refactor: use pinned golangci-lint Docker image for linting (#55)

Closes [issue #50](#50) ## Summary Refactors the Dockerfile to use a separate lint stage with a pinned golangci-lint Docker image, following the pattern used by [sneak/pixa](https://git.eeqj.de/sneak/pixa). This replaces the previous approach of installing golangci-lint via curl in the builder stage. ## Changes ### Dockerfile - **New `lint` stage** using `golangci/golangci-lint:v2.11.3` (Debian-based, pinned by sha256 digest) as a separate build stage - **Builder stage** depends on lint via `COPY --from=lint /src/go.sum /dev/null` — build won't proceed unless linting passes - **Go bumped** from 1.24 to 1.26.1 (`golang:1.26.1-bookworm`, pinned by sha256) - **golangci-lint bumped** from v1.64.8 to v2.11.3 - All three Docker images (golangci-lint, golang, alpine) pinned by sha256 digest - Debian-based golangci-lint image used (not Alpine) because mattn/go-sqlite3 CGO does not compile on musl (off64_t) ### Linter Config (.golangci.yml) - Migrated from v1 to v2 format (`version: "2"` added) - Removed linters no longer available in v2: `gofmt` (handled by `make fmt-check`), `gosimple` (merged into `staticcheck`), `typecheck` (always-on in v2) - Same set of linters enabled — no rules weakened ### Code Fixes (all lint issues from v2 upgrade) - Added package comments to all packages - Added doc comments to all exported types, functions, and methods - Fixed unchecked errors flagged by `errcheck` (sqlDB.Close, os.Setenv in tests, resp.Body.Close, fmt.Fprint) - Fixed unused parameters flagged by `revive` (renamed to `_`) - Fixed `gosec` G120 warnings: added `http.MaxBytesReader` before `r.ParseForm()` calls - Fixed `staticcheck` QF1012: replaced `WriteString(fmt.Sprintf(...))` with `fmt.Fprintf` - Fixed `staticcheck` QF1003: converted if/else chain to tagged switch - Renamed `DeliveryTask` → `Task` to avoid package stutter (`delivery.Task` instead of `delivery.DeliveryTask`) - Renamed shadowed builtin `max` parameter to `upperBound` in `cryptoRandInt` - Used `t.Setenv` instead of `os.Setenv` in tests (auto-restores) ### README.md - Updated version requirements: Go 1.26+, golangci-lint v2.11+ - Updated Dockerfile description in project structure ## Verification `docker build .` passes cleanly — formatting check, linting, all tests, and build all succeed. Co-authored-by: clawbot <clawbot@noreply.git.eeqj.de> Reviewed-on: #55 Co-authored-by: clawbot <clawbot@noreply.example.org> Co-committed-by: clawbot <clawbot@noreply.example.org>
2026-03-25 02:16:38 +01:00
parent d771fe14df
commit afe88c601a
59 changed files with 7792 additions and 4282 deletions
--- a/internal/session/session.go
+++ b/internal/session/session.go
@@ -1,10 +1,14 @@
+// Package session manages HTTP session storage and authentication
+// state.
 package session

 import (
 	"context"
 	"encoding/base64"
+	"errors"
 	"fmt"
 	"log/slog"
+	"maps"
 	"net/http"

 	"github.com/gorilla/sessions"
@@ -15,28 +19,44 @@ import (
 )

 const (
-	// SessionName is the name of the session cookie
+	// SessionName is the name of the session cookie.
 	SessionName = "webhooker_session"

-	// UserIDKey is the session key for user ID
+	// UserIDKey is the session key for user ID.
 	UserIDKey = "user_id"

-	// UsernameKey is the session key for username
+	// UsernameKey is the session key for username.
 	UsernameKey = "username"

-	// AuthenticatedKey is the session key for authentication status
+	// AuthenticatedKey is the session key for authentication
+	// status.
 	AuthenticatedKey = "authenticated"
+
+	// sessionKeyLength is the required length in bytes for the
+	// session authentication key.
+	sessionKeyLength = 32
+
+	// sessionMaxAgeDays is the session cookie lifetime in days.
+	sessionMaxAgeDays = 7
+
+	// secondsPerDay is the number of seconds in a day.
+	secondsPerDay = 86400
 )

-// nolint:revive // SessionParams is a standard fx naming convention
-type SessionParams struct {
+// ErrSessionKeyLength is returned when the decoded session key
+// does not have the expected length.
+var ErrSessionKeyLength = errors.New("session key length mismatch")
+
+// Params holds dependencies injected by fx.
+type Params struct {
 	fx.In
+
 	Config   *config.Config
 	Database *database.Database
 	Logger   *logger.Logger
 }

-// Session manages encrypted session storage
+// Session manages encrypted session storage.
 type Session struct {
 	store  *sessions.CookieStore
 	key    []byte // raw 32-byte auth key, also used for CSRF cookie signing
@@ -44,29 +64,44 @@ type Session struct {
 	config *config.Config
 }

-// New creates a new session manager. The cookie store is initialized
-// during the fx OnStart phase after the database is connected, using
-// a session key that is auto-generated and stored in the database.
-func New(lc fx.Lifecycle, params SessionParams) (*Session, error) {
+// New creates a new session manager. The cookie store is
+// initialized during the fx OnStart phase after the database is
+// connected, using a session key that is auto-generated and stored
+// in the database.
+func New(
+	lc fx.Lifecycle,
+	params Params,
+) (*Session, error) {
 	s := &Session{
 		log:    params.Logger.Get(),
 		config: params.Config,
 	}

 	lc.Append(fx.Hook{
-		OnStart: func(_ context.Context) error { // nolint:revive // ctx unused but required by fx
+		OnStart: func(_ context.Context) error {
 			sessionKey, err := params.Database.GetOrCreateSessionKey()
 			if err != nil {
-				return fmt.Errorf("failed to get session key: %w", err)
+				return fmt.Errorf(
+					"failed to get session key: %w", err,
+				)
 			}

-			keyBytes, err := base64.StdEncoding.DecodeString(sessionKey)
+			keyBytes, err := base64.StdEncoding.DecodeString(
+				sessionKey,
+			)
 			if err != nil {
-				return fmt.Errorf("invalid session key format: %w", err)
+				return fmt.Errorf(
+					"invalid session key format: %w", err,
+				)
 			}

-			if len(keyBytes) != 32 {
-				return fmt.Errorf("session key must be 32 bytes (got %d)", len(keyBytes))
+			if len(keyBytes) != sessionKeyLength {
+				return fmt.Errorf(
+					"%w: want %d, got %d",
+					ErrSessionKeyLength,
+					sessionKeyLength,
+					len(keyBytes),
+				)
 			}

 			store := sessions.NewCookieStore(keyBytes)
@@ -74,15 +109,16 @@ func New(lc fx.Lifecycle, params SessionParams) (*Session, error) {
 			// Configure cookie options for security
 			store.Options = &sessions.Options{
 				Path:     "/",
-				MaxAge:   86400 * 7, // 7 days
+				MaxAge:   secondsPerDay * sessionMaxAgeDays,
 				HttpOnly: true,
-				Secure:   !params.Config.IsDev(), // HTTPS in production
+				Secure:   !params.Config.IsDev(),
 				SameSite: http.SameSiteLaxMode,
 			}

 			s.key = keyBytes
 			s.store = store
 			s.log.Info("session manager initialized")
+
 			return nil
 		},
 	})
@@ -90,99 +126,126 @@ func New(lc fx.Lifecycle, params SessionParams) (*Session, error) {
 	return s, nil
 }

-// Get retrieves a session for the request
-func (s *Session) Get(r *http.Request) (*sessions.Session, error) {
+// Get retrieves a session for the request.
+func (s *Session) Get(
+	r *http.Request,
+) (*sessions.Session, error) {
 	return s.store.Get(r, SessionName)
 }

-// GetKey returns the raw 32-byte authentication key used for session
-// encryption. This key is also suitable for CSRF cookie signing.
+// GetKey returns the raw 32-byte authentication key used for
+// session encryption. This key is also suitable for CSRF cookie
+// signing.
 func (s *Session) GetKey() []byte {
 	return s.key
 }

-// Save saves the session
-func (s *Session) Save(r *http.Request, w http.ResponseWriter, sess *sessions.Session) error {
+// Save saves the session.
+func (s *Session) Save(
+	r *http.Request,
+	w http.ResponseWriter,
+	sess *sessions.Session,
+) error {
 	return sess.Save(r, w)
 }

-// SetUser sets the user information in the session
-func (s *Session) SetUser(sess *sessions.Session, userID, username string) {
+// SetUser sets the user information in the session.
+func (s *Session) SetUser(
+	sess *sessions.Session,
+	userID, username string,
+) {
 	sess.Values[UserIDKey] = userID
 	sess.Values[UsernameKey] = username
 	sess.Values[AuthenticatedKey] = true
 }

-// ClearUser removes user information from the session
+// ClearUser removes user information from the session.
 func (s *Session) ClearUser(sess *sessions.Session) {
 	delete(sess.Values, UserIDKey)
 	delete(sess.Values, UsernameKey)
 	delete(sess.Values, AuthenticatedKey)
 }

-// IsAuthenticated checks if the session has an authenticated user
+// IsAuthenticated checks if the session has an authenticated
+// user.
 func (s *Session) IsAuthenticated(sess *sessions.Session) bool {
 	auth, ok := sess.Values[AuthenticatedKey].(bool)
+
 	return ok && auth
 }

-// GetUserID retrieves the user ID from the session
-func (s *Session) GetUserID(sess *sessions.Session) (string, bool) {
+// GetUserID retrieves the user ID from the session.
+func (s *Session) GetUserID(
+	sess *sessions.Session,
+) (string, bool) {
 	userID, ok := sess.Values[UserIDKey].(string)
+
 	return userID, ok
 }

-// GetUsername retrieves the username from the session
-func (s *Session) GetUsername(sess *sessions.Session) (string, bool) {
+// GetUsername retrieves the username from the session.
+func (s *Session) GetUsername(
+	sess *sessions.Session,
+) (string, bool) {
 	username, ok := sess.Values[UsernameKey].(string)
+
 	return username, ok
 }

-// Destroy invalidates the session
+// Destroy invalidates the session.
 func (s *Session) Destroy(sess *sessions.Session) {
 	sess.Options.MaxAge = -1
 	s.ClearUser(sess)
 }

-// Regenerate creates a new session with the same values but a fresh ID.
-// The old session is destroyed (MaxAge = -1) and saved, then a new session
-// is created. This prevents session fixation attacks by ensuring the
-// session ID changes after privilege escalation (e.g. login).
-func (s *Session) Regenerate(r *http.Request, w http.ResponseWriter, oldSess *sessions.Session) (*sessions.Session, error) {
+// Regenerate creates a new session with the same values but a
+// fresh ID. The old session is destroyed (MaxAge = -1) and saved,
+// then a new session is created. This prevents session fixation
+// attacks by ensuring the session ID changes after privilege
+// escalation (e.g. login).
+func (s *Session) Regenerate(
+	r *http.Request,
+	w http.ResponseWriter,
+	oldSess *sessions.Session,
+) (*sessions.Session, error) {
 	// Copy the values from the old session
-	oldValues := make(map[interface{}]interface{})
-	for k, v := range oldSess.Values {
-		oldValues[k] = v
-	}
+	oldValues := make(map[any]any)
+	maps.Copy(oldValues, oldSess.Values)

 	// Destroy the old session
 	oldSess.Options.MaxAge = -1
 	s.ClearUser(oldSess)
-	if err := oldSess.Save(r, w); err != nil {
-		return nil, fmt.Errorf("failed to destroy old session: %w", err)
+
+	err := oldSess.Save(r, w)
+	if err != nil {
+		return nil, fmt.Errorf(
+			"failed to destroy old session: %w", err,
+		)
 	}

 	// Create a new session (gorilla/sessions generates a new ID)
 	newSess, err := s.store.New(r, SessionName)
 	if err != nil {
-		// store.New may return an error alongside a new empty session
-		// if the old cookie is now invalid. That is expected after we
-		// destroyed it above. Only fail on a nil session.
+		// store.New may return an error alongside a new empty
+		// session if the old cookie is now invalid. That is
+		// expected after we destroyed it above. Only fail on a
+		// nil session.
 		if newSess == nil {
-			return nil, fmt.Errorf("failed to create new session: %w", err)
+			return nil, fmt.Errorf(
+				"failed to create new session: %w", err,
+			)
 		}
 	}

 	// Restore the copied values into the new session
-	for k, v := range oldValues {
-		newSess.Values[k] = v
-	}
+	maps.Copy(newSess.Values, oldValues)

-	// Apply the standard session options (the destroyed old session had
-	// MaxAge = -1, which store.New might inherit from the cookie).
+	// Apply the standard session options (the destroyed old
+	// session had MaxAge = -1, which store.New might inherit
+	// from the cookie).
 	newSess.Options = &sessions.Options{
 		Path:     "/",
-		MaxAge:   86400 * 7,
+		MaxAge:   secondsPerDay * sessionMaxAgeDays,
 		HttpOnly: true,
 		Secure:   !s.config.IsDev(),
 		SameSite: http.SameSiteLaxMode,
--- a/internal/session/session_test.go
+++ b/internal/session/session_test.go
@@ -1,6 +1,7 @@
-package session
+package session_test

 import (
+	"context"
 	"log/slog"
 	"net/http"
 	"net/http/httptest"
@@ -11,15 +12,22 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"sneak.berlin/go/webhooker/internal/config"
+	"sneak.berlin/go/webhooker/internal/session"
 )

-// testSession creates a Session with a real cookie store for testing.
-func testSession(t *testing.T) *Session {
+const testKeySize = 32
+
+// testSession creates a Session with a real cookie store for
+// testing.
+func testSession(t *testing.T) *session.Session {
 	t.Helper()
-	key := make([]byte, 32)
+
+	key := make([]byte, testKeySize)
+
 	for i := range key {
 		key[i] = byte(i + 42)
 	}
+
 	store := sessions.NewCookieStore(key)
 	store.Options = &sessions.Options{
 		Path:     "/",
@@ -32,34 +40,47 @@ func testSession(t *testing.T) *Session {
 	cfg := &config.Config{
 		Environment: config.EnvironmentDev,
 	}
-	log := slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelDebug}))

-	return NewForTest(store, cfg, log, key)
+	log := slog.New(slog.NewTextHandler(
+		os.Stderr,
+		&slog.HandlerOptions{Level: slog.LevelDebug},
+	))
+
+	return session.NewForTest(store, cfg, log, key)
 }

 // --- Get and Save Tests ---

 func TestGet_NewSession(t *testing.T) {
 	t.Parallel()
+
 	s := testSession(t)

-	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	req := httptest.NewRequestWithContext(
+		context.Background(), http.MethodGet, "/", nil)
+
 	sess, err := s.Get(req)
 	require.NoError(t, err)
 	require.NotNil(t, sess)
-	assert.True(t, sess.IsNew, "session should be new when no cookie is present")
+	assert.True(
+		t, sess.IsNew,
+		"session should be new when no cookie is present",
+	)
 }

 func TestGet_ExistingSession(t *testing.T) {
 	t.Parallel()
+
 	s := testSession(t)

 	// Create and save a session
-	req1 := httptest.NewRequest(http.MethodGet, "/", nil)
+	req1 := httptest.NewRequestWithContext(
+		context.Background(), http.MethodGet, "/", nil)
 	w1 := httptest.NewRecorder()

 	sess1, err := s.Get(req1)
 	require.NoError(t, err)
+
 	sess1.Values["test_key"] = "test_value"
 	require.NoError(t, s.Save(req1, w1, sess1))

@@ -68,26 +89,34 @@ func TestGet_ExistingSession(t *testing.T) {
 	require.NotEmpty(t, cookies)

 	// Make a new request with the session cookie
-	req2 := httptest.NewRequest(http.MethodGet, "/", nil)
+	req2 := httptest.NewRequestWithContext(
+		context.Background(), http.MethodGet, "/", nil)
+
 	for _, c := range cookies {
 		req2.AddCookie(c)
 	}

 	sess2, err := s.Get(req2)
 	require.NoError(t, err)
-	assert.False(t, sess2.IsNew, "session should not be new when cookie is present")
+	assert.False(
+		t, sess2.IsNew,
+		"session should not be new when cookie is present",
+	)
 	assert.Equal(t, "test_value", sess2.Values["test_key"])
 }

 func TestSave_SetsCookie(t *testing.T) {
 	t.Parallel()
+
 	s := testSession(t)

-	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	req := httptest.NewRequestWithContext(
+		context.Background(), http.MethodGet, "/", nil)
 	w := httptest.NewRecorder()

 	sess, err := s.Get(req)
 	require.NoError(t, err)
+
 	sess.Values["key"] = "value"

 	err = s.Save(req, w, sess)
@@ -98,48 +127,73 @@ func TestSave_SetsCookie(t *testing.T) {

 	// Verify the cookie has the expected name
 	var found bool
+
 	for _, c := range cookies {
-		if c.Name == SessionName {
+		if c.Name == session.SessionName {
 			found = true
-			assert.True(t, c.HttpOnly, "session cookie should be HTTP-only")
+
+			assert.True(
+				t, c.HttpOnly,
+				"session cookie should be HTTP-only",
+			)
+
 			break
 		}
 	}
-	assert.True(t, found, "should find a cookie named %s", SessionName)
+
+	assert.True(
+		t, found,
+		"should find a cookie named %s", session.SessionName,
+	)
 }

 // --- SetUser and User Retrieval Tests ---

 func TestSetUser_SetsAllFields(t *testing.T) {
 	t.Parallel()
+
 	s := testSession(t)

-	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	req := httptest.NewRequestWithContext(
+		context.Background(), http.MethodGet, "/", nil)
+
 	sess, err := s.Get(req)
 	require.NoError(t, err)

 	s.SetUser(sess, "user-abc-123", "alice")

-	assert.Equal(t, "user-abc-123", sess.Values[UserIDKey])
-	assert.Equal(t, "alice", sess.Values[UsernameKey])
-	assert.Equal(t, true, sess.Values[AuthenticatedKey])
+	assert.Equal(
+		t, "user-abc-123", sess.Values[session.UserIDKey],
+	)
+	assert.Equal(
+		t, "alice", sess.Values[session.UsernameKey],
+	)
+	assert.Equal(
+		t, true, sess.Values[session.AuthenticatedKey],
+	)
 }

 func TestGetUserID(t *testing.T) {
 	t.Parallel()
+
 	s := testSession(t)

-	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	req := httptest.NewRequestWithContext(
+		context.Background(), http.MethodGet, "/", nil)
+
 	sess, err := s.Get(req)
 	require.NoError(t, err)

 	// Before setting user
 	userID, ok := s.GetUserID(sess)
-	assert.False(t, ok, "should return false when no user ID is set")
+	assert.False(
+		t, ok, "should return false when no user ID is set",
+	)
 	assert.Empty(t, userID)

 	// After setting user
 	s.SetUser(sess, "user-xyz", "bob")
+
 	userID, ok = s.GetUserID(sess)
 	assert.True(t, ok)
 	assert.Equal(t, "user-xyz", userID)
@@ -147,19 +201,25 @@ func TestGetUserID(t *testing.T) {

 func TestGetUsername(t *testing.T) {
 	t.Parallel()
+
 	s := testSession(t)

-	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	req := httptest.NewRequestWithContext(
+		context.Background(), http.MethodGet, "/", nil)
+
 	sess, err := s.Get(req)
 	require.NoError(t, err)

 	// Before setting user
 	username, ok := s.GetUsername(sess)
-	assert.False(t, ok, "should return false when no username is set")
+	assert.False(
+		t, ok, "should return false when no username is set",
+	)
 	assert.Empty(t, username)

 	// After setting user
 	s.SetUser(sess, "user-xyz", "bob")
+
 	username, ok = s.GetUsername(sess)
 	assert.True(t, ok)
 	assert.Equal(t, "bob", username)
@@ -169,20 +229,29 @@ func TestGetUsername(t *testing.T) {

 func TestIsAuthenticated_NoSession(t *testing.T) {
 	t.Parallel()
+
 	s := testSession(t)

-	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	req := httptest.NewRequestWithContext(
+		context.Background(), http.MethodGet, "/", nil)
+
 	sess, err := s.Get(req)
 	require.NoError(t, err)

-	assert.False(t, s.IsAuthenticated(sess), "new session should not be authenticated")
+	assert.False(
+		t, s.IsAuthenticated(sess),
+		"new session should not be authenticated",
+	)
 }

 func TestIsAuthenticated_AfterSetUser(t *testing.T) {
 	t.Parallel()
+
 	s := testSession(t)

-	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	req := httptest.NewRequestWithContext(
+		context.Background(), http.MethodGet, "/", nil)
+
 	sess, err := s.Get(req)
 	require.NoError(t, err)

@@ -192,9 +261,12 @@ func TestIsAuthenticated_AfterSetUser(t *testing.T) {

 func TestIsAuthenticated_AfterClearUser(t *testing.T) {
 	t.Parallel()
+
 	s := testSession(t)

-	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	req := httptest.NewRequestWithContext(
+		context.Background(), http.MethodGet, "/", nil)
+
 	sess, err := s.Get(req)
 	require.NoError(t, err)

@@ -202,52 +274,71 @@ func TestIsAuthenticated_AfterClearUser(t *testing.T) {
 	require.True(t, s.IsAuthenticated(sess))

 	s.ClearUser(sess)
-	assert.False(t, s.IsAuthenticated(sess), "should not be authenticated after ClearUser")
+
+	assert.False(
+		t, s.IsAuthenticated(sess),
+		"should not be authenticated after ClearUser",
+	)
 }

 func TestIsAuthenticated_WrongType(t *testing.T) {
 	t.Parallel()
+
 	s := testSession(t)

-	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	req := httptest.NewRequestWithContext(
+		context.Background(), http.MethodGet, "/", nil)
+
 	sess, err := s.Get(req)
 	require.NoError(t, err)

 	// Set authenticated to a non-bool value
-	sess.Values[AuthenticatedKey] = "yes"
-	assert.False(t, s.IsAuthenticated(sess), "should return false for non-bool authenticated value")
+	sess.Values[session.AuthenticatedKey] = "yes"
+
+	assert.False(
+		t, s.IsAuthenticated(sess),
+		"should return false for non-bool authenticated value",
+	)
 }

 // --- ClearUser Tests ---

 func TestClearUser_RemovesAllKeys(t *testing.T) {
 	t.Parallel()
+
 	s := testSession(t)

-	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	req := httptest.NewRequestWithContext(
+		context.Background(), http.MethodGet, "/", nil)
+
 	sess, err := s.Get(req)
 	require.NoError(t, err)

 	s.SetUser(sess, "user-123", "alice")
 	s.ClearUser(sess)

-	_, hasUserID := sess.Values[UserIDKey]
+	_, hasUserID := sess.Values[session.UserIDKey]
 	assert.False(t, hasUserID, "UserIDKey should be removed")

-	_, hasUsername := sess.Values[UsernameKey]
+	_, hasUsername := sess.Values[session.UsernameKey]
 	assert.False(t, hasUsername, "UsernameKey should be removed")

-	_, hasAuth := sess.Values[AuthenticatedKey]
-	assert.False(t, hasAuth, "AuthenticatedKey should be removed")
+	_, hasAuth := sess.Values[session.AuthenticatedKey]
+	assert.False(
+		t, hasAuth, "AuthenticatedKey should be removed",
+	)
 }

 // --- Destroy Tests ---

 func TestDestroy_InvalidatesSession(t *testing.T) {
 	t.Parallel()
+
 	s := testSession(t)

-	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	req := httptest.NewRequestWithContext(
+		context.Background(), http.MethodGet, "/", nil)
+
 	sess, err := s.Get(req)
 	require.NoError(t, err)

@@ -255,11 +346,18 @@ func TestDestroy_InvalidatesSession(t *testing.T) {

 	s.Destroy(sess)

-	// After Destroy: MaxAge should be -1 (delete cookie) and user data cleared
-	assert.Equal(t, -1, sess.Options.MaxAge, "Destroy should set MaxAge to -1")
-	assert.False(t, s.IsAuthenticated(sess), "should not be authenticated after Destroy")
+	// After Destroy: MaxAge should be -1 (delete cookie) and
+	// user data cleared
+	assert.Equal(
+		t, -1, sess.Options.MaxAge,
+		"Destroy should set MaxAge to -1",
+	)
+	assert.False(
+		t, s.IsAuthenticated(sess),
+		"should not be authenticated after Destroy",
+	)

-	_, hasUserID := sess.Values[UserIDKey]
+	_, hasUserID := sess.Values[session.UserIDKey]
 	assert.False(t, hasUserID, "Destroy should clear user ID")
 }

@@ -267,10 +365,12 @@ func TestDestroy_InvalidatesSession(t *testing.T) {

 func TestSessionPersistence_RoundTrip(t *testing.T) {
 	t.Parallel()
+
 	s := testSession(t)

 	// Step 1: Create session, set user, save
-	req1 := httptest.NewRequest(http.MethodGet, "/", nil)
+	req1 := httptest.NewRequestWithContext(
+		context.Background(), http.MethodGet, "/", nil)
 	w1 := httptest.NewRecorder()

 	sess1, err := s.Get(req1)
@@ -281,8 +381,13 @@ func TestSessionPersistence_RoundTrip(t *testing.T) {
 	cookies := w1.Result().Cookies()
 	require.NotEmpty(t, cookies)

-	// Step 2: New request with cookies — session data should persist
-	req2 := httptest.NewRequest(http.MethodGet, "/profile", nil)
+	// Step 2: New request with cookies -- session data should
+	// persist
+	req2 := httptest.NewRequestWithContext(
+		context.Background(),
+		http.MethodGet, "/profile", nil,
+	)
+
 	for _, c := range cookies {
 		req2.AddCookie(c)
 	}
@@ -290,7 +395,10 @@ func TestSessionPersistence_RoundTrip(t *testing.T) {
 	sess2, err := s.Get(req2)
 	require.NoError(t, err)

-	assert.True(t, s.IsAuthenticated(sess2), "session should be authenticated after round-trip")
+	assert.True(
+		t, s.IsAuthenticated(sess2),
+		"session should be authenticated after round-trip",
+	)

 	userID, ok := s.GetUserID(sess2)
 	assert.True(t, ok)
@@ -305,19 +413,23 @@ func TestSessionPersistence_RoundTrip(t *testing.T) {

 func TestSessionConstants(t *testing.T) {
 	t.Parallel()
-	assert.Equal(t, "webhooker_session", SessionName)
-	assert.Equal(t, "user_id", UserIDKey)
-	assert.Equal(t, "username", UsernameKey)
-	assert.Equal(t, "authenticated", AuthenticatedKey)
+
+	assert.Equal(t, "webhooker_session", session.SessionName)
+	assert.Equal(t, "user_id", session.UserIDKey)
+	assert.Equal(t, "username", session.UsernameKey)
+	assert.Equal(t, "authenticated", session.AuthenticatedKey)
 }

 // --- Edge Cases ---

 func TestSetUser_OverwritesPreviousUser(t *testing.T) {
 	t.Parallel()
+
 	s := testSession(t)

-	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	req := httptest.NewRequestWithContext(
+		context.Background(), http.MethodGet, "/", nil)
+
 	sess, err := s.Get(req)
 	require.NoError(t, err)

@@ -338,10 +450,12 @@ func TestSetUser_OverwritesPreviousUser(t *testing.T) {

 func TestDestroy_ThenSave_DeletesCookie(t *testing.T) {
 	t.Parallel()
+
 	s := testSession(t)

 	// Create a session
-	req1 := httptest.NewRequest(http.MethodGet, "/", nil)
+	req1 := httptest.NewRequestWithContext(
+		context.Background(), http.MethodGet, "/", nil)
 	w1 := httptest.NewRecorder()

 	sess, err := s.Get(req1)
@@ -353,10 +467,15 @@ func TestDestroy_ThenSave_DeletesCookie(t *testing.T) {
 	require.NotEmpty(t, cookies)

 	// Destroy and save
-	req2 := httptest.NewRequest(http.MethodGet, "/logout", nil)
+	req2 := httptest.NewRequestWithContext(
+		context.Background(),
+		http.MethodGet, "/logout", nil,
+	)
+
 	for _, c := range cookies {
 		req2.AddCookie(c)
 	}
+
 	w2 := httptest.NewRecorder()

 	sess2, err := s.Get(req2)
@@ -364,15 +483,25 @@ func TestDestroy_ThenSave_DeletesCookie(t *testing.T) {
 	s.Destroy(sess2)
 	require.NoError(t, s.Save(req2, w2, sess2))

-	// The cookie should have MaxAge = -1 (browser should delete it)
+	// The cookie should have MaxAge = -1 (browser should delete)
 	responseCookies := w2.Result().Cookies()
+
 	var sessionCookie *http.Cookie
+
 	for _, c := range responseCookies {
-		if c.Name == SessionName {
+		if c.Name == session.SessionName {
 			sessionCookie = c
+
 			break
 		}
 	}
-	require.NotNil(t, sessionCookie, "should have a session cookie in response")
-	assert.True(t, sessionCookie.MaxAge < 0, "destroyed session cookie should have negative MaxAge")
+
+	require.NotNil(
+		t, sessionCookie,
+		"should have a session cookie in response",
+	)
+	assert.Negative(
+		t, sessionCookie.MaxAge,
+		"destroyed session cookie should have negative MaxAge",
+	)
 }