Changes

• Authentication (#282)
  • Added auth.SchemeAuthenticator interface that authenticators can implement to indicate the scheme they are using. On authentication failure, the auth middleware adds the WWW-Authenticate header to the response if the authenticator implements auth.SchemeAuthenticator.
  • Added auth.MiddlewareWithRealm to provide custom realm description for the WWW-Authenticate header.
• Added an explicit error message when server.RegisterRoutes is called more than once.
• Static file serving: fixed an issue on Windows which resulted in 404 errors if the filesystem was embedded and the requested path contained slashes. #281

New Contributors

• @YoSev made their first contribution in #281

Full Changelog: v5.10.0...v5.11.0

• Validation: UniqueArray / ExistsArray improvements
  • This validator was previously using a naive dialect detection based on the config database.connection. This didn't work with custom dialectors. It now detects the dialect and generate the corresponding query based on the gorm.Dialector's name.
  • Fixed query generation for BigQuery.
  • Validation middleware now checks if server database is not nil instead of relying on config database.connection. This improves support for servers where the database connection has been setup manually.
• Added server.HasDB() to check if the server's database connection is setup or not without having to rely on config database.connection.
• Added *Options.ListenConfig (type net.ListenConfig). This option let developers customize the network listener settings and keep-alives to better accomodate large traffic scenarios. (@Supakornn #280)

Full Changelog: v5.9.0...v5.10.0

• Added CommonWriter.Writer() to retrieve the underlying writer.
• Compression:
  • Fixed an error raised in case of no content responses (HTTP 204 notably) when using the compress middleware.
  • Added the header Vary: Accept-Encoding if a response is compressed.
  • Set the Content-Encoding header only if the response is compressed. The header won't be added anymore for no content responses.
• Prevent Response.JSON() and Response.String() from overriding the response status after the headers have been written, which could lead to incorrect information given to other components such as the access logger.
• Error handling edge cases improvements:
  • The panic status handler (500) is now executed too if an error happens after writing to the response. Previously, the panic status handler was executed just like any other status handler: only if the response is empty. This allows better error handling in scenarios such as streaming, SSE, etc.
  • The panic status handler (500) doesn't attempt to write to the response body anymore if a non-500 header has already been written.
  • The recovery middleware doesn't override the status if header has already been written. This avoids inconsistencies between real response and logged response.

Full Changelog: v5.8.1...v5.9.0

• Better IPv6 support:
  • Fixed an error when starting the server when server.host was an IPv6.
  • server.Host(), server.BaseURL() and server.ProxyBaseURL() properly format IPv6 hosts with enclosing square brackets, which also fixes route.BuildURL() and route.BuildProxyURL() when the host is an IPv6.
  • server.BaseURL() now converts :: to ::1 (IPv6 loopback).

Full Changelog: v5.8.0...v5.8.1

• Added HTTP 2 configuration to goyave.Options.

Full Changelog: v5.7.0...v5.8.0

• util/walk package
  • walk.Path:
    • Path now support escaping characters (., [, ], *, \) using a backslash. ( #236 by @achimoraites )
    • Path.String() outputs the path with the escape characters.
    • Improved illegal path syntax error to make it easier for developers to troubleshoot.
    • New methods:
      • Path.IsWildcard: returns true if the path has unescaped "*" as Name.
      • Path.UnescapedString: returns a string representation of the path without the escape characters.
  • New function Unescape: remove escape characters from a path without parsing it.
• Validation:
  • field paths in rule sets now support escaping characters using a backslash.
  • validating both the the literal object fields and the wildcard (*) isn't allowed anymore. This goes with the same logic as the repeated paths rule introduced in v5.6.0.
  • minor optimizations.
• Added support for bigquery database dialect. You must disable prepared statements for the dialect to work, as this is not supported by this driver. ( #238 by @pn03 )
• Upgraded to golangci-lint v2. New rules and changes to the configuration were made. Minor changes to the codebase were made to fix the newly reported lint issues.
• Updated dependencies.

Full Changelog: v5.6.1...v5.7.0

• Fixed default language entry for the validation error message of the KeysIn validator.
• KeysIn validator now accepts any concrete type string. This allows the use of type aliases.

Full Changelog: v5.6.0...v5.6.1

typeutil.Undefined improvements (#244)

With the introduction of the json omitzero tag in Go 1.24, the typeutil.Undefined type has been improved to support json marshaling and SQL scanning. If used in combination with the omitzero tag, the marshaling behavior will now be as expected for a non-present field. This means the type can now be used in models and response DTOs to selectively make fields visible or not in a response.

• Added the Set and Unset convenience methods.
• Improved documentation.
• Handle more cases in the sql.Scanner implementation to support Undefined[T], *Undefined[T], T or *T values as input.
• typeutil.Undefined now implements json.Marshaler. Only the Value is marshaled as opposed to previously where the entire struct was marshaled.

Validation

Bug fixes

• Fixed incorrect validation order when using composition for array elements. (#259)
• Repeated paths in a rule set are not allowed anymore and will result in a panic. This incorrect usage of RuleSet could lead to buggy behavior. (#259)
• Fixed "illegal syntax" error when using ruleset composition for an array of objects. (#247)

New features

• Added the Init() method to the validation.Validator interface. (#246)
  • This allows initializing validators in unit tests.
  • This method can be overridden by developers in custom validators in case some additional custom values must be defined at initialization.
  • This change doesn't require any change in existing code-bases as the new method is already implemented by BaseValidator.
• Added validation.WithMessage(), which overrides the language entry used to render the error message of a validator. (#260)
  • Original placeholders returned by the validator are still used to render the message.
  • Type-dependent and "element" suffixes are not added when the message is overridden.
• Added validation.OnlyIf() validator, which executes a validator only if a condition is met. It can be useful for conditional validation. (#258)

Miscellaneous

• Upgraded github.com/golang-jwt/jwt to github.com/golang-jwt/jwt/v5 so the auth.JWTService can benefit from the latest features and security. This is not a breaking change but you will need to update your import path if you use the auth.JWTController.SigningMethod field. (#254)
• On successful authentication, the user is now injected in the request's context.Context. (#261)
  • The user can be retrieved from the context using the new function auth.UserFromContext().

Full Changelog: v5.5.6...v5.6.0

• Don't require authentication by default in the auth.JWTController's login route. auth.MetaAuth is set to false. (#241 by @fnoopv)

• In validation, fixed a panic when trying to convert a nil single value array using the ConvertSingleValueArrays option.
• Retract v5.5.4 as it introduced a bug: when a non-nullable field was provided and thus removed from the request, its associated validators were still executed.
• Fixed the bug introduced in v5.5.4.