🧹 chore: Fix cache cleanup and redact token values

[gaby]

Summary

• Redacts sensitive token values in error messages to prevent information leakage
• Fixes cache cleanup logic to prevent memory leaks and properly track heap accounting
• Excludes specific data types from msgp generation to resolve go vet copylock warnings

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Documentation for Ctx.Err was shortened. Cache middleware refactored heap index handling and centralized cleanup on store errors. CSRF storageManager added a redacted key constant, a storage field, adjusted error messages, copies in-memory keys/values, and removed msgp methods/tests. Session data disabled msgp generation and removed its msgp methods/tests.

Changes

Cohort / File(s)	Summary of Changes
Ctx Err doc tweak ctx_interface_gen.go	Shortened Err method doc to state it mirrors context.Err; signature and behavior unchanged.
Cache middleware cleanup refactor middleware/cache/cache.go	Use local heap index copies for stable removals; introduce cleanupOnStoreError helper to centralize heap removal, storedBytes accounting, optional release and raw-key deletion; unify error-path cleanup for both external and in-memory storage; remove scattered release calls on success paths.
CSRF storage manager adjustments middleware/csrf/storage_manager.go	Added const redactedKey = "[redacted]" and a storage fiber.Storage field; redact keys in storage error messages; copy keys/bytes for in-memory storage; simplified get/delete error messages; minor comment tweaks.
CSRF msgp methods & tests removed middleware/csrf/storage_manager_msgp.go, middleware/csrf/storage_manager_msgp_test.go	Removed generated msgp serialization methods for storageManager and their tests/benchmarks.
Session data msgp disabled & removals middleware/session/data.go, middleware/session/data_msgp.go, middleware/session/data_msgp_test.go	Added //msgp:ignore data directive; removed generated msgp encode/decode/marshal methods and related tests/benchmarks for data.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Client
  participant Cache as Cache Middleware
  participant Heap as EntryHeap
  participant Store as External Storage
  participant Mem as In-Memory Map

  Client->>Cache: New(request)
  rect rgba(230,245,255,0.6)
    note right of Cache: prepare entry, compute local heapIdx
    Cache->>Heap: Push(entry with heapIdx)
    note right of Cache: define cleanupOnStoreError(...)
  end

  alt External storage path
    Cache->>Store: setRaw(key, value)
    alt setRaw fails
      Cache->>Cache: cleanupOnStoreError(removeFromHeap, adjustBytes, release, delRaw?)
      Cache-->>Client: error
    else setRaw ok
      Cache-->>Client: success
    end
  else In-memory path
    Cache->>Mem: set(key, value)
    alt set fails
      Cache->>Cache: cleanupOnStoreError(removeFromHeap, adjustBytes, release)
      Cache-->>Client: error
    else set ok
      Cache-->>Client: success
    end
  end

  par Expiration
    Cache->>Heap: Pop(using local idx copy)
    Cache->>Cache: release(entry)
  end

Loading

sequenceDiagram
  autonumber
  actor App
  participant CSRF as CSRF storageManager
  participant Ext as fiber.Storage
  participant Mem as In-Memory

  rect rgba(245,235,255,0.5)
    note right of CSRF: getRaw(key)
  end
  alt using external storage
    CSRF->>Ext: Get(key)
    alt error
      CSRF-->>App: error "failed to get value from storage" (key redacted)
    else ok
      CSRF-->>App: bytes
    end
  else in-memory
    CSRF->>Mem: Lookup(key)
    alt type mismatch
      CSRF-->>App: error "type assertion failed in storage"
    else ok
      CSRF-->>App: bytes
    end
  end

  rect rgba(235,255,235,0.5)
    note right of CSRF: setRaw(key, bytes)
  end
  alt external storage
    CSRF->>Ext: Set(key, bytes)
    alt error
      CSRF-->>App: error with key "[redacted]"
    else ok
      CSRF-->>App: nil
    end
  else in-memory
    CSRF->>CSRF: Copy key and bytes (CopyString/CopyBytes)
    CSRF->>Mem: Store(copy)
    CSRF-->>App: nil
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~30 minutes

Possibly related PRs

• 🐛 bug: Fix Cache middleware handling of Age #3547 — Overlaps cache middleware changes (heap/age/manager edits).
• Refactor CSRF middleware and enhance documentation #3598 — Related CSRF middleware changes (storage/extraction/config updates).
• feat: fiber.Context implement context.Context #3382 — Related Ctx interface / Err documentation and behavior updates.

Suggested reviewers

• sixcolors
• efectn
• ReneWerner87

Poem

I hop and tidy bits of code,
Heap indexes safe on the road.
Keys redacted, bytes copied neat,
Msgp footprints skip a beat.
A rabbit's patchwork, small and bright — commits all snug by moonlight. 🥕🐇

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description Check	⚠️ Warning	The PR description contains a brief high-level summary of the changes but does not follow the repository's required template: it lacks a "Fixes # (issue)" reference, the detailed "Changes introduced" section (benchmarks, docs, changelog, migration notes), the "Type of change" checkbox selections, and the full PR checklist items needed for review and release. Because those template sections are missing, the description is incomplete for reviewers and release automation.	Please update the PR description to follow the repository template: add a "Fixes #" line if applicable, expand "Changes introduced" with file-level and behavioral details (including any removed tests and rationale), fill in the Type of change checkboxes, complete the Checklist (tests run, docs/benchmarks, migration notes), and note any commit-formatting expectations so reviewers and release processes have the required context.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The title "🧹 chore: Fix cache cleanup and redact token values" is a concise, single-sentence summary that directly reflects the two principal changes in the diff (cache cleanup/heap accounting fixes in middleware/cache and redaction of sensitive token values in middleware/csrf), so it accurately conveys the main intent to reviewers. It is specific and focused enough for repository history scanning. The leading emoji is non-essential but does not make the title misleading.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch redact-csrf-key-in-error-messages

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2e5ddcb and 8750440.

📒 Files selected for processing (1)

• middleware/csrf/storage_manager.go (3 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**/*.go

📄 CodeRabbit inference engine (AGENTS.md)

**/*.go: Format Go code using gofumpt (enforced via make format)
Ensure code passes golangci-lint checks (enforced via make lint)
Optimize struct field alignment using betteralign (enforced via make betteralign)
Modernize Go code using gopls modernize (enforced via make modernize)

Files:

• middleware/csrf/storage_manager.go

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: unit (1.25.x, macos-13)
• GitHub Check: unit (1.25.x, windows-latest)
• GitHub Check: repeated
• GitHub Check: Compare

🔇 Additional comments (7)

middleware/csrf/storage_manager.go (7)

19-19: LGTM! Security improvement for token redaction.

The redactedKey constant provides a consistent way to prevent sensitive CSRF token keys from being exposed in error messages.

---

22-22: Good practice to exclude from msgp generation.

Adding the //msgp:ignore directive for storageManager prevents potential copylock warnings during code generation.

---

53-53: Security enhancement: Key redacted from error message.

The error message now properly excludes the potentially sensitive key value while still providing meaningful error context through the wrapped underlying error.

---

61-61: Improved error message without sensitive data exposure.

The error message is now more generic and doesn't expose the key value, which could potentially contain sensitive information.

---

73-73: Security fix: CSRF key redacted in storage error.

Using redactedKey instead of the actual key prevents sensitive token information from being exposed in error logs.

---

78-79: Excellent fix for potential data corruption issue.

The addition of utils.CopyString(key) and utils.CopyBytes(raw) prevents unsafe retention of potentially reused buffer references. The updated comment accurately reflects that both key and raw value are now copied.

---

87-87: Consistent key redaction in delete operations.

The delete error message now consistently uses redactedKey to prevent exposure of sensitive CSRF token keys.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gaby]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces several valuable fixes and improvements. The changes in the cache middleware correctly handle resource cleanup on storage errors, preventing potential leaks. In the CSRF middleware, redacting keys in errors and copying byte slices are great security and correctness enhancements. Skipping msgp generation for specific types is also a good move for maintainability. My review includes a couple of suggestions for the cache middleware to address a potential dead code path and to reduce some code duplication.

[codecov]

Codecov Report

❌ Patch coverage is 45.71429% with 19 lines in your changes missing coverage. Please review.
✅ Project coverage is 91.41%. Comparing base (8136af2) to head (8750440).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
middleware/cache/cache.go	40.00%	15 Missing and 3 partials ⚠️
middleware/csrf/storage_manager.go	80.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3757      +/-   ##
==========================================
- Coverage   91.49%   91.41%   -0.09%     
==========================================
  Files         113      113              
  Lines       11806    11828      +22     
==========================================
+ Hits        10802    10812      +10     
- Misses        738      748      +10     
- Partials      266      268       +2     

Flag	Coverage Δ
unittests	91.41% <45.71%> (-0.09%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[gaby]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces several important fixes and improvements. The redaction of token values in CSRF error messages is a good security enhancement. The fixes for cache cleanup in the cache middleware correctly address potential resource leaks and stale data issues by ensuring heap and byte count are properly managed on storage errors. The addition of utils.CopyBytes when storing CSRF tokens in memory is a crucial fix to prevent data corruption. Finally, skipping msgp generation for structs with sync fields is the right approach to resolve the go vet warnings. The changes are well-implemented. I have one minor suggestion to improve a comment for better maintainability.

[Copilot]

Pull Request Overview

This PR addresses security concerns and fixes resource management issues in cache and CSRF middleware. The changes prevent token value leaks, fix memory management, and resolve code generation issues.

Key changes:

• Redacts sensitive token values in error messages to prevent information leakage
• Fixes cache cleanup logic to prevent memory leaks and properly track heap accounting
• Excludes specific data types from msgp generation to resolve go vet copylock warnings

Reviewed Changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
middleware/csrf/storage_manager.go	Redacts token values in error messages and copies byte slices before storage
middleware/cache/cache.go	Fixes cache cleanup logic and removes redundant pool releases
middleware/session/data.go	Adds msgp:ignore directive to prevent code generation
middleware/csrf/storage_manager_msgp.go	Removes generated storageManager serialization code
middleware/session/data_msgp.go	Removes generated data serialization code
middleware/csrf/storage_manager_msgp_test.go	Removes generated storageManager test code
middleware/session/data_msgp_test.go	Removes generated data test code
ctx_interface_gen.go	Simplifies comment documentation for Err method

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8136af2 and 3be3c06.

📒 Files selected for processing (8)

• ctx_interface_gen.go (1 hunks)
• middleware/cache/cache.go (2 hunks)
• middleware/csrf/storage_manager.go (3 hunks)
• middleware/csrf/storage_manager_msgp.go (0 hunks)
• middleware/csrf/storage_manager_msgp_test.go (0 hunks)
• middleware/session/data.go (1 hunks)
• middleware/session/data_msgp.go (0 hunks)
• middleware/session/data_msgp_test.go (0 hunks)

💤 Files with no reviewable changes (4)

• middleware/session/data_msgp_test.go
• middleware/csrf/storage_manager_msgp_test.go
• middleware/csrf/storage_manager_msgp.go
• middleware/session/data_msgp.go

🧰 Additional context used

📓 Path-based instructions (1)

**/*.go

📄 CodeRabbit inference engine (AGENTS.md)

**/*.go: Format Go code using gofumpt (enforced via make format)
Ensure code passes golangci-lint checks (enforced via make lint)
Optimize struct field alignment using betteralign (enforced via make betteralign)
Modernize Go code using gopls modernize (enforced via make modernize)

Files:

• middleware/session/data.go
• middleware/cache/cache.go
• ctx_interface_gen.go
• middleware/csrf/storage_manager.go

🧬 Code graph analysis (1)

middleware/cache/cache.go (1)

storage_interface.go (1)

• Storage (10-46)

🔇 Additional comments (13)

ctx_interface_gen.go (1)

47-51: Doc tweak for Ctx.Err: LGTM.

Accurately reflects parity with context.Err while noting fasthttp no-op.

middleware/cache/cache.go (4)

163-168: Fix: capture heap index before release — correct.

Capturing idx := e.heapidx before manager.release(e) prevents using a potentially recycled entry; heap accounting now stays consistent.

---

306-312: Heap index handling on insert: LGTM.

Storing heapIdx locally and mirroring into e.heapidx keeps both paths coherent and simplifies later removals.

---

314-323: Centralized cleanup helper reduces duplication.

The cleanupOnStoreError closure consolidates heap unwind and optional release, addressing earlier repetition.

---

337-341: In-memory set error path likely unreachable — verify.

If cfg.Storage == nil, manager.set typically can’t fail; the cleanup call may be dead code. Either document that manager.set can error in-memory or simplify.

#!/bin/bash
# Inspect manager.set implementation and its error behavior.
rg -nP -C3 --type=go 'func\s+\(\s*\*?manager\s*\)\s*set\s*\('
rg -nP -C2 --type=go '\bmanager\.set\('

middleware/csrf/storage_manager.go (7)

19-19: Key redaction constant: good addition.

Prevents leaking sensitive tokens in errors.

---

21-27: Skip msgp on storageManager: LGTM.

Avoids copylock and keeps generated code minimal.

---

52-54: Storage get error message: safer phrasing.

Generic message plus wrapped error avoids exposing keys.

---

61-62: Type guard message: fine.

Covers unexpected in-memory value type without leaking internals.

---

73-74: Redacted key on store errors: correct.

Keeps secrets out of logs.

---

78-80: Comment clarity and typo.

Fix “crsf” and note both key and raw are copied to avoid buffer reuse issues.

- // the key is crucial in crsf and sometimes a reference to another value which can be reused later(pool/unsafe values concept), so a copy is made here
+ // To prevent corruption from reused buffers, copy both the key and raw bytes
+ // before storing them in memory (pool/unsafe value reuse).

---

85-88: Redacted delete errors: LGTM.

Consistent with set/get redaction.

middleware/session/data.go (1)

10-10: Remove or disable msgp generator — directive still present.
middleware/session/data.go:9 contains //go:generate msgp -o=data_msgp.go -tests=true -unexported; middleware/session/data_msgp.go exists — running go generate will recreate the file. Remove or scope the //go:generate directive (or stop committing the generated file).

Likely an incorrect or invalid review comment.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

middleware/cache/cache.go (1)

314-322: Nice centralization of rollback; consider clearer param semantics.

entryReleased bool is inverted (true = skip release). Rename to releaseEntry bool and flip the condition to reduce cognitive load. Non-functional polish.

Apply:

- cleanupOnStoreError := func(entryReleased bool) {
+ cleanupOnStoreError := func(releaseEntry bool) {
   if cfg.MaxBytes > 0 {
     _, size := heap.remove(heapIdx)
     storedBytes -= size
   }
-  if !entryReleased {
+  if releaseEntry {
     manager.release(e)
   }
 }

Then invert the booleans at call sites.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3be3c06 and 80465c2.

📒 Files selected for processing (1)

• middleware/cache/cache.go (2 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**/*.go

📄 CodeRabbit inference engine (AGENTS.md)

**/*.go: Format Go code using gofumpt (enforced via make format)
Ensure code passes golangci-lint checks (enforced via make lint)
Optimize struct field alignment using betteralign (enforced via make betteralign)
Modernize Go code using gopls modernize (enforced via make modernize)

Files:

• middleware/cache/cache.go

🧬 Code graph analysis (1)

middleware/cache/cache.go (1)

storage_interface.go (1)

• Storage (10-46)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: unit (1.25.x, macos-13)
• GitHub Check: repeated
• GitHub Check: unit (1.25.x, windows-latest)
• GitHub Check: Compare

🔇 Additional comments (4)

middleware/cache/cache.go (4)

163-168: Correct order: capture heap handle before release; then evict.

Good fix. Grabbing idx := e.heapidx before manager.release(e) avoids losing the handle when the entry is zeroed, and then adjusting storedBytes via heap.remove(idx) keeps accounting consistent.

---

337-341: Unreachable error branch for in‑memory set (duplicate of prior feedback).

Per previous review, in‑memory manager.set does not return an error; this cleanup block is dead code. Safe to keep, but consider removing to reduce noise.

---

307-312: Confirmed — indexedHeap.remove expects the stable index returned by put.
indexedHeap.remove(idx) looks up h.indices[idx] → current slice position; pushInternal and Swap update that mapping, so storing e.heapidx from heap.put and later calling remove on that handle is correct.

---

324-336: Entry ownership confirmed — no extra release required

manager.set (middleware/cache/manager.go) calls m.release(it) on marshal/store errors and also on success, so e is released; keep the code as-is and do not add another manager.release(e).

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

middleware/cache/cache.go (2)

163-168: Good fix: remove by saved heap index; add underflow guard.

Capturing e.heapidx before manager.release(e) avoids using a possibly reset index. Also, consider guarding storedBytes -= size to prevent uint underflow if accounting ever drifts.

-               _, size := heap.remove(idx)
-               storedBytes -= size
+               _, size := heap.remove(idx)
+               if storedBytes >= size {
+                   storedBytes -= size
+               } else {
+                   storedBytes = 0
+               }

---

314-318: Mirror the underflow guard here as well.

Same accounting protection as above inside the cleanup helper.

-           if cfg.MaxBytes > 0 {
-               _, size := heap.remove(heapIdx)
-               storedBytes -= size
-           }
+           if cfg.MaxBytes > 0 {
+               _, size := heap.remove(heapIdx)
+               if storedBytes >= size {
+                   storedBytes -= size
+               } else {
+                   storedBytes = 0
+               }
+           }

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 80465c2 and da44777.

📒 Files selected for processing (1)

• middleware/cache/cache.go (2 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**/*.go

📄 CodeRabbit inference engine (AGENTS.md)

**/*.go: Format Go code using gofumpt (enforced via make format)
Ensure code passes golangci-lint checks (enforced via make lint)
Optimize struct field alignment using betteralign (enforced via make betteralign)
Modernize Go code using gopls modernize (enforced via make modernize)

Files:

• middleware/cache/cache.go

🧬 Code graph analysis (1)

middleware/cache/cache.go (1)

storage_interface.go (1)

• Storage (10-46)

🪛 GitHub Check: lint

middleware/cache/cache.go

[failure] 323-323:
Error return value of manager.del is not checked (errcheck)

---

[failure] 314-314:
File is not properly formatted (gofumpt)

🪛 GitHub Actions: golangci-lint

middleware/cache/cache.go

[error] 314-314: File is not properly formatted (gofumpt). Run 'gofmt -w' and re-run golangci-lint.

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: unit (1.25.x, windows-latest)
• GitHub Check: unit (1.25.x, macos-13)
• GitHub Check: Compare
• GitHub Check: repeated

🔇 Additional comments (4)

middleware/cache/cache.go (4)

306-312: Heap index assignment is consistent and clear.

Using a local heapIdx and copying it into e.heapidx keeps later cleanup deterministic.

---

329-333: Error path releases and accounting look correct for setRaw failure.

On setRaw error you unwind heap and release the entry. Good.

---

341-343: Uniform in-memory unwind is fine.

Even if in-memory set currently can’t fail, keeping the error path consistent is OK and low-cost.

---

335-337: Leak: release pooled entry on metadata store failure (external storage).

If manager.set(c, key, e, expiration) fails after setRaw succeeded, e is leaked. Pass releaseEntry=true to return it to the pool.

-           if err := manager.set(c, key, e, expiration); err != nil {
-               cleanupOnStoreError(false, true)
+           if err := manager.set(c, key, e, expiration); err != nil {
+               cleanupOnStoreError(true, true)
                return err
            }

[github-actions]

⚠️ Performance Alert ⚠️

Possible performance regression was detected for benchmark.
Benchmark result of this commit is worse than the previous benchmark result exceeding threshold 1.50.

Benchmark suite	Current: 8750440	Previous: 8136af2	Ratio
Benchmark_SetValWithStruct/error_type_should_ignore	14.99 ns/op 0 B/op 0 allocs/op	7.778 ns/op 0 B/op 0 allocs/op	1.93
Benchmark_SetValWithStruct/error_type_should_ignore - ns/op	14.99 ns/op	7.778 ns/op	1.93

This comment was automatically generated by workflow using github-action-benchmark.

[gaby]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces several important fixes and improvements. It enhances security by redacting sensitive token values from error messages in the CSRF middleware. It also fixes potential memory leaks and incorrect heap accounting in the cache middleware by ensuring proper cleanup of expired and failed-to-store entries. Additionally, it resolves go vet copylock warnings by excluding certain structs containing mutexes from msgp generation. The changes are well-implemented. I have one minor suggestion regarding a comment in the CSRF storage manager to improve clarity and correctness.