npm - create-caspian-app - Versions diffs - 0.2.0-beta.90 → 0.2.0-beta.92 - Mend

create-caspian-app 0.2.0-beta.90 → 0.2.0-beta.92

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/main.py +56 -23
package/dist/public/js/pp-reactive-v2.js +1 -1
package/dist/src/lib/security/runtime_security.py +164 -0
package/package.json +1 -1

package/dist/main.py CHANGED Viewed

@@ -3,13 +3,13 @@ from casp.scripts_type import transform_scripts
 import inspect
 import os
 import importlib.util
-import mimetypes
 import secrets
 import traceback
 import json
 from pathlib import Path
 from fastapi import FastAPI, Request, Response
 from fastapi.responses import RedirectResponse, FileResponse, HTMLResponse
+from starlette.datastructures import MutableHeaders
 from starlette.middleware.sessions import SessionMiddleware
 from starlette.types import ASGIApp, Receive, Scope, Send
 from starlette.exceptions import HTTPException as StarletteHTTPException
@@ -38,6 +38,12 @@ from casp.streaming import SSE
 from typing import Any, Optional, get_args, get_origin, Union
 from urllib.parse import urlparse
 from src.lib.auth.auth_config import build_auth_settings
+from src.lib.security.runtime_security import (
+    build_security_headers,
+    client_error_message,
+    get_session_secret,
+    public_file_response,
+)
 load_dotenv()
 cfg = get_config()
@@ -77,6 +83,18 @@ CACHE_ENABLED = os.getenv('CACHE_ENABLED', 'false').lower() == 'true'
 DEFAULT_TTL = int(os.getenv('CACHE_TTL', 600))
+def _client_error_message(exc: Exception) -> str:
+    return client_error_message(exc, is_production=IS_PRODUCTION)
+def _get_session_secret() -> str:
+    return get_session_secret(is_production=IS_PRODUCTION)
+def _build_security_headers() -> dict[str, str]:
+    return build_security_headers(is_production=IS_PRODUCTION)
 def _dev_cookie_scope() -> str:
     if IS_PRODUCTION:
         return ""
@@ -120,36 +138,26 @@ SESSION_COOKIE_NAME = _scoped_cookie_name(
 @app.get('/css/{filename:path}')
 async def serve_css(filename: str):
-    file_path = Path('public/css') / filename
-    if not file_path.exists():
-        return Response(status_code=404)
-    return FileResponse(file_path, media_type='text/css')
+    return public_file_response('public/css', filename, media_type='text/css')
 @app.get('/js/{filename:path}')
 async def serve_js(filename: str):
-    file_path = Path('public/js') / filename
-    if not file_path.exists():
-        return Response(status_code=404)
-    return FileResponse(file_path, media_type='application/javascript')
+    return public_file_response(
+        'public/js',
+        filename,
+        media_type='application/javascript',
+    )
 @app.get('/assets/{filename:path}')
 async def serve_assets(filename: str):
-    file_path = Path('public/assets') / filename
-    if not file_path.exists():
-        return Response(status_code=404)
-    mime_type, _ = mimetypes.guess_type(str(file_path))
-    return FileResponse(file_path, media_type=mime_type or 'application/octet-stream')
+    return public_file_response('public/assets', filename)
 @app.get('/uploads/{filename:path}')
 async def serve_uploads(filename: str):
-    file_path = Path('public/uploads') / filename
-    if not file_path.exists():
-        return Response(status_code=404)
-    mime_type, _ = mimetypes.guess_type(str(file_path))
-    return FileResponse(file_path, media_type=mime_type or 'application/octet-stream')
+    return public_file_response('public/uploads', filename)
 @app.get('/favicon.ico')
@@ -191,6 +199,29 @@ class CSRFMiddleware:
         await self.app(scope, receive, send_wrapper)
+class SecurityHeadersMiddleware:
+    """Attach baseline browser security headers to HTTP responses."""
+    def __init__(self, app: ASGIApp): self.app = app
+    async def __call__(self, scope: Scope, receive: Receive, send: Send):
+        if scope["type"] != "http":
+            await self.app(scope, receive, send)
+            return
+        async def send_wrapper(message):
+            if message["type"] == "http.response.start":
+                raw_headers = list(message.get("headers", []))
+                headers = MutableHeaders(raw=raw_headers)
+                for name, value in _build_security_headers().items():
+                    if headers.get(name) is None:
+                        headers[name] = value
+                message = {**message, "headers": raw_headers}
+            await send(message)
+        await self.app(scope, receive, send_wrapper)
 class AuthMiddleware:
     """Auth middleware using pure ASGI pattern for proper session handling."""
@@ -574,9 +605,10 @@ async def custom_404_handler(request: Request, exc: StarletteHTTPException):
 @app.exception_handler(Exception)
 async def custom_general_exception_handler(request: Request, exc: Exception):
-    print(traceback.format_exc())
-    error_message = str(exc)
-    error_trace = traceback.format_exc() if not IS_PRODUCTION else None
+    full_trace = traceback.format_exc()
+    print(full_trace)
+    error_message = _client_error_message(exc)
+    error_trace = full_trace if not IS_PRODUCTION else None
     error_page_path = os.path.join('src', 'app', 'error.html')
     if os.path.exists(error_page_path):
@@ -619,13 +651,14 @@ app.add_middleware(CSRFMiddleware)
 app.add_middleware(
     SessionMiddleware,
-    secret_key=os.getenv('AUTH_SECRET', 'change-me'),
+    secret_key=_get_session_secret(),
     session_cookie=SESSION_COOKIE_NAME,
     max_age=SESSION_LIFETIME_HOURS * 3600,
     same_site='lax',
     https_only=IS_PRODUCTION,
     path='/',
 )
+app.add_middleware(SecurityHeadersMiddleware)
 if __name__ == '__main__':
     port = int(os.getenv('PORT', 5091))