mdb-engine 0.4.6__py3-none-any.whl → 0.4.9__py3-none-any.whl

mdb_engine/__init__.py

@@ -82,8 +82,11 @@ from .repositories import Entity, MongoRepository, Repository, UnitOfWork
 from .utils import clean_mongo_doc, clean_mongo_docs
 
 __version__ = (
-    "0.4.3"  # Feature: Automatic route import for multi-app deployments
-    # Routes from web.py/routes.py are now automatically imported when using create_multi_app()
+    "0.4.9"  # Fix: WebSocket + CSRF + Multi-App architecture
+    # - CSRF middleware now added to parent app when child apps use shared auth
+    # - CORS config properly merged from child apps to parent app
+    # - WebSocket origin validation uses parent app's CORS config
+    # - Comprehensive integration tests added
 )
 
 __all__ = [

mdb_engine/auth/csrf.py

@@ -190,6 +190,8 @@ class CSRFMiddleware(BaseHTTPMiddleware):
 
     def _is_exempt(self, path: str) -> bool:
         """Check if a path is exempt from CSRF validation."""
+        # WebSocket upgrade requests are handled separately in dispatch()
+        # Don't exempt them here - they need origin validation
         for pattern in self.exempt_routes:
             if fnmatch.fnmatch(path, pattern):
                 return True
@@ -201,14 +203,42 @@ class CSRFMiddleware(BaseHTTPMiddleware):
         return upgrade_header == "websocket"
 
     def _get_allowed_origins(self, request: Request) -> list[str]:
-        """Get allowed origins from app state (CORS config) or use request host as fallback."""
+        """
+        Get allowed origins from app state (CORS config) or use request host as fallback.
+
+        For multi-app setups, checks parent app's CORS config first (since WebSocket routes
+        are registered on parent app), then falls back to request host.
+        """
         try:
+            # Check current app's CORS config (parent app for WebSocket routes in multi-app)
             cors_config = getattr(request.app.state, "cors_config", None)
             if cors_config and cors_config.get("allow_origins"):
-                return cors_config["allow_origins"]
+                origins = cors_config["allow_origins"]
+                if origins:
+                    return origins if isinstance(origins, list) else [origins]
         except (AttributeError, TypeError, KeyError):
             pass
 
+        # Fallback: Check if this is a multi-app setup and try to find mounted app's CORS config
+        try:
+            if hasattr(request.app.state, "mounted_apps"):
+                # This is a parent app in multi-app setup
+                # Try to find which mounted app this request is for
+                path = request.url.path
+                mounted_apps = request.app.state.mounted_apps
+
+                # Find matching mounted app by path prefix
+                for app_info in mounted_apps:
+                    path_prefix = app_info.get("path_prefix", "")
+                    if path_prefix and path.startswith(path_prefix):
+                        # Try to get child app's CORS config if available
+                        # Note: Child app might not be directly accessible, so we rely on
+                        # parent app's merged CORS config (set during mounting)
+                        break
+        except (AttributeError, TypeError, KeyError):
+            pass
+
+        # Final fallback: Use request host
         try:
             host = request.url.hostname
             scheme = request.url.scheme
@@ -247,7 +277,8 @@ class CSRFMiddleware(BaseHTTPMiddleware):
 
         logger.warning(
             f"WebSocket upgrade rejected - invalid Origin: {origin} "
-            f"(allowed: {allowed_origins})"
+            f"(allowed: {allowed_origins}, app: {getattr(request.app, 'title', 'unknown')}, "
+            f"has_cors_config: {hasattr(request.app.state, 'cors_config')})"
         )
         return False
 
@@ -262,12 +293,22 @@ class CSRFMiddleware(BaseHTTPMiddleware):
         path = request.url.path
         method = request.method
 
+        # CRITICAL: Handle WebSocket upgrade requests BEFORE other CSRF checks
+        # WebSocket upgrades don't use CSRF tokens, but need origin validation
         if self._is_websocket_upgrade(request):
+            # Validate origin for WebSocket connections (CSWSH protection)
             if not self._validate_websocket_origin(request):
+                logger.warning(
+                    f"WebSocket origin validation failed for {path}: "
+                    f"origin={request.headers.get('origin')}, "
+                    f"allowed={self._get_allowed_origins(request)}"
+                )
                 return JSONResponse(
                     status_code=status.HTTP_403_FORBIDDEN,
                     content={"detail": "Invalid origin for WebSocket connection"},
                 )
+            # Origin validated - allow WebSocket upgrade to proceed
+            # No CSRF token check needed for WebSocket upgrades
             return await call_next(request)
 
         if self._is_exempt(path):

mdb_engine/core/engine.py

@@ -2179,6 +2179,116 @@ class MongoDBEngine:
                     return entry
             return None
 
+        async def _merge_cors_config_to_parent(
+            parent_app: "FastAPI",
+            child_app: "FastAPI",
+            child_manifest: dict[str, Any],
+            slug: str,
+        ) -> None:
+            """Merge CORS config from child app to parent app."""
+            child_cors = None
+            if hasattr(child_app.state, "cors_config"):
+                child_cors = child_app.state.cors_config
+            else:
+                # CORS config might not be set yet (lifespan runs asynchronously)
+                # Get it from manifest directly
+                cors_config_from_manifest = child_manifest.get("cors", {})
+                if cors_config_from_manifest:
+                    from ..auth.config_helpers import (
+                        CORS_DEFAULTS,
+                        merge_config_with_defaults,
+                    )
+
+                    child_cors = merge_config_with_defaults(
+                        cors_config_from_manifest, CORS_DEFAULTS
+                    )
+                    # Also set it on child app state for future reference
+                    child_app.state.cors_config = child_cors
+
+            if child_cors:
+                if hasattr(parent_app.state, "cors_config"):
+                    # Merge child CORS into parent (child takes precedence for its routes)
+                    parent_cors = parent_app.state.cors_config
+                    # Merge allow_origins lists
+                    child_origins = child_cors.get("allow_origins", [])
+                    parent_origins = parent_cors.get("allow_origins", [])
+                    merged_origins = list(set(parent_origins + child_origins))
+                    parent_app.state.cors_config = {
+                        **parent_cors,
+                        **child_cors,
+                        "allow_origins": merged_origins if merged_origins else ["*"],
+                    }
+                else:
+                    # Parent has no CORS config, use child's
+                    parent_app.state.cors_config = child_cors
+                logger.debug(f"✅ Merged CORS config from child app '{slug}' to parent app")
+
+        async def _register_websocket_routes(
+            parent_app: "FastAPI",
+            child_manifest: dict[str, Any],
+            slug: str,
+            path_prefix: str,
+        ) -> None:
+            """Register WebSocket routes on parent app for a child app."""
+            websockets_config = child_manifest.get("websockets")
+            if not websockets_config:
+                return
+
+            try:
+                from fastapi import APIRouter
+
+                from ..routing.websockets import create_websocket_endpoint
+
+                for endpoint_name, endpoint_config in websockets_config.items():
+                    ws_path = endpoint_config.get("path", f"/{endpoint_name}")
+                    # Combine mount prefix with WebSocket path
+                    full_ws_path = f"{path_prefix.rstrip('/')}{ws_path}"
+
+                    # Handle auth configuration
+                    auth_config = endpoint_config.get("auth", {})
+                    if isinstance(auth_config, dict) and "required" in auth_config:
+                        require_auth = auth_config.get("required", True)
+                    elif "require_auth" in endpoint_config:
+                        require_auth = endpoint_config.get("require_auth", True)
+                    else:
+                        # Use app's auth_policy if available
+                        if "auth_policy" in child_manifest:
+                            require_auth = child_manifest["auth_policy"].get("required", True)
+                        else:
+                            require_auth = True
+
+                    ping_interval = endpoint_config.get("ping_interval", 30)
+
+                    # Create WebSocket handler
+                    handler = create_websocket_endpoint(
+                        app_slug=slug,
+                        path=ws_path,
+                        endpoint_name=endpoint_name,
+                        handler=None,
+                        require_auth=require_auth,
+                        ping_interval=ping_interval,
+                    )
+
+                    # Register on parent app with full path
+                    ws_router = APIRouter()
+                    ws_router.websocket(full_ws_path)(handler)
+                    parent_app.include_router(ws_router)
+
+                    logger.info(
+                        f"✅ Registered WebSocket route '{full_ws_path}' "
+                        f"for mounted app '{slug}' (mounted at '{path_prefix}')"
+                    )
+            except ImportError:
+                logger.warning(
+                    f"WebSocket support not available - skipping WebSocket routes "
+                    f"for mounted app '{slug}'"
+                )
+            except (ValueError, TypeError, AttributeError, RuntimeError) as e:
+                logger.error(
+                    f"Failed to register WebSocket routes for mounted app '{slug}': {e}",
+                    exc_info=True,
+                )
+
         @asynccontextmanager
         async def lifespan(app: FastAPI):
             """Lifespan context manager for parent app."""
@@ -2375,6 +2485,13 @@ class MongoDBEngine:
 
                     # Mount child app at path prefix
                     app.mount(path_prefix, child_app)
+
+                    # CRITICAL FIX: Merge CORS config from child app to parent app
+                    await _merge_cors_config_to_parent(app, child_app, app_manifest_data, slug)
+
+                    # CRITICAL FIX: Register WebSocket routes on parent app with full path
+                    await _register_websocket_routes(app, app_manifest_data, slug, path_prefix)
+
                     # Update existing entry instead of appending
                     entry = _find_mounted_app_entry(slug)
                     if entry:
@@ -2550,6 +2667,16 @@ class MongoDBEngine:
         parent_app.state.is_multi_app = True
         parent_app.state.engine = engine
 
+        # Set default CORS config on parent app for WebSocket origin validation
+        # This ensures CSRF middleware can validate WebSocket origins even if child apps
+        # don't configure CORS
+        from ..auth.config_helpers import CORS_DEFAULTS
+
+        parent_app.state.cors_config = CORS_DEFAULTS.copy()
+        parent_app.state.cors_config["enabled"] = True
+        parent_app.state.cors_config["allow_origins"] = ["*"]  # Default to allow all for WebSocket
+        logger.debug("Set default CORS config on parent app for WebSocket origin validation")
+
         # Store app reference in engine for get_mounted_apps()
         engine._multi_app_instance = parent_app
 
@@ -2572,15 +2699,35 @@ class MongoDBEngine:
         parent_app.add_middleware(RequestScopeMiddleware)
         logger.debug("RequestScopeMiddleware added for parent app")
 
+        # CRITICAL: Add CSRF middleware to parent app if any child app uses shared auth
+        # WebSocket routes are registered on parent app, so parent app middleware runs first
+        # CSRF middleware on parent app validates WebSocket origin using parent app's CORS config
+        if has_shared_auth:
+            from ..auth.csrf import create_csrf_middleware
+
+            # Create CSRF middleware with default config (will use parent app's CORS config)
+            # Exempt routes that don't need CSRF (health checks, etc.)
+            parent_csrf_config = {
+                "csrf_protection": True,
+                "public_routes": ["/health", "/docs", "/openapi.json", "/_mdb/routes"],
+            }
+            csrf_middleware = create_csrf_middleware(parent_csrf_config)
+            parent_app.add_middleware(csrf_middleware)
+            logger.info("CSRFMiddleware added to parent app for WebSocket origin validation")
+
         # Add shared CORS middleware if configured
         # (Individual apps can add their own CORS, but parent-level is useful)
         try:
             from fastapi.middleware.cors import CORSMiddleware
 
+            # Use CORS config from parent app state (set above)
+            cors_origins = parent_app.state.cors_config.get("allow_origins", ["*"])
+            cors_credentials = parent_app.state.cors_config.get("allow_credentials", True)
+
             parent_app.add_middleware(
                 CORSMiddleware,
-                allow_origins=["*"],  # Can be configured via manifest later
-                allow_credentials=True,
+                allow_origins=cors_origins,
+                allow_credentials=cors_credentials,
                 allow_methods=["*"],
                 allow_headers=["*"],
             )

{mdb_engine-0.4.6.dist-info → mdb_engine-0.4.9.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: mdb-engine
-Version: 0.4.6
+Version: 0.4.9
 Summary: MongoDB Engine
 Home-page: https://github.com/ranfysvalle02/mdb-engine
 Author: Fabian Valle

{mdb_engine-0.4.6.dist-info → mdb_engine-0.4.9.dist-info}/RECORD

@@ -1,5 +1,5 @@
 mdb_engine/README.md,sha256=T3EFGcPopY9LslYW3lxgG3hohWkAOmBNbYG0FDMUJiY,3502
-mdb_engine/__init__.py,sha256=Hm7dL74-37z0tXYLcgCV5f6CZ_ZDOaTACYw4N863OCA,3262
+mdb_engine/__init__.py,sha256=AFQ20lpN4UqRakhVC_JPQzqJkvLAbwgYbgCnFBaYet4,3413
 mdb_engine/config.py,sha256=DTAyxfKB8ogyI0v5QR9Y-SJOgXQr_eDBCKxNBSqEyLc,7269
 mdb_engine/constants.py,sha256=eaotvW57TVOg7rRbLziGrVNoP7adgw_G9iVByHezc_A,7837
 mdb_engine/dependencies.py,sha256=MJuYQhZ9ZGzXlip1ha5zba9Rvn04HDPWahJFJH81Q2s,14107
@@ -14,7 +14,7 @@ mdb_engine/auth/casbin_models.py,sha256=7XtFmRBhhjw1nKprnluvjyJoTj5fzdPeQwVvo6fI
 mdb_engine/auth/config_defaults.py,sha256=1YI_hIHuTiEXpkEYMcufNHdLr1oxPiJylg3CKrJCSGY,2012
 mdb_engine/auth/config_helpers.py,sha256=Qharb2YagLOKDGtE7XhYRDbBoQ_KGykrcIKrsOwWIJ4,6303
 mdb_engine/auth/cookie_utils.py,sha256=j04qXq5GiJrnnJUAP5Z_N1CAFbx9CZiyF5u9xIiQ3vo,4876
-mdb_engine/auth/csrf.py,sha256=Xt_u4V8QXxsCS6KPh5Q54pN5BTbvWMBdJW-CFmBQtEY,14916
+mdb_engine/auth/csrf.py,sha256=__vbWkqt6LcEoib53q14Or7hGkG7yKC2UZdbf8Si3h4,17211
 mdb_engine/auth/decorators.py,sha256=LkVVEuRrT0Iz8EwctN14BEi3fSV-xtN6DaGXgtbiYYo,12287
 mdb_engine/auth/dependencies.py,sha256=JB1iYvZJgTR6gcaiGe_GJFCS6NdUKMxWBZRv6vVxnzw,27112
 mdb_engine/auth/helpers.py,sha256=BCrid985cYh-3h5ZMUV9TES0q40uJXio4oYKQZta7KA,1970
@@ -46,7 +46,7 @@ mdb_engine/core/app_registration.py,sha256=7szt2a7aBkpSppjmhdkkPPYMKGKo0MkLKZeEe
 mdb_engine/core/app_secrets.py,sha256=bo-syg9UUATibNyXEZs-0TTYWG-JaY-2S0yNSGA12n0,10524
 mdb_engine/core/connection.py,sha256=XnwuPG34pJ7kJGJ84T0mhj1UZ6_CLz_9qZf6NRYGIS8,8346
 mdb_engine/core/encryption.py,sha256=RZ5LPF5g28E3ZBn6v1IMw_oas7u9YGFtBcEj8lTi9LM,7515
-mdb_engine/core/engine.py,sha256=uknOG_98LIkmgwTUAnm_8ue-S8pWs3XjMZKa9oDAIxM,133799
+mdb_engine/core/engine.py,sha256=1coGBNfC1f-tFV5mlRMN9WBkk3IkV3atH36dSUZyETQ,140964
 mdb_engine/core/index_management.py,sha256=9-r7MIy3JnjQ35sGqsbj8K_I07vAUWtAVgSWC99lJcE,5555
 mdb_engine/core/manifest.py,sha256=jguhjVPAHMZGxOJcdSGouv9_XiKmxUjDmyjn2yXHCj4,139205
 mdb_engine/core/ray_integration.py,sha256=vexYOzztscvRYje1xTNmXJbi99oJxCaVJAwKfTNTF_E,13610
@@ -89,9 +89,9 @@ mdb_engine/routing/__init__.py,sha256=reupjHi_RTc2ZBA4AH5XzobAmqy4EQIsfSUcTkFknU
 mdb_engine/routing/websockets.py,sha256=3X4OjQv_Nln4UmeifJky0gFhMG8A6alR77I8g1iIOLY,29311
 mdb_engine/utils/__init__.py,sha256=lDxQSGqkV4fVw5TWIk6FA6_eey_ZnEtMY0fir3cpAe8,236
 mdb_engine/utils/mongo.py,sha256=Oqtv4tQdpiiZzrilGLEYQPo8Vmh8WsTQypxQs8Of53s,3369
-mdb_engine-0.4.6.dist-info/licenses/LICENSE,sha256=hIahDEOTzuHCU5J2nd07LWwkLW7Hko4UFO__ffsvB-8,34523
-mdb_engine-0.4.6.dist-info/METADATA,sha256=LJYFe_FP0gBUVt2uDSXtvS15Vp7qNQxe4WVrX8zsthY,15810
-mdb_engine-0.4.6.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
-mdb_engine-0.4.6.dist-info/entry_points.txt,sha256=INCbYdFbBzJalwPwxliEzLmPfR57IvQ7RAXG_pn8cL8,48
-mdb_engine-0.4.6.dist-info/top_level.txt,sha256=PH0UEBwTtgkm2vWvC9He_EOMn7hVn_Wg_Jyc0SmeO8k,11
-mdb_engine-0.4.6.dist-info/RECORD,,
+mdb_engine-0.4.9.dist-info/licenses/LICENSE,sha256=hIahDEOTzuHCU5J2nd07LWwkLW7Hko4UFO__ffsvB-8,34523
+mdb_engine-0.4.9.dist-info/METADATA,sha256=ncHUSb3JIKOLV1bUrn1BZWoMR-qUg2QEvmWQ0dzFlnM,15810
+mdb_engine-0.4.9.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
+mdb_engine-0.4.9.dist-info/entry_points.txt,sha256=INCbYdFbBzJalwPwxliEzLmPfR57IvQ7RAXG_pn8cL8,48
+mdb_engine-0.4.9.dist-info/top_level.txt,sha256=PH0UEBwTtgkm2vWvC9He_EOMn7hVn_Wg_Jyc0SmeO8k,11
+mdb_engine-0.4.9.dist-info/RECORD,,