spikard 0.8.2 → 0.10.1

data/vendor/crates/spikard-core/tests/parameters_schema_and_formats.rs

@@ -203,7 +203,7 @@ fn boolean_empty_string_is_coerced_to_false() {
 
     let validator = ParameterValidator::new(schema).expect("validator");
     let mut raw_query = HashMap::new();
-    raw_query.insert("flag".to_string(), vec!["".to_string()]);
+    raw_query.insert("flag".to_string(), vec![String::new()]);
 
     let extracted = validator
         .validate_and_extract(

data/vendor/crates/spikard-core/tests/validation_coverage.rs

@@ -32,10 +32,10 @@ fn validator_preprocesses_binary_file_objects_recursively() {
     });
 
     let data = json!({
-        "file": file_object.clone(),
-        "files": [file_object.clone()],
+        "file": &file_object,
+        "files": [&file_object],
         "nested": {
-            "inner": file_object,
+            "inner": &file_object,
             "other": 1
         }
     });
@@ -242,7 +242,7 @@ fn error_mapper_uses_schema_constraints_when_present() {
 
     let (ty, _msg, ctx) = ErrorMapper::map_error(&ErrorCondition::EmailFormat, &schema, "/properties/value", "generic");
     assert_eq!(ty, "string_pattern_mismatch");
-    assert!(ctx.as_ref().unwrap()["pattern"].as_str().unwrap().contains("@"));
+    assert!(ctx.as_ref().unwrap()["pattern"].as_str().unwrap().contains('@'));
 
     let (ty, _msg, ctx) = ErrorMapper::map_error(&ErrorCondition::UuidFormat, &schema, "/properties/value", "generic");
     assert_eq!(ty, "uuid_parsing");

data/vendor/crates/spikard-http/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "spikard-http"
-version = "0.8.2"
+version = "0.10.1"
 edition = "2024"
 authors = ["Na'aman Hirschfeld <nhirschfeld@gmail.com>"]
 license = "MIT"
@@ -16,6 +16,7 @@ readme = "README.md"
 axum = { version = "0.8", features = ["multipart", "ws"] }
 tokio = { version = "1", features = ["full"] }
 tokio-util = "0.7"
+tokio-stream = "0.1"
 tower = "0.5"
 tower-http = { version = "0.6.8", features = ["fs", "trace", "compression-gzip", "compression-br", "compression-deflate", "cors", "request-id", "limit", "timeout", "set-header", "sensitive-headers"] }
 tower_governor = "0.8"
@@ -40,7 +41,8 @@ urlencoding = "2.1"
 url = "2.5"
 mime = "0.3"
 jiff = "0.2"
-uuid = "1.19"
+uuid = "1.20"
+ahash = "0.8"
 bytes = "1.11"
 http-body-util = "0.1"
 http-body = "1.0"
@@ -55,6 +57,13 @@ prost = "0.14"
 prost-types = "0.14"
 h2 = "0.4"
 
+[lints.rust]
+unexpected_cfgs = { level = "allow", check-cfg = ['cfg(tarpaulin_include)'] }
+
+[lints.clippy]
+all = { level = "deny", priority = 0 }
+pedantic = { level = "deny", priority = 0 }
+nursery = { level = "deny", priority = 0 }
 
 [features]
 default = []

data/vendor/crates/spikard-http/src/cors.rs

@@ -56,15 +56,16 @@ fn is_method_allowed(method: &str, allowed_methods: &[String]) -> bool {
 ///
 /// # Returns
 /// `true` if all requested headers are allowed, `false` if any header is not allowed
-fn are_headers_allowed(requested: &[&str], allowed: &[String]) -> bool {
+fn are_headers_allowed(requested: impl IntoIterator<Item = impl AsRef<str>>, allowed: &[String]) -> bool {
     if allowed.iter().any(|h| h == "*") {
         return true;
     }
 
-    requested.iter().all(|req_header| {
+    requested.into_iter().all(|req_header| {
+        let req_str = req_header.as_ref();
         allowed
             .iter()
-            .any(|allowed_header| allowed_header.eq_ignore_ascii_case(req_header))
+            .any(|allowed_header| allowed_header.eq_ignore_ascii_case(req_str))
     })
 }
 
@@ -133,9 +134,8 @@ pub fn handle_preflight(headers: &HeaderMap, cors_config: &CorsConfig) -> Result
         .and_then(|v| v.to_str().ok());
 
     if let Some(req_headers) = requested_headers_str {
-        let requested_headers: Vec<&str> = req_headers.split(',').map(|h| h.trim()).collect();
-
-        if !are_headers_allowed(&requested_headers, &cors_config.allowed_headers) {
+        // Pass iterator directly without collecting into Vec
+        if !are_headers_allowed(req_headers.split(',').map(|h| h.trim()), &cors_config.allowed_headers) {
             return Err(Box::new((StatusCode::FORBIDDEN).into_response()));
         }
     }
@@ -162,16 +162,16 @@ pub fn handle_preflight(headers: &HeaderMap, cors_config: &CorsConfig) -> Result
         HeaderValue::from_str(origin).unwrap_or_else(|_| HeaderValue::from_static("*")),
     );
 
-    let methods = cors_config.allowed_methods.join(", ");
+    let methods = cors_config.allowed_methods_joined();
     headers_mut.insert(
         "access-control-allow-methods",
-        HeaderValue::from_str(&methods).unwrap_or_else(|_| HeaderValue::from_static("*")),
+        HeaderValue::from_str(methods).unwrap_or_else(|_| HeaderValue::from_static("*")),
     );
 
-    let allowed_headers = cors_config.allowed_headers.join(", ");
+    let allowed_headers = cors_config.allowed_headers_joined();
     headers_mut.insert(
         "access-control-allow-headers",
-        HeaderValue::from_str(&allowed_headers).unwrap_or_else(|_| HeaderValue::from_static("*")),
+        HeaderValue::from_str(allowed_headers).unwrap_or_else(|_| HeaderValue::from_static("*")),
     );
 
     if let Some(max_age) = cors_config.max_age
@@ -291,6 +291,7 @@ mod tests {
             expose_headers: Some(vec!["x-custom-header".to_string()]),
             max_age: Some(3600),
             allow_credentials: Some(true),
+            ..Default::default()
         }
     }
 
@@ -500,7 +501,8 @@ mod tests {
             allowed_headers: vec![],
             expose_headers: None,
             max_age: None,
-            allow_credentials: Some(true), // SECURITY BUG: This should not be allowed with wildcard
+            allow_credentials: Some(true), // SECURITY BUG: This should not be allowed with wildcard,
+            ..Default::default()
         };
 
         let mut headers = HeaderMap::new();
@@ -538,6 +540,7 @@ mod tests {
             expose_headers: None,
             max_age: None,
             allow_credentials: None,
+            ..Default::default()
         };
 
         assert!(!is_origin_allowed("https://api.example.com", &config.allowed_origins));
@@ -561,6 +564,7 @@ mod tests {
             expose_headers: None,
             max_age: None,
             allow_credentials: None,
+            ..Default::default()
         };
 
         assert!(!is_origin_allowed("http://localhost:3001", &config.allowed_origins));
@@ -581,6 +585,7 @@ mod tests {
             expose_headers: None,
             max_age: None,
             allow_credentials: None,
+            ..Default::default()
         };
 
         assert!(!is_origin_allowed("http://example.com", &config.allowed_origins));
@@ -601,6 +606,7 @@ mod tests {
             expose_headers: None,
             max_age: None,
             allow_credentials: None,
+            ..Default::default()
         };
 
         assert!(!is_origin_allowed("https://example.com", &config.allowed_origins));
@@ -620,6 +626,7 @@ mod tests {
             expose_headers: None,
             max_age: None,
             allow_credentials: None,
+            ..Default::default()
         };
 
         assert!(!is_origin_allowed("https://example.com/", &config.allowed_origins));
@@ -640,6 +647,7 @@ mod tests {
             expose_headers: None,
             max_age: None,
             allow_credentials: None,
+            ..Default::default()
         };
 
         // SECURITY NOTE: "null" origin is allowed by wildcard in current implementation
@@ -652,6 +660,7 @@ mod tests {
             expose_headers: None,
             max_age: None,
             allow_credentials: None,
+            ..Default::default()
         };
         assert!(is_origin_allowed("null", &with_explicit_null.allowed_origins));
     }
@@ -666,6 +675,7 @@ mod tests {
             expose_headers: None,
             max_age: None,
             allow_credentials: None,
+            ..Default::default()
         };
         assert!(!is_origin_allowed("", &config_with_wildcard.allowed_origins));
 
@@ -676,6 +686,7 @@ mod tests {
             expose_headers: None,
             max_age: None,
             allow_credentials: None,
+            ..Default::default()
         };
         assert!(!is_origin_allowed("", &config_with_explicit.allowed_origins));
     }
@@ -705,6 +716,7 @@ mod tests {
             expose_headers: None,
             max_age: None,
             allow_credentials: None,
+            ..Default::default()
         };
 
         assert!(is_origin_allowed("https://trusted1.com", &config.allowed_origins));
@@ -728,6 +740,7 @@ mod tests {
             expose_headers: None,
             max_age: None,
             allow_credentials: None,
+            ..Default::default()
         };
 
         assert!(is_origin_allowed("https://example.com", &config.allowed_origins));
@@ -747,6 +760,7 @@ mod tests {
             expose_headers: None,
             max_age: Some(3600),
             allow_credentials: Some(false),
+            ..Default::default()
         };
 
         let mut headers = HeaderMap::new();
@@ -798,6 +812,7 @@ mod tests {
             expose_headers: None,
             max_age: None,
             allow_credentials: None,
+            ..Default::default()
         };
 
         let test_cases = vec![
@@ -836,6 +851,7 @@ mod tests {
             expose_headers: None,
             max_age: None,
             allow_credentials: None,
+            ..Default::default()
         };
 
         let test_cases = vec![
@@ -883,6 +899,7 @@ mod tests {
             expose_headers: Some(vec!["x-custom".to_string()]),
             max_age: None,
             allow_credentials: Some(true),
+            ..Default::default()
         };
 
         let mut response = Response::new(Body::empty());
@@ -908,6 +925,7 @@ mod tests {
             expose_headers: None,
             max_age: None,
             allow_credentials: None,
+            ..Default::default()
         };
 
         let mut headers = HeaderMap::new();
@@ -943,6 +961,7 @@ mod tests {
             expose_headers: None,
             max_age: None,
             allow_credentials: None,
+            ..Default::default()
         };
 
         let test_cases = vec!["GET", "get", "Get", "POST", "post"];
@@ -971,6 +990,7 @@ mod tests {
             expose_headers: None,
             max_age: Some(7200),
             allow_credentials: None,
+            ..Default::default()
         };
 
         let mut headers = HeaderMap::new();
@@ -995,6 +1015,7 @@ mod tests {
             expose_headers: None,
             max_age: None,
             allow_credentials: None,
+            ..Default::default()
         };
 
         assert!(!is_origin_allowed("https://api.example.com", &config.allowed_origins));

data/vendor/crates/spikard-http/src/di_handler.rs

@@ -153,10 +153,14 @@ impl Handler for DependencyInjectingHandler {
 
             let core_request_data = spikard_core::RequestData {
                 path_params: Arc::clone(&request_data.path_params),
-                query_params: request_data.query_params.clone(),
-                validated_params: request_data.validated_params.clone(),
+                query_params: Arc::try_unwrap(Arc::clone(&request_data.query_params))
+                    .unwrap_or_else(|arc| (*arc).clone()),
+                validated_params: request_data
+                    .validated_params
+                    .as_ref()
+                    .map(|arc| Arc::try_unwrap(Arc::clone(arc)).unwrap_or_else(|a| (*a).clone())),
                 raw_query_params: Arc::clone(&request_data.raw_query_params),
-                body: request_data.body.clone(),
+                body: Arc::try_unwrap(Arc::clone(&request_data.body)).unwrap_or_else(|arc| (*arc).clone()),
                 raw_body: request_data.raw_body.clone(),
                 headers: Arc::clone(&request_data.headers),
                 cookies: Arc::clone(&request_data.cookies),
@@ -346,10 +350,10 @@ mod tests {
     fn create_request_data() -> RequestData {
         RequestData {
             path_params: Arc::new(HashMap::new()),
-            query_params: serde_json::Value::Null,
+            query_params: Arc::new(serde_json::Value::Null),
             validated_params: None,
             raw_query_params: Arc::new(HashMap::new()),
-            body: serde_json::Value::Null,
+            body: Arc::new(serde_json::Value::Null),
             raw_body: None,
             headers: Arc::new(HashMap::new()),
             cookies: Arc::new(HashMap::new()),
@@ -1163,7 +1167,7 @@ mod tests {
             .unwrap();
         let mut request_data = create_request_data();
         request_data.method = "POST".to_string();
-        request_data.body = serde_json::json!({"key": "value"});
+        request_data.body = Arc::new(serde_json::json!({"key": "value"}));
 
         let result = di_handler.call(request, request_data).await;
 
@@ -1602,10 +1606,10 @@ mod tests {
 
         let request_data = RequestData {
             path_params: Arc::new(path_params.clone()),
-            query_params: serde_json::json!({"filter": "active", "sort": "name"}),
+            query_params: Arc::new(serde_json::json!({"filter": "active", "sort": "name"})),
             validated_params: None,
             raw_query_params: Arc::new(raw_query_params.clone()),
-            body: serde_json::json!({"name": "John", "email": "john@example.com"}),
+            body: Arc::new(serde_json::json!({"name": "John", "email": "john@example.com"})),
             raw_body: Some(bytes::Bytes::from(r#"{"name":"John","email":"john@example.com"}"#)),
             headers: Arc::new(headers.clone()),
             cookies: Arc::new(cookies.clone()),