Skip to content

v2.50.0

Compare
Choose a tag to compare
@github-actions github-actions released this 16 Oct 12:17

❗ Breaking Changes

  • Change signatures of GetReqHeaders and GetRespHeaders (#2650)

To allow single and list values under headers according to the rfc standard

- func (c *Ctx) GetReqHeaders() map[string]string
+ func (c *Ctx) GetReqHeaders() map[string][]string
- func (c *Ctx) GetRespHeaders() map[string]string
+ func (c *Ctx) GetRespHeaders() map[string][]string

👮 Security

Middleware/csrf: Token Vulnerability (GHSA-mv73-f69x-444p, GHSA-94w9-97p3-p368)

https://docs.gofiber.io/api/middleware/csrf

🚀 Improvements to the CSRF middleware:

  • Added support for single-use tokens through the SingleUseToken configuration option.
  • Optional integration with GoFiber session middleware through the Session and SessionKey configuration options.
  • Introduction of origin checks for HTTPS connections to verify referer headers.
  • Implementation of a Double Submit Cookie approach for CSRF token generation and validation when used without Session.
  • Enhancement of error handling with more descriptive error messages.
  • The documentation for the CSRF middleware has been enhanced with the addition of the new options and best practices to improve security.

Thank you @sixcolors

🚀 New

// Field names should start with an uppercase letter
type Person struct {
    Name     string  `cookie:"name"`
    Age      int     `cookie:"age"`
    Job      bool    `cookie:"job"`
}
// Example route
app.Get("/", func(c *fiber.Ctx) error {
    p := new(Person)
    // This method is similar to BodyParser, but for cookie parameters
    if err := c.CookieParser(p); err != nil {
        return err
    }
    
    log.Println(p.Name)     // Joseph
    log.Println(p.Age)      // 23
    log.Println(p.Job)      // true
})
// To disable caching completely, pass MaxAge value negative. It will set the Access-Control-Max-Age header 0.
app.Use(cors.New(cors.Config{MaxAge: -1})) 
// Provide more flexibility in session management, especially in scenarios like repeated user logins
func (s *Session) Reset() error

Example usage:

// Initialize default config
// This stores all of your app's sessions
store := session.New()

app.Post("/login", func(c *fiber.Ctx) error {
    // Get session from storage
    sess, err := store.Get(c)
    if err != nil {
        panic(err)
    }
    
    // ... validate login ...
    
    // Check if the session is fresh
    if !sess.Fresh() {
        // If the session is not fresh, reset it
        if err := sess.Reset(); err != nil {
            panic(err)
        }
    }
    // Set new session data
    sess.Set("user_id", user.ID)
    // Save session
    if err := sess.Save(); err != nil {
        panic(err)
    }

    return c.SendString(fmt.Sprintf("Welcome %v", user.ID))
})
// Provide more control over individual session management, especially in scenarios 
// like administrator-enforced user logout or user-initiated logout from a specific device session
func (s *Store) Delete(id string) error

Example usage:

app.Post("/admin/session/:id/logout", func(c *fiber.Ctx) error {
    // Get session id from request
    sessionID := c.Params("id")

    // Delete the session
    if err := store.Delete(sessionID); err != nil {
        return c.Status(500).SendString(err.Error())
    }

    return c.SendString("Logout successful")
})

🧹 Updates

  • Middleware/filesystem: Improve status for SendFile (#2664)
  • Middleware/filesystem: Set response code (#2632)
  • Refactor Ctx.Method func to improve code readability (#2647)

🛠️ Maintenance

  • Fix loop variable captured by func literal (#2660)
  • Run gofumpt and goimports (#2662)
  • Use utils.AssertEqual instead of t.Fatal on some tests (#2653)
  • Apply go fix ./... with latest version of go in repository (#2661)
  • Bump github.com/valyala/fasthttp from 1.49.0 to 1.50.0 (#2634)
  • Bump golang.org/x/sys from 0.12.0 to 0.13.0 (#2665)

🐛 Fixes

  • Path checking on route naming (#2676)
  • Incorrect log depth when use log.WithContext (#2666)
  • Jsonp ignoring custom json encoder (#2658)
  • PassLocalsToView when bind parameter is nil (#2651)
  • Parse ips return invalid in abnormal case (#2642)
  • Bug parse custom header (#2638)
  • Middleware/adaptor: Reduce memory usage by replacing io.ReadAll() with io.Copy() (#2637)
  • Middleware/idempotency: Nil pointer dereference issue on idempotency middleware (#2668)

📚 Documentation

  • Incorrect status code source (#2667)
  • Middleware/requestid: Typo in requestid.md (#2675)
  • Middleware/cors: Update docs to better explain AllowOriginsFunc (#2652)

Full Changelog: v2.49.2...v2.50.0

Thank you @kaptinlin, @Skyenought, @cuipeiyu, @dairlair, @efectn, @gaby, @geerew, @huykn, @jimmyl02, @joey1123455, @joshlarsen, @jscappini, @peczenyj and @sixcolors for making this update possible.