diff --git a/go.mod b/go.mod index ffe07b3..0e117ad 100644 --- a/go.mod +++ b/go.mod @@ -4,7 +4,7 @@ go 1.26.3 require ( github.com/fogleman/gg v1.3.0 - github.com/go-chi/chi/v5 v5.2.5 + github.com/go-chi/chi/v5 v5.3.0 github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0 github.com/prometheus/client_golang v1.23.2 golang.org/x/image v0.41.0 diff --git a/go.sum b/go.sum index 912a3f5..edd0d0c 100644 --- a/go.sum +++ b/go.sum @@ -7,8 +7,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/fogleman/gg v1.3.0 h1:/7zJX8F6AaYQc57WQCyN9cAIz+4bCJGO9B+dyW29am8= github.com/fogleman/gg v1.3.0/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k= -github.com/go-chi/chi/v5 v5.2.5 h1:Eg4myHZBjyvJmAFjFvWgrqDTXFyOzjj7YIm3L3mu6Ug= -github.com/go-chi/chi/v5 v5.2.5/go.mod h1:X7Gx4mteadT3eDOMTsXzmI4/rwUpOwBHLpAfupzFJP0= +github.com/go-chi/chi/v5 v5.3.0 h1:halUjDxhshgXHMrao5bB8eNBXo/rnzwr8m5m36glehM= +github.com/go-chi/chi/v5 v5.3.0/go.mod h1:R+tYY2hNuVUUjxoPtqUdgBqevM9s9njzkTLutVsOCto= github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0 h1:DACJavvAHhabrF08vX0COfcOBJRhZ8lUbR+ZWIs0Y5g= github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k= github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= diff --git a/vendor/github.com/go-chi/chi/v5/README.md b/vendor/github.com/go-chi/chi/v5/README.md index c58a0e2..a116596 100644 --- a/vendor/github.com/go-chi/chi/v5/README.md +++ b/vendor/github.com/go-chi/chi/v5/README.md @@ -87,7 +87,7 @@ func main() { // A good base middleware stack r.Use(middleware.RequestID) - r.Use(middleware.RealIP) + r.Use(middleware.ClientIPFromRemoteAddr) // pick one ClientIPFrom* based on your infra, see below r.Use(middleware.Logger) r.Use(middleware.Recoverer) @@ -349,7 +349,11 @@ with `net/http` can be used with chi's mux. | [Logger] | Logs the start and end of each request with the elapsed processing time | | [NoCache] | Sets response headers to prevent clients from caching | | [Profiler] | Easily attach net/http/pprof to your routers | -| [RealIP] | Sets a http.Request's RemoteAddr to either X-Real-IP or X-Forwarded-For | +| [ClientIPFromHeader] | Capture client IP from a trusted single-IP header (X-Real-IP, CF-Connecting-IP, ...) | +| [ClientIPFromXFF] | Capture client IP from X-Forwarded-For, skipping listed trusted CIDR prefixes | +| [ClientIPFromXFFTrustedProxies] | Capture client IP from X-Forwarded-For given a fixed number of trusted proxies | +| [ClientIPFromRemoteAddr] | Capture client IP from the TCP RemoteAddr (server directly on the public internet) | +| [RealIP] | Deprecated — vulnerable to IP spoofing; use [ClientIPFromXFF] or another ClientIPFrom\* middleware | | [Recoverer] | Gracefully absorb panics and prints the stack trace | | [RequestID] | Injects a request ID into the context of each request | | [RedirectSlashes] | Redirect slashes on routing paths | @@ -375,6 +379,12 @@ with `net/http` can be used with chi's mux. [Logger]: https://pkg.go.dev/github.com/go-chi/chi/middleware#Logger [NoCache]: https://pkg.go.dev/github.com/go-chi/chi/middleware#NoCache [Profiler]: https://pkg.go.dev/github.com/go-chi/chi/middleware#Profiler +[ClientIPFromHeader]: https://pkg.go.dev/github.com/go-chi/chi/middleware#ClientIPFromHeader +[ClientIPFromXFF]: https://pkg.go.dev/github.com/go-chi/chi/middleware#ClientIPFromXFF +[ClientIPFromXFFTrustedProxies]: https://pkg.go.dev/github.com/go-chi/chi/middleware#ClientIPFromXFFTrustedProxies +[ClientIPFromRemoteAddr]: https://pkg.go.dev/github.com/go-chi/chi/middleware#ClientIPFromRemoteAddr +[GetClientIP]: https://pkg.go.dev/github.com/go-chi/chi/middleware#GetClientIP +[GetClientIPAddr]: https://pkg.go.dev/github.com/go-chi/chi/middleware#GetClientIPAddr [RealIP]: https://pkg.go.dev/github.com/go-chi/chi/middleware#RealIP [Recoverer]: https://pkg.go.dev/github.com/go-chi/chi/middleware#Recoverer [RedirectSlashes]: https://pkg.go.dev/github.com/go-chi/chi/middleware#RedirectSlashes @@ -402,6 +412,62 @@ with `net/http` can be used with chi's mux. [ThrottleOpts]: https://pkg.go.dev/github.com/go-chi/chi/middleware#ThrottleOpts [WrapResponseWriter]: https://pkg.go.dev/github.com/go-chi/chi/middleware#WrapResponseWriter +### Choosing a ClientIP middleware + +The legacy [RealIP] middleware is deprecated — it is vulnerable to IP spoofing +(GHSA-3fxj-6jh8-hvhx, GHSA-rjr7-jggh-pgcp, GHSA-9g5q-2w5x-hmxf) and mutates +`r.RemoteAddr`. Use one of the four `ClientIPFrom*` middlewares instead — pick +exactly one based on your network setup — and read the resulting IP with +[GetClientIP] (string) or [GetClientIPAddr] (`netip.Addr`): + +| Your setup | Use | +|---|---| +| Directly on the public internet, no proxy | `middleware.ClientIPFromRemoteAddr` | +| Behind nginx (`X-Real-IP`), Cloudflare (`CF-Connecting-IP`), Apache (`X-Client-IP`) | `middleware.ClientIPFromHeader("")` | +| Behind one or more proxies whose IP ranges you can list | `middleware.ClientIPFromXFF("10.0.0.0/8", ...)` | +| Behind a known, fixed number of proxies with dynamic IPs | `middleware.ClientIPFromXFFTrustedProxies(2)` | + +```go +r := chi.NewRouter() +r.Use(middleware.RequestID) + +// Pick exactly one. Examples for common deployments: + +// Direct internet exposure (no proxy): +// r.Use(middleware.ClientIPFromRemoteAddr) + +// Behind Cloudflare: +// r.Use(middleware.ClientIPFromHeader("CF-Connecting-IP")) + +// Behind AWS CloudFront (or any proxy fleet with known CIDRs): +r.Use(middleware.ClientIPFromXFF( + "13.32.0.0/15", // CloudFront IPv4 + "52.46.0.0/18", // CloudFront IPv4 + "2600:9000::/28", // CloudFront IPv6 +)) + +// Behind a known number of proxies with dynamic IPs: +// r.Use(middleware.ClientIPFromXFFTrustedProxies(2)) + +r.Use(middleware.Logger) +r.Use(middleware.Recoverer) + +r.Get("/", func(w http.ResponseWriter, r *http.Request) { + clientIP := middleware.GetClientIP(r.Context()) // for logs, rate-limit keys, etc. + _ = clientIP +}) +``` + +These middlewares never mutate `r.RemoteAddr`. They store a normalized +`netip.Addr` in the request context — IPv4-mapped IPv6 (`::ffff:a.b.c.d`) +is folded to plain IPv4, and IPv6 zone identifiers carried in headers are +stripped, so one logical client maps to a single canonical key for logs, +rate limits, and ACLs. + +See the per-function godoc for the full semantics of each middleware, and +[adam-p's "The perils of the 'real' client IP"](https://adam-p.ca/blog/2022/03/x-forwarded-for/) +for the underlying threat model. + ### Extra middlewares & packages Please see https://github.com/go-chi for additional packages. diff --git a/vendor/github.com/go-chi/chi/v5/chi.go b/vendor/github.com/go-chi/chi/v5/chi.go index f650116..ad0ca74 100644 --- a/vendor/github.com/go-chi/chi/v5/chi.go +++ b/vendor/github.com/go-chi/chi/v5/chi.go @@ -77,7 +77,7 @@ type Router interface { // path, with a fresh middleware stack for the inline-Router. Group(fn func(r Router)) Router - // Route mounts a sub-Router along a `pattern`` string. + // Route mounts a sub-Router along a `pattern` string. Route(pattern string, fn func(r Router)) Router // Mount attaches another http.Handler along ./pattern/* diff --git a/vendor/github.com/go-chi/chi/v5/middleware/client_ip.go b/vendor/github.com/go-chi/chi/v5/middleware/client_ip.go new file mode 100644 index 0000000..1495a86 --- /dev/null +++ b/vendor/github.com/go-chi/chi/v5/middleware/client_ip.go @@ -0,0 +1,263 @@ +package middleware + +import ( + "context" + "net" + "net/http" + "net/netip" + "strings" +) + +// clientIPCtxKey stores the client IP set by any of the ClientIPFrom* middlewares. +var clientIPCtxKey = &contextKey{"clientIP"} + +// xForwardedForHeader is the canonical form of the X-Forwarded-For header +// name, used by the XFF-based middlewares. +const xForwardedForHeader = "X-Forwarded-For" + +// ClientIPFromHeader stores the client IP from a single-IP header set by +// your reverse proxy. Read it with [GetClientIP]. +// +// Only safe with headers your proxy unconditionally OVERWRITES on every +// request, e.g.: +// +// - X-Real-IP — Nginx with ngx_http_realip_module +// - X-Client-IP — Apache with mod_remoteip +// - CF-Connecting-IP — Cloudflare +// +// True-Client-IP, X-Azure-ClientIP, and Fastly-Client-IP look similar but +// pass through from the client by default in those products; don't use them +// unless your edge strips the inbound value. +// +// If the header reaches us with multiple values (misconfigured proxy that +// appends, or a downstream proxy not stripping a client-supplied value), +// the LAST value wins — that's the one set by the hop closest to us, and +// therefore the most trusted. Fail-closed if the last value doesn't parse: +// no client IP is set rather than falling back to earlier (less-trusted) +// values. +// +// v4-mapped IPv6 (::ffff:a.b.c.d) folds to plain v4 and IPv6 zones are +// stripped before storage. +func ClientIPFromHeader(trustedHeader string) func(http.Handler) http.Handler { + header := http.CanonicalHeaderKey(trustedHeader) + return func(h http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + values := r.Header.Values(header) + if len(values) > 0 { + if ip, ok := parseHeaderAddr(values[len(values)-1]); ok { + r = r.WithContext(context.WithValue(r.Context(), clientIPCtxKey, ip)) + } + } + h.ServeHTTP(w, r) + }) + } +} + +// ClientIPFromXFF stores the client IP read from the X-Forwarded-For header, +// walking the chain right-to-left and skipping any IP that falls within one +// of the given trusted CIDR prefixes. The first IP that is not trusted is +// the client. Read it with [GetClientIP]. +// +// An unparseable entry mid-chain aborts the walk and leaves no client IP +// set (fail-closed) — we can't safely trust anything left of garbage. +// +// Use this when you sit behind one or more reverse proxies whose IP ranges +// you can enumerate as CIDRs: +// +// r.Use(middleware.ClientIPFromXFF( +// "13.32.0.0/15", // CloudFront IPv4 +// "52.46.0.0/18", // CloudFront IPv4 +// "2600:9000::/28", // CloudFront IPv6 +// )) +// +// Calling with no arguments returns the rightmost XFF entry, or no IP if +// that entry doesn't parse (fail-closed) — safe only if you have exactly +// one trusted hop directly in front of this server (e.g., nginx on localhost). +// +// v4-mapped IPv6 (::ffff:a.b.c.d) folds to plain v4 and IPv6 zones are +// stripped before the prefix check and storage; otherwise an attacker +// could use either notation to alias a trusted IP past the check. +// +// If you know the number of trusted proxies but not their IPs, use +// [ClientIPFromXFFTrustedProxies] instead. +// +// Panics at startup if any prefix is invalid. +func ClientIPFromXFF(trustedIPPrefixes ...string) func(http.Handler) http.Handler { + prefixes := make([]netip.Prefix, len(trustedIPPrefixes)) + for i, p := range trustedIPPrefixes { + prefixes[i] = netip.MustParsePrefix(p) + } + return func(h http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + var found netip.Addr + walkXFF(r.Header[xForwardedForHeader], func(v string) bool { + ip, ok := parseHeaderAddr(v) + if !ok { + return true // fail-closed; leave found unset + } + if inAnyPrefix(ip, prefixes) { + return false // trusted hop; keep walking left + } + found = ip + return true + }) + if found.IsValid() { + r = r.WithContext(context.WithValue(r.Context(), clientIPCtxKey, found)) + } + h.ServeHTTP(w, r) + }) + } +} + +// ClientIPFromXFFTrustedProxies stores the client IP read from the +// X-Forwarded-For header, given the exact number of trusted reverse proxies +// between this server and the public internet. It returns the IP at position +// len(xff) - numTrustedProxies in the merged X-Forwarded-For list — the IP +// added by the outermost of your trusted proxies, the only IP in the chain +// that none of your proxies have allowed an attacker to forge. Read it with +// [GetClientIP]. +// +// Use this when: +// - You know exactly how many proxies you sit behind, AND +// - Their IP addresses are dynamic (autoscaling proxy pools, ephemeral +// containers, dynamic CDN edges) so listing CIDRs with [ClientIPFromXFF] +// is impractical. +// +// WARNING: This variant is brittle to network architecture changes. If you +// add or remove a proxy level, numTrustedProxies silently becomes wrong and +// you may start trusting an attacker-supplied IP. Prefer [ClientIPFromXFF] +// with explicit trusted CIDRs whenever you can. +// +// If the XFF chain has fewer than numTrustedProxies entries (header missing +// or architecture changed), no client IP is set and [GetClientIP] returns "". +// +// Like [ClientIPFromXFF], v4-mapped IPv6 folds to plain v4 and IPv6 zones +// are stripped before storage. +// +// Panics at startup if numTrustedProxies < 1. +func ClientIPFromXFFTrustedProxies(numTrustedProxies int) func(http.Handler) http.Handler { + if numTrustedProxies < 1 { + panic("middleware.ClientIPFromXFFTrustedProxies: numTrustedProxies must be >= 1") + } + return func(h http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + n := numTrustedProxies + var entry string + walkXFF(r.Header[xForwardedForHeader], func(v string) bool { + n-- + if n == 0 { + entry = v + return true + } + return false + }) + if entry != "" { + if ip, ok := parseHeaderAddr(entry); ok { + r = r.WithContext(context.WithValue(r.Context(), clientIPCtxKey, ip)) + } + } + h.ServeHTTP(w, r) + }) + } +} + +// ClientIPFromRemoteAddr stores the client IP read from the TCP RemoteAddr +// of the incoming request — the IP address of whoever opened the connection +// to this server. Read it with [GetClientIP]. +// +// Use this when this server is directly connected to the public internet +// with NO reverse proxy in front of it. Behind a reverse proxy, RemoteAddr +// is the proxy's IP, not the client's — use [ClientIPFromHeader] or +// [ClientIPFromXFF] instead. +// +// IPv4 clients on a dual-stack listener surface as ::ffff:a.b.c.d; they +// fold to plain v4 before storage so one logical client maps to one key. +// IPv6 zones are preserved (link-local connections may legitimately have one). +func ClientIPFromRemoteAddr(h http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + host, _, err := net.SplitHostPort(r.RemoteAddr) + if err != nil { + host = r.RemoteAddr // RemoteAddr may already be a bare IP (e.g. in tests). + } + if ip, err := netip.ParseAddr(host); err == nil { + r = r.WithContext(context.WithValue(r.Context(), clientIPCtxKey, ip.Unmap())) + } + h.ServeHTTP(w, r) + }) +} + +// GetClientIP returns the client IP as a string, as set by one of the +// ClientIPFrom* middlewares. Returns "" if no valid IP was set. +// Convenient for logging, rate-limit keys, etc. +func GetClientIP(ctx context.Context) string { + ip := GetClientIPAddr(ctx) + if !ip.IsValid() { + return "" + } + return ip.String() +} + +// GetClientIPAddr returns the client IP as a [netip.Addr], as set by one of +// the ClientIPFrom* middlewares. The returned Addr is the zero value if not +// set; use [netip.Addr.IsValid] to check. Useful when you need typed work — +// prefix containment, Is4/Is6, etc. — without re-parsing the string. +func GetClientIPAddr(ctx context.Context) netip.Addr { + ip, _ := ctx.Value(clientIPCtxKey).(netip.Addr) + return ip +} + +// walkXFF walks the entries of the merged X-Forwarded-For chain +// RIGHT-TO-LEFT, invoking visit on each trimmed non-empty entry. visit +// returns true to stop the walk. Lazy walk, zero allocations (entries +// are substrings of the input headers). +// +// Multiple XFF headers are merged per RFC 2616 — each header's +// comma-separated entries in order received — so an attacker cannot pick +// which value security logic sees by sending a duplicate header. +func walkXFF(headers []string, visit func(entry string) bool) { + for hi := len(headers) - 1; hi >= 0; hi-- { + h := headers[hi] + for h != "" { + var v string + if i := strings.LastIndexByte(h, ','); i >= 0 { + v, h = h[i+1:], h[:i] + } else { + v, h = h, "" + } + v = strings.TrimSpace(v) + if v == "" { + continue + } + if visit(v) { + return + } + } + } +} + +// inAnyPrefix reports whether ip falls within any of the given prefixes. +func inAnyPrefix(ip netip.Addr, prefixes []netip.Prefix) bool { + for _, p := range prefixes { + if p.Contains(ip) { + return true + } + } + return false +} + +// parseHeaderAddr parses s and normalizes for storage: v4-mapped IPv6 +// (::ffff:a.b.c.d) folds to plain v4, IPv6 zone is stripped. Both defend the +// trust-prefix check against attacker-injected aliases — [netip.Prefix.Contains] +// returns false for v4-mapped addresses vs v4 prefixes and for any zoned +// address, so without folding/stripping an attacker could escape an +// otherwise valid trust list. +// +// Header-sourced IPs only. [ClientIPFromRemoteAddr] normalizes inline +// (Unmap, but zone preserved for legitimate link-local connections). +func parseHeaderAddr(s string) (netip.Addr, bool) { + ip, err := netip.ParseAddr(s) + if err != nil { + return netip.Addr{}, false + } + return ip.Unmap().WithZone(""), true +} diff --git a/vendor/github.com/go-chi/chi/v5/middleware/compress.go b/vendor/github.com/go-chi/chi/v5/middleware/compress.go index 9c64bd4..4e46f70 100644 --- a/vendor/github.com/go-chi/chi/v5/middleware/compress.go +++ b/vendor/github.com/go-chi/chi/v5/middleware/compress.go @@ -70,8 +70,8 @@ func NewCompressor(level int, types ...string) *Compressor { if strings.Contains(strings.TrimSuffix(t, "/*"), "*") { panic(fmt.Sprintf("middleware/compress: Unsupported content-type wildcard pattern '%s'. Only '/*' supported", t)) } - if strings.HasSuffix(t, "/*") { - allowedWildcards[strings.TrimSuffix(t, "/*")] = struct{}{} + if before, ok := strings.CutSuffix(t, "/*"); ok { + allowedWildcards[before] = struct{}{} } else { allowedTypes[t] = struct{}{} } diff --git a/vendor/github.com/go-chi/chi/v5/middleware/logger.go b/vendor/github.com/go-chi/chi/v5/middleware/logger.go index cff9bd2..4d30a9a 100644 --- a/vendor/github.com/go-chi/chi/v5/middleware/logger.go +++ b/vendor/github.com/go-chi/chi/v5/middleware/logger.go @@ -96,6 +96,8 @@ type DefaultLogFormatter struct { // NewLogEntry creates a new LogEntry for the request. func (l *DefaultLogFormatter) NewLogEntry(r *http.Request) LogEntry { + ctx := r.Context() + useColor := !l.NoColor entry := &defaultLogEntry{ DefaultLogFormatter: l, @@ -104,7 +106,7 @@ func (l *DefaultLogFormatter) NewLogEntry(r *http.Request) LogEntry { useColor: useColor, } - reqID := GetReqID(r.Context()) + reqID := GetReqID(ctx) if reqID != "" { cW(entry.buf, useColor, nYellow, "[%s] ", reqID) } @@ -118,7 +120,11 @@ func (l *DefaultLogFormatter) NewLogEntry(r *http.Request) LogEntry { cW(entry.buf, useColor, nCyan, "%s://%s%s %s\" ", scheme, r.Host, r.RequestURI, r.Proto) entry.buf.WriteString("from ") - entry.buf.WriteString(r.RemoteAddr) + clientIP := GetClientIP(ctx) + if clientIP == "" { + clientIP = r.RemoteAddr + } + entry.buf.WriteString(clientIP) entry.buf.WriteString(" - ") return entry diff --git a/vendor/github.com/go-chi/chi/v5/middleware/realip.go b/vendor/github.com/go-chi/chi/v5/middleware/realip.go index afcb79e..349f168 100644 --- a/vendor/github.com/go-chi/chi/v5/middleware/realip.go +++ b/vendor/github.com/go-chi/chi/v5/middleware/realip.go @@ -17,17 +17,14 @@ var xRealIP = http.CanonicalHeaderKey("X-Real-IP") // of parsing either the True-Client-IP, X-Real-IP or the X-Forwarded-For headers // (in that order). // -// This middleware should be inserted fairly early in the middleware stack to -// ensure that subsequent layers (e.g., request loggers) which examine the -// RemoteAddr will see the intended value. +// Deprecated: RealIP is vulnerable to IP spoofing — it mutates r.RemoteAddr +// to the leftmost X-Forwarded-For value, or to True-Client-IP / X-Real-IP +// whether or not your infrastructure actually sets them. See +// GHSA-3fxj-6jh8-hvhx, GHSA-rjr7-jggh-pgcp, GHSA-9g5q-2w5x-hmxf. // -// You should only use this middleware if you can trust the headers passed to -// you (in particular, the three headers this middleware uses), for example -// because you have placed a reverse proxy like HAProxy or nginx in front of -// chi. If your reverse proxies are configured to pass along arbitrary header -// values from the client, or if you use this middleware without a reverse -// proxy, malicious clients will be able to make you very sad (or, depending on -// how you're using RemoteAddr, vulnerable to an attack of some sort). +// Use [ClientIPFromHeader], [ClientIPFromXFF], [ClientIPFromXFFTrustedProxies] +// or [ClientIPFromRemoteAddr] and read the IP with [GetClientIP] instead. +// These never mutate r.RemoteAddr. func RealIP(h http.Handler) http.Handler { fn := func(w http.ResponseWriter, r *http.Request) { if rip := realIP(r); rip != "" { diff --git a/vendor/github.com/go-chi/chi/v5/middleware/wrap_writer.go b/vendor/github.com/go-chi/chi/v5/middleware/wrap_writer.go index 367e0fc..b2de875 100644 --- a/vendor/github.com/go-chi/chi/v5/middleware/wrap_writer.go +++ b/vendor/github.com/go-chi/chi/v5/middleware/wrap_writer.go @@ -208,8 +208,10 @@ func (f *http2FancyWriter) Push(target string, opts *http.PushOptions) error { func (f *httpFancyWriter) ReadFrom(r io.Reader) (int64, error) { if f.basicWriter.tee != nil { + // Route through basicWriter.Write so that data is also written to the + // tee writer. basicWriter.Write already increments basicWriter.bytes, + // so we must NOT add n again here (that would double-count). n, err := io.Copy(&f.basicWriter, r) - f.basicWriter.bytes += int(n) return n, err } rf := f.basicWriter.ResponseWriter.(io.ReaderFrom) diff --git a/vendor/github.com/go-chi/chi/v5/mux.go b/vendor/github.com/go-chi/chi/v5/mux.go index 71652dd..3da7f3f 100644 --- a/vendor/github.com/go-chi/chi/v5/mux.go +++ b/vendor/github.com/go-chi/chi/v5/mux.go @@ -472,9 +472,7 @@ func (mx *Mux) routeHTTP(w http.ResponseWriter, r *http.Request) { value := rctx.URLParams.Values[i] r.SetPathValue(key, value) } - if supportsPattern { - setPattern(rctx, r) - } + r.Pattern = rctx.RoutePattern() h.ServeHTTP(w, r) return diff --git a/vendor/github.com/go-chi/chi/v5/pattern.go b/vendor/github.com/go-chi/chi/v5/pattern.go deleted file mode 100644 index 890a2c2..0000000 --- a/vendor/github.com/go-chi/chi/v5/pattern.go +++ /dev/null @@ -1,16 +0,0 @@ -//go:build go1.23 && !tinygo -// +build go1.23,!tinygo - -package chi - -import "net/http" - -// supportsPattern is true if the Go version is 1.23 and above. -// -// If this is true, `net/http.Request` has field `Pattern`. -const supportsPattern = true - -// setPattern sets the mux matched pattern in the http Request. -func setPattern(rctx *Context, r *http.Request) { - r.Pattern = rctx.routePattern -} diff --git a/vendor/github.com/go-chi/chi/v5/pattern_fallback.go b/vendor/github.com/go-chi/chi/v5/pattern_fallback.go deleted file mode 100644 index 48a94ef..0000000 --- a/vendor/github.com/go-chi/chi/v5/pattern_fallback.go +++ /dev/null @@ -1,17 +0,0 @@ -//go:build !go1.23 || tinygo -// +build !go1.23 tinygo - -package chi - -import "net/http" - -// supportsPattern is true if the Go version is 1.23 and above. -// -// If this is true, `net/http.Request` has field `Pattern`. -const supportsPattern = false - -// setPattern sets the mux matched pattern in the http Request. -// -// setPattern is only supported in Go 1.23 and above so -// this is just a blank function so that it compiles. -func setPattern(rctx *Context, r *http.Request) {} diff --git a/vendor/github.com/go-chi/chi/v5/tree.go b/vendor/github.com/go-chi/chi/v5/tree.go index 8b1ed19..95f31d4 100644 --- a/vendor/github.com/go-chi/chi/v5/tree.go +++ b/vendor/github.com/go-chi/chi/v5/tree.go @@ -8,6 +8,7 @@ import ( "fmt" "net/http" "regexp" + "slices" "sort" "strconv" "strings" @@ -836,11 +837,15 @@ func Walk(r Routes, walkFn WalkFunc) error { func walk(r Routes, walkFn WalkFunc, parentRoute string, parentMw ...func(http.Handler) http.Handler) error { for _, route := range r.Routes() { - mws := make([]func(http.Handler) http.Handler, len(parentMw)) - copy(mws, parentMw) - mws = append(mws, r.Middlewares()...) + mws := slices.Concat(parentMw, r.Middlewares()) if route.SubRoutes != nil { + if handler, ok := route.Handlers["*"]; ok { + if chain, ok := handler.(*ChainHandler); ok { + mws = append(mws, chain.Middlewares...) + } + } + if err := walk(route.SubRoutes, walkFn, parentRoute+route.Pattern, mws...); err != nil { return err } @@ -854,7 +859,7 @@ func walk(r Routes, walkFn WalkFunc, parentRoute string, parentMw ...func(http.H } fullRoute := parentRoute + route.Pattern - fullRoute = strings.Replace(fullRoute, "/*/", "/", -1) + fullRoute = strings.ReplaceAll(fullRoute, "/*/", "/") if chain, ok := handler.(*ChainHandler); ok { if err := walkFn(method, fullRoute, chain.Endpoint, append(mws, chain.Middlewares...)...); err != nil { diff --git a/vendor/modules.txt b/vendor/modules.txt index 5565d74..dbedd6d 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -7,8 +7,8 @@ github.com/cespare/xxhash/v2 # github.com/fogleman/gg v1.3.0 ## explicit github.com/fogleman/gg -# github.com/go-chi/chi/v5 v5.2.5 -## explicit; go 1.22 +# github.com/go-chi/chi/v5 v5.3.0 +## explicit; go 1.23 github.com/go-chi/chi/v5 github.com/go-chi/chi/v5/middleware # github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0 diff --git a/web/web.go b/web/web.go index ae988a2..cb16ae6 100644 --- a/web/web.go +++ b/web/web.go @@ -15,7 +15,6 @@ import ( "time" "github.com/go-chi/chi/v5" - "github.com/go-chi/chi/v5/middleware" "github.com/menzerath/mcgen/assets" "github.com/menzerath/mcgen/generator" "github.com/menzerath/mcgen/metrics" @@ -36,7 +35,6 @@ func New(generator *generator.Generator) WebAPI { // StartWebAPI starts the WebAPI, registers all routes and blocks until the server is shut down. func (web WebAPI) StartWebAPI() { r := chi.NewRouter() - r.Use(middleware.RealIP) r.Use(func(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.Header().Set("Server", "mcgen")