v1.1.2: Request bodies can now be re-used, after being read in an `AuthenticationFunc` and Go 1.22+-only

🔊 Notable features

Go 1.22+ requirement

This module now requires Go 1.22 to build (previously we supported Go 1.20+).

Go 1.22 is still fairly old, and was marked as unsupported by the Go team in 2025-02-11, and is a new requirement as part of a dependency bump from kin-openapi.

This shouldn't technically be a breaking change given the age of the Go version used and it being unsupported - so ideally isn't being used heavily - but we wanted to flag it as such in case this came as a surprise.

Request body can now be re-used, after being read in an AuthenticationFunc

A longstanding issue with the openapi3filter from kin-openapi, that we build on top of for this middleware, resulted in cases where the request body could not be re-parsed after being consumed in a middleware's AuthenticationFunc.

This could lead to errors such as:

request body has an error: value is required but missing

Or:

request body has an error: reading failed: http: invalid Read on closed Body

This has now been fixed upstream, and therefore fixed for users of this middleware as part of this release.

👻 Maintenance

• build: build against Go 1.23 and 1.24 (#45) @jamietanna

📦 Dependency updates

• fix(deps)!: update module github.com/getkin/kin-openapi to v0.132.0 (#19) @renovate[bot]

Sponsors

We would like to thank our sponsors for their support during this release.

v1.1.1: fix an incorrect HTTP status code (in an unlikely failure case)

🐛 Bug fixes

• fix: correct error code (#44) @jamietanna

📦 Dependency updates

• chore(deps): update module github.com/golangci/golangci-lint to v2.1.5 (#39) @renovate[bot]

Sponsors

We would like to thank our sponsors for their support during this release.

v1.1.0: Better error handling, allow not validating `Servers` (by configuration) and return an HTTP 405 Method Not Allowed where appropriate

🔊 Notable features

Error handling is now significantly better

As part of #35, we have introduced a much more powerful means to handle the errors returned by the OpenAPI Validation middleware.

This has been a long-standing issue, and we appreciate the community's patience as well as different proposals over time.

Previously, when creating an error handler, the method signature was fairly lacking:

// create middleware
mw := middleware.OapiRequestValidatorWithOptions(spec, &middleware.Options{
    Options: openapi3filter.Options{
        AuthenticationFunc: authenticationFunc,
    },
    ErrorHandler: func(w http.ResponseWriter, message string, statusCode int) {
        http.Error(w, "This text/plain response will be returned to the caller: " + message, statusCode)
    },
})

This didn't give much information around what had happened - or in which route/endpoint - and not having the raw error made observability and additional steps to respond appropriately more difficult.

With this release, it's now possible to have the raw error, information about the current request + its context.Context, as well as some additional pieces of metadata inside the ErrorHandlerWithOpts:

// create middleware
mw := middleware.OapiRequestValidatorWithOptions(spec, &middleware.Options{
    // other options
    // ...
    ErrorHandlerWithOpts: func(ctx context.Context, err error, w http.ResponseWriter, r *http.Request, opts middleware.ErrorHandlerOpts) {
        // NOTE that ErrorHandlerOpts contains further information, and allows us to add additional information in the future, in an extensible and non-breaking way
    }
})

There is a full example of usage in the Go doc for this project.

Note that the old method, ErrorHandler has been marked as deprecated - there is no planned removal date, and this is largely as a way to "nudge" folks to using the new, more powerful, method.

🚀 New features and improvements

• feat: add error handler with more configuration (#35) @jamietanna @pebo @mikeschinkel @MattiasMartens
  • refactor: migrate error to a method parameter, not part of ErrorHandlerOpts (#43) @jamietanna
• feat: allow not validating Servers at all (#37) @jamietanna

🐛 Bug fixes

• fix: return HTTP 405 when request method mismatch (#25) @nek023

📝 Documentation updates

• docs: correct accidentally hardcoded error message (#36) @jamietanna
• docs: rewrite README, add example test + improve comments (#30) @jamietanna
• docs(sponsors): add FUNDING.yml (#20) @jamietanna

👻 Maintenance

• chore(deps): remove testutil (#33) @jamietanna
• chore: remove references to Swagger (#32) @jamietanna

📦 Dependency updates

• chore(deps): update module github.com/golangci/golangci-lint to v2.1.4 (#38) @renovate[bot]
• chore(deps): update module github.com/golangci/golangci-lint to v2 (#28) @renovate[bot]
• chore(deps): pin dependencies (#31) @renovate[bot]

Sponsors

We would like to thank our sponsors for their support during this release.

v1.0.2

👻 Maintenance

• Simplify CI build matrix + build against Go 1.22 (#12) @jamietanna
• Migrate to separate testutil package (#7) @jamietanna
• Onboard to Release Drafter (#8) @jamietanna

📦 Dependency updates

• fix(deps): update module github.com/getkin/kin-openapi to v0.124.0 (#2) @renovate
• chore(deps): update release-drafter/release-drafter action to v6 (#10) @renovate
• chore(deps): update actions/setup-go action to v5 (#9) @renovate
• chore(deps): update actions/checkout action to v4 (#6) @renovate
• chore(deps): update module github.com/golangci/golangci-lint to v1.59.0 (#1) @renovate

v1.0.1

Full Changelog: v1.0.0...v1.0.1