feat!(middleware/session): re-write session middleware with handler

[sixcolors]

Feature: Re-write Session Middleware with Handler

Summary

This pull request introduces significant changes to the session middleware, enhancing its functionality and improving its robustness. The primary focus is on the re-write of the session middleware with a new handler.

Status

• Initial PR for concept
• Optimize Performance
• Migrate to Middleware Style (session.New() returns middleware handler)
• Add new tests for the middleware handler to cover various scenarios including error handling, session retrieval, and data manipulation.
• Update Documentation
• Update Migration Guide
• Update CSRF Middleware
• Update CSRF Middleware Tests to cover Middleware-style sessions.

Changelog

Middleware Changes

• Re-write session middleware: The session middleware has been re-written to use a handler for better session management.
• New Middleware File: Added middleware/session/middleware.go to define the session middleware and its configuration.
• Enhanced Session Management:
  • Introduced a middleware pool for efficient session handling.
  • Added methods for setting, getting, and deleting session data within the middleware.
  • Improved error handling during session operations.

CSRF Session Manager Changes

• Improved Session Handling:
  • Modified getRaw, setRaw, and delRaw methods to use the session from the context first before falling back to the store.
  • Removed logging dependency (log) from the session manager.

Configuration Changes

• Config Struct Update:
  • Renamed Expiration to IdleTimeout to better reflect the session idle duration.
  • Updated default values and their usage in the configuration.

Session Struct Changes

• Renamed Fields:
  • exp is now idleTimeout to indicate the idle timeout duration for sessions.
• Session Methods Update:
  • Updated methods to use idleTimeout instead of exp.
  • Improved the Save method to handle idle timeout correctly.

Future Work On This PR

This is an initial commit for the new middleware approach. If the new middleware handler proves to be more effective, further changes will be made to:

• Update session.New to return the Middleware handler instead of the old session.Store struct.
• Migrate the current Session to RawSession, preferring the new style of session management.

A suggested standard use for the session might look something like this after these modifications:

func main() {
	app := fiber.New()

	// Middleware
	app.Use(logger.New())
	app.Use(session.New())
	app.Use(csrf.New(
		csrf.Config{
			KeyLookup: "header:X-CSRF-Token",
		},
	))
	app.Use(limiter.New())

	// Routes
	app.Get("/", func(c *fiber.Ctx) error {
		ses := session.FromContext(c)
		if ses == nil {
			return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{
				"message": "Internal Server Error",
			})
		}
		user, ok := sess.Get("user").(User)
		if !ok {
			return c.Redirect("/login")
		}

		return c.SendString(fmt.Sprintf("Welcome %s!", user.Username))

	})

	app.Get("/session", func(c *fiber.Ctx) error {
		ses := session.FromContext(c)
		if ses == nil {
			return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{
				"message": "Internal Server Error",
			})
		}
		// In this proposal, we will return the session ID
		// which we will always have, because we always have a session
		// even if it's empty. It's generated on the first request.
		_, sessionHasUser := sess.Get("user").(User)
		return c.JSON(fiber.Map{
			"session":        sess.ID(),
			"sessionHasUser": sessionHasUser,
		})
	})

	app.Get("/login", func(c *fiber.Ctx) error {
		return c.SendFile("login.html")
	})

	app.Post("/auth/login", func(c *fiber.Ctx) error {
		type LoginInput struct {
			Username string `json:"username"`
			Password string `json:"password"`
		}
		var input LoginInput
		if err := c.BodyParser(&input); err != nil {
			return err
		}
		// Check username and password
		usr, err := repo.Login(input.Username, input.Password)
		if err != nil {
			return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{
				"message": "Unauthorized",
			})
		}
		// Create session
		ses := session.FromContext(c)
		if ses == nil {
			return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{
				"message": "Internal Server Error",
			})
		}
		// Since this is a login, we should regenerate the session
		sess.Regenerate()
		// Set user in session
		sess.Set("user", usr)
		// Return message
		return c.JSON(fiber.Map{
			"message": "Login successful",
		})
		// Save session is automatic when middleware handler is used
		// it will happen after the handler has returned.
	})

	app.Post("/auth/logout", func(c *fiber.Ctx) error {
		ses := session.FromContext(c)
		if ses == nil {
			return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{
				"message": "Internal Server Error",
			})
		}
		// Destroy session
		sess.Destroy()
		// a new session will be created automatically on the next request
		// by the session middleware
		return c.JSON(fiber.Map{
			"message": "Logout successful",
		})
	})

	app.Get("/auth/timeout", func(c *fiber.Ctx) error {
		ses := session.FromContext(c)
		if ses == nil {
			return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{
				"message": "Internal Server Error",
			})
		}
		// Calling any route where the session middleware is
		// used will extend the idle timeout.
		return c.JSON(fiber.Map{
			"message":     "Session extended",
			"idleTimeout": sess.IdleTimeout(),
		})
	})

	// Start server
	app.Listen(":3000")
}

Testing

• Ensure all existing tests pass.
• Add new tests for the middleware handler to cover various scenarios including error handling, session retrieval, and data manipulation.

Notes

• This update introduces breaking changes due to the renaming of configuration fields and changes in session handling methods. Ensure to update the dependent code accordingly.
• The re-write aims to improve performance and maintainability of the session management logic.

Please review the changes and provide feedback or approval for merging.

---

Fixes #2741

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

The recent changes address inconsistencies in session and CSRF middleware handling by aligning with NIST guidelines on timeout and expiration. Key modifications include refactoring session handling to use session.FromContext(c), renaming Expiration to IdleTimeout in configurations, and introducing new session middleware for better session state management in Fiber applications.

Changes

Files	Change Summary
middleware/csrf/session_manager.go	Refactored session handling to use session.FromContext(c) and added error handling and store session retrieval.
middleware/session/config.go	Renamed Expiration to IdleTimeout in the Config struct and updated default values and initialization logic.
middleware/session/middleware.go	Introduced session middleware with MiddlewareConfig and Middleware structs, and related methods.
middleware/session/session.go	Renamed exp to idleTimeout in the Session struct and updated related methods.

Sequence Diagram(s) (Beta)

sequenceDiagram
    participant Client
    participant FiberApp
    participant Middleware
    participant SessionStore

    Client->>FiberApp: HTTP Request
    FiberApp->>Middleware: Process Request
    Middleware->>SessionStore: Retrieve Session (session.FromContext(c))
    SessionStore-->>Middleware: Session Data
    Middleware->>FiberApp: Continue Processing
    FiberApp-->>Client: HTTP Response

Loading

Assessment against linked issues

Objective	Addressed	Explanation
Evaluate Session middleware for consistency with NIST guidelines (#2741)	✅
Evaluate CSRF middleware for alignment with NIST standards (#2741)	✅
Update middleware documentation for clarity on expiration and timeout (#2741)	❓	Code changes indicate alignment, but documentation updates are not explicitly mentioned.

Poem

In the world of code, where sessions flow,
Refactoring brings a smoother glow.
From context now, the sessions rise,
With idle timeouts, no more surprise.
Middleware dances, in sync, in line,
Aligning with standards, so divine.
A rabbit's cheer for changes bright,
In Fiber's realm, all feels right. 🌟🐇

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share

• X
• Mastodon
• Reddit
• LinkedIn

Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai generate interesting stats about this repository and render them as a table.
  • @coderabbitai show all the console.log statements in this repository.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (invoked as PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Additionally, you can add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Configration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 2

Outside diff range and nitpick comments (3)

middleware/csrf/session_manager.go (1)

74-84: Consider adding logging for error scenarios in session deletion.

if err != nil {
    log.Errorf("Failed to retrieve session for deletion: %v", err)
}

middleware/session/middleware.go (1)

51-94: Add detailed documentation for the middleware lifecycle.

// NewMiddleware creates and manages the lifecycle of session middleware.
// It retrieves a middleware instance from the pool, attaches it to the context,
// and ensures it is properly released after the request is processed.

middleware/session/session.go (1)

Line range hint 170-192: Improve error handling in the Save method to handle potential encoding failures more gracefully.

if err != nil {
    log.Errorf("Session encoding failed: %v", err)
    return err
}

Review Details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between ed9d7cf and 6e76847.

Files selected for processing (4)

• middleware/csrf/session_manager.go (3 hunks)
• middleware/session/config.go (3 hunks)
• middleware/session/middleware.go (1 hunks)
• middleware/session/session.go (7 hunks)

Additional comments not posted (4)

middleware/csrf/session_manager.go (1)

57-68: Ensure thread safety when setting session tokens.

Verification successful

---

The Set method implementations found in the codebase indicate that thread safety measures are in place. Specifically:

• In middleware/session/middleware.go, the Set method uses a mutex (m.mu.Lock() and m.mu.Unlock()) to ensure thread safety.
• In middleware/session/data.go, the Set method also uses a lock (d.Lock() and d.Unlock()) to ensure thread safety.

These implementations confirm that the session management operations are thread-safe.

Scripts Executed

The following scripts were executed for the analysis:

---

Script:

#!/bin/bash
# Description: Check for potential data races when setting session tokens.
# Command: Run your Go data race detector tool on this section.

Length of output: 0

---

---

Script:

#!/bin/bash
# Description: Check if the session management library used in the codebase provides thread-safe operations.
# Command: Search for the session management library and inspect its documentation or implementation for thread safety.

# Find the session management library used in the codebase
session_lib=$(rg --files-with-matches 'session.FromContext' | head -n 1)

# Check if the session management library provides thread-safe operations
if [ -n "$session_lib" ]; then
  rg 'thread-safe' "$session_lib"
else
  echo "Session management library not found."
fi

Length of output: 208

---

---

Script:

#!/bin/bash
# Description: Extract and inspect the implementation of the `Set` method in the session management library to verify thread safety.

# Find the implementation of the `Set` method in the session management library
ast-grep --lang go --pattern 'func ($_ $_) Set($_, $_) $_' middleware/csrf/session_manager.go

Length of output: 95

---

---

Script:

#!/bin/bash
# Description: Search the entire codebase for the implementation of the `Set` method to verify thread safety.

# Find the implementation of the `Set` method in the entire codebase
ast-grep --lang go --pattern 'func ($_ $_) Set($_, $_) $_'

Length of output: 1417

middleware/session/config.go (1)

13-15: Renaming Expiration to IdleTimeout clarifies the purpose and aligns with best practices.

middleware/session/middleware.go (1)

31-37: Well-structured Middleware struct with appropriate use of synchronization for thread safety.

middleware/session/session.go (1)

16-22: The addition of idleTimeout in the Session struct is a positive change for better session management.

[coderabbitai]

Refactor to improve error handling in session retrieval.

if err != nil {
    // Log the error or handle it according to your error handling policy
    return nil
}

[coderabbitai]

Enhance error handling for configuration validation.

if len(selectors) != numSelectors {
    log.Errorf("[session] KeyLookup format is incorrect: %s", cfg.KeyLookup)
    return ConfigDefault // Return default config or handle error appropriately
}

[sixcolors]

TODO: There should probably be a way to allow for not having an idle timeout.

[coderabbitai]

@sixcolors, to accommodate the possibility of not having an idle timeout, we can introduce a specific value for IdleTimeout that, when set, indicates the session should not expire based on time. For example, setting IdleTimeout to -1 could be used to represent no timeout.

Here's a proposed change to the configDefault function in middleware/session/config.go to support this:

func configDefault(config ...Config) Config {
    if len(config) < 1 {
        return ConfigDefault
    }

    cfg := config[0]

    // Set default values
    if cfg.IdleTimeout == -1 {
        // -1 means no idle timeout
        cfg.IdleTimeout = 0 // 0 could internally represent no timeout
    } else if int(cfg.IdleTimeout.Seconds()) <= 0 {
        cfg.IdleTimeout = ConfigDefault.IdleTimeout
    }

    // Existing code for setting other defaults
    if cfg.KeyLookup == "" {
        cfg.KeyLookup = ConfigDefault.KeyLookup
    }
    if cfg.KeyGenerator == nil {
        cfg.KeyGenerator = ConfigDefault.KeyGenerator
    }

    // Existing code for validating KeyLookup
    selectors := strings.Split(cfg.KeyLookup, ":")
    const numSelectors = 2
    if len(selectors) != numSelectors {
        panic("[session] KeyLookup must in the form of <source>:<name>")
    }
    switch Source(selectors[0]) {
    case SourceCookie:
        cfg.source = SourceCookie
    case SourceHeader:
        cfg.source = SourceHeader
    case SourceURLQuery:
        cfg.source = SourceURLQuery
    default:
        panic("[session] source is not supported")
    }
    cfg.sessionName = selectors[1]

    return cfg
}

This modification allows setting IdleTimeout to -1 to disable the timeout, while maintaining the default behavior when a non-negative timeout is specified. If this approach aligns with your expectations, it could be implemented to enhance the flexibility of session management.

[sixcolors]

Known Issues

Storage Adapter UPSERT Behavior

There is an issue with the way Fiber's storage adapters handle setting keys. The current operation for setting a key is an UPSERT, which means it will insert a new key if it does not exist or update it if it does. This can lead to issues in scenarios with simultaneous requests altering the same session. For example:

• One request destroys the session.
• Another request makes an inconsequential change to the session.

If the session destruction completes first, the inconsequential change could recreate the session, potentially preventing actions like logging out and posing security risks.

Since this PR changes the session behavior to save and update on every request, it amplifies the problem if not addressed.

[sixcolors]

See: https://github.com/gofiber/recipes/tree/v3-csrf-with-session-PR-3016-update/csrf-with-session for usage example of this PR in current state.

[gaby]

Those new sequence diagrams are awesome

[gaby]

Do we need the Mutex Locks here too?

[sixcolors]

The mu mutex in the Middleware struct is used to ensure thread-safety when modifying the Session and hasChanged fields of the Middleware instance. This is necessary because the Middleware instance could potentially be accessed by multiple goroutines concurrently.

However, since the Session struct itself already ensures thread-safety in its methods (i.e., it uses its own mutexes to protect its data), then the mu mutex in the Middleware struct might be redundant for operations on the Session.

But, the mu mutex is still necessary for the Session and hasChanged field. If this field is accessed concurrently without a mutex, it could lead to race conditions.

I will update.

[efectn]

I think it's better if we use New() here. Maybe we can rename current New to NewStore, NewStorage etc.

[renanbastos93]

I believe that uses only e New or NewSession

[sixcolors]

How should we handle the interaction between Session and Middleware? Here's the potential issue: if the middleware is in use and the session for the same user is retrieved from the store, any changes made and saved in the handler would be overwritten by the middleware.

We could add a check in the store. If the middleware is in the context, it could pass that session when Store.Get(c) was called. And Session.Save() could noop if it's the middleware session.

[renanbastos93]

@sixcolors it makes sense to me. I believe that follows with your point.

[renanbastos93]

Wow, you've been doing a good job. I commented on a few details. Thanks for contributing here.

[renanbastos93]

sounds not so good. Why do you ignore error?

[sixcolors]

The CSRF middleware lacks a mechanism to handle that error beyond failing the CSRF check. A refactor of the CSRF middleware would be necessary to address this issue.

[renanbastos93]

It's okay, can you open this issue for us?

[sixcolors]

@coderabbitai open an issue to improve error handling in the middleware/csrf/session_manager.go and middleware/csrf/storage_manager.go files as discussed here.

[coderabbitai]

@sixcolors, I've successfully opened an issue to improve error handling in the CSRF middleware as discussed. You can track the progress and further details on this issue at GitHub Issue #3020.

Analysis chain

Scripts executed

The following scripts were executed for the analysis:

---

Script:

#!/bin/bash
# Create a GitHub issue for improving error handling in specified files
gh issue create --title "Improve Error Handling in CSRF Middleware" --body "There is a need to enhance error handling in the CSRF middleware, specifically within the files `middleware/csrf/session_manager.go` and `middleware/csrf/storage_manager.go`. This issue was identified during a discussion in PR https://github.com/gofiber/fiber/pull/3016. Improving this could involve refactoring the error handling logic to provide more robust and informative error responses.

For more context, see the discussion here: https://github.com/gofiber/fiber/pull/3016#discussion_r1619785319" --assignee sixcolors

Length of output: 855

[renanbastos93]

@sixcolors #3021

[coderabbitai]

Seems like the humans are having a chat. I'll hop back into my burrow for now. If you need me again, just tag @coderabbitai in a new comment, and I'll come hopping out!

[sixcolors]

@sixcolors #3021

I’ll take a look tomorrow

[renanbastos93]

same here about ignore error

[renanbastos93]

😢

[sixcolors]

Unfortunately, middleware/csrf/storage_manager.go also ignore errors in the same manner, for example, _ = m.storage.Set(key, raw, exp) //nolint:errcheck // TODO: Do not ignore error. As a result, the CSRF check fails in the middleware, and the CSRF error handler is called with ErrTokenNotFound.

[renanbastos93]

let's go to solve together

[sixcolors]

The "safe" option appears to be failing the CSRF, so it's likely the correct result already. We could incorporate logging to improve things.

[renanbastos93]

I believe that uses only e New or NewSession

[codecov]

Codecov Report

Attention: Patch coverage is 41.61074% with 87 lines in your changes missing coverage. Please review.

Project coverage is 82.12%. Comparing base (23bcbd3) to head (4f04291).
Report is 5 commits behind head on main.

❗ Current head 4f04291 differs from pull request most recent head ee193dc

Please upload reports for the commit ee193dc to get more accurate results.

Files	Patch %	Lines
middleware/session/middleware.go	37.63%	51 Missing and 7 partials ⚠️
middleware/csrf/session_manager.go	36.66%	8 Missing and 11 partials ⚠️
middleware/session/config.go	28.57%	5 Missing ⚠️
middleware/session/session.go	76.92%	1 Missing and 2 partials ⚠️
middleware/session/store.go	66.66%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3016      +/-   ##
==========================================
- Coverage   82.78%   82.12%   -0.67%     
==========================================
  Files         115      116       +1     
  Lines        8227     8348     +121     
==========================================
+ Hits         6811     6856      +45     
- Misses       1086     1147      +61     
- Partials      330      345      +15     

Flag	Coverage Δ
unittests	82.12% <41.61%> (-0.67%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.