Ensure middleware prefix matching requires slash boundary

[ReneWerner87]

Summary

• require middleware prefix matches to either fully match or stop at a slash boundary by sharing a helper between the path parser and router
• add path parser fixtures plus router and group tests to cover the tightened matching rules

Testing

• make audit (fails: go vet copylocks warning in generated msgp files)
• make generate
• make betteralign
• make modernize
• make format
• make test

---

https://chatgpt.com/codex/tasks/task_e_68cd6b1fb1648326ae0646c347dbb672

[coderabbitai]

Walkthrough

Boundary validation was added for partial/prefix route matches: partial matches must be exact or end at a slash. Matching logic now computes consumed length and enforces slash-or-exact boundaries; tests, benchmarks, and docs were updated to verify and describe the stricter semantics.

Changes

Cohort / File(s)	Summary
Core matching logic path.go, router.go	Added unexported hasPartialMatchBoundary, used consumed-length in getMatch, and applied boundary checks in Route.match; tightened middleware/prefix matching to require slash-or-exact boundaries for partial matches.
Tests & benchmarks app_test.go, router_test.go, path_test.go, path_testcases_test.go	Added Test_Group_Use_NoBoundary, TestHasPartialMatchBoundary, strict-routing boundary tests, concurrency/dynamic-registration tests, and new benchmark test cases exercising /partialCheck/... patterns.
Documentation docs/guide/grouping.md, docs/guide/routing.md, docs/partials/routing/handler.md, docs/whats_new.md	Clarified Use/prefix matching: prefixes must be exact or end at a slash; noted parameter-token expansion occurs before boundary checks; added explanatory notes and examples.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant C as Client
  participant R as Router
  participant P as PathMatcher
  participant H as Handler/Middleware

  C->>R: HTTP request (e.g. /api/foo/bar or /apiv1)
  R->>P: match(route, detectingPath, partialCheck)
  Note over P: compute consumedLength\nif partialCheck -> hasPartialMatchBoundary(detectingPath, plen)
  alt Boundary-valid partial or full match
    P-->>R: Match OK (params if any)
    R->>H: Invoke handler/middleware
    H-->>C: 200 OK
  else No boundary or no match
    P-->>R: No match
    R-->>C: 404 Not Found
  end

  rect rgba(200,235,255,0.18)
  Note right of P: New: partial/prefix matches now require\nslash boundary or exact endpoint
  end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

Thump-thump says this routing hare,
I check each slash with tender care.
Prefixes stop where slashes stand,
No sneaky foobar crosses land. 🥕

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Description Check	⚠️ Warning	The PR description provides a brief summary and testing commands but does not follow the repository's required template: it omits the "Changes introduced" checklist (benchmarks, docs, changelog, migration guide), the "Type of change" selection, the required checklist confirmations, and a "Fixes #" issue reference, so required template fields are missing.	Please update the PR description to match the repository template by adding a "Description" section with purpose and any "Fixes #" issue, populate the "Changes introduced" checklist with details about benchmarks, documentation updates, and changelog entries, indicate the applicable "Type of change", and complete the repository checklist items (tests, docs, formatting, and commit formatting guidance).
Docstring Coverage	⚠️ Warning	Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The title succinctly and accurately summarizes the primary change: middleware prefix matching is tightened to require a slash boundary; it directly reflects the code, test, and documentation updates described in the PR and is concise and readable.

✨ Finishing touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch codex/2025-09-20-22-25-02

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @ReneWerner87, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request refines the routing logic to ensure that middleware prefixes are matched more precisely. Previously, a middleware defined for /api might inadvertently apply to /apiv2. This change introduces a stricter matching rule, requiring that a prefix match either fully consumes the path segment or ends at a slash boundary, thereby preventing such ambiguous matches and improving the predictability of middleware application.

Highlights

• Middleware Prefix Matching: Middleware prefix matching now strictly requires either a full match or a slash boundary. This prevents unintended matches, such as /foo matching /foobar when it should only match /foo or /foo/bar.
• Shared Helper Function: A new helper function, hasPartialMatchBoundary, has been introduced and is shared between the path parser and router to consistently enforce the new, stricter matching logic.
• Expanded Test Coverage: New test cases have been added across app_test.go, path_testcases_test.go, and router_test.go to thoroughly validate the tightened matching rules for both application groups and individual routes.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[Copilot]

Pull Request Overview

Tighten middleware prefix matching so that prefixes must end at a slash boundary or fully match, and share a helper between the router and path parser to enforce this consistently.

• Introduce hasPartialMatchBoundary and use it in both the router and route parser.
• Add tests for router, groups, and path parsing to validate the new boundary behavior.

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
router.go	Enforces slash-boundary checks for middleware prefix matches.
path.go	Adds hasPartialMatchBoundary and applies it in the parser’s partial match logic.
router_test.go	Adds a test ensuring non-boundary prefixes do not match.
app_test.go	Adds group middleware tests for boundary and non-boundary scenarios.
path_testcases_test.go	Adds parser fixtures ensuring partial matches respect slash boundaries.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.44%. Comparing base (1471049) to head (2200bbf).
⚠️ Report is 4 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3755      +/-   ##
==========================================
- Coverage   91.93%   91.44%   -0.50%     
==========================================
  Files         113      113              
  Lines       11700    11824     +124     
==========================================
+ Hits        10756    10812      +56     
- Misses        684      745      +61     
- Partials      260      267       +7     

Flag	Coverage Δ
unittests	91.44% <100.00%> (-0.50%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[gemini-code-assist]

Code Review

This pull request tightens middleware prefix matching to require a slash boundary, which is a great improvement for routing predictability and aligns Fiber's behavior with other popular web frameworks. The changes are well-implemented by introducing a shared hasPartialMatchBoundary helper function and applying it consistently in both the router and the path parser. The new logic is sound and is thoroughly covered by new tests for application-level middleware, group middleware, and the path parser itself. The code is clear and of high quality. I couldn't find any issues.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

path.go (1)

501-520: Helper looks correct; simplify and add brief doc

Logic is sound. Tiny simplification and a short doc comment improve readability without changing behavior.

+// hasPartialMatchBoundary reports whether matchedLength either consumes the full path
+// or ends at a '/' boundary (before or after).
 func hasPartialMatchBoundary(path string, matchedLength int) bool {
 	if matchedLength < 0 || matchedLength > len(path) {
 		return false
 	}
-	if matchedLength == len(path) {
-		return true
-	}
-	if matchedLength == 0 {
-		return false
-	}
-	if path[matchedLength-1] == slashDelimiter {
-		return true
-	}
-	if matchedLength < len(path) && path[matchedLength] == slashDelimiter {
-		return true
-	}
-
-	return false
+	if matchedLength == 0 || matchedLength == len(path) {
+		return matchedLength == len(path)
+	}
+	return path[matchedLength-1] == slashDelimiter || path[matchedLength] == slashDelimiter
 }

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8136af2 and 8cde8f1.

📒 Files selected for processing (5)

• app_test.go (1 hunks)
• path.go (2 hunks)
• path_testcases_test.go (1 hunks)
• router.go (1 hunks)
• router_test.go (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**/*.go

📄 CodeRabbit inference engine (AGENTS.md)

**/*.go: Format Go code using gofumpt (enforced via make format)
Ensure code passes golangci-lint checks (enforced via make lint)
Optimize struct field alignment using betteralign (enforced via make betteralign)
Modernize Go code using gopls modernize (enforced via make modernize)

Files:

• router_test.go
• path.go
• router.go
• app_test.go
• path_testcases_test.go

🧬 Code graph analysis (2)

router_test.go (2)

app.go (1)

• New (515-628)

constants.go (3)

• StatusOK (52-52)
• MethodGet (5-5)
• StatusNotFound (77-77)

app_test.go (2)

group.go (1)

• Group (14-21)

constants.go (3)

• StatusOK (52-52)
• MethodGet (5-5)
• StatusNotFound (77-77)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: unit (1.25.x, windows-latest)
• GitHub Check: repeated
• GitHub Check: Compare

🔇 Additional comments (5)

router.go (1)

97-99: Correct: enforce slash-boundary for middleware prefixes

This fixes the long-standing “/foo” matching “/foobar” issue by requiring a boundary. Behavior remains consistent for "/foo", "/foo/", and "/foo/…". Nice alignment with path parser logic.

Please confirm expected behavior with StrictRouting=true remains: "/foo" middleware still matches "/foo/" (slash boundary) but not "/foobar".

path.go (1)

523-571: Boundary-enforced partial matches are handled correctly

Storing originalDetectionPath and validating the consumedLength with the boundary helper is the right approach. Keeps “partialCheck” semantics tight and consistent with router middleware prefixes.

Consider adding one more parser test ensuring a non-slash boundary fails for partialCheck (e.g., pattern "/partialCheck/foo" vs "/partialCheck/foox"). The router tests cover a similar case already, but a direct parser case helps guard regressions.

path_testcases_test.go (1)

347-364: Good coverage for partialCheck boundaries

The exact, trailing slash, nested, and negative (“foobar”) cases clearly validate the boundary rule. Looks good.

router_test.go (1)

312-325: LGTM: regression test preventing “/foo” from matching “/foobar”

Clear and minimal. Ensures the middleware boundary rule stays intact.

app_test.go (1)

712-730: LGTM: group middleware boundary behavior validated

Confirms grouped prefix "/api" with subpath "/foo" behaves correctly for "/api/foo/bar" and not for "/api/foobar".

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

docs/guide/routing.md (1)

327-329: Clarify boundary semantics; avoid time-relative wording.

Spell out that the boundary is "/" or end-of-path and include the trailing-slash case; also drop "now" to keep docs timeless.

Apply this edit to the note:

-:::note
-Prefix matches must now end at a slash boundary (or be an exact match). For example, `/api` runs for `/api` and `/api/users` but no longer for `/apiv2`. Parameter tokens such as `:name`, `:name?`, `*`, and `+` are still expanded before this boundary check runs.
-:::
+:::note
+Prefix matches end at a slash boundary ("/") or are an exact match. For example, `/api` matches `/api`, `/api/`, and `/api/users`, but not `/apiv2`. Parameter tokens such as `:name`, `:name?`, `*`, and `+` are expanded before this boundary check runs.
+:::

Please confirm that /api indeed matches /api/ under the new rule; if not, we should adjust the example accordingly and explicitly state the trailing-slash behavior.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8cde8f1 and da27443.

📒 Files selected for processing (4)

• docs/guide/grouping.md (1 hunks)
• docs/guide/routing.md (1 hunks)
• docs/partials/routing/handler.md (1 hunks)
• docs/whats_new.md (1 hunks)

✅ Files skipped from review due to trivial changes (3)

• docs/whats_new.md
• docs/partials/routing/handler.md
• docs/guide/grouping.md

🧰 Additional context used

📓 Path-based instructions (1)

docs/**

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

Review and update the contents of the docs folder if necessary when modifying code

Files:

• docs/guide/routing.md

🧠 Learnings (1)

📚 Learning: 2024-12-15T19:56:45.935Z

Learnt from: ckoch786
PR: gofiber/fiber#3230
File: docs/whats_new.md:944-951
Timestamp: 2024-12-15T19:56:45.935Z
Learning: Detailed usage examples and explanations for new methods like `RemoveRoute` and `RemoveRouteByName` are documented in `docs/api/app.md`, so it's unnecessary to duplicate them in `docs/whats_new.md`.

Applied to files:

• docs/guide/routing.md

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Compare
• GitHub Check: unit (1.25.x, windows-latest)
• GitHub Check: repeated

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

router_test.go (2)

312-324: Good negative case; add a positive control for exact boundary.

Keep this test; also assert that exact "/foo" matches to guard against regressions.

 func Test_Route_Match_Middleware_NoBoundary(t *testing.T) {
   t.Parallel()

   app := New()

   app.Use("/foo", func(c Ctx) error {
     return c.SendStatus(StatusOK)
   })

   resp, err := app.Test(httptest.NewRequest(MethodGet, "/foobar", nil))
   require.NoError(t, err, "app.Test(req)")
   require.Equal(t, StatusNotFound, resp.StatusCode, "Status code")
+
+  // positive control: exact boundary must match
+  resp, err = app.Test(httptest.NewRequest(MethodGet, "/foo", nil))
+  require.NoError(t, err)
+  require.Equal(t, StatusOK, resp.StatusCode)
 }

---

708-801: Drop redundant tt := tt in these subtests

Remove both occurrences in router_test.go (lines 690 and 777); the subtests do not call t.Parallel(), so the extra capture is unnecessary and unblocks the linter.

- for _, tt := range testCases {
-   tt := tt
+ for _, tt := range testCases {
    t.Run(tt.name, func(t *testing.T) {
      app := New(Config{StrictRouting: tt.strictRouting})

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between da27443 and adfe221.

📒 Files selected for processing (1)

• router_test.go (2 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**/*.go

📄 CodeRabbit inference engine (AGENTS.md)

**/*.go: Format Go code using gofumpt (enforced via make format)
Ensure code passes golangci-lint checks (enforced via make lint)
Optimize struct field alignment using betteralign (enforced via make betteralign)
Modernize Go code using gopls modernize (enforced via make modernize)

Files:

• router_test.go

🧬 Code graph analysis (1)

router_test.go (2)

app.go (2)

• New (515-628)
• Config (113-418)

group.go (1)

• Group (14-21)

🪛 GitHub Check: lint

router_test.go

[failure] 777-777:
The copy of the 'for' variable "tt" can be deleted (Go 1.22+) (copyloopvar)

---

[failure] 690-690:
The copy of the 'for' variable "tt" can be deleted (Go 1.22+) (copyloopvar)

🪛 GitHub Actions: golangci-lint

router_test.go

[error] 690-690: golangci-lint: The copy of the 'for' variable "tt" can be deleted (Go 1.22+) (copyloopvar)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: unit (1.25.x, macos-latest)
• GitHub Check: unit (1.25.x, windows-latest)
• GitHub Check: unit (1.25.x, macos-13)
• GitHub Check: Compare
• GitHub Check: Analyse
• GitHub Check: repeated

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

path_test.go (1)

176-224: Add a few more edge cases to harden boundary semantics.

Consider covering start-of-path, trailing-slash exact match, and UTF‑8 adjacent to the boundary.

Suggested additions:

   testCases := []struct {
@@
     {
       name:          "no boundary",
       path:          "/demo/child",
       matchedLength: len("/dem"),
       expected:      false,
     },
+    {
+      name:          "boundary at start (previous is implicit start slash)",
+      path:          "/child",
+      matchedLength: 1, // after leading '/'
+      expected:      true,
+    },
+    {
+      name:          "exact match with trailing slash",
+      path:          "/demo/",
+      matchedLength: len("/demo/"),
+      expected:      true,
+    },
+    {
+      name:          "UTF-8 next rune slash",
+      path:          "/dęmo/child",
+      matchedLength: len("/dęmo"), // next byte is '/'
+      expected:      true,
+    },

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between adfe221 and 05098eb.

📒 Files selected for processing (1)

• path_test.go (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**/*.go

📄 CodeRabbit inference engine (AGENTS.md)

**/*.go: Format Go code using gofumpt (enforced via make format)
Ensure code passes golangci-lint checks (enforced via make lint)
Optimize struct field alignment using betteralign (enforced via make betteralign)
Modernize Go code using gopls modernize (enforced via make modernize)

Files:

• path_test.go

🪛 GitHub Check: lint

path_test.go

[failure] 227-227:
The copy of the 'for' variable "testCase" can be deleted (Go 1.22+) (copyloopvar)

🪛 GitHub Actions: golangci-lint

path_test.go

[error] 227-227: golangci-lint: copyloopvar - The copy of the 'for' variable "testCase" can be deleted (Go 1.22+) (copyloopvar).

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: unit (1.25.x, windows-latest)
• GitHub Check: unit (1.25.x, macos-latest)
• GitHub Check: unit (1.25.x, macos-13)
• GitHub Check: repeated
• GitHub Check: Compare

🔇 Additional comments (1)

path_test.go (1)

173-181: Good focused test for the new boundary helper.

Covers negative/overflow, zero, exact, and both-side slash boundaries; subtests run in parallel. Nice.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

path_test.go (1)

173-233: Optional: align naming with file convention and clarify subtest titles; add root-path edge case.

• For consistency with nearby tests (e.g., Test_Path_*), consider renaming the function.
• “rune” → “char” in titles is clearer since checks are byte-wise against '/'.
• Add a root “/” exact-match case.

Apply:

-func TestHasPartialMatchBoundary(t *testing.T) {
+func Test_Path_hasPartialMatchBoundary(t *testing.T) {
@@
-        {
-            name:          "previous rune slash",
+        {
+            name:          "previous char is slash",
             path:          "/demo/child",
             matchedLength: len("/demo/"),
             expected:      true,
         },
         {
-            name:          "next rune slash",
+            name:          "next char is slash",
             path:          "/demo/child",
             matchedLength: len("/demo"),
             expected:      true,
         },
@@
         {
             name:          "no boundary",
             path:          "/demo/child",
             matchedLength: len("/dem"),
             expected:      false,
         },
+        {
+            name:          "root exact",
+            path:          "/",
+            matchedLength: len("/"),
+            expected:      true,
+        },

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7bd56f7 and 2200bbf.

📒 Files selected for processing (1)

• path_test.go (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**/*.go

📄 CodeRabbit inference engine (AGENTS.md)

**/*.go: Format Go code using gofumpt (enforced via make format)
Ensure code passes golangci-lint checks (enforced via make lint)
Optimize struct field alignment using betteralign (enforced via make betteralign)
Modernize Go code using gopls modernize (enforced via make modernize)

Files:

• path_test.go

🔇 Additional comments (1)

path_test.go (1)

173-233: LGTM: solid boundary coverage; no copyloopvar.

• Table-driven cases hit negatives, overflows, exact, and slash-adjacent boundaries.
• Good use of Go 1.22+ range semantics; no redundant loop-var self-assign, so lint should be clean.