yaitoo · cnlangzi · Jan 23, 2025 · Jan 23, 2025 · Jan 23, 2025 · Jan 23, 2025
diff --git a/app_test.go b/app_test.go
@@ -747,99 +747,6 @@ func TestDataBindOnHtml(t *testing.T) {
 
 }
 
-func TestMiddleware(t *testing.T) {
-	mux := http.NewServeMux()
-	srv := httptest.NewServer(mux)
-	defer srv.Close()
-
-	i := 0
-
-	app := New(WithMux(mux))
-	app.Use(func(next HandleFunc) HandleFunc {
-		return func(c *Context) error {
-			i++
-			c.WriteHeader("X-M1", strconv.Itoa(i))
-
-			return next(c)
-		}
-	}, func(next HandleFunc) HandleFunc {
-		return func(c *Context) error {
-			i++
-			c.WriteHeader("X-M2", strconv.Itoa(i))
-			return next(c)
-		}
-	})
-
-	app.Use(func(next HandleFunc) HandleFunc {
-		return func(c *Context) error {
-			i++
-			c.WriteHeader("X-M3", strconv.Itoa(i))
-			user := c.Request().Header.Get("X-User")
-			if user == "" {
-				c.WriteStatus(http.StatusUnauthorized)
-				return ErrCancelled
-			}
-
-			if user != "yaitoo" {
-				c.WriteStatus(http.StatusForbidden)
-				return ErrCancelled
-			}
-
-			return next(c)
-		}
-	})
-
-	app.Get("/", func(c *Context) error {
-		return c.View(nil)
-	})
-
-	go app.Start()
-	defer app.Close()
-
-	req, err := http.NewRequest("GET", srv.URL+"/", nil)
-	require.NoError(t, err)
-	resp, err := client.Do(req)
-	require.NoError(t, err)
-
-	require.Equal(t, "1", resp.Header.Get("X-M1"))
-	require.Equal(t, "2", resp.Header.Get("X-M2"))
-	require.Equal(t, "3", resp.Header.Get("X-M3"))
-	_, err = io.Copy(io.Discard, resp.Body)
-	require.NoError(t, err)
-	require.Equal(t, http.StatusUnauthorized, resp.StatusCode)
-	resp.Body.Close()
-
-	i = 0
-	req, err = http.NewRequest("GET", srv.URL+"/", nil)
-	req.Header.Set("X-User", "xun")
-	require.NoError(t, err)
-	resp, err = client.Do(req)
-	require.NoError(t, err)
-
-	require.Equal(t, "1", resp.Header.Get("X-M1"))
-	require.Equal(t, "2", resp.Header.Get("X-M2"))
-	require.Equal(t, "3", resp.Header.Get("X-M3"))
-	_, err = io.Copy(io.Discard, resp.Body)
-	require.NoError(t, err)
-	require.Equal(t, http.StatusForbidden, resp.StatusCode)
-	resp.Body.Close()
-
-	i = 0
-	req, err = http.NewRequest("GET", srv.URL+"/", nil)
-	req.Header.Set("X-User", "yaitoo")
-	require.NoError(t, err)
-	resp, err = client.Do(req)
-	require.NoError(t, err)
-
-	require.Equal(t, "1", resp.Header.Get("X-M1"))
-	require.Equal(t, "2", resp.Header.Get("X-M2"))
-	require.Equal(t, "3", resp.Header.Get("X-M3"))
-	_, err = io.Copy(io.Discard, resp.Body)
-	require.NoError(t, err)
-	require.Equal(t, http.StatusOK, resp.StatusCode)
-	resp.Body.Close()
-}
-
 func TestUnhandledError(t *testing.T) {
 	fsys := &fstest.MapFS{
 		"public/skin.css": &fstest.MapFile{},

diff --git a/ext/hsts/hsts.go b/ext/hsts/hsts.go
@@ -0,0 +1,77 @@
+package hsts
+
+import (
+	"net"
+	"net/http"
+	"strconv"
+	"time"
+
+	"github.com/yaitoo/xun"
+)
+
+// Enable sets the Strict-Transport-Security header with the given maxAge,
+// includeSubdomains and preload values.
+//
+// The Strict-Transport-Security header is used to inform browsers that the site
+// should only be accessed over HTTPS, and that any HTTP requests should be
+// automatically rewritten as HTTPS.
+//
+// maxAge is the maximum age of the header in seconds.
+//
+// includeSubdomains will include all subdomains of the current domain in the
+// header.
+//
+// preload will add the preload directive to the header, which allows the site
+// to be included in the HSTS preload list.
+//
+// The HSTS preload list is a list of sites that are known to be HTTPS-only, and
+// are included in the browser's HSTS list by default. This allows the browser to
+// immediately switch to HTTPS for these sites, without having to wait for the
+// first request to complete.
+func Enable(maxAge time.Duration, includeSubdomains, preload bool) xun.Middleware {
+	return func(next xun.HandleFunc) xun.HandleFunc {
+		return func(c *xun.Context) error {
+			r := c.Request()
+
+			isHTTPS := false
+			// Check X-Forwarded-Proto header first
+			forwardedProto := r.Header.Get("X-Forwarded-Proto")
+			if forwardedProto != "" {
+				isHTTPS = forwardedProto == "https"
+			} else {
+				// Fall back to checking direct protocol
+				isHTTPS = r.TLS != nil
+			}
+
+			if isHTTPS && (r.Method == "GET" || r.Method == "HEAD") {
+				target := "https://" + stripPort(r.Host) + r.URL.RequestURI()
+
+				if maxAge <= 0 {
+					maxAge = 365 * 24 * time.Hour
+				}
+
+				v := "max-age=" + strconv.FormatInt(int64(maxAge/time.Second), 10)
+				if includeSubdomains {
+					v += "; includeSubDomains"
+				}
+				if preload {
+					v += "; preload"
+				}
+				c.WriteHeader("Strict-Transport-Security", v)
+
+				c.Redirect(target, http.StatusFound)
+				return xun.ErrCancelled
+			}
+
+			return next(c)
+		}
+	}
+}
+
+func stripPort(hostPort string) string {
+	host, _, err := net.SplitHostPort(hostPort)
+	if err != nil {
+		return hostPort
+	}
+	return host
+}
diff --git a/ext/hsts/hsts_test.go b/ext/hsts/hsts_test.go
@@ -0,0 +1,167 @@
+package hsts
+
+import (
+	"context"
+	"crypto/tls"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+	"github.com/yaitoo/xun"
+)
+
+func TestHstsMiddleware(t *testing.T) {
+
+	tr := http.DefaultTransport.(*http.Transport).Clone()
+	tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}                           // skipcq: GSC-G402,GO-S1020
+	tr.DialContext = func(ctx context.Context, network, addr string) (net.Conn, error) { // skipcq: RVV-B0012
+		if strings.HasPrefix(addr, "abc.com") {
+			return net.Dial("tcp", strings.TrimPrefix(addr, "abc.com"))
+		}
+		return net.Dial("tcp", addr)
+	}
+
+	c := http.Client{
+		Transport: tr,
+		CheckRedirect: func(req *http.Request, via []*http.Request) error { // skipcq: RVV-B0012
+			return http.ErrUseLastResponse
+		},
+	}
+
+	t.Run("max_age_should_work", func(t *testing.T) {
+		mux := http.NewServeMux()
+		srv := httptest.NewServer(mux)
+		defer srv.Close()
+
+		u, err := url.Parse(srv.URL)
+		require.NoError(t, err)
+
+		l := "https://" + u.Hostname() + "/"
+		app := xun.New(xun.WithMux(mux))
+
+		app.Use(Enable(1*time.Hour, false, false))
+
+		app.Get("/", func(c *xun.Context) error {
+			return c.View(nil)
+		})
+
+		req, err := http.NewRequest(http.MethodGet, srv.URL, nil)
+		require.NoError(t, err)
+		resp, err := c.Do(req)
+		require.NoError(t, err)
+		require.Equal(t, http.StatusFound, resp.StatusCode)
+		require.Equal(t, l, resp.Header.Get("Location"))
+		require.Equal(t, "max-age=3600", resp.Header.Get("Strict-Transport-Security")) // default MaxAge is 1 year
+	})
+
+	t.Run("invalid_max_age_should_work", func(t *testing.T) {
+		mux := http.NewServeMux()
+		srv := httptest.NewServer(mux)
+		defer srv.Close()
+
+		u, err := url.Parse(srv.URL)
+		require.NoError(t, err)
+
+		l := "https://" + u.Hostname() + "/"
+		app := xun.New(xun.WithMux(mux))
+
+		app.Use(Enable(0*time.Hour, false, false))
+
+		app.Get("/", func(c *xun.Context) error {
+			return c.View(nil)
+		})
+
+		req, err := http.NewRequest(http.MethodGet, srv.URL, nil)
+		require.NoError(t, err)
+		resp, err := c.Do(req)
+		require.NoError(t, err)
+		require.Equal(t, http.StatusFound, resp.StatusCode)
+		require.Equal(t, l, resp.Header.Get("Location"))
+		require.Equal(t, "max-age=31536000", resp.Header.Get("Strict-Transport-Security"))
+	})
+
+	t.Run("max_age_includesubdomains_should_work", func(t *testing.T) {
+		mux := http.NewServeMux()
+		srv := httptest.NewServer(mux)
+		defer srv.Close()
+
+		u, err := url.Parse(srv.URL)
+		require.NoError(t, err)
+
+		l := "https://" + u.Hostname() + "/"
+		app := xun.New(xun.WithMux(mux))
+
+		app.Use(Enable(1*time.Hour, true, false))
+
+		app.Get("/", func(c *xun.Context) error {
+			return c.View(nil)
+		})
+
+		req, err := http.NewRequest(http.MethodGet, srv.URL, nil)
+		require.NoError(t, err)
+		resp, err := c.Do(req)
+		require.NoError(t, err)
+		require.Equal(t, http.StatusFound, resp.StatusCode)
+		require.Equal(t, l, resp.Header.Get("Location"))
+		require.Equal(t, "max-age=3600; includeSubDomains", resp.Header.Get("Strict-Transport-Security"))
+	})
+
+	t.Run("max_age_includesubdomains_preload_should_work", func(t *testing.T) {
+		mux := http.NewServeMux()
+		srv := httptest.NewServer(mux)
+		defer srv.Close()
+
+		u, err := url.Parse(srv.URL)
+		require.NoError(t, err)
+
+		l := "https://" + u.Hostname() + "/"
+		app := xun.New(xun.WithMux(mux))
+
+		app.Use(Enable(1*time.Hour, true, true))
+
+		app.Get("/", func(c *xun.Context) error {
+			return c.View(nil)
+		})
+
+		req, err := http.NewRequest(http.MethodGet, srv.URL, nil)
+		require.NoError(t, err)
+		resp, err := c.Do(req)
+		require.NoError(t, err)
+		require.Equal(t, http.StatusFound, resp.StatusCode)
+		require.Equal(t, l, resp.Header.Get("Location"))
+		require.Equal(t, "max-age=3600; includeSubDomains; preload", resp.Header.Get("Strict-Transport-Security"))
+	})
+
+	t.Run("without_port_should_work", func(t *testing.T) {
+		mux := http.NewServeMux()
+
+		srv := &http.Server{ // skipcq: GO-S2112
+			Addr:    ":80",
+			Handler: mux,
+		}
+		defer srv.Close()
+		go srv.ListenAndServe() // nolint: errcheck
+
+		l := "https://abc.com/"
+		app := xun.New(xun.WithMux(mux))
+
+		app.Use(Enable(1*time.Hour, true, true))
+
+		app.Get("/", func(c *xun.Context) error {
+			return c.View(nil)
+		})
+
+		req, err := http.NewRequest(http.MethodGet, "http://abc.com/", nil) // skipcq: GO-S1028
+		require.NoError(t, err)
+		resp, err := c.Do(req)
+		require.NoError(t, err)
+		require.Equal(t, http.StatusFound, resp.StatusCode)
+		require.Equal(t, l, resp.Header.Get("Location"))
+		require.Equal(t, "max-age=3600; includeSubDomains; preload", resp.Header.Get("Strict-Transport-Security"))
+	})
+}