🐛 [Bug]: Auth middleware ignored in dependency of app.Static if I use any of cors/logger middleware

Open Ivan-Feofanov opened this issue 1 year ago • 4 comments

Bug Description

I found that, depending on where I place app.Static, my auth middleware can be totally ignored. Examples:

package main

import (
	"net/http"

	"github.com/gofiber/fiber/v2"
	"github.com/gofiber/fiber/v2/middleware/cors"
	"github.com/gofiber/fiber/v2/middleware/logger"
)

func auth(ctx *fiber.Ctx) error {
	return ctx.SendStatus(http.StatusUnauthorized)
}

func main() {
	app := fiber.New()

	app.Use(cors.New())
	app.Use(logger.New())

	subApp := fiber.New()
	subApp.Get("/", func(ctx *fiber.Ctx) error {
		return ctx.SendString("sub")
	})
	app.Mount("/sub", subApp)

	app.Static("/files", "/")

	app.Use(auth)

	newSubApp := fiber.New()
	newSubApp.Get("/", func(ctx *fiber.Ctx) error {
		return ctx.SendString("sub2")
	})
	app.Mount("/sub2", newSubApp)

	_ = app.Listen(":3030")
}

Requesting the API, the responses are as expected:

GET localhost:3030/sub -> 200 OK, body: "sub"
GET localhost:3030/sub2 -> 401 Unauthorized

But if I place app.Static("/files", "/") before the first subapp mount, the behaviour changes:

func main() {
	app := fiber.New()

	app.Use(cors.New())
	app.Use(logger.New())
	app.Static("/files", "/")

	subApp := fiber.New()
	subApp.Get("/", func(ctx *fiber.Ctx) error {
		return ctx.SendString("sub")
	})
	app.Mount("/sub", subApp)

	app.Use(auth)

	newSubApp := fiber.New()
	newSubApp.Get("/", func(ctx *fiber.Ctx) error {
		return ctx.SendString("sub2")
	})
	app.Mount("/sub2", newSubApp)

	_ = app.Listen(":3030")
}

Requesting the API, the second response becomes weird:

GET localhost:3030/sub -> 200 OK, body: "sub"
GET localhost:3030/sub2 -> 200 OK, body: "sub2"

And, the most important thing: if I remove the built-in middlewares (cors and logger), everything works fine and it doesn’t matter where the static files connection is placed!

func main() {
	app := fiber.New()
	app.Static("/files", "/")

	subApp := fiber.New()
	subApp.Get("/", func(ctx *fiber.Ctx) error {
		return ctx.SendString("sub")
	})
	app.Mount("/sub", subApp)

	app.Use(auth)

	newSubApp := fiber.New()
	newSubApp.Get("/", func(ctx *fiber.Ctx) error {
		return ctx.SendString("sub2")
	})
	app.Mount("/sub2", newSubApp)

	_ = app.Listen(":3030")
}

Everything is ok:

GET localhost:3030/sub -> 200 OK, body: "sub"
GET localhost:3030/sub2 -> 401 Unauthorized

How to Reproduce

Steps to reproduce the behavior:

  1. Copy the first code example, run it, and request the API
  2. Move app.Static before the first mount, repeat

Expected Behavior

I suppose it shouldn’t matter where I place app.Static

Fiber Version

v2.44.0

Code Snippet (optional)

No response

Checklist:

  • [X] I agree to follow Fiber's Code of Conduct.
  • [X] I have checked for existing issues that describe my problem prior to opening this one.
  • [X] I understand that improperly formatted bug reports may be closed without explanation.

Ivan-Feofanov, May 08 '23 16:05

~~I suppose it shouldn’t matter where I place app.Static~~

The expected behavior is wrong. As in expressjs, the order of the route declaration is important.

The static handler is also just a handler, identical to all other middlewares.

ReneWerner87, May 08 '23 18:05

I mean the place where I put the static handler should hardly affect how other middleware works.

Ivan-Feofanov, May 08 '23 18:05

Actually, the place where you set the middlewares totally affects how the other middlewares work.

The middlewares are applied in the order that they are set, so if you set the Auth middleware after the Static middleware, the Static middleware will be unauthenticated. If you place the Auth middleware before the Static middleware, it should be authenticated; if it's not, then it's a bug.

luk3skyw4lker, Jun 16 '23 21:06
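
The ordering rule described in the comment above, as an added example that is not part of the thread and is not Fiber's code: a standard-library stand-in for an ordered router, plus a probe that lists which paths answer without ever reaching auth. The names `entry`, `stack` and `openPaths` are hypothetical, and a status of 0 is an assumption used to model a pass-through middleware such as cors or logger.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// entry pairs a path prefix with the status its handler answers with;
// status 0 models a pass-through middleware (cors, logger) that calls next.
type entry struct {
	prefix string
	status int
}

// stack is a simplified stand-in for an ordered router, not Fiber's code.
type stack []entry

// ServeHTTP lets the first registered, answering entry whose prefix matches win.
func (s stack) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	for _, e := range s {
		if e.status != 0 && strings.HasPrefix(r.URL.Path, e.prefix) {
			w.WriteHeader(e.status)
			return
		}
	}
	http.NotFound(w, r)
}

// openPaths probes each path without credentials and returns those that did
// not answer 401, i.e. routes registered in front of the auth handler.
func openPaths(h http.Handler, paths ...string) (open []string) {
	for _, p := range paths {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, p, nil))
		if rec.Code != http.StatusUnauthorized {
			open = append(open, p)
		}
	}
	return open
}

func main() {
	// Constructed layouts mirroring the issue: cors/logger, /sub, /files, auth, /sub2.
	issue := stack{{"/", 0}, {"/sub/", 200}, {"/files/", 200}, {"/", 401}, {"/sub2/", 200}}
	moved := stack{{"/", 0}, {"/sub/", 200}, {"/", 401}, {"/files/", 200}, {"/sub2/", 200}}
	fmt.Println(openPaths(issue, "/sub/", "/files/x", "/sub2/")) // [/sub/ /files/x]
	fmt.Println(openPaths(moved, "/sub/", "/files/x", "/sub2/")) // [/sub/]
}
```

With Fiber, the same probe can be driven through `app.Test` in a unit test that lists every path expected to sit behind auth.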

@luk3skyw4lker that is right. @Ivan-Feofanov, I suggest you load the static files after this code.

app.Mount("/sub2", newSubApp)

TheBraveByte, Aug 12 '23 10:08