Main v2 merge #2944

Merged
merged 48 commits into from
Mar 28, 2024

Conversation

@ReneWerner87 ReneWerner87 commented Mar 28, 2024

Summary by CodeRabbit

  • Documentation
    • Updated API documentation to reflect minor changes in method signatures and security recommendations.
  • Refactor
    • Improved CSRF middleware logic for enhanced security.

ReneWerner87 and others added 30 commits December 3, 2023 10:19
Grammar correction.
* chore(encryptcookie)!: update default config

docs(encryptcookie): enhance documentation and examples

BREAKING CHANGE: removed the hardcoded "csrf_" from the Except.

* docs(encryptcookie): reads or modifies cookies

* chore(encryptcookie): csrf config example

* docs(encryptcookie): md table spacing
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4 to 5.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@v4...v5)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* middleware/logger: Log client IP address by default.

* Update doc.
* Revert "Revert ":bug: requestid.Config.ContextKey is interface{} (#2369)" (#2742)"

This reverts commit 28be17f.

* fix: request ContextKey default value condition

Should check for `nil` since it is `any`.

* fix: don't constrain middlewares' context-keys to strings

`context` recommends using "unexported type" as context keys to avoid
collisions https://pkg.go.dev/github.com/gofiber/fiber/v2#Ctx.Locals.

The official go blog also recommends this https://go.dev/blog/context.

`fiber.Ctx.Locals(key any, value any)` correctly allows consumers to
use unexported types or e.g. strings.

But some fiber middlewares constrain their context-keys to `string` in
their "default config structs", making it impossible to use unexported
types.

This PR removes the `string` _constraint_ from all middlewares, allowing
to now use unexported types as per the official guidelines. However
the default value is still a string, so it's not a breaking change, and
anyone still using strings as context keys is not affected.
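The collision argument in this commit message, worked through as an added example (not Fiber's code): a `locals` map stands in for `fiber.Ctx.Locals`, and `Config`/`configDefault` are hypothetical stand-ins for one middleware's config struct and its defaulting step.

```go
package main

import "fmt"

// locals stands in for fiber.Ctx.Locals: per-request storage keyed by any,
// so both strings and unexported key types can be used.
type locals map[any]any

// ctxKey is an unexported key type. Interface keys compare by dynamic type as
// well as value, so ctxKey("requestid") and the string "requestid" are two
// distinct keys: another package cannot overwrite this one's value by chance.
type ctxKey string

const requestIDKey ctxKey = "requestid"

// Config mirrors the shape of a middleware config after the change: ContextKey
// is any rather than string, and still defaults to a string.
type Config struct {
	ContextKey any
}

// configDefault tests against nil, not "": the zero value of an any field is
// nil, and a caller who supplied a non-string key must not be overridden.
func configDefault(cfg Config) Config {
	if cfg.ContextKey == nil {
		cfg.ContextKey = "requestid"
	}
	return cfg
}

// store writes the ID under the configured key, as the middleware would.
func store(l locals, cfg Config, id string) { l[cfg.ContextKey] = id }

// lookup reads a stored ID back by key.
func lookup(l locals, key any) (string, bool) {
	v, ok := l[key].(string)
	return v, ok
}

// Collision shows why the string constraint mattered: two middlewares that
// both settle on the string "requestid" clobber each other, whereas a key of
// unexported type is isolated even from an identical string.
func Collision() (stringClobbered, typedIsolated bool) {
	l := locals{}
	store(l, configDefault(Config{}), "req-1")               // default string key
	store(l, Config{ContextKey: "requestid"}, "other-value") // unrelated middleware, same string
	v, _ := lookup(l, "requestid")
	stringClobbered = v == "other-value"

	l = locals{}
	store(l, Config{ContextKey: requestIDKey}, "req-1") // typed key
	store(l, Config{ContextKey: "requestid"}, "other-value")
	v, _ = lookup(l, requestIDKey)
	typedIsolated = v == "req-1"
	return stringClobbered, typedIsolated
}

func main() {
	fmt.Println(Collision())
}
```

The nil check is what keeps the change non-breaking: a string default is applied only when the caller set nothing, and a typed key passed explicitly survives the defaulting step untouched.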
Update app.md for indentation
Bumps [github.com/google/uuid](https://github.com/google/uuid) from 1.4.0 to 1.5.0.
- [Release notes](https://github.com/google/uuid/releases)
- [Changelog](https://github.com/google/uuid/blob/master/CHANGELOG.md)
- [Commits](google/uuid@v1.4.0...v1.5.0)

---
updated-dependencies:
- dependency-name: github.com/google/uuid
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2 to 3.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@v2...v3)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
changing default log output

Closes #2729
fix wrong hooks signature
* redirect with query params did not work, fix it and add test for it

* redirect middleware - fix test typo
* ✨ feat: add liveness and readiness checkers

* 📝 docs: add docs for liveness and readiness

* ✨ feat: add options method for probe checkers

* ✅ tests: add tests for liveness and readiness

* ♻️ refactor: change default endpoint values

* ♻️ refactor: change default value for liveness endpoint

* 📝 docs: add return status for liveness and readiness probes

* ♻️ refactor: change probechecker to middleware

* 📝 docs: move docs to middleware session

* ♻️ refactor: apply gofumpt formatting

* ♻️ refactor: remove unused parameter

* split config and apply a review

* apply reviews and add testcases

* add benchmark

* cleanup

* rename middleware

* fix linter

* Update docs and config values

* Revert change to IsReady

* Updates based on code review

* Update docs to match other middlewares

---------

Co-authored-by: Muhammed Efe Cetin <[email protected]>
Co-authored-by: Juan Calderon-Perez <[email protected]>
Co-authored-by: Juan Calderon-Perez <[email protected]>
- add more Parser tests
fix default value to false in docs of QueryBool
📚 Doc: Fix code snippet indentation in /docs/api/middleware/keyauth.md
* fix: healthcheck middleware not working with route group

* perf: change verification method to improve perf

* Update healthcheck_test.go

* test: add not matching route test for strict routing

* add more test cases

* correct tests

* correct test helpers

* correct tests

* correct tests

---------

Co-authored-by: Juan Calderon-Perez <[email protected]>
Co-authored-by: René Werner <[email protected]>
* Enforce Wildcard Origins with AllowCredentials check

* Expand unit-tests, fix issues with subdomains logic, update docs

* Update cors.md

* Added test using localhost, ipv4, and ipv6 address

* improve documentation markdown

---------

Co-authored-by: René Werner <[email protected]>
prepare release v2.52.1
ReneWerner87 and others added 15 commits February 21, 2024 21:43
* fix: allow origins check

Refactor CORS origin validation and normalization to trim leading or trailing whitespace in the cfg.AllowOrigins string [list]. URLs with whitespace inside the URL are invalid, so the normalizeOrigin will return false because url.Parse will fail, and the middleware will panic.

fixes #2882

* test: AllowOrigins with whitespace

* test(middleware/cors): add benchmarks

* chore: fix linter errors

* test(middleware/cors): use h() instead of app.Test()

* test(middleware/cors): add multiple origins in Test_CORS_AllowOriginScheme

* chore: refactor validate and normalize

* test(cors/middleware): add more benchmarks
* fix: allow origins check

Refactor CORS origin validation and normalization to trim leading or trailing whitespace in the cfg.AllowOrigins string [list]. URLs with whitespace inside the URL are invalid, so the normalizeOrigin will return false because url.Parse will fail, and the middleware will panic.

fixes #2882

* test: AllowOrigins with whitespace

* test(middleware/cors): add benchmarks

* chore: fix linter errors

* test(middleware/cors): use h() instead of app.Test()

* test(middleware/cors): add multiple origins in Test_CORS_AllowOriginScheme

* chore: refactor validate and normalize

* test(cors/middleware): add more benchmarks

* fix(middleware/cors): handling and wildcard subdomain matching

docs(middleware/cors): add How it works and Security Considerations

* chore: grammar

* Apply suggestions from code review

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* chore: fix misspelling

* test(middleware/cors): combine Invalid_Origins tests

* refactor(middleware/cors): headers handling

* docs(middleware/cors): Update AllowOrigins description

* chore: merge

* perf(middleware/cors): optimize handler

* perf(middleware/cors): optimize handler

* chore(middleware/cors): update origin handling logic

* chore(middleware/cors): fix header capitalization

* docs(middleware/cors): improve security notes

* docs(middleware/cors): Improve security notes

* docs(middleware/cors): improve CORS overview

* docs(middleware/cors): fix ordering of how it works

* docs(middleware/cors): add additional info to How it works

* docs(middleware/cors): rm space

* docs(middleware/cors): add validation for AllowOrigins origins to overview

* docs(middleware/cors): update ExposeHeaders and MaxAge descriptions

* docs(middleware/cors): Add dynamic origin validation example

* docs(middleware/cors): Improve security notes and fix header capitalization

* docs(middleware/cors): configuration examples

* docs(middleware/cors): `"*"`

---------

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* fix(middleware/cors): categorise requests correctly

* test(middleware/cors): improve test coverage for request types

* test(middleware/cors): Add subdomain matching tests

* test(middleware/cors): parallel tests for CORS headers based on request type

* test(middleware/cors): Add benchmark for CORS subdomain matching

* test(middleware/cors): cover additional test cases

* refactor(middleware/cors): origin validation and normalization
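The origin validation and normalization these CORS commits describe (trimming list entries, rejecting malformed origins, subdomain wildcards, and refusing "*" together with AllowCredentials), as an added illustrative re-implementation in standard-library Go rather than Fiber's own cors package. `Compile`, `AllowList`, `NormalizeOrigin` and `MatchOrigin` are this example's names; the subdomain rule shown (same scheme, at least one label in front of the domain, no bare-domain match) is an assumption about the desired behaviour rather than a reading of Fiber's code; and `Compile` returns an error where the middleware panics.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Config mirrors the two Fiber options at issue: AllowOrigins, a comma-separated
// list of exact origins or "scheme://*.domain" patterns, and AllowCredentials.
type Config struct {
	AllowOrigins     string
	AllowCredentials bool
}

// NormalizeOrigin trims whitespace, accepts only a bare "scheme://host[:port]"
// and returns it lower-cased. Untrimmed, " https://app.example.com" fails
// url.Parse, which is the whitespace problem the commit message describes.
func NormalizeOrigin(origin string) (string, bool) {
	u, err := url.Parse(strings.TrimSpace(origin))
	if err != nil || u.Scheme == "" || u.Host == "" || u.User != nil ||
		u.Path != "" || u.RawQuery != "" || u.Fragment != "" {
		return "", false
	}
	return strings.ToLower(u.Scheme + "://" + u.Host), true
}

// MatchOrigin matches a normalized origin against one list entry. A
// "scheme://*.domain" pattern covers subdomains on the same scheme only, never
// the bare domain, and the dot belongs to the suffix, so
// "https://evil-example.org" does not match "https://*.example.org".
func MatchOrigin(allowed, origin string) bool {
	scheme, pattern, ok := strings.Cut(allowed, "://")
	if !ok || !strings.HasPrefix(pattern, "*.") {
		return allowed == origin
	}
	oScheme, oHost, ok := strings.Cut(origin, "://")
	suffix := pattern[1:] // ".example.org"
	return ok && oScheme == scheme && len(oHost) > len(suffix) && strings.HasSuffix(oHost, suffix)
}

// AllowList is the compiled form of AllowOrigins.
type AllowList struct {
	all     bool
	entries []string
}

// Compile validates every entry up front and refuses "*" together with
// AllowCredentials (Fiber panics at this point): browsers reject a wildcard
// on credentialed requests, and reflecting arbitrary origins instead would
// expose every user's session to every site.
func Compile(cfg Config) (*AllowList, error) {
	l := &AllowList{}
	for _, raw := range strings.Split(cfg.AllowOrigins, ",") {
		entry := strings.TrimSpace(raw)
		switch {
		case entry == "*" && cfg.AllowCredentials:
			return nil, fmt.Errorf("cors: AllowOrigins %q cannot be combined with AllowCredentials", entry)
		case entry == "*":
			l.all = true
		default:
			n, ok := NormalizeOrigin(entry)
			if !ok {
				return nil, fmt.Errorf("cors: invalid origin %q in AllowOrigins", entry)
			}
			l.entries = append(l.entries, n)
		}
	}
	return l, nil
}

// AllowedOrigin returns the value to send in Access-Control-Allow-Origin for a
// request's Origin header, or "" when it is malformed or not on the list.
func (l *AllowList) AllowedOrigin(origin string) string {
	n, ok := NormalizeOrigin(origin)
	if !ok {
		return ""
	}
	if l.all {
		return "*"
	}
	for _, e := range l.entries {
		if MatchOrigin(e, n) {
			return n
		}
	}
	return ""
}

func main() {
	// Constructed configuration: untrimmed entries plus a subdomain wildcard.
	l, err := Compile(Config{AllowOrigins: " https://app.example.com, https://*.example.org ", AllowCredentials: true})
	if err != nil {
		panic(err)
	}
	for _, o := range []string{"https://API.example.org", "https://example.org", "https://evil-example.org", "https://app.example.com/path"} {
		fmt.Printf("%-30s -> %q\n", o, l.AllowedOrigin(o))
	}
	_, err = Compile(Config{AllowOrigins: "*", AllowCredentials: true})
	fmt.Println(err)
}
```

Validating at compile time rather than per request is what turns the original panic into a startup failure: a malformed or whitespace-padded entry is reported once, when the configuration is built, instead of crashing the handler on the first cross-origin request.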
* test(middleware/csrf): fix Benchmark_Middleware_CSRF_*

* fix(middleware/csrf): update refererMatchesHost()
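A Referer-to-host check of the kind this CSRF commit touches, as an added example in standard-library Go, not the middleware's own `refererMatchesHost()`. The error names, the `Check` wrapper and its placement (state-changing requests over HTTPS only) are this example's assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Sentinel errors for the three outcomes; the names are this example's own.
var (
	ErrNoReferer      = errors.New("csrf: referer header missing")
	ErrRefererInvalid = errors.New("csrf: referer header is not a valid URL")
	ErrRefererNoMatch = errors.New("csrf: referer does not match request host")
)

// RefererMatchesHost compares the Referer's origin (scheme and host, port
// included) with the scheme and host the request arrived on. Only the origin
// part is compared, so a Referer carrying a path or query still matches, and
// equality rather than a prefix test is used, so "shop.example.com.evil.test"
// does not pass for host "shop.example.com".
func RefererMatchesHost(referer, scheme, host string) error {
	if referer == "" {
		return ErrNoReferer
	}
	u, err := url.Parse(referer)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return ErrRefererInvalid
	}
	if !strings.EqualFold(u.Scheme, scheme) || !strings.EqualFold(u.Host, host) {
		return ErrRefererNoMatch
	}
	return nil
}

// safeMethod is the RFC 7231 safe list; anything else is assumed to change state.
func safeMethod(method string) bool {
	switch method {
	case "GET", "HEAD", "OPTIONS", "TRACE":
		return true
	}
	return false
}

// Check is where this example places the Referer test (an assumption, not a
// reading of Fiber's code): it runs for state-changing requests over HTTPS and
// lets safe methods and plain-HTTP requests through untouched.
func Check(method, scheme, host, referer string) error {
	if safeMethod(method) || scheme != "https" {
		return nil
	}
	return RefererMatchesHost(referer, scheme, host)
}

func main() {
	// Constructed Referer values for a POST to https://shop.example.com.
	for _, ref := range []string{
		"https://shop.example.com/cart?step=2",
		"https://shop.example.com.evil.test/",
		"http://shop.example.com/",
		"https://shop.example.com:8443/",
		"",
		"not a url",
	} {
		fmt.Printf("%-40q -> %v\n", ref, Check("POST", "https", "shop.example.com", ref))
	}
}
```

Comparing the parsed scheme and host rather than the raw string is what keeps a downgrade (http:// Referer on an https:// request), an alternate port and a look-alike domain all in the "no match" bucket while still accepting a legitimate Referer that carries a path.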
* fix(middleware/cors): CORS handling

* fix(middleware/cors): Vary header handling

* test(middleware/cors): Ensure Vary Headers checked
…2939)

* fix(middleware/cors): Vary header handling non-cors OPTIONS requests

* chore(middleware/cors): Add Vary header for non-CORS OPTIONS requests comment
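The request categorisation and Vary handling these commits concern (a non-CORS request has no Origin header, a preflight is an OPTIONS request that also carries Access-Control-Request-Method, and everything else with an Origin header is an actual CORS request), as an added net/http example rather than Fiber's middleware. `Handler`, `Classify`, `Probe` and `NewDemo` are this example's names; the allow-list here is a plain set of exact Origin values because normalisation and wildcard matching are a separate concern; and the decision to send `Vary: Origin` on every response, non-CORS ones included, unless the list is "*", is this example's reading of the caching note in the Fetch specification.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Handler applies CORS headers for an allow-list of exact origins.
type Handler struct {
	allowAll bool
	allowed  map[string]bool
	next     http.Handler
}

// Kind is the request category the handler distinguishes.
type Kind int

const (
	NonCORS   Kind = iota // no Origin header, including a plain OPTIONS request
	Preflight             // OPTIONS carrying Access-Control-Request-Method
	Actual                // any other request that carries an Origin header
)

// Classify applies the categorisation: an OPTIONS request is a preflight only
// when it also carries Access-Control-Request-Method, and without an Origin
// header a request is outside the scope of CORS altogether.
func Classify(r *http.Request) Kind {
	switch {
	case r.Header.Get("Origin") == "":
		return NonCORS
	case r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "":
		return Preflight
	}
	return Actual
}

func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	hdr := w.Header()
	kind := Classify(r)
	// The response can differ by Origin, so every response, the non-CORS ones
	// included, carries Vary: Origin; otherwise a shared cache could serve one
	// origin's answer (or a plain OPTIONS answer) to a different origin. With
	// "*" the answer never depends on Origin, so no Vary is needed.
	if !h.allowAll {
		hdr.Add("Vary", "Origin")
	}
	if kind == NonCORS {
		h.next.ServeHTTP(w, r)
		return
	}
	if kind == Preflight {
		hdr.Add("Vary", "Access-Control-Request-Method")
		hdr.Add("Vary", "Access-Control-Request-Headers")
	}
	origin := r.Header.Get("Origin")
	switch {
	case h.allowAll:
		hdr.Set("Access-Control-Allow-Origin", "*")
	case h.allowed[origin]:
		hdr.Set("Access-Control-Allow-Origin", origin)
	}
	if kind == Preflight { // answered here; an unlisted origin gets no CORS headers at all
		w.WriteHeader(http.StatusNoContent)
		return
	}
	h.next.ServeHTTP(w, r)
}

// Probe runs one in-memory request through h and returns the status, the
// Access-Control-Allow-Origin value and the joined Vary values.
func Probe(h *Handler, method, origin string, preflight bool) (int, string, string) {
	req := httptest.NewRequest(method, "https://api.example.com/data", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	if preflight {
		req.Header.Set("Access-Control-Request-Method", "POST")
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Origin"), strings.Join(rec.Header().Values("Vary"), ", ")
}

// NewDemo builds a handler for a constructed one-entry allow-list in front of
// an application that answers 200 to everything.
func NewDemo(allowAll bool) *Handler {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	return &Handler{allowAll: allowAll, allowed: map[string]bool{"https://app.example.com": true}, next: ok}
}

func main() {
	h := NewDemo(false)
	fmt.Println(Probe(h, http.MethodOptions, "", false))                       // non-CORS OPTIONS
	fmt.Println(Probe(h, http.MethodOptions, "https://app.example.com", true)) // preflight
	fmt.Println(Probe(h, http.MethodGet, "https://evil.example", false))       // unlisted origin
}
```

The case worth checking after a change like this is the plain OPTIONS request with no Origin header: it reaches the application like any other request, yet its response still carries `Vary: Origin`, so a cache that stored it cannot later hand it to a cross-origin caller as if it were a CORS answer.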
# Conflicts:
#	.github/ISSUE_TEMPLATE/maintenance-task.yaml
#	.github/pull_request_template.md
#	.github/release-drafter.yml
#	app.go
#	ctx.go
#	ctx_test.go
#	docs/api/middleware/basicauth.md
#	docs/api/middleware/cors.md
#	docs/api/middleware/csrf.md
#	docs/api/middleware/encryptcookie.md
#	docs/api/middleware/healthcheck.md
#	docs/api/middleware/keyauth.md
#	docs/api/middleware/logger.md
#	docs/api/middleware/requestid.md
#	go.mod
#	go.sum
#	middleware/adaptor/adaptor_test.go
#	middleware/basicauth/config.go
#	middleware/cors/cors.go
#	middleware/cors/cors_test.go
#	middleware/cors/utils.go
#	middleware/cors/utils_test.go
#	middleware/csrf/config.go
#	middleware/csrf/csrf.go
#	middleware/csrf/csrf_test.go
#	middleware/healthcheck/config.go
#	middleware/healthcheck/healthcheck.go
#	middleware/healthcheck/healthcheck_test.go
#	middleware/idempotency/idempotency.go
#	middleware/keyauth/config.go
#	middleware/logger/config.go
#	middleware/logger/logger.go
#	middleware/redirect/redirect.go
#	middleware/requestid/config.go
#	middleware/requestid/requestid_test.go
coderabbitai bot commented Mar 28, 2024

Walkthrough

The recent updates span across the application's API and middleware layers, refining functionality and enhancing security. A minor adjustment was made to a method's signature in the Go code, ensuring more streamlined operations. Additionally, a documentation revision clarifies the significance of secure CORS configurations, while a middleware function has been optimized by eliminating redundant code. These changes collectively aim to improve the application's robustness and user guidance on security practices.

Changes

File Path | Change Summary
docs/api/app.md | Minor modification in the Hooks method signature within the App struct.
docs/api/.../cors.md | Removed a sentence on the importance of secure CORS configuration regarding allowed origins/methods/headers.
middleware/csrf/csrf.go | Optimized by removing an unnecessary line in the refererMatchesHost function.

🐇✨
In the realm of code, where logic does play,
A rabbit hopped through, refining the way.
With a tweak and a trim, and docs made to fit,
Security's tight, and the middleware's lit.
So cheer for the changes, both big and small,
For they make our app stronger, secure for us all.
🌟🐾


codecov bot commented Mar 28, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 82.85%. Comparing base (0248e58) to head (2f7d837).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2944      +/-   ##
==========================================
+ Coverage   82.75%   82.85%   +0.09%     
==========================================
  Files         116      116              
  Lines        8422     8422              
==========================================
+ Hits         6970     6978       +8     
+ Misses       1111     1106       -5     
+ Partials      341      338       -3     
Flag | Coverage Δ
unittests | 82.85% <ø> (+0.09%) ⬆️


@ReneWerner87 ReneWerner87 marked this pull request as ready for review March 28, 2024 09:07
@ReneWerner87 ReneWerner87 requested a review from a team as a code owner March 28, 2024 09:07
@ReneWerner87 ReneWerner87 requested review from gaby, sixcolors and efectn and removed request for a team March 28, 2024 09:07
@coderabbitai coderabbitai bot left a comment

Review Status

Actionable comments generated: 0

Configuration used: CodeRabbit UI

Commits: files that changed from the base of the PR and between 0248e58 and 2f7d837.
Files selected for processing (3)
  • docs/api/app.md (1 hunks)
  • docs/api/middleware/cors.md (1 hunks)
  • middleware/csrf/csrf.go (1 hunks)
Files skipped from review due to trivial changes (1)
  • middleware/csrf/csrf.go
Additional comments (2)
docs/api/app.md (1)
  • 667-667: The documentation has been updated with a minor modification in the signature of the Hooks method within the App struct. Ensure that this change is accurately reflected in the corresponding Go code and that any examples or guides that reference the Hooks method are also updated to prevent confusion.
Verification successful

The verification process confirms that the Hooks method signature in the Go code matches the documentation update in app.md. This ensures that the documentation accurately reflects the current state of the codebase.

Scripts Executed

The following scripts were executed for the analysis:


Script:

#!/bin/bash
# Verify if the Hooks method signature has been updated in the Go code.
ast-grep --lang go --pattern $'func (app *App) Hooks() *Hooks'

Length of output: 155

docs/api/middleware/cors.md (1)
  • 217-217: The removal of the sentence emphasizing the importance of secure CORS configuration could potentially reduce the awareness of security considerations among users. It's crucial to ensure that the documentation still adequately conveys the importance of careful CORS configuration to prevent security vulnerabilities. Consider adding or enhancing other sections related to security considerations to compensate for this removal.

@ReneWerner87 ReneWerner87 merged commit 60967f5 into main Mar 28, 2024
14 of 15 checks passed
@ReneWerner87 ReneWerner87 added this to the v3 milestone Mar 28, 2024
@efectn efectn deleted the mainV2Merge branch May 22, 2024 20:10