mdb-engine 0.5.1__py3-none-any.whl → 0.6.0__py3-none-any.whl

mdb_engine/__init__.py

@@ -82,15 +82,19 @@ from .repositories import Entity, MongoRepository, Repository, UnitOfWork
 from .utils import clean_mongo_doc, clean_mongo_docs
 
 __version__ = (
-    "0.5.0"  # Major WebSocket security overhaul - cookie-based authentication
-    # - BREAKING CHANGE: Removed subprotocol tunneling support
-    # - NEW: Exclusive httpOnly cookie-based WebSocket authentication
-    # - Comprehensive security guide (WEBSOCKET_SECURITY_MULTI_APP_SSO.md)
-    # - Updated all documentation to reflect cookie-based authentication
-    # - Enhanced CSRF protection for WebSocket upgrades
-    # - Added integration tests for cookie-based WebSocket authentication
-    # - Complete test coverage for WebSocket security scenarios
-    # - Multi-app SSO compatibility with path="/" cookies
+    "0.6.0"  # Secure-by-default WebSocket authentication with encrypted session keys
+    # - NEW: WebSocket session key generation and management
+    # - NEW: Envelope encryption for WebSocket session keys
+    # - NEW: Secure-by-default CSRF protection (csrf_required: true)
+    # - NEW: WebSocketSessionManager with private collection storage
+    # - NEW: Session key endpoint (/auth/websocket-session)
+    # - NEW: Session key integration in login flow
+    # - ENHANCED: WebSocket authentication with session key support
+    # - ENHANCED: CSRF middleware session key validation
+    # - ENHANCED: Multi-app WebSocket routing with session keys
+    # - BACKWARD COMPATIBLE: Cookie-based authentication fallback
+    # - UPDATED: All documentation for secure-by-default approach
+    # - COMPREHENSIVE: Unit and integration tests for session keys
 )
 
 __all__ = [

mdb_engine/auth/__init__.py

@@ -125,6 +125,12 @@ from .utils import (
     validate_password_strength_async,
 )
 
+# WebSocket sessions
+from .websocket_sessions import (
+    WebSocketSessionManager,
+    create_websocket_session_endpoint,
+)
+
 __all__ = [
     # Base classes
     "BaseAuthorizationProvider",
@@ -232,4 +238,7 @@ __all__ = [
     "generate_csrf_token",
     "validate_csrf_token",
     "get_csrf_token",
+    # WebSocket sessions
+    "WebSocketSessionManager",
+    "create_websocket_session_endpoint",
 ]

mdb_engine/auth/csrf.py

@@ -102,14 +102,16 @@ def validate_csrf_token(
         try:
             parts = token.split(":")
             if len(parts) != 3:
+                logger.debug("CSRF token has wrong format (expected 3 parts)")
                 return False
 
             raw_token, timestamp_str, signature = parts
             timestamp = int(timestamp_str)
 
             # Check age
-            if time.time() - timestamp > max_age:
-                logger.debug("CSRF token expired")
+            age = time.time() - timestamp
+            if age > max_age:
+                logger.debug(f"CSRF token expired (age: {age:.0f}s, max: {max_age}s)")
                 return False
 
             # Verify signature
@@ -119,7 +121,10 @@ def validate_csrf_token(
             ]
 
             if not hmac.compare_digest(signature, expected_sig):
-                logger.warning("CSRF token signature mismatch")
+                logger.warning(
+                    f"CSRF token signature mismatch. "
+                    f"Token format: signed, Has secret: {bool(secret)}"
+                )
                 return False
 
             return True
@@ -128,7 +133,10 @@ def validate_csrf_token(
             return False
 
     # Simple token validation (just check it exists and has reasonable length)
-    return len(token) >= CSRF_TOKEN_LENGTH
+    is_valid = len(token) >= CSRF_TOKEN_LENGTH
+    if not is_valid:
+        logger.debug(f"CSRF token too short (length: {len(token)}, required: {CSRF_TOKEN_LENGTH})")
+    return is_valid
 
 
 class CSRFMiddleware(BaseHTTPMiddleware):
@@ -197,10 +205,116 @@ class CSRFMiddleware(BaseHTTPMiddleware):
                 return True
         return False
 
+    def _websocket_requires_csrf(self, request: Request, path: str) -> bool:
+        """
+        Check if WebSocket endpoint requires CSRF validation.
+
+        Defaults to True (security by default). Can be disabled per-endpoint via manifest.json:
+        websockets.{endpoint}.auth.csrf_required = false
+
+        Args:
+            request: FastAPI request
+            path: WebSocket path (e.g., "/app-3/ws")
+
+        Returns:
+            True if CSRF validation is required, False otherwise
+        """
+        # Check parent app state for WebSocket configs
+        websocket_configs = getattr(request.app.state, "websocket_configs", None)
+        if not websocket_configs:
+            # No WebSocket configs found - use default (CSRF required for security by default)
+            return True
+
+        # Normalize path for matching
+        normalized_path = path.rstrip("/")
+
+        # Try to find matching app config
+        # WebSocket paths are registered as /app-slug/endpoint-path
+        # e.g., /app-3/ws where app_slug="app-3" and endpoint_path="/ws"
+        for app_slug, config in websocket_configs.items():
+            # Check each endpoint in this app's config
+            for endpoint_name, endpoint_config in config.items():
+                endpoint_path = endpoint_config.get("path", "")
+                # Normalize endpoint path
+                normalized_endpoint = endpoint_path.rstrip("/")
+
+                # Match patterns:
+                # 1. Full path match: /app-slug/endpoint-path
+                # 2. Endpoint-only match: /endpoint-path (if path starts with endpoint)
+                expected_full_path = f"/{app_slug}{normalized_endpoint}"
+                if (
+                    normalized_path == expected_full_path
+                    or normalized_path.endswith(normalized_endpoint)
+                    or normalized_path == normalized_endpoint
+                ):
+                    auth_config = endpoint_config.get("auth", {})
+                    if isinstance(auth_config, dict):
+                        # Return csrf_required setting (defaults to True - security by default)
+                        csrf_required = auth_config.get("csrf_required", True)
+                        logger.debug(
+                            f"WebSocket {path} csrf_required={csrf_required} "
+                            f"(from app={app_slug}, endpoint={endpoint_name})"
+                        )
+                        return csrf_required
+
+        # No matching config found - use default (CSRF required for security by default)
+        logger.debug(f"No WebSocket config match for {path}, using default csrf_required=true")
+        return True
+
     def _is_websocket_upgrade(self, request: Request) -> bool:
         """Check if request is a WebSocket upgrade request."""
         upgrade_header = request.headers.get("upgrade", "").lower()
-        return upgrade_header == "websocket"
+        connection_header = request.headers.get("connection", "").lower()
+
+        # Primary check: WebSocket upgrade requires both Upgrade: websocket
+        # and Connection: Upgrade headers
+        has_upgrade_header = upgrade_header == "websocket"
+        has_connection_upgrade = "upgrade" in connection_header or "websocket" in connection_header
+
+        # Secondary check: If upgrade header is present but connection is
+        # overridden (e.g., by TestClient), check if path matches a known
+        # WebSocket route pattern
+        path_matches_websocket_route = False
+        if has_upgrade_header and not has_connection_upgrade:
+            # Check if path matches any configured WebSocket route
+            websocket_configs = getattr(request.app.state, "websocket_configs", None)
+            if websocket_configs:
+                path = request.url.path.rstrip("/") or "/"
+                for app_slug, config in websocket_configs.items():
+                    for _endpoint_name, endpoint_config in config.items():
+                        endpoint_path = endpoint_config.get("path", "").rstrip("/") or "/"
+                        # Try various path matching patterns
+                        expected_full_path = (
+                            f"/{app_slug}{endpoint_path}"
+                            if endpoint_path != "/"
+                            else f"/{app_slug}"
+                        )
+                        # Match patterns:
+                        # 1. Exact match with app prefix: /app-slug/endpoint-path
+                        # 2. Endpoint-only match: /endpoint-path (if path ends with endpoint)
+                        # 3. Root match: / matches / or /app-slug
+                        if (
+                            path == expected_full_path
+                            or path.endswith(endpoint_path)
+                            or path == endpoint_path
+                            or (path == "/" and endpoint_path == "/")
+                            or (path == f"/{app_slug}" and endpoint_path == "/")
+                        ):
+                            path_matches_websocket_route = True
+                            break
+                    if path_matches_websocket_route:
+                        break
+
+        is_websocket = has_upgrade_header and (
+            has_connection_upgrade or path_matches_websocket_route
+        )
+        if is_websocket:
+            logger.debug(
+                f"WebSocket upgrade detected: path={request.url.path}, "
+                f"upgrade={upgrade_header}, connection={connection_header}, "
+                f"path_match={path_matches_websocket_route}"
+            )
+        return is_websocket
 
     def _get_allowed_origins(self, request: Request) -> list[str]:
         """
@@ -298,9 +412,22 @@ class CSRFMiddleware(BaseHTTPMiddleware):
         path = request.url.path
         method = request.method
 
+        # Debug: Log all requests to see what's happening
+        upgrade_header = request.headers.get("upgrade", "").lower()
+        connection_header = request.headers.get("connection", "").lower()
+        if upgrade_header or "websocket" in path.lower():
+            logger.info(
+                f"🔍 CSRF middleware: {method} {path}, "
+                f"upgrade={upgrade_header}, connection={connection_header}"
+            )
+
         # CRITICAL: Handle WebSocket upgrade requests BEFORE other CSRF checks
         # WebSocket upgrades use cookie-based authentication and require CSRF validation
         if self._is_websocket_upgrade(request):
+            logger.info(
+                f"🔌 CSRF middleware processing WebSocket upgrade: {path}, "
+                f"origin: {request.headers.get('origin')}"
+            )
             # Always validate origin for WebSocket connections (CSWSH protection)
             if not self._validate_websocket_origin(request):
                 logger.warning(
@@ -320,49 +447,155 @@ class CSRFMiddleware(BaseHTTPMiddleware):
 
             auth_token_cookie = request.cookies.get(AUTH_COOKIE_NAME)
             if auth_token_cookie:
-                # For WebSocket upgrades, CSRF protection relies on:
+                # SECURITY BY DEFAULT: WebSocket CSRF protection uses encrypted session keys
+                # stored in private collection via envelope encryption.
+                #
+                # Security Model:
                 # 1. Origin validation (already done above) - primary defense
-                # 2. SameSite cookies - prevents cross-site cookie sending
-                # 3. CSRF cookie presence - ensures session is established
+                # 2. Encrypted session key validation - CSRF protection via database
+                # 3. SameSite cookies - prevents cross-site cookie sending
                 #
-                # Note: JavaScript WebSocket API cannot set custom headers,
-                # so we cannot use double-submit cookie pattern (cookie + header).
-                # Instead, we rely on Origin validation + SameSite cookies for CSRF protection.
-                csrf_cookie_token = request.cookies.get(self.cookie_name)
-                if not csrf_cookie_token:
-                    logger.warning(f"WebSocket upgrade missing CSRF cookie for {path}")
-                    return JSONResponse(
-                        status_code=status.HTTP_403_FORBIDDEN,
-                        content={"detail": "CSRF token missing for WebSocket authentication"},
+                # Session keys are:
+                # - Generated on authentication
+                # - Encrypted using envelope encryption (same as app secrets)
+                # - Stored in _mdb_engine_websocket_sessions private collection
+                # - Validated during WebSocket upgrade
+
+                # Check if this WebSocket endpoint requires CSRF validation
+                csrf_required = self._websocket_requires_csrf(request, path)
+
+                if csrf_required:
+                    # Try to get WebSocket session manager from app state
+                    websocket_session_manager = getattr(
+                        request.app.state, "websocket_session_manager", None
                     )
 
-                # Validate CSRF token signature if secret is used
-                if self.secret and not validate_csrf_token(
-                    csrf_cookie_token, self.secret, self.token_ttl
-                ):
-                    logger.warning(f"WebSocket CSRF token validation failed for {path}")
-                    return JSONResponse(
-                        status_code=status.HTTP_403_FORBIDDEN,
-                        content={
-                            "detail": "CSRF token expired or invalid for WebSocket connection"
-                        },
+                    if websocket_session_manager:
+                        # Use encrypted session key validation (secure-by-default)
+                        session_key = request.query_params.get(
+                            "session_key"
+                        ) or request.headers.get("X-WebSocket-Session-Key")
+
+                        if not session_key:
+                            logger.error(
+                                f"❌ WebSocket upgrade missing session key for {path}. "
+                                f"Auth cookie present: {bool(auth_token_cookie)}. "
+                                f"Tip: Generate session key via /auth/websocket-session endpoint."
+                            )
+                            return JSONResponse(
+                                status_code=status.HTTP_403_FORBIDDEN,
+                                content={
+                                    "detail": (
+                                        "WebSocket session key missing. "
+                                        "Generate session key via /auth/websocket-session endpoint."
+                                    )
+                                },
+                            )
+
+                        # Validate session key against encrypted storage
+                        try:
+                            session_data = await websocket_session_manager.validate_session(
+                                session_key
+                            )
+                            if not session_data:
+                                logger.error(
+                                    f"❌ WebSocket session key validation failed for {path}. "
+                                    f"Session key: {session_key[:16]}..."
+                                )
+                                return JSONResponse(
+                                    status_code=status.HTTP_403_FORBIDDEN,
+                                    content={
+                                        "detail": (
+                                            "WebSocket session key expired or invalid. "
+                                            "Generate a new session key."
+                                        )
+                                    },
+                                )
+
+                            # Store session data in request state for WebSocket handler
+                            request.state.websocket_session = session_data
+                            logger.debug(
+                                f"✅ WebSocket session key validated for {path} "
+                                f"(user: {session_data.get('user_id')})"
+                            )
+                        except (
+                            ValueError,
+                            TypeError,
+                            AttributeError,
+                            RuntimeError,
+                        ):
+                            logger.exception("Error validating WebSocket session key")
+                            return JSONResponse(
+                                status_code=status.HTTP_403_FORBIDDEN,
+                                content={"detail": "WebSocket session validation error"},
+                            )
+                    else:
+                        # Fallback to cookie-based CSRF (backward compatibility)
+                        csrf_cookie_token = request.cookies.get(self.cookie_name)
+                        if not csrf_cookie_token:
+                            logger.error(
+                                f"❌ WebSocket upgrade missing CSRF cookie for {path}. "
+                                f"Auth cookie present: {bool(auth_token_cookie)}, "
+                                f"CSRF cookie name: {self.cookie_name}, "
+                                f"Available cookies: {list(request.cookies.keys())}. "
+                                f"Tip: Make a GET request first to receive CSRF cookie."
+                            )
+                            return JSONResponse(
+                                status_code=status.HTTP_403_FORBIDDEN,
+                                content={
+                                    "detail": (
+                                        "CSRF token missing for WebSocket authentication. "
+                                        "Make a GET request first to receive the CSRF cookie."
+                                    )
+                                },
+                            )
+
+                        # Validate CSRF token signature if secret is used
+                        if self.secret and not validate_csrf_token(
+                            csrf_cookie_token, self.secret, self.token_ttl
+                        ):
+                            logger.error(f"❌ WebSocket CSRF token validation failed for {path}.")
+                            return JSONResponse(
+                                status_code=status.HTTP_403_FORBIDDEN,
+                                content={
+                                    "detail": (
+                                        "CSRF token expired or invalid for WebSocket connection"
+                                    )
+                                },
+                            )
+
+                        # If CSRF header is provided, validate it matches the cookie
+                        # (Header is optional for WebSocket, but if present, must match cookie)
+                        csrf_header_token = request.headers.get(self.header_name)
+                        if csrf_header_token:
+                            if not hmac.compare_digest(csrf_cookie_token, csrf_header_token):
+                                logger.error(
+                                    f"❌ WebSocket CSRF header mismatch for {path}. "
+                                    f"Cookie token and header token do not match."
+                                )
+                                return JSONResponse(
+                                    status_code=status.HTTP_403_FORBIDDEN,
+                                    content={
+                                        "detail": (
+                                            "CSRF token mismatch: header token does not "
+                                            "match cookie token"
+                                        )
+                                    },
+                                )
+                            logger.debug(
+                                f"✅ CSRF header validated and matches cookie for WebSocket {path}"
+                            )
+
+                        logger.debug(f"✅ CSRF cookie validation passed for WebSocket {path}")
+                else:
+                    logger.debug(
+                        f"✅ WebSocket CSRF validation skipped for {path} "
+                        f"(csrf_required=false, Origin validation sufficient)"
                     )
 
-                # Optional: If CSRF header is provided, validate it matches cookie
-                # (Some clients may send it, but it's not required for WebSocket upgrades)
-                header_token = request.headers.get(self.header_name)
-                if header_token:
-                    # If header is provided, validate it matches cookie (double-submit pattern)
-                    if not hmac.compare_digest(csrf_cookie_token, header_token):
-                        logger.warning(f"WebSocket CSRF token mismatch for {path}")
-                        return JSONResponse(
-                            status_code=status.HTTP_403_FORBIDDEN,
-                            content={"detail": "CSRF token invalid for WebSocket connection"},
-                        )
-
                 logger.debug(
                     f"WebSocket upgrade CSRF validation passed for {path} "
-                    f"(Origin validated, CSRF cookie present)"
+                    f"(Origin validated, CSRF validated)"
                 )
 
             # Origin validated (and CSRF validated if authenticated)

mdb_engine/auth/shared_users.py

@@ -120,6 +120,7 @@ class SharedUserPool:
         token_expiry_hours: int = DEFAULT_TOKEN_EXPIRY_HOURS,
         allow_insecure_dev: bool = False,
         blacklist_fail_closed: bool = True,
+        websocket_session_manager: Any | None = None,
     ):
         """
         Initialize the shared user pool.
@@ -174,6 +175,7 @@ class SharedUserPool:
 
         self._token_expiry_hours = token_expiry_hours
         self._blacklist_indexes_created = False
+        self._websocket_session_manager = websocket_session_manager
 
         logger.info(f"SharedUserPool initialized (algorithm={jwt_algorithm})")
 
@@ -340,7 +342,9 @@ class SharedUserPool:
         ip_address: str | None = None,
         fingerprint: str | None = None,
         session_binding: dict[str, Any] | None = None,
-    ) -> str | None:
+        generate_websocket_session: bool = True,
+        app_slug: str | None = None,
+    ) -> str | tuple[str, str] | None:
         """
         Authenticate user and return JWT token.
 
@@ -352,9 +356,14 @@ class SharedUserPool:
             session_binding: Session binding config from manifest:
                 - bind_ip: Include IP in token claims
                 - bind_fingerprint: Include fingerprint in token claims
+            generate_websocket_session: If True and WebSocket session manager available,
+                                       also generate WebSocket session key (default: True)
+            app_slug: Optional app slug for WebSocket session scoping
 
         Returns:
-            JWT token if authentication succeeds, None otherwise
+            JWT token if authentication succeeds, None otherwise.
+            If generate_websocket_session=True and session manager available,
+            returns tuple (jwt_token, websocket_session_key), otherwise just jwt_token.
         """
         user = await self._collection.find_one(
             {
@@ -392,7 +401,28 @@ class SharedUserPool:
         # Generate JWT token with session binding claims
         token = self._generate_token(user, extra_claims=extra_claims or None)
 
+        # Generate WebSocket session key if requested and manager available
+        websocket_session_key = None
+        if generate_websocket_session and self._websocket_session_manager:
+            try:
+                user_id = str(user["_id"])
+                websocket_session_key = await self._websocket_session_manager.create_session(
+                    user_id=user_id,
+                    user_email=email,
+                    app_slug=app_slug,
+                )
+                logger.debug(
+                    f"Generated WebSocket session key for user '{email}' " f"(app: {app_slug})"
+                )
+            except (ValueError, TypeError, AttributeError, RuntimeError) as e:
+                # Log but don't fail authentication if WebSocket session generation fails
+                logger.warning(f"Failed to generate WebSocket session key: {e}")
+
         logger.info(f"User '{email}' authenticated successfully")
+
+        # Return tuple if WebSocket session key was generated, otherwise just token
+        if websocket_session_key:
+            return (token, websocket_session_key)
         return token
 
     async def validate_token(self, token: str) -> dict[str, Any] | None:

mdb_engine/auth/utils.py

@@ -514,16 +514,41 @@ async def login_user(
                 ip_address=device_info.get("ip_address"),
             )
 
+        # Generate WebSocket session key if WebSocket session manager available
+        websocket_session_key = None
+        try:
+            # Try to get WebSocket session manager from app state
+            app = getattr(request, "app", None)
+            if app:
+                websocket_session_manager = getattr(app.state, "websocket_session_manager", None)
+                if websocket_session_manager:
+                    # Get app slug from request state if available
+                    app_slug = getattr(request.state, "app_slug", None)
+                    websocket_session_key = await websocket_session_manager.create_session(
+                        user_id=str(user["_id"]),
+                        user_email=user["email"],
+                        app_slug=app_slug,
+                    )
+                    logger.debug(
+                        f"Generated WebSocket session key for user '{user['email']}' "
+                        f"(app: {app_slug})"
+                    )
+        except (ValueError, TypeError, AttributeError, RuntimeError) as e:
+            # Log but don't fail login if WebSocket session generation fails
+            logger.warning(f"Failed to generate WebSocket session key during login: {e}")
+
         # Create response
+        response_data = {
+            "success": True,
+            "user": {"email": user["email"], "user_id": str(user["_id"])},
+        }
+        if websocket_session_key:
+            response_data["websocket_session_key"] = websocket_session_key
+
         if redirect_url:
             response = RedirectResponse(url=redirect_url, status_code=302)
         else:
-            response = JSONResponse(
-                {
-                    "success": True,
-                    "user": {"email": user["email"], "user_id": str(user["_id"])},
-                }
-            )
+            response = JSONResponse(response_data)
 
         # Set cookies
         set_auth_cookies(

mdb_engine/auth/websocket_sessions.py

@@ -0,0 +1,433 @@
+"""
+WebSocket Session Manager with Envelope Encryption
+
+Manages WebSocket session keys using envelope encryption and private collections.
+Provides secure-by-default WebSocket authentication without relying on CSRF cookies.
+
+This module is part of MDB_ENGINE - MongoDB Engine.
+
+Security Model:
+- Session keys generated on authentication
+- Stored encrypted in _mdb_engine_websocket_sessions collection
+- Validated during WebSocket upgrade
+- Uses envelope encryption (same as app secrets)
+- Security by default: CSRF always required
+"""
+
+import base64
+import logging
+import secrets
+from collections.abc import Callable
+from datetime import datetime, timedelta
+from typing import Any
+
+from motor.motor_asyncio import AsyncIOMotorDatabase
+from pymongo.errors import OperationFailure, PyMongoError
+
+from ..core.encryption import EnvelopeEncryptionService
+
+logger = logging.getLogger(__name__)
+
+# Collection name for storing encrypted WebSocket session keys
+WEBSOCKET_SESSIONS_COLLECTION_NAME = "_mdb_engine_websocket_sessions"
+
+# Session key configuration
+SESSION_KEY_SIZE = 32  # 256 bits
+SESSION_TTL_HOURS = 24  # Sessions expire after 24 hours
+
+
+class WebSocketSessionManager:
+    """
+    Manages WebSocket session keys using envelope encryption.
+
+    Session keys are:
+    - Generated on user authentication
+    - Encrypted using envelope encryption
+    - Stored in private collection (_mdb_engine_websocket_sessions)
+    - Validated during WebSocket upgrade
+    - Automatically expired after TTL
+    """
+
+    def __init__(
+        self,
+        mongo_db: AsyncIOMotorDatabase,
+        encryption_service: EnvelopeEncryptionService,
+    ):
+        """
+        Initialize the WebSocket session manager.
+
+        Args:
+            mongo_db: MongoDB database instance (raw, not scoped)
+            encryption_service: Envelope encryption service instance
+        """
+        self._mongo_db = mongo_db
+        self._encryption_service = encryption_service
+        self._sessions_collection = mongo_db[WEBSOCKET_SESSIONS_COLLECTION_NAME]
+
+    @staticmethod
+    def generate_session_key() -> str:
+        """
+        Generate a random WebSocket session key.
+
+        Returns:
+            Base64-encoded session key string
+        """
+        key_bytes = secrets.token_bytes(SESSION_KEY_SIZE)
+        return base64.urlsafe_b64encode(key_bytes).decode().rstrip("=")
+
+    async def create_session(
+        self,
+        user_id: str,
+        user_email: str | None = None,
+        app_slug: str | None = None,
+    ) -> str:
+        """
+        Create a new WebSocket session with encrypted session key.
+
+        Args:
+            user_id: User ID
+            user_email: Optional user email
+            app_slug: Optional app slug for scoping
+
+        Returns:
+            Plaintext session key (to be sent to client)
+
+        Raises:
+            OperationFailure: If MongoDB operation fails
+        """
+        try:
+            # Generate session key
+            session_key = self.generate_session_key()
+
+            # Encrypt session key using envelope encryption
+            encrypted_key, encrypted_dek = self._encryption_service.encrypt_secret(session_key)
+
+            # Encode as base64 for storage
+            encrypted_key_b64 = base64.b64encode(encrypted_key).decode()
+            encrypted_dek_b64 = base64.b64encode(encrypted_dek).decode()
+
+            # Calculate expiration
+            expires_at = datetime.utcnow() + timedelta(hours=SESSION_TTL_HOURS)
+
+            # Prepare document
+            document = {
+                "_id": session_key,  # Use session key as ID for fast lookup
+                "user_id": user_id,
+                "user_email": user_email,
+                "app_slug": app_slug,
+                "encrypted_key": encrypted_key_b64,
+                "encrypted_dek": encrypted_dek_b64,
+                "algorithm": "AES-256-GCM",
+                "created_at": datetime.utcnow(),
+                "expires_at": expires_at,
+            }
+
+            # Store in private collection
+            await self._sessions_collection.insert_one(document)
+
+            logger.info(
+                f"Created WebSocket session for user '{user_id}' "
+                f"(app: {app_slug}, expires: {expires_at})"
+            )
+
+            return session_key
+
+        except (OperationFailure, PyMongoError):
+            logger.exception("Failed to create WebSocket session")
+            raise
+
+    async def validate_session(
+        self,
+        session_key: str,
+        user_id: str | None = None,
+    ) -> dict[str, Any] | None:
+        """
+        Validate a WebSocket session key.
+
+        Args:
+            session_key: Session key to validate
+            user_id: Optional user ID for additional validation
+
+        Returns:
+            Session document if valid, None otherwise
+
+        Raises:
+            OperationFailure: If MongoDB operation fails
+        """
+        try:
+            # Find session by key
+            session_doc = await self._sessions_collection.find_one({"_id": session_key})
+
+            if not session_doc:
+                logger.warning(f"WebSocket session not found: {session_key[:16]}...")
+                return None
+
+            # Check expiration
+            expires_at = session_doc.get("expires_at")
+            if expires_at and expires_at < datetime.utcnow():
+                logger.warning(
+                    f"WebSocket session expired: {session_key[:16]}... " f"(expired: {expires_at})"
+                )
+                # Clean up expired session
+                await self._sessions_collection.delete_one({"_id": session_key})
+                return None
+
+            # Optional: Validate user_id matches
+            if user_id and session_doc.get("user_id") != user_id:
+                logger.warning(
+                    f"WebSocket session user mismatch: "
+                    f"session_user={session_doc.get('user_id')}, "
+                    f"provided_user={user_id}"
+                )
+                return None
+
+            # Decrypt session key to verify it's valid
+            try:
+                encrypted_key = base64.b64decode(session_doc["encrypted_key"])
+                encrypted_dek = base64.b64decode(session_doc["encrypted_dek"])
+                decrypted_key = self._encryption_service.decrypt_secret(
+                    encrypted_key, encrypted_dek
+                )
+
+                # Verify decrypted key matches session_key
+                if decrypted_key != session_key:
+                    logger.error(
+                        f"WebSocket session key decryption mismatch: "
+                        f"session_key={session_key[:16]}..."
+                    )
+                    return None
+
+            except (ValueError, TypeError, AttributeError, KeyError):
+                logger.exception("Failed to decrypt WebSocket session key")
+                return None
+
+            logger.debug(
+                f"Validated WebSocket session for user '{session_doc.get('user_id')}' "
+                f"(app: {session_doc.get('app_slug')})"
+            )
+
+            return {
+                "user_id": session_doc.get("user_id"),
+                "user_email": session_doc.get("user_email"),
+                "app_slug": session_doc.get("app_slug"),
+                "created_at": session_doc.get("created_at"),
+                "expires_at": session_doc.get("expires_at"),
+            }
+
+        except (OperationFailure, PyMongoError):
+            logger.exception("Failed to validate WebSocket session")
+            raise
+
+    async def revoke_session(self, session_key: str) -> bool:
+        """
+        Revoke a WebSocket session.
+
+        Args:
+            session_key: Session key to revoke
+
+        Returns:
+            True if session was revoked, False if not found
+        """
+        try:
+            result = await self._sessions_collection.delete_one({"_id": session_key})
+            if result.deleted_count > 0:
+                logger.info(f"Revoked WebSocket session: {session_key[:16]}...")
+                return True
+            return False
+        except (OperationFailure, PyMongoError):
+            logger.exception("Failed to revoke WebSocket session")
+            return False
+
+    async def revoke_user_sessions(self, user_id: str, app_slug: str | None = None) -> int:
+        """
+        Revoke all sessions for a user.
+
+        Args:
+            user_id: User ID
+            app_slug: Optional app slug filter
+
+        Returns:
+            Number of sessions revoked
+        """
+        try:
+            query = {"user_id": user_id}
+            if app_slug:
+                query["app_slug"] = app_slug
+
+            result = await self._sessions_collection.delete_many(query)
+            logger.info(
+                f"Revoked {result.deleted_count} WebSocket sessions "
+                f"for user '{user_id}' (app: {app_slug})"
+            )
+            return result.deleted_count
+        except (OperationFailure, PyMongoError):
+            logger.exception("Failed to revoke user WebSocket sessions")
+            return 0
+
+    async def cleanup_expired_sessions(self) -> int:
+        """
+        Clean up expired WebSocket sessions.
+
+        Returns:
+            Number of sessions cleaned up
+        """
+        try:
+            result = await self._sessions_collection.delete_many(
+                {"expires_at": {"$lt": datetime.utcnow()}}
+            )
+            if result.deleted_count > 0:
+                logger.info(f"Cleaned up {result.deleted_count} expired WebSocket sessions")
+            return result.deleted_count
+        except (OperationFailure, PyMongoError):
+            logger.exception("Failed to cleanup expired WebSocket sessions")
+            return 0
+
+
+def create_websocket_session_endpoint(
+    session_manager: WebSocketSessionManager,
+) -> Callable:
+    """
+    Create a FastAPI endpoint for generating WebSocket session keys.
+
+    This endpoint requires authentication and generates a new WebSocket session key
+    for the authenticated user. The session key is encrypted and stored in the
+    private collection.
+
+    Args:
+        session_manager: WebSocketSessionManager instance
+
+    Returns:
+        FastAPI route handler function
+
+    Example:
+        ```python
+        from mdb_engine.auth.websocket_sessions import (
+            WebSocketSessionManager,
+            create_websocket_session_endpoint,
+        )
+        from mdb_engine.core.encryption import EnvelopeEncryptionService
+
+        # Initialize session manager
+        encryption_service = EnvelopeEncryptionService()
+        session_manager = WebSocketSessionManager(
+            mongo_db=db,
+            encryption_service=encryption_service,
+        )
+
+        # Create endpoint
+        endpoint = create_websocket_session_endpoint(session_manager)
+        app.get("/auth/websocket-session")(endpoint)
+        ```
+
+    The endpoint:
+    - Requires authentication (user must be logged in)
+    - Returns JSON: `{"session_key": "...", "expires_at": "..."}`
+    - Uses user info from `request.state.user` (set by SharedAuthMiddleware)
+    """
+    from fastapi import Request, status
+    from fastapi.responses import JSONResponse
+
+    async def websocket_session_endpoint(request: Request) -> JSONResponse:
+        """
+        Generate a WebSocket session key for the authenticated user.
+
+        Requires:
+        - User to be authenticated (via request.state.user or auth cookie)
+        - WebSocket session manager to be available
+
+        Returns:
+        - JSONResponse with session_key and expires_at
+        """
+        # Check if user is authenticated (set by middleware)
+        user = getattr(request.state, "user", None)
+
+        # If not set by middleware, try to authenticate using cookie
+        # This handles the case where endpoint is on parent app without auth middleware
+        if not user:
+            from .shared_middleware import AUTH_COOKIE_NAME
+
+            # Get user pool from app state
+            user_pool = None
+            try:
+                if hasattr(request, "app") and hasattr(request.app, "state"):
+                    user_pool = getattr(request.app.state, "user_pool", None)
+            except (AttributeError, TypeError):
+                pass
+
+            # Only try to authenticate if we have a real user pool (not None)
+            if user_pool is not None:
+                # Extract token from cookie
+                token = None
+                try:
+                    if hasattr(request, "cookies"):
+                        token = request.cookies.get(AUTH_COOKIE_NAME)
+                except (AttributeError, TypeError):
+                    pass
+
+                if token:
+                    try:
+                        # Validate token and get user
+                        user = await user_pool.validate_token(token)
+                    except (TypeError, AttributeError):
+                        # If user_pool is a mock that can't be awaited, ignore
+                        pass
+
+            if not user:
+                return JSONResponse(
+                    status_code=status.HTTP_401_UNAUTHORIZED,
+                    content={"detail": "Authentication required"},
+                )
+
+        # Extract user info
+        # Prefer user_id, sub (JWT standard), or _id (MongoDB document ID)
+        user_id = user.get("user_id") or user.get("sub") or user.get("_id")
+        if not user_id:
+            # Email is not a valid user_id - it's just metadata
+            logger.error("Cannot generate WebSocket session: user_id not found in user data")
+            return JSONResponse(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                content={"detail": "Invalid user data"},
+            )
+        user_email = user.get("email")
+        app_slug = getattr(request.state, "app_slug", None)
+
+        try:
+            # Generate session key
+            session_key = await session_manager.create_session(
+                user_id=str(user_id),
+                user_email=user_email,
+                app_slug=app_slug,
+            )
+
+            # Get expiration time (24 hours from now)
+            from datetime import datetime, timedelta
+
+            expires_at = datetime.utcnow() + timedelta(hours=SESSION_TTL_HOURS)
+
+            logger.info(
+                f"Generated WebSocket session key for user '{user_id}' " f"(app: {app_slug})"
+            )
+
+            return JSONResponse(
+                {
+                    "session_key": session_key,
+                    "expires_at": expires_at.isoformat(),
+                    "ttl_hours": SESSION_TTL_HOURS,
+                }
+            )
+
+        except (
+            ValueError,
+            TypeError,
+            AttributeError,
+            RuntimeError,
+            OperationFailure,
+            PyMongoError,
+        ):
+            logger.exception("Failed to generate WebSocket session key")
+            return JSONResponse(
+                status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+                content={"detail": "Failed to generate WebSocket session key"},
+            )
+
+    return websocket_session_endpoint

mdb_engine/core/engine.py

@@ -148,6 +148,7 @@ class MongoDBEngine:
         self._service_initializer: ServiceInitializer | None = None
         self._encryption_service: EnvelopeEncryptionService | None = None
         self._app_secrets_manager: AppSecretsManager | None = None
+        self._websocket_session_manager: Any | None = None  # WebSocketSessionManager
 
         # Store app read_scopes mapping for validation
         self._app_read_scopes: dict[str, list[str]] = {}
@@ -201,6 +202,13 @@ class MongoDBEngine:
                 mongo_db=self._connection_manager.mongo_db,
                 encryption_service=self._encryption_service,
             )
+            # Initialize WebSocket session manager for secure-by-default WebSocket auth
+            from ..auth.websocket_sessions import WebSocketSessionManager
+
+            self._websocket_session_manager = WebSocketSessionManager(
+                mongo_db=self._connection_manager.mongo_db,
+                encryption_service=self._encryption_service,
+            )
 
         # Set up component managers
         self._app_registration_manager = AppRegistrationManager(
@@ -2283,6 +2291,11 @@ class MongoDBEngine:
                 logger.debug(f"No WebSocket configuration found for app '{slug}'")
                 return
 
+            # Store WebSocket config in parent app state for CSRF middleware to access
+            if not hasattr(parent_app.state, "websocket_configs"):
+                parent_app.state.websocket_configs = {}
+            parent_app.state.websocket_configs[slug] = websockets_config
+
             try:
                 from fastapi import APIRouter
 
@@ -2489,6 +2502,13 @@ class MongoDBEngine:
                             child_app.state.audit_log = app.state.audit_log
                         logger.debug(f"Shared user_pool with child app '{slug}'")
 
+                    # Share WebSocket session manager with child app
+                    if hasattr(app.state, "websocket_session_manager"):
+                        child_app.state.websocket_session_manager = (
+                            app.state.websocket_session_manager
+                        )
+                        logger.debug(f"Shared WebSocket session manager with child app '{slug}'")
+
                     # Add middleware for app context helpers
                     from starlette.middleware.base import BaseHTTPMiddleware
                     from starlette.requests import Request
@@ -2836,12 +2856,31 @@ class MongoDBEngine:
             # Create CSRF middleware with default config (will use parent app's CORS config)
             # Exempt routes that don't need CSRF (health checks, public routes from child apps)
             # all_public_routes includes base routes + child app public routes with path prefixes
+            # Add WebSocket session endpoint to public routes (it handles its own auth)
+            public_routes_with_session_endpoint = list(all_public_routes) + [
+                "/auth/websocket-session"
+            ]
             parent_csrf_config = {
                 "csrf_protection": True,
-                "public_routes": all_public_routes,
+                "public_routes": public_routes_with_session_endpoint,
             }
             csrf_middleware = create_csrf_middleware(parent_csrf_config)
             parent_app.add_middleware(csrf_middleware)
+
+            # Store WebSocket session manager in app state for CSRF middleware and endpoints
+            if self._websocket_session_manager:
+                parent_app.state.websocket_session_manager = self._websocket_session_manager
+                logger.info("WebSocket session manager stored in parent app state")
+
+                # Register WebSocket session endpoint on parent app
+                from ..auth.websocket_sessions import create_websocket_session_endpoint
+
+                session_endpoint = create_websocket_session_endpoint(
+                    self._websocket_session_manager
+                )
+                parent_app.get("/auth/websocket-session")(session_endpoint)
+                logger.info("WebSocket session endpoint registered at /auth/websocket-session")
+
             logger.info("CSRFMiddleware added to parent app for WebSocket origin validation")
 
         # Add shared CORS middleware if configured
@@ -3320,6 +3359,7 @@ class MongoDBEngine:
                 self._shared_user_pool = SharedUserPool(
                     self._connection_manager.mongo_db,
                     allow_insecure_dev=is_dev,
+                    websocket_session_manager=self._websocket_session_manager,
                 )
                 await self._shared_user_pool.ensure_indexes()
                 logger.info("SharedUserPool initialized")

mdb_engine/core/manifest.py

@@ -1338,6 +1338,18 @@ MANIFEST_SCHEMA_V2 = {
                                         "auth is required (default: false)"
                                     ),
                                 },
+                                "csrf_required": {
+                                    "type": "boolean",
+                                    "default": True,
+                                    "description": (
+                                        "Require CSRF validation for WebSocket connections "
+                                        "(default: true - security by default). "
+                                        "When true, uses encrypted session keys stored in "
+                                        "private collection for CSRF protection. "
+                                        "Set to false to use Origin validation + "
+                                        "SameSite cookies only."
+                                    ),
+                                },
                             },
                             "additionalProperties": False,
                             "description": (

mdb_engine/core/types.py

@@ -243,6 +243,7 @@ class WebSocketAuthDict(TypedDict, total=False):
 
     required: bool
     allow_anonymous: bool
+    csrf_required: bool  # Whether CSRF cookie is required (default: False)
 
 
 class WebSocketEndpointDict(TypedDict, total=False):

mdb_engine/routing/websockets.py

@@ -365,12 +365,11 @@ async def authenticate_websocket(
     require_auth: bool = True,
 ) -> tuple[str | None, str | None]:
     """
-    Authenticate a WebSocket connection via httpOnly cookies.
+    Authenticate a WebSocket connection via session key or httpOnly cookies.
 
-    Uses cookie-based authentication with CSRF protection:
-    - Token stored in httpOnly cookie (not accessible to JavaScript)
-    - CSRF token validated via double-submit cookie pattern
-    - Origin validation provides additional protection
+    Authentication methods (in order of preference):
+    1. Session key (query param or header) - secure-by-default, uses envelope encryption
+    2. Cookie-based authentication - backward compatibility fallback
 
     Args:
         websocket: FastAPI WebSocket instance (can access headers before accept)
@@ -394,8 +393,51 @@ async def authenticate_websocket(
         return None, None
 
     try:
-        # Extract token from httpOnly cookie
-        # Use same cookie name as SharedAuthMiddleware for consistency
+        # Try to get WebSocket session manager from app
+        websocket_session_manager = None
+        try:
+            app = getattr(websocket, "app", None)
+            if app:
+                websocket_session_manager = getattr(app.state, "websocket_session_manager", None)
+        except (AttributeError, TypeError):
+            pass
+
+        # Method 1: Try session key authentication (secure-by-default)
+        session_key = None
+        try:
+            # Check query params first
+            if hasattr(websocket, "query_params"):
+                session_key = websocket.query_params.get("session_key")
+
+            # Check headers if not in query params
+            if not session_key and hasattr(websocket, "headers"):
+                session_key = websocket.headers.get("X-WebSocket-Session-Key")
+        except (AttributeError, TypeError, KeyError):
+            pass
+
+        if session_key and websocket_session_manager:
+            try:
+                # Validate session key
+                session_data = await websocket_session_manager.validate_session(session_key)
+                if session_data:
+                    user_id = session_data.get("user_id")
+                    user_email = session_data.get("user_email")
+
+                    logger.info(
+                        f"WebSocket authenticated successfully for app '{app_slug}': {user_email} "
+                        f"(method: session_key)"
+                    )
+                    return user_id, user_email
+                else:
+                    logger.warning(
+                        f"WebSocket session key validation failed for app '{app_slug}'. "
+                        f"Session key: {session_key[:16]}..."
+                    )
+            except (ValueError, TypeError, AttributeError, KeyError, RuntimeError) as e:
+                logger.warning(f"WebSocket session key validation error for app '{app_slug}': {e}")
+                # Fall through to cookie-based auth
+
+        # Method 2: Fall back to cookie-based authentication (backward compatibility)
         from ..auth.shared_middleware import AUTH_COOKIE_NAME
 
         cookies = _get_cookies_from_websocket(websocket)
@@ -403,17 +445,19 @@ async def authenticate_websocket(
 
         if not token:
             logger.error(
-                f"❌ No token cookie found for WebSocket connection to app '{app_slug}' "
+                f"❌ No authentication found for WebSocket connection to app '{app_slug}' "
                 f"(require_auth={require_auth}). "
+                f"Session key: {bool(session_key)}, Cookie: {bool(token)}, "
                 f"Available cookies: {list(cookies.keys()) if cookies else 'none'}. "
-                f"Ensure httpOnly cookie is set during authentication."
+                f"Ensure session key or httpOnly cookie is set during authentication."
             )
             if require_auth:
                 return None, None  # Signal auth failure
             return None, None
 
         logger.info(
-            f"WebSocket token found in cookie for app '{app_slug}' " "(cookie-based authentication)"
+            f"WebSocket token found in cookie for app '{app_slug}' "
+            "(cookie-based authentication, fallback)"
         )
 
         # Decode and validate token

{mdb_engine-0.5.1.dist-info → mdb_engine-0.6.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: mdb-engine
-Version: 0.5.1
+Version: 0.6.0
 Summary: MongoDB Engine
 Home-page: https://github.com/ranfysvalle02/mdb-engine
 Author: Fabian Valle

{mdb_engine-0.5.1.dist-info → mdb_engine-0.6.0.dist-info}/RECORD

@@ -1,12 +1,12 @@
 mdb_engine/README.md,sha256=T3EFGcPopY9LslYW3lxgG3hohWkAOmBNbYG0FDMUJiY,3502
-mdb_engine/__init__.py,sha256=Uz23q_g7sJjuMs5TzIZbS34wMO0oAtS1SWa6cqBdhqw,3705
+mdb_engine/__init__.py,sha256=vishQ3BF6oGQOmAsrMG1UJ-5C-3FNM49JSHC35MhH0k,3937
 mdb_engine/config.py,sha256=DTAyxfKB8ogyI0v5QR9Y-SJOgXQr_eDBCKxNBSqEyLc,7269
 mdb_engine/constants.py,sha256=eaotvW57TVOg7rRbLziGrVNoP7adgw_G9iVByHezc_A,7837
 mdb_engine/dependencies.py,sha256=MJuYQhZ9ZGzXlip1ha5zba9Rvn04HDPWahJFJH81Q2s,14107
 mdb_engine/exceptions.py,sha256=NkBSdTBNP9bVTtI6w6mAoEfeVZDq-Bg7vCF2L26ZDZo,8442
 mdb_engine/auth/ARCHITECTURE.md,sha256=JXZsjEIpNz4Szk18KaOiEabhEuz1pmYWXQRN-EJEHDM,4076
 mdb_engine/auth/README.md,sha256=IVlUOat96V3yM6wk4T-u4GxJ4-WF05eBSJBlvIexyBo,37285
-mdb_engine/auth/__init__.py,sha256=QemWqAVvqlxjF-UbzMTGP5AUOeuaAsUEtK4PMxmozmA,5852
+mdb_engine/auth/__init__.py,sha256=SWyMZZvCx2u1IXMlOBbw2h1CHAhIBPuwMQ6iDzlqMsQ,6075
 mdb_engine/auth/audit.py,sha256=UQ0Bj5Zxp5et9A21YZCVkUjaABFqO1CXaMrWxNcdxm8,17352
 mdb_engine/auth/base.py,sha256=4E3XkbruZLG9lc6aC56w0ypjnfiR5RbtjQKwn4am8to,7418
 mdb_engine/auth/casbin_factory.py,sha256=oZLHIPyVA1hiho__ledRVDoBisaZgo96WZIKa0-kQic,16610
@@ -14,7 +14,7 @@ mdb_engine/auth/casbin_models.py,sha256=7XtFmRBhhjw1nKprnluvjyJoTj5fzdPeQwVvo6fI
 mdb_engine/auth/config_defaults.py,sha256=1YI_hIHuTiEXpkEYMcufNHdLr1oxPiJylg3CKrJCSGY,2012
 mdb_engine/auth/config_helpers.py,sha256=Qharb2YagLOKDGtE7XhYRDbBoQ_KGykrcIKrsOwWIJ4,6303
 mdb_engine/auth/cookie_utils.py,sha256=glsSocSmy-_wRTLro0xy17s84oBk3HPDPL-FVXl7Rv8,5302
-mdb_engine/auth/csrf.py,sha256=O6q7BOZuzUy6N71EUuabhBqYsRYHuAcCr5Fyabcy1vw,20538
+mdb_engine/auth/csrf.py,sha256=s3OfZjLSIaABmLORbAGrTfVp4dWEbP7l9T_lf2bNEi0,32538
 mdb_engine/auth/decorators.py,sha256=LkVVEuRrT0Iz8EwctN14BEi3fSV-xtN6DaGXgtbiYYo,12287
 mdb_engine/auth/dependencies.py,sha256=JB1iYvZJgTR6gcaiGe_GJFCS6NdUKMxWBZRv6vVxnzw,27112
 mdb_engine/auth/helpers.py,sha256=BCrid985cYh-3h5ZMUV9TES0q40uJXio4oYKQZta7KA,1970
@@ -27,11 +27,12 @@ mdb_engine/auth/rate_limiter.py,sha256=l3EYZE1Kz9yVfZwNrKq_1AgdD7GXB1WOLSqqGQVSS
 mdb_engine/auth/restrictions.py,sha256=tOyQBO_w0bK9zmTsOPZf9cbvh4oITvpNfSxIXt-XrcU,8824
 mdb_engine/auth/session_manager.py,sha256=ywWJjTarm-obgJ3zO3s-1cdqEYe0XrozlY00q_yMJ8I,15396
 mdb_engine/auth/shared_middleware.py,sha256=0iSbRkwdivL1NIj7Gr161qPJiqcw0JafOpZLCkXjT7k,37633
-mdb_engine/auth/shared_users.py,sha256=KTc4D9zRaYaIVto7PqyWd5RT4J97cp6AnJ5i_PR_7eg,27775
+mdb_engine/auth/shared_users.py,sha256=huE7e3ywqA7fZ2HYIPNc-kQ9syEdpYUrCYjYbX3bVhA,29456
 mdb_engine/auth/token_lifecycle.py,sha256=Q9S1X2Y6W7Ckt5PvyYXswBRh2Tg9DGpyRv_3Xve7VYQ,6708
 mdb_engine/auth/token_store.py,sha256=-B8j5RH5YEoKsswF4rnMoI51BaxMe4icke3kuehXmcI,9121
 mdb_engine/auth/users.py,sha256=t9Us2_A_wKOL9qy1O_SBwTvapAyNztn0v8padxJVq6A,49891
-mdb_engine/auth/utils.py,sha256=g7fXkxIb8yuvlZrhKeQxAR0KxiUakXRK5WtKG4opihk,26019
+mdb_engine/auth/utils.py,sha256=YkexCo0xV37mpOJUI32cntRHVOUUS7r19TIMPWHcgpA,27348
+mdb_engine/auth/websocket_sessions.py,sha256=7eFNagY2K3Rp1x7d_cO5JcpT-DrYkc__cmVhl6pAC2M,15081
 mdb_engine/cli/__init__.py,sha256=PANRi4THmL34d1mawlqxIrnuItXMdqoMTq5Z1zHd7rM,301
 mdb_engine/cli/main.py,sha256=Y5ELFhvsr8zxFWv4WScOGNHiLUTdSXAJeUFLpRXCelg,811
 mdb_engine/cli/utils.py,sha256=bNRGJgdzxUjXAOVe1aoxWJ5M_IqtAE-eW4pfAkwiDDM,2760
@@ -46,13 +47,13 @@ mdb_engine/core/app_registration.py,sha256=7szt2a7aBkpSppjmhdkkPPYMKGKo0MkLKZeEe
 mdb_engine/core/app_secrets.py,sha256=bo-syg9UUATibNyXEZs-0TTYWG-JaY-2S0yNSGA12n0,10524
 mdb_engine/core/connection.py,sha256=XnwuPG34pJ7kJGJ84T0mhj1UZ6_CLz_9qZf6NRYGIS8,8346
 mdb_engine/core/encryption.py,sha256=RZ5LPF5g28E3ZBn6v1IMw_oas7u9YGFtBcEj8lTi9LM,7515
-mdb_engine/core/engine.py,sha256=ydYt2z53scf4GzufD8rY5X6gSJEF80VSDm1QDR2pwWQ,151507
+mdb_engine/core/engine.py,sha256=s-lzI3UdmXjAsiemYUAlpVElSlHhhjPeekoQHaxbb2o,153755
 mdb_engine/core/index_management.py,sha256=9-r7MIy3JnjQ35sGqsbj8K_I07vAUWtAVgSWC99lJcE,5555
-mdb_engine/core/manifest.py,sha256=jguhjVPAHMZGxOJcdSGouv9_XiKmxUjDmyjn2yXHCj4,139205
+mdb_engine/core/manifest.py,sha256=9g-r8HBr308rDxtpzPvZgP9Bc1VeN9pW7D073KXas-U,139989
 mdb_engine/core/ray_integration.py,sha256=vexYOzztscvRYje1xTNmXJbi99oJxCaVJAwKfTNTF_E,13610
 mdb_engine/core/seeding.py,sha256=c5IhdwlqUf_4Q5FFTAhPLaHPaUr_Txo3z_DUwZmWsFs,6421
 mdb_engine/core/service_initialization.py,sha256=rtb6BaPvFqomwT_s7bdbbvqi5m74llT0LkJFEhVG9Gg,12996
-mdb_engine/core/types.py,sha256=x7ahgb61vXVikn7nKHWGxQRW3StMG9lTHwr-Uvpnt_g,11150
+mdb_engine/core/types.py,sha256=RGQeO8ctTBytZmiezmtffsT5kMhHKm1Dv8sz4QnjEgc,11226
 mdb_engine/database/README.md,sha256=-31mVxBeVQaYsF3AD1-gQbD2NCYVcPjdFoA6sZ6b02Y,19354
 mdb_engine/database/__init__.py,sha256=rrc3eZFli3K2zrvVdDbMBi8YkmoHYzP6JNT0AUBE5VU,981
 mdb_engine/database/abstraction.py,sha256=H6f2WYY80r3onqN6s139uDSyG9W_QpadaoQ84hJuG1E,23438
@@ -86,12 +87,12 @@ mdb_engine/repositories/mongo.py,sha256=Wg32_6v0KHAHumhz5z8QkoqJRWAMJFA7Y2lYIJ7L
 mdb_engine/repositories/unit_of_work.py,sha256=XvmwGOspEDj4hsfOULPsQKjB1QZqh83TJo6vGV4tiqU,5118
 mdb_engine/routing/README.md,sha256=WVvTQXDq0amryrjkCu0wP_piOEwFjLukjmPz2mroWHY,13658
 mdb_engine/routing/__init__.py,sha256=reupjHi_RTc2ZBA4AH5XzobAmqy4EQIsfSUcTkFknUM,2438
-mdb_engine/routing/websockets.py,sha256=ox9mKDVhQmKdAtdomQ99UXxp9ZrBn-OkMhR6rtZ_HiA,31887
+mdb_engine/routing/websockets.py,sha256=gOYZPDCIicqRkWIVrNWTmY2ALUnZs1s0nTPmckgxgHQ,33922
 mdb_engine/utils/__init__.py,sha256=lDxQSGqkV4fVw5TWIk6FA6_eey_ZnEtMY0fir3cpAe8,236
 mdb_engine/utils/mongo.py,sha256=Oqtv4tQdpiiZzrilGLEYQPo8Vmh8WsTQypxQs8Of53s,3369
-mdb_engine-0.5.1.dist-info/licenses/LICENSE,sha256=hIahDEOTzuHCU5J2nd07LWwkLW7Hko4UFO__ffsvB-8,34523
-mdb_engine-0.5.1.dist-info/METADATA,sha256=5_gq3GBHSvvct52eMIi7zXDZ_KOK_A3rzDSc7RXmhRU,15810
-mdb_engine-0.5.1.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
-mdb_engine-0.5.1.dist-info/entry_points.txt,sha256=INCbYdFbBzJalwPwxliEzLmPfR57IvQ7RAXG_pn8cL8,48
-mdb_engine-0.5.1.dist-info/top_level.txt,sha256=PH0UEBwTtgkm2vWvC9He_EOMn7hVn_Wg_Jyc0SmeO8k,11
-mdb_engine-0.5.1.dist-info/RECORD,,
+mdb_engine-0.6.0.dist-info/licenses/LICENSE,sha256=hIahDEOTzuHCU5J2nd07LWwkLW7Hko4UFO__ffsvB-8,34523
+mdb_engine-0.6.0.dist-info/METADATA,sha256=d7bW5MiTEH918H4IWkoZuDVAlZiQ6iwastveacmAN70,15810
+mdb_engine-0.6.0.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
+mdb_engine-0.6.0.dist-info/entry_points.txt,sha256=INCbYdFbBzJalwPwxliEzLmPfR57IvQ7RAXG_pn8cL8,48
+mdb_engine-0.6.0.dist-info/top_level.txt,sha256=PH0UEBwTtgkm2vWvC9He_EOMn7hVn_Wg_Jyc0SmeO8k,11
+mdb_engine-0.6.0.dist-info/RECORD,,