Fix bug overwriting defaults for exempt IPs and protected file extensions

main.go

@@ -74,31 +74,24 @@ type captchaResponse struct {
 
 func CreateConfig() *Config {
 	return &Config{
-		RateLimit:          20,
-		Window:             86400,
-		IPv4SubnetMask:     16,
-		IPv6SubnetMask:     64,
-		IPForwardedHeader:  "",
-		ProtectParameters:  "false",
-		ProtectRoutes:      []string{},
-		ExcludeRoutes:      []string{},
-		ProtectHttpMethods: []string{},
-		ProtectFileExtensions: []string{
-			"html",
-		},
-		GoodBots: []string{},
-		ExemptIPs: []string{
-			"127.0.0.0/8",
-			"10.0.0.0/8",
-			"172.16.0.0/12",
-			"192.168.0.0/16",
-			"fc00::/8",
-		},
-		ChallengeURL:    "/challenge",
-		ChallengeTmpl:   "challenge.tmpl.html",
-		EnableStatsPage: "false",
-		LogLevel:        "INFO",
-		IPDepth:         0,
+		RateLimit:             20,
+		Window:                86400,
+		IPv4SubnetMask:        16,
+		IPv6SubnetMask:        64,
+		IPForwardedHeader:     "",
+		ProtectParameters:     "false",
+		ProtectRoutes:         []string{},
+		ExcludeRoutes:         []string{},
+		ProtectHttpMethods:    []string{},
+		ProtectFileExtensions: []string{},
+		GoodBots:              []string{},
+		ExemptIPs:             []string{},
+		ChallengeURL:          "/challenge",
+		ChallengeTmpl:         "challenge.tmpl.html",
+		EnableStatsPage:       "false",
+		LogLevel:              "INFO",
+		IPDepth:               0,
+		CaptchaProvider:       "turnstile",
 	}
 }
 
@@ -156,9 +149,21 @@ func NewCaptchaProtect(ctx context.Context, next http.Handler, config *Config, n
 		}
 	}
 
+	if !strInSlice("html", config.ProtectFileExtensions) {
+		config.ProtectFileExtensions = append(config.ProtectFileExtensions, "html")
+	}
+
 	// transform exempt IP strings into what go can easily parse (net.IPNet)
 	var ips []*net.IPNet
-	for _, ip := range config.ExemptIPs {
+	exemptIps := []string{
+		"127.0.0.0/8",
+		"10.0.0.0/8",
+		"172.16.0.0/12",
+		"192.168.0.0/16",
+		"fc00::/8",
+	}
+	exemptIps = append(exemptIps, config.ExemptIPs...)
+	for _, ip := range exemptIps {
 		parsedIp, err := ParseCIDR(ip)
 		if err != nil {
 			return nil, fmt.Errorf("error parsing cidr %s: %v", ip, err)

main_test.go

@@ -395,8 +395,9 @@ func TestRouteIsProtected(t *testing.T) {
 			c.ProtectRoutes = append(c.ProtectRoutes, tt.config.ProtectRoutes...)
 			c.ExcludeRoutes = append(c.ExcludeRoutes, tt.config.ExcludeRoutes...)
 			c.ProtectFileExtensions = append(c.ProtectFileExtensions, tt.config.ProtectFileExtensions...)
-			bc := &CaptchaProtect{
-				config: c,
+			bc, err := NewCaptchaProtect(context.Background(), nil, c, "captcha-protect")
+			if err != nil {
+				t.Errorf("unexpected error %v", err)
 			}
 
 			result := bc.RouteIsProtected(tt.path)
@@ -411,7 +412,6 @@ func TestGetClientIP(t *testing.T) {
 	tests := []struct {
 		name        string
 		config      Config
-		exemptIps   []*net.IPNet
 		headerValue string
 		remoteAddr  string
 		expectedIP  string
@@ -422,7 +422,6 @@ func TestGetClientIP(t *testing.T) {
 				IPForwardedHeader: "X-Forwarded-For",
 				IPDepth:           0,
 			},
-			exemptIps:   []*net.IPNet{},
 			headerValue: "1.1.1.1, 2.2.2.2",
 			remoteAddr:  "3.3.3.3:1234",
 			expectedIP:  "2.2.2.2",
@@ -432,8 +431,8 @@ func TestGetClientIP(t *testing.T) {
 			config: Config{
 				IPForwardedHeader: "X-Forwarded-For",
 				IPDepth:           0,
+				ExemptIPs:         []string{"2.2.2.2/32"},
 			},
-			exemptIps:   []*net.IPNet{parseCIDR("2.2.2.2/32", t)},
 			headerValue: "1.1.1.1, 3.3.3.3, 2.2.2.2",
 			remoteAddr:  "3.3.3.3:1234",
 			expectedIP:  "3.3.3.3",
@@ -444,7 +443,6 @@ func TestGetClientIP(t *testing.T) {
 				IPForwardedHeader: "X-Forwarded-For",
 				IPDepth:           1,
 			},
-			exemptIps:   []*net.IPNet{},
 			headerValue: "1.1.1.1, 2.2.2.2, 3.3.3.3, 127.0.0.1, 192.168.0.1",
 			remoteAddr:  "3.3.3.3:1234",
 			expectedIP:  "2.2.2.2",
@@ -455,7 +453,6 @@ func TestGetClientIP(t *testing.T) {
 				IPForwardedHeader: "X-Forwarded-For",
 				IPDepth:           1,
 			},
-			exemptIps:   []*net.IPNet{},
 			headerValue: "1.1.1.1, 2.2.2.2, 3.3.3.3",
 			remoteAddr:  "3.3.3.3:1234",
 			expectedIP:  "2.2.2.2",
@@ -465,8 +462,8 @@ func TestGetClientIP(t *testing.T) {
 			config: Config{
 				IPForwardedHeader: "X-Forwarded-For",
 				IPDepth:           0,
+				ExemptIPs:         []string{"2.2.0.0/16"},
 			},
-			exemptIps:   []*net.IPNet{parseCIDR("2.2.0.0/16", t)},
 			headerValue: "127.0.0.1, 192.168.1.1, 172.16.1.2, 2.2.3.4",
 			remoteAddr:  "4.4.4.4:5678",
 			expectedIP:  "4.4.4.4",
@@ -477,7 +474,6 @@ func TestGetClientIP(t *testing.T) {
 				IPForwardedHeader: "X-Forwarded-For",
 				IPDepth:           0,
 			},
-			exemptIps:   []*net.IPNet{},
 			headerValue: "",
 			remoteAddr:  "4.4.4.4:5678",
 			expectedIP:  "4.4.4.4",
@@ -488,7 +484,6 @@ func TestGetClientIP(t *testing.T) {
 				IPDepth:           0,
 				IPForwardedHeader: "",
 			},
-			exemptIps:   []*net.IPNet{},
 			headerValue: "shouldBeIgnored",
 			remoteAddr:  "5.5.5.5:4321",
 			expectedIP:  "5.5.5.5",
@@ -506,16 +501,12 @@ func TestGetClientIP(t *testing.T) {
 			c := CreateConfig()
 			c.IPForwardedHeader = tc.config.IPForwardedHeader
 			c.IPDepth = tc.config.IPDepth
-			exemptIps := tc.exemptIps
-			bc := &CaptchaProtect{
-				config:   c,
-				ipv4Mask: net.CIDRMask(16, 32),
-				ipv6Mask: net.CIDRMask(64, 128),
-			}
-			for _, ip := range c.ExemptIPs {
-				exemptIps = append(exemptIps, parseCIDR(ip, t))
+			c.ProtectRoutes = []string{"/"}
+			c.ExemptIPs = tc.config.ExemptIPs
+			bc, err := NewCaptchaProtect(context.Background(), nil, c, "captcha-protect")
+			if err != nil {
+				t.Errorf("unexpected error %v", err)
 			}
-			bc.exemptIps = exemptIps
 
 			ip, _ := bc.getClientIP(req)
 			if ip != tc.expectedIP {