mdb-engine 0.1.6__py3-none-any.whl → 0.4.12__py3-none-any.whl

mdb_engine/auth/dependencies.py

@@ -9,14 +9,17 @@ This module is part of MDB_ENGINE - MongoDB Engine.
 import logging
 import os
 import uuid
+from collections.abc import Mapping
 from datetime import datetime, timedelta
-from typing import Any, Dict, Mapping, Optional, Tuple
+from typing import Any
 
 import jwt
 from fastapi import Cookie, Depends, HTTPException, Request, status
+from pymongo.errors import PyMongoError
 
 from ..exceptions import ConfigurationError
 from .jwt import decode_jwt_token, extract_token_metadata
+
 # Import from local modules
 from .provider import AuthorizationProvider
 from .session_manager import SessionManager
@@ -24,7 +27,7 @@ from .token_store import TokenBlacklist
 
 logger = logging.getLogger(__name__)
 
-_SECRET_KEY_CACHE: Optional[str] = None
+_SECRET_KEY_CACHE: str | None = None
 
 
 def _get_secret_key() -> str:
@@ -39,15 +42,20 @@ def _get_secret_key() -> str:
     if _SECRET_KEY_CACHE is not None:
         return _SECRET_KEY_CACHE
 
-    secret_key = os.environ.get("FLASK_SECRET_KEY") or os.environ.get("SECRET_KEY")
+    secret_key = (
+        os.environ.get("FLASK_SECRET_KEY")
+        or os.environ.get("SECRET_KEY")
+        or os.environ.get("APP_SECRET_KEY")
+    )
 
     if not secret_key:
         raise ConfigurationError(
-            "FLASK_SECRET_KEY environment variable is required for JWT token security. "
-            "Set a strong secret key (minimum 32 characters, cryptographically random). "
-            "Example: export FLASK_SECRET_KEY=$(python -c "
+            "SECRET_KEY environment variable is required for JWT token security. "
+            "Set FLASK_SECRET_KEY, SECRET_KEY, or APP_SECRET_KEY with a strong secret key "
+            "(minimum 32 characters, cryptographically random). "
+            "Example: export SECRET_KEY=$(python -c "
             "'import secrets; print(secrets.token_urlsafe(32))')",
-            config_key="FLASK_SECRET_KEY",
+            config_key="SECRET_KEY",
         )
 
     if len(secret_key) < 32:
@@ -87,7 +95,7 @@ def _get_secret_key_value() -> str:
 SECRET_KEY = _SecretKey()
 
 
-def _validate_next_url(next_url: Optional[str]) -> str:
+def _validate_next_url(next_url: str | None) -> str:
     """
     Sanitizes a 'next' URL parameter to prevent Open Redirect vulnerabilities.
     """
@@ -120,7 +128,7 @@ async def get_authz_provider(request: Request) -> AuthorizationProvider:
     return provider
 
 
-async def get_token_blacklist(request: Request) -> Optional[TokenBlacklist]:
+async def get_token_blacklist(request: Request) -> TokenBlacklist | None:
     """
     FastAPI Dependency: Retrieves token blacklist from app.state.
 
@@ -130,7 +138,7 @@ async def get_token_blacklist(request: Request) -> Optional[TokenBlacklist]:
     return blacklist
 
 
-async def get_session_manager(request: Request) -> Optional[SessionManager]:
+async def get_session_manager(request: Request) -> SessionManager | None:
     """
     FastAPI Dependency: Retrieves session manager from app.state.
 
@@ -142,8 +150,8 @@ async def get_session_manager(request: Request) -> Optional[SessionManager]:
 
 async def get_current_user(
     request: Request,
-    token: Optional[str] = Cookie(default=None),
-) -> Optional[Dict[str, Any]]:
+    token: str | None = Cookie(default=None),
+) -> dict[str, Any] | None:
     """
     FastAPI Dependency: Decodes and validates the JWT stored in the 'token' cookie.
 
@@ -164,9 +172,7 @@ async def get_current_user(
             if blacklist:
                 is_revoked = await blacklist.is_revoked(jti)
                 if is_revoked:
-                    logger.info(
-                        f"get_current_user: Token {jti} is blacklisted (revoked)"
-                    )
+                    logger.info(f"get_current_user: Token {jti} is blacklisted (revoked)")
                     return None
 
                 # Also check user-level revocation
@@ -174,9 +180,7 @@ async def get_current_user(
                 if user_id:
                     user_revoked = await blacklist.is_user_revoked(user_id)
                     if user_revoked:
-                        logger.info(
-                            f"get_current_user: All tokens for user {user_id} are revoked"
-                        )
+                        logger.info(f"get_current_user: All tokens for user {user_id} are revoked")
                         return None
 
         payload = decode_jwt_token(token, str(SECRET_KEY))
@@ -184,9 +188,7 @@ async def get_current_user(
         # Verify token type (should be access token for backward compatibility, or no type)
         token_type = payload.get("type")
         if token_type and token_type not in ("access", None):
-            logger.warning(
-                f"get_current_user: Invalid token type '{token_type}' for access token"
-            )
+            logger.warning(f"get_current_user: Invalid token type '{token_type}' for access token")
             return None
 
         logger.debug(
@@ -203,13 +205,15 @@ async def get_current_user(
     except (ValueError, TypeError):
         logger.exception("Validation error decoding JWT token")
         return None
-    except Exception:
-        logger.exception("Unexpected error decoding JWT token")
-        # Re-raise unexpected errors for debugging
-        raise
+    except PyMongoError:
+        logger.exception("Database error checking token blacklist")
+        return None
+    except (AttributeError, KeyError):
+        logger.exception("State access error in get_current_user")
+        return None
 
 
-async def get_current_user_from_request(request: Request) -> Optional[Dict[str, Any]]:
+async def get_current_user_from_request(request: Request) -> dict[str, Any] | None:
     """
     Helper function to get current user from a Request object.
     This is useful when you need to call get_current_user outside of FastAPI dependency injection.
@@ -276,16 +280,18 @@ async def get_current_user_from_request(request: Request) -> Optional[Dict[str,
     except (ValueError, TypeError):
         logger.exception("Validation error decoding JWT token from request")
         return None
-    except Exception:
-        logger.exception("Unexpected error decoding JWT token from request")
-        # Re-raise unexpected errors for debugging
-        raise
+    except PyMongoError:
+        logger.exception("Database error checking token blacklist from request")
+        return None
+    except (AttributeError, KeyError):
+        logger.exception("State access error in get_current_user_from_request")
+        return None
 
 
 async def get_refresh_token(
     request: Request,
-    refresh_token: Optional[str] = Cookie(default=None),
-) -> Optional[Dict[str, Any]]:
+    refresh_token: str | None = Cookie(default=None),
+) -> dict[str, Any] | None:
     """
     FastAPI Dependency: Validates refresh token from cookie.
 
@@ -314,9 +320,7 @@ async def get_refresh_token(
             if blacklist:
                 is_revoked = await blacklist.is_revoked(jti)
                 if is_revoked:
-                    logger.info(
-                        f"get_refresh_token: Refresh token {jti} is blacklisted"
-                    )
+                    logger.info(f"get_refresh_token: Refresh token {jti} is blacklisted")
                     return None
 
         payload = decode_jwt_token(refresh_token, str(SECRET_KEY))
@@ -350,13 +354,9 @@ async def get_refresh_token(
                 if stored_fingerprint:
                     from .utils import generate_session_fingerprint
 
-                    device_id = request.cookies.get("device_id") or payload.get(
-                        "device_id"
-                    )
+                    device_id = request.cookies.get("device_id") or payload.get("device_id")
                     if device_id:
-                        current_fingerprint = generate_session_fingerprint(
-                            request, device_id
-                        )
+                        current_fingerprint = generate_session_fingerprint(request, device_id)
                         if current_fingerprint != stored_fingerprint:
                             logger.warning(
                                 f"get_refresh_token: Session fingerprint mismatch "
@@ -377,16 +377,18 @@ async def get_refresh_token(
     except (ValueError, TypeError):
         logger.exception("Validation error decoding refresh token")
         return None
-    except Exception:
-        logger.exception("Unexpected error decoding refresh token")
-        # Re-raise unexpected errors for debugging
-        raise
+    except PyMongoError:
+        logger.exception("Database error checking refresh token")
+        return None
+    except (AttributeError, KeyError):
+        logger.exception("State access error in get_refresh_token")
+        return None
 
 
 async def require_admin(
-    user: Optional[Mapping[str, Any]] = Depends(get_current_user),
+    user: Mapping[str, Any] | None = Depends(get_current_user),
     authz: AuthorizationProvider = Depends(get_authz_provider),
-) -> Dict[str, Any]:
+) -> dict[str, Any]:
     """
     FastAPI Dependency: Enforces admin privileges via the pluggable AuthZ provider.
     """
@@ -420,9 +422,9 @@ async def require_admin(
 
 
 async def require_admin_or_developer(
-    user: Optional[Mapping[str, Any]] = Depends(get_current_user),
+    user: Mapping[str, Any] | None = Depends(get_current_user),
     authz: AuthorizationProvider = Depends(get_authz_provider),
-) -> Dict[str, Any]:
+) -> dict[str, Any]:
     """
     FastAPI Dependency: Enforces admin OR developer privileges.
     Developers can upload apps, admins can upload any app.
@@ -481,8 +483,8 @@ async def require_admin_or_developer(
 
 
 async def get_current_user_or_redirect(
-    request: Request, user: Optional[Mapping[str, Any]] = Depends(get_current_user)
-) -> Dict[str, Any]:
+    request: Request, user: Mapping[str, Any] | None = Depends(get_current_user)
+) -> dict[str, Any]:
     """
     FastAPI Dependency: Enforces user authentication. Redirects to login if not authenticated.
     """
@@ -504,14 +506,14 @@ async def get_current_user_or_redirect(
                 headers={"Location": redirect_url},
                 detail="Not authenticated. Redirecting to login.",
             )
-        except (ValueError, KeyError, AttributeError):
+        except (ValueError, KeyError, AttributeError) as e:
             logger.exception(
                 f"Failed to generate login redirect URL for route '{login_route_name}'"
             )
             raise HTTPException(
                 status_code=status.HTTP_401_UNAUTHORIZED,
                 detail="Authentication required, but redirect failed.",
-            )
+            ) from e
     return dict(user)
 
 
@@ -533,10 +535,10 @@ def require_permission(obj: str, act: str, force_login: bool = True):
 
     async def _check_permission(
         # 2. The type hint MUST be Optional now
-        user: Optional[Dict[str, Any]] = Depends(user_dependency),
+        user: dict[str, Any] | None = Depends(user_dependency),
         # 3. Ask for the generic INTERFACE
         authz: AuthorizationProvider = Depends(get_authz_provider),
-    ) -> Optional[Dict[str, Any]]:  # 4. Return type is also Optional
+    ) -> dict[str, Any] | None:  # 4. Return type is also Optional
         """Internal dependency function performing the AuthZ check."""
 
         # 5. Check for 'anonymous' if user is None
@@ -594,9 +596,9 @@ def require_permission(obj: str, act: str, force_login: bool = True):
 
 async def refresh_access_token(
     request: Request,
-    refresh_token_payload: Dict[str, Any],
-    device_info: Optional[Dict[str, Any]] = None,
-) -> Optional[Tuple[str, str, Dict[str, Any]]]:
+    refresh_token_payload: dict[str, Any],
+    device_info: dict[str, Any] | None = None,
+) -> tuple[str, str, dict[str, Any]] | None:
     """
     Refresh an access token using a valid refresh token.
 
@@ -619,9 +621,7 @@ async def refresh_access_token(
         from ..config import TOKEN_ROTATION_ENABLED
         from .jwt import generate_token_pair
 
-        user_id = refresh_token_payload.get("user_id") or refresh_token_payload.get(
-            "email"
-        )
+        user_id = refresh_token_payload.get("user_id") or refresh_token_payload.get("email")
         old_refresh_jti = refresh_token_payload.get("jti")
         device_id = refresh_token_payload.get("device_id")
 
@@ -653,9 +653,7 @@ async def refresh_access_token(
 
                     device_id = device_id or request.cookies.get("device_id")
                     if device_id:
-                        current_fingerprint = generate_session_fingerprint(
-                            request, device_id
-                        )
+                        current_fingerprint = generate_session_fingerprint(request, device_id)
                         if current_fingerprint != stored_fingerprint:
                             logger.warning(
                                 f"refresh_access_token: Session fingerprint mismatch "
@@ -671,9 +669,7 @@ async def refresh_access_token(
 
         # Use existing device_id or generate new one
         if not device_id:
-            device_id = (
-                str(uuid.uuid4()) if not device_info else device_info.get("device_id")
-            )
+            device_id = str(uuid.uuid4()) if not device_info else device_info.get("device_id")
 
         if device_info:
             device_info["device_id"] = device_id
@@ -741,7 +737,9 @@ async def refresh_access_token(
     except (ValueError, TypeError, jwt.InvalidTokenError):
         logger.exception("Validation error refreshing token")
         return None
-    except Exception:
-        logger.exception("Unexpected error refreshing token")
-        # Re-raise unexpected errors for debugging
-        raise
+    except PyMongoError:
+        logger.exception("Database error refreshing token")
+        return None
+    except (AttributeError, KeyError):
+        logger.exception("State access error refreshing token")
+        return None

mdb_engine/auth/helpers.py

@@ -19,7 +19,7 @@ async def initialize_token_management(app, db):
 
     Args:
         app: FastAPI application instance
-        db: MongoDB database instance (Motor AsyncIOMotorDatabase)
+        db: Scoped MongoDB database instance (ScopedMongoWrapper)
 
     Example:
         from mdb_engine.auth.helpers import initialize_token_management
@@ -27,8 +27,8 @@ async def initialize_token_management(app, db):
 
         @app.on_event("startup")
         async def startup():
-            # Get database from engine
-            db = engine.get_database()
+            # Get scoped database from engine
+            db = engine.get_scoped_db("my_app")
 
             # Initialize token management
             await initialize_token_management(app, db)

mdb_engine/auth/integration.py

@@ -8,20 +8,23 @@ This module is part of MDB_ENGINE - MongoDB Engine.
 
 import logging
 import os
-from typing import Any, Dict, Optional
+from typing import Any
 
 from fastapi import FastAPI
 
-from .config_defaults import (CORS_DEFAULTS, OBSERVABILITY_DEFAULTS,
-                              SECURITY_CONFIG_DEFAULTS,
-                              TOKEN_MANAGEMENT_DEFAULTS)
+from .config_defaults import (
+    CORS_DEFAULTS,
+    OBSERVABILITY_DEFAULTS,
+    SECURITY_CONFIG_DEFAULTS,
+    TOKEN_MANAGEMENT_DEFAULTS,
+)
 from .config_helpers import merge_config_with_defaults
 from .helpers import initialize_token_management
 
 logger = logging.getLogger(__name__)
 
 # Cache for auth configs
-_auth_config_cache: Dict[str, Dict[str, Any]] = {}
+_auth_config_cache: dict[str, dict[str, Any]] = {}
 
 
 def _has_cors_middleware(app: FastAPI) -> bool:
@@ -45,8 +48,7 @@ def _has_cors_middleware(app: FastAPI) -> bool:
                 middleware_cls = middleware[0]
                 # Check if it's CORSMiddleware or a subclass
                 if middleware_cls == CORSMiddleware or (
-                    hasattr(middleware_cls, "__name__")
-                    and "CORS" in middleware_cls.__name__
+                    hasattr(middleware_cls, "__name__") and "CORS" in middleware_cls.__name__
                 ):
                     return True
         return False
@@ -55,7 +57,7 @@ def _has_cors_middleware(app: FastAPI) -> bool:
         return False
 
 
-def invalidate_auth_config_cache(slug_id: Optional[str] = None) -> None:
+def invalidate_auth_config_cache(slug_id: str | None = None) -> None:
     """
     Invalidate auth config cache for a specific app or all apps.
 
@@ -70,7 +72,7 @@ def invalidate_auth_config_cache(slug_id: Optional[str] = None) -> None:
         logger.debug("Invalidated entire auth config cache")
 
 
-async def get_auth_config(slug_id: str, engine) -> Dict[str, Any]:
+async def get_auth_config(slug_id: str, engine) -> dict[str, Any]:
     """
     Retrieve authentication configuration from manifest.
 
@@ -119,7 +121,7 @@ async def get_auth_config(slug_id: str, engine) -> Dict[str, Any]:
 
 
 async def _setup_authorization_provider(
-    app: FastAPI, engine, slug_id: str, config: Dict[str, Any]
+    app: FastAPI, engine, slug_id: str, config: dict[str, Any]
 ) -> None:
     """Set up authorization provider (Casbin/OSO/custom) from manifest."""
     auth = config.get("auth", {})
@@ -131,18 +133,12 @@ async def _setup_authorization_provider(
         try:
             from .casbin_factory import initialize_casbin_from_manifest
 
-            authz_provider = await initialize_casbin_from_manifest(
-                engine, slug_id, config
-            )
+            authz_provider = await initialize_casbin_from_manifest(engine, slug_id, config)
             if authz_provider:
                 app.state.authz_provider = authz_provider
-                logger.info(
-                    f"Authorization provider (Casbin) auto-created for {slug_id}"
-                )
+                logger.info(f"Authorization provider (Casbin) auto-created for {slug_id}")
             else:
-                logger.debug(
-                    f"Casbin provider not created for {slug_id} (may not be installed)"
-                )
+                logger.debug(f"Casbin provider not created for {slug_id} (may not be installed)")
         except (
             ImportError,
             AttributeError,
@@ -160,9 +156,7 @@ async def _setup_authorization_provider(
             authz_provider = await initialize_oso_from_manifest(engine, slug_id, config)
             if authz_provider:
                 app.state.authz_provider = authz_provider
-                logger.info(
-                    f"✅ Authorization provider (OSO Cloud) auto-created for {slug_id}"
-                )
+                logger.info(f"✅ Authorization provider (OSO Cloud) auto-created for {slug_id}")
             else:
                 logger.error(
                     f"❌ OSO Cloud provider not created for {slug_id}. "
@@ -187,9 +181,7 @@ async def _setup_authorization_provider(
         logger.info(f"Custom provider specified for {slug_id} - manual setup required")
 
 
-async def _setup_demo_users(
-    app: FastAPI, engine, slug_id: str, config: Dict[str, Any]
-) -> list:
+async def _setup_demo_users(app: FastAPI, engine, slug_id: str, config: dict[str, Any]) -> list:
     """Set up demo users and link with OSO roles if applicable."""
     auth = config.get("auth", {})
     users_config = auth.get("users", {})
@@ -260,9 +252,7 @@ async def _setup_demo_users(
             f"Demo user creation disabled for {slug_id} (demo_user_seed_strategy: disabled)"
         )
     elif seed_strategy == "manual":
-        logger.debug(
-            f"Demo user creation set to manual for {slug_id} - skipping auto-creation"
-        )
+        logger.debug(f"Demo user creation set to manual for {slug_id} - skipping auto-creation")
 
     # Link demo users with OSO initial_roles if auth provider is OSO
     if hasattr(app.state, "authz_provider") and demo_users:
@@ -283,14 +273,30 @@ async def _setup_demo_users(
                         if role_assignment.get("user") == user_email:
                             role = role_assignment.get("role")
                             resource = role_assignment.get("resource", "documents")
+
+                            # Check if provider is Casbin (uses email as subject for initial_roles)
+                            is_casbin = hasattr(app.state.authz_provider, "_enforcer")
+
                             try:
-                                await app.state.authz_provider.add_role_for_user(
-                                    user_email, role, resource
-                                )
-                                logger.info(
-                                    f"✅ Assigned role '{role}' on resource '{resource}' "
-                                    f"to demo user '{user_email}' for {slug_id}"
-                                )
+                                if is_casbin:
+                                    # For Casbin, use email as subject to match initial_roles format
+                                    # This ensures consistency with how initial_roles are set up
+                                    await app.state.authz_provider.add_role_for_user(
+                                        user_email, role
+                                    )
+                                    logger.info(
+                                        f"✅ Assigned Casbin role '{role}' "
+                                        f"to demo user '{user_email}' for {slug_id}"
+                                    )
+                                else:
+                                    # For OSO, use email, role, resource
+                                    await app.state.authz_provider.add_role_for_user(
+                                        user_email, role, resource
+                                    )
+                                    logger.info(
+                                        f"✅ Assigned role '{role}' on resource '{resource}' "
+                                        f"to demo user '{user_email}' for {slug_id}"
+                                    )
                             except (
                                 ValueError,
                                 TypeError,
@@ -319,20 +325,18 @@ async def _setup_demo_users(
 
 
 async def _setup_token_management(
-    app: FastAPI, engine, slug_id: str, token_management: Dict[str, Any]
+    app: FastAPI, engine, slug_id: str, token_management: dict[str, Any]
 ) -> None:
     """Initialize token management (blacklist and session manager)."""
     if token_management.get("auto_setup", True):
         try:
-            db = engine.get_database()
+            db = engine.get_scoped_db(slug_id)
             await initialize_token_management(app, db)
 
             # Configure session fingerprinting if session manager exists
             session_mgr = getattr(app.state, "session_manager", None)
             if session_mgr:
-                fingerprinting_config = app.state.security_config.get(
-                    "session_fingerprinting", {}
-                )
+                fingerprinting_config = app.state.security_config.get("session_fingerprinting", {})
                 session_mgr.configure_fingerprinting(
                     enabled=fingerprinting_config.get("enabled", True),
                     strict=fingerprinting_config.get("strict_mode", False),
@@ -352,12 +356,10 @@ async def _setup_token_management(
 
 
 async def _setup_security_middleware(
-    app: FastAPI, slug_id: str, security_config: Dict[str, Any]
+    app: FastAPI, slug_id: str, security_config: dict[str, Any]
 ) -> None:
     """Set up security middleware (if not already added)."""
-    if security_config.get("csrf_protection", True) or security_config.get(
-        "require_https", False
-    ):
+    if security_config.get("csrf_protection", True) or security_config.get("require_https", False):
         try:
             from .middleware import SecurityMiddleware
 
@@ -384,15 +386,13 @@ async def _setup_security_middleware(
                         f"This is normal when using lifespan context managers."
                     )
                 else:
-                    logger.warning(
-                        f"Could not set up security middleware for {slug_id}: {e}"
-                    )
+                    logger.warning(f"Could not set up security middleware for {slug_id}: {e}")
         except (AttributeError, TypeError, ValueError, RuntimeError, ImportError) as e:
             logger.warning(f"Could not set up security middleware for {slug_id}: {e}")
 
 
 async def _setup_cors_and_observability(
-    app: FastAPI, engine, slug_id: str, config: Dict[str, Any]
+    app: FastAPI, engine, slug_id: str, config: dict[str, Any]
 ) -> None:
     """Set up CORS and observability configs and middleware."""
     # Get manifest data first if available
@@ -409,9 +409,7 @@ async def _setup_cors_and_observability(
     app.state.cors_config = merge_config_with_defaults(cors_config, CORS_DEFAULTS)
 
     # Extract and store observability config
-    observability_config = (
-        manifest_data.get("observability", {}) if manifest_data else {}
-    )
+    observability_config = manifest_data.get("observability", {}) if manifest_data else {}
     app.state.observability_config = merge_config_with_defaults(
         observability_config, OBSERVABILITY_DEFAULTS
     )
@@ -421,9 +419,7 @@ async def _setup_cors_and_observability(
         try:
             # Check if CORS middleware already exists to avoid duplication
             if _has_cors_middleware(app):
-                logger.debug(
-                    f"CORS middleware already exists for {slug_id}, skipping addition"
-                )
+                logger.debug(f"CORS middleware already exists for {slug_id}, skipping addition")
             else:
                 from fastapi.middleware.cors import CORSMiddleware
 
@@ -431,44 +427,29 @@ async def _setup_cors_and_observability(
                     try:
                         app.add_middleware(
                             CORSMiddleware,
-                            allow_origins=app.state.cors_config.get(
-                                "allow_origins", ["*"]
-                            ),
-                            allow_credentials=app.state.cors_config.get(
-                                "allow_credentials", False
-                            ),
+                            allow_origins=app.state.cors_config.get("allow_origins", ["*"]),
+                            allow_credentials=app.state.cors_config.get("allow_credentials", False),
                             allow_methods=app.state.cors_config.get(
                                 "allow_methods",
                                 ["GET", "POST", "PUT", "DELETE", "PATCH"],
                             ),
-                            allow_headers=app.state.cors_config.get(
-                                "allow_headers", ["*"]
-                            ),
-                            expose_headers=app.state.cors_config.get(
-                                "expose_headers", []
-                            ),
+                            allow_headers=app.state.cors_config.get("allow_headers", ["*"]),
+                            expose_headers=app.state.cors_config.get("expose_headers", []),
                             max_age=app.state.cors_config.get("max_age", 3600),
                         )
                         logger.info(f"CORS middleware added for {slug_id}")
                     except (RuntimeError, ValueError) as e:
                         error_msg = str(e).lower()
-                        if (
-                            "cannot add middleware" in error_msg
-                            or "middleware" in error_msg
-                        ):
+                        if "cannot add middleware" in error_msg or "middleware" in error_msg:
                             logger.debug(
                                 f"CORS middleware not added for {slug_id} - "
                                 f"app middleware stack already initialized. "
                                 f"This is normal when using lifespan context managers."
                             )
                         else:
-                            logger.warning(
-                                f"Could not set up CORS middleware for {slug_id}: {e}"
-                            )
+                            logger.warning(f"Could not set up CORS middleware for {slug_id}: {e}")
                 else:
-                    logger.warning(
-                        f"CORS middleware not added for {slug_id} - app already started"
-                    )
+                    logger.warning(f"CORS middleware not added for {slug_id} - app already started")
         except (AttributeError, TypeError, ValueError, RuntimeError, ImportError) as e:
             logger.warning(f"Could not set up CORS middleware for {slug_id}: {e}")
 
@@ -480,9 +461,7 @@ async def _setup_cors_and_observability(
             from .middleware import StaleSessionMiddleware
 
             try:
-                app.add_middleware(
-                    StaleSessionMiddleware, slug_id=slug_id, engine=engine
-                )
+                app.add_middleware(StaleSessionMiddleware, slug_id=slug_id, engine=engine)
                 logger.info(f"Stale session cleanup middleware added for {slug_id}")
             except (RuntimeError, ValueError) as e:
                 error_msg = str(e).lower()
@@ -493,13 +472,9 @@ async def _setup_cors_and_observability(
                         f"This is normal when using lifespan context managers."
                     )
                 else:
-                    logger.warning(
-                        f"Could not set up stale session middleware for {slug_id}: {e}"
-                    )
+                    logger.warning(f"Could not set up stale session middleware for {slug_id}: {e}")
         except (AttributeError, TypeError, ValueError, RuntimeError, ImportError) as e:
-            logger.warning(
-                f"Could not set up stale session middleware for {slug_id}: {e}"
-            )
+            logger.warning(f"Could not set up stale session middleware for {slug_id}: {e}")
 
 
 async def setup_auth_from_manifest(app: FastAPI, engine, slug_id: str) -> bool:
@@ -572,7 +547,5 @@ async def setup_auth_from_manifest(app: FastAPI, engine, slug_id: str) -> bool:
         KeyError,
         ConnectionError,
     ) as e:
-        logger.error(
-            f"Error setting up auth from manifest for {slug_id}: {e}", exc_info=True
-        )
+        logger.error(f"Error setting up auth from manifest for {slug_id}: {e}", exc_info=True)
         return False