mdb-engine 0.4.0__tar.gz → 0.4.2__tar.gz

{mdb_engine-0.4.0/mdb_engine.egg-info → mdb_engine-0.4.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: mdb-engine
-Version: 0.4.0
+Version: 0.4.2
 Summary: MongoDB Engine
 Home-page: https://github.com/ranfysvalle02/mdb-engine
 Author: Fabian Valle

{mdb_engine-0.4.0 → mdb_engine-0.4.2}/mdb_engine/__init__.py

@@ -81,7 +81,10 @@ from .repositories import Entity, MongoRepository, Repository, UnitOfWork
 # Utilities
 from .utils import clean_mongo_doc, clean_mongo_docs
 
-__version__ = "0.4.0"  # Minor version bump: Major multi-app improvements (12 new features)
+__version__ = (
+    "0.4.2"  # Security release: Fixed auto-role assignment, token blacklist
+    # fail-closed, race conditions, session binding, and path traversal
+)
 
 __all__ = [
     # Core Engine

{mdb_engine-0.4.0 → mdb_engine-0.4.2}/mdb_engine/auth/shared_middleware.py

@@ -86,16 +86,95 @@ def _get_request_path(request: Request) -> str:
     """
     Get the request path relative to the mount point.
 
-    For mounted apps (via create_multi_app), use request.scope["path"] which
-    contains the path relative to the mount point. For non-mounted apps,
-    fall back to request.url.path.
+    For mounted apps (via create_multi_app), strips the path prefix from
+    request.url.path using request.state.app_base_path. For non-mounted apps,
+    uses request.scope["path"] if available, otherwise falls back to request.url.path.
 
     This ensures public routes in manifests (which are relative paths like "/")
     match correctly when apps are mounted at prefixes like "/auth-hub".
+
+    SECURITY: Normalizes and validates paths to prevent path traversal attacks.
+    """
+
+    # Check if this is a mounted app with a path prefix
+    app_base_path = getattr(request.state, "app_base_path", None)
+    # Ensure app_base_path is a string (not a MagicMock in tests)
+    if app_base_path and isinstance(app_base_path, str):
+        # Ensure request.url.path is a string before calling startswith
+        url_path = str(request.url.path) if hasattr(request.url, "path") else None
+        if url_path and url_path.startswith(app_base_path):
+            # Strip the path prefix to get relative path
+            relative_path = url_path[len(app_base_path) :]
+            # Normalize and sanitize path to prevent traversal attacks
+            relative_path = _normalize_path(relative_path)
+            # Ensure path starts with / (handle case where prefix is entire path)
+            return relative_path if relative_path else "/"
+
+    # Fall back to scope["path"] for mounted apps (if available)
+    # This handles cases where Starlette/FastAPI sets it correctly
+    if "path" in request.scope:
+        return _normalize_path(request.scope["path"])
+
+    # Default to url.path for non-mounted apps
+    # Ensure we return a string
+    if hasattr(request.url, "path"):
+        return _normalize_path(str(request.url.path))
+    return "/"
+
+
+def _normalize_path(path: str) -> str:
+    """
+    Normalize and sanitize a path to prevent path traversal attacks.
+
+    Args:
+        path: Raw path string
+
+    Returns:
+        Normalized path starting with /
     """
-    # Use scope["path"] which is relative to mount point for mounted apps
-    # Fall back to url.path for non-mounted apps
-    return request.scope.get("path", request.url.path)
+    from pathlib import PurePath
+    from urllib.parse import unquote
+
+    if not path:
+        return "/"
+
+    # Preserve trailing slash (except for root)
+    has_trailing_slash = path.endswith("/") and path != "/"
+
+    # Decode URL encoding
+    try:
+        decoded = unquote(path)
+    except (ValueError, UnicodeDecodeError):
+        # If decoding fails, use original path
+        decoded = path
+
+    # Normalize path separators and resolve relative components
+    try:
+        # Use PurePath to normalize without accessing filesystem
+        normalized = PurePath(decoded).as_posix()
+    except (ValueError, TypeError):
+        # If normalization fails, use decoded path
+        normalized = decoded
+
+    # Reject path traversal attempts
+    if ".." in normalized or normalized.startswith("/") and normalized != "/":
+        # Check if it's a legitimate absolute path (starts with /)
+        if normalized.startswith("/") and ".." not in normalized:
+            # Valid absolute path
+            pass
+        else:
+            logger.warning(f"Path traversal attempt detected: {path} -> {normalized}")
+            return "/"  # Return root path for safety
+
+    # Ensure path starts with /
+    if not normalized.startswith("/"):
+        normalized = "/" + normalized
+
+    # Restore trailing slash if it was present (except for root)
+    if has_trailing_slash and normalized != "/" and not normalized.endswith("/"):
+        normalized = normalized + "/"
+
+    return normalized
 
 
 class SharedAuthMiddleware(BaseHTTPMiddleware):
@@ -123,6 +202,7 @@ class SharedAuthMiddleware(BaseHTTPMiddleware):
         public_routes: list[str] | None = None,
         role_hierarchy: dict[str, list[str]] | None = None,
         session_binding: dict[str, Any] | None = None,
+        auto_assign_default_role: bool = False,
         cookie_name: str = AUTH_COOKIE_NAME,
         header_name: str = AUTH_HEADER_NAME,
         header_prefix: str = AUTH_HEADER_PREFIX,
@@ -142,6 +222,10 @@ class SharedAuthMiddleware(BaseHTTPMiddleware):
                 - bind_ip: Strict - reject if IP changes
                 - bind_fingerprint: Soft - log warning if fingerprint changes
                 - allow_ip_change_with_reauth: Allow IP change on re-authentication
+            auto_assign_default_role: If True, automatically assign require_role to users
+                                     with no roles for this app (default: False).
+                                     SECURITY: Only enable if explicitly needed - requires
+                                     default_role in manifest to match require_role.
             cookie_name: Name of auth cookie (default: mdb_auth_token)
             header_name: Name of auth header (default: Authorization)
             header_prefix: Prefix for header value (default: "Bearer ")
@@ -153,6 +237,7 @@ class SharedAuthMiddleware(BaseHTTPMiddleware):
         self._public_routes = public_routes or []
         self._role_hierarchy = role_hierarchy
         self._session_binding = session_binding or {}
+        self._auto_assign_default_role = auto_assign_default_role
         self._cookie_name = cookie_name
         self._header_name = header_name
         self._header_prefix = header_prefix
@@ -230,11 +315,10 @@ class SharedAuthMiddleware(BaseHTTPMiddleware):
             )
 
             if not has_required_role:
-                # Auto-assign required role if user has no roles for this app
-                # This is a fallback for SSO scenarios where users might be authenticated
-                # but not yet assigned roles. Only do this if they have NO roles (not if
-                # they have other roles but not the required one - prevents privilege escalation).
-                if not user_roles:
+                # Auto-assign required role ONLY if explicitly enabled and user has no roles
+                # SECURITY: This is opt-in to prevent privilege escalation. Only enable if
+                # explicitly needed and default_role matches require_role in manifest.
+                if not user_roles and self._auto_assign_default_role:
                     user_email = user.get("email")
                     if user_email:
                         try:
@@ -250,7 +334,8 @@ class SharedAuthMiddleware(BaseHTTPMiddleware):
                                     request.state.user_roles = [self._require_role]
                                     logger.info(
                                         f"Auto-assigned role '{self._require_role}' to user "
-                                        f"{user_email} for app '{self._app_slug}'"
+                                        f"{user_email} for app '{self._app_slug}' "
+                                        f"(auto_assign_default_role enabled)"
                                     )
                                 else:
                                     logger.warning(
@@ -308,17 +393,29 @@ class SharedAuthMiddleware(BaseHTTPMiddleware):
                         logger.warning(f"Session IP mismatch: token={token_ip}, client={client_ip}")
                         return "Session bound to different IP address"
 
-            # Check fingerprint binding (soft check - just warn)
-            if self._session_binding.get("bind_fingerprint", True):
+            # Check fingerprint binding (strict by default for security)
+            bind_fingerprint = self._session_binding.get("bind_fingerprint", True)
+            strict_fingerprint = self._session_binding.get(
+                "strict_fingerprint", True
+            )  # Default: strict
+            if bind_fingerprint:
                 token_fp = payload.get("fp")
                 if token_fp:
                     client_fp = _compute_fingerprint(request)
                     if client_fp != token_fp:
-                        logger.warning(
-                            f"Session fingerprint mismatch for user {payload.get('email')}"
-                        )
-                        # Soft check - don't reject, just log
-                        # Could be legitimate (browser update, different device)
+                        if strict_fingerprint:
+                            logger.warning(
+                                f"Session fingerprint mismatch for user {payload.get('email')} - "
+                                f"rejecting request (strict_fingerprint=True)"
+                            )
+                            return "Session bound to different device/fingerprint"
+                        else:
+                            logger.warning(
+                                f"Session fingerprint mismatch for user {payload.get('email')} - "
+                                f"allowing (strict_fingerprint=False)"
+                            )
+                            # Soft check - don't reject, just log
+                            # Could be legitimate (browser update, different device)
 
             return None
 
@@ -402,6 +499,17 @@ def create_shared_auth_middleware(
     """
     require_role = manifest_auth.get("require_role")
     public_routes = manifest_auth.get("public_routes", [])
+    auto_assign_default_role = manifest_auth.get("auto_assign_default_role", False)
+    default_role = manifest_auth.get("default_role")
+
+    # Security: Only allow auto-assignment if default_role matches require_role
+    if auto_assign_default_role and require_role and default_role != require_role:
+        logger.warning(
+            f"Security: auto_assign_default_role enabled but default_role '{default_role}' "
+            f"does not match require_role '{require_role}' for app '{app_slug}'. "
+            f"Auto-assignment disabled for security."
+        )
+        auto_assign_default_role = False
 
     # Build role hierarchy from manifest if available
     role_hierarchy = None
@@ -424,6 +532,7 @@ def create_shared_auth_middleware(
                 require_role=require_role,
                 public_routes=public_routes,
                 role_hierarchy=role_hierarchy,
+                auto_assign_default_role=auto_assign_default_role,
             )
 
     return ConfiguredSharedAuthMiddleware
@@ -484,12 +593,13 @@ def _extract_token_helper(
     return None
 
 
-def _create_lazy_middleware_class(
+def _create_lazy_middleware_class(  # noqa: C901
     app_slug: str,
     require_role: str | None,
     public_routes: list[str],
     role_hierarchy: dict[str, list[str]] | None,
     session_binding: dict[str, Any],
+    auto_assign_default_role: bool = False,
 ) -> type:
     """Create the LazySharedAuthMiddleware class with configuration."""
 
@@ -508,6 +618,7 @@ def _create_lazy_middleware_class(
             self._public_routes = public_routes
             self._role_hierarchy = role_hierarchy
             self._session_binding = session_binding
+            self._auto_assign_default_role = auto_assign_default_role
             self._cookie_name = AUTH_COOKIE_NAME
             self._header_name = AUTH_HEADER_NAME
             self._header_prefix = AUTH_HEADER_PREFIX
@@ -662,8 +773,9 @@ def _create_lazy_middleware_class(
             if has_required_role:
                 return None
 
-            # Auto-assign required role if user has no roles for this app
-            if not user_roles:
+            # Auto-assign required role ONLY if explicitly enabled and user has no roles
+            # SECURITY: This is opt-in to prevent privilege escalation
+            if not user_roles and self._auto_assign_default_role:
                 await self._try_auto_assign_role(user, user_pool, request)
 
             # Check again after potential auto-assignment
@@ -688,10 +800,8 @@ def _create_lazy_middleware_class(
             """
             Attempt to auto-assign required role to user.
 
-            This is a fallback for SSO scenarios where users might be authenticated
-            but not yet assigned roles. Only do this if they have NO roles (not if
-            they have other roles but not the required one - prevents privilege
-            escalation).
+            SECURITY: Only called if auto_assign_default_role is enabled and user has
+            no roles. This prevents privilege escalation.
             """
             user_email = user.get("email")
             if not user_email:
@@ -710,7 +820,8 @@ def _create_lazy_middleware_class(
                         request.state.user_roles = [self._require_role]
                         logger.info(
                             f"Auto-assigned role '{self._require_role}' to user "
-                            f"{user_email} for app '{self._app_slug}'"
+                            f"{user_email} for app '{self._app_slug}' "
+                            f"(auto_assign_default_role enabled)"
                         )
                     else:
                         logger.warning(
@@ -750,8 +861,10 @@ def _create_lazy_middleware_class(
                 if ip_error:
                     return ip_error
 
-                # Check fingerprint binding (soft check - just warn)
-                self._check_fingerprint_binding(request, payload)
+                # Check fingerprint binding (strict by default)
+                fingerprint_error = await self._check_fingerprint_binding(request, payload)
+                if fingerprint_error:
+                    return fingerprint_error
 
                 return None
 
@@ -775,19 +888,38 @@ def _create_lazy_middleware_class(
 
             return None
 
-        def _check_fingerprint_binding(self, request: Request, payload: dict) -> None:
-            """Check fingerprint binding from token payload (soft check - just warn)."""
+        async def _check_fingerprint_binding(self, request: Request, payload: dict) -> str | None:
+            """
+            Check fingerprint binding from token payload.
+
+            Returns error message if validation fails, None if OK.
+            """
             if not self._session_binding.get("bind_fingerprint", True):
-                return
+                return None
 
             token_fp = payload.get("fp")
             if not token_fp:
-                return
+                return None
 
+            strict_fingerprint = self._session_binding.get(
+                "strict_fingerprint", True
+            )  # Default: strict
             client_fp = _compute_fingerprint(request)
             if client_fp != token_fp:
-                logger.warning(f"Session fingerprint mismatch for user {payload.get('email')}")
-                # Soft check - don't reject, just log
+                if strict_fingerprint:
+                    logger.warning(
+                        f"Session fingerprint mismatch for user {payload.get('email')} - "
+                        f"rejecting request (strict_fingerprint=True)"
+                    )
+                    return "Session bound to different device/fingerprint"
+                else:
+                    logger.warning(
+                        f"Session fingerprint mismatch for user {payload.get('email')} - "
+                        f"allowing (strict_fingerprint=False)"
+                    )
+                    # Soft check - don't reject, just log
+                    return None
+            return None
 
     return LazySharedAuthMiddleware
 
@@ -820,9 +952,26 @@ def create_shared_auth_middleware_lazy(
     """
     require_role = manifest_auth.get("require_role")
     public_routes = manifest_auth.get("public_routes", [])
+    auto_assign_default_role = manifest_auth.get("auto_assign_default_role", False)
+    default_role = manifest_auth.get("default_role")
+
+    # Security: Only allow auto-assignment if default_role matches require_role
+    if auto_assign_default_role and require_role and default_role != require_role:
+        logger.warning(
+            f"Security: auto_assign_default_role enabled but default_role '{default_role}' "
+            f"does not match require_role '{require_role}' for app '{app_slug}'. "
+            f"Auto-assignment disabled for security."
+        )
+        auto_assign_default_role = False
+
     role_hierarchy = _build_role_hierarchy(manifest_auth)
     session_binding = manifest_auth.get("session_binding", {})
 
     return _create_lazy_middleware_class(
-        app_slug, require_role, public_routes, role_hierarchy, session_binding
+        app_slug,
+        require_role,
+        public_routes,
+        role_hierarchy,
+        session_binding,
+        auto_assign_default_role,
     )

{mdb_engine-0.4.0 → mdb_engine-0.4.2}/mdb_engine/auth/shared_users.py

@@ -119,6 +119,7 @@ class SharedUserPool:
         jwt_algorithm: str = DEFAULT_JWT_ALGORITHM,
         token_expiry_hours: int = DEFAULT_TOKEN_EXPIRY_HOURS,
         allow_insecure_dev: bool = False,
+        blacklist_fail_closed: bool = True,
     ):
         """
         Initialize the shared user pool.
@@ -138,6 +139,9 @@ class SharedUserPool:
             token_expiry_hours: Token expiry in hours (default: 24)
             allow_insecure_dev: Allow insecure auto-generated secret for local
                                development only. NEVER use in production!
+            blacklist_fail_closed: If True (default), reject tokens when blacklist check
+                                  fails (secure). If False, allow tokens when check fails
+                                  (availability). SECURITY: Default is True for security.
 
         Raises:
             JWTSecretError: If no JWT secret is provided and allow_insecure_dev=False
@@ -146,6 +150,7 @@ class SharedUserPool:
         self._db = mongo_db
         self._collection = mongo_db[SHARED_USERS_COLLECTION]
         self._blacklist_collection = mongo_db[TOKEN_BLACKLIST_COLLECTION]
+        self._blacklist_fail_closed = blacklist_fail_closed
 
         # Validate algorithm
         if jwt_algorithm not in SUPPORTED_ALGORITHMS:
@@ -453,8 +458,19 @@ class SharedUserPool:
             return False
         except PyMongoError as e:
             logger.exception(f"Error checking token blacklist: {e}")
-            # Fail open for availability (can be changed to fail closed for security)
-            return False
+            # Fail closed for security by default (reject token if we can't verify)
+            if self._blacklist_fail_closed:
+                logger.warning(
+                    "Token blacklist check failed - rejecting token for security "
+                    "(blacklist_fail_closed=True)"
+                )
+                return True  # Token IS revoked (reject access)
+            # Fail open only if explicitly configured (availability over security)
+            logger.warning(
+                "Token blacklist check failed - allowing token for availability "
+                "(blacklist_fail_closed=False). SECURITY RISK: Revoked tokens may be accepted."
+            )
+            return False  # Token NOT revoked (allow access)
 
     async def revoke_token(
         self,

{mdb_engine-0.4.0 → mdb_engine-0.4.2}/mdb_engine/core/engine.py

@@ -155,6 +155,12 @@ class MongoDBEngine:
         # Store app token cache for auto-retrieval
         self._app_token_cache: dict[str, str] = {}
 
+        # Async lock for thread-safe shared user pool initialization
+        import asyncio
+
+        self._shared_user_pool_lock = asyncio.Lock()
+        self._shared_user_pool_initializing = False
+
     async def initialize(self) -> None:
         """
         Initialize the MongoDB Engine.
@@ -1960,9 +1966,26 @@ class MongoDBEngine:
                 )
 
         # State for parent app
-        mounted_apps: list[dict[str, Any]] = []
+        # Build initial mounted_apps metadata synchronously so get_mounted_apps() works
+        # immediately after create_multi_app() returns (before lifespan runs)
+        mounted_apps: list[dict[str, Any]] = [
+            {
+                "slug": app_config["slug"],
+                "path_prefix": app_config["path_prefix"],
+                "status": "pending",  # Will be updated in lifespan to "mounted" or "failed"
+                "manifest_path": str(app_config["manifest"]),
+            }
+            for app_config in apps
+        ]
         shared_user_pool_initialized = False
 
+        def _find_mounted_app_entry(slug: str) -> dict[str, Any] | None:
+            """Find mounted app entry by slug."""
+            for entry in mounted_apps:
+                if entry.get("slug") == slug:
+                    return entry
+            return None
+
         @asynccontextmanager
         async def lifespan(app: FastAPI):
             """Lifespan context manager for parent app."""
@@ -2133,14 +2156,25 @@ class MongoDBEngine:
 
                     # Mount child app at path prefix
                     app.mount(path_prefix, child_app)
-                    mounted_apps.append(
-                        {
-                            "slug": slug,
-                            "path_prefix": path_prefix,
-                            "status": "mounted",
-                            "manifest": app_manifest_data,
-                        }
-                    )
+                    # Update existing entry instead of appending
+                    entry = _find_mounted_app_entry(slug)
+                    if entry:
+                        entry.update(
+                            {
+                                "status": "mounted",
+                                "manifest": app_manifest_data,
+                            }
+                        )
+                    else:
+                        # Fallback: append if entry not found (shouldn't happen)
+                        mounted_apps.append(
+                            {
+                                "slug": slug,
+                                "path_prefix": path_prefix,
+                                "status": "mounted",
+                                "manifest": app_manifest_data,
+                            }
+                        )
                     logger.info(f"Mounted app '{slug}' at path prefix '{path_prefix}'")
 
                 except FileNotFoundError as e:
@@ -2149,15 +2183,26 @@ class MongoDBEngine:
                         f"manifest.json not found at {manifest_path}"
                     )
                     logger.error(error_msg, exc_info=True)
-                    mounted_apps.append(
-                        {
-                            "slug": slug,
-                            "path_prefix": path_prefix,
-                            "status": "failed",
-                            "error": error_msg,
-                            "manifest_path": str(manifest_path),
-                        }
-                    )
+                    # Update existing entry instead of appending
+                    entry = _find_mounted_app_entry(slug)
+                    if entry:
+                        entry.update(
+                            {
+                                "status": "failed",
+                                "error": error_msg,
+                            }
+                        )
+                    else:
+                        # Fallback: append if entry not found (shouldn't happen)
+                        mounted_apps.append(
+                            {
+                                "slug": slug,
+                                "path_prefix": path_prefix,
+                                "status": "failed",
+                                "error": error_msg,
+                                "manifest_path": str(manifest_path),
+                            }
+                        )
                     if strict:
                         raise ValueError(error_msg) from e
                     continue
@@ -2167,71 +2212,111 @@ class MongoDBEngine:
                         f"Invalid JSON in manifest.json at {manifest_path}: {e}"
                     )
                     logger.error(error_msg, exc_info=True)
-                    mounted_apps.append(
-                        {
-                            "slug": slug,
-                            "path_prefix": path_prefix,
-                            "status": "failed",
-                            "error": error_msg,
-                            "manifest_path": str(manifest_path),
-                        }
-                    )
+                    # Update existing entry instead of appending
+                    entry = _find_mounted_app_entry(slug)
+                    if entry:
+                        entry.update(
+                            {
+                                "status": "failed",
+                                "error": error_msg,
+                            }
+                        )
+                    else:
+                        # Fallback: append if entry not found (shouldn't happen)
+                        mounted_apps.append(
+                            {
+                                "slug": slug,
+                                "path_prefix": path_prefix,
+                                "status": "failed",
+                                "error": error_msg,
+                                "manifest_path": str(manifest_path),
+                            }
+                        )
                     if strict:
                         raise ValueError(error_msg) from e
                     continue
                 except ValueError as e:
                     error_msg = f"Failed to mount app '{slug}' at {path_prefix}: {e}"
                     logger.error(error_msg, exc_info=True)
-                    mounted_apps.append(
-                        {
-                            "slug": slug,
-                            "path_prefix": path_prefix,
-                            "status": "failed",
-                            "error": error_msg,
-                            "manifest_path": str(manifest_path),
-                        }
-                    )
+                    # Update existing entry instead of appending
+                    entry = _find_mounted_app_entry(slug)
+                    if entry:
+                        entry.update(
+                            {
+                                "status": "failed",
+                                "error": error_msg,
+                            }
+                        )
+                    else:
+                        # Fallback: append if entry not found (shouldn't happen)
+                        mounted_apps.append(
+                            {
+                                "slug": slug,
+                                "path_prefix": path_prefix,
+                                "status": "failed",
+                                "error": error_msg,
+                                "manifest_path": str(manifest_path),
+                            }
+                        )
                     if strict:
                         raise ValueError(error_msg) from e
                     continue
                 except (KeyError, RuntimeError) as e:
                     error_msg = f"Failed to mount app '{slug}' at {path_prefix}: {e}"
                     logger.error(error_msg, exc_info=True)
-                    mounted_apps.append(
-                        {
-                            "slug": slug,
-                            "path_prefix": path_prefix,
-                            "status": "failed",
-                            "error": error_msg,
-                            "manifest_path": str(manifest_path),
-                        }
-                    )
+                    # Update existing entry instead of appending
+                    entry = _find_mounted_app_entry(slug)
+                    if entry:
+                        entry.update(
+                            {
+                                "status": "failed",
+                                "error": error_msg,
+                            }
+                        )
+                    else:
+                        # Fallback: append if entry not found (shouldn't happen)
+                        mounted_apps.append(
+                            {
+                                "slug": slug,
+                                "path_prefix": path_prefix,
+                                "status": "failed",
+                                "error": error_msg,
+                                "manifest_path": str(manifest_path),
+                            }
+                        )
                     if strict:
                         raise RuntimeError(error_msg) from e
                     continue
                 except (OSError, PermissionError, ImportError, AttributeError, TypeError) as e:
                     error_msg = f"Unexpected error mounting app '{slug}' at {path_prefix}: {e}"
                     logger.error(error_msg, exc_info=True)
-                    mounted_apps.append(
-                        {
-                            "slug": slug,
-                            "path_prefix": path_prefix,
-                            "status": "failed",
-                            "error": error_msg,
-                            "manifest_path": str(manifest_path),
-                        }
-                    )
+                    # Update existing entry instead of appending
+                    entry = _find_mounted_app_entry(slug)
+                    if entry:
+                        entry.update(
+                            {
+                                "status": "failed",
+                                "error": error_msg,
+                            }
+                        )
+                    else:
+                        # Fallback: append if entry not found (shouldn't happen)
+                        mounted_apps.append(
+                            {
+                                "slug": slug,
+                                "path_prefix": path_prefix,
+                                "status": "failed",
+                                "error": error_msg,
+                                "manifest_path": str(manifest_path),
+                            }
+                        )
                     if strict:
                         raise RuntimeError(error_msg) from e
                     continue
 
-            # Expose engine and mounted apps info on parent app state
-            app.state.engine = engine
+            # Update app.state.mounted_apps with final status (entries already updated in place)
+            # This ensures the state reflects the final mounted_apps list
             app.state.mounted_apps = mounted_apps
-            app.state.is_multi_app = True
-
-            # Store app reference in engine for get_mounted_apps()
-            engine._multi_app_instance = app
 
             yield
 
@@ -2241,6 +2326,14 @@ class MongoDBEngine:
         # Create parent FastAPI app
         parent_app = FastAPI(title=title, lifespan=lifespan, root_path=root_path, **fastapi_kwargs)
 
+        # Set mounted_apps immediately so get_mounted_apps() works before lifespan runs
+        parent_app.state.mounted_apps = mounted_apps
+        parent_app.state.is_multi_app = True
+        parent_app.state.engine = engine
+
+        # Store app reference in engine for get_mounted_apps()
+        engine._multi_app_instance = parent_app
+
         # Add request scope middleware
         from starlette.middleware.base import BaseHTTPMiddleware
 
@@ -2629,17 +2722,41 @@ class MongoDBEngine:
             or os.getenv("DEBUG", "").lower() in ("true", "1", "yes")
         )
 
-        # Create or get shared user pool
-        if not hasattr(self, "_shared_user_pool") or self._shared_user_pool is None:
-            self._shared_user_pool = SharedUserPool(
-                self._connection_manager.mongo_db,
-                allow_insecure_dev=is_dev,
-            )
-            await self._shared_user_pool.ensure_indexes()
-            logger.info("SharedUserPool initialized")
+        # Thread-safe initialization with async lock to prevent race conditions
+        async with self._shared_user_pool_lock:
+            # Check if another coroutine is initializing
+            if self._shared_user_pool_initializing:
+                # Wait for other initialization to complete
+                while self._shared_user_pool_initializing:
+                    import asyncio
+
+                    await asyncio.sleep(0.01)  # Small delay to avoid busy-waiting
+                # After waiting, check if pool was initialized
+                if hasattr(self, "_shared_user_pool") and self._shared_user_pool is not None:
+                    app.state.user_pool = self._shared_user_pool
+                    return
+
+            # Check if already initialized (double-check pattern)
+            if hasattr(self, "_shared_user_pool") and self._shared_user_pool is not None:
+                app.state.user_pool = self._shared_user_pool
+                return
 
-        # Expose user pool on app.state for middleware to access
-        app.state.user_pool = self._shared_user_pool
+            # Mark as initializing
+            self._shared_user_pool_initializing = True
+            try:
+                # Create shared user pool
+                self._shared_user_pool = SharedUserPool(
+                    self._connection_manager.mongo_db,
+                    allow_insecure_dev=is_dev,
+                )
+                await self._shared_user_pool.ensure_indexes()
+                logger.info("SharedUserPool initialized")
+
+                # Expose user pool on app.state for middleware to access
+                app.state.user_pool = self._shared_user_pool
+            finally:
+                # Always clear the initializing flag
+                self._shared_user_pool_initializing = False
 
         # Seed demo users to SharedUserPool if configured in manifest
         if manifest:

{mdb_engine-0.4.0 → mdb_engine-0.4.2/mdb_engine.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: mdb-engine
-Version: 0.4.0
+Version: 0.4.2
 Summary: MongoDB Engine
 Home-page: https://github.com/ranfysvalle02/mdb-engine
 Author: Fabian Valle

{mdb_engine-0.4.0 → mdb_engine-0.4.2}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "mdb-engine"
-version = "0.4.0"
+version = "0.4.2"
 description = "MongoDB Engine"
 readme = "README.md"
 requires-python = ">=3.10"

{mdb_engine-0.4.0 → mdb_engine-0.4.2}/setup.py

@@ -14,7 +14,7 @@ if readme_file.exists():
 
 setup(
     name="mdb-engine",
-    version="0.4.0",
+    version="0.4.1",
     description="MongoDB Engine",
     long_description=long_description,
     long_description_content_type="text/markdown",