feat: make golangci-lint config stricter

[leonklingele]

Summary by CodeRabbit

• Refactor
  • Improved the logic for handling idempotency in HTTP requests to enhance clarity and accuracy.
  • Adjusted error handling in session storage to ensure smoother operation.
  • Refined the control flow in URL path processing for more efficient string handling.
  • Optimized the parsing and setting of flash messages in redirects for better user feedback.
• Chores
  • Updated linter settings to enhance code quality and maintainability.

[ReneWerner87]

@nickajacks1 can you verify these changes

[nickajacks1]

Thanks for the super thorough update. Left a lot of comments (sorry). Some comments are just me thinking out loud so feel free to resolve those right away.

There were a number of linters that are either deprecated or audit usage of packages that we don't use. I recommend explicitly disabling all of them. For contrib we can enable ones like spancheck and zerologlint.

[nickajacks1]

I looked into this a bit and wastedassign feels like it is doing exactly what ineffassign does, except that it errs on the side of false positives instead of false negatives. The only failures in fiber today triggered by wastedassign are zero-initialization (eg foo := "" instead of var foo string)
So I might put my vote on disabling wastedassign. Dont need to decide that now though.

[leonklingele]

I'd prefer consistency here. For example, we use both var foo string and foo := "" in this codebase.

[nickajacks1]

I believe wsl directly conflicts with gofumpt in some areas, so it is impossible to enable both with default configuration. We can probably add config to make them agree though.

[nickajacks1]

does the above TODO also apply to these

[leonklingele]

No, it's an inline-comment, so it only applies that that one specified line.

[nickajacks1]

Do you know which cases are not handled by errcheck?

[leonklingele]

I don't know off-head right now and don't have access to a Go system at the moment. Simply try it yourself and drop the line :D

[nickajacks1]

In the current codebase it doesn't catch anything that other linters don't catch, but I'd like to see some cases that it does catch which the others dont.
Actually, I just remembered another reason why I disabled it - golangci-lint has a bug that prevents you from setting global ignores for this rule golangci/golangci-lint#3749
So until that get's fixed, you'd have to manually add ignores everywhere, which adds a lot of noise to the code.

[nickajacks1]

is this relevant for us?

[leonklingele]

I think so, see their examples at timonwong/loggercheck@ef578c4#diff-dbd79b07e7f11adb8139d961bff8a7df5f2e3f331e92e9d13d8f34ff84595cdeR1

[gaby]

I think it's fine if we leave enable ones that don't apply. That way we don't have to be tailoring the config for each repo. The golangci-lint job is quite quick compared to the Tests and the Benchmarks.

[nickajacks1]

I agree that having a common config for all the projects makes sense, so enabling things like spancheck probably makes things easier.
I disagree with enabling deprecated linters, but that's mostly based on an aversion to using deprecated things. Perhaps if we can find real cases where they catch issues their replacements don't, I'd be more open to it. Just my own opinion though, so let's hear what others think.

[coderabbitai]

Walkthrough

The recent updates encompass a range of improvements across configuration, middleware logic, and internal function optimizations. Key adjustments include enhanced timeout handling and runner settings in the linter configuration, refined idempotency handling in HTTP requests, a more resilient session store operation, and smarter path processing logic. Additionally, flash message parsing in redirects has been fine-tuned for accuracy. Collectively, these changes aim to boost code quality, performance, and maintainability.

Changes

File(s)	Summary
.golangci.yml	Enhanced linter configurations for timeouts, runner behavior, directory skipping, and issue handling. Adjusted output settings and linter selections.
middleware/.../idempotency_test.go, middleware/session/store.go	Improved idempotency handling in HTTP requests and error handling in session store operations.
path.go	Refined findGreedyParamLen function for better control flow and efficiency.
redirect.go	Adjusted flash message parsing logic in setFlash method for correctness.

"In the realm of code, where logic does play,
A rabbit hopped in, making changes today.
🐾 Across files and functions, with a meticulous eye,
Tweaks and improvements, oh how they fly!
🚀 From paths to sessions, no stone left unturned,
With each careful edit, a brighter future earned."

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share

• X
• Mastodon
• Reddit
• LinkedIn

---

Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>.
  • Generate unit-tests for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit tests for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai generate interesting stats about this repository and render them as a table.
  • @coderabbitai show all the console.log statements in this repository.
  • @coderabbitai read src/utils.ts and generate unit tests.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (invoked as PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger a review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai help to get help.

Additionally, you can add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Configration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• The JSON schema for the configuration file is available here.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/coderabbit-overrides.v2.json

CodeRabbit Discord Community

Join our Discord Community to get help, request features, and share feedback.

[coderabbitai]

Review Status

Actionable comments generated: 8

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between 8c413d0 and 6fd995d.

Files selected for processing (5)

• .golangci.yml (6 hunks)
• middleware/idempotency/idempotency_test.go (1 hunks)
• middleware/session/store.go (1 hunks)
• path.go (1 hunks)
• redirect.go (1 hunks)

Additional comments: 7

middleware/idempotency/idempotency_test.go (1)

• 47-48: The adjustments made to the logic for handling idempotency in HTTP requests when the X-Idempotency-Key header is not set improve clarity and accuracy. Using clear and specific error messages in tests is a good practice, as it helps identify the reason for test failures more easily.

redirect.go (1)

• 281-286: The adjustments made to the logic for parsing and setting flash messages from a cookie, specifically to ensure the last message is handled correctly, are well thought out. Correctly handling the last flash message is crucial for user feedback mechanisms, and this change addresses a potential issue with the previous logic. Good job on improving the robustness of the flash message parsing logic.

.golangci.yml (4)

• 13-13: The output setting uniq-by-line is set to false. This change might affect the readability and manageability of linting results, especially in cases where multiple issues are reported on the same line. It's worth considering the impact on the development workflow and whether this setting aligns with the team's preferences for handling lint results.

Consider discussing with the team to ensure this setting aligns with how you prefer to review and manage linting results.

• 32-39: The errcheck linter settings have been adjusted to include checks for type assertions and blank identifiers, and to disable default exclusions. These changes enhance the thoroughness of error checking. However, specific functions are excluded from checks, which is reasonable but requires justification to ensure that these exclusions do not overlook potential errors.

Ensure that the rationale for excluding specific functions from errcheck is documented, either in the configuration file or related documentation, to maintain clarity on why these exceptions are made.

• 45-45: The exhaustive linter is configured to check generated files and treat missing cases in switch statements over enums as exhaustive by default. This is a good practice for ensuring completeness in handling enum cases. However, it's important to assess the impact on generated code and ensure that this setting does not introduce unnecessary burdens on developers.

Evaluate the impact of enabling check-generated and default-signifies-exhaustive on the development workflow, especially regarding generated code, to ensure it aligns with project standards.

• 258-266: The issues configuration has been updated with new settings, including exclude-use-default, exclude-case-sensitive, and rules for maximum issues per linter and same issues. Additionally, specific rules are defined to exclude certain texts. These changes are aimed at refining the handling of issues reported by linters. However, it's important to ensure that these settings do not inadvertently suppress important feedback from the linters.

Review the issues configuration to ensure that it effectively balances between reducing noise and not missing critical issues. Consider the impact of these settings on the visibility of important linter feedback.

path.go (1)

• 594-599: The refactoring in the findGreedyParamLen function introduces a more efficient control flow by breaking the loop early if constPosition is -1. This change is logical and improves the performance by avoiding unnecessary iterations over the string s when the segment.ComparePart is not found anymore. This is a good practice in optimizing loop operations, especially in string manipulation tasks which can be performance-sensitive.

However, it's important to ensure that this change does not alter the expected behavior of the function, especially in edge cases where segment.ComparePart might be an empty string or when searchCount is initially 0. Adding unit tests or enhancing existing ones to cover these scenarios would be beneficial to ensure the robustness of this change.

[coderabbitai]

Ignoring the error returned by sess.byteBuffer.Write(raw) is risky, even if it's assumed that this operation will never fail. It's generally a good practice to handle or at least log errors to catch unexpected scenarios, especially in I/O operations. Can you please verify this assumption in the broader context of how sess.byteBuffer is used throughout the application? Additionally, considering the use of a mutex around this operation, ensure that the concurrency model doesn't introduce edge cases where the write operation might fail.

[coderabbitai]

Review Status

Actionable comments generated: 7

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between 6fd995d and 401d741.

Files selected for processing (2)

• .golangci.yml (7 hunks)
• middleware/idempotency/idempotency_test.go (1 hunks)

Files skipped from review as they are similar to previous changes (1)

• middleware/idempotency/idempotency_test.go

Additional comments: 3

.golangci.yml (3)

• 13-13: The uniq-by-line setting in the output section has been adjusted to false. This change affects how linting results are aggregated and displayed. Ensure that this setting aligns with the team's preferences for reviewing linting results, as it could potentially lead to more verbose output by not uniquing results by line.
• 32-39: The errcheck linter configuration has been updated to include checks for type assertions and blank identifiers, and to disable default exclusions. Additionally, specific functions have been excluded from checks. This configuration enhances error handling checks but requires careful consideration of the excluded functions to ensure important errors are not missed. Verify that the chosen exclusions are appropriate and do not overlook critical error checks.
• 258-266: The issues configuration has been updated with new settings, including exclude-use-default, exclude-case-sensitive, max-issues-per-linter, and max-same-issues. Additionally, specific rules have been defined to exclude certain linters or texts. It's important to ensure that these configurations align with the project's goals for code quality and do not inadvertently ignore significant issues. Review the exclusions and limits set to confirm they are appropriate and do not compromise the effectiveness of the linting process.

[coderabbitai]

The depguard linter settings have been refined, including specifying packages to deny with descriptive reasons. This is a good practice for maintaining code quality and preventing the use of deprecated or undesirable packages. However, there are commented-out entries for the reflect and unsafe packages with a TODO note suggesting a need for justification when using these packages. It's important to decide whether to enforce these rules or not, as leaving commented-out code can lead to confusion.

Consider finalizing the decision on the reflect and unsafe packages and either enforce the rules or remove the commented-out code to avoid confusion.

[coderabbitai]

The forbidigo linter settings include forbidding certain patterns like print, fmt.Print, and http.Default* with a TODO note to eventually enable more patterns. This approach helps maintain code quality by discouraging the use of certain functions. However, the commented-out patterns for panic and time.Sleep suggest an intention to further refine the rules, which should be addressed to avoid leaving unfinished configurations.

Finalize the decision on forbidding additional patterns like panic and time.Sleep to ensure the linter configuration is complete and reflects the project's coding standards.

[coderabbitai]

The gci linter settings define a custom order for import sections, which is a good practice for maintaining consistency across the codebase. However, the alias section is commented out, suggesting uncertainty about its inclusion. It's important to clarify the intended import order and ensure it's consistently applied across the project.

Decide on the inclusion of the alias section in the import order and update the configuration accordingly to avoid ambiguity and ensure consistent import formatting.

[coderabbitai]

The gocritic linter has several TODO comments related to enabling tags and disabling checks. While it's beneficial to customize the linter for specific needs, leaving TODO comments without addressing them can lead to confusion and an incomplete configuration.

Address the TODO comments in the gocritic linter settings by finalizing the decisions on enabled tags and disabled checks to ensure the configuration is clear and complete.

[coderabbitai]

The gosec linter excludes the G104 check with a TODO note to enable it again. This exclusion might overlook unchecked errors, which can lead to potential security issues. It's crucial to assess the impact of this exclusion and consider enabling the G104 check to ensure comprehensive security analysis.

Re-evaluate the decision to exclude the G104 check from the gosec linter and consider enabling it to ensure thorough security analysis and maintain high code quality.

[coderabbitai]

The linters section has been extensively modified, including enabling and disabling various linters. Some linters are marked as deprecated in favor of others, and there are several TODO comments suggesting further actions. It's essential to finalize decisions on deprecated linters and address TODO comments to ensure the linter configuration is up-to-date and reflects the project's standards.

Finalize decisions on deprecated linters and address TODO comments in the linters section to ensure the configuration is clear, complete, and aligned with best practices.

[leonklingele]

What's blocking this?

[ReneWerner87]

@nickajacks1 Has everything been clarified? or are there still open points?

[nickajacks1]

@ReneWerner87 @leonklingele I don't think we should enable deprecated linters, but my opinion shouldn't block this being merged.

Also, inamedparam was disabled here, I assume by accident.

[ReneWerner87]

Yes, pls don't activate deprecated linters
@leonklingele can you fix this

[coderabbitai]

Review Status

Actionable comments generated: 0

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between 401d741 and 54cef6e.

Files selected for processing (1)

• middleware/idempotency/idempotency_test.go (1 hunks)

Files skipped from review as they are similar to previous changes (1)

• middleware/idempotency/idempotency_test.go

[codecov]

Codecov Report

Attention: Patch coverage is 88.88889% with 1 lines in your changes are missing coverage. Please review.

Project coverage is 82.65%. Comparing base (df1f877) to head (63cc8c7).

Files	Patch %	Lines
path.go	66.66%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2874      +/-   ##
==========================================
- Coverage   82.73%   82.65%   -0.08%     
==========================================
  Files         116      116              
  Lines        8369     8367       -2     
==========================================
- Hits         6924     6916       -8     
- Misses       1103     1107       +4     
- Partials      342      344       +2     

Flag	Coverage Δ
unittests	82.65% <88.88%> (-0.08%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[gaby]

@leonklingele The merge from main broke the golangci-lint yaml. There's a duplicated key

[ReneWerner87]

@leonklingele friendly ping

[leonklingele]

Sorry for the long delay — once again! I don't have a dev system at hand but will be able to update this until end of the week.

[leonklingele]

Rebased & removed deprecated linters. PTAL :)

[coderabbitai]

Review Status

Actionable comments generated: 4

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between df1f877 and 63cc8c7.

Files selected for processing (7)

• .golangci.yml (6 hunks)
• listen_test.go (1 hunks)
• middleware/cors/cors.go (1 hunks)
• middleware/idempotency/idempotency_test.go (1 hunks)
• middleware/session/store.go (1 hunks)
• path.go (1 hunks)
• redirect.go (1 hunks)

Files skipped from review as they are similar to previous changes (4)

• middleware/idempotency/idempotency_test.go
• middleware/session/store.go
• path.go
• redirect.go

Additional comments: 1

middleware/cors/cors.go (1)

• 129-132: The logic for handling invalid origins in the CORS configuration has been adjusted to log an error and continue processing, ensuring that only valid origins are stored in allowOrigins. This change improves the robustness of the CORS middleware by preventing invalid origins from being mistakenly allowed.

[coderabbitai]

The run section has been updated with new settings including timeout, allow-serial-runners, and a modification to skip-dirs. The TODO comment on line 9 suggests an intention to revisit the decision to ignore the internal directory. It's important to ensure that this TODO is tracked and addressed to avoid unintentionally skipping important directories in the linting process.

Consider creating a tracking issue or plan to address the TODO regarding the internal directory to ensure it does not get overlooked.

[coderabbitai]

MinVersion is missing from this TLS configuration. By default, TLS 1.2 is currently used as the minimum when acting as a client, and TLS 1.0 when acting as a server. General purpose web applications should default to TLS 1.3 with all other protocols disabled. Only where it is known that a web server must support legacy clients with unsupported and insecure browsers (such as Internet Explorer 10), it may be necessary to enable TLS 1.0 to provide support. Add MinVersion: tls.VersionTLS13 to the TLS configuration to bump the minimum version to TLS 1.3.

- config := &tls.Config{Certificates: []tls.Certificate{cer}}
+ config := &tls.Config{Certificates: []tls.Certificate{cer}, MinVersion: tls.VersionTLS13}

---

Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation.

Suggested change

os-dev-null: true

[coderabbitai]

Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose the server publicly as it binds to all available interfaces. Instead, specify another IP address that is not 0.0.0.0 nor the empty string.

Consider specifying a more restrictive IP address to bind the server to, enhancing security by limiting the network interfaces the server is exposed on.

[coderabbitai]

The addition of a comment regarding the use of the log package suggests the need to capture output and hints at a future change to use an internal log package instead. This is a good practice to ensure that logging is consistent and centralized within the project. Tracking this TODO for future implementation is recommended.

Would you like me to help with implementing the internal log package or create a tracking issue for this task?

[gaby]

LGTM

[efectn]

Mostly seems OK to me. Just thinking, there is no need to keep deprecated linters on golangci.yml