🐛 bug: harden session middleware lifecycle and error handling

[gaby]

Motivation

• Prevent session-object leaks and panics by ensuring acquired Session objects are always returned to the pool on every terminal/error path.
• Let middleware initialization failures be handled by the configured error handler instead of panicking and ensure middleware objects are released on init failure.
• Add regression coverage for lifecycle/error paths so release/save semantics are exercised and protected from regressions.

Description

• Make (*Middleware).initialize return error and update NewWithStore to invoke the configured ErrorHandler or DefaultErrorHandler on init failures while releasing the middleware and returning the original error only when no response status was written.
• Add finalizeSession() which conditionally calls saveSession() (skips when destroyed) and always calls releaseSession(m.Session) exactly once to guarantee object lifecycle cleanup.
• Harden Store.getSession to call sess.Release() before returning when sess.Reset() fails on absolute-expiry, and change Store.GetByID to always sess.Release() before returning ErrSessionIDNotFoundInStore after attempting sess.Destroy().
• Audit nearby early-return branches around acquireSession() for balanced Release() calls and add targeted tests for the new behaviors in middleware/session/middleware_test.go and middleware/session/store_test.go.

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch update-session-middleware-to-fail-gracefully

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @gaby, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the reliability and resource management of the session middleware. It focuses on preventing session object leaks and application panics by ensuring that session objects are always properly released back to their pool, even when errors occur during initialization or session lifecycle events. The changes centralize session finalization logic and harden error paths within the session store, leading to a more stable and predictable session management system.

Highlights

• Robust Error Handling for Session Middleware Initialization: The session middleware's initialization process now gracefully handles errors by invoking a configured error handler and ensuring proper resource release, preventing panics and improving stability.
• Centralized Session Lifecycle Management: A new finalizeSession() method has been introduced to ensure that acquired session objects are consistently saved (if not destroyed) and always returned to the pool, preventing session object leaks.
• Hardened Session Store Error Paths: The Store.getSession and Store.GetByID methods have been updated to explicitly release session objects back to the pool in various error and expiry scenarios, such as when sess.Reset() fails or an expired session is destroyed.
• Comprehensive Test Coverage: New unit tests have been added for both middleware.go and store.go to specifically cover the new error handling, session finalization logic, and session release behaviors in edge cases.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• middleware/session/middleware.go
  • Modified NewWithStore to catch initialization errors from m.initialize, call the configured ErrorHandler, and release the middleware object.
  • Changed (*Middleware).initialize to return an error instead of panicking, allowing for controlled error propagation.
  • Introduced (*Middleware).finalizeSession to encapsulate the logic for conditionally saving a session and always releasing the session object.
• middleware/session/middleware_test.go
  • Added failingStorage and lifecycleStorage structs to simulate storage errors and track lifecycle calls in tests.
  • Introduced new tests for Test_Session_Middleware_InitializeError_WithCustomErrorHandler, Test_Session_Middleware_InitializeError_DefaultErrorHandler, and Test_Session_Middleware_InitializeError_ReturnsHandlerErrorWhenUnwritten to validate middleware initialization error handling.
  • Added new tests for Test_Middleware_FinalizeSession_NormalSavePath, Test_Middleware_FinalizeSession_DestroyedPathSkipsSave, and Test_Middleware_FinalizeSession_SaveErrorStillReleasesSession to verify the finalizeSession behavior.
• middleware/session/store.go
  • Ensured sess.Release() is called in getSession if sess.Reset() fails when an absolute-expired session is encountered.
  • Modified GetByID to always call sess.Release() before returning ErrSessionIDNotFoundInStore after attempting to destroy an expired session.
• middleware/session/store_test.go
  • Added trackingStorage to monitor Delete calls in tests.
  • Introduced seedExpiredSessionInStore helper function to set up expired sessions for testing.
  • Added Test_Store_getSession_ExpiredResetFailureReleasesSession to confirm session release when Reset() fails on an expired session.
  • Added Test_Store_GetByID_ExpiredDestroySuccessReleasesSession to confirm session release when an expired session is destroyed via GetByID.

Activity

• The author, gaby, provided a detailed motivation for the changes, highlighting the prevention of session-object leaks and panics.
• The description outlines specific code modifications, including making initialize return an error, adding finalizeSession(), and hardening Store methods.
• Testing involved running unit tests for the session package with focused cases, full go test ./middleware/session, and make test, all of which passed.
• Code quality checks (make generate, make betteralign, make modernize, make format, make lint) were performed and succeeded.
• An make audit was run, which failed due to unrelated standard-library vulnerabilities in Go 1.25.1, as noted by the author.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[codecov]

Codecov Report

❌ Patch coverage is 82.97872% with 8 lines in your changes missing coverage. Please review.
✅ Project coverage is 91.13%. Comparing base (082e205) to head (097e06f).

Files with missing lines	Patch %	Lines
middleware/session/data.go	40.00%	2 Missing and 1 partial ⚠️
middleware/session/session.go	57.14%	1 Missing and 2 partials ⚠️
middleware/session/middleware.go	95.23%	1 Missing ⚠️
middleware/session/store.go	92.85%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4059      +/-   ##
==========================================
+ Coverage   91.04%   91.13%   +0.09%     
==========================================
  Files         119      119              
  Lines       11340    11370      +30     
==========================================
+ Hits        10324    10362      +38     
+ Misses        644      638       -6     
+ Partials      372      370       -2     

Flag	Coverage Δ
unittests	91.13% <82.97%> (+0.09%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[gemini-code-assist]

Code Review

This pull request significantly hardens the session middleware by improving error handling and fixing several potential resource leaks. While the changes are well-implemented, replacing panics with proper error propagation and ensuring session objects are always released back to the pool, a high-severity issue remains. The middleware instance is returned to the pool while a reference to it still exists in the request context's locals, which can lead to cross-request session data leakage if other middlewares access the session after the main handler chain has completed. It is recommended to clear the context local reference before releasing the middleware instance. Additionally, consider improving context propagation during session destruction in middleware/session/store.go.

[Copilot]

Pull request overview

This PR hardens the session middleware/store lifecycle to prevent pooled Session/Middleware objects from leaking across request/error paths, and adds regression tests around those paths.

Changes:

• Convert (*Middleware).initialize to return an error and route init failures through the configured ErrorHandler/DefaultErrorHandler instead of panicking.
• Ensure sessions are always released back to the pool on terminal/error paths (finalizeSession, extra Release() calls in store error branches).
• Add regression tests for initialization, context-local cleanup, and store expiry/destroy behaviors.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
middleware/session/middleware.go	Switch init to error-return and add finalizeSession() to guarantee session release and locals cleanup.
middleware/session/session.go	Add a stored context (gctx) so Destroy() can honor GetByID’s context; clear it on release.
middleware/session/store.go	Release sessions on absolute-expiry reset failure; ensure GetByID releases sessions on expiry destroy path and uses gctx.
middleware/session/middleware_test.go	Add tests for locals cleanup, init error handling, and finalize lifecycle behavior.
middleware/session/store_test.go	Add tests for expiry/reset failure release, expiry destroy release, and destroy context propagation.

[Copilot]

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

[github-actions]

⚠️ Performance Alert ⚠️

Possible performance regression was detected for benchmark.
Benchmark result of this commit is worse than the previous benchmark result exceeding threshold 1.50.

Benchmark suite	Current: a5953ea	Previous: 92ada8a	Ratio
BenchmarkDecoderedirectionMsgs - MB/s	118.68 MB/s	47.86 MB/s	2.48

This comment was automatically generated by workflow using github-action-benchmark.

[gaby]

@copilot

• Make sure the session middleware is properly storing values and utilizing fiber.StoreInContext
• In middleware/session/store.go accepts extracted session IDs from Extractor and immediately uses them as storage keys (Storage.GetWithContext(c, id)) without length/character validation.
• Replace panic-on-session-load-failure with safe error handling path.

[Copilot]

@gaby I've opened a new pull request, #4107, to work on those changes. Once the pull request is ready, I'll request review from you.

[gaby]

/gemini review

[Copilot]

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated no new comments.

[gemini-code-assist]

Code Review

This pull request significantly hardens the session middleware by improving its lifecycle management and error handling. Key changes include preventing session object leaks by ensuring sessions are always returned to the pool, handling middleware initialization failures gracefully instead of panicking, and adding robust validation for session IDs as a security measure. The introduction of finalizeSession clarifies the session cleanup logic and fixes a potential resource leak when a session was destroyed. The changes from panicking to returning errors in initialize and acquire* functions make the middleware more robust and align better with Go's error handling practices. The pull request is well-structured and includes a comprehensive set of regression tests that cover the new behaviors and protect against future regressions. Overall, these are excellent improvements that enhance the stability and security of the session middleware.

[gemini-code-assist]

Code Review

This pull request significantly hardens the session middleware by improving its lifecycle management and error handling. Key improvements include replacing panics with returned errors in initialization paths, ensuring session objects are consistently released to prevent leaks (especially on error paths), and adding validation for session IDs as a security measure. The introduction of finalizeSession centralizes cleanup logic, making it more robust. The added regression tests are comprehensive and cover the new behaviors well.

I've found a couple of minor opportunities for improvement to make the hardening even more consistent across the codebase. Overall, this is an excellent set of changes that improves the stability and security of the session middleware.

[gemini-code-assist]

Code Review

The pull request significantly improves the robustness of the session middleware by ensuring proper lifecycle management and error handling. The transition from panicking to returning errors during initialization, along with the addition of session ID validation and better pooling safety, are excellent improvements. I have a few suggestions to further 'harden' the lifecycle against panics and ensure consistency in context usage across all session operations.

[gemini-code-assist]

To fully 'harden' the middleware lifecycle as intended by this PR, consider using defer for releasing the middleware and finalizing the session. This ensures that pooled objects are returned even if a downstream handler panics, preventing memory leaks in high-load scenarios.

Suggested change

	m := acquireMiddleware()
	m.initialize(c, &cfg)
	if err := m.initialize(c, &cfg); err != nil {
	if cfg.ErrorHandler != nil {
	cfg.ErrorHandler(c, err)
	} else {
	DefaultErrorHandler(c, err)
	}
	releaseMiddleware(m)
	if c.Response().StatusCode() == fiber.StatusOK && len(c.Response().Body()) == 0 {
	return err
	}
	return nil
	}
	stackErr := c.Next()
	m.mu.RLock()
	destroyed := m.destroyed
	m.mu.RUnlock()
	if !destroyed {
	m.saveSession()
	}
	m.finalizeSession()
	fiber.StoreInContext(c, middlewareContextKey, nil)
	releaseMiddleware(m)
	return stackErr
	m := acquireMiddleware()
	defer releaseMiddleware(m)
	if err := m.initialize(c, &cfg); err != nil {
	if cfg.ErrorHandler != nil {
	cfg.ErrorHandler(c, err)
	} else {
	DefaultErrorHandler(c, err)
	}
	if c.Response().StatusCode() == fiber.StatusOK && len(c.Response().Body()) == 0 {
	return err
	}
	return nil
	}
	defer m.finalizeSession()
	defer fiber.StoreInContext(c, middlewareContextKey, nil)
	return c.Next()

[gemini-code-assist]

The addition of gctx to honor the context from GetByID is a good improvement for Destroy. However, for full consistency and correctness, this context should also be honored in other storage-touching methods like Save, Reset, and Regenerate. Currently, those methods fall back to context.Background() if s.ctx is nil, ignoring any timeout or cancellation associated with the context passed to GetByID.

[gemini-code-assist]

Since finalizeSession is now responsible for releasing the session, it should include a nil check for m.Session to prevent potential panics if called on an uninitialized or partially initialized middleware instance (e.g., if used with the defer pattern suggested elsewhere).

func (m *Middleware) finalizeSession() {
	if m.Session == nil {
		return
	}
	m.mu.RLock()
	destroyed := m.destroyed
	m.mu.RUnlock()

	if !destroyed {
		m.saveSession()
	}

	releaseSession(m.Session)
}