New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
panic in getSessionDataFromContext makes this package hard to work with #114
Comments
Hi : ) The decision to panic in The way I view it, you should only be calling Panics for expected errors (e.g. database query timeout, a network resource being unavailable, or bad user input) that may happen at runtime are unidiomatic in Go. In contrast, panics for unexpected errors (e.g. a logical error --- like trying to access an out-of-bounds index in a slice, or trying to close an already-closed channel --- or trying to use language or package features in an unintended way) are much more acceptable. There's a lot of precedent for this in the std lib packages. Calling Personally, I usually wrap all my main application routes (i.e. all those that aren't serving static files, or performing some other special function) with the |
@alexedwards how can I inspect a context to know whether or not it has the appropriate session inside, to selectively avoid invoking your code (thus seeing the panic)? |
@theckman Can you explain the scenario in which would you need to do that? Why would you want to perform an session operation on a context which may or may not contain a session? |
To put some more color on my use-case: I'm writing an authentication microservice that needs to collate nearly a half-dozen different ways that a request could be authenticated. I have handlers and middleware in that service that want to treat the presence or absence of a "valid" session -- not just an empty, uninitialized one -- as a signal, and fall through various authentication methods without having to do a weird I'm not sure I buy the difference between "expected" and "unexpected" errors. Panics should be, in my opinion, reserved for cases where there's truly no reasonable way for execution to continue. Everything else is just an error that can be returned as a value and handled as part of the normal execution flow. Throwing a panic because an expected value is not present in a context, which is what this case boils down to, feels especially unpleasant. |
Respectfully, I think that is the case here. I'll try to explain my thinking on this further. Let's say that we don't panic, and return a Now, the context may not contain a session for a number of reasons. A few possibilities are: a) The programmer deliberately didn't load a context into the session, and actively doesn't want one to be there. There might be more reasons too. If I'm following your example correctly, then in your specific scenario, if To be fair, in this scenario the same problem exists if you use the panic as the signal too. Even outside of your scenario, in a more 'standard' use case of SCS, we can't tell the difference between reasons b and c. One of the design decisions of SCS is that |
One option could be to add a new |
If there's any desire to see |
@alexedwards What about allowing the user to configure if |
Hello,
I was a happy user of the v1 of this package, and recently decided to upgrade to v2, however, I found some of the new behaviors extremely difficult to work with.
One piece in particular was the fact that the package throws a
panic
if you try and load a session from a request that doesn't have a session attached: getSessionDataFromContext. Previously, I could attempt to load a session blindly, and based on the response from the function, I'd know if the request had a session attached. Now, I have to make absolutely sure that I've got theLoadAndSave
middleware inserted all over the place.Panics thrown from userland are pretty unidiomatic in go, I feel, and the only way to really handle them is by doing the defer-recover dance, which is messy and error-prone. I'm likely going to migrate to another session-management library.
The text was updated successfully, but these errors were encountered: