🐛 bug: custom binders bypass StructValidator in Body() and Custom()

[Copilot]

Custom binders registered via RegisterCustomBinder silently skipped StructValidator when invoked through Body() or Custom(), while all built-in binders (JSON, XML, Form, CBOR, MsgPack, etc.) correctly run validation after parsing.

Changes introduced

• Body(): after a custom binder successfully parses the request, validateStruct(out) is now called before returning — consistent with all built-in binder paths.
• Custom(): same fix applied; validateStruct(dest) is called after successful parse.
• Tests: added Test_Bind_CustomBinder_Validation with subtests covering pass/fail validation for both Body() and Custom().

// Before: validation silently skipped for custom MIME type
app.RegisterCustomBinder(&tomlBinder{}) // MIMETypes: ["application/toml"]
c.Bind().Body(&out) // StructValidator never called

// After: behaves identically to JSON/XML/Form binders
c.Bind().Body(&out) // StructValidator called; returns error on invalid struct

• Benchmarks: N/A — no hot-path changes; single error-path branch added.
• Documentation Update: No API surface change; behavior now matches documented built-in binder semantics.
• Changelog/What's New: Custom binders via Body() and Custom() now invoke StructValidator, matching built-in binder behavior.
• Migration Guide: Projects relying on the absence of validation for custom binders will now see validation errors. Wrap with SkipValidation(true) to opt out.
• API Alignment with Express: N/A
• API Longevity: No API change; purely a behavioral consistency fix.
• Examples: See code snippet above.

Type of change

• Enhancement (improvement to existing features and functionality)
• Code consistency (non-breaking change which improves code reliability and robustness)

Checklist

• Followed the inspiration of the Express.js framework for new functionalities, making them similar in usage.
• Conducted a self-review of the code and provided comments for complex or critical parts.
• Updated the documentation in the /docs/ directory for Fiber's documentation.
• Added or updated unit tests to validate the effectiveness of the changes or new features.
• Ensured that new and existing unit tests pass locally with the changes.
• Verified that any new dependencies are essential and have been agreed upon by the maintainers/community.
• Aimed for optimal performance with minimal allocations in the new code.
• Provided benchmarks for the new code to analyze and improve upon.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• exampleretry.com
  • Triggering command: /tmp/go-build982216137/b307/client.test /tmp/go-build982216137/b307/client.test -test.paniconexit0 -test.v=test2json -test.timeout=10m0s -test.count=1 -test.shuffle=on k/fiber/fiber/middleware/limitertext/tabwriter ux-amd64/pkg/tool/linux_amd64/compile -p github.com/santh-unsafeptr=false -lang=go1.21 ux-amd64/pkg/too/tmp/go-build982216137/b113/vet.cfg -o rg/toolchain@v0.0.1-go1.25.0.lin. -trimpath ux-amd64/pkg/tool/linux_amd64/vet pkg/mod/golang.o/usr/bin/python3 github.com/gofib-u l/linux_amd64/cobin/WALinuxAgent-2.15.1.3-py3.12.egg ux-amd64/pkg/too-collect-logs (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Custom binders in Body() bypass StructValidator</issue_title>
<issue_description>Custom binders registered via RegisterCustomBinder are not followed by validation when called through Body(). Built-in body binders (JSON, XML, Form, etc.) all call validateStruct() after parsing, but the custom binder path returns immediately on success (line 425 in bind.go).

This creates inconsistent behavior where invalid payloads can pass validation if processed by a custom binder.

Related PR: #4120
Comment context: #4120 (comment)
Reported by: @loderunner

Suggested fix:
After customBinder.Parse(b.ctx, out) succeeds, call b.validateStruct(out) and handle validation errors consistently with built-in binders.</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Custom binders in Body() bypass StructValidator #4122

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.08%. Comparing base (7077663) to head (932ddf8).
⚠️ Report is 5 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4124      +/-   ##
==========================================
- Coverage   91.11%   91.08%   -0.04%     
==========================================
  Files         119      119              
  Lines       11377    11381       +4     
==========================================
  Hits        10366    10366              
- Misses        641      645       +4     
  Partials      370      370              

Flag	Coverage Δ
unittests	91.08% <100.00%> (-0.04%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.