mdb-engine 0.4.4__tar.gz → 0.4.6__tar.gz

{mdb_engine-0.4.4/mdb_engine.egg-info → mdb_engine-0.4.6}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: mdb-engine
-Version: 0.4.4
+Version: 0.4.6
 Summary: MongoDB Engine
 Home-page: https://github.com/ranfysvalle02/mdb-engine
 Author: Fabian Valle

{mdb_engine-0.4.4 → mdb_engine-0.4.6}/mdb_engine/auth/csrf.py

@@ -195,6 +195,62 @@ class CSRFMiddleware(BaseHTTPMiddleware):
                 return True
         return False
 
+    def _is_websocket_upgrade(self, request: Request) -> bool:
+        """Check if request is a WebSocket upgrade request."""
+        upgrade_header = request.headers.get("upgrade", "").lower()
+        return upgrade_header == "websocket"
+
+    def _get_allowed_origins(self, request: Request) -> list[str]:
+        """Get allowed origins from app state (CORS config) or use request host as fallback."""
+        try:
+            cors_config = getattr(request.app.state, "cors_config", None)
+            if cors_config and cors_config.get("allow_origins"):
+                return cors_config["allow_origins"]
+        except (AttributeError, TypeError, KeyError):
+            pass
+
+        try:
+            host = request.url.hostname
+            scheme = request.url.scheme
+            port = request.url.port
+            if port and port not in [80, 443]:
+                origin = f"{scheme}://{host}:{port}"
+            else:
+                origin = f"{scheme}://{host}"
+            return [origin]
+        except (AttributeError, TypeError):
+            return []
+
+    def _validate_websocket_origin(self, request: Request) -> bool:
+        """
+        Validate Origin header for WebSocket upgrade requests.
+
+        Primary defense against Cross-Site WebSocket Hijacking (CSWSH).
+        Returns True if Origin is valid, False otherwise.
+        """
+        origin = request.headers.get("origin")
+        if not origin:
+            logger.warning(f"WebSocket upgrade missing Origin header: {request.url.path}")
+            return False
+
+        allowed_origins = self._get_allowed_origins(request)
+
+        for allowed in allowed_origins:
+            if allowed == "*":
+                logger.warning(
+                    "WebSocket Origin validation using wildcard '*' - "
+                    "not recommended for production"
+                )
+                return True
+            if origin == allowed or origin.rstrip("/") == allowed.rstrip("/"):
+                return True
+
+        logger.warning(
+            f"WebSocket upgrade rejected - invalid Origin: {origin} "
+            f"(allowed: {allowed_origins})"
+        )
+        return False
+
     async def dispatch(
         self,
         request: Request,
@@ -206,7 +262,14 @@ class CSRFMiddleware(BaseHTTPMiddleware):
         path = request.url.path
         method = request.method
 
-        # Skip exempt routes
+        if self._is_websocket_upgrade(request):
+            if not self._validate_websocket_origin(request):
+                return JSONResponse(
+                    status_code=status.HTTP_403_FORBIDDEN,
+                    content={"detail": "Invalid origin for WebSocket connection"},
+                )
+            return await call_next(request)
+
         if self._is_exempt(path):
             return await call_next(request)
 

{mdb_engine-0.4.4 → mdb_engine-0.4.6}/mdb_engine/core/engine.py

@@ -2252,6 +2252,12 @@ class MongoDBEngine:
                         on_shutdown=on_shutdown,
                     )
 
+                    # CRITICAL: Set engine state BEFORE importing routes
+                    # Routes may use dependencies that need request.app.state.engine
+                    # This must be set before route decorators execute
+                    child_app.state.engine = engine
+                    child_app.state.app_slug = slug
+
                     # Automatically import routes from app module
                     # This discovers and imports route modules (web.py, routes.py, etc.)
                     # so that route decorators are executed and routes are registered
@@ -2292,10 +2298,8 @@ class MongoDBEngine:
                         auth_hub_url = os.getenv("AUTH_HUB_URL", "/auth-hub")
 
                     # Store parent app reference and current app info for middleware
+                    # Note: engine and app_slug are already set above (before route import)
                     child_app.state.parent_app = app
-                    child_app.state.app_slug = slug
-                    # Required for get_scoped_db and other dependencies
-                    child_app.state.engine = engine
                     child_app.state.app_base_path = path_prefix
                     child_app.state.app_auth_hub_url = auth_hub_url
                     child_app.state.app_manifest = app_manifest_data

{mdb_engine-0.4.4 → mdb_engine-0.4.6/mdb_engine.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: mdb-engine
-Version: 0.4.4
+Version: 0.4.6
 Summary: MongoDB Engine
 Home-page: https://github.com/ranfysvalle02/mdb-engine
 Author: Fabian Valle

{mdb_engine-0.4.4 → mdb_engine-0.4.6}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "mdb-engine"
-version = "0.4.4"
+version = "0.4.6"
 description = "MongoDB Engine"
 readme = "README.md"
 requires-python = ">=3.10"