Release v5.6.0

typeutil.Undefined improvements (#244)

With the introduction of the json omitzero tag in Go 1.24, the typeutil.Undefined type has been improved to support json marshaling and SQL scanning. If used in combination with the omitzero tag, the marshaling behavior will now be as expected for a non-present field. This means the type can now be used in models and response DTOs to selectively make fields visible or not in a response.

• Added the Set and Unset convenience methods.
• Improved documentation.
• Handle more cases in the sql.Scanner implementation to support Undefined[T], *Undefined[T], T or *T values as input.
• typeutil.Undefined now implements json.Marshaler. Only the Value is marshaled as opposed to previously where the entire struct was marshaled.

Validation

Bug fixes

• Fixed incorrect validation order when using composition for array elements. (#259)
• Repeated paths in a rule set are not allowed anymore and will result in a panic. This incorrect usage of RuleSet could lead to buggy behavior. (#259)
• Fixed "illegal syntax" error when using ruleset composition for an array of objects. (#247)

New features

• Added the Init() method to the validation.Validator interface. (#246)
  • This allows initializing validators in unit tests.
  • This method can be overridden by developers in custom validators in case some additional custom values must be defined at initialization.
  • This change doesn't require any change in existing code-bases as the new method is already implemented by BaseValidator.
• Added validation.WithMessage(), which overrides the language entry used to render the error message of a validator. (#260)
  • Original placeholders returned by the validator are still used to render the message.
  • Type-dependent and "element" suffixes are not added when the message is overridden.
• Added validation.OnlyIf() validator, which executes a validator only if a condition is met. It can be useful for conditional validation. (#258)

Miscellaneous

• Upgraded github.com/golang-jwt/jwt to github.com/golang-jwt/jwt/v5 so the auth.JWTService can benefit from the latest features and security. This is not a breaking change but you will need to update your import path if you use the auth.JWTController.SigningMethod field. (#254)
• On successful authentication, the user is now injected in the request's context.Context. (#261)
  • The user can be retrieved from the context using the new function auth.UserFromContext().

Full Changelog: v5.5.6...v5.6.0

Release v5.5.6

• Don't require authentication by default in the auth.JWTController's login route. auth.MetaAuth is set to false. (#241 by @fnoopv)

Release v5.5.5

• In validation, fixed a panic when trying to convert a nil single value array using the ConvertSingleValueArrays option.
• Retract v5.5.4 as it introduced a bug: when a non-nullable field was provided and thus removed from the request, its associated validators were still executed.
• Fixed the bug introduced in v5.5.4.

Release v5.5.4

• Retract v5.5.3 as it introduced a bug in the absence detection for the root element (if validation.CurrentElement wasn't required).
• Fixed the bug introduced in v5.5.3

Release v5.5.3

• In validation, fixed nullable field absence detection. This fixes validators on nullable fields being executed even if the field is not present at all in the request.

Release v5.5.2

• Fixed request/response put back in the sync.Pool when the response was hijacked. This caused concurrent uses of these resources when using websockets.

Release v5.5.1

• session.DB() now applies the given context to the fallback DB using WithContext() before returning.

Release v5.5.0

• Static file serving (router.Static())
  • Now rejects paths containing \, // with 404 Not Found.
  • Now rejects non-empty paths that don't start with a slash. An empty path will still return index.html like before.
  • Now rejects paths containing a ., .. or empty segment.
  • These changes fix a vulnerability when using osfs.FS as the file system for router.Static(): files outside of the base path of the file system were accessible to the clients if they requested a path containing ...
  • For the Content-Disposition header, the actual path is now used to get the name of the file instead of the raw input. This solves the issue of an invalid header value returned when the returned file is index.html.
• In response.File() and response.Download(), the file is now opened only once instead of thrice.
• fsutil changes:
  • Added fsutil.DetectContentType(), which sniffs directly from a reader instead of a file name.
  • Added fsutil.DetectContentTypeByExtension() for content type detection fallback.
  • Expanded the list of known file extensions for content type detection.
• Added testutil.Session(), a new testing utility used to mock the session.Session interface. This implementation is designed to provide a realistic, observable transaction system and help identify incorrect usage.

Release v5.4.3

• Exported the T field of testutil.LogWriter struct. This field not being exported was an oversight.

Release v5.4.2

• Fixed Distinct validation rule not passing for empty arrays.