Some clients send an authorization header containing the "bearer"
keyword in lower case. This led to echo responding with "missing or
malformed jwt".
Request.BasicAuth (net/http) ignores the basic auth scheme's case since
a while: https://go-review.googlesource.com/c/go/+/111516/
Currently, echo supports binding data from query, path or body.
Sometimes we need to read bind data from headers. It would be nice to
automatically bind those using the `bindData` func, which is already
well prepared to accept `http.Header`.
I didn't add this to the `Bind` func, so this will not happen
automatically. Main reason is backwards compatability. It might be
confusing if variables are bound from headers when upgrading, and might
even have become a security issue as pointed out in #1670.
* Add docs for BindHeaders
* Add test for BindHeader with invalid data type
* when url ends with slash first param route is the match (fix#1804)
* router should check if method is suitable for matching route and if not then continue search in tree (fix#1808)
* Fix performance regression #1777 and avoid double escaping in rewrite/proxy middleware.
* Add rewrite test for correct escaping of replacement (#1798)
Co-authored-by: Roland Lammel <rl@neotel.at>
* Avoid context canceled errors
Return 499 Client Closed Request when the client has closed the request before the server could send a response
Signed-off-by: Seena Fallah <seenafallah@gmail.com>
* fix open redirect vulnerability with AddTrailingSlashWithConfig and RemoveTrailingSlashWithConfig (fix#1771)
* rename trimMultipleSlashes to sanitizeURI
* adds middleware for rate limiting
* added comment for InMemoryStore ShouldAllow
* removed redundant mutex declaration
* fixed lint issues
* removed sleep from tests
* improved coverage
* refactor: renames Identifiers, includes default SourceFunc
* Added last seen stats for visitor
* uses http Constants for improved readdability
adds default error handler
* used other handler apart from default handler to mark custom error handler for rate limiting
* split tests into separate blocks
added an error pair to IdentifierExtractor
Includes deny handler for explicitly denying requests
* adds comments for exported members Extractor and ErrorHandler
* makes cleanup implementation inhouse
* Avoid race for cleanup due to non-atomic access to store.expiresIn
* Use a dedicated producer for rate testing
* tidy commit
* refactors tests, implicitly tests lastSeen property on visitor
switches NewRateLimiterMemoryStore constructor to Referential Functions style (Advised by @pafuent)
* switches to mock of time module for time based tests
tests are now fully deterministic
* improved coverage
* replaces Rob Pike referential options with more conventional struct configs
makes cleanup asynchronous
* blocks racy access to lastCleanup
* Add benchmark tests for rate limiter
* Add rate limiter with sharded memory store
* Racy access to store.lastCleanup eliminated
Merges in shiny sharded map implementation by @lammel
* Remove RateLimiterShradedMemoryStore for now
* Make fields for RateLimiterStoreConfig public for external configuration
* Improve docs for RateLimiter usage
* Fix ErrorHandler vs. DenyHandler usage for rate limiter
* Simplify NewRateLimiterMemoryStore
* improved coverage
* updated errorHandler and denyHandler to use echo.HTTPError
* Improve wording for error and comments
* Remove duplicate lastSeen marking for Allow
* Improve wording for comments
* Add disclaimer on perf characteristics of memory store
* changes Allow signature on rate limiter to return err too
Co-authored-by: Roland Lammel <rl@neotel.at>
* Fluent Binder for Query/Path/Form binding.
* CI: report coverage for latest go (1.15) version
* improve docs, remove uncommented code
* separate unixtime with sec and nanosec precision binding
