mdb-engine 0.4.12__py3-none-any.whl → 0.5.0__py3-none-any.whl

mdb_engine/__init__.py

@@ -82,11 +82,15 @@ from .repositories import Entity, MongoRepository, Repository, UnitOfWork
 from .utils import clean_mongo_doc, clean_mongo_docs
 
 __version__ = (
-    "0.4.12"  # Fix CSRF middleware rejecting WebSocket connections
-    # - Skip CSRF middleware on child apps in multi-app setups (parent handles it)
-    # - Merge child app public routes into parent CSRF exempt list
-    # - WebSocket connections now work correctly in multi-app SSO setups
-    # - Security maintained: parent app CSRF middleware protects all routes
+    "0.5.0"  # Major WebSocket security overhaul - cookie-based authentication
+    # - BREAKING CHANGE: Removed subprotocol tunneling support
+    # - NEW: Exclusive httpOnly cookie-based WebSocket authentication
+    # - Comprehensive security guide (WEBSOCKET_SECURITY_MULTI_APP_SSO.md)
+    # - Updated all documentation to reflect cookie-based authentication
+    # - Enhanced CSRF protection for WebSocket upgrades
+    # - Added integration tests for cookie-based WebSocket authentication
+    # - Complete test coverage for WebSocket security scenarios
+    # - Multi-app SSO compatibility with path="/" cookies
 )
 
 __all__ = [

mdb_engine/auth/cookie_utils.py

@@ -116,8 +116,14 @@ def set_auth_cookies(
         refresh_token_ttl = 604800  # Default 7 days
 
     # Set access token cookie
+    # CRITICAL: path="/" ensures cookie is available to all mounted sub-apps
+    # Without explicit path, cookies default to request path and won't work with app.mount()
     response.set_cookie(
-        key="token", value=access_token, max_age=access_token_ttl, **cookie_settings
+        key="token",
+        value=access_token,
+        max_age=access_token_ttl,
+        path="/",  # Required for FastAPI mounted apps
+        **cookie_settings,
     )
 
     # Set refresh token cookie if provided
@@ -126,6 +132,7 @@ def set_auth_cookies(
             key="refresh_token",
             value=refresh_token,
             max_age=refresh_token_ttl,
+            path="/",  # Required for FastAPI mounted apps
             **cookie_settings,
         )
 
@@ -148,7 +155,10 @@ def clear_auth_cookies(response, request: Request | None = None):
         secure = os.getenv("G_NOME_ENV") == "production"
 
     # Delete access token cookie
-    response.delete_cookie(key="token", httponly=True, secure=secure, samesite=samesite)
+    # CRITICAL: path="/" ensures cookie deletion works across all mounted sub-apps
+    response.delete_cookie(key="token", httponly=True, secure=secure, samesite=samesite, path="/")
 
     # Delete refresh token cookie
-    response.delete_cookie(key="refresh_token", httponly=True, secure=secure, samesite=samesite)
+    response.delete_cookie(
+        key="refresh_token", httponly=True, secure=secure, samesite=samesite, path="/"
+    )

mdb_engine/auth/csrf.py

@@ -299,9 +299,9 @@ class CSRFMiddleware(BaseHTTPMiddleware):
         method = request.method
 
         # CRITICAL: Handle WebSocket upgrade requests BEFORE other CSRF checks
-        # WebSocket upgrades don't use CSRF tokens, but need origin validation
+        # WebSocket upgrades use cookie-based authentication and require CSRF validation
         if self._is_websocket_upgrade(request):
-            # Validate origin for WebSocket connections (CSWSH protection)
+            # Always validate origin for WebSocket connections (CSWSH protection)
             if not self._validate_websocket_origin(request):
                 logger.warning(
                     f"WebSocket origin validation failed for {path}: "
@@ -312,8 +312,58 @@ class CSRFMiddleware(BaseHTTPMiddleware):
                     status_code=status.HTTP_403_FORBIDDEN,
                     content={"detail": "Invalid origin for WebSocket connection"},
                 )
-            # Origin validated - allow WebSocket upgrade to proceed
-            # No CSRF token check needed for WebSocket upgrades
+
+            # Cookie-based authentication requires CSRF protection
+            # Check if authentication token cookie is present
+            auth_token_cookie = request.cookies.get("token")
+            if auth_token_cookie:
+                # For WebSocket upgrades, CSRF protection relies on:
+                # 1. Origin validation (already done above) - primary defense
+                # 2. SameSite cookies - prevents cross-site cookie sending
+                # 3. CSRF cookie presence - ensures session is established
+                #
+                # Note: JavaScript WebSocket API cannot set custom headers,
+                # so we cannot use double-submit cookie pattern (cookie + header).
+                # Instead, we rely on Origin validation + SameSite cookies for CSRF protection.
+                csrf_cookie_token = request.cookies.get(self.cookie_name)
+                if not csrf_cookie_token:
+                    logger.warning(f"WebSocket upgrade missing CSRF cookie for {path}")
+                    return JSONResponse(
+                        status_code=status.HTTP_403_FORBIDDEN,
+                        content={"detail": "CSRF token missing for WebSocket authentication"},
+                    )
+
+                # Validate CSRF token signature if secret is used
+                if self.secret and not validate_csrf_token(
+                    csrf_cookie_token, self.secret, self.token_ttl
+                ):
+                    logger.warning(f"WebSocket CSRF token validation failed for {path}")
+                    return JSONResponse(
+                        status_code=status.HTTP_403_FORBIDDEN,
+                        content={
+                            "detail": "CSRF token expired or invalid for WebSocket connection"
+                        },
+                    )
+
+                # Optional: If CSRF header is provided, validate it matches cookie
+                # (Some clients may send it, but it's not required for WebSocket upgrades)
+                header_token = request.headers.get(self.header_name)
+                if header_token:
+                    # If header is provided, validate it matches cookie (double-submit pattern)
+                    if not hmac.compare_digest(csrf_cookie_token, header_token):
+                        logger.warning(f"WebSocket CSRF token mismatch for {path}")
+                        return JSONResponse(
+                            status_code=status.HTTP_403_FORBIDDEN,
+                            content={"detail": "CSRF token invalid for WebSocket connection"},
+                        )
+
+                logger.debug(
+                    f"WebSocket upgrade CSRF validation passed for {path} "
+                    f"(Origin validated, CSRF cookie present)"
+                )
+
+            # Origin validated (and CSRF validated if authenticated)
+            # Allow WebSocket upgrade to proceed
             return await call_next(request)
 
         if self._is_exempt(path):

mdb_engine/routing/websockets.py

@@ -307,14 +307,73 @@ def get_websocket_manager_sync(app_slug: str) -> WebSocketConnectionManager:
     return _websocket_managers[app_slug]
 
 
+def _get_cookies_from_websocket(websocket: Any) -> dict[str, str]:
+    """
+    Extract cookies from WebSocket request.
+
+    Supports both FastAPI WebSocket .cookies attribute and ASGI scope Cookie header.
+
+    Args:
+        websocket: FastAPI WebSocket instance
+
+    Returns:
+        Dictionary of cookie name -> cookie value
+    """
+    cookies: dict[str, str] = {}
+
+    try:
+        # Try FastAPI WebSocket .cookies attribute (if available)
+        if hasattr(websocket, "cookies") and websocket.cookies is not None:
+            # FastAPI WebSocket.cookies is a dict-like object
+            cookies = dict(websocket.cookies)
+            logger.debug(f"Extracted {len(cookies)} cookies from WebSocket.cookies attribute")
+            return cookies
+    except (AttributeError, TypeError) as e:
+        logger.debug(f"Could not access WebSocket.cookies attribute: {e}")
+
+    try:
+        # Fallback: Extract from Cookie header in ASGI scope
+        if hasattr(websocket, "scope") and "headers" in websocket.scope:
+            headers_dict = dict(websocket.scope["headers"])
+            cookie_header_bytes = headers_dict.get(b"cookie")
+            if not cookie_header_bytes:
+                # Try case-insensitive lookup
+                for key, value in headers_dict.items():
+                    if isinstance(key, bytes) and key.lower() == b"cookie":
+                        cookie_header_bytes = value
+                        break
+
+            if cookie_header_bytes:
+                cookie_header = cookie_header_bytes.decode("utf-8")
+                # Parse cookie string: "name1=value1; name2=value2"
+                for cookie_pair in cookie_header.split(";"):
+                    cookie_pair = cookie_pair.strip()
+                    if "=" in cookie_pair:
+                        name, value = cookie_pair.split("=", 1)
+                        cookies[name.strip()] = value.strip()
+                logger.debug(f"Extracted {len(cookies)} cookies from Cookie header in ASGI scope")
+                return cookies
+    except (AttributeError, TypeError, KeyError, UnicodeDecodeError, ValueError) as e:
+        logger.debug(f"Could not extract cookies from ASGI scope: {e}")
+
+    return cookies
+
+
 async def authenticate_websocket(
-    websocket: Any, app_slug: str, require_auth: bool = True
+    websocket: Any,
+    app_slug: str,
+    require_auth: bool = True,
 ) -> tuple[str | None, str | None]:
     """
-    Authenticate a WebSocket connection.
+    Authenticate a WebSocket connection via httpOnly cookies.
+
+    Uses cookie-based authentication with CSRF protection:
+    - Token stored in httpOnly cookie (not accessible to JavaScript)
+    - CSRF token validated via double-submit cookie pattern
+    - Origin validation provides additional protection
 
     Args:
-        websocket: FastAPI WebSocket instance
+        websocket: FastAPI WebSocket instance (can access headers before accept)
         app_slug: App slug for context
         require_auth: Whether authentication is required
 
@@ -335,59 +394,25 @@ async def authenticate_websocket(
         return None, None
 
     try:
-        # Try to get token from query params or cookies
-        token = None
-        query_token = None
-        cookie_token = None
-
-        # Check query parameters
-        # FastAPI WebSocket query params are accessed via websocket.query_params
-        if hasattr(websocket, "query_params"):
-            if websocket.query_params:
-                query_token = websocket.query_params.get("token")
-                logger.info(
-                    f"WebSocket query_params for app '{app_slug}': {dict(websocket.query_params)}"
-                )
-                if query_token:
-                    token = query_token
-                    logger.info(
-                        f"WebSocket token found in query params for app "
-                        f"'{app_slug}' (length: {len(query_token)})"
-                    )
-            else:
-                logger.info(f"WebSocket query_params is empty for app '{app_slug}'")
-        else:
-            logger.warning(f"WebSocket has no query_params attribute for app '{app_slug}'")
-
-        # If no token in query, try to get from cookies (if available)
-        # Check both ws_token (non-httponly, for JS access) and token (httponly)
-        if not token:
-            if hasattr(websocket, "cookies"):
-                cookie_token = websocket.cookies.get("ws_token") or websocket.cookies.get("token")
-                if cookie_token:
-                    token = cookie_token
-                    logger.debug(f"WebSocket token found in cookies for app '{app_slug}'")
-            else:
-                logger.debug(f"WebSocket has no cookies attribute for app '{app_slug}'")
-
-        logger.info(
-            f"WebSocket auth check for app '{app_slug}': "
-            f"query_token={bool(query_token)}, "
-            f"cookie_token={bool(cookie_token)}, "
-            f"final_token={bool(token)}, require_auth={require_auth}"
-        )
+        # Extract token from httpOnly cookie
+        cookies = _get_cookies_from_websocket(websocket)
+        token = cookies.get("token")  # Standard auth token cookie name
 
         if not token:
             logger.warning(
-                f"No token found for WebSocket connection to app '{app_slug}' "
-                f"(require_auth={require_auth})"
+                f"No token cookie found for WebSocket connection to app '{app_slug}' "
+                f"(require_auth={require_auth}). "
+                f"Ensure httpOnly cookie is set during authentication."
             )
             if require_auth:
-                # Don't close before accepting - return error info instead
-                # The caller will handle closing after accept
                 return None, None  # Signal auth failure
             return None, None
 
+        logger.info(
+            f"WebSocket token found in cookie for app '{app_slug}' " "(cookie-based authentication)"
+        )
+
+        # Decode and validate token
         import jwt
 
         from ..auth.dependencies import SECRET_KEY
@@ -398,7 +423,10 @@ async def authenticate_websocket(
             user_id = payload.get("sub") or payload.get("user_id")
             user_email = payload.get("email")
 
-            logger.info(f"WebSocket authenticated successfully for app '{app_slug}': {user_email}")
+            logger.info(
+                f"WebSocket authenticated successfully for app '{app_slug}': {user_email} "
+                f"(method: cookie)"
+            )
             return user_id, user_email
         except (jwt.ExpiredSignatureError, jwt.InvalidTokenError) as decode_error:
             logger.error(f"JWT decode error for app '{app_slug}': {decode_error}", exc_info=True)
@@ -409,7 +437,6 @@ async def authenticate_websocket(
     except (ValueError, TypeError, AttributeError, KeyError, RuntimeError) as e:
         logger.error(f"WebSocket authentication failed for app '{app_slug}': {e}", exc_info=True)
         if require_auth:
-            # Don't close before accepting - return error info instead
             return None, None  # Signal auth failure
         return None, None
 
@@ -470,11 +497,16 @@ def get_message_handler(
 
 
 async def _accept_websocket_connection(websocket: Any, app_slug: str) -> None:
-    """Accept WebSocket connection with error handling."""
+    """
+    Accept WebSocket connection.
+
+    Cookie-based authentication uses httpOnly cookies automatically sent by the browser.
+    """
     try:
         await websocket.accept()
-        print(f"✅ [WEBSOCKET ACCEPTED] App: '{app_slug}'")
         logger.info(f"✅ WebSocket accepted for app '{app_slug}'")
+
+        print(f"✅ [WEBSOCKET ACCEPTED] App: '{app_slug}'")
     except (RuntimeError, ConnectionError, OSError) as accept_error:
         print(f"❌ [WEBSOCKET ACCEPT FAILED] App: '{app_slug}', Error: {accept_error}")
         logger.error(
@@ -654,13 +686,23 @@ def create_websocket_endpoint(
                 f"(require_auth={require_auth}, query_params={query_str})"
             )
 
-            # Accept connection FIRST (required before we can do anything)
-            await _accept_websocket_connection(websocket, app_slug)
+            # CRITICAL: Authenticate BEFORE accepting connection
+            # This prevents CSRF middleware from rejecting established connections
+            # We can access headers/query_params before accept() is called
+            user_id, user_email = await authenticate_websocket(websocket, app_slug, require_auth)
 
-            # Authenticate connection (after accept, so we can close properly if needed)
-            user_id, user_email = await _authenticate_websocket_connection(
-                websocket, app_slug, require_auth
-            )
+            # Handle authentication failure
+            if require_auth and not user_id:
+                logger.warning(
+                    f"WebSocket authentication failed for app '{app_slug}' - rejecting connection"
+                )
+                # Reject without accepting - FastAPI will send 403 if accept() not called
+                # We can't call websocket.close() before accept(), so we just return
+                # The connection will be rejected by the server
+                return
+
+            # Accept connection
+            await _accept_websocket_connection(websocket, app_slug)
 
             # Connect with metadata (websocket already accepted)
             connection = await manager.connect(websocket, user_id=user_id, user_email=user_email)

{mdb_engine-0.4.12.dist-info → mdb_engine-0.5.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: mdb-engine
-Version: 0.4.12
+Version: 0.5.0
 Summary: MongoDB Engine
 Home-page: https://github.com/ranfysvalle02/mdb-engine
 Author: Fabian Valle

{mdb_engine-0.4.12.dist-info → mdb_engine-0.5.0.dist-info}/RECORD

@@ -1,5 +1,5 @@
 mdb_engine/README.md,sha256=T3EFGcPopY9LslYW3lxgG3hohWkAOmBNbYG0FDMUJiY,3502
-mdb_engine/__init__.py,sha256=Egwc1COlKqmKB-qVUHAjWfJFmEg6iYT4DKE6m5hgpso,3460
+mdb_engine/__init__.py,sha256=Uz23q_g7sJjuMs5TzIZbS34wMO0oAtS1SWa6cqBdhqw,3705
 mdb_engine/config.py,sha256=DTAyxfKB8ogyI0v5QR9Y-SJOgXQr_eDBCKxNBSqEyLc,7269
 mdb_engine/constants.py,sha256=eaotvW57TVOg7rRbLziGrVNoP7adgw_G9iVByHezc_A,7837
 mdb_engine/dependencies.py,sha256=MJuYQhZ9ZGzXlip1ha5zba9Rvn04HDPWahJFJH81Q2s,14107
@@ -13,8 +13,8 @@ mdb_engine/auth/casbin_factory.py,sha256=oZLHIPyVA1hiho__ledRVDoBisaZgo96WZIKa0-
 mdb_engine/auth/casbin_models.py,sha256=7XtFmRBhhjw1nKprnluvjyJoTj5fzdPeQwVvo6fI-r0,955
 mdb_engine/auth/config_defaults.py,sha256=1YI_hIHuTiEXpkEYMcufNHdLr1oxPiJylg3CKrJCSGY,2012
 mdb_engine/auth/config_helpers.py,sha256=Qharb2YagLOKDGtE7XhYRDbBoQ_KGykrcIKrsOwWIJ4,6303
-mdb_engine/auth/cookie_utils.py,sha256=j04qXq5GiJrnnJUAP5Z_N1CAFbx9CZiyF5u9xIiQ3vo,4876
-mdb_engine/auth/csrf.py,sha256=7zLiX9IEvgBXp3DjVBmcaYATS6cTelQReUYYkiVas6M,17626
+mdb_engine/auth/cookie_utils.py,sha256=glsSocSmy-_wRTLro0xy17s84oBk3HPDPL-FVXl7Rv8,5302
+mdb_engine/auth/csrf.py,sha256=1MQuLI1gtWtm6ce0NhARRkD7bk6JfUaLUR0YCL7RL4Q,20393
 mdb_engine/auth/decorators.py,sha256=LkVVEuRrT0Iz8EwctN14BEi3fSV-xtN6DaGXgtbiYYo,12287
 mdb_engine/auth/dependencies.py,sha256=JB1iYvZJgTR6gcaiGe_GJFCS6NdUKMxWBZRv6vVxnzw,27112
 mdb_engine/auth/helpers.py,sha256=BCrid985cYh-3h5ZMUV9TES0q40uJXio4oYKQZta7KA,1970
@@ -86,12 +86,12 @@ mdb_engine/repositories/mongo.py,sha256=Wg32_6v0KHAHumhz5z8QkoqJRWAMJFA7Y2lYIJ7L
 mdb_engine/repositories/unit_of_work.py,sha256=XvmwGOspEDj4hsfOULPsQKjB1QZqh83TJo6vGV4tiqU,5118
 mdb_engine/routing/README.md,sha256=WVvTQXDq0amryrjkCu0wP_piOEwFjLukjmPz2mroWHY,13658
 mdb_engine/routing/__init__.py,sha256=reupjHi_RTc2ZBA4AH5XzobAmqy4EQIsfSUcTkFknUM,2438
-mdb_engine/routing/websockets.py,sha256=3X4OjQv_Nln4UmeifJky0gFhMG8A6alR77I8g1iIOLY,29311
+mdb_engine/routing/websockets.py,sha256=WBdJui0VMi5n30suXa8RPGkGgeHON4x3FyjbdsqHudY,30860
 mdb_engine/utils/__init__.py,sha256=lDxQSGqkV4fVw5TWIk6FA6_eey_ZnEtMY0fir3cpAe8,236
 mdb_engine/utils/mongo.py,sha256=Oqtv4tQdpiiZzrilGLEYQPo8Vmh8WsTQypxQs8Of53s,3369
-mdb_engine-0.4.12.dist-info/licenses/LICENSE,sha256=hIahDEOTzuHCU5J2nd07LWwkLW7Hko4UFO__ffsvB-8,34523
-mdb_engine-0.4.12.dist-info/METADATA,sha256=Jrn7XyZ1ZgCzyN5F5oVDXbo4xngGUCEUjPCW6dvYJyc,15811
-mdb_engine-0.4.12.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
-mdb_engine-0.4.12.dist-info/entry_points.txt,sha256=INCbYdFbBzJalwPwxliEzLmPfR57IvQ7RAXG_pn8cL8,48
-mdb_engine-0.4.12.dist-info/top_level.txt,sha256=PH0UEBwTtgkm2vWvC9He_EOMn7hVn_Wg_Jyc0SmeO8k,11
-mdb_engine-0.4.12.dist-info/RECORD,,
+mdb_engine-0.5.0.dist-info/licenses/LICENSE,sha256=hIahDEOTzuHCU5J2nd07LWwkLW7Hko4UFO__ffsvB-8,34523
+mdb_engine-0.5.0.dist-info/METADATA,sha256=15KsimjJFGd_mmGzVJG9S4PIV-gI9m4yHuGmqAev7dM,15810
+mdb_engine-0.5.0.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
+mdb_engine-0.5.0.dist-info/entry_points.txt,sha256=INCbYdFbBzJalwPwxliEzLmPfR57IvQ7RAXG_pn8cL8,48
+mdb_engine-0.5.0.dist-info/top_level.txt,sha256=PH0UEBwTtgkm2vWvC9He_EOMn7hVn_Wg_Jyc0SmeO8k,11
+mdb_engine-0.5.0.dist-info/RECORD,,