httpx

package module
v1.4.6 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 18, 2025 License: MIT Imports: 19 Imported by: 3

README

httpx: Minimalist HTTP Extensions for Go

Go Report Card

中文 | English

httpx is a set of HTTP extension tools based on Go 1.18+ generics. It is not a heavy web framework, but a powerful enhancement for the standard library net/http.

It aims to eliminate repetitive JSON decoding, parameter validation, and response encapsulation code in http.Handler through Generics, while maintaining full compatibility with the standard library.

Core Concepts

  1. Type Safety: Leveraging generics to transform func(w, r) into strongly typed func(ctx, *Req) (*Res, error).
  2. Modern Conventions: Uses String Codes (e.g., "OK", "INVALID_ARGUMENT") for business logic, distinct from HTTP Status Codes.
  3. Performance at Scale: Provides a SelfValidatable interface to bypass reflection validation; integrates httpsnoop for zero-overhead metric capture.
  4. Production Ready: Built-in protection against large bodies, memory limits for uploads, and graceful shutdown for long-lived connections.

Installation

go get github.com/oy3o/httpx

Quick Start

1. Define Request & Response

Use json, form, or path tags to define the structure.

type LoginReq struct {
    // Supports Go 1.22+ PathValue
    TenantID string `path:"tenant_id"` 
    Username string `json:"username" validate:"required,min=3"`
    Password string `json:"password" validate:"required"`
}

type LoginRes struct {
    Token string `json:"token"`
}
2. Write Business Logic

No need to manipulate http.ResponseWriter and *http.Request.

import "github.com/oy3o/httpx"

func LoginHandler(ctx context.Context, req *LoginReq) (*LoginRes, error) {
    if req.Username == "admin" && req.Password == "123456" {
        return &LoginRes{Token: "abc-123"}, nil
    }
    
    // Return an error. httpx automatically maps HTTP Status to a Business Code.
    // E.g., 401 -> "UNAUTHORIZED"
    return nil, httpx.ErrUnauthorized
}
3. Register Routes

Use httpx.NewRouter for a better routing experience with Group support, fully compatible with standard http.ServeMux.Use httpx.NewHandler to convert business functions into standard http.Handlers. Use httpx.NewStreamHandler to convert streamable business functions into standard http.Handlers.

func main() {
    // 1. Create a Router (wraps http.ServeMux)
    r := httpx.NewRouter()

    // 2. Register Routes
    r.Handle("POST /login", httpx.NewHandler(LoginHandler))

    // 3. Use Groups
    api := r.Group("/api/v1")
    
    // 4. Apply Middleware to Group
    // api.Use(httpx.AuthMiddleware) - Coming soon, currently via Group(pattern, middlewares...)
    admin := r.Group("/admin", AdminAuthMiddleware)
    admin.Handle("DELETE /users/{id}", httpx.NewHandler(DeleteUser))

    // 5. Add Global Middleware
    handler := httpx.Chain(r, 
        httpx.Recovery(nil),
        httpx.Logger(nil),
    )

    http.ListenAndServe(":8080", handler)
}

Core Features

1. Cooperative Binding

httpx.Bind automatically aggregates data from multiple sources:

  • Path: Go 1.22 r.PathValue (Tag: path).
  • Query: URL Query parameters (Tag: form).
  • Body: JSON or Form/Multipart based on Content-Type.
  • Priority: Path > Body > Query.
2. Hybrid Validation (High Performance)
  • Reflection Mode: Use struct tags (validate:"required"). fast for development.
  • Interface Mode: Implement SelfValidatable. Zero reflection overhead, ideal for hot paths.
// Fast Validation: httpx calls this method first, skipping reflection
func (r *LoginReq) Validate(ctx context.Context) error {
    if len(r.Username) < 3 {
        return errors.New("username too short")
    }
    return nil
}
3. Semantic Error Handling & Trace Injection

Separates HTTP Status from Business Code. Automatically injects X-Trace-ID into headers and the response body if a Trace provider is configured.

{
    "code": "UNAUTHORIZED",
    "message": "Invalid credentials",
    "trace_id": "a1b2c3d4"
}
4. Safety & Protection
  • WithMaxBodySize(bytes): Limits the request body size. Returns 413 Entity Too Large if exceeded.
  • WithMultipartLimit(bytes): Limits memory usage during file uploads. Excess data spills to disk.

Middleware Ecosystem

Middleware Description
Chain Composes multiple middleware into an onion model.
Recovery Captures Panics to prevent service crashes; supports custom Hooks.
Logger Based on httpsnoop, accurately records status codes and latency.
SecurityHeaders Adds X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, etc.
CORS Flexible Cross-Origin Resource Sharing configuration.
RateLimit Rate limiting interface integration.
AuthBearer/Basic Token extraction and validation.
ShutdownManager Manages graceful shutdown for long-lived connections (WebSocket/SSE).
Router Enhanced ServeMux with Group support and Method+Path handling.
ClientIP Middleware to extract real client IP with Trusted Proxy support.
Advanced: Graceful Shutdown for Long Connections

Standard http.Server.Shutdown does not terminate hijacked connections (like WebSockets) immediately. httpx.ShutdownManager solves this.

// 1. Create Manager
mgr := httpx.NewShutdownManager()

// 2. Wrap Handler
mux.Handle("/ws", mgr.Middleware(websocketHandler))

// 3. Inside Handler
func websocketHandler(w http.ResponseWriter, r *http.Request) {
    // Register cleanup callback
    httpx.RegisterOnShutdown(r.Context(), func() {
        conn.WriteMessage(websocket.CloseMessage, ...)
        conn.Close()
    })
    // ... loop ...
}

// 4. On Server Shutdown
mgr.Shutdown(ctx) // Triggers all registered callbacks

Documentation

Index

Constants

View Source 
const (
	// CodeOK 表示成功
	CodeOK = "OK"

	// CodeInternalError 服务器内部错误 (500)
	CodeInternalError = "INTERNAL_ERROR"

	// CodeBadRequest 请求参数错误 (400)
	CodeBadRequest = "BAD_REQUEST"

	// CodeUnauthorized 未认证 (401)
	CodeUnauthorized = "UNAUTHORIZED"

	// CodeForbidden 无权限 (403)
	CodeForbidden = "FORBIDDEN"

	// CodeNotFound 资源不存在 (404)
	CodeNotFound = "NOT_FOUND"

	// CodeTooManyRequests 请求过多 (429)
	CodeTooManyRequests = "TOO_MANY_REQUESTS"

	// CodeConflict 资源冲突 (409)
	CodeConflict = "CONFLICT"

	// CodeValidation 校验失败 (400)
	CodeValidation = "VALIDATION_FAILED"

	// CodeRequestEntityTooLarge 请求体过大 (413)
	CodeRequestEntityTooLarge = "REQUEST_ENTITY_TOO_LARGE"
)
View Source 
const DefaultMultipartMemory = 8 << 20

DefaultMultipartMemory 8MB

View Source 
const IdentityKey contextKey = "identity"

Variables

View Source 
var (
	ErrBadRequest            = &HttpError{HttpCode: http.StatusBadRequest, BizCode: CodeBadRequest, Msg: "Bad Request"}
	ErrUnauthorized          = &HttpError{HttpCode: http.StatusUnauthorized, BizCode: CodeUnauthorized, Msg: "Unauthorized"}
	ErrForbidden             = &HttpError{HttpCode: http.StatusForbidden, BizCode: CodeForbidden, Msg: "Forbidden"}
	ErrNotFound              = &HttpError{HttpCode: http.StatusNotFound, BizCode: CodeNotFound, Msg: "Not Found"}
	ErrTooManyRequests       = &HttpError{HttpCode: http.StatusTooManyRequests, BizCode: CodeTooManyRequests, Msg: "Too Many Requests"}
	ErrInternal              = &HttpError{HttpCode: http.StatusInternalServerError, BizCode: CodeInternalError, Msg: "Internal Server Error"}
	ErrRequestEntityTooLarge = &HttpError{HttpCode: http.StatusRequestEntityTooLarge, BizCode: CodeRequestEntityTooLarge, Msg: "Request Entity Too Large"}
)
View Source 
var Binders = []Binder{
	&PathBinder{},
	&QueryBinder{},
	&JsonBinder{DisallowUnknownFields: true},
	&FormBinder{MaxMemory: DefaultMultipartMemory},
}

Binders 默认绑定器链

View Source 
var ErrorHook func(ctx context.Context, err error) = nil

ErrorHook 是一个回调函数,用于处理错误的副作用(如记录日志)。 用户可以在 NewHandler 的 Option 中覆盖它。

View Source 
var GetTraceID func(ctx context.Context) string = nil

GetTraceID 是一个依赖注入点。 外部库(如 o11y)应该设置这个函数,以便 httpx 能获取到 TraceID。

View Source 
var SafeMode = false

SafeMode 控制是否开启错误脱敏。 建议在生产环境设置为 true。

View Source 
var SchemaDecoder = func() *schema.Decoder {
	d := schema.NewDecoder()
	d.SetAliasTag("form")
	d.IgnoreUnknownKeys(true)
	return d
}()

SchemaDecoder 用于 Query 和 Form 的解码 gorilla/schema 内部已有缓存机制,性能良好

View Source 
var Validator = validator.New()

Validator 是默认的验证器实例

Functions

func Bind 

func Bind(r *http.Request, v any, binders ...Binder) error

Bind 自动选择绑定器处理请求

func Chain 

func Chain(h http.Handler, mws ...Middleware) http.Handler

Chain 组合多个中间件

func ClientIP added in v1.4.5 

func ClientIP(ctx context.Context) string

ClientIP retrieves the client IP from the context. It returns an empty string if the middleware was not applied.

func Error 

func Error(w http.ResponseWriter, r *http.Request, err error, errhooks ...func(ctx context.Context, err error))

Error 负责将 error 转换为 HTTP 响应并写入 ResponseWriter。

func GetIdentity 

func GetIdentity(ctx context.Context) any

GetIdentity 从 Context 中获取身份信息。

func NewClientIPMiddleware added in v1.4.5 

func NewClientIPMiddleware(trustedProxiesCIDR []string) func(http.Handler) http.Handler

NewClientIPMiddleware creates a middleware that extracts the real client IP. trustedProxiesCIDR is a list of CIDR strings (e.g., "10.0.0.0/8", "127.0.0.1/32"). If trustedProxiesCIDR is nil or empty, it defaults to trusting NO proxies (only RemoteAddr) for security, OR you can decide to trust all if you explicitly pass specific value (not implemented here for safety). NOTE: To trust all (e.g. dev mode), pass "0.0.0.0/0".

func NewHandler 

func NewHandler[Req any, Res any](fn HandlerFunc[Req, Res], opts ...Option) http.HandlerFunc

func NewStreamHandler added in v1.4.1 

func NewStreamHandler[Req any, Res Streamable](fn HandlerFunc[Req, Res], opts ...Option) http.HandlerFunc

NewStreamHandler 创建一个流式处理函数。

func RegisterOnShutdown added in v1.4.0 

func RegisterOnShutdown(ctx context.Context, fn func())

RegisterOnShutdown 在当前请求的上下文中注册一个关闭回调。 当 ShutdownManager.Shutdown 被调用时,这些回调会被并发执行。 适用于 WebSocket、SSE 等需要发送协议级关闭信号(如 Close Frame)的场景。

func Validate 

func Validate(ctx context.Context, v any, validators ...*validator.Validate) error

Validate 执行验证逻辑。 v: 待验证的结构体指针 validatorInstance: 可选的验证器实例,如果为 nil 则使用 DefaultValidator

Types

type AuthValidator 

type AuthValidator func(ctx context.Context, token string) (any, error)

AuthValidator 定义验证回调函数签名。 返回的 any 将被注入到 Context 中(例如 User 对象)。

type BasicValidator 

type BasicValidator func(ctx context.Context, user, pass string) (any, error)

BasicValidator 定义 Basic Auth 验证回调。

type Binder added in v0.2.0 

type Binder interface {
	Name() string
	Type() BinderType
	Match(r *http.Request) bool
	Bind(r *http.Request, v any) error
}

type BinderType added in v0.2.0 

type BinderType int
const (
	BinderMeta BinderType = iota // Query, Header, Path
	BinderBody                   // JSON, XML, Form (互斥)
)

type BizCoder added in v0.2.0 

type BizCoder interface {
	BizStatus() string
}

BizCoder 定义了如何提取业务错误码 (String)。 任何实现了此接口的 error,httpx 都会使用其返回的字符串作为响应体中的 code 字段。

type CORSOptions 

type CORSOptions struct {
	AllowedOrigins   []string
	AllowedMethods   []string
	AllowedHeaders   []string
	ExposedHeaders   []string
	AllowCredentials bool
	MaxAge           int
}

CORSOptions 定义 CORS 配置

type ErrorCoder 

type ErrorCoder interface {
	HTTPStatus() int
}

ErrorCoder 定义了如何提取 HTTP 状态码。 任何实现了此接口的 error,httpx 都会使用其返回的状态码,而不是默认的 500。

type FileResponse 

type FileResponse struct {
	Content io.Reader
	Name    string
	Size    int64
	Type    string
}

FileResponse 是一个实现了 Streamable 的文件响应辅助类。

func (*FileResponse) Headers 

func (f *FileResponse) Headers() map[string]string

func (*FileResponse) WriteTo 

func (f *FileResponse) WriteTo(w io.Writer) (int64, error)

type FormBinder added in v1.1.0 

type FormBinder struct {
	MaxMemory int64
}

FormBinder 处理 multipart/form-data 和 x-www-form-urlencoded

func (*FormBinder) Bind added in v1.1.0 

func (b *FormBinder) Bind(r *http.Request, v any) error

func (*FormBinder) Match added in v1.1.0 

func (b *FormBinder) Match(r *http.Request) bool

func (*FormBinder) Name added in v1.1.0 

func (b *FormBinder) Name() string

func (*FormBinder) Type added in v1.1.0 

func (b *FormBinder) Type() BinderType

type HandlerFunc 

type HandlerFunc[Req any, Res any] func(ctx context.Context, req *Req) (Res, error)

HandlerFunc 定义业务处理函数签名。 坚持使用标准 context.Context,避免框架耦合, 我们和 gin 那样的框架有本质上的不同, 我们所有的实现都是通过配置和中间件完成, 所谓渐进式开发即是如此, 用户不必依赖我们, 但有我们会更好。

type HttpError 

type HttpError struct {
	HttpCode int
	BizCode  string
	Msg      string
}

HttpError 是一个通用的错误实现,同时满足 error, ErrorCoder 和 BizCoder 接口。 HttpError 被视为“安全的”,因为它是开发者显式构造的业务错误。

func NewError added in v0.2.0 

func NewError(httpCode int, bizCode string, msg string) *HttpError

NewError 创建一个新的 HttpError。 httpCode: HTTP 状态码 (如 404) bizCode: 业务错误码 (如 "USER_NOT_FOUND") msg: 错误描述

func (*HttpError) BizStatus added in v0.2.0 

func (e *HttpError) BizStatus() string

func (*HttpError) Error 

func (e *HttpError) Error() string

func (*HttpError) HTTPStatus 

func (e *HttpError) HTTPStatus() int

func (*HttpError) PublicMessage added in v1.4.3 

func (e *HttpError) PublicMessage() string

type JsonBinder added in v1.1.0 

type JsonBinder struct {
	// DisallowUnknownFields 控制是否允许 JSON 中包含结构体未定义的字段。
	// 默认为 true (不允许),否则可能导致“参数污染”或逻辑绕过。。
	DisallowUnknownFields bool
}

JsonBinder 使用 sonic 进行极速解码

func (*JsonBinder) Bind added in v1.1.0 

func (b *JsonBinder) Bind(r *http.Request, v any) error

func (*JsonBinder) Match added in v1.1.0 

func (b *JsonBinder) Match(r *http.Request) bool

func (*JsonBinder) Name added in v1.1.0 

func (b *JsonBinder) Name() string

func (*JsonBinder) Type added in v1.1.0 

func (b *JsonBinder) Type() BinderType

type Limiter 

type Limiter interface {
	Allow(r *http.Request) bool
}

Limiter 接口定义了限流器的行为。 Allow 应该非阻塞地返回是否允许请求。

type LogFunc added in v0.2.0 

type LogFunc func(r *http.Request, metrics httpsnoop.Metrics)

LogFunc 定义日志回调签名

type Middleware 

type Middleware func(http.Handler) http.Handler

Middleware 标准中间件定义

func AuthBasic 

func AuthBasic(validator BasicValidator, realm string) Middleware

AuthBasic Basic Auth 认证中间件。

func AuthBearer 

func AuthBearer(validator AuthValidator, realm string) Middleware

AuthBearer Bearer Token 认证中间件。 realm: 认证域名称,例如 "MyAPI"。如果为空,默认为 "Restricted"。

func CORS 

func CORS(opts CORSOptions) Middleware

CORS 跨域资源共享中间件。

func DefaultCORS 

func DefaultCORS() Middleware

DefaultCORS 返回一个宽容的 CORS 中间件(开发环境常用)。 注意:为了安全,默认禁用了 AllowCredentials。 如果需要携带 Cookie/Auth 头,请手动配置 CORS 并指定具体的 AllowedOrigins。

func Logger 

func Logger(logFunc LogFunc) Middleware

Logger 使用 httpsnoop 包装 ResponseWriter

func RateLimit 

func RateLimit(limiter Limiter, errhooks ...func(ctx context.Context, err error)) Middleware

RateLimit 返回一个限流中间件。

func Recovery 

func Recovery(panicHook func(ctx context.Context, err interface{})) Middleware

Recovery 捕获 Panic 防止服务崩溃

func SecurityHeaders added in v1.4.0 

func SecurityHeaders(cfgs ...SecurityConfig) Middleware

SecurityHeaders 返回一个中间件,用于添加通用的安全响应头。 包括: - X-Frame-Options: DENY (防止点击劫持) - X-Content-Type-Options: nosniff (防止 MIME 嗅探) - X-XSS-Protection: 1; mode=block (开启 XSS 过滤) - Referrer-Policy: strict-origin-when-cross-origin (控制 Referrer 泄露)

type Option 

type Option func(*config)

func AddBinders added in v0.2.0 

func AddBinders(b ...Binder) Option

AddBinders 在默认 Binder 链之前添加自定义 Binder

func NoEnvelope 

func NoEnvelope() Option

NoEnvelope 指示 Handler 不要使用标准的 {code, msg, data} 封口

func WithBinders added in v0.2.0 

func WithBinders(b ...Binder) Option

WithBinders 设置自定义的 Binder 链(将覆盖默认链)

func WithErrorHook added in v0.2.0 

func WithErrorHook(hook func(ctx context.Context, err error)) Option

WithErrorHook 设置该 Handler 专属的错误处理 Hook

func WithMaxBodySize added in v1.1.0 

func WithMaxBodySize(maxBytes int64) Option

WithMaxBodySize 限制请求体 (Body) 的最大字节数。 超过限制时将返回 413 Request Entity Too Large。 这是一个硬限制,会切断连接,有效防止大文件上传攻击或磁盘耗尽。 建议值:常规 API 设为 2MB-10MB;文件上传接口根据业务需求设定 (如 100MB)。

func WithMultipartLimit added in v1.1.0 

func WithMultipartLimit(limit int64) Option

WithMultipartLimit 设置解析 Multipart 表单时的最大内存限制 (字节)。 默认值为 8MB (DefaultMultipartMemory)。 设置此选项会创建一个新的 FormBinder 实例并替换掉默认链中的实例, 这样可以避免修改全局变量,也不破坏链中其他 Binder 的配置。

func WithValidator added in v0.2.0 

func WithValidator(v *validator.Validate) Option

WithValidator 设置自定义的 Validator 实例

type PathBinder added in v1.4.0 

type PathBinder struct{}

PathBinder 处理 URL 路径参数 (Go 1.22+)

func (*PathBinder) Bind added in v1.4.0 

func (b *PathBinder) Bind(r *http.Request, v any) error

func (*PathBinder) Match added in v1.4.0 

func (b *PathBinder) Match(r *http.Request) bool

func (*PathBinder) Name added in v1.4.0 

func (b *PathBinder) Name() string

func (*PathBinder) Type added in v1.4.0 

func (b *PathBinder) Type() BinderType

type PublicError added in v1.4.3 

type PublicError interface {
	PublicMessage() string
}

PublicError 定义了该错误是否包含可安全展示给前端的信息。 在 SafeMode=true 时,只有实现了此接口且 PublicMessage() 返回非空,或者具体类型为 *HttpError 的错误, 其原本的 Error() 内容才会被返回给客户端,否则将被替换为 "Internal Server Error"。

type QueryBinder added in v1.1.0 

type QueryBinder struct{}

QueryBinder 处理 URL 查询参数

func (*QueryBinder) Bind added in v1.1.0 

func (b *QueryBinder) Bind(r *http.Request, v any) error

func (*QueryBinder) Match added in v1.1.0 

func (b *QueryBinder) Match(r *http.Request) bool

func (*QueryBinder) Name added in v1.1.0 

func (b *QueryBinder) Name() string

func (*QueryBinder) Type added in v1.1.0 

func (b *QueryBinder) Type() BinderType

type Response 

type Response[T any] struct {
	// Code 是业务错误码 (字符串),例如 "OK", "INVALID_PARAM", "USER_BANNED"。
	// 它与 HTTP Status Code 分离,由前端用于展示具体的错误文案。
	Code    string `json:"code"`
	Message string `json:"message"`
	Data    T      `json:"data,omitempty"`
	TraceID string `json:"trace_id,omitempty"`
}

Response 是默认的统一响应信封。

type Router added in v1.4.5 

type Router struct {
	// contains filtered or unexported fields
}

Router wraps http.ServeMux to provide grouping and middleware capabilities.

func NewRouter added in v1.4.5 

func NewRouter() *Router

NewRouter creates a new Router instance.

func (*Router) Group added in v1.4.5 

func (r *Router) Group(pattern string, middleware ...func(http.Handler) http.Handler) *Router

Group creates a sub-router mounted at the specified pattern configuration. The pattern should be a path prefix like "/api/v1". Accessing the sub-router via the pattern will strip the pattern prefix.

func (*Router) Handle added in v1.4.5 

func (r *Router) Handle(pattern string, handler http.Handler)

Handle registers the handler for the given pattern. It applies the router's middleware chain to the handler.

func (*Router) HandleFunc added in v1.4.5 

func (r *Router) HandleFunc(pattern string, handler func(http.ResponseWriter, *http.Request))

HandleFunc registers the handler function for the given pattern.

func (*Router) ServeHTTP added in v1.4.5 

func (r *Router) ServeHTTP(w http.ResponseWriter, req *http.Request)

ServeHTTP satisfies http.Handler.

type SecurityConfig added in v1.4.3 

type SecurityConfig struct {
	// HSTSMaxAgeSeconds 启用 Strict-Transport-Security。0 表示禁用。
	// 生产环境建议设置为 31536000 (1年)。
	HSTSMaxAgeSeconds int

	// HSTSIncludeSubdomains 是否包含子域名
	HSTSIncludeSubdomains bool

	// CSP Content-Security-Policy 值。
	// 例如: "default-src 'self'"
	CSP string
}

SecurityConfig 定义安全头配置

type SelfValidatable 

type SelfValidatable interface {
	Validate(ctx context.Context) error
}

SelfValidatable 是高性能验证接口。 如果 Request 结构体实现了此接口,将跳过反射验证。

type ShutdownManager added in v1.4.0 

type ShutdownManager struct {
	// contains filtered or unexported fields
}

ShutdownManager 管理活跃连接的优雅关闭

func NewShutdownManager added in v1.4.0 

func NewShutdownManager() *ShutdownManager

NewShutdownManager 创建一个新的关闭管理器

func (*ShutdownManager) Middleware added in v1.4.0 

func (m *ShutdownManager) Middleware(next http.Handler) http.Handler

Middleware 返回一个中间件,用于跟踪请求生命周期并注入关闭支持。

func (*ShutdownManager) Shutdown added in v1.4.0 

func (m *ShutdownManager) Shutdown(ctx context.Context) error

Shutdown 触发优雅关闭。 它会并发调用所有活跃请求注册的回调函数。 此方法会阻塞直到所有回调执行完毕或 ctx 超时。

type Streamable 

type Streamable interface {
	Headers() map[string]string
	WriteTo(w io.Writer) (int64, error)
}

Streamable 接口用于指示该结构体是流式响应(文件下载、SSE)。

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.