PyPI - hawkapi-sqlalchemy - Versions diffs - 0.1.0__tar.gz → 0.2.0__tar.gz - Mend

hawkapi-sqlalchemy 0.1.0tar.gz → 0.2.0tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (28) hide show

{hawkapi_sqlalchemy-0.1.0 → hawkapi_sqlalchemy-0.2.0}/CHANGELOG.md RENAMED Viewed

@@ -1,5 +1,25 @@
 # Changelog
+## 0.2.0 — 2026-05-16
+Security hardening.
+### Breaking
+- `open_session(app, *, name=...)` no longer accepts a `commit` parameter.
+  It was silently ignored — callers expecting auto-commit ran without one.
+  Manage the session lifecycle (close/commit/rollback) yourself.
+### Changed
+- `Database.get` emits a WARNING when a non-`primary` engine is requested
+  but only `primary` is registered, so silently-misrouted replicas are
+  discoverable from logs.
+- `run_migrations` raises a clear `RuntimeError` instead of nested-loop
+  errors when invoked from inside a running event loop.
+- The active-database registry uses `WeakKeyDictionary` to eliminate the
+  `id(app)` ABA hazard.
 ## 0.1.0 — 2026-05-16
 Initial release.

{hawkapi_sqlalchemy-0.1.0 → hawkapi_sqlalchemy-0.2.0}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: hawkapi-sqlalchemy
-Version: 0.1.0
+Version: 0.2.0
 Summary: SQLAlchemy integration for HawkAPI — async sessions, multi-database routing, Alembic helpers, pytest fixtures
 Project-URL: Homepage, https://pypi.org/project/hawkapi-sqlalchemy/
 Project-URL: Repository, https://github.com/ashimov/hawkapi-sqlalchemy

{hawkapi_sqlalchemy-0.1.0 → hawkapi_sqlalchemy-0.2.0}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "hawkapi-sqlalchemy"
-version = "0.1.0"
+version = "0.2.0"
 description = "SQLAlchemy integration for HawkAPI — async sessions, multi-database routing, Alembic helpers, pytest fixtures"
 readme = "README.md"
 license = { file = "LICENSE" }

{hawkapi_sqlalchemy-0.1.0 → hawkapi_sqlalchemy-0.2.0}/src/hawkapi_sqlalchemy/__init__.py RENAMED Viewed

@@ -14,7 +14,7 @@ from ._models import Base, DataclassBase, TimestampMixin, UUIDMixin
 from ._session import get_replica_session, get_session, open_session, session_for
 from ._testing import temporary_database, temporary_session
-__version__ = "0.1.0"
+__version__ = "0.2.0"
 __all__ = [
     "Base",

{hawkapi_sqlalchemy-0.1.0 → hawkapi_sqlalchemy-0.2.0}/src/hawkapi_sqlalchemy/_alembic.py RENAMED Viewed

@@ -56,6 +56,16 @@ def run_migrations(
             context.run_migrations()
         return
+    # ``asyncio.run`` cannot be invoked from inside a running loop — produce a
+    # clear error rather than the obscure RuntimeError that nested loops give.
+    try:
+        asyncio.get_running_loop()
+    except RuntimeError:
+        running = False
+    else:
+        running = True
+    if running:
+        raise RuntimeError("run_migrations must be called from a non-async context")
     asyncio.run(_run_online(target_metadata, url, compare_type, render_as_batch, configure_kwargs))

{hawkapi_sqlalchemy-0.1.0 → hawkapi_sqlalchemy-0.2.0}/src/hawkapi_sqlalchemy/_database.py RENAMED Viewed

@@ -12,15 +12,20 @@ and ask for them by name via :func:`get_session(name=...)`.
 from __future__ import annotations
+import contextlib
+import logging
 from collections.abc import AsyncGenerator
 from contextlib import asynccontextmanager
 from dataclasses import dataclass, field
 from typing import Any
+from weakref import WeakKeyDictionary
 from sqlalchemy.ext.asyncio import AsyncSession
 from ._engine import DatabaseConfig, Engine, create_engine
+logger = logging.getLogger("hawkapi_sqlalchemy")
 @dataclass
 class Database:
@@ -35,7 +40,10 @@ class Database:
         if name in self.engines:
             return self.engines[name]
         if name != "primary" and "primary" in self.engines:
-            # Fall back to primary for replicas / analytics shards that are not configured.
+            # Fall back to primary for replicas / analytics shards that are not
+            # configured. Warn so misconfigured replicas don't silently route
+            # to the primary forever (CWE-440-ish).
+            logger.warning("falling back to primary for engine %r — not configured", name)
             return self.engines["primary"]
         raise KeyError(f"no engine registered under {name!r}")
@@ -68,7 +76,9 @@ class _StateNamespace:
     db: Any
-_ACTIVE_DATABASES: dict[int, Database] = {}
+# WeakKeyDictionary avoids the ``id(app)`` ABA hazard if an app is GC'd and
+# Python reuses the address for a new object.
+_ACTIVE_DATABASES: WeakKeyDictionary[Any, Database] = WeakKeyDictionary()
 _LAST_DATABASE: list[Database | None] = [None]
@@ -106,7 +116,8 @@ def init_database(
     if getattr(app, "state", None) is None:
         app.state = _StateNamespace()
     app.state.db = database
-    _ACTIVE_DATABASES[id(app)] = database
+    with contextlib.suppress(TypeError):
+        _ACTIVE_DATABASES[app] = database
     _LAST_DATABASE[0] = database
     if dispose_on_shutdown and hasattr(app, "on_shutdown"):
@@ -121,7 +132,10 @@ def init_database(
 def resolve_database(app: Any) -> Database | None:
     if app is None:
         return _LAST_DATABASE[0]
-    db = _ACTIVE_DATABASES.get(id(app))
+    try:
+        db = _ACTIVE_DATABASES.get(app)
+    except TypeError:
+        db = None
     if db is not None:
         return db
     state = getattr(app, "state", None)

{hawkapi_sqlalchemy-0.1.0 → hawkapi_sqlalchemy-0.2.0}/src/hawkapi_sqlalchemy/_session.py RENAMED Viewed

@@ -51,13 +51,18 @@ async def _session_iter(
 # Helper for non-handler code — e.g. background workers.
-async def open_session(app: Any, *, name: str = "primary", commit: bool = True) -> AsyncSession:
-    """Open a raw session without going through DI. Caller is responsible for closing it."""
+async def open_session(app: Any, *, name: str = "primary") -> AsyncSession:
+    """Open a raw session without going through DI.
+    The caller owns the session lifecycle — close, commit, and rollback are the
+    caller's responsibility. This API intentionally has no ``commit`` flag:
+    historically one was accepted but ignored, which encouraged callers to
+    assume auto-commit semantics that never existed (CWE-400).
+    """
     db = resolve_database(app)
     if db is None:
         raise RuntimeError("Database not configured — call init_database(app, ...) first")
     engine = db.get(name)
-    _ = commit  # callers manage commit themselves
     return engine.sessionmaker()

{hawkapi_sqlalchemy-0.1.0 → hawkapi_sqlalchemy-0.2.0}/tests/test_plugin.py RENAMED Viewed

@@ -96,7 +96,7 @@ def test_get_session_500_when_not_configured() -> None:
     saved = _d._LAST_DATABASE[0]
     _d._LAST_DATABASE[0] = None
-    _d._ACTIVE_DATABASES.pop(id(app), None)
+    _d._ACTIVE_DATABASES.pop(app, None)
     try:
         client = TestClient(app)
         r = client.get("/x")

hawkapi_sqlalchemy-0.2.0/tests/test_security.py ADDED Viewed

@@ -0,0 +1,41 @@
+"""Regression tests for 0.2.0 hardening fixes."""
+from __future__ import annotations
+import logging
+import pytest
+from hawkapi import HawkAPI
+from hawkapi_sqlalchemy import (
+    Database,
+    DatabaseConfig,
+    init_database,
+    open_session,
+)
+def test_open_session_no_commit_param() -> None:
+    """The misleading ``commit`` kwarg must be gone."""
+    app = HawkAPI(openapi_url=None, docs_url=None, redoc_url=None, scalar_url=None)
+    init_database(app, url="sqlite+aiosqlite:///:memory:")
+    import asyncio
+    async def _go() -> None:
+        with pytest.raises(TypeError):
+            await open_session(app, commit=True)  # type: ignore[call-arg]
+    asyncio.run(_go())
+def test_replica_fallback_warns(caplog: pytest.LogCaptureFixture) -> None:
+    """Looking up an unregistered engine must log a WARNING when it falls back."""
+    db = Database()
+    db.add("primary", DatabaseConfig(url="sqlite+aiosqlite:///:memory:"))
+    with caplog.at_level(logging.WARNING, logger="hawkapi_sqlalchemy"):
+        engine = db.get("replica")
+    assert engine is db.engines["primary"]
+    assert any("falling back to primary" in record.message for record in caplog.records), [
+        r.message for r in caplog.records
+    ]

{hawkapi_sqlalchemy-0.1.0 → hawkapi_sqlalchemy-0.2.0}/uv.lock RENAMED Viewed

@@ -147,7 +147,7 @@ wheels = [
 [[package]]
 name = "hawkapi-sqlalchemy"
-version = "0.1.0"
+version = "0.2.0"
 source = { editable = "." }
 dependencies = [
     { name = "aiosqlite" },