* CSRF, JWT, KeyAuth middleware support for multivalue value extractors
* Add flag to JWT and KeyAuth middleware to allow continuing execution `next(c)` when error handler decides to swallow the error (returns nil).
* stream decompression instead of buffering
* simple body replace with gzip reader with deferred close
* defer resource closes
* simply gzip.Reader pool
* fix 1905 and add some notes
(cherry picked from commit 9d96199e2dbb6d4374b5a8b6e16fdc0b0d7cb3a7)
* fix typo
(cherry picked from commit e8ea1bcabb6cdb50b06e1ec0e7c3cce44287d8b7)
* Add tests for timeout middleware with full http.Server stack running.
Add warning about middleware
* Fix example
Co-authored-by: lipengwei <lipengwei@uniontech.com>
Co-authored-by: toimtoimtoim <desinformatsioon@gmail.com>
Some clients send an authorization header containing the "bearer"
keyword in lower case. This led to echo responding with "missing or
malformed jwt".
Request.BasicAuth (net/http) ignores the basic auth scheme's case since
a while: https://go-review.googlesource.com/c/go/+/111516/
* Fix performance regression #1777 and avoid double escaping in rewrite/proxy middleware.
* Add rewrite test for correct escaping of replacement (#1798)
Co-authored-by: Roland Lammel <rl@neotel.at>
* Avoid context canceled errors
Return 499 Client Closed Request when the client has closed the request before the server could send a response
Signed-off-by: Seena Fallah <seenafallah@gmail.com>
* fix open redirect vulnerability with AddTrailingSlashWithConfig and RemoveTrailingSlashWithConfig (fix#1771)
* rename trimMultipleSlashes to sanitizeURI
* adds middleware for rate limiting
* added comment for InMemoryStore ShouldAllow
* removed redundant mutex declaration
* fixed lint issues
* removed sleep from tests
* improved coverage
* refactor: renames Identifiers, includes default SourceFunc
* Added last seen stats for visitor
* uses http Constants for improved readdability
adds default error handler
* used other handler apart from default handler to mark custom error handler for rate limiting
* split tests into separate blocks
added an error pair to IdentifierExtractor
Includes deny handler for explicitly denying requests
* adds comments for exported members Extractor and ErrorHandler
* makes cleanup implementation inhouse
* Avoid race for cleanup due to non-atomic access to store.expiresIn
* Use a dedicated producer for rate testing
* tidy commit
* refactors tests, implicitly tests lastSeen property on visitor
switches NewRateLimiterMemoryStore constructor to Referential Functions style (Advised by @pafuent)
* switches to mock of time module for time based tests
tests are now fully deterministic
* improved coverage
* replaces Rob Pike referential options with more conventional struct configs
makes cleanup asynchronous
* blocks racy access to lastCleanup
* Add benchmark tests for rate limiter
* Add rate limiter with sharded memory store
* Racy access to store.lastCleanup eliminated
Merges in shiny sharded map implementation by @lammel
* Remove RateLimiterShradedMemoryStore for now
* Make fields for RateLimiterStoreConfig public for external configuration
* Improve docs for RateLimiter usage
* Fix ErrorHandler vs. DenyHandler usage for rate limiter
* Simplify NewRateLimiterMemoryStore
* improved coverage
* updated errorHandler and denyHandler to use echo.HTTPError
* Improve wording for error and comments
* Remove duplicate lastSeen marking for Allow
* Improve wording for comments
* Add disclaimer on perf characteristics of memory store
* changes Allow signature on rate limiter to return err too
Co-authored-by: Roland Lammel <rl@neotel.at>
- Fix Static file route not working without trailing slash
- Add tests for static middleware with/without trailing slash
- Add tests for static middleware under group
Co-authored-by: pwli <lipw0755@gmail.com>
Fixing a http.Request.Body leak on the decompress middleware that were
not properly Close
Removing the defer on the call to gzip.Reader, because that reader is
already exausted after the call to io.Copy
Adding a sync.Pool for the *gzip.Writer reduces the allocations of the
Compress middleware in 50% and gives an increase on execution speed of
a 85%
This fix#1643
Currently there is a half and half situation where the user can't use regex (fully) because * will be replaced with (.*), yet they also can't just enter any old string, because meta chars like . would need escaping.
e.g. currently *.html wouldn't work as intended, and instead *\.html should be used.
Work around this by using regexp's QuoteMeta function to sanitise the input before handling it.
