v5.3.0

Compare Source

What's Changed

• Use strings.ReplaceAll where applicable by @​JRaspass in #​1046
• Propagate inline middlewares across mounted subrouters by @​LukasJenicek in #​1049
• add go 1.26 to ci by @​pkieltyka in #​1052
• Remove last uses of io/ioutil by @​JRaspass in #​1054
• Simplify chi.walk with slices.Concat by @​JRaspass in #​1053
• Apply the stringscutprefix modernizer by @​JRaspass in #​1051
• Bump minimum Go to 1.23, always use request.Pattern by @​JRaspass in #​1048
• middleware: fix httpFancyWriter.ReadFrom double-counting bytes with Tee by @​alliasgher in #​1085
• Fix typo in Route doc comment by @​gouwazi in #​1073
• fix: set Request.Pattern from RoutePattern() by @​leno23 in #​1097
• feat: middleware.ClientIP, a replacement for middleware.RealIP by @​VojtechVitek in #​967

New Contributors

• @​LukasJenicek made their first contribution in #​1049
• @​alliasgher made their first contribution in #​1085
• @​gouwazi made their first contribution in #​1073
• @​leno23 made their first contribution in #​1097

SECURITY: middleware.ClientIP, a replacement for middleware.RealIP

PR #​967 introduced middleware.ClientIP, a replacement for middleware.RealIP that closes the three open spoofing advisories:

• GHSA-9g5q-2w5x-hmxf — IP spoofing via XFF in RemoteAddr resolution (convto)
• GHSA-rjr7-jggh-pgcp — RealIP allows IP spoofing via unvalidated XFF (rezmoss)
• GHSA-3fxj-6jh8-hvhx — IP spoofing in middleware.RealIP (Saku0512, Critical / 9.3)

It also addresses issues outlined at:

• #​708
• https://adam-p.ca/blog/2022/03/x-forwarded-for/
• #​711
• #​453
• #​908

middleware.RealIP is deprecated in this PR with pointers to the new API.

The deprecation only adds a // Deprecated: doc comment; the function keeps working for backward compatibility.

Why a new middleware (not "fix RealIP in place")

RealIP has two unfixable design choices: it mutates r.RemoteAddr, and it tries to be a one-size-fits-all default by walking a hard-coded list of headers any client can supply. Per adam-p's "The perils of the 'real' client IP" (which calls chi out by name on this), there is no safe default — the user must pick their trust source explicitly.

The new API

Four middlewares, two accessors. Pick exactly one middleware based on your
infrastructure, read the result with one of the two accessors:

// One of the four. There is no safe default — pick exactly one.
func ClientIPFromHeader(trustedHeader string) func(http.Handler) http.Handler
func ClientIPFromXFF(trustedIPPrefixes ...string) func(http.Handler) http.Handler
func ClientIPFromXFFTrustedProxies(numTrustedProxies int) func(http.Handler) http.Handler
func ClientIPFromRemoteAddr(h http.Handler) http.Handler

// Read the result.
func GetClientIP(ctx context.Context) string         // for logs, rate-limit keys
func GetClientIPAddr(ctx context.Context) netip.Addr // for typed work

Example usage:

// Pick a single ClientIP middleware based on your deployment
  
// Cloudflare.
r.Use(middleware.ClientIPFromHeader("CF-Connecting-IP"))

// Nginx with ngx_http_realip_module.
r.Use(middleware.ClientIPFromHeader("X-Real-IP"))

// Apache with mod_remoteip.
r.Use(middleware.ClientIPFromHeader("X-Client-IP"))

// AWS CloudFront, or any proxy fleet with known CIDRs.
r.Use(middleware.ClientIPFromXFF(
    "13.32.0.0/15",   // CloudFront IPv4
    "52.46.0.0/18",   // CloudFront IPv4
    "2600:9000::/28", // CloudFront IPv6
))

// Behind exactly 2 trusted proxies with dynamic IPs (autoscaling pools,
// ephemeral containers, dynamic CDN edges).
r.Use(middleware.ClientIPFromXFFTrustedProxies(2))

// Server directly on the public internet, no proxy in front.
r.Use(middleware.ClientIPFromRemoteAddr)

And in your handler or downstream middleware:

clientIP := middleware.GetClientIP(r.Context())
// log it, use it as a rate-limit key, etc.

Thanks to @​adam-p, @​c2h5oh, @​rezmoss, @​Saku0512, @​convto, @​Dirbaio, @​jawnsy, @​lrstanley, @​mfridman, @​n33pm, @​pkieltyka for the prior discussions, detailed reviews, advisory reports, and test contributions that shaped this PR.

Full Changelog: go-chi/chi@v5.2.5...v5.3.0

v5.2.5

Compare Source

What's Changed

• Bump minimum Go to 1.22 and use new features by @​JRaspass in #​1017
• Refactor graceful shutdown example by @​mikereid1 in #​994
• Refactor to use atomic type by @​cuiweixie in #​1019
• update reverseMethodMap in RegisterMethod by @​cixel in #​1022
• Update comment about min Go version by @​JRaspass in #​1023
• middleware: harden RedirectSlashes handler by @​pkieltyka in #​1044
• Fix(middleware): Prevent double handler invocation in RouteHeaders with empty router by @​mahanadh in #​1045

New Contributors

• @​mikereid1 made their first contribution in #​994
• @​cuiweixie made their first contribution in #​1019
• @​cixel made their first contribution in #​1022
• @​mahanadh made their first contribution in #​1045

Full Changelog: go-chi/chi@v5.2.3...v5.2.5

v5.2.4

Compare Source

v5.2.3

Compare Source

What's Changed

• Add pathvalue example to README and implement PathValue handler. by @​catatsuy in #​985
• Allow multiple whitespace between method & pattern by @​JRaspass in #​1013
• Avoid potential nil dereference by @​ProjectMutilation in #​1008
• feat(mux): support http.Request.Pattern in Go 1.23 by @​Gusted in #​986
• fix/608 - Fix flaky Throttle middleware test by synchronizing token usage by @​OtavioBernardes in #​1016
• Optimize throttle middleware by avoiding unnecessary timer creation by @​vasayxtx in #​1011
• Simplify wildcard replacement in route patterns by @​srpvpn in #​1012
• Replace methodTypString func with reverseMethodMap by @​JRaspass in #​1018

New Contributors

• @​ProjectMutilation made their first contribution in #​1008
• @​Gusted made their first contribution in #​986
• @​OtavioBernardes made their first contribution in #​1016
• @​srpvpn made their first contribution in #​1012

Full Changelog: go-chi/chi@v5.2.2...v5.2.3

v5.2.2

Compare Source

What's Changed

• Use strings.Cut in a few places by @​JRaspass in #​971
• Fix non-constant format strings in t.Fatalf by @​JRaspass in #​972
• Apply fieldalignment fixes to optimize struct memory layout by @​pixel365 in #​974
• go 1.24 by @​pkieltyka in #​977
• chore: delint ioutil usage by @​costela in #​962
• Fixed typo in Router interface definition by @​mithileshgupta12 in #​958
• Add support for TinyGo by @​efraimbart in #​978
• Exclude middleware/profiler.go in TinyGo, as there's no net/http/pprof pkg by @​cxjava in #​982
• Make use of strings.Cut by @​scop in #​1005
• Change install command format to code block by @​sglkc in #​1001
• Correct documentation by @​mrdomino in #​992

Security fix

• Fixes GHSA-vrw8-fxc6-2r93 - "Host Header Injection Leads to Open Redirect in RedirectSlashes" commit
  • a lower-severity Open Redirect that can't be exploited in browser or email client, as it requires manipulation of a Host header
  • reported by Anuraag Baishya, @​anuraagbaishya. Thank you!

New Contributors

• @​pixel365 made their first contribution in #​974
• @​mithileshgupta12 made their first contribution in #​958
• @​efraimbart made their first contribution in #​978
• @​cxjava made their first contribution in #​982
• @​sglkc made their first contribution in #​1001
• @​mrdomino made their first contribution in #​992

Full Changelog: go-chi/chi@v5.2.1...v5.2.2

v5.2.1

Compare Source

⚠️ Chi supports Go 1.20+

Starting this release, we will now support the four most recent major versions of Go. See #​963 for related discussion.

What's Changed

• Support the four most recent major versions of Go by @​VojtechVitek in #​969

Full Changelog: go-chi/chi@v5.2.0...v5.2.1

v5.2.0

Compare Source

What's Changed

• update credits section to link to goji license by @​pkieltyka in #​944
• go 1.23 by @​pkieltyka in #​945
• Make Context.RoutePattern() nil-safe by @​gaiaz-iusipov in #​927
• govet: Fix non-constant format string by @​marcofranssen in #​952
• Add Find to Routes interface by @​joeriddles in #​872
• Fix grammar error by @​AntonC9018 in #​917
• feat(): add CF-Connecting-IP by @​n33pm in #​908
  • Revert "feat(): add CF-Connecting-IP" by @​VojtechVitek in #​966
• Fixed incorrect comment about routing by @​jtams in #​887
• Fix condition in TestRedirectSlashes by @​tchssk in #​856
• middleware: Add strip prefix middleware by @​m1k1o in #​875
• Set up go module for _examples/versions by @​hongkuancn in #​948
• Ability to specify response HTTP status code for Throttle middleware by @​vasayxtx in #​571
• Support Content-Type headers with charset/boundary parameters by @​GocaMaric in #​880
• Fix Mux.Find not correctly handling nested routes by @​joeriddles in #​954
• fix(WrapResponseWriter): allow multiple informational statuses by @​costela in #​961

New Contributors

• @​gaiaz-iusipov made their first contribution in #​927
• @​marcofranssen made their first contribution in #​952
• @​joeriddles made their first contribution in #​872
• @​AntonC9018 made their first contribution in #​917
• @​n33pm made their first contribution in #​908
• @​jtams made their first contribution in #​887
• @​tchssk made their first contribution in #​856
• @​m1k1o made their first contribution in #​875
• @​hongkuancn made their first contribution in #​948
• @​GocaMaric made their first contribution in #​880
• @​costela made their first contribution in #​961

Full Changelog: go-chi/chi@v5.1.0...v5.2.0

v5.1.0

Compare Source

What's Changed

• middleware: add Discard method to WrapResponseWriter by @​patrislav in #​926
  • Adds Discard() method to the middleware.WrapResponseWriter interface. This is technically an API breaking change. However after some discussion at #​926 (comment), we decided to move forward, and release as minor version, as we don't expect anyone to rely on this interface / implement it externally.

New Contributors

• @​patrislav made their first contribution in #​926

Full Changelog: go-chi/chi@v5.0.14...v5.1.0

v5.0.14

Compare Source

What's Changed

• middleware: fix typo in RealIP doc by @​l2dy in #​903
• reduce size of Context struct from 216 bytes to 208 bytes by @​juburr in #​912
• Avoid possible memory leak in compress middleware by @​Neurostep in #​919
• docs: Update stale links in docs for contributing by @​Lutherwaves in #​904
• Revert "Avoid possible memory leak in compress middleware" by @​VojtechVitek in #​924

New Contributors

• @​l2dy made their first contribution in #​903
• @​juburr made their first contribution in #​912
• @​Neurostep made their first contribution in #​919
• @​Lutherwaves made their first contribution in #​904

Full Changelog: go-chi/chi@v5.0.12...v5.0.14

v5.0.13

Compare Source

What's Changed

• middleware: fix typo in RealIP doc by @​l2dy in #​903
• reduce size of Context struct from 216 bytes to 208 bytes by @​juburr in #​912
• Avoid possible memory leak in compress middleware by @​Neurostep in #​919

New Contributors

• @​l2dy made their first contribution in #​903
• @​juburr made their first contribution in #​912
• @​Neurostep made their first contribution in #​919

Full Changelog: go-chi/chi@v5.0.12...v5.0.13