mdb-engine 0.4.5__py3-none-any.whl → 0.4.8__py3-none-any.whl

mdb_engine/__init__.py

@@ -82,8 +82,8 @@ from .repositories import Entity, MongoRepository, Repository, UnitOfWork
 from .utils import clean_mongo_doc, clean_mongo_docs
 
 __version__ = (
-    "0.4.3"  # Feature: Automatic route import for multi-app deployments
-    # Routes from web.py/routes.py are now automatically imported when using create_multi_app()
+    "0.4.8"  # Fix: WebSocket routes now work correctly with mounted apps
+    # WebSocket routes are registered on parent app with full mount path prefix
 )
 
 __all__ = [

mdb_engine/auth/csrf.py

@@ -195,6 +195,62 @@ class CSRFMiddleware(BaseHTTPMiddleware):
                 return True
         return False
 
+    def _is_websocket_upgrade(self, request: Request) -> bool:
+        """Check if request is a WebSocket upgrade request."""
+        upgrade_header = request.headers.get("upgrade", "").lower()
+        return upgrade_header == "websocket"
+
+    def _get_allowed_origins(self, request: Request) -> list[str]:
+        """Get allowed origins from app state (CORS config) or use request host as fallback."""
+        try:
+            cors_config = getattr(request.app.state, "cors_config", None)
+            if cors_config and cors_config.get("allow_origins"):
+                return cors_config["allow_origins"]
+        except (AttributeError, TypeError, KeyError):
+            pass
+
+        try:
+            host = request.url.hostname
+            scheme = request.url.scheme
+            port = request.url.port
+            if port and port not in [80, 443]:
+                origin = f"{scheme}://{host}:{port}"
+            else:
+                origin = f"{scheme}://{host}"
+            return [origin]
+        except (AttributeError, TypeError):
+            return []
+
+    def _validate_websocket_origin(self, request: Request) -> bool:
+        """
+        Validate Origin header for WebSocket upgrade requests.
+
+        Primary defense against Cross-Site WebSocket Hijacking (CSWSH).
+        Returns True if Origin is valid, False otherwise.
+        """
+        origin = request.headers.get("origin")
+        if not origin:
+            logger.warning(f"WebSocket upgrade missing Origin header: {request.url.path}")
+            return False
+
+        allowed_origins = self._get_allowed_origins(request)
+
+        for allowed in allowed_origins:
+            if allowed == "*":
+                logger.warning(
+                    "WebSocket Origin validation using wildcard '*' - "
+                    "not recommended for production"
+                )
+                return True
+            if origin == allowed or origin.rstrip("/") == allowed.rstrip("/"):
+                return True
+
+        logger.warning(
+            f"WebSocket upgrade rejected - invalid Origin: {origin} "
+            f"(allowed: {allowed_origins})"
+        )
+        return False
+
     async def dispatch(
         self,
         request: Request,
@@ -206,7 +262,14 @@ class CSRFMiddleware(BaseHTTPMiddleware):
         path = request.url.path
         method = request.method
 
-        # Skip exempt routes
+        if self._is_websocket_upgrade(request):
+            if not self._validate_websocket_origin(request):
+                return JSONResponse(
+                    status_code=status.HTTP_403_FORBIDDEN,
+                    content={"detail": "Invalid origin for WebSocket connection"},
+                )
+            return await call_next(request)
+
         if self._is_exempt(path):
             return await call_next(request)
 

mdb_engine/core/engine.py

@@ -2375,6 +2375,73 @@ class MongoDBEngine:
 
                     # Mount child app at path prefix
                     app.mount(path_prefix, child_app)
+
+                    # CRITICAL FIX: Register WebSocket routes on parent app with full path
+                    # FastAPI's app.mount() doesn't handle WebSocket routes correctly,
+                    # so we need to register them on the parent app with the mount prefix
+                    # Get WebSocket config from manifest directly (app registration happens
+                    # asynchronously in lifespan, so config may not be available yet)
+                    websockets_config = app_manifest_data.get("websockets")
+                    if websockets_config:
+                        try:
+                            from fastapi import APIRouter
+
+                            from ..routing.websockets import create_websocket_endpoint
+
+                            for endpoint_name, endpoint_config in websockets_config.items():
+                                ws_path = endpoint_config.get("path", f"/{endpoint_name}")
+                                # Combine mount prefix with WebSocket path
+                                full_ws_path = f"{path_prefix.rstrip('/')}{ws_path}"
+
+                                # Handle auth configuration
+                                auth_config = endpoint_config.get("auth", {})
+                                if isinstance(auth_config, dict) and "required" in auth_config:
+                                    require_auth = auth_config.get("required", True)
+                                elif "require_auth" in endpoint_config:
+                                    require_auth = endpoint_config.get("require_auth", True)
+                                else:
+                                    # Use app's auth_policy if available
+                                    if "auth_policy" in app_manifest_data:
+                                        require_auth = app_manifest_data["auth_policy"].get(
+                                            "required", True
+                                        )
+                                    else:
+                                        require_auth = True
+
+                                ping_interval = endpoint_config.get("ping_interval", 30)
+
+                                # Create WebSocket handler
+                                # Use original path for handler (mount handled internally)
+                                handler = create_websocket_endpoint(
+                                    app_slug=slug,
+                                    path=ws_path,
+                                    endpoint_name=endpoint_name,
+                                    handler=None,
+                                    require_auth=require_auth,
+                                    ping_interval=ping_interval,
+                                )
+
+                                # Register on parent app with full path
+                                ws_router = APIRouter()
+                                ws_router.websocket(full_ws_path)(handler)
+                                app.include_router(ws_router)
+
+                                logger.info(
+                                    f"✅ Registered WebSocket route '{full_ws_path}' "
+                                    f"for mounted app '{slug}' (mounted at '{path_prefix}')"
+                                )
+                        except ImportError:
+                            logger.warning(
+                                f"WebSocket support not available - skipping WebSocket routes "
+                                f"for mounted app '{slug}'"
+                            )
+                        except (ValueError, TypeError, AttributeError, RuntimeError) as e:
+                            logger.error(
+                                f"Failed to register WebSocket routes for mounted app "
+                                f"'{slug}': {e}",
+                                exc_info=True,
+                            )
+
                     # Update existing entry instead of appending
                     entry = _find_mounted_app_entry(slug)
                     if entry:

{mdb_engine-0.4.5.dist-info → mdb_engine-0.4.8.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: mdb-engine
-Version: 0.4.5
+Version: 0.4.8
 Summary: MongoDB Engine
 Home-page: https://github.com/ranfysvalle02/mdb-engine
 Author: Fabian Valle

{mdb_engine-0.4.5.dist-info → mdb_engine-0.4.8.dist-info}/RECORD

@@ -1,5 +1,5 @@
 mdb_engine/README.md,sha256=T3EFGcPopY9LslYW3lxgG3hohWkAOmBNbYG0FDMUJiY,3502
-mdb_engine/__init__.py,sha256=Hm7dL74-37z0tXYLcgCV5f6CZ_ZDOaTACYw4N863OCA,3262
+mdb_engine/__init__.py,sha256=7zLdK6_1wi46ioNWkSwTdp8-hjVyu1KFVK5xqN1iqOE,3247
 mdb_engine/config.py,sha256=DTAyxfKB8ogyI0v5QR9Y-SJOgXQr_eDBCKxNBSqEyLc,7269
 mdb_engine/constants.py,sha256=eaotvW57TVOg7rRbLziGrVNoP7adgw_G9iVByHezc_A,7837
 mdb_engine/dependencies.py,sha256=MJuYQhZ9ZGzXlip1ha5zba9Rvn04HDPWahJFJH81Q2s,14107
@@ -14,7 +14,7 @@ mdb_engine/auth/casbin_models.py,sha256=7XtFmRBhhjw1nKprnluvjyJoTj5fzdPeQwVvo6fI
 mdb_engine/auth/config_defaults.py,sha256=1YI_hIHuTiEXpkEYMcufNHdLr1oxPiJylg3CKrJCSGY,2012
 mdb_engine/auth/config_helpers.py,sha256=Qharb2YagLOKDGtE7XhYRDbBoQ_KGykrcIKrsOwWIJ4,6303
 mdb_engine/auth/cookie_utils.py,sha256=j04qXq5GiJrnnJUAP5Z_N1CAFbx9CZiyF5u9xIiQ3vo,4876
-mdb_engine/auth/csrf.py,sha256=u6lhb3YighSaGsmFTkHt2ohHUYnBDdSU4dCBFiH_gYI,12440
+mdb_engine/auth/csrf.py,sha256=Xt_u4V8QXxsCS6KPh5Q54pN5BTbvWMBdJW-CFmBQtEY,14916
 mdb_engine/auth/decorators.py,sha256=LkVVEuRrT0Iz8EwctN14BEi3fSV-xtN6DaGXgtbiYYo,12287
 mdb_engine/auth/dependencies.py,sha256=JB1iYvZJgTR6gcaiGe_GJFCS6NdUKMxWBZRv6vVxnzw,27112
 mdb_engine/auth/helpers.py,sha256=BCrid985cYh-3h5ZMUV9TES0q40uJXio4oYKQZta7KA,1970
@@ -46,7 +46,7 @@ mdb_engine/core/app_registration.py,sha256=7szt2a7aBkpSppjmhdkkPPYMKGKo0MkLKZeEe
 mdb_engine/core/app_secrets.py,sha256=bo-syg9UUATibNyXEZs-0TTYWG-JaY-2S0yNSGA12n0,10524
 mdb_engine/core/connection.py,sha256=XnwuPG34pJ7kJGJ84T0mhj1UZ6_CLz_9qZf6NRYGIS8,8346
 mdb_engine/core/encryption.py,sha256=RZ5LPF5g28E3ZBn6v1IMw_oas7u9YGFtBcEj8lTi9LM,7515
-mdb_engine/core/engine.py,sha256=uknOG_98LIkmgwTUAnm_8ue-S8pWs3XjMZKa9oDAIxM,133799
+mdb_engine/core/engine.py,sha256=vSHQT-ZWTD4tpcodvnCUn5CDCElpL4__i6-l7_4HwTg,137691
 mdb_engine/core/index_management.py,sha256=9-r7MIy3JnjQ35sGqsbj8K_I07vAUWtAVgSWC99lJcE,5555
 mdb_engine/core/manifest.py,sha256=jguhjVPAHMZGxOJcdSGouv9_XiKmxUjDmyjn2yXHCj4,139205
 mdb_engine/core/ray_integration.py,sha256=vexYOzztscvRYje1xTNmXJbi99oJxCaVJAwKfTNTF_E,13610
@@ -89,9 +89,9 @@ mdb_engine/routing/__init__.py,sha256=reupjHi_RTc2ZBA4AH5XzobAmqy4EQIsfSUcTkFknU
 mdb_engine/routing/websockets.py,sha256=3X4OjQv_Nln4UmeifJky0gFhMG8A6alR77I8g1iIOLY,29311
 mdb_engine/utils/__init__.py,sha256=lDxQSGqkV4fVw5TWIk6FA6_eey_ZnEtMY0fir3cpAe8,236
 mdb_engine/utils/mongo.py,sha256=Oqtv4tQdpiiZzrilGLEYQPo8Vmh8WsTQypxQs8Of53s,3369
-mdb_engine-0.4.5.dist-info/licenses/LICENSE,sha256=hIahDEOTzuHCU5J2nd07LWwkLW7Hko4UFO__ffsvB-8,34523
-mdb_engine-0.4.5.dist-info/METADATA,sha256=MYepAL2DmfIy6r5F3tQVVkaikMounBAqvHbXMUvukkU,15810
-mdb_engine-0.4.5.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
-mdb_engine-0.4.5.dist-info/entry_points.txt,sha256=INCbYdFbBzJalwPwxliEzLmPfR57IvQ7RAXG_pn8cL8,48
-mdb_engine-0.4.5.dist-info/top_level.txt,sha256=PH0UEBwTtgkm2vWvC9He_EOMn7hVn_Wg_Jyc0SmeO8k,11
-mdb_engine-0.4.5.dist-info/RECORD,,
+mdb_engine-0.4.8.dist-info/licenses/LICENSE,sha256=hIahDEOTzuHCU5J2nd07LWwkLW7Hko4UFO__ffsvB-8,34523
+mdb_engine-0.4.8.dist-info/METADATA,sha256=lQYaHnEn84QZ_RvPLl5AfcXrKw2nEH2le519x7SnNB8,15810
+mdb_engine-0.4.8.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
+mdb_engine-0.4.8.dist-info/entry_points.txt,sha256=INCbYdFbBzJalwPwxliEzLmPfR57IvQ7RAXG_pn8cL8,48
+mdb_engine-0.4.8.dist-info/top_level.txt,sha256=PH0UEBwTtgkm2vWvC9He_EOMn7hVn_Wg_Jyc0SmeO8k,11
+mdb_engine-0.4.8.dist-info/RECORD,,