Security update & Breaking change
This release includes a security update and associated breaking changes.
- Targets: "Basic Auth Middleware" and "Bearer Auth Middleware".
- Vulnerability detail: the Handler is executed even when the request is "unauthorized".
If you are using an older version of Basic Auth Middleware or Bearer Auth Middleware, please upgrade to this version. See the release notes on GitHub for version updates.
The fix comes with a breaking change.
If you call Basic Auth or Bearer Auth from inside your own Handler (nested), change the call as follows:
    app.use('/auth/*', async (c, next) => {
      const auth = basicAuth({ username: c.env.USERNAME, password: c.env.PASSWORD })
      return auth(c, next) // Older: `await auth(c, next)`
    })
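The following is an added example, not code from the Hono project: a regression check for the nested pattern above, run against a small stand-in middleware chain. It assumes a middleware denies by returning a response and allows by calling `next()`; `fakeBasicAuth`, `dispatch`, `probe` and the credentials are hypothetical names and constructed values. In this model the older `await` form discards the 401, so the check looks at both the status and the handler execution count.

```javascript
// Added example: a stand-in middleware chain, not Hono's implementation.
// Assumption: a middleware denies by returning a response and allows by calling next().
const safeEqual = (a, b) => {
  let diff = a.length ^ b.length
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i)
  return diff === 0
}

// Hypothetical stand-in for an auth middleware with the (c, next) shape shown above.
const fakeBasicAuth = ({ username, password }) => async (c, next) => {
  const expected = 'Basic ' + btoa(`${username}:${password}`)
  if (safeEqual(c.req.headers.authorization || '', expected)) return next()
  return { status: 401, headers: { 'WWW-Authenticate': 'Basic realm="Secure Area"' } }
}

// Wrapper in the form the release notes require: the result is returned.
const returningWrapper = async (c, next) => {
  const auth = fakeBasicAuth({ username: c.env.USERNAME, password: c.env.PASSWORD })
  return auth(c, next)
}

// Wrapper in the older form: the result is awaited and then discarded.
const awaitingWrapper = async (c, next) => {
  const auth = fakeBasicAuth({ username: c.env.USERNAME, password: c.env.PASSWORD })
  await auth(c, next)
}

// Protected handler that records every execution.
const handler = async (c) => {
  c.handlerCalls++
  return { status: 200 }
}

// Runs the chain; each function receives next() for the rest of the chain.
const dispatch = (stack, c) => {
  const run = async (i) => (i < stack.length ? stack[i](c, () => run(i + 1)) : undefined)
  return run(0)
}

// Sends one constructed request through [wrapper, handler] and reports what happened.
async function probe(wrapper, authorization) {
  const c = {
    env: { USERNAME: 'admin', PASSWORD: 'constructed-password' },
    req: { headers: { authorization } },
    handlerCalls: 0,
  }
  const res = await dispatch([wrapper, handler], c)
  return { status: res ? res.status : null, handlerCalls: c.handlerCalls }
}
```

The same two assertions (401 status, zero handler executions for a request without valid credentials) can be ported to a test against the real application after upgrading.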
New features
Validator Middleware supports nested validation
For example, there is a nested object like below:
    const data = {
      posts: [
        {
          id: 123,
          title: 'JavaScript',
          tags: ['Workers', 'Deno', 'Bun'],
        },
      ],
      pager: {
        prev: true,
        next: false,
      },
    }
It will be validated with `v.array()` and `v.object()`:
    app.post(
      '/posts',
      validator((v) => ({
        posts: v.array('posts', (v) => ({
          id: v.json('id').asNumber().isRequired(),
          title: v.json('title'),
          tags: v.json('tags').asArray(),
        })),
        pager: v.object('pager', (v) => ({
          prev: v.json('prev').asBoolean(),
          next: v.json('next').asBoolean(),
        })),
      })),
      (c) => {
        return c.text('Valid!')
      }
    )
And it also has types:
Isn't it cool?
Validator Middleware supports friendly error messages
For example, an error message will become more friendly.
'Invalid Value: the request body "title" is invalid - abcdefg'
will be:
'Invalid Value [abcdef]: the request body "title" is invalid - isLength'
All updates
- perf: remove unrequired cloning of ctx.res by @JakeChampion in #589
- fix(deno): fixed the bug calling `next()` multiple times in Serve Static by @yusukebe in #594
- test(bun): add more tests for serve static middleware by @yusukebe in #595
- perf(serve-static): return immediately if `c.finalized` by @yusukebe in #596
- feat(validator): introduce nested validation by @yusukebe in #592
- feat(validator): has the error message per rule by @yusukebe in #603
- fix(bearer-auth, basic-auth): handler should not be executed when unauthorized by @NOBLES5E in #608
- fix(basic/bearer): support "nested" middleware by @yusukebe in #610
- refactor(jwt): refactor code and add more tests by @yusukebe in #611
New Contributors
- @JakeChampion made their first contribution in #589
- @NOBLES5E made their first contribution in #608
Full Changelog: v2.2.5...v2.3.0