Releases: danielgtaylor/huma
v2.26.0
Overview
Better Marking of Visited Types
When looking for params, headers, defaults, and resolvers the Huma type traversal code now tracks previously visited types more narrowly, continuing to detect recursive loops while allowing multiple adjacent fields to use the same type. Before this fix it would ignore some fields. For example, this now works propertly to run the resolver on both HomeAddress
and AwayAddress
:
type Address struct {
Line1 string `json:"line1" required:"true" minLength:"1" maxLength:"50"`
Line2 string `json:"line2,omitempty" required:"false" minLength:"0" maxLength:"50" default:""`
City string `json:"city" required:"true" minLength:"1" maxLength:"64"`
State string `json:"state" required:"true" minLength:"1" maxLength:"32"`
Zip string `json:"zip" required:"true" minLength:"1" maxLength:"16"`
CountryCode string `json:"countryCode" required:"false" minLength:"1" maxLength:"2" default:"US"`
}
func (a Address) Resolve(_ huma.Context, prefix *huma.PathBuffer) []error {
/* ... do stuff ... */
}
type TestRequestBody struct {
Name string `json:"name"`
Age int `json:"age"`
HomeAddress Address `json:"home" required:"true"`
AwayAddress Address `json:"away" required:"true"`
}
More Resilient Fast Q Value Selection
Several minor bugs have been fixed in the fast zero-allocation q
value parsing for client-based content negotiation via the Accept
header. Values like a;,
no longer cause a panic. Several new tests were added to ensure robustness.
No Longer Panic From Client Disconnect
When a client disconnects and a write to the socket results in an error, we now check if the context is context.Canceled
and ignore it. This should not result in a panic as that has a negative impact on metrics and perceived service health. An attempt is made to tell the huma.Context
that the response status code should be 499 Client Disconnected to help with metrics/logging middleware.
Others
- Fixed doc bug
- Minor fix when printing response bodies in tests if JSON indenting fails
- Refactored code for sending responses to be more consistent & re-used between the handlers and
WriteErr
and ensureNewErrorWithContext
is used everywhere. This should be a no-op for library users.
What's Changed
- fix: doc comments for TestAPI functions by @alexandear in #644
- fix: marking visited types in findInType by @danielgtaylor in #641
- fix: make content negotiation more resilient to bad input by @danielgtaylor in #645
- fix: dump body directly if json indent fails by @danielgtaylor in #643
- refactor: use WriteErr function for handling error returned by handler by @notjustmoney in #640
- fix: do not panic on client disconnect by @danielgtaylor in #650
New Contributors
- @notjustmoney made their first contribution in #640
Full Changelog: v2.25.0...v2.26.0
v2.25.0
Overview
Case-insensitive JSON
Since the standard library Go unmarshaler supports case-insensitive field matches, Huma has been updated to support this during validation as well to better support integration with legacy systems & clients. This behavior can be disabled by explicitly setting huma.ValidateStrictCasing = true
(the default matches the standard library behavior). For example, given:
huma.Put(api, "/demo", func(ctx context.Context, input *struct{
Body struct {
Value string `json:"value"`
}
}) (*struct{}, error) {
fmt.Println("Value is", input.Body.Value)
return nil, nil
})
If a client were to send {"Value": "test"}
instead of {"value": "test"}
it will now pass validation and work. This also works for the built-in CBOR format as well.
Support Scalar Pointers with Defaults
Defaults have become more useful by enabling the use of pointers for basic types to have default values attached. For example, given this input to an operation:
type MyInput struct {
Body struct {
Enabled *bool `json:"enabled,omitempty" default:"true"`
}
}
It's now possible to explicitly send false
without the value being overridden by the default. The behavior seen by the handler code is this:
Client sends | Handler sees |
---|---|
true |
true |
false |
false |
null / undefined |
true |
Since this is using the built-in mechanism to determine if a value was sent, there is no additional performance penalty for setting the default values in Huma.
What's Changed
- Update request-resolvers.md by @alexanderilyin in #619
- docs: fix YAML command example by @danielgtaylor in #624
- feat: case-insensitive field matching for JSON/CBOR by @danielgtaylor in #629
- feat: allow scalar pointers with defaults by @danielgtaylor in #633
- Update build-sdk.sh by @MaximeWeyl in #637
New Contributors
- @MaximeWeyl made their first contribution in #637
Full Changelog: v2.24.0...v2.25.0
v2.24.0
Overview
Better Support of String Subtype Slice Params
It's now possible to use types based on string
like you commonly see for enumerations as slice inputs to Huma operations.
type MyEnum string
const (
Value1 MyEnum = "value1"
Value2 MyEnum = "value2"
// ...
)
huma.Get(api, "/example", func(ctx context.Context, input *struct{
Example []MyEnum `query:"example" enum:"value1,value2"`
}) (*struct{}, error) {
// ...
}
Better Support of non-Object Refs
Fixes a bug that prevented deliberate refs of nullable non-objects from being used due to a panic. It's now possible to do something like this to automatically add enum values from a type when generating the schema and use a $ref
in the JSON Schema:
type InstitutionKind string
const (
Lab InstitutionKind = "Lab"
FoundingAgency InstitutionKind = "FundingAgency"
SequencingPlatform InstitutionKind = "SequencingPlatform"
Other InstitutionKind = "Other"
)
var InstitutionKindValues = []InstitutionKind{
Lab,
FoundingAgency,
SequencingPlatform,
Other,
}
// Register enum in OpenAPI specification
func (u InstitutionKind) Schema(r huma.Registry) *huma.Schema {
if r.Map()["InstitutionKind"] == nil {
schemaRef := r.Schema(reflect.TypeOf(""), false, "InstitutionKind")
schemaRef.Title = "InstitutionKind"
for _, v := range InstitutionKindValues {
schemaRef.Enum = append(schemaRef.Enum, string(v))
}
r.Map()["InstitutionKind"] = schemaRef
}
return &huma.Schema{Ref: "#/components/schemas/InstitutionKind"}
}
Fix Empty Security Marshaling
The empty security object has semantic meaning in OpenAPI 3.x which enables you to override a global security setting to make one or more operations public. It's now possible to do so:
huma.Register(api, huma.Operation{
OperationID: "GetUser",
Method: http.MethodGet,
Path: "/user/{id}",
Security: []map[string][]string{}, // This will not require security!
}, func(ctx context.Context, input *GetUserInput) (*GetUserOutput, error) {
resp := &GetUserOutput{}
resp.Body.Message = "GetUser with ID: " + input.ID + " works!"
return resp, nil
})
Expanded Adapter Interface
The huma.Adapter
interface now has methods for getting the HTTP version and TLS info of the incoming request, which enables better tracing middleware using e.g. OpenTelemetry.
Schema Transformers Automatically Call schema.PrecomputeMessages()
Schema transformers may modify the schema in ways that precomputed messages & validation cache data are no longer valid. This change makes sure to recompute them if the schema has been modified, preventing potential panics.
Configurable Array Nullability
Huma v2.20.0 introduced nullable JSON Schema arrays for Go slices due to the default behavior of Go's JSON marshaler. This change resulted in some clients (e.g. Typescript) now needing to do extra checks even when the service is sure it will never return a nil
slice. This release includes a way to change the global default Huma behavior by setting huma.DefaultArrayNullable = false
. It is still possible to set nullable
on each field to override this behavior, but now it is easier to do so globally for those who wish to use the old (arguably less correct) behavior.
Better SSE Support
This release includes some http.ResponseController
behavior to unwrap response writers to try and get access to SetWriteDeadline
and Flush
methods on response writers. This prevents error messages from being dumped into the console and enables Gin SSE support for the first time with the Huma sse
package. Most routers should Just Work ™️ with SSE now.
Read-Only & Write-Only Behavior Clarification
The read and write-only behavior of Huma validation has been clarified in the docs. See https://huma.rocks/features/request-validation/#read-and-write-only to ensure it works as you expect.
What's Changed
- Fix typo in request-inputs.md by @j0urneyK in #591
- refactor: use type switch instead of if-else by @alexandear in #595
- chore: enable dupword; fix appeared lint issues by @alexandear in #598
- docs: fix typos in docs, comments, and tests by @alexandear in #596
- fix: panic - allow for parameters to be subtype of string by @hlavavit in #592
- fix: check actual type in schema ref when enforcing non-nullable object schemas by @lsdch in #599
- fix: dependency upgrades, fixes #569 by @danielgtaylor in #601
- docs: add new testimonial to README by @danielgtaylor in #602
- fix: marshal empty security object by @danielgtaylor in #603
- docs: add info about read/write only behavior by @danielgtaylor in #608
- docs: add note about required write-only field by @danielgtaylor in #609
- Add api version and tls to adapter by @fntz in #610
- fix: recompute property names after schema transform by @danielgtaylor in #611
- fix: make nullable arrays configurable by @danielgtaylor in #612
- Update your-first-api.md by @alexanderilyin in #615
- feat: unwrap resp for better deadline/flush SSE support by @danielgtaylor in #613
New Contributors
- @j0urneyK made their first contribution in #591
- @alexandear made their first contribution in #595
- @hlavavit made their first contribution in #592
- @fntz made their first contribution in #610
- @alexanderilyin made their first contribution in #615
Full Changelog: v2.23.0...v2.24.0
v2.23.0
Overview
Pointers for Non-Param Fields
It's now possible to use pointers for non-param fields in input structs without Huma complaining. For example, here the User
is not a path/query/header param and is populated from the Authorization
header value for use later:
type EndpointInput struct {
Token string `header:"Authorization"`
User *User
}
func (i *EndpointInput) Resolve(ctx huma.Context) []error {
user, token_valid := ValidateToken(i.Token) // user is nil if token is missing or invalid
i.User = user
return nil
}
Hidden Field Validation
Hidden fields are now validated properly if they are present in the input. For example:
huma.Put(api, "/demo", func(ctx context.Context, input *struct{
Body struct {
Field1 string `json:"field1"
Field2 int `json:"field2" hidden:"true" minimum:"10"`
}
}) (*MyResponse, error) {
// If `input.Field2` is sent by the client, the request will fail
// if its value is below 10 due to the validation schema.
return &MyResponse{...}, nil
})
Prevent Overwriting Schema Validations
All validations now take the existing value of the validator as input when generating the schema, which means a SchemaProvider
or SchemaTransformer
output won't get overwritten when generating schemas. This fixes a bug that was partially fixed but missed several important fields like pattern
.
Non-Addressable Resolver
It's now possible to use non-addressable types which implement Resolver
, such as custom primitive types as map keys. This is currently a little less efficient as a pointer to the type needs to be generated, but at least it is now possible and performance can be improved in the future.
Use the Status Code from NewError
When providing your own custom huma.NewError
function, the resulting error's status code was ignored. This has been fixed to be used as the output status code, enabling the function to modify the status code before going out on the wire.
NewError with a Context
It's now possible to replace huma.NewErrorWithContext
so your error generation function has access to the underlying request context.
NewWithPrefix & Servers
When using humago.NewWithPrefix
and not providing any servers, a single server entry is now generated for you with the given prefix.
Support url.URL
Parameters
You can now use a URL as an input path/query/header parameter and it will be parsed/validated for you.
Request Body Generation Improvements
Like response body generation, the request body generation has been improved to generate missing pieces of the body OpenAPI structure. This enables you to easily e.g. add a description but have Huma still generate the JSON Schema for you. Example:
func (tr TEERouter) RegisterRoutes(api huma.API) {
operation := huma.Operation{
Method: http.MethodPost,
Path: "/tee",
Summary: "TEE",
Description: "TEE description",
RequestBody: &huma.RequestBody{
Description: "My custom request schema",
},
}
huma.Register(api, operation, tr.CalculateTEE)
}
What's Changed
- Allow using pointers for non param fields in input structs by @lsdch in #565
- fix: validate hidden fields by @danielgtaylor in #573
- fix: prevent overwriting schema validations by @danielgtaylor in #575
- fix: support non-addressable resolver values by @danielgtaylor in #580
- fix: use status code returned from NewError when writing errors by @danielgtaylor in #581
- add NewErrorWithContext by @nunoo in #582
- Add default Server object when calling humago.NewWithPrefix by @yursan9 in #579
- fix: unsupported param type url.URL by @ddl-ebrown in #584
- fix: allow setting request description and still gen schema by @danielgtaylor in #587
New Contributors
- @yursan9 made their first contribution in #579
- @ddl-ebrown made their first contribution in #584
Full Changelog: v2.22.1...v2.23.0
v1.14.3
What's Changed
- fix: reset recovery middleware buffer by @danielgtaylor in #572
Full Changelog: v1.14.2...v1.14.3
v2.22.1
Overview
This patch release fixes a bug where the order of operations when resetting a buffer could cause a race condition when putting that buffer back into the shared sync.Pool
for re-use when reading in request bodies.
What's Changed
- fix: order of operations when resetting buffer by @danielgtaylor in #553
Full Changelog: v2.22.0...v2.22.1
v2.22.0
Sponsors
A big thank you to our new sponsor:
Overview
Minimum Go Version: 1.21
The minimum Go version has been upgraded to 1.21, in alignment with the official Go policy. This enables us to fix some critical vulnerabilities with optional dependencies via dependabot and allows the code to be updated to use newer packages like slices
, modernizing the codebase.
Each major Go release is supported until there are two newer major releases. For example, Go 1.5 was supported until the Go 1.7 release, and Go 1.6 was supported until the Go 1.8 release.
https://go.dev/doc/devel/release
Fixes Raw Body Race Condition
This release fixes a critical bug where you could run into a race condition using a shared buffer when accessing a request's RawBody []byte
field. The buffer was getting returned to the sync.Pool
too early, resulting in multiple requests having concurrent access. For handlers which register needing access to the RawBody
field, returning the buffer to the pool is now deferred until after then entire handler has run, fixing the issue.
Warning
If you use the RawBody
feature, you should upgrade immediately. This bug results in incorrect/corrupted data.
Better encoding.TextUnmarshaler
Support
Support for types which implement encoding.TextUnmarshaler
has been improved. The types are now treated as a JSON Schema string
by default, making it easier to set up validation and defaults without needing to provide a custom schema via huma.SchemaProvider
. Among other things this can be used for custom date/time types:
type MyDate time.Time
func (d *MyDate) UnmarshalText(data []byte) error {
t, err := time.Parse(time.RFC3339, string(data))
if err != nil {
return err
}
*d = MyDate(t)
return nil
}
// Later use it in a request
type Request struct {
Date MyDate `json:"date" format:"date-time" example:"2024-01-01T12:00:00Z"`
}
Precompute Schema Validation
Schema validation messages are no longer required to be precomputed manually with a call to schema.PrecomputeMessages()
as this now happens at operation registration time. This simplifies using custom schemas and makes it possible to define them inline with the operation.
If you modify a schema after registration, you must still call PrecomputeMessages()
manually to update the messages.
Fix Nil Response Panic
If an operation is registered as returning a body and a handler mistakenly invokes return nil, nil
(meaning no response, no error) this caused a panic as the body is required. This release changes that behavior to no longer panic, but instead return the operation's default status code instead.
What's Changed
- fix: race by deferring the return of buf to sync.Pool when using RawBody by @nunoo in #542
- fix: automatically precompute schema validation messages by @danielgtaylor in #545
- fix: if err & response are nil, return default status by @danielgtaylor in #546
- feat: Update minimum Go version to 1.21 by @danielgtaylor in #547
- chore(deps): bump github.com/gofiber/fiber/v2 from 2.52.1 to 2.52.5 by @dependabot in #549
- feat: treat encoding.TextUnmarshaler as string in schema by @danielgtaylor in #550
New Contributors
Full Changelog: v2.21.0...v2.22.0
v2.21.0
Overview
Better Support for Default/Example in Custom Schemas
Fixes an issue where custom schemas could have values overwritten by the default instead of using the given value. For example:
type GreetingType int
func (*GreetingType) Schema(r huma.Registry) *huma.Schema {
schema := &huma.Schema{
Type: huma.TypeInteger,
Default: 10,
Examples: []any{1},
}
return schema
}
Better Errors When Using Discriminators
OpenAPI supports using a discriminator field in schemas that use oneOf
to determine which of the included schemas to validate against. Huma now uses this information to generate better error messages like expected required property color to be present
instead of just saying it expected one of the schemas to match. Also handles problems with the discriminator type and value mapping. Example https://go.dev/play/p/5gkNczNJ_jK:
type Cat struct {
Name string `json:"name" minLength:"2" maxLength:"10"`
Kind string `json:"kind" enum:"cat"`
}
type Dog struct {
Color string `json:"color" enum:"black,white,brown"`
Kind string `json:"kind" enum:"dog"`
}
type DogOrCat struct {
Kind string `json:"kind" enum:"cat,dog"`
}
func (v DogOrCat) Schema(r huma.Registry) *huma.Schema {
catSchema := r.Schema(reflect.TypeOf(Cat{}), true, "Cat")
dogSchema := r.Schema(reflect.TypeOf(Dog{}), true, "Dog")
return &huma.Schema{
Type: huma.TypeObject,
Description: "Animal",
OneOf: []*huma.Schema{
{Ref: catSchema.Ref},
{Ref: dogSchema.Ref},
},
Discriminator: &huma.Discriminator{
PropertyName: "kind",
Mapping: map[string]string{
"cat": catSchema.Ref,
"dog": dogSchema.Ref,
},
},
}
}
// ...
huma.Put(api, "/demo", func(ctx context.Context, input *struct {
Body DogOrCat
}) (*DemoResponse, error) {
resp := &DemoResponse{}
resp.Body.Message = "You sent a " + input.Body.Kind
return resp, nil
})
What's Changed
- fix(schema): default value not work by @fourcels in #531
- fix(typo): accmplished -> accomplished by @superstas in #534
- fix(schema): schema example not work in Parameter by @fourcels in #532
- #533: Add Validation for Discriminator with OneOf and Mapping. by @superstas in #536
Full Changelog: v2.20.0...v2.21.0
v2.20.0
Overview
Sponsors
Thank you to Zuplo for sponsoring the project.
Fixed Validation Tags & Referenced Schemas
Sometimes schemas and schemas in references wound up getting overwritten with default values for validation like minimum
, maximum
, minLength
, maxLength
, as well as skipping calling TransformSchema
. This is now fixed to behave as expected by derefencing structs and only setting validation values when the tag is actually present.
Customizable Validation Errors
Validation errors are now completely customizable as globals in the library.
// Set a custom message for minimum validation failure.
huma.MsgExpectedMinimumNumber = "expected number bigger than or equal to %v"
You can also change the function used to format error messages via huma.ErrorFormatter
. This must be overwritten before generating any schemas, as the generated messages are cached at schema creation time.
var ErrorFormatter func(format string, a ...any) string = fmt.Sprintf
Nullable Slices
Due to the way nil
slices get encoded in Go as null
in JSON and other formats, we now generate array schemas as nullable by default. See also the discussion and links to JSON v2 at golang/go#37711.
What's Changed
- fix(schema): proper minLength, maxLength in generated schemas. by @superstas in #513
- fix(schema): proper minimum, maximum in generated schemas. by @superstas in #515
- fix(schema): add dereferencing for SchemaFromType by @superstas in #518
- feat: add zuplo sponsorship by @danielgtaylor in #501
- docs: fix formatting in sponsors by @danielgtaylor in #523
- feat: make validation error messages customizable by @smacker in #520
- fix: nullable schemas for arrays/slices by @lsdch in #527
New Contributors
- @superstas made their first contribution in #513
- @smacker made their first contribution in #520
Full Changelog: v2.19.0...v2.20.0
v2.19.0
Overview
Sponsors
A big thank you to our new sponsor:
Multipart Form File Metadata
It's now possible to get filename & size metadata information from multipart form files.
huma.Post(api, "/form-example", func(ctx context.Context, input *struct{
RawBody huma.MultipartFormFiles[struct {
HelloWorld huma.FormFile `form:"file" contentType:"text/plain" required:"true"`
}]
}) (*struct{}, error) {
fileData := input.RawBody.Data()
fmt.Println( fileData.HelloWorld.Filename)
fmt.Println( fileData.HelloWorld.Size)
}
Easier Custom Context When Testing
It's now easier to pass a custom context to operations in the test API. Instead of having to create a custom request with its own context and manually call the adapter you can now use the methods like GetCtx
instead of Get
.
_, api := humatest.New(t)
ctx := context.Background() // define your necessary context
resp := api.GetCtx(ctx, "/greeting/world") // provide it using the 'Ctx' suffixed methods
Exploded Query Params
It's now possible to use the OpenAPI explode
feature where query params are passed multiple times rather than using comma separated values.
huma.Get(api, "/example", func(ctx context.Context, input *struct{
Value []string `query:"value,explode"`
}) (*struct{}, error) {
fmt.Println(input.Value)
return nil, nil
})
You can then make requests like GET /example?value=foo&value=bar
.
Autopatch Schema Improvements
Autopatch now uses the PUT
schema (modified to all be optional) rather than just relying on an object
with any allowed properties, which improves documentation for users. This is automatic so there is no need to configure anything new.
Other Improvements
- Performance improvement by removing the response body from panics which could be very large.
- Fixes to min/max items schema generation when using arrays.
- Remove
slices
dependency to continue to support Go 1.20 until 1.23 is released (we will support the latest two major versions just like the Go project itself)
What's Changed
- fix: expose metadata of decoded multipart form files by @lsdch in #466
- Extend TestAPI interface to allow for custom context.Context by @coury-clark in #469
- Update README_CN.md by @Ivlyth in #477
- remove response body from panic message by @austincollinpena in #479
- fix(schema): proper array minItems, maxItems and doc reporting in generated schemas by @Grumpfy in #485
- fix: remove slices dependency to better support Go 1.20 by @danielgtaylor in #497
- Implement exploded query parameters by @csmarchbanks in #498
- Improvement Autopatch (adding a body) by @ScriptType in #496
- docs: add new sponsor by @danielgtaylor in #506
New Contributors
- @coury-clark made their first contribution in #469
- @Ivlyth made their first contribution in #477
- @Grumpfy made their first contribution in #485
- @csmarchbanks made their first contribution in #498
- @ScriptType made their first contribution in #496
Full Changelog: v2.18.0...v2.19.0