mdb-engine 0.4.14__py3-none-any.whl → 0.5.0__py3-none-any.whl

mdb_engine/__init__.py

@@ -82,12 +82,15 @@ from .repositories import Entity, MongoRepository, Repository, UnitOfWork
 from .utils import clean_mongo_doc, clean_mongo_docs
 
 __version__ = (
-    "0.4.14"  # WebSocket security documentation and test updates
+    "0.5.0"  # Major WebSocket security overhaul - cookie-based authentication
+    # - BREAKING CHANGE: Removed subprotocol tunneling support
+    # - NEW: Exclusive httpOnly cookie-based WebSocket authentication
     # - Comprehensive security guide (WEBSOCKET_SECURITY_MULTI_APP_SSO.md)
-    # - Updated all documentation to reflect subprotocol-only authentication
-    # - Added integration tests for subprotocol authentication in multi-app SSO
-    # - Enhanced unit test documentation with security-focused explanations
+    # - Updated all documentation to reflect cookie-based authentication
+    # - Enhanced CSRF protection for WebSocket upgrades
+    # - Added integration tests for cookie-based WebSocket authentication
     # - Complete test coverage for WebSocket security scenarios
+    # - Multi-app SSO compatibility with path="/" cookies
 )
 
 __all__ = [

mdb_engine/auth/cookie_utils.py

@@ -116,8 +116,14 @@ def set_auth_cookies(
         refresh_token_ttl = 604800  # Default 7 days
 
     # Set access token cookie
+    # CRITICAL: path="/" ensures cookie is available to all mounted sub-apps
+    # Without explicit path, cookies default to request path and won't work with app.mount()
     response.set_cookie(
-        key="token", value=access_token, max_age=access_token_ttl, **cookie_settings
+        key="token",
+        value=access_token,
+        max_age=access_token_ttl,
+        path="/",  # Required for FastAPI mounted apps
+        **cookie_settings,
     )
 
     # Set refresh token cookie if provided
@@ -126,6 +132,7 @@ def set_auth_cookies(
             key="refresh_token",
             value=refresh_token,
             max_age=refresh_token_ttl,
+            path="/",  # Required for FastAPI mounted apps
             **cookie_settings,
         )
 
@@ -148,7 +155,10 @@ def clear_auth_cookies(response, request: Request | None = None):
         secure = os.getenv("G_NOME_ENV") == "production"
 
     # Delete access token cookie
-    response.delete_cookie(key="token", httponly=True, secure=secure, samesite=samesite)
+    # CRITICAL: path="/" ensures cookie deletion works across all mounted sub-apps
+    response.delete_cookie(key="token", httponly=True, secure=secure, samesite=samesite, path="/")
 
     # Delete refresh token cookie
-    response.delete_cookie(key="refresh_token", httponly=True, secure=secure, samesite=samesite)
+    response.delete_cookie(
+        key="refresh_token", httponly=True, secure=secure, samesite=samesite, path="/"
+    )

mdb_engine/auth/csrf.py

@@ -299,9 +299,9 @@ class CSRFMiddleware(BaseHTTPMiddleware):
         method = request.method
 
         # CRITICAL: Handle WebSocket upgrade requests BEFORE other CSRF checks
-        # WebSocket upgrades don't use CSRF tokens, but need origin validation
+        # WebSocket upgrades use cookie-based authentication and require CSRF validation
         if self._is_websocket_upgrade(request):
-            # Validate origin for WebSocket connections (CSWSH protection)
+            # Always validate origin for WebSocket connections (CSWSH protection)
             if not self._validate_websocket_origin(request):
                 logger.warning(
                     f"WebSocket origin validation failed for {path}: "
@@ -312,8 +312,58 @@ class CSRFMiddleware(BaseHTTPMiddleware):
                     status_code=status.HTTP_403_FORBIDDEN,
                     content={"detail": "Invalid origin for WebSocket connection"},
                 )
-            # Origin validated - allow WebSocket upgrade to proceed
-            # No CSRF token check needed for WebSocket upgrades
+
+            # Cookie-based authentication requires CSRF protection
+            # Check if authentication token cookie is present
+            auth_token_cookie = request.cookies.get("token")
+            if auth_token_cookie:
+                # For WebSocket upgrades, CSRF protection relies on:
+                # 1. Origin validation (already done above) - primary defense
+                # 2. SameSite cookies - prevents cross-site cookie sending
+                # 3. CSRF cookie presence - ensures session is established
+                #
+                # Note: JavaScript WebSocket API cannot set custom headers,
+                # so we cannot use double-submit cookie pattern (cookie + header).
+                # Instead, we rely on Origin validation + SameSite cookies for CSRF protection.
+                csrf_cookie_token = request.cookies.get(self.cookie_name)
+                if not csrf_cookie_token:
+                    logger.warning(f"WebSocket upgrade missing CSRF cookie for {path}")
+                    return JSONResponse(
+                        status_code=status.HTTP_403_FORBIDDEN,
+                        content={"detail": "CSRF token missing for WebSocket authentication"},
+                    )
+
+                # Validate CSRF token signature if secret is used
+                if self.secret and not validate_csrf_token(
+                    csrf_cookie_token, self.secret, self.token_ttl
+                ):
+                    logger.warning(f"WebSocket CSRF token validation failed for {path}")
+                    return JSONResponse(
+                        status_code=status.HTTP_403_FORBIDDEN,
+                        content={
+                            "detail": "CSRF token expired or invalid for WebSocket connection"
+                        },
+                    )
+
+                # Optional: If CSRF header is provided, validate it matches cookie
+                # (Some clients may send it, but it's not required for WebSocket upgrades)
+                header_token = request.headers.get(self.header_name)
+                if header_token:
+                    # If header is provided, validate it matches cookie (double-submit pattern)
+                    if not hmac.compare_digest(csrf_cookie_token, header_token):
+                        logger.warning(f"WebSocket CSRF token mismatch for {path}")
+                        return JSONResponse(
+                            status_code=status.HTTP_403_FORBIDDEN,
+                            content={"detail": "CSRF token invalid for WebSocket connection"},
+                        )
+
+                logger.debug(
+                    f"WebSocket upgrade CSRF validation passed for {path} "
+                    f"(Origin validated, CSRF cookie present)"
+                )
+
+            # Origin validated (and CSRF validated if authenticated)
+            # Allow WebSocket upgrade to proceed
             return await call_next(request)
 
         if self._is_exempt(path):

mdb_engine/routing/websockets.py

@@ -307,16 +307,70 @@ def get_websocket_manager_sync(app_slug: str) -> WebSocketConnectionManager:
     return _websocket_managers[app_slug]
 
 
+def _get_cookies_from_websocket(websocket: Any) -> dict[str, str]:
+    """
+    Extract cookies from WebSocket request.
+
+    Supports both FastAPI WebSocket .cookies attribute and ASGI scope Cookie header.
+
+    Args:
+        websocket: FastAPI WebSocket instance
+
+    Returns:
+        Dictionary of cookie name -> cookie value
+    """
+    cookies: dict[str, str] = {}
+
+    try:
+        # Try FastAPI WebSocket .cookies attribute (if available)
+        if hasattr(websocket, "cookies") and websocket.cookies is not None:
+            # FastAPI WebSocket.cookies is a dict-like object
+            cookies = dict(websocket.cookies)
+            logger.debug(f"Extracted {len(cookies)} cookies from WebSocket.cookies attribute")
+            return cookies
+    except (AttributeError, TypeError) as e:
+        logger.debug(f"Could not access WebSocket.cookies attribute: {e}")
+
+    try:
+        # Fallback: Extract from Cookie header in ASGI scope
+        if hasattr(websocket, "scope") and "headers" in websocket.scope:
+            headers_dict = dict(websocket.scope["headers"])
+            cookie_header_bytes = headers_dict.get(b"cookie")
+            if not cookie_header_bytes:
+                # Try case-insensitive lookup
+                for key, value in headers_dict.items():
+                    if isinstance(key, bytes) and key.lower() == b"cookie":
+                        cookie_header_bytes = value
+                        break
+
+            if cookie_header_bytes:
+                cookie_header = cookie_header_bytes.decode("utf-8")
+                # Parse cookie string: "name1=value1; name2=value2"
+                for cookie_pair in cookie_header.split(";"):
+                    cookie_pair = cookie_pair.strip()
+                    if "=" in cookie_pair:
+                        name, value = cookie_pair.split("=", 1)
+                        cookies[name.strip()] = value.strip()
+                logger.debug(f"Extracted {len(cookies)} cookies from Cookie header in ASGI scope")
+                return cookies
+    except (AttributeError, TypeError, KeyError, UnicodeDecodeError, ValueError) as e:
+        logger.debug(f"Could not extract cookies from ASGI scope: {e}")
+
+    return cookies
+
+
 async def authenticate_websocket(
-    websocket: Any, app_slug: str, require_auth: bool = True
+    websocket: Any,
+    app_slug: str,
+    require_auth: bool = True,
 ) -> tuple[str | None, str | None]:
     """
-    Authenticate a WebSocket connection via Sec-WebSocket-Protocol header.
+    Authenticate a WebSocket connection via httpOnly cookies.
 
-    Uses subprotocol tunneling to pass JWT tokens securely:
-    - Client: new WebSocket(url, [token])
-    - Server: Extracts token from sec-websocket-protocol header
-    - Bypasses CSRF issues and avoids URL logging risks
+    Uses cookie-based authentication with CSRF protection:
+    - Token stored in httpOnly cookie (not accessible to JavaScript)
+    - CSRF token validated via double-submit cookie pattern
+    - Origin validation provides additional protection
 
     Args:
         websocket: FastAPI WebSocket instance (can access headers before accept)
@@ -340,56 +394,24 @@ async def authenticate_websocket(
         return None, None
 
     try:
-        token = None
-        selected_subprotocol = None
-
-        # Sec-WebSocket-Protocol (Subprotocol Tunneling)
-        # Browsers allow: new WebSocket(url, ["token", "THE_JWT_STRING"])
-        # This bypasses CSRF issues and avoids URL logging risks
-        try:
-            protocol_header = None
-            # Try multiple ways to access headers (FastAPI WebSocket compatibility)
-            if hasattr(websocket, "headers") and websocket.headers is not None:
-                # FastAPI WebSocket.headers is case-insensitive dict-like
-                protocol_header = websocket.headers.get("sec-websocket-protocol")
-
-            # Fallback: access via scope (ASGI standard) if headers not available
-            if not protocol_header and hasattr(websocket, "scope") and "headers" in websocket.scope:
-                headers_dict = dict(websocket.scope["headers"])
-                # Headers are bytes in ASGI, need to decode
-                protocol_header_bytes = headers_dict.get(b"sec-websocket-protocol")
-                if protocol_header_bytes:
-                    protocol_header = protocol_header_bytes.decode("utf-8")
-
-            if protocol_header:
-                # Header format: "protocol1, protocol2, ..." or just "token"
-                protocols = [p.strip() for p in protocol_header.split(",")]
-                logger.debug(f"WebSocket subprotocols for app '{app_slug}': {protocols}")
-
-                # Look for a JWT-like token in the protocols
-                # JWTs are typically long (>20 chars) and don't contain spaces
-                for protocol in protocols:
-                    if len(protocol) > 20 and " " not in protocol:
-                        token = protocol
-                        selected_subprotocol = protocol
-                        logger.info(
-                            f"WebSocket token found in subprotocol for app '{app_slug}' "
-                            f"(length: {len(protocol)})"
-                        )
-                        break
-        except (AttributeError, TypeError, KeyError, UnicodeDecodeError) as e:
-            logger.debug(f"Could not access WebSocket headers for subprotocol check: {e}")
+        # Extract token from httpOnly cookie
+        cookies = _get_cookies_from_websocket(websocket)
+        token = cookies.get("token")  # Standard auth token cookie name
 
         if not token:
             logger.warning(
-                f"No token found in subprotocol header for WebSocket connection to app "
-                f"'{app_slug}' (require_auth={require_auth}). "
-                f"Use: new WebSocket(url, [token]) to pass JWT token as subprotocol."
+                f"No token cookie found for WebSocket connection to app '{app_slug}' "
+                f"(require_auth={require_auth}). "
+                f"Ensure httpOnly cookie is set during authentication."
             )
             if require_auth:
                 return None, None  # Signal auth failure
             return None, None
 
+        logger.info(
+            f"WebSocket token found in cookie for app '{app_slug}' " "(cookie-based authentication)"
+        )
+
         # Decode and validate token
         import jwt
 
@@ -401,14 +423,10 @@ async def authenticate_websocket(
             user_id = payload.get("sub") or payload.get("user_id")
             user_email = payload.get("email")
 
-            # Store selected subprotocol on websocket scope for accept() to use
-            if selected_subprotocol:
-                # Store in scope so _accept_websocket_connection can access it
-                if hasattr(websocket, "scope"):
-                    websocket.scope["_selected_subprotocol"] = selected_subprotocol
-                logger.debug(f"Stored subprotocol '{selected_subprotocol}' for WebSocket accept")
-
-            logger.info(f"WebSocket authenticated successfully for app '{app_slug}': {user_email}")
+            logger.info(
+                f"WebSocket authenticated successfully for app '{app_slug}': {user_email} "
+                f"(method: cookie)"
+            )
             return user_id, user_email
         except (jwt.ExpiredSignatureError, jwt.InvalidTokenError) as decode_error:
             logger.error(f"JWT decode error for app '{app_slug}': {decode_error}", exc_info=True)
@@ -480,29 +498,13 @@ def get_message_handler(
 
 async def _accept_websocket_connection(websocket: Any, app_slug: str) -> None:
     """
-    Accept WebSocket connection with subprotocol support.
+    Accept WebSocket connection.
 
-    If authentication found a token in the Sec-WebSocket-Protocol header,
-    we must accept with that specific subprotocol or the browser will reject
-    the connection.
+    Cookie-based authentication uses httpOnly cookies automatically sent by the browser.
     """
     try:
-        # Check if auth stored a selected subprotocol
-        selected_subprotocol = None
-        if hasattr(websocket, "scope"):
-            selected_subprotocol = websocket.scope.get("_selected_subprotocol")
-
-        if selected_subprotocol:
-            # Accept with the specific subprotocol the client requested
-            await websocket.accept(subprotocol=selected_subprotocol)
-            logger.info(
-                f"✅ WebSocket accepted for app '{app_slug}' "
-                f"with subprotocol '{selected_subprotocol}'"
-            )
-        else:
-            # Standard accept without subprotocol
-            await websocket.accept()
-            logger.info(f"✅ WebSocket accepted for app '{app_slug}'")
+        await websocket.accept()
+        logger.info(f"✅ WebSocket accepted for app '{app_slug}'")
 
         print(f"✅ [WEBSOCKET ACCEPTED] App: '{app_slug}'")
     except (RuntimeError, ConnectionError, OSError) as accept_error:
@@ -699,7 +701,7 @@ def create_websocket_endpoint(
                 # The connection will be rejected by the server
                 return
 
-            # Accept connection (with subprotocol if token was in protocol header)
+            # Accept connection
             await _accept_websocket_connection(websocket, app_slug)
 
             # Connect with metadata (websocket already accepted)

{mdb_engine-0.4.14.dist-info → mdb_engine-0.5.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: mdb-engine
-Version: 0.4.14
+Version: 0.5.0
 Summary: MongoDB Engine
 Home-page: https://github.com/ranfysvalle02/mdb-engine
 Author: Fabian Valle

{mdb_engine-0.4.14.dist-info → mdb_engine-0.5.0.dist-info}/RECORD

@@ -1,5 +1,5 @@
 mdb_engine/README.md,sha256=T3EFGcPopY9LslYW3lxgG3hohWkAOmBNbYG0FDMUJiY,3502
-mdb_engine/__init__.py,sha256=wfZJ6njS5_immp5ErJ2BzevHJUeZtkXG_xytdni0mH0,3531
+mdb_engine/__init__.py,sha256=Uz23q_g7sJjuMs5TzIZbS34wMO0oAtS1SWa6cqBdhqw,3705
 mdb_engine/config.py,sha256=DTAyxfKB8ogyI0v5QR9Y-SJOgXQr_eDBCKxNBSqEyLc,7269
 mdb_engine/constants.py,sha256=eaotvW57TVOg7rRbLziGrVNoP7adgw_G9iVByHezc_A,7837
 mdb_engine/dependencies.py,sha256=MJuYQhZ9ZGzXlip1ha5zba9Rvn04HDPWahJFJH81Q2s,14107
@@ -13,8 +13,8 @@ mdb_engine/auth/casbin_factory.py,sha256=oZLHIPyVA1hiho__ledRVDoBisaZgo96WZIKa0-
 mdb_engine/auth/casbin_models.py,sha256=7XtFmRBhhjw1nKprnluvjyJoTj5fzdPeQwVvo6fI-r0,955
 mdb_engine/auth/config_defaults.py,sha256=1YI_hIHuTiEXpkEYMcufNHdLr1oxPiJylg3CKrJCSGY,2012
 mdb_engine/auth/config_helpers.py,sha256=Qharb2YagLOKDGtE7XhYRDbBoQ_KGykrcIKrsOwWIJ4,6303
-mdb_engine/auth/cookie_utils.py,sha256=j04qXq5GiJrnnJUAP5Z_N1CAFbx9CZiyF5u9xIiQ3vo,4876
-mdb_engine/auth/csrf.py,sha256=7zLiX9IEvgBXp3DjVBmcaYATS6cTelQReUYYkiVas6M,17626
+mdb_engine/auth/cookie_utils.py,sha256=glsSocSmy-_wRTLro0xy17s84oBk3HPDPL-FVXl7Rv8,5302
+mdb_engine/auth/csrf.py,sha256=1MQuLI1gtWtm6ce0NhARRkD7bk6JfUaLUR0YCL7RL4Q,20393
 mdb_engine/auth/decorators.py,sha256=LkVVEuRrT0Iz8EwctN14BEi3fSV-xtN6DaGXgtbiYYo,12287
 mdb_engine/auth/dependencies.py,sha256=JB1iYvZJgTR6gcaiGe_GJFCS6NdUKMxWBZRv6vVxnzw,27112
 mdb_engine/auth/helpers.py,sha256=BCrid985cYh-3h5ZMUV9TES0q40uJXio4oYKQZta7KA,1970
@@ -86,12 +86,12 @@ mdb_engine/repositories/mongo.py,sha256=Wg32_6v0KHAHumhz5z8QkoqJRWAMJFA7Y2lYIJ7L
 mdb_engine/repositories/unit_of_work.py,sha256=XvmwGOspEDj4hsfOULPsQKjB1QZqh83TJo6vGV4tiqU,5118
 mdb_engine/routing/README.md,sha256=WVvTQXDq0amryrjkCu0wP_piOEwFjLukjmPz2mroWHY,13658
 mdb_engine/routing/__init__.py,sha256=reupjHi_RTc2ZBA4AH5XzobAmqy4EQIsfSUcTkFknUM,2438
-mdb_engine/routing/websockets.py,sha256=vMpfnGzMrMvqF2ZBwWazS-8cL73nwO1rHoR2XZJTI9k,31667
+mdb_engine/routing/websockets.py,sha256=WBdJui0VMi5n30suXa8RPGkGgeHON4x3FyjbdsqHudY,30860
 mdb_engine/utils/__init__.py,sha256=lDxQSGqkV4fVw5TWIk6FA6_eey_ZnEtMY0fir3cpAe8,236
 mdb_engine/utils/mongo.py,sha256=Oqtv4tQdpiiZzrilGLEYQPo8Vmh8WsTQypxQs8Of53s,3369
-mdb_engine-0.4.14.dist-info/licenses/LICENSE,sha256=hIahDEOTzuHCU5J2nd07LWwkLW7Hko4UFO__ffsvB-8,34523
-mdb_engine-0.4.14.dist-info/METADATA,sha256=e6T3Bsq0hTdDSLDQHwb5MyJpsL5-HY2pP9iYev5oAm0,15811
-mdb_engine-0.4.14.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
-mdb_engine-0.4.14.dist-info/entry_points.txt,sha256=INCbYdFbBzJalwPwxliEzLmPfR57IvQ7RAXG_pn8cL8,48
-mdb_engine-0.4.14.dist-info/top_level.txt,sha256=PH0UEBwTtgkm2vWvC9He_EOMn7hVn_Wg_Jyc0SmeO8k,11
-mdb_engine-0.4.14.dist-info/RECORD,,
+mdb_engine-0.5.0.dist-info/licenses/LICENSE,sha256=hIahDEOTzuHCU5J2nd07LWwkLW7Hko4UFO__ffsvB-8,34523
+mdb_engine-0.5.0.dist-info/METADATA,sha256=15KsimjJFGd_mmGzVJG9S4PIV-gI9m4yHuGmqAev7dM,15810
+mdb_engine-0.5.0.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
+mdb_engine-0.5.0.dist-info/entry_points.txt,sha256=INCbYdFbBzJalwPwxliEzLmPfR57IvQ7RAXG_pn8cL8,48
+mdb_engine-0.5.0.dist-info/top_level.txt,sha256=PH0UEBwTtgkm2vWvC9He_EOMn7hVn_Wg_Jyc0SmeO8k,11
+mdb_engine-0.5.0.dist-info/RECORD,,