* CSRF, JWT, KeyAuth middleware support for multivalue value extractors
* Add flag to JWT and KeyAuth middleware to allow continuing execution `next(c)` when error handler decides to swallow the error (returns nil).
* stream decompression instead of buffering
* simple body replace with gzip reader with deferred close
* defer resource closes
* simplify gzip.Reader pool
* fix 1905 and add some notes
(cherry picked from commit 9d96199e2dbb6d4374b5a8b6e16fdc0b0d7cb3a7)
* fix typo
(cherry picked from commit e8ea1bcabb6cdb50b06e1ec0e7c3cce44287d8b7)
* Add tests for timeout middleware with full http.Server stack running.
Add warning about middleware
* Fix example
Co-authored-by: lipengwei <lipengwei@uniontech.com>
Co-authored-by: toimtoimtoim <desinformatsioon@gmail.com>
Some clients send an authorization header containing the "bearer"
keyword in lower case. This led to echo responding with "missing or
malformed jwt".
Request.BasicAuth (net/http) has ignored the basic auth scheme's case for
a while now: https://go-review.googlesource.com/c/go/+/111516/
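The lower-case "bearer" problem described above comes down to RFC 7235, which defines the auth-scheme token as case-insensitive while leaving the credentials themselves (a JWT is case-sensitive base64url) untouched. The following is an added example, not echo's code: a scheme-insensitive extractor beside the strict prefix check that produces a "missing or malformed jwt" error for lower-case schemes. The function names and the error value are my own.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrMissingOrMalformed stands in for the error a JWT middleware returns when
// the header is absent or does not carry a Bearer token.
var ErrMissingOrMalformed = errors.New("missing or malformed jwt")

// ExtractBearer returns the token from an Authorization header value. The
// scheme is matched case-insensitively (RFC 7235), so "Bearer", "bearer" and
// "BEARER" are all accepted; the token is returned unchanged because JWTs are
// case-sensitive.
func ExtractBearer(authorization string) (string, error) {
	const scheme = "bearer"
	v := strings.TrimSpace(authorization)
	// Need more than the scheme itself, and the scheme must match ignoring case.
	if len(v) <= len(scheme) || !strings.EqualFold(v[:len(scheme)], scheme) {
		return "", ErrMissingOrMalformed
	}
	// RFC 7235 requires at least one space between scheme and credentials,
	// which also rejects prefixes such as "Bearerx...".
	rest := v[len(scheme):]
	if rest[0] != ' ' {
		return "", ErrMissingOrMalformed
	}
	token := strings.TrimLeft(rest, " ")
	if token == "" || strings.ContainsAny(token, " \t") {
		return "", ErrMissingOrMalformed
	}
	return token, nil
}

// StrictPrefixExtract is the naive, case-sensitive check that rejects a
// lower-case scheme; included only to contrast with ExtractBearer.
func StrictPrefixExtract(authorization string) (string, error) {
	if !strings.HasPrefix(authorization, "Bearer ") {
		return "", ErrMissingOrMalformed
	}
	return authorization[len("Bearer "):], nil
}

func main() {
	// Constructed header values, including the lower-case scheme some clients send.
	for _, h := range []string{"Bearer abc.def.ghi", "bearer abc.def.ghi", "Basic dXNlcjpwYXNz", "Bearer"} {
		tok, err := ExtractBearer(h)
		_, strictErr := StrictPrefixExtract(h)
		fmt.Printf("%-22q insensitive: token=%q err=%v | strict: err=%v\n", h, tok, err, strictErr)
	}
}
```

The strict variant is what makes a client-side lower-casing of the scheme look like a missing token; the insensitive variant still rejects other schemes, an empty token, and embedded whitespace.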
* Fix performance regression #1777 and avoid double escaping in rewrite/proxy middleware.
* Add rewrite test for correct escaping of replacement (#1798)
Co-authored-by: Roland Lammel <rl@neotel.at>
* Avoid context canceled errors
Return 499 Client Closed Request when the client has closed the request before the server could send a response
Signed-off-by: Seena Fallah <seenafallah@gmail.com>
* fix open redirect vulnerability with AddTrailingSlashWithConfig and RemoveTrailingSlashWithConfig (fix #1771)
* rename trimMultipleSlashes to sanitizeURI
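The open-redirect fix above rests on a browser rule: a path that begins with two slashes (or backslashes, which browsers normalise to slashes) is a scheme-relative URL, so redirecting to it with a trailing slash added or removed sends the user to another host. The block below is an added example, not echo's implementation: sanitizeURI takes its name from the commit but is my own code, and redirectLocation and isOffHost are hypothetical helpers that show the unhardened and hardened behaviour side by side.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// sanitizeURI collapses a leading run of slashes or backslashes to a single "/",
// so the result is an absolute-path reference and can no longer be read as a
// scheme-relative URL such as //evil.example/. Hypothetical helper for this
// example, not echo's own function.
func sanitizeURI(uri string) string {
	if len(uri) > 1 && (uri[0] == '/' || uri[0] == '\\') && (uri[1] == '/' || uri[1] == '\\') {
		return "/" + strings.TrimLeft(uri, `/\`)
	}
	return uri
}

// redirectLocation builds the Location a trailing-slash middleware would send
// for a request path. add=true mirrors the add-trailing-slash case, add=false
// the remove case; sanitize=false reproduces the unhardened behaviour.
func redirectLocation(path string, add, sanitize bool) string {
	if sanitize {
		path = sanitizeURI(path)
	}
	switch {
	case add && !strings.HasSuffix(path, "/"):
		return path + "/"
	case !add && len(path) > 1 && strings.HasSuffix(path, "/"):
		if trimmed := strings.TrimRight(path, "/"); trimmed != "" {
			return trimmed
		}
		return "/"
	}
	return path
}

// isOffHost reports whether a Location value would take the browser to another
// origin: an explicit scheme or host after parsing, or a leading "//" or "/\"
// that browsers normalise to a scheme-relative URL.
func isOffHost(location string) bool {
	if strings.HasPrefix(location, "//") || strings.HasPrefix(location, `/\`) {
		return true
	}
	u, err := url.Parse(location)
	if err != nil {
		return true // fail closed on anything unparseable
	}
	return u.Scheme != "" || u.Host != ""
}

func main() {
	// Constructed request paths: a benign one and two attacker-shaped ones.
	for _, p := range []string{"/users", "//evil.example/users", `/\evil.example/users`} {
		before := redirectLocation(p, true, false)
		after := redirectLocation(p, true, true)
		fmt.Printf("%-24q unsanitized=%-26q offhost=%-5v sanitized=%-22q offhost=%v\n",
			p, before, isOffHost(before), after, isOffHost(after))
	}
}
```

isOffHost is the check to run against any Location derived from request input; the sanitizer alone is not enough if a later step (a rewrite, a proxy) reintroduces a host.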
* adds middleware for rate limiting
* added comment for InMemoryStore ShouldAllow
* removed redundant mutex declaration
* fixed lint issues
* removed sleep from tests
* improved coverage
* refactor: renames Identifiers, includes default SourceFunc
* Added last seen stats for visitor
* uses http Constants for improved readability
adds default error handler
* used other handler apart from default handler to mark custom error handler for rate limiting
* split tests into separate blocks
added an error pair to IdentifierExtractor
Includes deny handler for explicitly denying requests
* adds comments for exported members Extractor and ErrorHandler
* makes cleanup implementation inhouse
* Avoid race for cleanup due to non-atomic access to store.expiresIn
* Use a dedicated producer for rate testing
* tidy commit
* refactors tests, implicitly tests lastSeen property on visitor
switches NewRateLimiterMemoryStore constructor to Referential Functions style (Advised by @pafuent)
* switches to mock of time module for time based tests
tests are now fully deterministic
* improved coverage
* replaces Rob Pike referential options with more conventional struct configs
makes cleanup asynchronous
* blocks racy access to lastCleanup
* Add benchmark tests for rate limiter
* Add rate limiter with sharded memory store
* Racy access to store.lastCleanup eliminated
Merges in shiny sharded map implementation by @lammel
* Remove RateLimiterShradedMemoryStore for now
* Make fields for RateLimiterStoreConfig public for external configuration
* Improve docs for RateLimiter usage
* Fix ErrorHandler vs. DenyHandler usage for rate limiter
* Simplify NewRateLimiterMemoryStore
* improved coverage
* updated errorHandler and denyHandler to use echo.HTTPError
* Improve wording for error and comments
* Remove duplicate lastSeen marking for Allow
* Improve wording for comments
* Add disclaimer on perf characteristics of memory store
* changes Allow signature on rate limiter to return err too
Co-authored-by: Roland Lammel <rl@neotel.at>