mdb-engine 0.1.6__py3-none-any.whl → 0.4.12__py3-none-any.whl

mdb_engine/auth/jwt.py

@@ -10,7 +10,7 @@ This module is part of MDB_ENGINE - MongoDB Engine.
 import logging
 import uuid
 from datetime import datetime, timedelta
-from typing import Any, Dict, Optional, Tuple
+from typing import Any
 
 import jwt
 
@@ -21,7 +21,7 @@ from ..constants import CURRENT_TOKEN_VERSION
 logger = logging.getLogger(__name__)
 
 
-def decode_jwt_token(token: Any, secret_key: str) -> Dict[str, Any]:
+def decode_jwt_token(token: Any, secret_key: str) -> dict[str, Any]:
     """
     Helper function to decode JWT tokens with automatic fallback to bytes format.
 
@@ -74,7 +74,7 @@ def decode_jwt_token(token: Any, secret_key: str) -> Dict[str, Any]:
 
 
 def encode_jwt_token(
-    payload: Dict[str, Any], secret_key: str, expires_in: Optional[int] = None
+    payload: dict[str, Any], secret_key: str, expires_in: int | None = None
 ) -> str:
     """
     Encode a JWT token with enhanced claims.
@@ -123,12 +123,12 @@ def encode_jwt_token(
 
 
 def generate_token_pair(
-    user_data: Dict[str, Any],
+    user_data: dict[str, Any],
     secret_key: str,
-    device_info: Optional[Dict[str, Any]] = None,
-    access_token_ttl: Optional[int] = None,
-    refresh_token_ttl: Optional[int] = None,
-) -> Tuple[str, str, Dict[str, Any]]:
+    device_info: dict[str, Any] | None = None,
+    access_token_ttl: int | None = None,
+    refresh_token_ttl: int | None = None,
+) -> tuple[str, str, dict[str, Any]]:
     """
     Generate a pair of access and refresh tokens.
 
@@ -164,9 +164,7 @@ def generate_token_pair(
         "jti": access_jti,
         "device_id": device_id,
     }
-    access_token = encode_jwt_token(
-        access_payload, secret_key, expires_in=access_token_ttl
-    )
+    access_token = encode_jwt_token(access_payload, secret_key, expires_in=access_token_ttl)
 
     # Generate refresh token
     refresh_jti = str(uuid.uuid4())
@@ -177,9 +175,7 @@ def generate_token_pair(
         "email": user_data.get("email"),
         "device_id": device_id,
     }
-    refresh_token = encode_jwt_token(
-        refresh_payload, secret_key, expires_in=refresh_token_ttl
-    )
+    refresh_token = encode_jwt_token(refresh_payload, secret_key, expires_in=refresh_token_ttl)
 
     # Token metadata
     token_metadata = {
@@ -194,7 +190,7 @@ def generate_token_pair(
     return access_token, refresh_token, token_metadata
 
 
-def extract_token_metadata(token: str, secret_key: str) -> Optional[Dict[str, Any]]:
+def extract_token_metadata(token: str, secret_key: str) -> dict[str, Any] | None:
     """
     Extract metadata from a token without full validation.
 

mdb_engine/auth/middleware.py

@@ -4,12 +4,19 @@ Security Middleware
 Middleware for enforcing security settings from manifest configuration.
 
 This module is part of MDB_ENGINE - MongoDB Engine.
+
+Security Features:
+    - HTTPS enforcement in production
+    - HSTS (HTTP Strict Transport Security) header
+    - Security headers (X-Content-Type-Options, X-Frame-Options, etc.)
+    - CSRF token generation (legacy, prefer CSRFMiddleware for new apps)
 """
 
 import logging
 import os
 import secrets
-from typing import Awaitable, Callable
+from collections.abc import Awaitable, Callable
+from typing import Any
 
 from fastapi import HTTPException, Request, Response, status
 from fastapi.responses import RedirectResponse
@@ -17,6 +24,18 @@ from starlette.middleware.base import BaseHTTPMiddleware
 
 logger = logging.getLogger(__name__)
 
+# Default HSTS settings
+DEFAULT_HSTS_MAX_AGE = 31536000  # 1 year in seconds
+
+
+def _is_production() -> bool:
+    """Check if we're running in production environment."""
+    return (
+        os.getenv("MDB_ENGINE_ENV", "").lower() == "production"
+        or os.getenv("ENVIRONMENT", "").lower() == "production"
+        or os.getenv("G_NOME_ENV", "").lower() == "production"
+    )
+
 
 class SecurityMiddleware(BaseHTTPMiddleware):
     """
@@ -24,9 +43,9 @@ class SecurityMiddleware(BaseHTTPMiddleware):
 
     Features:
     - HTTPS enforcement in production
-    - CSRF token generation and validation
-    - Security headers
-    - Token validation
+    - HSTS header for forcing HTTPS
+    - Security headers (X-Content-Type-Options, X-Frame-Options, etc.)
+    - Legacy CSRF token generation (prefer CSRFMiddleware for new apps)
     """
 
     def __init__(
@@ -35,6 +54,7 @@ class SecurityMiddleware(BaseHTTPMiddleware):
         require_https: bool = False,
         csrf_protection: bool = True,
         security_headers: bool = True,
+        hsts_config: dict[str, Any] | None = None,
     ):
         """
         Initialize security middleware.
@@ -42,38 +62,60 @@ class SecurityMiddleware(BaseHTTPMiddleware):
         Args:
             app: FastAPI application
             require_https: Require HTTPS in production (default: False, auto-detected)
-            csrf_protection: Enable CSRF protection (default: True)
+            csrf_protection: Enable legacy CSRF protection (default: True)
             security_headers: Add security headers (default: True)
+            hsts_config: HSTS configuration dict with keys:
+                - enabled: Enable HSTS (default: True in production)
+                - max_age: Max-age in seconds (default: 31536000)
+                - include_subdomains: Include subdomains (default: True)
+                - preload: Add preload directive (default: False)
         """
         super().__init__(app)
         self.require_https = require_https
         self.csrf_protection = csrf_protection
         self.security_headers = security_headers
 
+        # HSTS configuration
+        self.hsts_config = hsts_config or {}
+        self.hsts_enabled = self.hsts_config.get("enabled", True)
+        self.hsts_max_age = self.hsts_config.get("max_age", DEFAULT_HSTS_MAX_AGE)
+        self.hsts_include_subdomains = self.hsts_config.get("include_subdomains", True)
+        self.hsts_preload = self.hsts_config.get("preload", False)
+
+    def _build_hsts_header(self) -> str:
+        """Build the HSTS header value."""
+        parts = [f"max-age={self.hsts_max_age}"]
+
+        if self.hsts_include_subdomains:
+            parts.append("includeSubDomains")
+
+        if self.hsts_preload:
+            parts.append("preload")
+
+        return "; ".join(parts)
+
     async def dispatch(
         self, request: Request, call_next: Callable[[Request], Awaitable[Response]]
     ) -> Response:
         """
         Process request through security middleware.
         """
+        is_production = _is_production()
+        is_https = request.url.scheme == "https"
+
         # Check HTTPS requirement
-        if self.require_https:
-            is_production = (
-                os.getenv("G_NOME_ENV") == "production"
-                or os.getenv("ENVIRONMENT") == "production"
-            )
-            if is_production and request.url.scheme != "https":
-                if request.method == "GET":
-                    # Redirect to HTTPS
-                    https_url = str(request.url).replace("http://", "https://", 1)
-                    return RedirectResponse(url=https_url, status_code=301)
-                else:
-                    raise HTTPException(
-                        status_code=status.HTTP_403_FORBIDDEN,
-                        detail="HTTPS required in production",
-                    )
-
-        # Generate CSRF token if not present (for GET requests)
+        if self.require_https and is_production and not is_https:
+            if request.method == "GET":
+                # Redirect to HTTPS
+                https_url = str(request.url).replace("http://", "https://", 1)
+                return RedirectResponse(url=https_url, status_code=301)
+            else:
+                raise HTTPException(
+                    status_code=status.HTTP_403_FORBIDDEN,
+                    detail="HTTPS required in production",
+                )
+
+        # Generate CSRF token if not present (for GET requests) - legacy support
         if self.csrf_protection and request.method == "GET":
             csrf_token = request.cookies.get("csrf_token")
             if not csrf_token:
@@ -90,19 +132,27 @@ class SecurityMiddleware(BaseHTTPMiddleware):
             response.headers["X-XSS-Protection"] = "1; mode=block"
             response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
 
+            # Permissions-Policy (modern replacement for some legacy headers)
+            response.headers["Permissions-Policy"] = (
+                "accelerometer=(), camera=(), geolocation=(), gyroscope=(), "
+                "magnetometer=(), microphone=(), payment=(), usb=()"
+            )
+
             # Content Security Policy (basic)
             if request.url.path.startswith("/api"):
                 response.headers["Content-Security-Policy"] = "default-src 'self'"
 
-        # Set CSRF token cookie if generated
+        # Add HSTS header in production (only over HTTPS or always if configured)
+        if self.hsts_enabled and (is_production or is_https):
+            response.headers["Strict-Transport-Security"] = self._build_hsts_header()
+
+        # Set CSRF token cookie if generated (legacy support)
         if (
             self.csrf_protection
             and request.method == "GET"
             and not request.cookies.get("csrf_token")
         ):
             csrf_token = secrets.token_urlsafe(32)
-            is_https = request.url.scheme == "https"
-            is_production = os.getenv("G_NOME_ENV") == "production"
             response.set_cookie(
                 key="csrf_token",
                 value=csrf_token,
@@ -154,10 +204,7 @@ class StaleSessionMiddleware(BaseHTTPMiddleware):
         # Check if we need to clear a stale session cookie
         # Only act if explicitly flagged - this ensures we don't interfere with
         # apps that don't use get_app_user()
-        if (
-            hasattr(request.state, "clear_stale_session")
-            and request.state.clear_stale_session
-        ):
+        if hasattr(request.state, "clear_stale_session") and request.state.clear_stale_session:
             try:
                 # Get cookie name from app config
                 cookie_name = None
@@ -188,7 +235,7 @@ class StaleSessionMiddleware(BaseHTTPMiddleware):
                                     "session_cookie_name", "app_session"
                                 )
                                 cookie_name = f"{session_cookie_name}_{self.slug_id}"
-                    except (AttributeError, KeyError, TypeError, Exception):
+                    except (AttributeError, KeyError, TypeError):
                         pass
 
                 # Final fallback to default naming convention
@@ -197,8 +244,7 @@ class StaleSessionMiddleware(BaseHTTPMiddleware):
 
                 # Get cookie settings to match how it was set
                 should_use_secure = (
-                    request.url.scheme == "https"
-                    or os.getenv("G_NOME_ENV") == "production"
+                    request.url.scheme == "https" or os.getenv("G_NOME_ENV") == "production"
                 )
 
                 # Delete the stale cookie
@@ -208,9 +254,7 @@ class StaleSessionMiddleware(BaseHTTPMiddleware):
                     secure=should_use_secure,
                     samesite="lax",
                 )
-                logger.debug(
-                    f"Cleared stale session cookie '{cookie_name}' for {self.slug_id}"
-                )
+                logger.debug(f"Cleared stale session cookie '{cookie_name}' for {self.slug_id}")
             except (ValueError, TypeError, AttributeError, RuntimeError) as e:
                 # Don't fail the request if cookie cleanup fails
                 logger.warning(

mdb_engine/auth/oso_factory.py

@@ -11,7 +11,7 @@ from __future__ import annotations
 
 import logging
 import os
-from typing import TYPE_CHECKING, Any, Dict, List, Optional
+from typing import TYPE_CHECKING, Any
 
 if TYPE_CHECKING:
     from .provider import OsoAdapter
@@ -20,8 +20,8 @@ logger = logging.getLogger(__name__)
 
 
 async def create_oso_cloud_client(
-    api_key: Optional[str] = None,
-    url: Optional[str] = None,
+    api_key: str | None = None,
+    url: str | None = None,
     max_retries: int = 3,
     retry_delay: float = 2.0,
 ) -> Any:
@@ -46,13 +46,11 @@ async def create_oso_cloud_client(
 
     # Import OSO Cloud SDK - the class is named "Oso"
     try:
-        from oso_cloud import Oso
+        from oso_cloud import Oso  # type: ignore
 
         logger.debug("✅ Imported Oso from oso_cloud")
-    except ImportError:
-        raise ImportError(
-            "OSO Cloud SDK not installed. Install with: pip install oso-cloud"
-        )
+    except ImportError as e:
+        raise ImportError("OSO Cloud SDK not installed. Install with: pip install oso-cloud") from e
 
     # Get API key from parameter or environment
     if not api_key:
@@ -81,9 +79,7 @@ async def create_oso_cloud_client(
 
             # Note: OSO client creation doesn't actually connect to the server
             # The connection happens on first API call, so we'll catch errors then
-            logger.info(
-                f"✅ OSO Cloud client created successfully (URL: {url or 'default'})"
-            )
+            logger.info(f"✅ OSO Cloud client created successfully (URL: {url or 'default'})")
             if url:
                 logger.info(f"   Using OSO Dev Server at: {url}")
             return oso_client
@@ -118,8 +114,8 @@ async def create_oso_cloud_client(
 
 async def setup_initial_oso_facts(
     authz_provider: OsoAdapter,
-    initial_roles: Optional[List[Dict[str, Any]]] = None,
-    initial_policies: Optional[List[Dict[str, Any]]] = None,
+    initial_roles: list[dict[str, Any]] | None = None,
+    initial_policies: list[dict[str, Any]] | None = None,
 ) -> None:
     """
     Set up initial roles and policies in OSO Cloud.
@@ -137,29 +133,23 @@ async def setup_initial_oso_facts(
             try:
                 user = role_assignment.get("user")
                 role = role_assignment.get("role")
-                resource = role_assignment.get(
-                    "resource", "documents"
-                )  # Default to "documents"
+                resource = role_assignment.get("resource", "documents")  # Default to "documents"
 
                 if user and role:
                     # For OSO Cloud, we add has_role facts with resource context
                     # This supports resource-based authorization
                     await authz_provider.add_role_for_user(user, role, resource)
-                    logger.debug(
-                        f"Added role '{role}' for user '{user}' on resource '{resource}'"
-                    )
+                    logger.debug(f"Added role '{role}' for user '{user}' on resource '{resource}'")
             except (ValueError, TypeError, AttributeError, RuntimeError) as e:
-                logger.warning(
-                    f"Failed to add initial role assignment {role_assignment}: {e}"
-                )
+                logger.warning(f"Failed to add initial role assignment {role_assignment}: {e}")
 
     # Note: initial_policies are not used - we use has_role facts instead
     # The policy derives permissions from roles, not from explicit grants_permission facts
 
 
 async def initialize_oso_from_manifest(
-    engine, app_slug: str, auth_config: Dict[str, Any]
-) -> Optional[OsoAdapter]:
+    engine, app_slug: str, auth_config: dict[str, Any]
+) -> OsoAdapter | None:
     """
     Initialize OSO Cloud provider from manifest configuration.
 
@@ -181,9 +171,7 @@ async def initialize_oso_from_manifest(
 
         # Only proceed if provider is oso
         if provider != "oso":
-            logger.debug(
-                f"Provider is '{provider}', not 'oso' - skipping OSO initialization"
-            )
+            logger.debug(f"Provider is '{provider}', not 'oso' - skipping OSO initialization")
             return None
 
         logger.info(f"Initializing OSO Cloud provider for app '{app_slug}'...")
@@ -224,24 +212,18 @@ async def initialize_oso_from_manifest(
             try:
                 import asyncio
 
-                from oso_cloud import Value
+                from oso_cloud import Value  # type: ignore
 
                 # Try a simple test authorization to verify connection
                 test_actor = Value("User", "test")
                 test_resource = Value("Document", "test")
                 # This might fail, but it tests if the server is responding
-                await asyncio.to_thread(
-                    oso_client.authorize, test_actor, "read", test_resource
-                )
+                await asyncio.to_thread(oso_client.authorize, test_actor, "read", test_resource)
                 logger.debug("✅ OSO Dev Server connection test successful")
             except (TimeoutError, OSError, RuntimeError) as test_error:
                 # Type 2: Recoverable - connection test failed, check if it's a connection error
                 error_str = str(test_error).lower()
-                if (
-                    "connection" in error_str
-                    or "refused" in error_str
-                    or "timeout" in error_str
-                ):
+                if "connection" in error_str or "refused" in error_str or "timeout" in error_str:
                     logger.warning(
                         f"⚠️  OSO Dev Server connection test failed - "
                         f"server might not be ready: {test_error}"
@@ -289,9 +271,7 @@ async def initialize_oso_from_manifest(
                 )
                 logger.info("✅ Initial OSO facts set up successfully")
             except (ValueError, TypeError, AttributeError, RuntimeError) as e:
-                logger.warning(
-                    f"⚠️  Failed to set up initial OSO facts: {e}", exc_info=True
-                )
+                logger.warning(f"⚠️  Failed to set up initial OSO facts: {e}", exc_info=True)
                 # Continue anyway - adapter is still usable
 
         logger.info(f"✅ OSO Cloud provider initialized for app '{app_slug}'")
@@ -299,13 +279,13 @@ async def initialize_oso_from_manifest(
         return adapter
 
     except ImportError as e:
-        logger.error(
+        logger.exception(
             f"❌ OSO Cloud SDK not available for app '{app_slug}': {e}. "
             "Install with: pip install oso-cloud"
         )
         return None
     except ValueError as e:
-        logger.error(f"❌ OSO Cloud configuration error for app '{app_slug}': {e}")
+        logger.exception(f"❌ OSO Cloud configuration error for app '{app_slug}': {e}")
         return None
     except (
         ImportError,