easyapi-django 0.30__tar.gz → 0.32__tar.gz

{easyapi_django-0.30/easyapi_django.egg-info → easyapi_django-0.32}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: easyapi_django
-Version: 0.30
+Version: 0.32
 Summary: A simple rest api generator for django based on models
 Author-email: Stamatios Stamou Jr <bushier.outsets.0c@icloud.com>
 License: MIT
@@ -278,12 +278,15 @@ class TaskResource(BaseResource):
     cache_scope_fields = ['space_id', ('account', 'plan_id')]
 ```
 
-Strict by default: if the request has authenticated context but a
-configured field is **missing** from the session payload, the request
-fails with `HTTPException(500)` instead of silently merging caches
-across scopes. Anonymous requests skip the fold. `None`, `0` and `''`
-count as present (a real value). Use `before_cache` for the rare case
-that needs context outside `self.user` / `self.account`:
+Lenient by default: if the request has authenticated context but a
+configured field is **missing** from the session payload, the framework
+logs a `WARNING` (logger `easyapi.base`) and **skips the scope fold** —
+the request still serves, the cache may be shared across scopes until
+the operator updates the session payload. Anonymous requests also skip
+the fold. `None`, `0` and `''` count as present (a real value).
+
+Use `before_cache` for the rare case that needs context outside
+`self.user` / `self.account`:
 
 ```python
 async def before_cache(self, request):

{easyapi_django-0.30 → easyapi_django-0.32}/README.md

@@ -251,12 +251,15 @@ class TaskResource(BaseResource):
     cache_scope_fields = ['space_id', ('account', 'plan_id')]
 ```
 
-Strict by default: if the request has authenticated context but a
-configured field is **missing** from the session payload, the request
-fails with `HTTPException(500)` instead of silently merging caches
-across scopes. Anonymous requests skip the fold. `None`, `0` and `''`
-count as present (a real value). Use `before_cache` for the rare case
-that needs context outside `self.user` / `self.account`:
+Lenient by default: if the request has authenticated context but a
+configured field is **missing** from the session payload, the framework
+logs a `WARNING` (logger `easyapi.base`) and **skips the scope fold** —
+the request still serves, the cache may be shared across scopes until
+the operator updates the session payload. Anonymous requests also skip
+the fold. `None`, `0` and `''` count as present (a real value).
+
+Use `before_cache` for the rare case that needs context outside
+`self.user` / `self.account`:
 
 ```python
 async def before_cache(self, request):

{easyapi_django-0.30 → easyapi_django-0.32}/easyapi/base.py

@@ -393,18 +393,21 @@ class BaseResource(View):
         for source, field in self.cache_scope_fields:
             container = sources.get(source)
             if container is None:
-                raise HTTPException(
-                    500,
-                    f"Cache scope source {source!r} missing from session "
-                    f"for {self.__class__.__name__}",
+                logger.warning(
+                    "cache scope source %r missing from session for %s; "
+                    "skipping scope fold (cache may be shared across "
+                    "scopes — populate the session payload to fix)",
+                    source, self.__class__.__name__,
                 )
+                return None
             if field not in container:
-                raise HTTPException(
-                    500,
-                    f"Cache scope field {field!r} missing from "
-                    f"{source} session payload for "
-                    f"{self.__class__.__name__}",
+                logger.warning(
+                    "cache scope field %r missing from %s session payload "
+                    "for %s; skipping scope fold (cache may be shared "
+                    "across scopes — populate the session payload to fix)",
+                    field, source, self.__class__.__name__,
                 )
+                return None
             parts.append(f'{source}.{field}={container[field]!r}')
 
         digest = hashlib.md5(':'.join(parts).encode('utf-8')).hexdigest()[:16]
@@ -514,6 +517,33 @@ class BaseResource(View):
             )
 
     async def dispatch(self, request, *args, **kwargs) -> None:
+        """Outer wrapper — guarantees unhandled exceptions never reach
+        the wire silently. ``HTTPException`` re-raises (rendered by
+        :class:`ExceptionMiddleware`); anything else gets logged with
+        full traceback and returns a sanitized JSON 500.
+
+        Without this net, exceptions from ``_authenticate``, ``aset_tenant``,
+        ``_serve_cache``, ``pre_process``, ``_parse_body``, ``build_filters``
+        or ``serialize`` bubbled to Django's default async handler with no
+        easyapi-side log — Sentry stayed empty and operators were blind.
+        """
+        try:
+            return await self._dispatch(request, *args, **kwargs)
+        except HTTPException:
+            raise
+        except Exception:
+            logger.exception(
+                'Unhandled error in dispatch %s %s',
+                request.method, request.path,
+            )
+            if getattr(django_settings, 'DEBUG', False):
+                raise
+            return JsonResponse(
+                {'success': False, 'status': 500, 'detail': 'Internal error'},
+                status=500,
+            )
+
+    async def _dispatch(self, request, *args, **kwargs) -> None:
         self.identifier = get_client_ip(request)
 
         await self._enforce_rate_limit(request)

easyapi_django-0.32/easyapi/exception.py

@@ -0,0 +1,24 @@
+import logging
+
+from django.http import JsonResponse
+
+logger = logging.getLogger(__name__)
+
+
+class HTTPException(Exception):
+
+    def render(self, exception):
+        (status, detail) = exception.args
+        # 5xx is a server-side problem — emit a logged stack trace so the
+        # response body is not the only signal. Without this, every
+        # ``raise HTTPException(500, ...)`` was invisible to logs/Sentry
+        # and operators had to guess from black-box symptoms.
+        if isinstance(status, int) and status >= 500:
+            logger.exception(
+                'HTTPException %s: %s', status, detail,
+                exc_info=exception,
+            )
+        return JsonResponse(
+            {'success': False, 'status': status, 'detail': detail},
+            status=status,
+        )

{easyapi_django-0.30 → easyapi_django-0.32}/easyapi/rate_limit.py

@@ -1,8 +1,12 @@
+import logging
 import time
+
 from redis import StrictRedis
 
 from .redis_config import REDIS_SERVER, REDIS_DB, KEY_PREFIX
 
+logger = logging.getLogger(__name__)
+
 
 class RateLimit(StrictRedis):
     def __init__(self):
@@ -30,7 +34,15 @@ class RateLimit(StrictRedis):
         return {"blocked": False}
 
     def track_pattern(self, identifier, action="abuse"):
-        """Detect regular request patterns indicative of abuse."""
+        """Detect regular request patterns indicative of abuse.
+
+        Reports the signal but does NOT auto-write a block key. Frontends
+        retrying after a server-side error look identical to a bot when
+        you only consider request timing — auto-blocking that traffic
+        locked legitimate users out and was opaque to debug. Callers may
+        decide to escalate based on the returned ``suspicious`` flag plus
+        other signals (e.g. authenticated identity, response codes).
+        """
         pattern_key = f"{KEY_PREFIX}rate_limit:pattern:{action}:{identifier}"
         now = self.current_milli_time()
         last_req = self.get(f"{pattern_key}:last")
@@ -50,8 +62,11 @@ class RateLimit(StrictRedis):
             mean = sum(intervals) / len(intervals)
             variance = sum((x - mean) ** 2 for x in intervals) / len(intervals)
             if variance < 100:
-                block_key = f"{KEY_PREFIX}block:{action}:{identifier}"
-                self.setex(block_key, 300, "suspicious")
+                logger.warning(
+                    'rate_limit: suspicious request pattern from %s '
+                    '(action=%s, mean_interval_ms=%.0f, variance=%.2f)',
+                    identifier, action, mean, variance,
+                )
                 return {"suspicious": True, "reason": "Regular request intervals"}
         return {"suspicious": False}
 
@@ -69,9 +84,13 @@ class RateLimit(StrictRedis):
             return {"rate_limited": True, "abuse": False, "blocked": True}
 
         if action in ["api", "login"]:
-            pattern_result = self.track_pattern(identifier, "abuse")
-            if pattern_result["suspicious"]:
-                return {"rate_limited": True, "abuse": True, "reason": pattern_result["reason"]}
+            # Pattern detection is recorded for observability but no
+            # longer short-circuits to ``abuse=True``. Timing-only
+            # signals caught legitimate retry traffic (frontends
+            # retrying after server-side errors look identical to bots
+            # when judged by intervals alone). Real abuse is caught by
+            # the count thresholds below; pattern alone goes to logs.
+            self.track_pattern(identifier, "abuse")
 
         now = self.current_milli_time()
         type_to_check = action

{easyapi_django-0.30 → easyapi_django-0.32/easyapi_django.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: easyapi_django
-Version: 0.30
+Version: 0.32
 Summary: A simple rest api generator for django based on models
 Author-email: Stamatios Stamou Jr <bushier.outsets.0c@icloud.com>
 License: MIT
@@ -278,12 +278,15 @@ class TaskResource(BaseResource):
     cache_scope_fields = ['space_id', ('account', 'plan_id')]
 ```
 
-Strict by default: if the request has authenticated context but a
-configured field is **missing** from the session payload, the request
-fails with `HTTPException(500)` instead of silently merging caches
-across scopes. Anonymous requests skip the fold. `None`, `0` and `''`
-count as present (a real value). Use `before_cache` for the rare case
-that needs context outside `self.user` / `self.account`:
+Lenient by default: if the request has authenticated context but a
+configured field is **missing** from the session payload, the framework
+logs a `WARNING` (logger `easyapi.base`) and **skips the scope fold** —
+the request still serves, the cache may be shared across scopes until
+the operator updates the session payload. Anonymous requests also skip
+the fold. `None`, `0` and `''` count as present (a real value).
+
+Use `before_cache` for the rare case that needs context outside
+`self.user` / `self.account`:
 
 ```python
 async def before_cache(self, request):

{easyapi_django-0.30 → easyapi_django-0.32}/easyapi_django.egg-info/SOURCES.txt

@@ -50,6 +50,7 @@ tests/test_cache_auto_account_scope.py
 tests/test_cache_scope.py
 tests/test_client_ip.py
 tests/test_dispatch_error_handling.py
+tests/test_exception_render.py
 tests/test_exports.py
 tests/test_filter_validation.py
 tests/test_filters.py

{easyapi_django-0.30 → easyapi_django-0.32}/pyproject.toml

@@ -11,7 +11,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "easyapi_django"
-version = "0.30"
+version = "0.32"
 authors = [
   { name="Stamatios Stamou Jr", email="bushier.outsets.0c@icloud.com" },
 ]

{easyapi_django-0.30 → easyapi_django-0.32}/tests/test_cache_scope.py

@@ -154,28 +154,44 @@ def test_multiple_dimensions_combine():
     assert a._build_cache_key(_request(), None) != b._build_cache_key(_request(), None)
 
 
-# ── strict semantics ───────────────────────────────────────────────
+# ── lenient semantics (warn + skip fold, never 500) ────────────────
 
 
-def test_authenticated_user_missing_field_raises_500():
+def test_missing_field_logs_warning_and_skips_fold(caplog):
+    """Missing scope field on authenticated request must not block the
+    request — silent leak between scopes is preferable to taking the
+    site down. Operators see a warning to fix the session payload."""
+    import logging as _logging
+
     class _R(_Resource):
         cache_scope_fields = ['space_id']
     res = _make(_R, user={'id': 1})  # space_id NOT in user
-    with pytest.raises(HTTPException) as exc:
-        res._build_cache_key(_request(), None)
-    assert exc.value.args[0] == 500
-    assert 'space_id' in exc.value.args[1]
 
+    with caplog.at_level(_logging.WARNING, logger='easyapi.base'):
+        key = res._build_cache_key(_request(), None)
+
+    assert 'scope=' not in key  # fold skipped
+    records = [r for r in caplog.records if r.name == 'easyapi.base']
+    assert records, 'expected a warning when scope field is missing'
+    msg = records[0].getMessage()
+    assert 'space_id' in msg
+    assert '_R' in msg or 'class' in msg.lower()
+
+
+def test_missing_account_source_logs_warning_and_skips_fold(caplog):
+    import logging as _logging
 
-def test_authenticated_user_missing_account_source_raises_500():
-    """User present, account expected but absent — refuses to cache."""
     class _R(_Resource):
         cache_scope_fields = [('account', 'plan_id')]
     res = _make(_R, user={'id': 1}, account=None)
-    with pytest.raises(HTTPException) as exc:
-        res._build_cache_key(_request(), None)
-    assert exc.value.args[0] == 500
-    assert 'account' in exc.value.args[1]
+
+    with caplog.at_level(_logging.WARNING, logger='easyapi.base'):
+        key = res._build_cache_key(_request(), None)
+
+    assert 'scope=' not in key
+    records = [r for r in caplog.records if r.name == 'easyapi.base']
+    assert records
+    assert 'account' in records[0].getMessage()
 
 
 # ── coexistence with session_cache ─────────────────────────────────

easyapi_django-0.32/tests/test_exception_render.py

@@ -0,0 +1,69 @@
+"""HTTPException.render must log 5xx errors so Sentry / log aggregators
+see them. Silent 5xx renders were the root of an opaque-error incident
+in production."""
+import json
+import logging
+
+import pytest
+
+from easyapi.exception import HTTPException
+
+
+def _render(status, detail='boom'):
+    exc = HTTPException(status, detail)
+    response = exc.render(exc)
+    body = json.loads(response.content.decode('utf-8'))
+    return response, body
+
+
+def test_500_logs_exception(caplog):
+    with caplog.at_level(logging.ERROR, logger='easyapi.exception'):
+        response, body = _render(500, 'database unreachable')
+
+    assert response.status_code == 500
+    assert body == {'success': False, 'status': 500, 'detail': 'database unreachable'}
+
+    records = [r for r in caplog.records if r.name == 'easyapi.exception']
+    assert records, 'expected a log record for 500 render'
+    record = records[0]
+    assert record.levelno == logging.ERROR
+    assert '500' in record.getMessage()
+    assert 'database unreachable' in record.getMessage()
+    # exc_info attached so traceback is preserved for Sentry-style sinks
+    assert record.exc_info is not None
+
+
+def test_503_also_logs(caplog):
+    with caplog.at_level(logging.ERROR, logger='easyapi.exception'):
+        _render(503, 'upstream down')
+    records = [r for r in caplog.records if r.name == 'easyapi.exception']
+    assert records, '5xx other than 500 must also log'
+
+
+def test_400_does_not_log(caplog):
+    """4xx is client-side; no log noise — they're routine."""
+    with caplog.at_level(logging.DEBUG, logger='easyapi.exception'):
+        response, body = _render(400, 'bad input')
+    assert response.status_code == 400
+    records = [r for r in caplog.records if r.name == 'easyapi.exception']
+    assert not records
+
+
+def test_403_does_not_log(caplog):
+    with caplog.at_level(logging.DEBUG, logger='easyapi.exception'):
+        _render(403, 'forbidden')
+    records = [r for r in caplog.records if r.name == 'easyapi.exception']
+    assert not records
+
+
+def test_404_does_not_log(caplog):
+    with caplog.at_level(logging.DEBUG, logger='easyapi.exception'):
+        _render(404, 'not found')
+    records = [r for r in caplog.records if r.name == 'easyapi.exception']
+    assert not records
+
+
+def test_response_body_unchanged_for_5xx():
+    """Logging is additive — must not change the wire response."""
+    response, body = _render(500, 'something')
+    assert body == {'success': False, 'status': 500, 'detail': 'something'}

easyapi_django-0.30/easyapi/exception.py

@@ -1,11 +0,0 @@
-from django.http import JsonResponse
-
-
-class HTTPException(Exception):
-
-    def render(self, exception):
-        (status, detail) = exception.args
-        return JsonResponse(
-            {'success': False, 'status': status, 'detail': detail},
-            status=status,
-        )