mdb-engine 0.4.1__py3-none-any.whl → 0.4.2__py3-none-any.whl

mdb_engine/__init__.py

@@ -81,7 +81,10 @@ from .repositories import Entity, MongoRepository, Repository, UnitOfWork
 # Utilities
 from .utils import clean_mongo_doc, clean_mongo_docs
 
-__version__ = "0.4.1"  # Patch version: Bug fixes for path prefix handling and test improvements
+__version__ = (
+    "0.4.2"  # Security release: Fixed auto-role assignment, token blacklist
+    # fail-closed, race conditions, session binding, and path traversal
+)
 
 __all__ = [
     # Core Engine

mdb_engine/auth/shared_middleware.py

@@ -92,7 +92,10 @@ def _get_request_path(request: Request) -> str:
 
     This ensures public routes in manifests (which are relative paths like "/")
     match correctly when apps are mounted at prefixes like "/auth-hub".
+
+    SECURITY: Normalizes and validates paths to prevent path traversal attacks.
     """
+
     # Check if this is a mounted app with a path prefix
     app_base_path = getattr(request.state, "app_base_path", None)
     # Ensure app_base_path is a string (not a MagicMock in tests)
@@ -102,21 +105,78 @@ def _get_request_path(request: Request) -> str:
         if url_path and url_path.startswith(app_base_path):
             # Strip the path prefix to get relative path
             relative_path = url_path[len(app_base_path) :]
+            # Normalize and sanitize path to prevent traversal attacks
+            relative_path = _normalize_path(relative_path)
             # Ensure path starts with / (handle case where prefix is entire path)
             return relative_path if relative_path else "/"
 
     # Fall back to scope["path"] for mounted apps (if available)
     # This handles cases where Starlette/FastAPI sets it correctly
     if "path" in request.scope:
-        return request.scope["path"]
+        return _normalize_path(request.scope["path"])
 
     # Default to url.path for non-mounted apps
     # Ensure we return a string
     if hasattr(request.url, "path"):
-        return str(request.url.path)
+        return _normalize_path(str(request.url.path))
     return "/"
 
 
+def _normalize_path(path: str) -> str:
+    """
+    Normalize and sanitize a path to prevent path traversal attacks.
+
+    Args:
+        path: Raw path string
+
+    Returns:
+        Normalized path starting with /
+    """
+    from pathlib import PurePath
+    from urllib.parse import unquote
+
+    if not path:
+        return "/"
+
+    # Preserve trailing slash (except for root)
+    has_trailing_slash = path.endswith("/") and path != "/"
+
+    # Decode URL encoding
+    try:
+        decoded = unquote(path)
+    except (ValueError, UnicodeDecodeError):
+        # If decoding fails, use original path
+        decoded = path
+
+    # Normalize path separators and resolve relative components
+    try:
+        # Use PurePath to normalize without accessing filesystem
+        normalized = PurePath(decoded).as_posix()
+    except (ValueError, TypeError):
+        # If normalization fails, use decoded path
+        normalized = decoded
+
+    # Reject path traversal attempts
+    if ".." in normalized or normalized.startswith("/") and normalized != "/":
+        # Check if it's a legitimate absolute path (starts with /)
+        if normalized.startswith("/") and ".." not in normalized:
+            # Valid absolute path
+            pass
+        else:
+            logger.warning(f"Path traversal attempt detected: {path} -> {normalized}")
+            return "/"  # Return root path for safety
+
+    # Ensure path starts with /
+    if not normalized.startswith("/"):
+        normalized = "/" + normalized
+
+    # Restore trailing slash if it was present (except for root)
+    if has_trailing_slash and normalized != "/" and not normalized.endswith("/"):
+        normalized = normalized + "/"
+
+    return normalized
+
+
 class SharedAuthMiddleware(BaseHTTPMiddleware):
     """
     Middleware for shared authentication across multi-app deployments.
@@ -142,6 +202,7 @@ class SharedAuthMiddleware(BaseHTTPMiddleware):
         public_routes: list[str] | None = None,
         role_hierarchy: dict[str, list[str]] | None = None,
         session_binding: dict[str, Any] | None = None,
+        auto_assign_default_role: bool = False,
         cookie_name: str = AUTH_COOKIE_NAME,
         header_name: str = AUTH_HEADER_NAME,
         header_prefix: str = AUTH_HEADER_PREFIX,
@@ -161,6 +222,10 @@ class SharedAuthMiddleware(BaseHTTPMiddleware):
                 - bind_ip: Strict - reject if IP changes
                 - bind_fingerprint: Soft - log warning if fingerprint changes
                 - allow_ip_change_with_reauth: Allow IP change on re-authentication
+            auto_assign_default_role: If True, automatically assign require_role to users
+                                     with no roles for this app (default: False).
+                                     SECURITY: Only enable if explicitly needed - requires
+                                     default_role in manifest to match require_role.
             cookie_name: Name of auth cookie (default: mdb_auth_token)
             header_name: Name of auth header (default: Authorization)
             header_prefix: Prefix for header value (default: "Bearer ")
@@ -172,6 +237,7 @@ class SharedAuthMiddleware(BaseHTTPMiddleware):
         self._public_routes = public_routes or []
         self._role_hierarchy = role_hierarchy
         self._session_binding = session_binding or {}
+        self._auto_assign_default_role = auto_assign_default_role
         self._cookie_name = cookie_name
         self._header_name = header_name
         self._header_prefix = header_prefix
@@ -249,11 +315,10 @@ class SharedAuthMiddleware(BaseHTTPMiddleware):
             )
 
             if not has_required_role:
-                # Auto-assign required role if user has no roles for this app
-                # This is a fallback for SSO scenarios where users might be authenticated
-                # but not yet assigned roles. Only do this if they have NO roles (not if
-                # they have other roles but not the required one - prevents privilege escalation).
-                if not user_roles:
+                # Auto-assign required role ONLY if explicitly enabled and user has no roles
+                # SECURITY: This is opt-in to prevent privilege escalation. Only enable if
+                # explicitly needed and default_role matches require_role in manifest.
+                if not user_roles and self._auto_assign_default_role:
                     user_email = user.get("email")
                     if user_email:
                         try:
@@ -269,7 +334,8 @@ class SharedAuthMiddleware(BaseHTTPMiddleware):
                                     request.state.user_roles = [self._require_role]
                                     logger.info(
                                         f"Auto-assigned role '{self._require_role}' to user "
-                                        f"{user_email} for app '{self._app_slug}'"
+                                        f"{user_email} for app '{self._app_slug}' "
+                                        f"(auto_assign_default_role enabled)"
                                     )
                                 else:
                                     logger.warning(
@@ -327,17 +393,29 @@ class SharedAuthMiddleware(BaseHTTPMiddleware):
                         logger.warning(f"Session IP mismatch: token={token_ip}, client={client_ip}")
                         return "Session bound to different IP address"
 
-            # Check fingerprint binding (soft check - just warn)
-            if self._session_binding.get("bind_fingerprint", True):
+            # Check fingerprint binding (strict by default for security)
+            bind_fingerprint = self._session_binding.get("bind_fingerprint", True)
+            strict_fingerprint = self._session_binding.get(
+                "strict_fingerprint", True
+            )  # Default: strict
+            if bind_fingerprint:
                 token_fp = payload.get("fp")
                 if token_fp:
                     client_fp = _compute_fingerprint(request)
                     if client_fp != token_fp:
-                        logger.warning(
-                            f"Session fingerprint mismatch for user {payload.get('email')}"
-                        )
-                        # Soft check - don't reject, just log
-                        # Could be legitimate (browser update, different device)
+                        if strict_fingerprint:
+                            logger.warning(
+                                f"Session fingerprint mismatch for user {payload.get('email')} - "
+                                f"rejecting request (strict_fingerprint=True)"
+                            )
+                            return "Session bound to different device/fingerprint"
+                        else:
+                            logger.warning(
+                                f"Session fingerprint mismatch for user {payload.get('email')} - "
+                                f"allowing (strict_fingerprint=False)"
+                            )
+                            # Soft check - don't reject, just log
+                            # Could be legitimate (browser update, different device)
 
             return None
 
@@ -421,6 +499,17 @@ def create_shared_auth_middleware(
     """
     require_role = manifest_auth.get("require_role")
     public_routes = manifest_auth.get("public_routes", [])
+    auto_assign_default_role = manifest_auth.get("auto_assign_default_role", False)
+    default_role = manifest_auth.get("default_role")
+
+    # Security: Only allow auto-assignment if default_role matches require_role
+    if auto_assign_default_role and require_role and default_role != require_role:
+        logger.warning(
+            f"Security: auto_assign_default_role enabled but default_role '{default_role}' "
+            f"does not match require_role '{require_role}' for app '{app_slug}'. "
+            f"Auto-assignment disabled for security."
+        )
+        auto_assign_default_role = False
 
     # Build role hierarchy from manifest if available
     role_hierarchy = None
@@ -443,6 +532,7 @@ def create_shared_auth_middleware(
                 require_role=require_role,
                 public_routes=public_routes,
                 role_hierarchy=role_hierarchy,
+                auto_assign_default_role=auto_assign_default_role,
             )
 
     return ConfiguredSharedAuthMiddleware
@@ -503,12 +593,13 @@ def _extract_token_helper(
     return None
 
 
-def _create_lazy_middleware_class(
+def _create_lazy_middleware_class(  # noqa: C901
     app_slug: str,
     require_role: str | None,
     public_routes: list[str],
     role_hierarchy: dict[str, list[str]] | None,
     session_binding: dict[str, Any],
+    auto_assign_default_role: bool = False,
 ) -> type:
     """Create the LazySharedAuthMiddleware class with configuration."""
 
@@ -527,6 +618,7 @@ def _create_lazy_middleware_class(
             self._public_routes = public_routes
             self._role_hierarchy = role_hierarchy
             self._session_binding = session_binding
+            self._auto_assign_default_role = auto_assign_default_role
             self._cookie_name = AUTH_COOKIE_NAME
             self._header_name = AUTH_HEADER_NAME
             self._header_prefix = AUTH_HEADER_PREFIX
@@ -681,8 +773,9 @@ def _create_lazy_middleware_class(
             if has_required_role:
                 return None
 
-            # Auto-assign required role if user has no roles for this app
-            if not user_roles:
+            # Auto-assign required role ONLY if explicitly enabled and user has no roles
+            # SECURITY: This is opt-in to prevent privilege escalation
+            if not user_roles and self._auto_assign_default_role:
                 await self._try_auto_assign_role(user, user_pool, request)
 
             # Check again after potential auto-assignment
@@ -707,10 +800,8 @@ def _create_lazy_middleware_class(
             """
             Attempt to auto-assign required role to user.
 
-            This is a fallback for SSO scenarios where users might be authenticated
-            but not yet assigned roles. Only do this if they have NO roles (not if
-            they have other roles but not the required one - prevents privilege
-            escalation).
+            SECURITY: Only called if auto_assign_default_role is enabled and user has
+            no roles. This prevents privilege escalation.
             """
             user_email = user.get("email")
             if not user_email:
@@ -729,7 +820,8 @@ def _create_lazy_middleware_class(
                         request.state.user_roles = [self._require_role]
                         logger.info(
                             f"Auto-assigned role '{self._require_role}' to user "
-                            f"{user_email} for app '{self._app_slug}'"
+                            f"{user_email} for app '{self._app_slug}' "
+                            f"(auto_assign_default_role enabled)"
                         )
                     else:
                         logger.warning(
@@ -769,8 +861,10 @@ def _create_lazy_middleware_class(
                 if ip_error:
                     return ip_error
 
-                # Check fingerprint binding (soft check - just warn)
-                self._check_fingerprint_binding(request, payload)
+                # Check fingerprint binding (strict by default)
+                fingerprint_error = await self._check_fingerprint_binding(request, payload)
+                if fingerprint_error:
+                    return fingerprint_error
 
                 return None
 
@@ -794,19 +888,38 @@ def _create_lazy_middleware_class(
 
             return None
 
-        def _check_fingerprint_binding(self, request: Request, payload: dict) -> None:
-            """Check fingerprint binding from token payload (soft check - just warn)."""
+        async def _check_fingerprint_binding(self, request: Request, payload: dict) -> str | None:
+            """
+            Check fingerprint binding from token payload.
+
+            Returns error message if validation fails, None if OK.
+            """
             if not self._session_binding.get("bind_fingerprint", True):
-                return
+                return None
 
             token_fp = payload.get("fp")
             if not token_fp:
-                return
+                return None
 
+            strict_fingerprint = self._session_binding.get(
+                "strict_fingerprint", True
+            )  # Default: strict
             client_fp = _compute_fingerprint(request)
             if client_fp != token_fp:
-                logger.warning(f"Session fingerprint mismatch for user {payload.get('email')}")
-                # Soft check - don't reject, just log
+                if strict_fingerprint:
+                    logger.warning(
+                        f"Session fingerprint mismatch for user {payload.get('email')} - "
+                        f"rejecting request (strict_fingerprint=True)"
+                    )
+                    return "Session bound to different device/fingerprint"
+                else:
+                    logger.warning(
+                        f"Session fingerprint mismatch for user {payload.get('email')} - "
+                        f"allowing (strict_fingerprint=False)"
+                    )
+                    # Soft check - don't reject, just log
+                    return None
+            return None
 
     return LazySharedAuthMiddleware
 
@@ -839,9 +952,26 @@ def create_shared_auth_middleware_lazy(
     """
     require_role = manifest_auth.get("require_role")
     public_routes = manifest_auth.get("public_routes", [])
+    auto_assign_default_role = manifest_auth.get("auto_assign_default_role", False)
+    default_role = manifest_auth.get("default_role")
+
+    # Security: Only allow auto-assignment if default_role matches require_role
+    if auto_assign_default_role and require_role and default_role != require_role:
+        logger.warning(
+            f"Security: auto_assign_default_role enabled but default_role '{default_role}' "
+            f"does not match require_role '{require_role}' for app '{app_slug}'. "
+            f"Auto-assignment disabled for security."
+        )
+        auto_assign_default_role = False
+
     role_hierarchy = _build_role_hierarchy(manifest_auth)
     session_binding = manifest_auth.get("session_binding", {})
 
     return _create_lazy_middleware_class(
-        app_slug, require_role, public_routes, role_hierarchy, session_binding
+        app_slug,
+        require_role,
+        public_routes,
+        role_hierarchy,
+        session_binding,
+        auto_assign_default_role,
     )

mdb_engine/auth/shared_users.py

@@ -119,6 +119,7 @@ class SharedUserPool:
         jwt_algorithm: str = DEFAULT_JWT_ALGORITHM,
         token_expiry_hours: int = DEFAULT_TOKEN_EXPIRY_HOURS,
         allow_insecure_dev: bool = False,
+        blacklist_fail_closed: bool = True,
     ):
         """
         Initialize the shared user pool.
@@ -138,6 +139,9 @@ class SharedUserPool:
             token_expiry_hours: Token expiry in hours (default: 24)
             allow_insecure_dev: Allow insecure auto-generated secret for local
                                development only. NEVER use in production!
+            blacklist_fail_closed: If True (default), reject tokens when blacklist check
+                                  fails (secure). If False, allow tokens when check fails
+                                  (availability). SECURITY: Default is True for security.
 
         Raises:
             JWTSecretError: If no JWT secret is provided and allow_insecure_dev=False
@@ -146,6 +150,7 @@ class SharedUserPool:
         self._db = mongo_db
         self._collection = mongo_db[SHARED_USERS_COLLECTION]
         self._blacklist_collection = mongo_db[TOKEN_BLACKLIST_COLLECTION]
+        self._blacklist_fail_closed = blacklist_fail_closed
 
         # Validate algorithm
         if jwt_algorithm not in SUPPORTED_ALGORITHMS:
@@ -453,8 +458,19 @@ class SharedUserPool:
             return False
         except PyMongoError as e:
             logger.exception(f"Error checking token blacklist: {e}")
-            # Fail open for availability (can be changed to fail closed for security)
-            return False
+            # Fail closed for security by default (reject token if we can't verify)
+            if self._blacklist_fail_closed:
+                logger.warning(
+                    "Token blacklist check failed - rejecting token for security "
+                    "(blacklist_fail_closed=True)"
+                )
+                return True  # Token IS revoked (reject access)
+            # Fail open only if explicitly configured (availability over security)
+            logger.warning(
+                "Token blacklist check failed - allowing token for availability "
+                "(blacklist_fail_closed=False). SECURITY RISK: Revoked tokens may be accepted."
+            )
+            return False  # Token NOT revoked (allow access)
 
     async def revoke_token(
         self,

mdb_engine/core/engine.py

@@ -155,6 +155,12 @@ class MongoDBEngine:
         # Store app token cache for auto-retrieval
         self._app_token_cache: dict[str, str] = {}
 
+        # Async lock for thread-safe shared user pool initialization
+        import asyncio
+
+        self._shared_user_pool_lock = asyncio.Lock()
+        self._shared_user_pool_initializing = False
+
     async def initialize(self) -> None:
         """
         Initialize the MongoDB Engine.
@@ -1960,9 +1966,26 @@ class MongoDBEngine:
                 )
 
         # State for parent app
-        mounted_apps: list[dict[str, Any]] = []
+        # Build initial mounted_apps metadata synchronously so get_mounted_apps() works
+        # immediately after create_multi_app() returns (before lifespan runs)
+        mounted_apps: list[dict[str, Any]] = [
+            {
+                "slug": app_config["slug"],
+                "path_prefix": app_config["path_prefix"],
+                "status": "pending",  # Will be updated in lifespan to "mounted" or "failed"
+                "manifest_path": str(app_config["manifest"]),
+            }
+            for app_config in apps
+        ]
         shared_user_pool_initialized = False
 
+        def _find_mounted_app_entry(slug: str) -> dict[str, Any] | None:
+            """Find mounted app entry by slug."""
+            for entry in mounted_apps:
+                if entry.get("slug") == slug:
+                    return entry
+            return None
+
         @asynccontextmanager
         async def lifespan(app: FastAPI):
             """Lifespan context manager for parent app."""
@@ -2133,14 +2156,25 @@ class MongoDBEngine:
 
                     # Mount child app at path prefix
                     app.mount(path_prefix, child_app)
-                    mounted_apps.append(
-                        {
-                            "slug": slug,
-                            "path_prefix": path_prefix,
-                            "status": "mounted",
-                            "manifest": app_manifest_data,
-                        }
-                    )
+                    # Update existing entry instead of appending
+                    entry = _find_mounted_app_entry(slug)
+                    if entry:
+                        entry.update(
+                            {
+                                "status": "mounted",
+                                "manifest": app_manifest_data,
+                            }
+                        )
+                    else:
+                        # Fallback: append if entry not found (shouldn't happen)
+                        mounted_apps.append(
+                            {
+                                "slug": slug,
+                                "path_prefix": path_prefix,
+                                "status": "mounted",
+                                "manifest": app_manifest_data,
+                            }
+                        )
                     logger.info(f"Mounted app '{slug}' at path prefix '{path_prefix}'")
 
                 except FileNotFoundError as e:
@@ -2149,15 +2183,26 @@ class MongoDBEngine:
                         f"manifest.json not found at {manifest_path}"
                     )
                     logger.error(error_msg, exc_info=True)
-                    mounted_apps.append(
-                        {
-                            "slug": slug,
-                            "path_prefix": path_prefix,
-                            "status": "failed",
-                            "error": error_msg,
-                            "manifest_path": str(manifest_path),
-                        }
-                    )
+                    # Update existing entry instead of appending
+                    entry = _find_mounted_app_entry(slug)
+                    if entry:
+                        entry.update(
+                            {
+                                "status": "failed",
+                                "error": error_msg,
+                            }
+                        )
+                    else:
+                        # Fallback: append if entry not found (shouldn't happen)
+                        mounted_apps.append(
+                            {
+                                "slug": slug,
+                                "path_prefix": path_prefix,
+                                "status": "failed",
+                                "error": error_msg,
+                                "manifest_path": str(manifest_path),
+                            }
+                        )
                     if strict:
                         raise ValueError(error_msg) from e
                     continue
@@ -2167,71 +2212,111 @@ class MongoDBEngine:
                         f"Invalid JSON in manifest.json at {manifest_path}: {e}"
                     )
                     logger.error(error_msg, exc_info=True)
-                    mounted_apps.append(
-                        {
-                            "slug": slug,
-                            "path_prefix": path_prefix,
-                            "status": "failed",
-                            "error": error_msg,
-                            "manifest_path": str(manifest_path),
-                        }
-                    )
+                    # Update existing entry instead of appending
+                    entry = _find_mounted_app_entry(slug)
+                    if entry:
+                        entry.update(
+                            {
+                                "status": "failed",
+                                "error": error_msg,
+                            }
+                        )
+                    else:
+                        # Fallback: append if entry not found (shouldn't happen)
+                        mounted_apps.append(
+                            {
+                                "slug": slug,
+                                "path_prefix": path_prefix,
+                                "status": "failed",
+                                "error": error_msg,
+                                "manifest_path": str(manifest_path),
+                            }
+                        )
                     if strict:
                         raise ValueError(error_msg) from e
                     continue
                 except ValueError as e:
                     error_msg = f"Failed to mount app '{slug}' at {path_prefix}: {e}"
                     logger.error(error_msg, exc_info=True)
-                    mounted_apps.append(
-                        {
-                            "slug": slug,
-                            "path_prefix": path_prefix,
-                            "status": "failed",
-                            "error": error_msg,
-                            "manifest_path": str(manifest_path),
-                        }
-                    )
+                    # Update existing entry instead of appending
+                    entry = _find_mounted_app_entry(slug)
+                    if entry:
+                        entry.update(
+                            {
+                                "status": "failed",
+                                "error": error_msg,
+                            }
+                        )
+                    else:
+                        # Fallback: append if entry not found (shouldn't happen)
+                        mounted_apps.append(
+                            {
+                                "slug": slug,
+                                "path_prefix": path_prefix,
+                                "status": "failed",
+                                "error": error_msg,
+                                "manifest_path": str(manifest_path),
+                            }
+                        )
                     if strict:
                         raise ValueError(error_msg) from e
                     continue
                 except (KeyError, RuntimeError) as e:
                     error_msg = f"Failed to mount app '{slug}' at {path_prefix}: {e}"
                     logger.error(error_msg, exc_info=True)
-                    mounted_apps.append(
-                        {
-                            "slug": slug,
-                            "path_prefix": path_prefix,
-                            "status": "failed",
-                            "error": error_msg,
-                            "manifest_path": str(manifest_path),
-                        }
-                    )
+                    # Update existing entry instead of appending
+                    entry = _find_mounted_app_entry(slug)
+                    if entry:
+                        entry.update(
+                            {
+                                "status": "failed",
+                                "error": error_msg,
+                            }
+                        )
+                    else:
+                        # Fallback: append if entry not found (shouldn't happen)
+                        mounted_apps.append(
+                            {
+                                "slug": slug,
+                                "path_prefix": path_prefix,
+                                "status": "failed",
+                                "error": error_msg,
+                                "manifest_path": str(manifest_path),
+                            }
+                        )
                     if strict:
                         raise RuntimeError(error_msg) from e
                     continue
                 except (OSError, PermissionError, ImportError, AttributeError, TypeError) as e:
                     error_msg = f"Unexpected error mounting app '{slug}' at {path_prefix}: {e}"
                     logger.error(error_msg, exc_info=True)
-                    mounted_apps.append(
-                        {
-                            "slug": slug,
-                            "path_prefix": path_prefix,
-                            "status": "failed",
-                            "error": error_msg,
-                            "manifest_path": str(manifest_path),
-                        }
-                    )
+                    # Update existing entry instead of appending
+                    entry = _find_mounted_app_entry(slug)
+                    if entry:
+                        entry.update(
+                            {
+                                "status": "failed",
+                                "error": error_msg,
+                            }
+                        )
+                    else:
+                        # Fallback: append if entry not found (shouldn't happen)
+                        mounted_apps.append(
+                            {
+                                "slug": slug,
+                                "path_prefix": path_prefix,
+                                "status": "failed",
+                                "error": error_msg,
+                                "manifest_path": str(manifest_path),
+                            }
+                        )
                     if strict:
                         raise RuntimeError(error_msg) from e
                     continue
 
-            # Expose engine and mounted apps info on parent app state
-            app.state.engine = engine
+            # Update app.state.mounted_apps with final status (entries already updated in place)
+            # This ensures the state reflects the final mounted_apps list
             app.state.mounted_apps = mounted_apps
-            app.state.is_multi_app = True
-
-            # Store app reference in engine for get_mounted_apps()
-            engine._multi_app_instance = app
 
             yield
 
@@ -2241,6 +2326,14 @@ class MongoDBEngine:
         # Create parent FastAPI app
         parent_app = FastAPI(title=title, lifespan=lifespan, root_path=root_path, **fastapi_kwargs)
 
+        # Set mounted_apps immediately so get_mounted_apps() works before lifespan runs
+        parent_app.state.mounted_apps = mounted_apps
+        parent_app.state.is_multi_app = True
+        parent_app.state.engine = engine
+
+        # Store app reference in engine for get_mounted_apps()
+        engine._multi_app_instance = parent_app
+
         # Add request scope middleware
         from starlette.middleware.base import BaseHTTPMiddleware
 
@@ -2629,17 +2722,41 @@ class MongoDBEngine:
             or os.getenv("DEBUG", "").lower() in ("true", "1", "yes")
         )
 
-        # Create or get shared user pool
-        if not hasattr(self, "_shared_user_pool") or self._shared_user_pool is None:
-            self._shared_user_pool = SharedUserPool(
-                self._connection_manager.mongo_db,
-                allow_insecure_dev=is_dev,
-            )
-            await self._shared_user_pool.ensure_indexes()
-            logger.info("SharedUserPool initialized")
+        # Thread-safe initialization with async lock to prevent race conditions
+        async with self._shared_user_pool_lock:
+            # Check if another coroutine is initializing
+            if self._shared_user_pool_initializing:
+                # Wait for other initialization to complete
+                while self._shared_user_pool_initializing:
+                    import asyncio
+
+                    await asyncio.sleep(0.01)  # Small delay to avoid busy-waiting
+                # After waiting, check if pool was initialized
+                if hasattr(self, "_shared_user_pool") and self._shared_user_pool is not None:
+                    app.state.user_pool = self._shared_user_pool
+                    return
+
+            # Check if already initialized (double-check pattern)
+            if hasattr(self, "_shared_user_pool") and self._shared_user_pool is not None:
+                app.state.user_pool = self._shared_user_pool
+                return
 
-        # Expose user pool on app.state for middleware to access
-        app.state.user_pool = self._shared_user_pool
+            # Mark as initializing
+            self._shared_user_pool_initializing = True
+            try:
+                # Create shared user pool
+                self._shared_user_pool = SharedUserPool(
+                    self._connection_manager.mongo_db,
+                    allow_insecure_dev=is_dev,
+                )
+                await self._shared_user_pool.ensure_indexes()
+                logger.info("SharedUserPool initialized")
+
+                # Expose user pool on app.state for middleware to access
+                app.state.user_pool = self._shared_user_pool
+            finally:
+                # Always clear the initializing flag
+                self._shared_user_pool_initializing = False
 
         # Seed demo users to SharedUserPool if configured in manifest
         if manifest:

{mdb_engine-0.4.1.dist-info → mdb_engine-0.4.2.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: mdb-engine
-Version: 0.4.1
+Version: 0.4.2
 Summary: MongoDB Engine
 Home-page: https://github.com/ranfysvalle02/mdb-engine
 Author: Fabian Valle

{mdb_engine-0.4.1.dist-info → mdb_engine-0.4.2.dist-info}/RECORD

@@ -1,5 +1,5 @@
 mdb_engine/README.md,sha256=T3EFGcPopY9LslYW3lxgG3hohWkAOmBNbYG0FDMUJiY,3502
-mdb_engine/__init__.py,sha256=hYVtAlyPN9kRthzuVQ5A_m-5IIh5Q4LJIyzOzUQtGE8,3172
+mdb_engine/__init__.py,sha256=6Uve36cIfvCcTfYTZEHKkZoD9sz4zw3Wfz76y0FEvUo,3242
 mdb_engine/config.py,sha256=DTAyxfKB8ogyI0v5QR9Y-SJOgXQr_eDBCKxNBSqEyLc,7269
 mdb_engine/constants.py,sha256=eaotvW57TVOg7rRbLziGrVNoP7adgw_G9iVByHezc_A,7837
 mdb_engine/dependencies.py,sha256=MJuYQhZ9ZGzXlip1ha5zba9Rvn04HDPWahJFJH81Q2s,14107
@@ -26,8 +26,8 @@ mdb_engine/auth/provider.py,sha256=FOSHn-jp4VYtxvmjnzho5kH6y-xDKWbcKUorYRRl1C4,2
 mdb_engine/auth/rate_limiter.py,sha256=l3EYZE1Kz9yVfZwNrKq_1AgdD7GXB1WOLSqqGQVSSgA,15808
 mdb_engine/auth/restrictions.py,sha256=tOyQBO_w0bK9zmTsOPZf9cbvh4oITvpNfSxIXt-XrcU,8824
 mdb_engine/auth/session_manager.py,sha256=ywWJjTarm-obgJ3zO3s-1cdqEYe0XrozlY00q_yMJ8I,15396
-mdb_engine/auth/shared_middleware.py,sha256=nOiswgK8ptx7zUG70YN7LQNhF8PSwwkM_atAO2CAzo4,32100
-mdb_engine/auth/shared_users.py,sha256=25OBks4VRHaYZW7R61vnplV7wmr7RRpDctSgnej_nxc,26773
+mdb_engine/auth/shared_middleware.py,sha256=0iSbRkwdivL1NIj7Gr161qPJiqcw0JafOpZLCkXjT7k,37633
+mdb_engine/auth/shared_users.py,sha256=KTc4D9zRaYaIVto7PqyWd5RT4J97cp6AnJ5i_PR_7eg,27775
 mdb_engine/auth/token_lifecycle.py,sha256=Q9S1X2Y6W7Ckt5PvyYXswBRh2Tg9DGpyRv_3Xve7VYQ,6708
 mdb_engine/auth/token_store.py,sha256=-B8j5RH5YEoKsswF4rnMoI51BaxMe4icke3kuehXmcI,9121
 mdb_engine/auth/users.py,sha256=t9Us2_A_wKOL9qy1O_SBwTvapAyNztn0v8padxJVq6A,49891
@@ -46,7 +46,7 @@ mdb_engine/core/app_registration.py,sha256=7szt2a7aBkpSppjmhdkkPPYMKGKo0MkLKZeEe
 mdb_engine/core/app_secrets.py,sha256=bo-syg9UUATibNyXEZs-0TTYWG-JaY-2S0yNSGA12n0,10524
 mdb_engine/core/connection.py,sha256=XnwuPG34pJ7kJGJ84T0mhj1UZ6_CLz_9qZf6NRYGIS8,8346
 mdb_engine/core/encryption.py,sha256=RZ5LPF5g28E3ZBn6v1IMw_oas7u9YGFtBcEj8lTi9LM,7515
-mdb_engine/core/engine.py,sha256=EH3vPgdJuNsg8JiIki4Auz1slrM8dA1WXwfOjPeuh8Y,118185
+mdb_engine/core/engine.py,sha256=ManZZUCGsI0mNlBKL7CxofX1L1tkJDNI4-8YHBKGYYk,123708
 mdb_engine/core/index_management.py,sha256=9-r7MIy3JnjQ35sGqsbj8K_I07vAUWtAVgSWC99lJcE,5555
 mdb_engine/core/manifest.py,sha256=jguhjVPAHMZGxOJcdSGouv9_XiKmxUjDmyjn2yXHCj4,139205
 mdb_engine/core/ray_integration.py,sha256=vexYOzztscvRYje1xTNmXJbi99oJxCaVJAwKfTNTF_E,13610
@@ -89,9 +89,9 @@ mdb_engine/routing/__init__.py,sha256=reupjHi_RTc2ZBA4AH5XzobAmqy4EQIsfSUcTkFknU
 mdb_engine/routing/websockets.py,sha256=3X4OjQv_Nln4UmeifJky0gFhMG8A6alR77I8g1iIOLY,29311
 mdb_engine/utils/__init__.py,sha256=lDxQSGqkV4fVw5TWIk6FA6_eey_ZnEtMY0fir3cpAe8,236
 mdb_engine/utils/mongo.py,sha256=Oqtv4tQdpiiZzrilGLEYQPo8Vmh8WsTQypxQs8Of53s,3369
-mdb_engine-0.4.1.dist-info/licenses/LICENSE,sha256=hIahDEOTzuHCU5J2nd07LWwkLW7Hko4UFO__ffsvB-8,34523
-mdb_engine-0.4.1.dist-info/METADATA,sha256=kyV21MMeAU9NF0MuVLYHWX6k1I-GIG01YZ45iNEZIj4,15810
-mdb_engine-0.4.1.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
-mdb_engine-0.4.1.dist-info/entry_points.txt,sha256=INCbYdFbBzJalwPwxliEzLmPfR57IvQ7RAXG_pn8cL8,48
-mdb_engine-0.4.1.dist-info/top_level.txt,sha256=PH0UEBwTtgkm2vWvC9He_EOMn7hVn_Wg_Jyc0SmeO8k,11
-mdb_engine-0.4.1.dist-info/RECORD,,
+mdb_engine-0.4.2.dist-info/licenses/LICENSE,sha256=hIahDEOTzuHCU5J2nd07LWwkLW7Hko4UFO__ffsvB-8,34523
+mdb_engine-0.4.2.dist-info/METADATA,sha256=1wI8au6nvUczKwC6e-MoS7fvqHv-TozwjswYSg5TT6w,15810
+mdb_engine-0.4.2.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
+mdb_engine-0.4.2.dist-info/entry_points.txt,sha256=INCbYdFbBzJalwPwxliEzLmPfR57IvQ7RAXG_pn8cL8,48
+mdb_engine-0.4.2.dist-info/top_level.txt,sha256=PH0UEBwTtgkm2vWvC9He_EOMn7hVn_Wg_Jyc0SmeO8k,11
+mdb_engine-0.4.2.dist-info/RECORD,,