Migrating to v0.27¶
v0.27 adds the JSON CRUD APIs package and bumps the Den
and Go toolchains. Most of it is additive — the one breaking change is the
removal of contrib/auth's Renderer interface. This guide covers the concrete
upgrade steps from v0.26.
For the full list of changes, see the v0.27 changelog.
Quick orientation¶
| What you used | What changes | Section |
|---|---|---|
auth.WithRenderer(...) |
Removed — restyle via template overrides | Auth Renderer |
| (nothing) | New crud package for JSON APIs |
New: crud |
| Den v0.16.x | Bumped to v0.17.0 (API-compatible) | Den 0.17 |
| Go 1.26.x | Pinned to 1.26.4 (security) | Go toolchain |
| JSON clients hitting auth gates | Now get 401, not a login redirect |
JSON 401 |
Auth Renderer (removed)¶
contrib/auth's Renderer interface and the auth.WithRenderer(...) option are
gone. Auth pages render through their named templates; customize a page by
redefining its block (last-define-wins) instead of implementing a renderer:
// Before
auth.New(auth.WithRenderer(myRenderer))
// After — delete the option; override the template block you wanted to change:
// {{ define "auth/login" }} …your markup… {{ end }}
WithAuthLayout is unchanged.
New: crud package¶
Optional and opt-in — nothing to migrate. crud.NewResource[T](db, opts…) turns
a Den document type into JSON CRUD endpoints (filtering, search/FTS, offset and
cursor pagination, optimistic concurrency, full-replace PUT, relation expansion,
and OpenAPI 3.0). See the guide. Note: bearer-authenticated
API routes must be declared CSRF-exempt via csrf.ExemptPaths, and the OpenAPI
generator (crud.NewAPI) links in kin-openapi
— only if you import it.
Den 0.17.0¶
Burrow now requires Den v0.17.0. go get pulls it transitively; the re-exported
den.* surface burrow uses is API-compatible, so no code changes are required.
Run go mod tidy after upgrading.
Go toolchain¶
The toolchain is pinned to 1.26.4 (.mise.toml) for the patched standard
library fixing GO-2026-5037 / GO-2026-5039. If you build burrow from source,
mise install (or your own toolchain) should provide 1.26.4 or newer.
JSON clients get 401¶
Auth gates (RequireAuth/RequireStaff/RequireAdmin) now answer requests
sending Accept: application/json with 401 Unauthorized instead of a 302
redirect to the login page. Browser requests are unaffected. If a JSON client
relied on following the redirect, switch it to authenticate with an
API-key bearer token.