | 1 * time.Hour |
| CookieSessionOnly | `bool` | Decides whether the cookie should last for only the browser session. (cookie expires on close). | false |
| IdleTimeout | `time.Duration` | IdleTimeout is the duration of inactivity before the CSRF token will expire. | 30 * time.Minute |
| KeyGenerator | `func() string` | KeyGenerator creates a new CSRF token. | utils.UUID |
| ErrorHandler | `fiber.ErrorHandler` | ErrorHandler is executed when an error is returned from fiber.Handler. | DefaultErrorHandler |
| Extractor | `func(fiber.Ctx) (string, error)` | Extractor returns the CSRF token. If set, this will be used in place of an Extractor based on KeyLookup. | Extractor based on KeyLookup |
| SingleUseToken | `bool` | SingleUseToken indicates if the CSRF token be destroyed and a new one generated on each use. (See TokenLifecycle) | false |
| Storage | `fiber.Storage` | Store is used to store the state of the middleware. | `nil` |
| Session | `*session.Store` | Session is used to store the state of the middleware. Overrides Storage if set. | `nil` |
| SessionKey | `string` | SessionKey is the key used to store the token in the session. | "csrfToken" |
| TrustedOrigins | `[]string` | TrustedOrigins is a list of trusted origins for unsafe requests. This supports subdomain matching, so you can use a value like "https://*.example.com" to allow any subdomain of example.com to submit requests. | `[]` |

### Default Config
Expand All @@ -124,11 +123,10 @@ var ConfigDefault = Config{
KeyLookup: "header:" + HeaderName,
CookieName: "csrf_",
CookieSameSite: "Lax",
Expiration: 1 * time.Hour,
IdleTimeout: 30 * time.Minute,
KeyGenerator: utils.UUIDv4,
ErrorHandler: defaultErrorHandler,
Extractor: FromHeader(HeaderName),
SessionKey: "csrfToken",
}
```

Expand All @@ -144,12 +142,11 @@ var ConfigDefault = Config{
CookieSecure: true,
CookieSessionOnly: true,
CookieHTTPOnly: true,
Expiration: 1 * time.Hour,
IdleTimeout: 30 * time.Minute,
KeyGenerator: utils.UUIDv4,
ErrorHandler: defaultErrorHandler,
Extractor: FromHeader(HeaderName),
Session: session.Store,
SessionKey: "csrfToken",
}
```

Expand Down Expand Up @@ -304,7 +301,7 @@ The Referer header is automatically included in requests by all modern browsers,

## Token Lifecycle

Tokens are valid until they expire or until they are deleted. By default, tokens are valid for 1 hour, and each subsequent request extends the expiration by 1 hour. The token only expires if the user doesn't make a request for the duration of the expiration time.
Tokens are valid until they expire or until they are deleted. By default, tokens are valid for 30 minutes, and each subsequent request extends the expiration by the idle timeout. The token only expires if the user doesn't make a request for the duration of the idle timeout.

### Token Reuse

Expand Down
Loading
Loading