This PR extracts our session cookie handling code into a dedicated crate. This helps avoid tight coupling of the code and might improve compile times a little bit too.

Motivation

While working on some other stuff, I noticed that the TestClient implementation in the axum crate could be simplified a little bit …

Solution

… by taking advantage of the Deref trait.

As discussed in the last crates.io team meeting the current limit of just 100 downloads per month was too conservative. This commit raises the limit to 500 downloads per month to make self-service deletions a bit more viable in practice.

This PR addresses part two of https://github.com/rust-lang/crates.io/issues/9352#issuecomment-2549402681 by sending a notification email to the owner when a crate is getting deleted.

This PR improves our OpenAPI description by declaring what "security schemes" (aka. authentication schemes) are available, and what endpoints require which kind of authentication.

![Bildschirmfoto 2024-12-23 um 08 34 57](https://githu...

• same as #1253, but for the utoipa crate this time

This PR continues what https://github.com/juhaku/utoipa/pull/1247 has started by migrating all tests in utoipa-gen that use assert-json-diff to use insta::assert_json_snapshot!() instead.

https://github.com/juhaku/utoipa/pull/665 renamed the feature, but for some reason the test.sh script contained utoipa/ prefixes for the feature name in some cases, which effectively disabled these tests from even getting compiled. ...

I wish rustfmt / cargo clippy would lint for such things but unfortunately the corresponding rules are not stable yet... anyway, this saves a couple of lines and makes it easier for IDEs to auto-import things without duplicating imports.

We have upgraded our servers to use the "Heroku Router 2.0" which fixed the X-Forwarded-For bug and no longer appends the IP to the first header it sees. This means we can finally remove our workaround and parse the header appropriately.

This PR resolves https://github.com/juhaku/utoipa/issues/1215 by ensuring that Option<_> usage in Query params is not transformed into a nullable feature.

https://swagger.io/docs/specification/v3_0/describing-parameters/#default-p...

I saw in https://github.com/juhaku/utoipa/discussions/145 that snapshot testing had been considered in the past, but then assert-json-diff was used instead. This PR migrates a couple of the utoipa-gen tests to use insta instead of ...

as requested in https://github.com/tokio-rs/axum/pull/3081#discussion_r1890763459 :)

I guess the title speaks for itself...? 😅

Related:

• https://github.com/rust-lang/crates.io/issues/741
• https://github.com/rust-lang/crates.io/pull/10186
• https://github.com/rust-lang/crates.io/pull/10201
• https://github.c...

This PR moves a couple of endpoints to new modules to make the individual files easier to digest. Additionally, some endpoints were previously in modules that didn't really fit that well.

These are easier to use and recommended by axum, so let's use them :)

The axum Json extractor expects a Content-Type: application/json header, but in our test utilities we currently only add that when we detect that the request body contains a JSON object. This PR adjusts the code to also work for JSON...

This makes the Record type a bit easier to work with compared to before with a unnamed, seven item tuple :D

This simplifies the make_query() fn, since it no longer needs to return a Result

No need to manually implement it, now that we use derive_more 🎉

We can figure out the auth_user_id value at the point where we turn the ListQueryParams instance into FilterParams. This then allows us to get rid of the OnceLock, and remove the extra arguments from the make_query() fn.

These are all in Result returning fns, so there is no need to use unwrap() if we can use ? instead :)

see https://docs.rs/chrono/0.4.39/chrono/format/strftime/index.html

This allows us to automatically derive OpenAPI descriptions and avoids unnecessary memory allocations from query parameters we do not care about in this endpoint.

Small caveat: the serde_html_form crate currently deserializes foo=...

The overhead of adding dedicated Path structs for these did not seem worth it compared to https://github.com/rust-lang/crates.io/pull/10208, so I added these Path params only to the utoipa annotations.

Related:

• https://gith...

These structs can be used as axum extractors for the corresponding Path patterns. At the same time, they implement utoipa::IntoParams, which allows them to be used in #[utoipa::path(params(CratePath), ...) form, which adds them t...

... and unify some of the differing naming patterns.

This PR continues what #10186 started. It migrates (almost) all of our API endpoints to utoipa with a set of very basic annotations. The next step will be to add path and query parameters and request/response body schemas. Also missing...

Once the routes!() invocation contains more than a couple of routes, it is likely that each route will be on its own line. Currently, the macro does not support trailing commas, which causes the git diff when adding a new route to be u...

Now that we are not using the BytesRequest in the publish endpoint, this limit isn't actually used anymore. The StreamReader does not care about the limit and the JSON metadata blob and the tarball have their dedicated limits already.

This avoids allocating a bunch of String instances for all the keys and values in the query string when all we need is three optional fields, of which two are just integers. This PR also uses NonZeroU32 for the page and per_page ...

There is no need for us to implement this trait manually if we can just derive it :)

The former hasn't had a commit in 4 years, while the latter is properly maintained and might potentially unlock other useful derives.

This PR is roughly similar to #10190 and removes another generic parameter

Ideally we'd only pass in a Uri, but since we're using the RequestLog we still need to pass in the full Parts struct.

Previously we were compiling two variants of this function, one for Parts and one for Request, although on...

Our search endpoint supports having multiple ids[] query parameters defined, but the way we generate our pagination fields only considered the last such query parameter until now. This PR fixes the code to include all query parameters ...

This PR implements the basic infrastructure to have an experimental, best-effort, automatically generated Op...

This makes it a bit more visible when buttons are disabled.

9bbea928ba2c66247fa64e6474f371ac3d57d48c introduced an important! marker, but missed that this was somewhat incompatible with the disabled state. This commit fixes it by also using important! for the disabled state. Clearly not a goo...

This partially implements step 2 of https://github.com/rust-lang/crates.io/issues/9352. The missing piece after this PR is a "Delete" button in the crate settings tab, since the new route is currently only reachable by typing it directly...

see https://woodruffw.github.io/zizmor/

see https://github.com/rust-lang/crates.io/pull/9904

DELETE endpoints are supposed to return "204 No Content" upon successful deletion, unless the response contains an entity, which is not the case here.

see https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/DELETE#successfully...

This reverts commit 4f55cbedd87b9178ef77c03eab6c21c7700c48f5.

Related:

• #10069
• https://github.com/rust-lang/crates.io/issues/10098
• https://github.com/rust-lang/crates.io/pull/10102

Resolves https://github.com/rust-lang/crates.io/issues/9949

see https://github.com/rustsec/advisory-db/pull/2100#discussion_r1869452789