django-ninja-aio-crud 2.18.0__py3-none-any.whl → 2.18.2__py3-none-any.whl

{django_ninja_aio_crud-2.18.0.dist-info → django_ninja_aio_crud-2.18.2.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: django-ninja-aio-crud
-Version: 2.18.0
+Version: 2.18.2
 Summary: Django Ninja AIO CRUD - Rest Framework
 Author: Giuseppe Casillo
 Requires-Python: >=3.10, <3.15
@@ -34,11 +34,9 @@ Project-URL: Repository, https://github.com/caspel26/django-ninja-aio-crud
 Provides-Extra: test
 
 <p align="center">
-  <img src="https://raw.githubusercontent.com/caspel26/django-ninja-aio-crud/main/docs/images/logo.png" alt="django-ninja-aio-crud" width="120">
+  <img src="https://raw.githubusercontent.com/caspel26/django-ninja-aio-crud/main/docs/images/logo-full.png" alt="django-ninja-aio-crud">
 </p>
 
-<h1 align="center">django-ninja-aio-crud</h1>
-
 <p align="center">
   <strong>Async CRUD framework for Django Ninja</strong><br>
   Automatic schema generation · Filtering · Pagination · Auth · M2M management
@@ -51,11 +49,13 @@ Provides-Extra: test
   <a href="https://pypi.org/project/django-ninja-aio-crud/"><img src="https://img.shields.io/pypi/v/django-ninja-aio-crud?color=g&logo=pypi&logoColor=white" alt="PyPI - Version"></a>
   <a href="LICENSE"><img src="https://img.shields.io/pypi/l/django-ninja-aio-crud" alt="PyPI - License"></a>
   <a href="https://github.com/astral-sh/ruff"><img src="https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/astral-sh/ruff/main/assets/badge/v2.json" alt="Ruff"></a>
+  <a href="https://github.com/caspel26/django-ninja-aio-crud/actions/workflows/performance.yml"><img src="https://github.com/caspel26/django-ninja-aio-crud/actions/workflows/performance.yml/badge.svg" alt="Performance"></a>
 </p>
 
 <p align="center">
   <a href="https://django-ninja-aio.com">Documentation</a> ·
   <a href="https://pypi.org/project/django-ninja-aio-crud/">PyPI</a> ·
+  <a href="https://caspel26.github.io/django-ninja-aio-crud/">Performance Benchmarks</a> ·
   <a href="https://github.com/caspel26/ninja-aio-blog-example">Example Project</a> ·
   <a href="https://github.com/caspel26/django-ninja-aio-crud/issues">Issues</a>
 </p>
@@ -392,7 +392,13 @@ class ReadOnlyBookViewSet(APIViewSet):
 
 ---
 
-## Performance Tips
+## Performance
+
+View live benchmarks tracking schema generation, serialization, and CRUD throughput:
+
+**[Live Performance Report](https://caspel26.github.io/django-ninja-aio-crud/)** — Interactive charts with historical trends
+
+### Performance Tips
 
 - Use `queryset_request` classmethod to `select_related` / `prefetch_related`
 - Index frequently filtered fields

{django_ninja_aio_crud-2.18.0.dist-info → django_ninja_aio_crud-2.18.2.dist-info}/RECORD

@@ -1,10 +1,10 @@
-ninja_aio/__init__.py,sha256=CezrF0WOFMCLNAybIgP0uAtNTsUMEiOezULFLq3iluY,120
+ninja_aio/__init__.py,sha256=GG9VIprfl_xsxe8mkdQQOZKg-SjYn-uPExDck4VTOSg,120
 ninja_aio/api.py,sha256=tuC7vdvn7s1GkCnSFy9Kn1zv0glZfYptRQVvo8ZRtGQ,2429
 ninja_aio/auth.py,sha256=f4yk45fLi36Qctu0A0zgHTFedb9yk3ewq5rOMpoPYIE,9035
 ninja_aio/exceptions.py,sha256=w8QWmVlg88iJvBrNODSDBHSsy8nNpwngaCGWRnkXoPo,3899
 ninja_aio/parsers.py,sha256=e_4lGCPV7zs-HTqtdJTc8yQD2KPAn9njbL8nF_Mmgkc,153
 ninja_aio/renders.py,sha256=CW0xDa05Xna-UvL0MZqZeDEgueEaUassV_nG7Rh1-cw,1824
-ninja_aio/types.py,sha256=E3yfXbNKkvLVcr8bvkHTSyIiCRZ4zumzJaXj1aiBi5U,735
+ninja_aio/types.py,sha256=fSDTLLraQeZ9-bpoWSQcV5WN8vy2v4Te48D5dnnW25M,1441
 ninja_aio/decorators/__init__.py,sha256=cDDHD_9EI4CP7c5eL1m2mGNl9bR24i8FAkQsT3_RNGM,371
 ninja_aio/decorators/operations.py,sha256=L9yt2ku5oo4CpOLixCADmkcFjLGsWAn-cg-sDcjFhMA,343
 ninja_aio/decorators/views.py,sha256=0RVU4XaM1HvTQ-BOt_NwUtbhwfHau06lh-O8El1LqQk,8139
@@ -14,17 +14,17 @@ ninja_aio/helpers/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU
 ninja_aio/helpers/api.py,sha256=va_HvZVBFm1KxwQhH4u09U4F1JS5JrQuRpRmPTHJt7w,21326
 ninja_aio/helpers/query.py,sha256=Lqv4nrWYr543tC5K-SEcBottLID8cb83aDc26i2Wxj4,5053
 ninja_aio/models/__init__.py,sha256=L3UQnQAlKoI3F7jinadL-Nn55hkPvnSRPYW0JtnbWFo,114
-ninja_aio/models/serializers.py,sha256=Obw6HCLMU9iTvAtuoGFXB2gtRELtR3g1nhn23U9McrM,60376
-ninja_aio/models/utils.py,sha256=lAXtc3YY7_n4f0jIacX4DSXhUOzMy7y5MsBnInNxtfk,32874
+ninja_aio/models/serializers.py,sha256=pRRa0ci8ObhmJoQkzreDxV0JA6elG0Tyj8mJutRDqpo,64021
+ninja_aio/models/utils.py,sha256=uIjQz6-89H7Myires79_v9xSMU5A6JVBBmMzlDLZwp4,37261
 ninja_aio/schemas/__init__.py,sha256=dHILiYBKMb51lDcyQdiXRw_0nzqM7Lu81UX2hv7kEfo,837
 ninja_aio/schemas/api.py,sha256=dGUpJXR1iAf93QNR4kYj1uqIkTjiMfXultCotY6GtaQ,361
 ninja_aio/schemas/filters.py,sha256=VxzH2xSWok8cUSkyfeqtrGhRewtFVmNHQfHNvY8Aynw,2662
 ninja_aio/schemas/generics.py,sha256=frjJsKJMAdM_NdNKv-9ddZNGxYy5PNzjIRGtuycgr-w,112
 ninja_aio/schemas/helpers.py,sha256=CpubwNXsZHtu8jddliyQybF1epwZ-GO60vHIuF5AR1Y,8967
 ninja_aio/views/__init__.py,sha256=DEzjWA6y3WF0V10nNF8eEurLNEodgxKzyFd09AqVp3s,148
-ninja_aio/views/api.py,sha256=AAqkj0xT8J3PmJvsbluZ33cfrmrXJHiV9ARe2BqnfQ8,22492
-ninja_aio/views/mixins.py,sha256=Zl6J8gbVagwT85bzDuKyJTk3iFxxFgX0YgYkjiUxZGg,17040
-django_ninja_aio_crud-2.18.0.dist-info/licenses/LICENSE,sha256=yrDAYcm0gRp_Qyzo3GQa4BjYjWRkAhGC8QRva__RYq0,1073
-django_ninja_aio_crud-2.18.0.dist-info/WHEEL,sha256=G2gURzTEtmeR8nrdXUJfNiB3VYVxigPQ-bEQujpNiNs,82
-django_ninja_aio_crud-2.18.0.dist-info/METADATA,sha256=2R1JT9MbqKfuAb05If2Ic1U-Cx6l_uTcXLPKHIyod5Q,12911
-django_ninja_aio_crud-2.18.0.dist-info/RECORD,,
+ninja_aio/views/api.py,sha256=Sj4yIVLVQEVKxwFzVbT6YhiSCxXtcvdlTtWhJfccOus,26191
+ninja_aio/views/mixins.py,sha256=rE4otyuenx6bfOLmnvMiSn10Kh7p0newU0-HarWDWS4,17779
+django_ninja_aio_crud-2.18.2.dist-info/licenses/LICENSE,sha256=yrDAYcm0gRp_Qyzo3GQa4BjYjWRkAhGC8QRva__RYq0,1073
+django_ninja_aio_crud-2.18.2.dist-info/WHEEL,sha256=G2gURzTEtmeR8nrdXUJfNiB3VYVxigPQ-bEQujpNiNs,82
+django_ninja_aio_crud-2.18.2.dist-info/METADATA,sha256=uRj6qJ8HaV6vM5nhqSTs6FYwd1Bex_gfCosWXtlJDbw,13404
+django_ninja_aio_crud-2.18.2.dist-info/RECORD,,

ninja_aio/__init__.py

@@ -1,6 +1,6 @@
 """Django Ninja AIO CRUD - Rest Framework"""
 
-__version__ = "2.18.0"
+__version__ = "2.18.2"
 
 from .api import NinjaAIO
 

ninja_aio/models/serializers.py

@@ -11,6 +11,8 @@ from typing import (
 )
 import warnings
 import sys
+import threading
+from functools import lru_cache
 
 from django.conf import settings
 from ninja import Schema
@@ -103,6 +105,56 @@ class BaseSerializer:
         queryset_request = ModelQuerySetSchema()
         extras: list[ModelQuerySetExtraSchema] = []
 
+    # Thread-local storage for tracking circular reference resolution
+    _resolution_context = threading.local()
+
+    @classmethod
+    def _get_resolution_stack(cls) -> list[str]:
+        """
+        Get the current resolution stack for detecting circular references.
+
+        Returns
+        -------
+        list[str]
+            Stack of model names currently being resolved (thread-safe).
+        """
+        if not hasattr(cls._resolution_context, 'stack'):
+            cls._resolution_context.stack = []
+        return cls._resolution_context.stack
+
+    @classmethod
+    def _is_circular_reference(cls, model: models.Model) -> bool:
+        """
+        Check if resolving this model would create a circular reference.
+
+        Security: Prevents infinite recursion and stack overflow attacks.
+
+        Parameters
+        ----------
+        model : models.Model
+            The model to check
+
+        Returns
+        -------
+        bool
+            True if the model is already being resolved (circular reference detected)
+        """
+        model_key = f"{model._meta.app_label}.{model._meta.model_name}"
+        return model_key in cls._get_resolution_stack()
+
+    @classmethod
+    def _push_resolution(cls, model: models.Model) -> None:
+        """Add a model to the resolution stack."""
+        model_key = f"{model._meta.app_label}.{model._meta.model_name}"
+        cls._get_resolution_stack().append(model_key)
+
+    @classmethod
+    def _pop_resolution(cls) -> None:
+        """Remove the most recent model from the resolution stack."""
+        stack = cls._get_resolution_stack()
+        if stack:
+            stack.pop()
+
     @classmethod
     def _collect_validators(cls, source_class) -> dict:
         """
@@ -425,29 +477,51 @@ class BaseSerializer:
         -------
         Schema | Union[Schema, ...] | None
             Generated schema, Union of schemas, or None if cannot be resolved.
-        """
-        # Auto-resolve ModelSerializer with readable fields
-        if isinstance(rel_model, ModelSerializerMeta):
-            has_readable_fields = rel_model.get_fields(
-                "read"
-            ) or rel_model.get_custom_fields("read")
-            return rel_model.generate_related_s() if has_readable_fields else None
-
-        # Resolve from explicit serializer mapping
-        rel_serializers = cls._get_relations_serializers() or {}
-        serializer_ref = rel_serializers.get(field_name)
 
-        if not serializer_ref:
+        Notes
+        -----
+        Includes circular reference detection to prevent infinite recursion.
+        """
+        # Security: Check for circular references to prevent infinite recursion
+        if cls._is_circular_reference(rel_model):
+            # Circular reference detected - return None to break the cycle
+            warnings.warn(
+                f"Circular reference detected for {rel_model._meta.label} "
+                f"in field '{field_name}' of {cls._get_model()._meta.label}. "
+                f"Skipping nested schema generation to prevent infinite recursion.",
+                UserWarning,
+                stacklevel=2
+            )
             return None
 
-        resolved = cls._resolve_serializer_reference(serializer_ref)
+        # Track this model in the resolution stack
+        cls._push_resolution(rel_model)
+        try:
+            # Auto-resolve ModelSerializer with readable fields
+            if isinstance(rel_model, ModelSerializerMeta):
+                has_readable_fields = rel_model.get_fields(
+                    "read"
+                ) or rel_model.get_custom_fields("read")
+                return rel_model.generate_related_s() if has_readable_fields else None
+
+            # Resolve from explicit serializer mapping
+            rel_serializers = cls._get_relations_serializers() or {}
+            serializer_ref = rel_serializers.get(field_name)
+
+            if not serializer_ref:
+                return None
+
+            resolved = cls._resolve_serializer_reference(serializer_ref)
 
-        # Handle Union of serializers
-        if get_origin(resolved) is Union:
-            return cls._generate_union_schema(resolved)
+            # Handle Union of serializers
+            if get_origin(resolved) is Union:
+                return cls._generate_union_schema(resolved)
 
-        # Handle single serializer
-        return resolved.generate_related_s()
+            # Handle single serializer
+            return resolved.generate_related_s()
+        finally:
+            # Always pop from resolution stack when done
+            cls._pop_resolution()
 
     @classmethod
     def _is_special_field(
@@ -928,64 +1002,45 @@ class BaseSerializer:
         )
 
     @classmethod
-    def _generate_model_schema(
-        cls,
-        schema_type: type[SCHEMA_TYPES],
-        depth: int = None,
-    ) -> Schema:
-        """
-        Core schema factory bridging serializer configuration to ``ninja.orm.create_schema``.
-
-        Dispatches to the appropriate field/custom/exclude gathering logic based
-        on the requested schema type and delegates to Django Ninja's
-        ``create_schema`` for the actual Pydantic model construction.
-
-        Parameters
-        ----------
-        schema_type : SCHEMA_TYPES
-            One of ``"In"``, ``"Patch"``, ``"Out"``, ``"Detail"``, or ``"Related"``.
-        depth : int, optional
-            Nesting depth for related model schemas (used by ``Out`` and ``Detail``).
-
-        Returns
-        -------
-        Schema | None
-            Generated Pydantic schema, or ``None`` if no fields are configured.
-        """
-        model = cls._get_model()
-        validators = cls._get_validators(schema_type)
-
-        # Handle special schema types with custom logic
-        if schema_type == "Out" or schema_type == "Detail":
-            fields, reverse_rels, excludes, customs, optionals = (
-                cls.get_schema_out_data(schema_type)
-            )
-            if not any([fields, reverse_rels, excludes, customs]):
-                return None
-            schema_name = "SchemaOut" if schema_type == "Out" else "DetailSchemaOut"
-            schema = create_schema(
-                model=model,
-                name=f"{model._meta.model_name}{schema_name}",
-                depth=depth,
-                fields=fields,
-                custom_fields=reverse_rels + customs + optionals,
-                exclude=excludes,
-            )
-            return cls._apply_validators(schema, validators)
+    def _create_out_or_detail_schema(
+        cls, schema_type: type[SCHEMA_TYPES], model, validators, depth: int = None
+    ) -> Schema | None:
+        """Create schema for Out or Detail types."""
+        fields, reverse_rels, excludes, customs, optionals = (
+            cls.get_schema_out_data(schema_type)
+        )
+        if not any([fields, reverse_rels, excludes, customs]):
+            return None
+        schema_name = "SchemaOut" if schema_type == "Out" else "DetailSchemaOut"
+        schema = create_schema(
+            model=model,
+            name=f"{model._meta.model_name}{schema_name}",
+            depth=depth,
+            fields=fields,
+            custom_fields=reverse_rels + customs + optionals,
+            exclude=excludes,
+        )
+        return cls._apply_validators(schema, validators)
 
-        if schema_type == "Related":
-            fields, customs = cls.get_related_schema_data()
-            if not fields and not customs:
-                return None
-            schema = create_schema(
-                model=model,
-                name=f"{model._meta.model_name}SchemaRelated",
-                fields=fields,
-                custom_fields=customs,
-            )
-            return cls._apply_validators(schema, validators)
+    @classmethod
+    def _create_related_schema(cls, model, validators) -> Schema | None:
+        """Create schema for Related type."""
+        fields, customs = cls.get_related_schema_data()
+        if not fields and not customs:
+            return None
+        schema = create_schema(
+            model=model,
+            name=f"{model._meta.model_name}SchemaRelated",
+            fields=fields,
+            custom_fields=customs,
+        )
+        return cls._apply_validators(schema, validators)
 
-        # Handle standard In/Patch schema types
+    @classmethod
+    def _create_in_or_patch_schema(
+        cls, schema_type: type[SCHEMA_TYPES], model, validators
+    ) -> Schema | None:
+        """Create schema for In or Patch types."""
         s_type = "create" if schema_type == "In" else "update"
         fields = cls.get_fields(s_type)
         optionals = cls.get_optional_fields(s_type)
@@ -1020,6 +1075,42 @@ class BaseSerializer:
         )
         return cls._apply_validators(schema, validators)
 
+    @classmethod
+    def _generate_model_schema(
+        cls,
+        schema_type: type[SCHEMA_TYPES],
+        depth: int = None,
+    ) -> Schema:
+        """
+        Core schema factory bridging serializer configuration to ``ninja.orm.create_schema``.
+
+        Dispatches to the appropriate field/custom/exclude gathering logic based
+        on the requested schema type and delegates to Django Ninja's
+        ``create_schema`` for the actual Pydantic model construction.
+
+        Parameters
+        ----------
+        schema_type : SCHEMA_TYPES
+            One of ``"In"``, ``"Patch"``, ``"Out"``, ``"Detail"``, or ``"Related"``.
+        depth : int, optional
+            Nesting depth for related model schemas (used by ``Out`` and ``Detail``).
+
+        Returns
+        -------
+        Schema | None
+            Generated Pydantic schema, or ``None`` if no fields are configured.
+        """
+        model = cls._get_model()
+        validators = cls._get_validators(schema_type)
+
+        if schema_type in ("Out", "Detail"):
+            return cls._create_out_or_detail_schema(schema_type, model, validators, depth)
+
+        if schema_type == "Related":
+            return cls._create_related_schema(model, validators)
+
+        return cls._create_in_or_patch_schema(schema_type, model, validators)
+
     @classmethod
     def get_related_schema_data(cls):
         """
@@ -1055,10 +1146,13 @@ class BaseSerializer:
         return non_relation_fields, customs
 
     @classmethod
+    @lru_cache(maxsize=128)
     def generate_read_s(cls, depth: int = 1) -> Schema:
         """
         Generate the read (Out) schema for list responses.
 
+        Performance: Results are cached per (class, depth) combination.
+
         Parameters
         ----------
         depth : int, optional
@@ -1072,6 +1166,7 @@ class BaseSerializer:
         return cls._generate_model_schema("Out", depth)
 
     @classmethod
+    @lru_cache(maxsize=128)
     def generate_detail_s(cls, depth: int = 1) -> Schema:
         """
         Generate the detail (single-object) read schema.
@@ -1079,6 +1174,8 @@ class BaseSerializer:
         Falls back to the standard read schema if no detail-specific
         configuration is defined.
 
+        Performance: Results are cached per (class, depth) combination.
+
         Parameters
         ----------
         depth : int, optional
@@ -1092,10 +1189,13 @@ class BaseSerializer:
         return cls._generate_model_schema("Detail", depth) or cls.generate_read_s(depth)
 
     @classmethod
+    @lru_cache(maxsize=128)
     def generate_create_s(cls) -> Schema:
         """
         Generate the create (In) schema for input validation.
 
+        Performance: Results are cached per class.
+
         Returns
         -------
         Schema | None
@@ -1104,10 +1204,13 @@ class BaseSerializer:
         return cls._generate_model_schema("In")
 
     @classmethod
+    @lru_cache(maxsize=128)
     def generate_update_s(cls) -> Schema:
         """
         Generate the update (Patch) schema for partial updates.
 
+        Performance: Results are cached per class.
+
         Returns
         -------
         Schema | None
@@ -1116,6 +1219,7 @@ class BaseSerializer:
         return cls._generate_model_schema("Patch")
 
     @classmethod
+    @lru_cache(maxsize=128)
     def generate_related_s(cls) -> Schema:
         """
         Generate the related (nested) schema for embedding in parent schemas.
@@ -1123,6 +1227,8 @@ class BaseSerializer:
         Includes only non-relational model fields and custom fields, preventing
         infinite nesting of related objects.
 
+        Performance: Results are cached per class.
+
         Returns
         -------
         Schema | None

ninja_aio/models/utils.py

@@ -94,6 +94,9 @@ class ModelUtil:
     - Stateless wrapper; safe per-request instantiation.
     """
 
+    # Performance: Class-level cache for relation discovery (model structure is static)
+    _relation_cache: dict[tuple[type, str, str], list[str]] = {}
+
     def __init__(
         self, model: type["ModelSerializer"] | models.Model, serializer_class=None
     ):
@@ -192,6 +195,7 @@ class ModelUtil:
         """
         return [field.name for field in self.model._meta.get_fields()]
 
+
     @property
     def model_name(self) -> str:
         """
@@ -518,6 +522,9 @@ class ModelUtil:
         """
         Discover reverse relation names for safe prefetching.
 
+        Performance: Results are cached per (model, serializer_class, is_for) tuple
+        since model structure is static.
+
         Parameters
         ----------
         is_for : Literal["read", "detail"]
@@ -528,9 +535,17 @@ class ModelUtil:
         list[str]
             Relation attribute names.
         """
+        # Check cache first (performance optimization)
+        cache_key = (self.model, str(self.serializer_class), is_for)
+        if cache_key in self._relation_cache:
+            return self._relation_cache[cache_key].copy()
+
         reverse_rels = self._get_read_optimizations(is_for).prefetch_related.copy()
         if reverse_rels:
+            # Cache and return
+            self._relation_cache[cache_key] = reverse_rels
             return reverse_rels
+
         serializable_fields = self._get_serializable_field_names(is_for)
         for f in serializable_fields:
             field_obj = getattr(self.model, f)
@@ -542,6 +557,9 @@ class ModelUtil:
                 continue
             if isinstance(field_obj, ReverseOneToOneDescriptor):
                 reverse_rels.append(field_obj.related.name)
+
+        # Cache the result
+        self._relation_cache[cache_key] = reverse_rels
         return reverse_rels
 
     def get_select_relateds(
@@ -550,6 +568,9 @@ class ModelUtil:
         """
         Discover forward relation names for safe select_related.
 
+        Performance: Results are cached per (model, serializer_class, is_for) tuple
+        since model structure is static.
+
         Parameters
         ----------
         is_for : Literal["read", "detail"]
@@ -560,9 +581,17 @@ class ModelUtil:
         list[str]
             Relation attribute names.
         """
+        # Check cache first (performance optimization)
+        cache_key = (self.model, str(self.serializer_class) + "_select", is_for)
+        if cache_key in self._relation_cache:
+            return self._relation_cache[cache_key].copy()
+
         select_rels = self._get_read_optimizations(is_for).select_related.copy()
         if select_rels:
+            # Cache and return
+            self._relation_cache[cache_key] = select_rels
             return select_rels
+
         serializable_fields = self._get_serializable_field_names(is_for)
         for f in serializable_fields:
             field_obj = getattr(self.model, f)
@@ -571,12 +600,17 @@ class ModelUtil:
                 continue
             if isinstance(field_obj, ForwardManyToOneDescriptor):
                 select_rels.append(f)
+
+        # Cache the result
+        self._relation_cache[cache_key] = select_rels
         return select_rels
 
-    async def _get_field(self, k: str):
+    async def _get_field(self, k: str) -> models.Field:
+        """Get Django field object for a given field name."""
         return (await agetattr(self.model, k)).field
 
-    def _decode_binary(self, payload: dict, k: str, v: Any, field_obj: models.Field):
+    def _decode_binary(self, payload: dict, k: str, v: Any, field_obj: models.Field) -> None:
+        """Decode base64-encoded binary field values in place."""
         if not isinstance(field_obj, models.BinaryField):
             return
         try:
@@ -591,7 +625,8 @@ class ModelUtil:
         k: str,
         v: Any,
         field_obj: models.Field,
-    ):
+    ) -> None:
+        """Resolve foreign key ID to model instance in place."""
         if not isinstance(field_obj, models.ForeignKey):
             return
         rel_util = ModelUtil(field_obj.related_model)
@@ -600,10 +635,11 @@ class ModelUtil:
 
     async def _bump_object_from_schema(
         self, obj: type["ModelSerializer"] | models.Model, schema: Schema
-    ):
+    ) -> dict:
+        """Convert model instance to dict using Pydantic schema."""
         return (await sync_to_async(schema.from_orm)(obj)).model_dump()
 
-    def _validate_read_params(self, request: HttpRequest, query_data: QuerySchema):
+    def _validate_read_params(self, request: HttpRequest, query_data: QuerySchema) -> None:
         """Validate required parameters for read operations."""
         if request is None:
             raise SerializeError(
@@ -667,12 +703,115 @@ class ModelUtil:
         obj = await self.get_object(request, query_data=query_data, is_for=is_for)
         return await self._bump_object_from_schema(obj, obj_schema)
 
+
+    def _collect_custom_and_optional_fields(
+        self, payload: dict, is_serializer: bool, serializer
+    ) -> tuple[dict[str, Any], list[str]]:
+        """
+        Collect custom and optional fields from payload.
+
+        Parameters
+        ----------
+        payload : dict
+            Input payload.
+        is_serializer : bool
+            Whether using a ModelSerializer.
+        serializer : ModelSerializer | Serializer
+            Serializer instance if applicable.
+
+        Returns
+        -------
+        tuple[dict[str, Any], list[str]]
+            (custom_fields_dict, optional_field_names)
+        """
+        customs: dict[str, Any] = {}
+        optionals: list[str] = []
+
+        if not is_serializer:
+            return customs, optionals
+
+        customs = {
+            k: v
+            for k, v in payload.items()
+            if serializer.is_custom(k) and k not in self.model_fields
+        }
+        optionals = [
+            k for k, v in payload.items() if serializer.is_optional(k) and v is None
+        ]
+
+        return customs, optionals
+
+    def _determine_skip_keys(
+        self, payload: dict, is_serializer: bool, serializer
+    ) -> set[str]:
+        """
+        Determine which keys to skip during model field processing.
+
+        Parameters
+        ----------
+        payload : dict
+            Input payload.
+        is_serializer : bool
+            Whether using a ModelSerializer.
+        serializer : ModelSerializer | Serializer
+            Serializer instance if applicable.
+
+        Returns
+        -------
+        set[str]
+            Set of keys to skip.
+        """
+        if not is_serializer:
+            return set()
+
+        skip_keys = {
+            k
+            for k, v in payload.items()
+            if (serializer.is_custom(k) and k not in self.model_fields)
+            or (serializer.is_optional(k) and v is None)
+        }
+        return skip_keys
+
+    async def _process_payload_fields(
+        self, request: HttpRequest, payload: dict, fields_to_process: list[tuple[str, Any]]
+    ) -> None:
+        """
+        Process payload fields: decode binary and resolve foreign keys.
+
+        Parameters
+        ----------
+        request : HttpRequest
+            HTTP request object.
+        payload : dict
+            Payload dict to modify in place.
+        fields_to_process : list[tuple[str, Any]]
+            List of (field_name, field_value) tuples to process.
+        """
+        if not fields_to_process:
+            return
+
+        # Fetch all field objects in parallel
+        field_tasks = [self._get_field(k) for k, _ in fields_to_process]
+        field_objs = await asyncio.gather(*field_tasks)
+
+        # Decode binary fields (synchronous, must be sequential)
+        for (k, v), field_obj in zip(fields_to_process, field_objs):
+            self._decode_binary(payload, k, v, field_obj)
+
+        # Resolve all FK fields in parallel
+        fk_tasks = [
+            self._resolve_fk(request, payload, k, v, field_obj)
+            for (k, v), field_obj in zip(fields_to_process, field_objs)
+        ]
+        await asyncio.gather(*fk_tasks)
+
     async def parse_input_data(self, request: HttpRequest, data: Schema):
         """
         Transform inbound schema data to a model-ready payload.
 
         Steps
         -----
+        - Validate fields against schema (including aliases and custom fields).
         - Strip custom fields (retain separately).
         - Drop optional fields with None (ModelSerializer only).
         - Decode BinaryField base64 values.
@@ -692,7 +831,7 @@ class ModelUtil:
         Raises
         ------
         SerializeError
-            On base64 decoding failure.
+            On base64 decoding failure or invalid field names.
         """
         payload = data.model_dump(mode="json")
 
@@ -701,36 +840,20 @@ class ModelUtil:
         )
         serializer = self.serializer if self.with_serializer else self.model
 
-        # Collect custom and optional fields (only if ModelSerializerMeta)
-        customs: dict[str, Any] = {}
-        optionals: list[str] = []
-        if is_serializer:
-            customs = {
-                k: v
-                for k, v in payload.items()
-                if serializer.is_custom(k) and k not in self.model_fields
-            }
-            optionals = [
-                k for k, v in payload.items() if serializer.is_optional(k) and v is None
-            ]
+        # Note: Field validation is handled by Pydantic during schema deserialization
+        # No additional validation needed here since data is already a validated Schema instance
 
-        skip_keys = set()
-        if is_serializer:
-            # Keys to skip during model field processing
-            skip_keys = {
-                k
-                for k, v in payload.items()
-                if (serializer.is_custom(k) and k not in self.model_fields)
-                or (serializer.is_optional(k) and v is None)
-            }
-
-        # Process payload fields
-        for k, v in payload.items():
-            if k in skip_keys:
-                continue
-            field_obj = await self._get_field(k)
-            self._decode_binary(payload, k, v, field_obj)
-            await self._resolve_fk(request, payload, k, v, field_obj)
+        # Collect custom and optional fields
+        customs, optionals = self._collect_custom_and_optional_fields(
+            payload, is_serializer, serializer
+        )
+
+        # Determine which keys to skip during model field processing
+        skip_keys = self._determine_skip_keys(payload, is_serializer, serializer)
+
+        # Process payload fields - gather field objects in parallel for better performance
+        fields_to_process = [(k, v) for k, v in payload.items() if k not in skip_keys]
+        await self._process_payload_fields(request, payload, fields_to_process)
 
         # Preserve original exclusion semantics (customs if present else optionals)
         exclude_keys = customs.keys() or optionals

ninja_aio/types.py

@@ -10,6 +10,44 @@ SCHEMA_TYPES = Literal["In", "Out", "Detail", "Patch", "Related"]
 VIEW_TYPES = Literal["list", "retrieve", "create", "update", "delete", "all"]
 JwtKeys: TypeAlias = jwk.RSAKey | jwk.ECKey | jwk.OctKey
 
+# Django ORM field lookup suffixes for QuerySet filtering
+# See: https://docs.djangoproject.com/en/stable/ref/models/querysets/#field-lookups
+DjangoLookup = Literal[
+    "exact",
+    "iexact",
+    "contains",
+    "icontains",
+    "in",
+    "gt",
+    "gte",
+    "lt",
+    "lte",
+    "startswith",
+    "istartswith",
+    "endswith",
+    "iendswith",
+    "range",
+    "date",
+    "year",
+    "iso_year",
+    "month",
+    "day",
+    "week",
+    "week_day",
+    "iso_week_day",
+    "quarter",
+    "time",
+    "hour",
+    "minute",
+    "second",
+    "isnull",
+    "regex",
+    "iregex",
+]
+
+# Set of valid Django lookup suffixes for runtime validation
+VALID_DJANGO_LOOKUPS: set[str] = set(DjangoLookup.__args__)
+
 
 class SerializerMeta(type):
     """Metaclass for serializers - extend with custom behavior as needed."""

ninja_aio/views/api.py

@@ -6,6 +6,7 @@ from ninja.pagination import paginate, AsyncPaginationBase, PageNumberPagination
 from django.http import HttpRequest
 from django.db.models import Model, QuerySet
 from django.conf import settings
+from django.core.exceptions import FieldDoesNotExist
 from pydantic import create_model
 
 from ninja_aio.schemas.helpers import ModelQuerySetSchema, QuerySchema, DecoratorsSchema
@@ -16,7 +17,7 @@ from ninja_aio.schemas import (
     M2MRelationSchema,
 )
 from ninja_aio.helpers.api import ManyToManyAPI
-from ninja_aio.types import ModelSerializerMeta, VIEW_TYPES
+from ninja_aio.types import ModelSerializerMeta, VIEW_TYPES, VALID_DJANGO_LOOKUPS
 from ninja_aio.decorators import unique_view, decorate_view, aatomic
 from ninja_aio.models import serializers
 
@@ -31,7 +32,7 @@ class API:
     auth: list | None = NOT_SET
     router: Router = None
 
-    def views(self):
+    def views(self) -> None:
         """
         Override this method to add your custom views. For example:
         @self.router.get(some_path, response=some_schema)
@@ -65,13 +66,15 @@ class API:
         """
         pass
 
-    def _add_views(self):
+    def _add_views(self) -> Router:
+        """Register views decorated with @api_register."""
         for name in dir(self.__class__):
             method = getattr(self.__class__, name)
             if hasattr(method, "_api_register"):
                 method._api_register(self)
+        return self.router
 
-    def add_views_to_route(self):
+    def add_views_to_route(self) -> Router:
         return self.api.add_router(f"{self.api_route_path}", self._add_views())
 
 
@@ -322,6 +325,98 @@ class APIViewSet(API):
             filter
         )
 
+    def _is_lookup_suffix(self, part: str) -> bool:
+        """
+        Check if a part is a valid Django lookup suffix.
+
+        Args:
+            part: The part to check
+
+        Returns:
+            bool: True if the part is a valid lookup suffix
+        """
+        return part in VALID_DJANGO_LOOKUPS
+
+    def _get_related_model(self, field):
+        """
+        Extract the related model from a field if it exists.
+
+        Args:
+            field: The Django field object
+
+        Returns:
+            Model class or None
+        """
+        if hasattr(field, 'related_model') and field.related_model:
+            return field.related_model
+        if hasattr(field, 'remote_field') and field.remote_field and hasattr(field.remote_field, 'model'):
+            return field.remote_field.model
+        return None
+
+    def _validate_non_relation_field(self, parts: list[str], i: int) -> bool:
+        """
+        Validate a non-relation field that appears before the end of the path.
+
+        Args:
+            parts: List of field path parts
+            i: Current index in parts
+
+        Returns:
+            bool: True if valid, False otherwise
+        """
+        if i >= len(parts) - 1:
+            return True
+        next_part = parts[i + 1]
+        return self._is_lookup_suffix(next_part)
+
+    def _validate_filter_field(self, field_path: str) -> bool:
+        """
+        Validate that a filter field path corresponds to valid model fields.
+
+        Security: Prevents field injection attacks by ensuring only valid model
+        fields can be used in filters.
+
+        Args:
+            field_path: The field path to validate (e.g., "name", "author__name")
+
+        Returns:
+            bool: True if the field path is valid, False otherwise
+
+        Examples:
+            "name" -> validates against direct model field
+            "author__name" -> validates author is a relation, then name on related model
+            "created_at__gte" -> validates created_at field, lookup suffix is allowed
+        """
+        if not field_path:
+            return False
+
+        parts = field_path.split('__')
+        current_model = self.model
+
+        # Iterate through the path, validating each part
+        for i, part in enumerate(parts):
+            # Check if this is the last part and might be a lookup suffix
+            is_last_part = i == len(parts) - 1
+            if is_last_part and self._is_lookup_suffix(part):
+                return True
+
+            try:
+                field = current_model._meta.get_field(part)
+            except (FieldDoesNotExist, AttributeError):
+                # Field doesn't exist on this model
+                return False
+
+            # If this is a relation field and not the last part, traverse to related model
+            related_model = self._get_related_model(field)
+            if related_model and not is_last_part:
+                current_model = related_model
+            elif not is_last_part:
+                # Non-relation field in the middle - must be followed by a lookup suffix
+                if not self._validate_non_relation_field(parts, i):
+                    return False
+
+        return True
+
     def _auth_view(self, view_type: str):
         """
         Resolve auth for a specific HTTP verb; falls back to self.auth if NOT_SET.
@@ -329,16 +424,20 @@ class APIViewSet(API):
         auth = getattr(self, f"{view_type}_auth", None)
         return auth if auth is not NOT_SET else self.auth
 
-    def get_view_auth(self):
+    def get_view_auth(self) -> list | None:
+        """Get authentication configuration for GET endpoints."""
         return self._auth_view("get")
 
-    def post_view_auth(self):
+    def post_view_auth(self) -> list | None:
+        """Get authentication configuration for POST endpoints."""
         return self._auth_view("post")
 
-    def patch_view_auth(self):
+    def patch_view_auth(self) -> list | None:
+        """Get authentication configuration for PATCH endpoints."""
         return self._auth_view("patch")
 
-    def delete_view_auth(self):
+    def delete_view_auth(self) -> list | None:
+        """Get authentication configuration for DELETE endpoints."""
         return self._auth_view("delete")
 
     def _generate_schema(self, fields: dict, name: str) -> Schema:
@@ -347,7 +446,7 @@ class APIViewSet(API):
         """
         return create_model(f"{self.model_util.model_name}{name}", **fields)
 
-    def _generate_path_schema(self):
+    def _generate_path_schema(self) -> Schema:
         """
         Schema containing only the primary key field for path resolution.
         """

ninja_aio/views/mixins.py

@@ -56,7 +56,9 @@ class IcontainsFilterViewSetMixin(APIViewSet):
             **{
                 f"{key}__icontains": value
                 for key, value in filters.items()
-                if isinstance(value, str) and not self._is_special_filter(key)
+                if isinstance(value, str)
+                and not self._is_special_filter(key)
+                and self._validate_filter_field(key)
             }
         )
 
@@ -98,7 +100,9 @@ class BooleanFilterViewSetMixin(APIViewSet):
             **{
                 key: value
                 for key, value in filters.items()
-                if isinstance(value, bool) and not self._is_special_filter(key)
+                if isinstance(value, bool)
+                and not self._is_special_filter(key)
+                and self._validate_filter_field(key)
             }
         )
 
@@ -140,7 +144,9 @@ class NumericFilterViewSetMixin(APIViewSet):
             **{
                 key: value
                 for key, value in filters.items()
-                if isinstance(value, (int, float)) and not self._is_special_filter(key)
+                if isinstance(value, (int, float))
+                and not self._is_special_filter(key)
+                and self._validate_filter_field(key)
             }
         )
 
@@ -182,7 +188,9 @@ class DateFilterViewSetMixin(APIViewSet):
             **{
                 f"{key}{self._compare_attr}": value
                 for key, value in filters.items()
-                if hasattr(value, "isoformat") and not self._is_special_filter(key)
+                if hasattr(value, "isoformat")
+                and not self._is_special_filter(key)
+                and self._validate_filter_field(key)
             }
         )
 
@@ -341,7 +349,8 @@ class RelationFilterViewSetMixin(APIViewSet):
         rel_filters = {}
         for rel_filter in self.relations_filters:
             value = filters.get(rel_filter.query_param)
-            if value is not None:
+            # Validate the configured query_filter path for security
+            if value is not None and self._validate_filter_field(rel_filter.query_filter):
                 rel_filters[rel_filter.query_filter] = value
         return base_qs.filter(**rel_filters) if rel_filters else base_qs
 
@@ -406,8 +415,15 @@ class MatchCaseFilterViewSetMixin(APIViewSet):
                     filter_match.cases.true if value else filter_match.cases.false
                 )
                 lookup = case_filter.query_filter
-                if case_filter.include:
-                    base_qs = base_qs.filter(**lookup)
-                else:
-                    base_qs = base_qs.exclude(**lookup)
+                # Validate all filter fields in the lookup dictionary for security
+                validated_lookup = {
+                    k: v
+                    for k, v in lookup.items()
+                    if self._validate_filter_field(k)
+                }
+                if validated_lookup:
+                    if case_filter.include:
+                        base_qs = base_qs.filter(**validated_lookup)
+                    else:
+                        base_qs = base_qs.exclude(**validated_lookup)
         return base_qs