mdb-engine 0.4.5__tar.gz → 0.4.8__tar.gz

{mdb_engine-0.4.5/mdb_engine.egg-info → mdb_engine-0.4.8}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: mdb-engine
-Version: 0.4.5
+Version: 0.4.8
 Summary: MongoDB Engine
 Home-page: https://github.com/ranfysvalle02/mdb-engine
 Author: Fabian Valle

{mdb_engine-0.4.5 → mdb_engine-0.4.8}/mdb_engine/__init__.py

@@ -82,8 +82,8 @@ from .repositories import Entity, MongoRepository, Repository, UnitOfWork
 from .utils import clean_mongo_doc, clean_mongo_docs
 
 __version__ = (
-    "0.4.3"  # Feature: Automatic route import for multi-app deployments
-    # Routes from web.py/routes.py are now automatically imported when using create_multi_app()
+    "0.4.8"  # Fix: WebSocket routes now work correctly with mounted apps
+    # WebSocket routes are registered on parent app with full mount path prefix
 )
 
 __all__ = [

{mdb_engine-0.4.5 → mdb_engine-0.4.8}/mdb_engine/auth/csrf.py

@@ -195,6 +195,62 @@ class CSRFMiddleware(BaseHTTPMiddleware):
                 return True
         return False
 
+    def _is_websocket_upgrade(self, request: Request) -> bool:
+        """Check if request is a WebSocket upgrade request."""
+        upgrade_header = request.headers.get("upgrade", "").lower()
+        return upgrade_header == "websocket"
+
+    def _get_allowed_origins(self, request: Request) -> list[str]:
+        """Get allowed origins from app state (CORS config) or use request host as fallback."""
+        try:
+            cors_config = getattr(request.app.state, "cors_config", None)
+            if cors_config and cors_config.get("allow_origins"):
+                return cors_config["allow_origins"]
+        except (AttributeError, TypeError, KeyError):
+            pass
+
+        try:
+            host = request.url.hostname
+            scheme = request.url.scheme
+            port = request.url.port
+            if port and port not in [80, 443]:
+                origin = f"{scheme}://{host}:{port}"
+            else:
+                origin = f"{scheme}://{host}"
+            return [origin]
+        except (AttributeError, TypeError):
+            return []
+
+    def _validate_websocket_origin(self, request: Request) -> bool:
+        """
+        Validate Origin header for WebSocket upgrade requests.
+
+        Primary defense against Cross-Site WebSocket Hijacking (CSWSH).
+        Returns True if Origin is valid, False otherwise.
+        """
+        origin = request.headers.get("origin")
+        if not origin:
+            logger.warning(f"WebSocket upgrade missing Origin header: {request.url.path}")
+            return False
+
+        allowed_origins = self._get_allowed_origins(request)
+
+        for allowed in allowed_origins:
+            if allowed == "*":
+                logger.warning(
+                    "WebSocket Origin validation using wildcard '*' - "
+                    "not recommended for production"
+                )
+                return True
+            if origin == allowed or origin.rstrip("/") == allowed.rstrip("/"):
+                return True
+
+        logger.warning(
+            f"WebSocket upgrade rejected - invalid Origin: {origin} "
+            f"(allowed: {allowed_origins})"
+        )
+        return False
+
     async def dispatch(
         self,
         request: Request,
@@ -206,7 +262,14 @@ class CSRFMiddleware(BaseHTTPMiddleware):
         path = request.url.path
         method = request.method
 
-        # Skip exempt routes
+        if self._is_websocket_upgrade(request):
+            if not self._validate_websocket_origin(request):
+                return JSONResponse(
+                    status_code=status.HTTP_403_FORBIDDEN,
+                    content={"detail": "Invalid origin for WebSocket connection"},
+                )
+            return await call_next(request)
+
         if self._is_exempt(path):
             return await call_next(request)
 

{mdb_engine-0.4.5 → mdb_engine-0.4.8}/mdb_engine/core/engine.py

@@ -2375,6 +2375,73 @@ class MongoDBEngine:
 
                     # Mount child app at path prefix
                     app.mount(path_prefix, child_app)
+
+                    # CRITICAL FIX: Register WebSocket routes on parent app with full path
+                    # FastAPI's app.mount() doesn't handle WebSocket routes correctly,
+                    # so we need to register them on the parent app with the mount prefix
+                    # Get WebSocket config from manifest directly (app registration happens
+                    # asynchronously in lifespan, so config may not be available yet)
+                    websockets_config = app_manifest_data.get("websockets")
+                    if websockets_config:
+                        try:
+                            from fastapi import APIRouter
+
+                            from ..routing.websockets import create_websocket_endpoint
+
+                            for endpoint_name, endpoint_config in websockets_config.items():
+                                ws_path = endpoint_config.get("path", f"/{endpoint_name}")
+                                # Combine mount prefix with WebSocket path
+                                full_ws_path = f"{path_prefix.rstrip('/')}{ws_path}"
+
+                                # Handle auth configuration
+                                auth_config = endpoint_config.get("auth", {})
+                                if isinstance(auth_config, dict) and "required" in auth_config:
+                                    require_auth = auth_config.get("required", True)
+                                elif "require_auth" in endpoint_config:
+                                    require_auth = endpoint_config.get("require_auth", True)
+                                else:
+                                    # Use app's auth_policy if available
+                                    if "auth_policy" in app_manifest_data:
+                                        require_auth = app_manifest_data["auth_policy"].get(
+                                            "required", True
+                                        )
+                                    else:
+                                        require_auth = True
+
+                                ping_interval = endpoint_config.get("ping_interval", 30)
+
+                                # Create WebSocket handler
+                                # Use original path for handler (mount handled internally)
+                                handler = create_websocket_endpoint(
+                                    app_slug=slug,
+                                    path=ws_path,
+                                    endpoint_name=endpoint_name,
+                                    handler=None,
+                                    require_auth=require_auth,
+                                    ping_interval=ping_interval,
+                                )
+
+                                # Register on parent app with full path
+                                ws_router = APIRouter()
+                                ws_router.websocket(full_ws_path)(handler)
+                                app.include_router(ws_router)
+
+                                logger.info(
+                                    f"✅ Registered WebSocket route '{full_ws_path}' "
+                                    f"for mounted app '{slug}' (mounted at '{path_prefix}')"
+                                )
+                        except ImportError:
+                            logger.warning(
+                                f"WebSocket support not available - skipping WebSocket routes "
+                                f"for mounted app '{slug}'"
+                            )
+                        except (ValueError, TypeError, AttributeError, RuntimeError) as e:
+                            logger.error(
+                                f"Failed to register WebSocket routes for mounted app "
+                                f"'{slug}': {e}",
+                                exc_info=True,
+                            )
+
                     # Update existing entry instead of appending
                     entry = _find_mounted_app_entry(slug)
                     if entry:

{mdb_engine-0.4.5 → mdb_engine-0.4.8/mdb_engine.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: mdb-engine
-Version: 0.4.5
+Version: 0.4.8
 Summary: MongoDB Engine
 Home-page: https://github.com/ranfysvalle02/mdb-engine
 Author: Fabian Valle

{mdb_engine-0.4.5 → mdb_engine-0.4.8}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "mdb-engine"
-version = "0.4.5"
+version = "0.4.8"
 description = "MongoDB Engine"
 readme = "README.md"
 requires-python = ">=3.10"

{mdb_engine-0.4.5 → mdb_engine-0.4.8}/setup.py

@@ -14,7 +14,7 @@ if readme_file.exists():
 
 setup(
     name="mdb-engine",
-    version="0.4.1",
+    version="0.4.8",
     description="MongoDB Engine",
     long_description=long_description,
     long_description_content_type="text/markdown",