Zero allocation fixes + utils

mutantkeyboard · mutantkeyboard · commit 698e01b075f1 · 2026-04-09T15:37:05.000+02:00
diff --git a/docs/middleware/hostauthorization.md b/docs/middleware/hostauthorization.md
@@ -62,20 +62,20 @@ AllowedHosts: []string{"myapp.com", ".myapp.com"},
 
 ### CIDR Ranges
 
-Useful for internal services that should only respond to requests from known IP ranges:
+Useful for services accessed directly by IP (e.g. internal tooling) where the `Host` header will be a raw IP address. This matches the **Host header value** against a CIDR range — it does not filter by client IP address:
 
 ```go
 app.Use(hostauthorization.New(hostauthorization.Config{
     AllowedHosts: []string{
         "internal.myapp.com",
-        "10.0.0.0/8",       // internal network
-        "127.0.0.1",        // localhost
+        "10.0.0.0/8",       // Host header IPs in this range are allowed
+        "127.0.0.1",        // Host header must be exactly this IP
     },
 }))
 
 // Host: internal.myapp.com → 200 OK
-// Host: 10.0.50.3          → 200 OK
-// Host: 169.254.169.254    → 403 Forbidden (blocks cloud metadata)
+// Host: 10.0.50.3          → 200 OK  (Host header IP is in 10.0.0.0/8)
+// Host: 169.254.169.254    → 403 Forbidden (Host header IP not in allowlist)
 ```
 
 ### Skipping Health Checks
diff --git a/middleware/hostauthorization/config.go b/middleware/hostauthorization/config.go
@@ -44,12 +44,11 @@ type Config struct {
 var ConfigDefault = Config{}
 
 func configDefault(config ...Config) Config {
-	if len(config) < 1 {
-		panic("hostauthorization: AllowedHosts or AllowedHostsFunc is required")
+	cfg := ConfigDefault
+	if len(config) > 0 {
+		cfg = config[0]
 	}
 
-	cfg := config[0]
-
 	if len(cfg.AllowedHosts) == 0 && cfg.AllowedHostsFunc == nil {
 		panic("hostauthorization: AllowedHosts or AllowedHostsFunc is required")
 	}
diff --git a/middleware/hostauthorization/hostauthorization.go b/middleware/hostauthorization/hostauthorization.go
@@ -5,6 +5,8 @@ import (
 	"strings"
 
 	"github.com/gofiber/fiber/v3"
+	"github.com/gofiber/utils/v2"
+	utilsstrings "github.com/gofiber/utils/v2/strings"
 )
 
 // parsedHosts holds the pre-parsed host matching structures.
@@ -22,7 +24,11 @@ func parseAllowedHosts(hosts []string) parsedHosts {
 	}
 
 	for _, h := range hosts {
-		h = strings.ToLower(strings.TrimSpace(h))
+		h = utils.TrimSpace(h)
+		if h == "" {
+			continue
+		}
+		h = normalizeHost(h)
 		if h == "" {
 			continue
 		}
@@ -37,8 +43,8 @@ func parseAllowedHosts(hosts []string) parsedHosts {
 			parsed.cidrNets = append(parsed.cidrNets, cidr)
 
 		case strings.HasPrefix(h, "."):
-			// Subdomain wildcard — store without leading dot
-			parsed.wildcardSuffixes = append(parsed.wildcardSuffixes, h[1:])
+			// Subdomain wildcard — store with leading dot to avoid allocation in hot path
+			parsed.wildcardSuffixes = append(parsed.wildcardSuffixes, h)
 
 		default:
 			// Exact match
@@ -59,7 +65,7 @@ func normalizeHost(host string) string {
 	// Strip trailing dot (FQDN normalization)
 	host = strings.TrimSuffix(host, ".")
 
-	return strings.ToLower(host)
+	return utilsstrings.ToLower(host)
 }
 
 // matchHost checks if the given host matches any of the parsed allowed hosts.
@@ -71,7 +77,7 @@ func matchHost(host string, parsed parsedHosts, allowedHostsFunc func(string) bo
 
 	// Subdomain wildcard: ".myapp.com" matches "api.myapp.com" but NOT "myapp.com"
 	for _, suffix := range parsed.wildcardSuffixes {
-		if strings.HasSuffix(host, "."+suffix) {
+		if strings.HasSuffix(host, suffix) {
 			return true
 		}
 	}
diff --git a/middleware/hostauthorization/hostauthorization_test.go b/middleware/hostauthorization/hostauthorization_test.go
@@ -586,6 +586,51 @@ func Test_HostAuthorization_XForwardedHost_NoTrustProxy(t *testing.T) {
 
 // --- Benchmarks ---
 
+// --- Low-level matchHost benchmarks (isolate matching cost from HTTP pipeline) ---
+
+func Benchmark_matchHost_ExactMatch(b *testing.B) {
+	parsed := parseAllowedHosts([]string{"example.com"})
+	b.ReportAllocs()
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		matchHost("example.com", parsed, nil)
+	}
+}
+
+func Benchmark_matchHost_WildcardMatch(b *testing.B) {
+	parsed := parseAllowedHosts([]string{".myapp.com"})
+	b.ReportAllocs()
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		matchHost("api.myapp.com", parsed, nil)
+	}
+}
+
+func Benchmark_matchHost_CIDRMatch(b *testing.B) {
+	parsed := parseAllowedHosts([]string{"10.0.0.0/8"})
+	b.ReportAllocs()
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		matchHost("10.0.50.3", parsed, nil)
+	}
+}
+
+func Benchmark_matchHost_Mixed(b *testing.B) {
+	parsed := parseAllowedHosts([]string{
+		"example.com",
+		".myapp.com",
+		"10.0.0.0/8",
+		"127.0.0.1",
+	})
+	b.ReportAllocs()
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		matchHost("api.myapp.com", parsed, nil)
+	}
+}
+
+// --- Full HTTP pipeline benchmarks (includes app.Test() overhead) ---
+
 func Benchmark_HostAuthorization_ExactMatch(b *testing.B) {
 	app := fiber.New()
 	app.Use(New(Config{

Original file line number	Diff line number	Diff line change
`@@ -44,12 +44,11 @@ type Config struct {`
`44`	`44`	`var ConfigDefault = Config{}`
`45`	`45`
`46`	`46`	`func configDefault(config ...Config) Config {`
`47`		`- if len(config) < 1 {`
`48`		`- panic("hostauthorization: AllowedHosts or AllowedHostsFunc is required")`
	`47`	`+ cfg := ConfigDefault`
	`48`	`+ if len(config) > 0 {`
	`49`	`+ cfg = config[0]`
`49`	`50`	`}`
`50`	`51`
`51`		`- cfg := config[0]`
`52`		`-`
`53`	`52`	`if len(cfg.AllowedHosts) == 0 && cfg.AllowedHostsFunc == nil {`
`54`	`53`	`panic("hostauthorization: AllowedHosts or AllowedHostsFunc is required")`
`55`	`54`	`}`