fix(deps): update rust crate loco-rs to 0.9.0 #16

Open
wants to merge 1 commit into
base: main

renovate[bot]
Contributor

@renovate renovate bot commented May 5, 2024

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| loco-rs (source) | dependencies | minor | 0.1.8 -> 0.9.0 |
| loco-rs (source) | dev-dependencies | minor | 0.1.8 -> 0.9.0 |

Release Notes

loco-rs/loco (loco-rs)

v0.9.0

  • Add fallback behavior. #​732
  • Add Scheduler Feature for Running Cron Jobs. #​735
  • Add --html, --htmx and --api flags to scaffold CLI command. #​749
  • Add base template for scaffold generation. #​752
  • Connect Redis only when the worker is BackgroundQueue. #​755
  • Add loco doctor --config. #​736
  • Rename demo: blo -> demo_app. #​741

v0.8.1

  • fix: introduce secondary binary for compile-and-run on Windows. #​727

v0.8.0

  • Added: loco-cli (loco new) now receives options from CLI and/or interactively asks for configuration options such as which asset pipeline, background worker type, or database provider to use.
  • Fix: custom queue names now merge with default queues.
  • Added remote_ip middleware for resolving client remote IP when under a proxy or load balancer, similar to the Rails remote_ip middleware.
  • Added secure_headers middleware for setting secure headers by default, similar to how https://github.com/github/secure_headers works. This is now ON by default to promote security-by-default.
  • Added: money, blob types to entities generator.

v0.7.0

  • Moving to timezone aware timestamps. From now on migrations will generate timestamps with time zone by default. Moving to TZ aware timestamps in combination with newly revamped timestamp code generation in SeaORM v1.0.0 finally allows for seamlessly moving between using sqlite and postgres with minimal or no entities code changes (resolved this long-standing issue). TZ aware timestamps also align us with how Rails works today (initially Rails had no-tz timestamps, and today the default is to use timestamps). If not specified, the TZ is the server TZ, which is usually UTC, therefore semantically this is almost like a no-tz timestamp.

A few highlights:

Generated entities will now always use DateTimeWithTimeZone for the default timestamp fields:

```
...
Generating users.rs
    > Column `created_at`: DateTimeWithTimeZone, not_null
    > Column `updated_at`: DateTimeWithTimeZone, not_null
...
```

For better cross database provider compatibility, from now on prefer the tstz type instead of just ts when using generators (i.e. cargo loco generate model movie released:tstz)

Breaking Changes:
1. Update the Main Function in src/bin/main

   Replace the return type of the main function:

   **Before:**
   ```rust
   async fn main() -> eyre::Result<()>
   ```

   **After:**
   ```rust
   async fn main() -> loco_rs::Result<()>
   ```

2. Modify examples/playground.rs

   You need to apply two changes here:

   a. Update the Function Signature

   **Before:**
   ```rust
   async fn main() -> eyre::Result<()>
   ```

   **After:**
   ```rust
   async fn main() -> loco_rs::Result<()>
   ```

   b. Adjust the Context Handling

   **Before:**
   ```rust
   let _ctx = playground::<App>().await.context("playground")?;
   ```

   **After:**
   ```rust
   let _ctx = playground::<App>().await?;
   ```

Note: if you are using eyre in your project, you can continue to do so. We have only removed this crate from our base code dependencies.

  • Bump rstest crate to 0.21.0. #​650
  • Bump serial_test crate to 3.1.1. #​651
  • Bump object store crate to 0.10.2. #654
  • Bump axum crate to 0.7.5. #​652
  • Add Hooks::before_routes to give user control over initial axum::Router construction. #​646
  • Support logger file appender. #​636
  • Response from the template. #​682
  • Add get_or_insert function to cache layer. #​637
  • Bump ORM crate to 1.0.0. #684

v0.6.2

v0.6.1

  • Upgrade htmx generator to htmx2. #​629

v0.6.0

Compare Source

  • Bump socketioxide to v0.13.1. #​594
  • Add CC and BCC fields to the mailers. #​599
  • Delete reset tokens after use. #​602
  • Generator html support delete entity. #​604
  • Breaking changes move task args from BTreeMap to struct. #609
    • Change task signature from `async fn run(&self, app_context: &AppContext, vars: &BTreeMap<String, String>)` to `async fn run(&self, _app_context: &AppContext, _vars: &task::Vars) -> Result<()>`
  • Breaking changes change default port to 5150. #611
  • Update shuttle version in deployment generation. #​616

v0.5.0

  • refactor auth middleware for supporting bearer, cookie and query. #​560
  • SeaORM upgraded: rc1 -> rc4. #​585
  • Adding Cache to app content. #​570
  • Apply a layer to a specific handler using layer method. #​554
  • Add the debug macro to the templates to improve the errors. #​547
  • Opentelemetry initializer. #​531
  • Refactor auth middleware for supporting bearer, cookie and query #​560
  • Add redirect response #​563
  • Breaking changes Adding a custom claims Option<serde_json::Value> to the UserClaims struct (type changed). #​578
  • Breaking changes Refactored DSL and Pagination: namespace changes. #​566
    • Replaced model::query::dsl:: with model::query.
    • Replaced model::query::exec::paginate with model::query::paginate.
    • Updated the PaginatedResponse struct. Refer to its usage example here.
  • Breaking changes When introducing the Cache system which is much more flexible than having just Redis, we now call the 'redis' member simply a 'queue' which indicates it should be used only for the internal queue and not as a general purpose cache. In the application configuration setting redis, change to queue. #​590

v0.4.0

  • Refactored model validation for better developer experience. Added a few traits and structs to loco::prelude for a smoother import story. Introducing Validatable:

```rust
impl Validatable for super::_entities::users::ActiveModel {
    fn validator(&self) -> Box<dyn Validate> {
        Box::new(Validator {
            name: self.name.as_ref().to_owned(),
            email: self.email.as_ref().to_owned(),
        })
    }
}

// now you can call `user.validate()` freely
```

  • Refactored type field mapping to be centralized. Now model, scaffold share the same field mapping, so no more gaps like #513 (e.g. when calling loco generate model title:string the ability to map string into something useful in the code generation side)
    NOTE: the _integer class of types are now just _int, e.g. big_int, so that it correlates with the int field name in a better way

  • Adding to query dsl is_in and is_not_in. #507

  • Added: in your configuration you can now use an initializers: section for initializer specific settings

v0.3.2

  • Redesign pagination. #463
  • Wrap seaorm query and condition for common use cases. #463
  • Adding to loco-extras initializer for extra or multiple db. #471
  • Scaffold now supporting different templates such as API, HTML or htmx, this feature is in beta. #474
  • Fix generator fields types + adding tests. #459
  • Fix channel cors. #​430
  • Improve auth controller compatibility with frontend #​472

v0.3.1

  • Breaking changes Upgrade sea-orm to v1.0.0-rc.1. #​420
    Needs to update sea-orm crate to use v1.0.0-rc.1 version.
  • Implemented file upload support with versatile strategies. #​423
  • Create a loco_extra crate to share common basic implementations. #​425
  • Update shuttle deployment template to 0.38. #​422
  • Enhancement: Move the Serve to Hook flow with the ability to override default serve settings. #​418
  • Avoid cloning sea_query::ColumnDef. #​415
  • Allow required UUID type in a scaffold. #​408
  • Cover SqlxMySqlPoolConnection in db.rs. #​411
  • Update worker docs and change default worker mode. #​412
  • Added server-side view generation through a new ViewEngine infrastructure and Tera server-side templates: #​389
  • Added generate model --migration-only #​400
  • Add JSON to scaffold gen. #​396
  • Add --binding(-b) and --port(-b) to cargo loco start. #402

v0.2.3

v0.2.2

  • fix: public fields in mailer-op. e51b7e
  • fix: handle missing db permissions. e51b7e

v0.2.1

  • enable compression for CompressionLayer, not etag. #​356
  • Fix nullable JSONB column schema definition. #​357

v0.2.0

  • Add: Loco now has Initializers (see the docs). Initializers help you integrate infra into your app in a seamless way, as well as share pieces of setup code between your projects
  • Add: an init_logger hook in src/app.rs for those who want to take ownership of their logging and tracing stack.
  • Add: Return a JSON schema when payload json could not serialize to a struct. #​343
  • Init logger in cli.rs. #​338
  • Add: return JSON schema in panic HTTP layer. #​336
  • Add: JSON field support in model generation. #​327 #​332
  • Add: float support in model generation. #​317
  • Fix: conflicting idx definition on M:M migration. #​311
  • Add: Breaking changes Supply AppContext to routes Hook. Migration steps in src/app.rs:

```rust
// src/app.rs: add app context to routes function
impl Hooks for App {
  // ...
  fn routes(_ctx: &AppContext) -> AppRoutes;
  // ...
}
```

  • Add: Breaking changes change parameter type from &str to &Environment in src/app.rs

```rust
// src/app.rs: change parameter type for `environment` from `&str` to `&Environment`
impl Hooks for App {
    // ...
    async fn boot(mode: StartMode, environment: &Environment) -> Result<BootResult> {
        create_app::<Self>(mode, environment).await
    }
    // ...
}
```

  • Added: setting cookies:

```rust
format::render()
    .cookies(&[
        cookie::Cookie::new("foo", "bar"),
        cookie::Cookie::new("baz", "qux"),
    ])?
    .etag("foobar")?
    .json(notes)
```

v0.1.9

```yaml
middlewares:
  compression:
    enable: true
```
  • Create a new Database from the CLI. #​223
  • Validate if seaorm CLI is installed before running cargo loco db entities and show a better error to the user. #​212
  • Adding to saas and rest-api starters a redis and DB in GitHub action workflow to allow users to work with GitHub action out of the box. #215
  • Adding the app name and the environment to the DB name when creating a new starter. #216
  • Fix generator when users add created_at or update_at fields. #214
  • Add: format::render which allows a builder-like formatting, including setting etag and ad-hoc headers
  • Add: Etag middleware, enabled by default in starter projects. Once you set an Etag it will check for cache headers and return 304 if needed. To enable etag in your existing project:

```yaml
#...
  middlewares:
    etag:
      enable: true
```

usage:

```rust
  format::render()
      .etag("foobar")?
      .json(Entity::find().all(&ctx.db).await?)
```

Authentication: Added API Token Authentication!
  • See #​217
    Now when you generate a saas starter or rest api starter you will get additional authentication methods for free:

  • Added: authentication added -- api authentication where each user has an API token in the schema, and you can authenticate with Bearer against that user.

  • Added: authentication added -- JWTWithUser extractor, which is a convenience for resolving the authenticated JWT claims into a current user from database

migrating an existing codebase

Add the following to your generated src/models/user.rs:

```rust
#[async_trait]
impl Authenticable for super::_entities::users::Model {
    async fn find_by_api_key(db: &DatabaseConnection, api_key: &str) -> ModelResult<Self> {
        let user = users::Entity::find()
            .filter(users::Column::ApiKey.eq(api_key))
            .one(db)
            .await?;
        user.ok_or_else(|| ModelError::EntityNotFound)
    }

    async fn find_by_claims_key(db: &DatabaseConnection, claims_key: &str) -> ModelResult<Self> {
        super::_entities::users::Model::find_by_pid(db, claims_key).await
    }
}
```

Update imports in this file to include model::Authenticable:

```rust
use loco_rs::{
    auth, hash,
    model::{Authenticable, ModelError, ModelResult},
    validation,
    validator::Validate,
};
```

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot changed the title from "fix(deps): update rust crate loco-rs to 0.4.0" to "fix(deps): update rust crate loco-rs to 0.5.0" on May 29, 2024
@renovate renovate bot changed the title from "fix(deps): update rust crate loco-rs to 0.5.0" to "fix(deps): update rust crate loco-rs to 0.6.0" on Jun 19, 2024
@renovate renovate bot changed the title from "fix(deps): update rust crate loco-rs to 0.6.0" to "fix(deps): update rust crate loco-rs to 0.7.0" on Aug 11, 2024

Micro-Learning Topic: SQL injection (Detected by phrase)

Matched on "sqli"

This is probably one of the two most exploited vulnerabilities in web applications and has led to a number of high profile company breaches. It occurs when an application fails to sanitize or validate input before using it to dynamically construct a statement. An attacker that exploits this vulnerability will be able to gain access to the underlying database and view or modify data without permission.

@renovate renovate bot changed the title from "fix(deps): update rust crate loco-rs to 0.7.0" to "fix(deps): update rust crate loco-rs to 0.8.0" on Sep 2, 2024
@renovate renovate bot changed the title from "fix(deps): update rust crate loco-rs to 0.8.0" to "fix(deps): update rust crate loco-rs to 0.9.0" on Sep 20, 2024