We have this:

class HasSessionCsrfToken a where
  sessionCsrfToken :: Lens' a (Maybe CsrfToken)

What's the intuition of the Nothing case? Shouldn't that be an error that is thrown inside the middleware, so that the application logic can rely on the token to always be present?