OpenID Connect (OIDC) http middleware for Go

Go OpenID Connect (OIDC) HTTP Middleware

Introduction

This is a middleware for http to make it easy to use OpenID Connect.

Currently Supported frameworks

Echo (JWT ParseTokenFunc)

Middleware

e.Use(middleware.JWTWithConfig(middleware.JWTConfig{
    ParseTokenFunc: oidc.NewEchoJWTParseTokenFunc(&oidc.Options{
        Issuer:                     cfg.Issuer,
        RequiredTokenType:          "JWT",
        RequiredAudience:           cfg.Audience,
        FallbackSignatureAlgorithm: cfg.FallbackSignatureAlgorithm,
        RequiredClaims: map[string]interface{}{
            "tid": cfg.TenantID,
        },
    }),
}))

Handler

func getClaimsHandler(c echo.Context) error {
	token, ok := c.Get("user").(jwt.Token)
	if !ok {
		return echo.NewHTTPError(http.StatusUnauthorized, "invalid token")
	}

	claims, err := token.AsMap(c.Request().Context())
	if err != nil {
		return echo.NewHTTPError(http.StatusUnauthorized, "invalid token")
	}

	return c.JSON(http.StatusOK, claims)
}

net/http & mux

Middleware

oidcHandler := oidc.NewNetHttpHandler(h, &oidc.Options{
    Issuer:                     cfg.Issuer,
    RequiredTokenType:          "JWT",
    RequiredAudience:           cfg.Audience,
    FallbackSignatureAlgorithm: cfg.FallbackSignatureAlgorithm,
    RequiredClaims: map[string]interface{}{
        "tid": cfg.TenantID,
    },
})

Handler

func getClaimsHandler() http.HandlerFunc {
	fn := func(w http.ResponseWriter, r *http.Request) {
		claims, ok := r.Context().Value(oidc.ClaimsContextKey).(map[string]interface{})
		if !ok {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}

		w.Header().Set("Content-Type", "application/json")
		err := json.NewEncoder(w).Encode(claims)
		if err != nil {
			w.WriteHeader(http.StatusInternalServerError)
			return
		}
	}

	return http.HandlerFunc(fn)
}

Examples

See examples readme for more information.

Roadmap

GitHub Project

Comments
  • withRequiredClaims doesn't support its function signature

    a JWT with the following body:

    {
      "iat": 1635250590,
      "auth_time": 1635250589,
      "jti": "e7f11506-04b5-470a-b546-5365bea7dc74",
      "iss": "https://redacted/auth/realms/redacted",
      "aud": [
        "devel",
        "account"
      ],
      "sub": "4d1debda-2a29-4caf-9b7f-a8474051f6b6",
      "typ": "Bearer",
      "azp": "devel",
      "nonce": "ec137176-9c23-4375-849e-74bb20c7fbea",
      "session_state": "5618efe5-2bcf-4c35-8730-ae17b8258404",
      "acr": "1",
      "allowed-origins": [
        "*"
      ],
      "realm_access": {
        "roles": [
          "offline_access",
          "default-roles-redacted",
          "uma_authorization",
          "user"
        ]
      },
      "resource_access": {
        "account": {
          "roles": [
            "manage-account",
            "manage-account-links",
            "view-profile"
          ]
        }
      },
      "scope": "openid email profile",
      "sid": "5618efe5-2bcf-4c35-8730-ae17b8258404",
      "email_verified": true,
      "name": "redacted",
      "preferred_username": "redacted",
      "given_name": "redacted",
      "family_name": "redacted",
      "email": "redacted"
    }
    

    and the gin (fwiw) middleware with the following options:

    	oidcHandler := oidcgin.New(
    		options.WithIssuer(cfg.Issuer),
    		options.WithRequiredTokenType("JWT"),
    		options.WithRequiredAudience(cfg.Audience),
    		options.WithRequiredClaims(map[string]interface{}{
    			"realm_access": map[string]interface{}{
    				"roles": "user",
    			},
    		}),
    	)
    

    and the default handler

    func OIDCHandler(cx *gin.Context) {
    	claimsValue, found := cx.Get("claims")
    	if !found {
    		fmt.Println("!found")
    		cx.AbortWithStatus(http.StatusUnauthorized)
    		return
    	}
    
    	claims, ok := claimsValue.(map[string]interface{})
    	if !ok {
    		fmt.Println("!ok")
    		cx.AbortWithStatus(http.StatusUnauthorized)
    		return
    	}
    
    	cx.JSON(http.StatusOK, claims)
    }
    

    results in the following error message

    Error #01: unable to validate required claims: unable to get cty.Type: no cty.Type for interface {}
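
The issue above needs a required claim that is nested under `realm_access` and whose token value is an array. The following is an added example, not the library's code or its fix: a standalone matcher over decoded claims, where `normalise`, `satisfies` and `unmetClaims` are hypothetical names and the matching rules (a required scalar matches any element of a token array, a required list needs every element) are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed sample: a trimmed copy of the payload quoted in the issue.
// Signature, issuer and expiry are assumed to have been verified already;
// this code only inspects the decoded claims.
const samplePayload = `{
  "iss": "https://redacted/auth/realms/redacted",
  "aud": ["devel", "account"],
  "typ": "Bearer",
  "realm_access": {"roles": ["offline_access", "uma_authorization", "user"]},
  "resource_access": {"account": {"roles": ["manage-account", "view-profile"]}},
  "email_verified": true
}`

// normalise round-trips v through JSON so that Go-typed values such as
// []string or int take the generic shapes json.Unmarshal produces
// (map[string]interface{}, []interface{}, string, float64, bool, nil).
func normalise(v interface{}) (interface{}, error) {
	raw, err := json.Marshal(v)
	if err != nil {
		return nil, err
	}
	var out interface{}
	err = json.Unmarshal(raw, &out)
	return out, err
}

// satisfies reports whether a normalised required value is met by a claim.
func satisfies(required, actual interface{}) bool {
	// Required list: every required element must be satisfied.
	if reqList, ok := required.([]interface{}); ok {
		for _, rv := range reqList {
			if !satisfies(rv, actual) {
				return false
			}
		}
		return true
	}
	// Token array: the required value must match at least one element.
	if actList, ok := actual.([]interface{}); ok {
		for _, av := range actList {
			if satisfies(required, av) {
				return true
			}
		}
		return false
	}
	reqMap, ok := required.(map[string]interface{})
	if !ok {
		// Scalars: comparable after normalisation; differing types are unequal.
		return required == actual
	}
	actMap, ok := actual.(map[string]interface{})
	if !ok {
		return false
	}
	for key, rv := range reqMap {
		av, present := actMap[key]
		if !present || !satisfies(rv, av) {
			return false
		}
	}
	return true
}

// unmetClaims returns the sorted names of required top-level claims that the
// payload does not satisfy. A missing claim always counts as unmet.
func unmetClaims(required map[string]interface{}, payload []byte) ([]string, error) {
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, fmt.Errorf("decode claims: %w", err)
	}
	unmet := []string{}
	for name, want := range required {
		norm, err := normalise(want)
		if err != nil {
			return nil, fmt.Errorf("normalise %q: %w", name, err)
		}
		got, present := claims[name]
		if !present || !satisfies(norm, got) {
			unmet = append(unmet, name)
		}
	}
	sort.Strings(unmet)
	return unmet, nil
}

func main() {
	required := map[string]interface{}{
		"realm_access": map[string]interface{}{"roles": "user"},
		"aud":          []string{"devel"},
		"tid":          "constructed-tenant", // absent from the sample token
	}
	unmet, err := unmetClaims(required, []byte(samplePayload))
	fmt.Println(unmet, err)
}
```
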
    
  • Bump github.com/lestrrat-go/jwx from 1.2.4 to 1.2.5

    Bumps github.com/lestrrat-go/jwx from 1.2.4 to 1.2.5.

    Release notes

    Sourced from github.com/lestrrat-go/jwx's releases.

    v1.2.5

    v1.2.5 04 Aug 2021
    [New features]
      * Implement RFC7797. The value of the header field `b64` changes
        how the payload is treated in JWS
      * Implement detached payloads for JWS
      * Implement (jwk.AutoRefresh).ErrorSink() to register a channel
        where you can receive errors from fetches and parses that occur during
        JWK(s) retrieval.
    
    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • Bump goreleaser/goreleaser-action from 2.6.1 to 2.7.0

    Bumps goreleaser/goreleaser-action from 2.6.1 to 2.7.0.

    Release notes

    Sourced from goreleaser/goreleaser-action's releases.

    v2.7.0

    • chore(deps): update dev deps (#294)
    • chore(deps): bump codecov/codecov-action from 1 to 2 (#293)
    • refactor: use built-in getExecOutput (#292)
    • chore(deps): bump @​actions/exec from 1.0.4 to 1.1.0 (#291)
    • chore(deps): bump @​actions/core from 1.3.0 to 1.4.0 (#289)
    • chore(deps): bump @​actions/tool-cache from 1.7.0 to 1.7.1 (#290)
    Commits
    • 5a54d7e chore(deps): update dev deps (#294)
    • a59bcd6 chore(deps): bump codecov/codecov-action from 1 to 2 (#293)
    • b59bff5 refactor: use built-in getExecOutput (#292)
    • b2263bd chore(deps): bump @​actions/exec from 1.0.4 to 1.1.0 (#291)
    • 76bde18 chore(deps): bump @​actions/core from 1.3.0 to 1.4.0 (#289)
    • 194deb5 chore(deps): bump @​actions/tool-cache from 1.7.0 to 1.7.1 (#290)
    • See full diff in compare view

  • Bump github.com/cristalhq/aconfig from 0.16.2 to 0.16.5 in /examples

    Bumps github.com/cristalhq/aconfig from 0.16.2 to 0.16.5.

    Release notes

    Sourced from github.com/cristalhq/aconfig's releases.

    v0.16.5

    de23397e03c0b9c4072082fa4f2a050abafc1011 Check duplicate flag (#98)

    v0.16.4

    4599e9843ad438f3bac16fbec23d1e70b7e83ed1 Fix map of slices (#102)

    v0.16.3

    32ffc950c1ed5f0de288b13ff9fb69c102e26d9a Fix map in map (#101)
    5ae6b2e987975aa3fa8a084d5a8fe2c9e70d61af Better struct assert (#97)

  • Bump github.com/gin-gonic/gin from 1.7.3 to 1.7.4

    Bumps github.com/gin-gonic/gin from 1.7.3 to 1.7.4.

  • Default 5 seconds timeout is not enough to load openid-configuration in a slow network environment

    The default 5-second timeout is not enough to load openid-configuration in a slow network environment; I would appreciate it if you added a configuration parameter to adjust the timeout.

    panic: oidc discovery: unable to load jwks: unable to fetch jwksUri from discoveryUri (https://login.microsoftonline.com//v2.0/.well-known/openid-configuration): Get "https://login.microsoftonline.com//v2.0/.well-known/openid-configuration": context deadline exceeded

    goroutine 1 [running]:
    github.com/xenitab/go-oidc-middleware/oidcgin.New({0xc0005b1ed8, 0x4, 0x4})
    	/home/ythuang/go/pkg/mod/github.com/xenitab/go-oidc-middleware/[email protected]/gin.go:17 +0xd9
    main.main()

  • split off internal/oidc and provide separate packages for each "router package"

    Motivation:

    This package is rather inflexible if you'd like to write your own middleware. Writing your own middleware is not possible without yanking out internal/oidc and putting it into its own, separate package.

    Different responses if an error occurs are not possible to do either. You have to "eat" the stock "400 bad request" response in gin's case without any ability, except forking, to change that.

    Also, if you only need e.g. the gin handler, you have to pull in all the other routers, like fiber etc, resulting in a larger memory footprint and larger binary.

    Why not just a fork? Because changes in this package would then again need to be done manually in the forked package, because it's internal. Please correct me if I'm wrong.

    I have forked the internal/oidc and options and put it at git.icod.de/dalu/oidc. What I'll do next is take and edit just the gin handler and put it into a separate package as well, then edit it to be optionally permissive and return JSON on error. Thanks to your MIT license I can do that, so thank you for that. But you're the author and it should be hosted and updated by you, therefore this proposal. And you seem to have some automation set up to upgrade dependencies.

  • should the middleware be permissive?

    Hello again,

    I'm not sure what vision you had with this package, I, for one, am trying to avoid running a separate https://github.com/gogatekeeper/gatekeeper in front of every http api I create. I stumbled upon this package because I wanted to write my own middleware and thought why re-invent the wheel.

    Usually (or it's one possibility) GETting something does not require someone to be logged in, to attract visitors. Only modifying requests should require authentication. Of course I can achieve that by not putting the middleware in front of every handler that requires it, or rather... putting the middleware in front of every handler that requires authentication and not putting it before GET requests.

    This might or might not be an issue for you.

    But why would one still do it? Convenience. When you're able to just say something like this:

    	h := handler.New(client)
    
    	v1 := r.Group("/api/v1")
    	v1.Use(oidcHandler)
    	v1.GET("/oidc", h.OIDCClaimsHandler) // demo
    
    	// Entity Routes
    
    	post := v1.Group("/post")
    	comment := v1.Group("/comment")
    	h.PostRoutes(post)
    	h.CommentRoutes(comment)
    

    vs passing the oidcHandler to every single route, which I'm going to do now.

    ~
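
The routing question above (public reads, authenticated writes, one middleware on the whole group) can be handled with a method-aware wrapper. This is an added example using only net/http, not code from the project or the commenter: `requireAuthForWrites` and `standInAuth` are hypothetical names, and `standInAuth` is a placeholder for a real token-validating middleware that accepts one constructed bearer value.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// requireAuthForWrites applies auth only to requests whose method is not on
// the read-only allow-list. Unknown or custom methods are authenticated, so
// the wrapper fails closed.
func requireAuthForWrites(auth func(http.Handler) http.Handler, next http.Handler) http.Handler {
	protected := auth(next)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions:
			// Public path: no token was checked, so no claims are in the context.
			next.ServeHTTP(w, r)
		default:
			protected.ServeHTTP(w, r)
		}
	})
}

// standInAuth is a placeholder (assumption) for an OIDC middleware. It only
// compares the Authorization header with a constructed value.
func standInAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer constructed-token" {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends one in-memory request through the wrapped handler and
// returns the response status code.
func statusFor(method, authorization string) int {
	api := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	h := requireAuthForWrites(standInAuth, api)

	req := httptest.NewRequest(method, "/api/v1/post", nil)
	if authorization != "" {
		req.Header.Set("Authorization", authorization)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, m := range []string{"GET", "POST", "DELETE", "PURGE"} {
		fmt.Printf("%-6s anonymous=%d authenticated=%d\n",
			m, statusFor(m, ""), statusFor(m, "Bearer constructed-token"))
	}
}
```

Handlers reached through the public branch must not read claims or assume an identity, and any GET route that changes state needs the middleware applied to it directly.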

  • Bump github.com/xenitab/go-oidc-middleware from 0.0.14 to 0.0.15 in /examples

    Bumps github.com/xenitab/go-oidc-middleware from 0.0.14 to 0.0.15.

    Release notes

    Sourced from github.com/xenitab/go-oidc-middleware's releases.

    v0.0.15

    Changes

    • Update dependencies
    Commits
    • f11d391 update dependencies (#73)
    • b183299 Bump github.com/gofiber/fiber/v2 from 2.19.0 to 2.20.0 in /examples (#72)
    • 7296cf3 Bump github.com/gofiber/fiber/v2 from 2.19.0 to 2.20.0 (#71)
    • See full diff in compare view

  • Bump github.com/zclconf/go-cty from 1.9.0 to 1.9.1

    Bumps github.com/zclconf/go-cty from 1.9.0 to 1.9.1.

    Changelog

    Sourced from github.com/zclconf/go-cty's changelog.

    1.9.1 (Unreleased)

    • cty: Don't panic in Value.Equals if comparing complex data structures with nested marked values. Instead, Equals will aggregate all of the marks on the resulting boolean value as we typically expect for operations that derived from marked values. (#112)
    • cty: Value.AsBigFloat now properly isolates its result from the internal state of the associated value. It previously attempted to do this (so that modifying the result would not affect the supposedly-immutable cty.Number value) but ended up creating an object which still had some shared buffers. The result is now entirely separate from the internal state of the receiving value. (#114)
    • function/stdlib: The FormatList function will now return an unknown value if any of the arguments have an unknown type, because in that case it can't tell whether that value will ultimately become a string or a list of strings, and thus it can't predict how many elements the result will have. (#115)
  • Bump honnef.co/go/tools from 0.2.0 to 0.2.1

    Bumps honnef.co/go/tools from 0.2.0 to 0.2.1.

    Release notes

    Sourced from honnef.co/go/tools's releases.

    Staticcheck 2021.1.1 (v0.2.1)

    This release adds support for new language features in Go 1.17, namely conversions from slices to array pointers, the unsafe.Add function, and the unsafe.Slice function.

    Additionally, it fixes some false positives.

    Read the full release notes at https://staticcheck.io/changes/2021.1#2021.1.1

    Staticcheck 2021.1 (v0.2.0)

    Read the full release notes at https://staticcheck.io/changes/2021.1

    Staticcheck 2020.2.4 (v0.1.4)

    This release fixes a crash and some false positives.

    Read the full release notes at https://staticcheck.io/changes/2020.2#2020.2.4

    Staticcheck 2020.2.3 (v0.1.3)

    This release fixes a false positive in U1000. See #942 for details.

    Staticcheck 2020.2.2 (v0.1.2)

    This release fixes a rare crash in Staticcheck, reduces the number of false positives, and adds support for Go 1.16's io/fs.FileMode type.

    Read the full release notes at https://staticcheck.io/changes/2020.2#2020.2.2

    Staticcheck 2020.2.1 (v0.1.1)

    This release eliminates some false negatives as well as false positives, makes the staticcheck command less noisy and fixes a potential security issue.

    See the full release notes at https://staticcheck.io/changes/2020.2#2020.2.1

    Staticcheck 2020.2 (v0.1.0)

    Read the full release notes at https://staticcheck.io/changes/2020.2

    Commits
    • df71e5d Version 2021.1.1 (v0.2.1)
    • 5b5a29e doc: add 2021.1.1 release notes
    • f3761a6 SA5011: don't flag indexing of possibly nil slice
    • fae7339 go/ir: support unsafe.Add and unsafe.Slice
    • 1325373 go/ir: support slice to array pointer conversion
    • d182c3a S1020: don't flag nested if statements when the inner one has an else branch
    • 2978e62 SA5011: only consider nil checks used in if statements
    • 74fd1b8 SA4010: don't flag appends to slices that might have aliased backing arrays
    • e7de1ac SA4000: never flag floats
    • d3c6840 SA5002: don't print two percent signs
    • Additional commits viewable in compare view

  • Bump github.com/gofiber/fiber/v2 from 2.40.1 to 2.41.0 in /examples

    Bumps github.com/gofiber/fiber/v2 from 2.40.1 to 2.41.0.

    Release notes

    Sourced from github.com/gofiber/fiber/v2's releases.

    v2.41.0

    🧹 Updates

    • Latency use lowest time unit in logger middleware (#2261)
    • Add more detail error message in serverErrorHandler (#2267)
    • Use fasthttp.AddMissingPort (#2268)
    • Set byteSent log to 0 when use SetBodyStreamWriter (#2239)
    • Unintended overwritten bind variables (#2240)
    • Bump github.com/valyala/fasthttp from 1.41.0 to 1.43.0 (#2237, #2245)
    • Bump github.com/mattn/go-isatty from 0.0.16 to 0.0.17 (#2279)

    🐛 Fixes

    • Fix some warnings, go-ole on mac os (#2280)
    • Properly handle error of "net.ParseCIDR" in "(*App).handleTrustedProxy" (#2243)
    • Fix regex constraints that contain comma (#2256)
    • Unintended overwritten bind variables (#2240)

    📚 Documentation

    • Fix ci badge errors (#2282)
    • Replace 1.14 with 1.16 in READMEs (#2265)
    • Update docstring for FormValue() (#2262)
    • Added Ukrainian README translation (#2249)
    • middleware/requestid: mention that the default UUID generator exposes the number of requests made to the server (#2241)
    • middleware/filesystem does not handle url encoded values on its own (#2247)

    Full Changelog: https://github.com/gofiber/fiber/compare/v2.40.1...v2.41.0

    Thank you @​AngelVI13, @​Simerax, @​cwinters8, @​efectn, @​jfcg, @​leonklingele, @​li-jin-gou, @​pjebs, @​shuuji3 and @​v1def for making this update possible.

  • Bump github.com/labstack/echo/v4 from 4.9.1 to 4.10.0 in /examples

    Bumps github.com/labstack/echo/v4 from 4.9.1 to 4.10.0.

    Release notes

    Sourced from github.com/labstack/echo/v4's releases.

    v4.10.0

    Security

    • We are deprecating JWT middleware in this repository. Please use https://github.com/labstack/echo-jwt instead.

      JWT middleware is moved to separate repository to allow us to bump/upgrade version of JWT implementation (github.com/golang-jwt/jwt) we are using which we can not do in Echo core because this would break backwards compatibility guarantees we try to maintain.

    • This minor version bumps minimum Go version to 1.17 (from 1.16) due golang.org/x/ packages we depend on. There are several vulnerabilities fixed in these libraries.

      Echo still tries to support last 4 Go versions but there are occasions we can not guarantee this promise.

    Enhancements

    • Bump x/text to 0.3.8 #2305
    • Bump dependencies and add notes about Go releases we support #2336
    • Add helper interface for ProxyBalancer interface #2316
    • Expose middleware.CreateExtractors function so we can use it from echo-contrib repository #2338
    • Refactor func(Context) error to HandlerFunc #2315
    • Improve function comments #2329
    • Add new method HTTPError.WithInternal #2340
    • Replace io/ioutil package usages #2342
    • Add staticcheck to CI flow #2343
    • Replace relative path determination from proprietary to std #2345
    • Remove square brackets from ipv6 addresses in XFF (X-Forwarded-For header) #2182
    • Add testcases for some BodyLimit middleware configuration options #2350
    • Additional configuration options for RequestLogger and Logger middleware #2341
    • Add route to request log #2162
    • GitHub Workflows security hardening #2358
    • Add govulncheck to CI and bump dependencies #2362
    • Fix rate limiter docs #2366
    • Refactor how e.Routes() work and introduce e.OnAddRouteHandler callback #2337
    Changelog

    Sourced from github.com/labstack/echo/v4's changelog.

    v4.10.0 - 2022-12-27

    Commits
    • f36d566 Changelog for 4.10.0
    • a69727e Mark JWT middleware deprecated
    • 0056cc8 Improve comments wording
    • 45402bb Add echo.OnAddRouteHandler field. As name says - this handler is called when ...
    • f1cf1ec Fix adding route with host overwrites default host route with same method+pat...
    • 895121d Fix rate limiter docs (#2366)
    • abecadc Merge pull request #2362 from aldas/add_govulncheck_2_ci
    • bc75cc2 Add govulncheck to CI and bump dependencies. Refactor GitHub workflows.
    • 40eb889 build: harden echo.yml permissions
    • 135c511 Add request route with "route" tag to logger middleware (#2162)
    • Additional commits viewable in compare view

  • Bump github.com/gin-gonic/gin from 1.8.1 to 1.8.2 in /examples

    Bumps github.com/gin-gonic/gin from 1.8.1 to 1.8.2.

    Release notes

    Sourced from github.com/gin-gonic/gin's releases.

    v1.8.2

    Changelog

    Bug fixes

    • 0c2a691 fix(engine): missing route params for CreateTestContext (#2778) (#2803)
    • e305e21 fix(route): redirectSlash bug (#3227)

    Others

    • 6a2a260 Fix the GO-2022-1144 vulnerability (#3432)
    Changelog

    Sourced from github.com/gin-gonic/gin's changelog.

    Gin v1.8.2

    Bugs

    • fix(route): redirectSlash bug (#3227)
    • fix(engine): missing route params for CreateTestContext (#2778) (#2803)

    Security

    • Fix the GO-2022-1144 vulnerability (#3432)