mdb-engine 0.4.5__py3-none-any.whl → 0.4.6__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- mdb_engine/auth/csrf.py +64 -1
- {mdb_engine-0.4.5.dist-info → mdb_engine-0.4.6.dist-info}/METADATA +1 -1
- {mdb_engine-0.4.5.dist-info → mdb_engine-0.4.6.dist-info}/RECORD +7 -7
- {mdb_engine-0.4.5.dist-info → mdb_engine-0.4.6.dist-info}/WHEEL +0 -0
- {mdb_engine-0.4.5.dist-info → mdb_engine-0.4.6.dist-info}/entry_points.txt +0 -0
- {mdb_engine-0.4.5.dist-info → mdb_engine-0.4.6.dist-info}/licenses/LICENSE +0 -0
- {mdb_engine-0.4.5.dist-info → mdb_engine-0.4.6.dist-info}/top_level.txt +0 -0
mdb_engine/auth/csrf.py
CHANGED
|
@@ -195,6 +195,62 @@ class CSRFMiddleware(BaseHTTPMiddleware):
|
|
|
195
195
|
return True
|
|
196
196
|
return False
|
|
197
197
|
|
|
198
|
+
def _is_websocket_upgrade(self, request: Request) -> bool:
|
|
199
|
+
"""Check if request is a WebSocket upgrade request."""
|
|
200
|
+
upgrade_header = request.headers.get("upgrade", "").lower()
|
|
201
|
+
return upgrade_header == "websocket"
|
|
202
|
+
|
|
203
|
+
def _get_allowed_origins(self, request: Request) -> list[str]:
|
|
204
|
+
"""Get allowed origins from app state (CORS config) or use request host as fallback."""
|
|
205
|
+
try:
|
|
206
|
+
cors_config = getattr(request.app.state, "cors_config", None)
|
|
207
|
+
if cors_config and cors_config.get("allow_origins"):
|
|
208
|
+
return cors_config["allow_origins"]
|
|
209
|
+
except (AttributeError, TypeError, KeyError):
|
|
210
|
+
pass
|
|
211
|
+
|
|
212
|
+
try:
|
|
213
|
+
host = request.url.hostname
|
|
214
|
+
scheme = request.url.scheme
|
|
215
|
+
port = request.url.port
|
|
216
|
+
if port and port not in [80, 443]:
|
|
217
|
+
origin = f"{scheme}://{host}:{port}"
|
|
218
|
+
else:
|
|
219
|
+
origin = f"{scheme}://{host}"
|
|
220
|
+
return [origin]
|
|
221
|
+
except (AttributeError, TypeError):
|
|
222
|
+
return []
|
|
223
|
+
|
|
224
|
+
def _validate_websocket_origin(self, request: Request) -> bool:
|
|
225
|
+
"""
|
|
226
|
+
Validate Origin header for WebSocket upgrade requests.
|
|
227
|
+
|
|
228
|
+
Primary defense against Cross-Site WebSocket Hijacking (CSWSH).
|
|
229
|
+
Returns True if Origin is valid, False otherwise.
|
|
230
|
+
"""
|
|
231
|
+
origin = request.headers.get("origin")
|
|
232
|
+
if not origin:
|
|
233
|
+
logger.warning(f"WebSocket upgrade missing Origin header: {request.url.path}")
|
|
234
|
+
return False
|
|
235
|
+
|
|
236
|
+
allowed_origins = self._get_allowed_origins(request)
|
|
237
|
+
|
|
238
|
+
for allowed in allowed_origins:
|
|
239
|
+
if allowed == "*":
|
|
240
|
+
logger.warning(
|
|
241
|
+
"WebSocket Origin validation using wildcard '*' - "
|
|
242
|
+
"not recommended for production"
|
|
243
|
+
)
|
|
244
|
+
return True
|
|
245
|
+
if origin == allowed or origin.rstrip("/") == allowed.rstrip("/"):
|
|
246
|
+
return True
|
|
247
|
+
|
|
248
|
+
logger.warning(
|
|
249
|
+
f"WebSocket upgrade rejected - invalid Origin: {origin} "
|
|
250
|
+
f"(allowed: {allowed_origins})"
|
|
251
|
+
)
|
|
252
|
+
return False
|
|
253
|
+
|
|
198
254
|
async def dispatch(
|
|
199
255
|
self,
|
|
200
256
|
request: Request,
|
|
@@ -206,7 +262,14 @@ class CSRFMiddleware(BaseHTTPMiddleware):
|
|
|
206
262
|
path = request.url.path
|
|
207
263
|
method = request.method
|
|
208
264
|
|
|
209
|
-
|
|
265
|
+
if self._is_websocket_upgrade(request):
|
|
266
|
+
if not self._validate_websocket_origin(request):
|
|
267
|
+
return JSONResponse(
|
|
268
|
+
status_code=status.HTTP_403_FORBIDDEN,
|
|
269
|
+
content={"detail": "Invalid origin for WebSocket connection"},
|
|
270
|
+
)
|
|
271
|
+
return await call_next(request)
|
|
272
|
+
|
|
210
273
|
if self._is_exempt(path):
|
|
211
274
|
return await call_next(request)
|
|
212
275
|
|
|
@@ -14,7 +14,7 @@ mdb_engine/auth/casbin_models.py,sha256=7XtFmRBhhjw1nKprnluvjyJoTj5fzdPeQwVvo6fI
|
|
|
14
14
|
mdb_engine/auth/config_defaults.py,sha256=1YI_hIHuTiEXpkEYMcufNHdLr1oxPiJylg3CKrJCSGY,2012
|
|
15
15
|
mdb_engine/auth/config_helpers.py,sha256=Qharb2YagLOKDGtE7XhYRDbBoQ_KGykrcIKrsOwWIJ4,6303
|
|
16
16
|
mdb_engine/auth/cookie_utils.py,sha256=j04qXq5GiJrnnJUAP5Z_N1CAFbx9CZiyF5u9xIiQ3vo,4876
|
|
17
|
-
mdb_engine/auth/csrf.py,sha256=
|
|
17
|
+
mdb_engine/auth/csrf.py,sha256=Xt_u4V8QXxsCS6KPh5Q54pN5BTbvWMBdJW-CFmBQtEY,14916
|
|
18
18
|
mdb_engine/auth/decorators.py,sha256=LkVVEuRrT0Iz8EwctN14BEi3fSV-xtN6DaGXgtbiYYo,12287
|
|
19
19
|
mdb_engine/auth/dependencies.py,sha256=JB1iYvZJgTR6gcaiGe_GJFCS6NdUKMxWBZRv6vVxnzw,27112
|
|
20
20
|
mdb_engine/auth/helpers.py,sha256=BCrid985cYh-3h5ZMUV9TES0q40uJXio4oYKQZta7KA,1970
|
|
@@ -89,9 +89,9 @@ mdb_engine/routing/__init__.py,sha256=reupjHi_RTc2ZBA4AH5XzobAmqy4EQIsfSUcTkFknU
|
|
|
89
89
|
mdb_engine/routing/websockets.py,sha256=3X4OjQv_Nln4UmeifJky0gFhMG8A6alR77I8g1iIOLY,29311
|
|
90
90
|
mdb_engine/utils/__init__.py,sha256=lDxQSGqkV4fVw5TWIk6FA6_eey_ZnEtMY0fir3cpAe8,236
|
|
91
91
|
mdb_engine/utils/mongo.py,sha256=Oqtv4tQdpiiZzrilGLEYQPo8Vmh8WsTQypxQs8Of53s,3369
|
|
92
|
-
mdb_engine-0.4.
|
|
93
|
-
mdb_engine-0.4.
|
|
94
|
-
mdb_engine-0.4.
|
|
95
|
-
mdb_engine-0.4.
|
|
96
|
-
mdb_engine-0.4.
|
|
97
|
-
mdb_engine-0.4.
|
|
92
|
+
mdb_engine-0.4.6.dist-info/licenses/LICENSE,sha256=hIahDEOTzuHCU5J2nd07LWwkLW7Hko4UFO__ffsvB-8,34523
|
|
93
|
+
mdb_engine-0.4.6.dist-info/METADATA,sha256=LJYFe_FP0gBUVt2uDSXtvS15Vp7qNQxe4WVrX8zsthY,15810
|
|
94
|
+
mdb_engine-0.4.6.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
|
|
95
|
+
mdb_engine-0.4.6.dist-info/entry_points.txt,sha256=INCbYdFbBzJalwPwxliEzLmPfR57IvQ7RAXG_pn8cL8,48
|
|
96
|
+
mdb_engine-0.4.6.dist-info/top_level.txt,sha256=PH0UEBwTtgkm2vWvC9He_EOMn7hVn_Wg_Jyc0SmeO8k,11
|
|
97
|
+
mdb_engine-0.4.6.dist-info/RECORD,,
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|