From f4e9f793e561af54f2b7948d14234ba7541d4348 Mon Sep 17 00:00:00 2001
From: Sai Asish Y <say.apm35@gmail.com>
Date: Tue, 12 May 2026 15:42:00 -0700
Subject: [PATCH] feat: add SecureCookie.Err to expose construction errors

---
 securecookie.go      |  7 +++++++
 securecookie_test.go | 12 ++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/securecookie.go b/securecookie.go
index 4d5ea86..0c1181e 100644
--- a/securecookie.go
+++ b/securecookie.go
@@ -234,6 +234,13 @@ func (s *SecureCookie) BlockFunc(f func([]byte) (cipher.Block, error)) *SecureCo
 	return s
 }
 
+// Err returns an error if the SecureCookie was misconfigured, for example when
+// New was called with an invalid hash or block key. It returns nil if the
+// instance is usable. Encode and Decode also report this error.
+func (s *SecureCookie) Err() error {
+	return s.err
+}
+
 // Encoding sets the encoding/serialization method for cookies.
 //
 // Default is encoding/gob.  To encode special structures using encoding/gob,
diff --git a/securecookie_test.go b/securecookie_test.go
index 72905ae..f3562e8 100644
--- a/securecookie_test.go
+++ b/securecookie_test.go
@@ -88,6 +88,18 @@ func TestSecureCookieNilKey(t *testing.T) {
 	}
 }
 
+func TestErr(t *testing.T) {
+	if err := New([]byte("12345678901234567890123456789012"), nil).Err(); err != nil {
+		t.Fatalf("expected no error, got %v", err)
+	}
+	if err := New(nil, nil).Err(); err != errHashKeyNotSet {
+		t.Fatalf("expected errHashKeyNotSet, got %v", err)
+	}
+	if err := New([]byte("12345678901234567890123456789012"), []byte("bad")).Err(); err == nil {
+		t.Fatal("expected an error for invalid block key, got nil")
+	}
+}
+
 func TestDecodeInvalid(t *testing.T) {
 	// List of invalid cookies, which must not be accepted, base64-decoded
 	// (they will be encoded before passing to Decode).