
Conversation

@ReneWerner87 (Member)

Summary

  • document removal of ContextKey from CSRF middleware
  • add migration steps for accessing CSRF token and handler via context helpers

Testing

  • make audit (fails: EncodeMsg passes lock by value)
  • make generate
  • make betteralign (fails: package requires newer Go version go1.25)
  • make modernize (fails: package requires newer Go version go1.25)
  • make format
  • make test (0 tests run)

https://chatgpt.com/codex/tasks/task_e_68a9d1855f348326bd2f89899c69baee

Copilot AI review requested due to automatic review settings August 23, 2025 14:42
@ReneWerner87 ReneWerner87 requested a review from a team as a code owner August 23, 2025 14:42
@coderabbitai bot (Contributor) commented Aug 23, 2025

Walkthrough

Updates docs/whats_new.md to reflect CSRF middleware public API changes: field renames/removals, new Extractor, removal of FromCookie, new csrf.TokenFromContext and csrf.HandlerFromContext helpers, and clarified context-based access patterns with examples.

Changes

Cohort / File(s) Summary
Docs: What's New
docs/whats_new.md
Document CSRF API updates: Expiration→IdleTimeout, remove ContextKey/SessionKey/KeyLookup, add Extractor, remove FromCookie, add TokenFromContext/HandlerFromContext, and clarify context-based storage/access with examples.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Client
  participant App
  participant CSRF as CSRF Middleware
  participant Extractor
  participant Ctx as Request Context
  participant Handler as Downstream Handler

  Client->>App: HTTP Request
  App->>CSRF: Invoke middleware
  CSRF->>Extractor: Extract token (header/form/query...)
  Extractor-->>CSRF: Token or missing
  CSRF->>Ctx: Store token and handler refs
  alt token valid
    CSRF->>Handler: Next()
    note over Handler,Ctx: Handler can call<br/>csrf.TokenFromContext(c)<br/>csrf.HandlerFromContext(c)
    Handler-->>App: Response
  else token invalid
    CSRF-->>App: CSRF error response
  end
  App-->>Client: HTTP Response

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

📒 Documentation, v3

Suggested reviewers

  • sixcolors
  • gaby
  • efectn

Poem

A hare taps keys with whiskered grace,
New tokens hop through context space.
No cookie crumbs, no secret key—
An Extractor leads them, bound and free.
From burrowed helpers, truths we glean—
CSRF’s path now crisp and clean. 🥕


Copilot AI (Contributor) left a comment

Pull Request Overview

This PR documents the removal of the ContextKey field from the CSRF middleware configuration and provides migration guidance for developers. The change improves security by using unexported keys and standardizes access patterns through helper functions.

Key Changes

  • Documents the removal of the ContextKey field from CSRF middleware
  • Adds migration instructions for accessing CSRF tokens and handlers via new helper functions
  • Updates both the main changelog and migration guide sections
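The design point in the review above (token and handler kept under an unexported context key and read back only through typed helpers) can be shown without the Fiber framework. The block below is an added example, not code from this PR or from the Fiber project: it re-implements the idea on the Go standard library's `net/http` and `context` packages. The names `csrfCtxKey`, `withCSRF`, `TokenFromContext`, `HandlerFromContext`, `CSRF`, `formHandler` and `ServeForm` are hypothetical stand-ins that only mirror the helpers discussed in this thread, and the token format (32 random bytes, hex-encoded) is an assumption. `StringKeyCannotShadow` demonstrates the property the unexported key buys: a value written under the old-style string key "csrf" can neither read nor replace the real token, and `formHandler` shows the empty/nil guard a handler needs when the middleware was not applied.

```go
package main

import (
	"context"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// csrfCtxKey is an unexported key type (hypothetical, mirrors the PR's idea):
// no code outside this package can construct a value of this type, so nothing
// else can read or overwrite what is stored under it. A string key like "csrf"
// is reachable by any handler or middleware that knows the string.
type csrfCtxKey struct{}

// Handler stands in for the middleware's handler object; it only mints tokens.
type Handler struct{}

// newToken returns 32 random bytes, hex-encoded (64 characters). Assumed format.
func (h *Handler) newToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// storedCSRF is what the middleware places in the request context.
type storedCSRF struct {
	token   string
	handler *Handler
}

func withCSRF(ctx context.Context, token string, h *Handler) context.Context {
	return context.WithValue(ctx, csrfCtxKey{}, storedCSRF{token: token, handler: h})
}

// TokenFromContext returns the token, or "" if the middleware did not run.
func TokenFromContext(ctx context.Context) string {
	s, _ := ctx.Value(csrfCtxKey{}).(storedCSRF)
	return s.token
}

// HandlerFromContext returns the handler, or nil if the middleware did not run.
func HandlerFromContext(ctx context.Context) *Handler {
	s, _ := ctx.Value(csrfCtxKey{}).(storedCSRF)
	return s.handler
}

// CSRF is a minimal middleware: mint a token per request and store it.
func CSRF(h *Handler, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		token, err := h.newToken()
		if err != nil {
			http.Error(w, "token generation failed", http.StatusInternalServerError)
			return
		}
		next.ServeHTTP(w, r.WithContext(withCSRF(r.Context(), token, h)))
	})
}

// formHandler is the "after" pattern: read through the helpers, never via a
// string key, and fail loudly when the middleware was not applied.
func formHandler(w http.ResponseWriter, r *http.Request) {
	token := TokenFromContext(r.Context())
	if token == "" || HandlerFromContext(r.Context()) == nil {
		http.Error(w, "csrf middleware not applied", http.StatusInternalServerError)
		return
	}
	w.Header().Set("X-CSRF-Token", token)
	w.WriteHeader(http.StatusOK)
}

// ServeForm sends GET /form through formHandler, with or without the
// middleware, and returns the status and the X-CSRF-Token header it exposed.
func ServeForm(withMiddleware bool) (int, string) {
	var h http.Handler = http.HandlerFunc(formHandler)
	if withMiddleware {
		h = CSRF(&Handler{}, h)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/form", nil))
	return rec.Code, rec.Header().Get("X-CSRF-Token")
}

// StringKeyCannotShadow shows the property the unexported key buys: a value
// written under the string key "csrf" (the old default ContextKey) neither
// reads nor replaces the real token.
func StringKeyCannotShadow() bool {
	ctx := withCSRF(context.Background(), "real-token", &Handler{})
	ctx = context.WithValue(ctx, "csrf", "attacker") // deliberate string key
	return TokenFromContext(ctx) == "real-token" && ctx.Value("csrf") == "attacker"
}

func main() {
	code, tok := ServeForm(true)
	fmt.Printf("with middleware: status=%d token=%s\n", code, tok)
	code, _ = ServeForm(false)
	fmt.Printf("without middleware: status=%d\n", code)
	fmt.Printf("string key shadows real token: %v\n", !StringKeyCannotShadow())
}
```

The important line is the one in `StringKeyCannotShadow`: because `csrfCtxKey{}` and the string `"csrf"` are different key types, `context.Value` keeps them in separate slots, so a configurable string key is exactly what lets unrelated code collide with or clobber the middleware's entry, and removing `ContextKey` closes that door.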

@gemini-code-assist bot (Contributor) left a comment

Summary of Changes

Hello @ReneWerner87, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on updating the documentation to reflect a significant change in the CSRF middleware. Specifically, it addresses the removal of the ContextKey field, which previously allowed custom keys for storing CSRF-related data in the context. The primary goal is to inform users about this change and provide clear instructions on how to adapt their code to access CSRF tokens and handlers using the newly introduced helper functions, ensuring a smooth transition and continued functionality.

Highlights

  • CSRF Middleware Documentation Update: The documentation for the CSRF middleware has been updated to reflect the removal of the ContextKey field. This change means that CSRF tokens and handlers are now stored using unexported keys within the context.
  • Migration Steps for CSRF Access: New migration steps have been added to guide users on how to access CSRF tokens and handlers. Users should now use the helper functions csrf.TokenFromContext(c) and csrf.HandlerFromContext(c) to retrieve these values from the context.

@gemini-code-assist bot (Contributor) left a comment

Summary of Changes

Hello @ReneWerner87, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request updates the documentation to reflect changes in the CSRF middleware. Specifically, it notes the removal of the ContextKey field and provides clear migration instructions for accessing CSRF tokens and handlers using new helper functions.

Highlights

  • CSRF ContextKey Removal Documentation: The ContextKey field has been removed from the CSRF middleware configuration, and this PR updates the whats_new.md documentation to reflect this change.
  • Updated CSRF Token/Handler Access: Migration steps are added to guide users on how to retrieve CSRF tokens and handlers, which are now stored using unexported keys, via csrf.TokenFromContext(c) and csrf.HandlerFromContext(c).

@gemini-code-assist bot (Contributor) left a comment

Code Review

This pull request updates the documentation to reflect the removal of the ContextKey field from the CSRF middleware. The changes in docs/whats_new.md correctly note this removal and point users to the new helper functions. I've added one suggestion to improve the migration guide's clarity and consistency by providing a 'Before' and 'After' code example, similar to other migration points in the same section.

Comment on lines +2112 to +2117
- **ContextKey Removal**: The `ContextKey` field has been removed from the CSRF middleware configuration. Access the token and handler using helper functions instead:

```go
token := csrf.TokenFromContext(c)
handler := csrf.HandlerFromContext(c)
```
@gemini-code-assist bot (Contributor)

medium

For consistency with other migration points in this section, consider providing a Before and After example. This would make it clearer to users what the new helper functions replace.

Here is a suggested replacement for lines 2112-2117:

- **ContextKey Removal**: The `ContextKey` field has been removed from the CSRF middleware configuration. Use the new helper functions to access the token and handler from the context instead of `c.Locals()`.

  **Before:**
  ```go
  // In a handler, assuming default ContextKey "csrf"
  token := c.Locals("csrf")
  ```

  **After:**
  ```go
  // In a handler
  token := csrf.TokenFromContext(c)
  handler := csrf.HandlerFromContext(c)
  ```

@coderabbitai bot (Contributor) left a comment

Actionable comments posted: 0

🧹 Nitpick comments (2)
docs/whats_new.md (2)

1118-1119: CSRF: solid note on ContextKey removal; add a tiny example and cross-link for faster migration

Nice, this clearly states the change and the new helpers. Consider adding a 5-line example and a short note about middleware ordering, plus a cross-link to the migration section below. This will reduce confusion when folks first hit this page.

 The `ContextKey` field has been removed. Tokens and handlers are now stored using unexported keys; retrieve them with `csrf.TokenFromContext(c)` or `csrf.HandlerFromContext(c)`.
+For example:
+
+```go
+app.Get("/form", func(c fiber.Ctx) error {
+    token := csrf.TokenFromContext(c)
+    c.Set("X-CSRF-Token", token) // expose via header if needed
+    return c.Render("form", fiber.Map{"csrf_token": token})
+})
+```
+
+Note: Ensure the CSRF middleware is registered and executed before using these helpers. See the detailed migration steps in the [CSRF migration](#csrf-1).
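Review bot: The cross-link target `#csrf-1` on the last added line is a guessed heading id; the `-1` suffix only exists if the renderer deduplicates a second "CSRF" heading that way, so confirm the migration section actually renders with that anchor before the link goes in. The added snippet also assumes a Views engine is configured on the app for `c.Render("form", ...)`; since the header line `c.Set("X-CSRF-Token", token)` already demonstrates exposure, consider `return c.SendString(token)` or dropping the `Render` line so the five lines work on a bare app.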

2112-2118: Add nil-check guard and example CSRF token exposure

To help users avoid nil pointer panics when the CSRF middleware isn’t applied and give them a copy-paste snippet for exposing the token, update the migration example in docs/whats_new.md (lines 2112–2118):

-```go
-token := csrf.TokenFromContext(c)
-handler := csrf.HandlerFromContext(c)
-```
+```go
+token := csrf.TokenFromContext(c)
+// Typical usage: expose CSRF token to clients
+c.Set("X-CSRF-Token", token)                  // e.g., HTTP header
+// or pass to templates: fiber.Map{"csrf_token": token}
+
+// Safely retrieve the handler (nil if middleware not applied)
+if h := csrf.HandlerFromContext(c); h != nil {
+    // perform handler-specific operations
+}
+```
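Review bot: The nil guard covers `HandlerFromContext` but the token path above it is unguarded: when the middleware is not applied, `TokenFromContext(c)` returns `""` (it is a `string`, per the note below) and `c.Set("X-CSRF-Token", token)` silently emits an empty header instead of failing loudly. Guard the token the same way, e.g. `if token := csrf.TokenFromContext(c); token != "" { c.Set("X-CSRF-Token", token) }`, or say explicitly that an empty string means the middleware did not run on this route.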

• Verified TokenFromContext(c fiber.Ctx) string and HandlerFromContext(c fiber.Ctx) *Handler exist in the middleware/csrf package, so the nil-guard is needed.
• This gives users a minimal, safe starting point for both token retrieval and handler usage.


📥 Commits

Reviewing files that changed from the base of the PR and between 5c403cd and e0523fa.

📒 Files selected for processing (1)
  • docs/whats_new.md (2 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
docs/**

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

Review and update the contents of the docs folder if necessary when modifying code

Files:

  • docs/whats_new.md

@ReneWerner87 ReneWerner87 merged commit bd7fd56 into main Aug 23, 2025
3 checks passed
@ReneWerner87 ReneWerner87 deleted the codex/2025-08-23-14-42-41 branch August 23, 2025 14:55
@ReneWerner87 ReneWerner87 added this to v3 Aug 23, 2025
@ReneWerner87 ReneWerner87 added this to the v3 milestone Aug 23, 2025