v2.50.0
❗ Breaking Changes
- Change signatures of GetReqHeaders and GetRespHeaders (#2650)
To allow single and list values under headers according to the rfc standard
- func (c *Ctx) GetReqHeaders() map[string]string
+ func (c *Ctx) GetReqHeaders() map[string][]string
- func (c *Ctx) GetRespHeaders() map[string]string
+ func (c *Ctx) GetRespHeaders() map[string][]string
👮 Security
Middleware/csrf: Token Vulnerability (GHSA-mv73-f69x-444p, GHSA-94w9-97p3-p368)
https://docs.gofiber.io/api/middleware/csrf
🚀 Improvements to the CSRF middleware:
- Added support for single-use tokens through the
SingleUseToken
configuration option. - Optional integration with GoFiber session middleware through the
Session
andSessionKey
configuration options. - Introduction of origin checks for HTTPS connections to verify referer headers.
- Implementation of a Double Submit Cookie approach for CSRF token generation and validation when used without
Session
. - Enhancement of error handling with more descriptive error messages.
- The documentation for the CSRF middleware has been enhanced with the addition of the new options and best practices to improve security.
Thank you @sixcolors
🚀 New
- Cookie parser (#2656)
https://docs.gofiber.io/api/ctx#cookieparser
// Field names should start with an uppercase letter
type Person struct {
Name string `cookie:"name"`
Age int `cookie:"age"`
Job bool `cookie:"job"`
}
// Example route
app.Get("/", func(c *fiber.Ctx) error {
p := new(Person)
// This method is similar to BodyParser, but for cookie parameters
if err := c.CookieParser(p); err != nil {
return err
}
log.Println(p.Name) // Joseph
log.Println(p.Age) // 23
log.Println(p.Job) // true
})
- Middleware/cors: Allow disabling caching in preflight requests (#2649)
https://docs.gofiber.io/api/middleware/cors#config
// To disable caching completely, pass MaxAge value negative. It will set the Access-Control-Max-Age header 0.
app.Use(cors.New(cors.Config{MaxAge: -1}))
- Middleware/session: Add Reset method to Session struct in session middleware (#2654)
https://docs.gofiber.io/api/middleware/session#signatures
// Provide more flexibility in session management, especially in scenarios like repeated user logins
func (s *Session) Reset() error
Example usage:
// Initialize default config
// This stores all of your app's sessions
store := session.New()
app.Post("/login", func(c *fiber.Ctx) error {
// Get session from storage
sess, err := store.Get(c)
if err != nil {
panic(err)
}
// ... validate login ...
// Check if the session is fresh
if !sess.Fresh() {
// If the session is not fresh, reset it
if err := sess.Reset(); err != nil {
panic(err)
}
}
// Set new session data
sess.Set("user_id", user.ID)
// Save session
if err := sess.Save(); err != nil {
panic(err)
}
return c.SendString(fmt.Sprintf("Welcome %v", user.ID))
})
- Middleware/session: Add Delete method to Store struct in session middleware (#2655)
https://docs.gofiber.io/api/middleware/session#signatures
// Provide more control over individual session management, especially in scenarios
// like administrator-enforced user logout or user-initiated logout from a specific device session
func (s *Store) Delete(id string) error
Example usage:
app.Post("/admin/session/:id/logout", func(c *fiber.Ctx) error {
// Get session id from request
sessionID := c.Params("id")
// Delete the session
if err := store.Delete(sessionID); err != nil {
return c.Status(500).SendString(err.Error())
}
return c.SendString("Logout successful")
})
🧹 Updates
- Middleware/filesystem: Improve status for SendFile (#2664)
- Middleware/filesystem: Set response code (#2632)
- Refactor Ctx.Method func to improve code readability (#2647)
🛠️ Maintenance
- Fix loop variable captured by func literal (#2660)
- Run gofumpt and goimports (#2662)
- Use utils.AssertEqual instead of t.Fatal on some tests (#2653)
- Apply go fix ./... with latest version of go in repository (#2661)
- Bump github.com/valyala/fasthttp from 1.49.0 to 1.50.0 (#2634)
- Bump golang.org/x/sys from 0.12.0 to 0.13.0 (#2665)
🐛 Fixes
- Path checking on route naming (#2676)
- Incorrect log depth when use log.WithContext (#2666)
- Jsonp ignoring custom json encoder (#2658)
- PassLocalsToView when bind parameter is nil (#2651)
- Parse ips return invalid in abnormal case (#2642)
- Bug parse custom header (#2638)
- Middleware/adaptor: Reduce memory usage by replacing io.ReadAll() with io.Copy() (#2637)
- Middleware/idempotency: Nil pointer dereference issue on idempotency middleware (#2668)
📚 Documentation
- Incorrect status code source (#2667)
- Middleware/requestid: Typo in requestid.md (#2675)
- Middleware/cors: Update docs to better explain AllowOriginsFunc (#2652)
Full Changelog: v2.49.2...v2.50.0
Thank you @kaptinlin, @Skyenought, @cuipeiyu, @dairlair, @efectn, @gaby, @geerew, @huykn, @jimmyl02, @joey1123455, @joshlarsen, @jscappini, @peczenyj and @sixcolors for making this update possible.