plain 0.57.0__py3-none-any.whl → 0.58.0__py3-none-any.whl

plain/CHANGELOG.md

@@ -1,5 +1,20 @@
 # plain changelog
 
+## [0.58.0](https://github.com/dropseed/plain/releases/plain@0.58.0) (2025-08-19)
+
+### What's changed
+
+- Complete rewrite of CSRF protection using modern Sec-Fetch-Site headers and origin validation ([955150800c](https://github.com/dropseed/plain/commit/955150800c))
+- Replaced CSRF view mixin with path-based exemptions using `CSRF_EXEMPT_PATHS` setting ([2a50a9154e](https://github.com/dropseed/plain/commit/2a50a9154e))
+- Renamed `HTTPS_REDIRECT_EXEMPT` to `HTTPS_REDIRECT_EXEMPT_PATHS` with leading slash requirement ([b53d3bb7a7](https://github.com/dropseed/plain/commit/b53d3bb7a7))
+- Agent commands now print prompts directly when running in Claude Code or Codex Sandbox environments ([6eaed8ae3b](https://github.com/dropseed/plain/commit/6eaed8ae3b))
+
+### Upgrade instructions
+
+- Remove any usage of `CsrfExemptViewMixin` and `request.csrf_exempt` and add exempt paths to the `CSRF_EXEMPT_PATHS` setting instead (ex. `CSRF_EXEMPT_PATHS = [r"^/api/", r"/webhooks/.*"]` -- but consider first whether the view still needs CSRF exemption under the new implementation)
+- Replace `HTTPS_REDIRECT_EXEMPT` with `HTTPS_REDIRECT_EXEMPT_PATHS` and ensure patterns include leading slash (ex. `[r"^/health$", r"/api/internal/.*"]`)
+- Remove all CSRF cookie and token related settings - the new implementation doesn't use cookies or tokens (ex. `{{ csrf_input }}` and `{{ csrf_token }}`)
+
 ## [0.57.0](https://github.com/dropseed/plain/releases/plain@0.57.0) (2025-08-15)
 
 ### What's changed

plain/cli/agent.py

@@ -1,3 +1,4 @@
+import os
 import shlex
 import subprocess
 
@@ -20,6 +21,11 @@ def prompt_agent(
         True if the agent command succeeded (or no agent command was provided),
         False if the agent command failed.
     """
+    # Check if running inside an agent and just print the prompt if so
+    if os.environ.get("CLAUDECODE") or os.environ.get("CODEX_SANDBOX"):
+        click.echo(prompt)
+        return True
+
     if print_only or not agent_command:
         click.echo(prompt)
         if not print_only:

plain/csrf/README.md

@@ -1,23 +1,75 @@
 # CSRF
 
-**Cross-Site Request Forgery (CSRF) protection.**
+**Cross-Site Request Forgery (CSRF) protection using modern request headers.**
 
 - [Overview](#overview)
 - [Usage](#usage)
+- [CSRF Exempt Paths](#csrf-exempt-paths)
+- [Trusted Origins](#trusted-origins)
 
 ## Overview
 
-Plain protects against [CSRF attacks](https://en.wikipedia.org/wiki/Cross-site_request_forgery) through a [middleware](./middleware.py#CsrfViewMiddleware) that compares the generated `csrftoken` cookie with the CSRF token from the request (either `_csrftoken` in form data or the `CSRF-Token` header).
+Plain provides modern CSRF protection based on [Filippo Valsorda's 2025 research](https://words.filippo.io/csrf/) using `Sec-Fetch-Site` headers and origin validation.
 
 ## Usage
 
-The `CsrfViewMiddleware` is [automatically installed](../internal/handlers/base.py#BUILTIN_BEFORE_MIDDLEWARE), so you don't need to add it to your `settings.MIDDLEWARE`.
+The `CsrfViewMiddleware` is [automatically installed](../internal/handlers/base.py#BUILTIN_BEFORE_MIDDLEWARE) and works transparently. **No changes to your forms or templates are needed.**
 
-When you use HTML forms, you should include the CSRF token in the form data via a hidden input:
+## CSRF Exempt Paths
 
-```html
-<form method="post">
-    {{ csrf_input }}
-    <!-- other form fields here -->
-</form>
+In some cases, you may need to disable CSRF protection for specific paths (like API endpoints or webhooks). Configure exempt paths using regex patterns in your settings:
+
+```python
+# settings.py
+CSRF_EXEMPT_PATHS = [
+    r"^/api/",             # All API endpoints
+    r"^/api/v\d+/",        # Versioned APIs: /api/v1/, /api/v2/, etc.
+    r"/webhooks/.*",       # All webhook paths
+    r"/webhooks/github/",  # Specific webhook
+    r"/health$",           # Exact match for /health endpoint
+]
 ```
+
+**Pattern Matching**: Exempt paths use Python regex patterns with `re.search()` against the full URL path including the leading slash.
+
+**Examples:**
+
+- `r"^/api/"` - matches `/api/users/`, `/api/posts/`
+- `r"/webhooks/.*"` - matches `/webhooks/github/push`, `/webhooks/stripe/payment`
+- `r"/health$"` - matches `/health` but not `/health-check`
+- `r"^/api/v\d+/"` - matches `/api/v1/users/`, `/api/v2/posts/`
+
+**Common Use Cases:**
+
+```python
+CSRF_EXEMPT_PATHS = [
+    # API endpoints (often consumed by JavaScript/mobile apps)
+    r"^/api/",
+
+    # Webhooks (external services posting data)
+    r"/webhooks/.*",
+
+    # Health checks and monitoring
+    r"/health$",
+    r"/status$",
+    r"/metrics$",
+
+    # File uploads (if using direct POST)
+    r"/upload/",
+]
+```
+
+## Trusted Origins
+
+In some cases, you may need to allow requests from specific external origins (like API clients or mobile apps). You can configure trusted origins in your settings:
+
+```python
+# settings.py
+CSRF_TRUSTED_ORIGINS = [
+    "https://api.example.com",
+    "https://mobile.example.com:8443",
+    "https://trusted-partner.com",
+]
+```
+
+**Important**: Trusted origins bypass **all** CSRF protection. Only add origins you completely trust, as they can make requests that appear to come from your users.

plain/csrf/middleware.py

@@ -1,230 +1,126 @@
-"""
-Cross Site Request Forgery Middleware.
-
-This module provides a middleware that implements protection
-against request forgeries from other sites.
-"""
-
 import logging
-import string
-from collections import defaultdict
-from functools import cached_property
+import re
 from urllib.parse import urlparse
 
 from plain.exceptions import DisallowedHost
-from plain.http import HttpHeaders, UnreadablePostError
 from plain.logs import log_response
 from plain.runtime import settings
-from plain.utils.cache import patch_vary_headers
-from plain.utils.crypto import constant_time_compare, get_random_string
-from plain.utils.http import is_same_domain
-from plain.utils.regex_helper import _lazy_re_compile
-
-logger = logging.getLogger("plain.security.csrf")
-# This matches if any character is not in CSRF_ALLOWED_CHARS.
-invalid_token_chars_re = _lazy_re_compile("[^a-zA-Z0-9]")
-
-REASON_BAD_ORIGIN = "Origin checking failed - %s does not match any trusted origins."
-REASON_NO_REFERER = "Referer checking failed - no Referer."
-REASON_BAD_REFERER = "Referer checking failed - %s does not match any trusted origins."
-REASON_NO_CSRF_COOKIE = "CSRF cookie not set."
-REASON_CSRF_TOKEN_MISSING = "CSRF token missing."
-REASON_MALFORMED_REFERER = "Referer checking failed - Referer is malformed."
-REASON_INSECURE_REFERER = (
-    "Referer checking failed - Referer is insecure while host is secure."
-)
-# The reason strings below are for passing to InvalidTokenFormat. They are
-# phrases without a subject because they can be in reference to either the CSRF
-# cookie or non-cookie token.
-REASON_INCORRECT_LENGTH = "has incorrect length"
-REASON_INVALID_CHARACTERS = "has invalid characters"
-
-CSRF_SECRET_LENGTH = 32
-CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH
-CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
-
-
-def _get_new_csrf_string():
-    return get_random_string(CSRF_SECRET_LENGTH, allowed_chars=CSRF_ALLOWED_CHARS)
-
-
-def _mask_cipher_secret(secret):
-    """
-    Given a secret (assumed to be a string of CSRF_ALLOWED_CHARS), generate a
-    token by adding a mask and applying it to the secret.
-    """
-    mask = _get_new_csrf_string()
-    chars = CSRF_ALLOWED_CHARS
-    pairs = zip((chars.index(x) for x in secret), (chars.index(x) for x in mask))
-    cipher = "".join(chars[(x + y) % len(chars)] for x, y in pairs)
-    return mask + cipher
-
-
-def _unmask_cipher_token(token):
-    """
-    Given a token (assumed to be a string of CSRF_ALLOWED_CHARS, of length
-    CSRF_TOKEN_LENGTH, and that its first half is a mask), use it to decrypt
-    the second half to produce the original secret.
-    """
-    mask = token[:CSRF_SECRET_LENGTH]
-    token = token[CSRF_SECRET_LENGTH:]
-    chars = CSRF_ALLOWED_CHARS
-    pairs = zip((chars.index(x) for x in token), (chars.index(x) for x in mask))
-    return "".join(chars[x - y] for x, y in pairs)  # Note negative values are ok
-
-
-def _add_new_csrf_cookie(request):
-    """Generate a new random CSRF_COOKIE value, and add it to request.meta."""
-    csrf_secret = _get_new_csrf_string()
-    request.meta.update(
-        {
-            "CSRF_COOKIE": csrf_secret,
-            "CSRF_COOKIE_NEEDS_UPDATE": True,
-        }
-    )
-    return csrf_secret
-
-
-def get_token(request):
-    """
-    Return the CSRF token required for a POST form. The token is an
-    alphanumeric value. A new token is created if one is not already set.
-
-    A side effect of calling this function is to make the csrf_protect
-    decorator and the CsrfViewMiddleware add a CSRF cookie and a 'Vary: Cookie'
-    header to the outgoing response.  For this reason, you may need to use this
-    function lazily, as is done by the csrf context processor.
-    """
-    if "CSRF_COOKIE" in request.meta:
-        csrf_secret = request.meta["CSRF_COOKIE"]
-        # Since the cookie is being used, flag to send the cookie in
-        # process_response() (even if the client already has it) in order to
-        # renew the expiry timer.
-        request.meta["CSRF_COOKIE_NEEDS_UPDATE"] = True
-    else:
-        csrf_secret = _add_new_csrf_cookie(request)
-    return _mask_cipher_secret(csrf_secret)
 
+from .views import CsrfFailureView
 
-def rotate_token(request):
-    """
-    Change the CSRF token in use for a request - should be done on login
-    for security purposes.
-    """
-    _add_new_csrf_cookie(request)
-
-
-class InvalidTokenFormat(Exception):
-    def __init__(self, reason):
-        self.reason = reason
-
-
-def _check_token_format(token):
-    """
-    Raise an InvalidTokenFormat error if the token has an invalid length or
-    characters that aren't allowed. The token argument can be a CSRF cookie
-    secret or non-cookie CSRF token, and either masked or unmasked.
-    """
-    if len(token) not in (CSRF_TOKEN_LENGTH, CSRF_SECRET_LENGTH):
-        raise InvalidTokenFormat(REASON_INCORRECT_LENGTH)
-    # Make sure all characters are in CSRF_ALLOWED_CHARS.
-    if invalid_token_chars_re.search(token):
-        raise InvalidTokenFormat(REASON_INVALID_CHARACTERS)
-
-
-def _does_token_match(request_csrf_token, csrf_secret):
-    """
-    Return whether the given CSRF token matches the given CSRF secret, after
-    unmasking the token if necessary.
-
-    This function assumes that the request_csrf_token argument has been
-    validated to have the correct length (CSRF_SECRET_LENGTH or
-    CSRF_TOKEN_LENGTH characters) and allowed characters, and that if it has
-    length CSRF_TOKEN_LENGTH, it is a masked secret.
-    """
-    # Only unmask tokens that are exactly CSRF_TOKEN_LENGTH characters long.
-    if len(request_csrf_token) == CSRF_TOKEN_LENGTH:
-        request_csrf_token = _unmask_cipher_token(request_csrf_token)
-    assert len(request_csrf_token) == CSRF_SECRET_LENGTH
-    return constant_time_compare(request_csrf_token, csrf_secret)
-
-
-class RejectRequest(Exception):
-    def __init__(self, reason):
-        self.reason = reason
+logger = logging.getLogger("plain.security.csrf")
 
 
 class CsrfViewMiddleware:
     """
-    Require a present and correct _csrftoken for POST requests that
-    have a CSRF cookie, and set an outgoing CSRF cookie.
+    Modern CSRF protection middleware using Sec-Fetch-Site headers and origin validation.
+    Based on Filippo Valsorda's 2025 research (https://words.filippo.io/csrf/).
 
-    This middleware should be used in conjunction with the {% csrf_token %}
-    template tag.
+    Note: This provides same-origin (not same-site) protection. Same-site origins
+    like subdomains can have different trust levels and are rejected.
     """
 
     def __init__(self, get_response):
         self.get_response = get_response
 
+        # Compile CSRF exempt patterns once for performance
+        self.csrf_exempt_patterns = [re.compile(r) for r in settings.CSRF_EXEMPT_PATHS]
+
     def __call__(self, request):
-        try:
-            csrf_secret = self._get_secret(request)
-        except InvalidTokenFormat:
-            _add_new_csrf_cookie(request)
+        allowed, reason = self.should_allow_request(request)
+
+        if allowed:
+            return self.get_response(request)
         else:
-            if csrf_secret is not None:
-                # Use the same secret next time. If the secret was originally
-                # masked, this also causes it to be replaced with the unmasked
-                # form, but only in cases where the secret is already getting
-                # saved anyways.
-                request.meta["CSRF_COOKIE"] = csrf_secret
+            return self.reject(request, reason)
+
+    def should_allow_request(self, request) -> tuple[bool, str]:
+        # 1. Allow safe methods (GET, HEAD, OPTIONS)
+        if request.method in ("GET", "HEAD", "OPTIONS"):
+            return True, f"Safe HTTP method: {request.method}"
+
+        # 2. Path-based exemption (regex patterns)
+        for pattern in self.csrf_exempt_patterns:
+            if pattern.search(request.path_info):
+                return (
+                    True,
+                    f"Path {request.path_info} matches exempt pattern {pattern.pattern}",
+                )
 
-        if csrf_response := self._get_csrf_response(request):
-            return csrf_response
+        origin = request.headers.get("Origin")
+        sec_fetch_site = request.headers.get("Sec-Fetch-Site", "").lower()
 
-        response = self.get_response(request)
+        # 3. Check trusted origins allow-list
 
-        if request.meta.get("CSRF_COOKIE_NEEDS_UPDATE"):
-            self._set_csrf_cookie(request, response)
-            # Unset the flag to prevent _set_csrf_cookie() from being
-            # unnecessarily called again in process_response() by other
-            # instances of CsrfViewMiddleware. This can happen e.g. when both a
-            # decorator and middleware are used. However,
-            # CSRF_COOKIE_NEEDS_UPDATE is still respected in subsequent calls
-            # e.g. in case rotate_token() is called in process_response() later
-            # by custom middleware but before those subsequent calls.
-            request.meta["CSRF_COOKIE_NEEDS_UPDATE"] = False
+        if origin and origin in settings.CSRF_TRUSTED_ORIGINS:
+            return True, f"Trusted origin: {origin}"
 
-        return response
+        # 4. Primary protection: Check Sec-Fetch-Site header
+        if sec_fetch_site in ("same-origin", "none"):
+            return (
+                True,
+                f"Same-origin request from Sec-Fetch-Site: {sec_fetch_site}",
+            )
+        elif sec_fetch_site in ("cross-site", "same-site"):
+            return (
+                False,
+                f"Cross-origin request detected from Sec-Fetch-Site: {sec_fetch_site}",
+            )
 
-    @cached_property
-    def csrf_trusted_origins_hosts(self):
-        return [
-            urlparse(origin).netloc.lstrip("*")
-            for origin in settings.CSRF_TRUSTED_ORIGINS
-        ]
+        # 5. No fetch metadata or Origin headers - allow (non-browser requests)
+        if not origin and not sec_fetch_site:
+            return (
+                True,
+                "No Origin or Sec-Fetch-Site header - likely non-browser or old browser",
+            )
+
+        # 6. Fallback: Origin vs Host comparison for older browsers
+        # Note: On pre-2023 browsers, HTTP→HTTPS transitions may cause mismatches
+        # (Origin shows :443, request sees :80 if TLS terminated upstream).
+        # HSTS helps here; otherwise add external origins to CSRF_TRUSTED_ORIGINS.
+        if origin == "null":
+            return False, "Cross-origin request detected - null Origin header"
+
+        try:
+            if (parsed_origin := urlparse(origin)) and (host := request.get_host()):
+                # Scheme-agnostic host:port comparison
+                origin_host = parsed_origin.hostname
+                origin_port = parsed_origin.port or (
+                    80
+                    if parsed_origin.scheme == "http"
+                    else 443
+                    if parsed_origin.scheme == "https"
+                    else None
+                )
 
-    @cached_property
-    def allowed_origins_exact(self):
-        return {origin for origin in settings.CSRF_TRUSTED_ORIGINS if "*" not in origin}
+                # Extract hostname from request host (similar to how we parse origin)
+                # Use a fake scheme since we only care about host parsing
+                parsed_host = urlparse(f"http://{host}")
+                request_host = parsed_host.hostname or host
+                request_port = request.get_port()
+
+                # Compare hostname and port (scheme-agnostic)
+                # Both origin_host and request_host are normalized by urlparse (IPv6 brackets stripped)
+                if origin_host and origin_port and request_host and request_port:
+                    if (
+                        origin_host.lower() == request_host.lower()
+                        and origin_port == int(request_port)
+                    ):
+                        return (
+                            True,
+                            f"Same-origin request - Origin {origin} matches Host {host}",
+                        )
+        except (ValueError, DisallowedHost):
+            pass
 
-    @cached_property
-    def allowed_origin_subdomains(self):
-        """
-        A mapping of allowed schemes to list of allowed netlocs, where all
-        subdomains of the netloc are allowed.
-        """
-        allowed_origin_subdomains = defaultdict(list)
-        for parsed in (
-            urlparse(origin)
-            for origin in settings.CSRF_TRUSTED_ORIGINS
-            if "*" in origin
-        ):
-            allowed_origin_subdomains[parsed.scheme].append(parsed.netloc.lstrip("*"))
-        return allowed_origin_subdomains
+        # Origin present but doesn't match host
+        return (
+            False,
+            f"Cross-origin request detected - Origin {origin} does not match Host",
+        )
 
-    def _reject(self, request, reason):
-        from .views import CsrfFailureView
+    def reject(self, request, reason):
+        """Reject a request with a 403 Forbidden response."""
 
         response = CsrfFailureView.as_view()(request, reason=reason)
         log_response(
@@ -236,210 +132,3 @@ class CsrfViewMiddleware:
             logger=logger,
         )
         return response
-
-    def _get_secret(self, request):
-        """
-        Return the CSRF secret originally associated with the request, or None
-        if it didn't have one.
-
-        If the CSRF_USE_SESSIONS setting is false, raises InvalidTokenFormat if
-        the request's secret has invalid characters or an invalid length.
-        """
-        try:
-            csrf_secret = request.cookies[settings.CSRF_COOKIE_NAME]
-        except KeyError:
-            csrf_secret = None
-        else:
-            # This can raise InvalidTokenFormat.
-            _check_token_format(csrf_secret)
-
-        if csrf_secret is None:
-            return None
-        return csrf_secret
-
-    def _set_csrf_cookie(self, request, response):
-        response.set_cookie(
-            settings.CSRF_COOKIE_NAME,
-            request.meta["CSRF_COOKIE"],
-            max_age=settings.CSRF_COOKIE_AGE,
-            domain=settings.CSRF_COOKIE_DOMAIN,
-            path=settings.CSRF_COOKIE_PATH,
-            secure=settings.CSRF_COOKIE_SECURE,
-            httponly=settings.CSRF_COOKIE_HTTPONLY,
-            samesite=settings.CSRF_COOKIE_SAMESITE,
-        )
-        # Set the Vary header since content varies with the CSRF cookie.
-        patch_vary_headers(response, ("Cookie",))
-
-    def _origin_verified(self, request):
-        request_origin = request.meta["HTTP_ORIGIN"]
-        try:
-            good_host = request.get_host()
-        except DisallowedHost:
-            pass
-        else:
-            good_origin = "{}://{}".format(
-                "https" if request.is_https() else "http",
-                good_host,
-            )
-            if request_origin == good_origin:
-                return True
-        if request_origin in self.allowed_origins_exact:
-            return True
-        try:
-            parsed_origin = urlparse(request_origin)
-        except ValueError:
-            return False
-        request_scheme = parsed_origin.scheme
-        request_netloc = parsed_origin.netloc
-        return any(
-            is_same_domain(request_netloc, host)
-            for host in self.allowed_origin_subdomains.get(request_scheme, ())
-        )
-
-    def _check_referer(self, request):
-        referer = request.meta.get("HTTP_REFERER")
-        if referer is None:
-            raise RejectRequest(REASON_NO_REFERER)
-
-        try:
-            referer = urlparse(referer)
-        except ValueError:
-            raise RejectRequest(REASON_MALFORMED_REFERER)
-
-        # Make sure we have a valid URL for Referer.
-        if "" in (referer.scheme, referer.netloc):
-            raise RejectRequest(REASON_MALFORMED_REFERER)
-
-        # Ensure that our Referer is also secure.
-        if referer.scheme != "https":
-            raise RejectRequest(REASON_INSECURE_REFERER)
-
-        if any(
-            is_same_domain(referer.netloc, host)
-            for host in self.csrf_trusted_origins_hosts
-        ):
-            return
-        # Allow matching the configured cookie domain.
-        good_referer = settings.CSRF_COOKIE_DOMAIN
-        if good_referer is None:
-            # If no cookie domain is configured, allow matching the current
-            # host:port exactly if it's permitted by ALLOWED_HOSTS.
-            try:
-                # request.get_host() includes the port.
-                good_referer = request.get_host()
-            except DisallowedHost:
-                raise RejectRequest(REASON_BAD_REFERER % referer.geturl())
-        else:
-            server_port = request.get_port()
-            if server_port not in ("443", "80"):
-                good_referer = f"{good_referer}:{server_port}"
-
-        if not is_same_domain(referer.netloc, good_referer):
-            raise RejectRequest(REASON_BAD_REFERER % referer.geturl())
-
-    def _bad_token_message(self, reason, token_source):
-        if token_source != "POST":
-            # Assume it is a settings.CSRF_HEADER_NAME value.
-            header_name = HttpHeaders.parse_header_name(token_source)
-            token_source = f"the {header_name!r} HTTP header"
-        return f"CSRF token from {token_source} {reason}."
-
-    def _check_token(self, request):
-        # Access csrf_secret via self._get_secret() as rotate_token() may have
-        # been called by an authentication middleware during the
-        # process_request() phase.
-        try:
-            csrf_secret = self._get_secret(request)
-        except InvalidTokenFormat as exc:
-            raise RejectRequest(f"CSRF cookie {exc.reason}.")
-
-        if csrf_secret is None:
-            # No CSRF cookie. For POST requests, we insist on a CSRF cookie,
-            # and in this way we can avoid all CSRF attacks, including login
-            # CSRF.
-            raise RejectRequest(REASON_NO_CSRF_COOKIE)
-
-        # Check non-cookie token for match.
-        request_csrf_token = ""
-        if request.method == "POST":
-            try:
-                request_csrf_token = request.data.get(settings.CSRF_FIELD_NAME, "")
-            except UnreadablePostError:
-                # Handle a broken connection before we've completed reading the
-                # POST data. process_view shouldn't raise any exceptions, so
-                # we'll ignore and serve the user a 403 (assuming they're still
-                # listening, which they probably aren't because of the error).
-                pass
-
-        if request_csrf_token == "":
-            # Fall back to X-CSRFToken, to make things easier for AJAX, and
-            # possible for PUT/DELETE.
-            try:
-                # This can have length CSRF_SECRET_LENGTH or CSRF_TOKEN_LENGTH,
-                # depending on whether the client obtained the token from
-                # the DOM or the cookie (and if the cookie, whether the cookie
-                # was masked or unmasked).
-                request_csrf_token = request.headers[settings.CSRF_HEADER_NAME]
-            except KeyError:
-                raise RejectRequest(REASON_CSRF_TOKEN_MISSING)
-            token_source = settings.CSRF_HEADER_NAME
-        else:
-            token_source = "POST"
-
-        try:
-            _check_token_format(request_csrf_token)
-        except InvalidTokenFormat as exc:
-            reason = self._bad_token_message(exc.reason, token_source)
-            raise RejectRequest(reason)
-
-        if not _does_token_match(request_csrf_token, csrf_secret):
-            reason = self._bad_token_message("incorrect", token_source)
-            raise RejectRequest(reason)
-
-    def _get_csrf_response(self, request):
-        # Wait until request.meta["CSRF_COOKIE"] has been manipulated before
-        # bailing out, so that get_token still works
-        if getattr(request, "csrf_exempt", True):
-            return None
-
-        # Assume that anything not defined as 'safe' by RFC 9110 needs protection
-        if request.method in ("GET", "HEAD", "OPTIONS", "TRACE"):
-            return None
-
-        # Reject the request if the Origin header doesn't match an allowed
-        # value.
-        if "HTTP_ORIGIN" in request.meta:
-            if not self._origin_verified(request):
-                return self._reject(
-                    request, REASON_BAD_ORIGIN % request.meta["HTTP_ORIGIN"]
-                )
-        elif request.is_https():
-            # If the Origin header wasn't provided, reject HTTPS requests if
-            # the Referer header doesn't match an allowed value.
-            #
-            # Suppose user visits http://example.com/
-            # An active network attacker (man-in-the-middle, MITM) sends a
-            # POST form that targets https://example.com/detonate-bomb/ and
-            # submits it via JavaScript.
-            #
-            # The attacker will need to provide a CSRF cookie and token, but
-            # that's no problem for a MITM and the session-independent secret
-            # we're using. So the MITM can circumvent the CSRF protection. This
-            # is true for any HTTP connection, but anyone using HTTPS expects
-            # better! For this reason, for https://example.com/ we need
-            # additional protection that treats http://example.com/ as
-            # completely untrusted. Under HTTPS, Barth et al. found that the
-            # Referer header is missing for same-domain requests in only about
-            # 0.2% of cases or less, so we can use strict Referer checking.
-            try:
-                self._check_referer(request)
-            except RejectRequest as exc:
-                return self._reject(request, exc.reason)
-
-        try:
-            self._check_token(request)
-        except RejectRequest as exc:
-            return self._reject(request, exc.reason)
-
-        return None

plain/exceptions.py

@@ -6,6 +6,23 @@ import operator
 
 from plain.utils.hashable import make_hashable
 
+# MARK: Configuration and Registry
+
+
+class PackageRegistryNotReady(Exception):
+    """The plain.packages registry is not populated yet"""
+
+    pass
+
+
+class ImproperlyConfigured(Exception):
+    """Plain is somehow improperly configured"""
+
+    pass
+
+
+# MARK: Model and Field Errors
+
 
 class FieldDoesNotExist(Exception):
     """The requested model field does not exist"""
@@ -13,8 +30,8 @@ class FieldDoesNotExist(Exception):
     pass
 
 
-class PackageRegistryNotReady(Exception):
-    """The plain.packages registry is not populated yet"""
+class FieldError(Exception):
+    """Some kind of problem with a model field."""
 
     pass
 
@@ -31,6 +48,9 @@ class MultipleObjectsReturned(Exception):
     pass
 
 
+# MARK: Security and Suspicious Operations
+
+
 class SuspiciousOperation(Exception):
     """The user did something suspicious"""
 
@@ -80,6 +100,9 @@ class RequestDataTooBig(SuspiciousOperation):
     pass
 
 
+# MARK: HTTP and Request Errors
+
+
 class BadRequest(Exception):
     """The request is malformed and cannot be processed."""
 
@@ -92,17 +115,7 @@ class PermissionDenied(Exception):
     pass
 
 
-class ImproperlyConfigured(Exception):
-    """Plain is somehow improperly configured"""
-
-    pass
-
-
-class FieldError(Exception):
-    """Some kind of problem with a model field."""
-
-    pass
-
+# MARK: Validation
 
 NON_FIELD_ERRORS = "__all__"
 
@@ -205,6 +218,9 @@ class ValidationError(Exception):
         return hash(tuple(sorted(self.error_list, key=operator.attrgetter("message"))))
 
 
+# MARK: Database
+
+
 class EmptyResultSet(Exception):
     """A database query predicate is impossible."""
 

plain/forms/README.md

@@ -33,8 +33,6 @@ Then in your template, you can render the form fields.
 {% block content %}
 
 <form method="post">
-    {{ csrf_input }}
-
     <!-- Render general form errors -->
     {% for error in form.non_field_errors %}
     <div>{{ error }}</div>

plain/internal/middleware/https.py

@@ -12,7 +12,7 @@ class HttpsRedirectMiddleware:
         self.https_redirect_enabled = settings.HTTPS_REDIRECT_ENABLED
         self.https_redirect_host = settings.HTTPS_REDIRECT_HOST
         self.https_redirect_exempt = [
-            re.compile(r) for r in settings.HTTPS_REDIRECT_EXEMPT
+            re.compile(r) for r in settings.HTTPS_REDIRECT_EXEMPT_PATHS
         ]
 
     def __call__(self, request):
@@ -26,11 +26,13 @@ class HttpsRedirectMiddleware:
         return self.get_response(request)
 
     def maybe_https_redirect(self, request):
-        path = request.path.lstrip("/")
         if (
             self.https_redirect_enabled
             and not request.is_https()
-            and not any(pattern.search(path) for pattern in self.https_redirect_exempt)
+            and not any(
+                pattern.search(request.path_info)
+                for pattern in self.https_redirect_exempt
+            )
         ):
             host = self.https_redirect_host or request.get_host()
             return ResponseRedirect(

plain/runtime/global_settings.py

@@ -3,31 +3,20 @@ Default Plain settings. Override these with settings in the module pointed to
 by the PLAIN_SETTINGS_MODULE environment variable.
 """
 
-####################
-# CORE             #
-####################
+# MARK: Core Settings
 
 DEBUG: bool = False
 
-# Hosts/domain names that are valid for this site.
-# "*" matches anything, ".example.com" matches example.com and all subdomains
-ALLOWED_HOSTS: list[str] = []
-
-# Local time zone for this installation. All choices can be found here:
-# https://en.wikipedia.org/wiki/List_of_tz_zones_by_name (although not all
-# systems may support all possibilities). This is interpreted as the default
-# user time zone.
-TIME_ZONE: str = "UTC"
-
-# Default charset to use for all Response objects, if a MIME type isn't
-# manually specified. It's used to construct the Content-Type header.
-DEFAULT_CHARSET = "utf-8"
-
 # List of strings representing installed packages.
 INSTALLED_PACKAGES: list[str] = []
 
-# Whether to append trailing slashes to URLs.
-APPEND_SLASH = True
+URLS_ROUTER: str
+
+# MARK: HTTP and Security
+
+# Hosts/domain names that are valid for this site.
+# "*" matches anything, ".example.com" matches example.com and all subdomains
+ALLOWED_HOSTS: list[str] = []
 
 # Default headers for all responses.
 DEFAULT_RESPONSE_HEADERS = {
@@ -42,7 +31,13 @@ DEFAULT_RESPONSE_HEADERS = {
 
 # Whether to redirect all non-HTTPS requests to HTTPS.
 HTTPS_REDIRECT_ENABLED = True
-HTTPS_REDIRECT_EXEMPT = []
+
+# Regex patterns for paths that should be exempt from HTTPS redirect
+# Examples: [r"^/health$", r"/api/internal/.*", r"/dev/.*"]
+HTTPS_REDIRECT_EXEMPT_PATHS: list[str] = []
+
+# Custom host to redirect to for HTTPS. If None, uses the same host as the request.
+# Useful for redirecting to a different domain (e.g., "secure.example.com")
 HTTPS_REDIRECT_HOST = None
 
 # If your Plain app is behind a proxy that sets a header to specify secure
@@ -68,7 +63,24 @@ SECRET_KEY: str
 # secret key rotation.
 SECRET_KEY_FALLBACKS: list[str] = []
 
-URLS_ROUTER: str
+# MARK: Internationalization
+
+# Local time zone for this installation. All choices can be found here:
+# https://en.wikipedia.org/wiki/List_of_tz_zones_by_name (although not all
+# systems may support all possibilities). This is interpreted as the default
+# user time zone.
+TIME_ZONE: str = "UTC"
+
+# Default charset to use for all Response objects, if a MIME type isn't
+# manually specified. It's used to construct the Content-Type header.
+DEFAULT_CHARSET = "utf-8"
+
+# MARK: URL Configuration
+
+# Whether to append trailing slashes to URLs.
+APPEND_SLASH = True
+
+# MARK: File Uploads
 
 # List of upload handler classes to be applied in order.
 FILE_UPLOAD_HANDLERS = [
@@ -100,41 +112,30 @@ FILE_UPLOAD_TEMP_DIR = None
 # User-defined overrides for error views by status code
 HTTP_ERROR_VIEWS: dict[int] = {}
 
-##############
-# MIDDLEWARE #
-##############
+# MARK: Middleware
 
 # List of middleware to use. Order is important; in the request phase, these
 # middleware will be applied in the order given, and in the response
 # phase the middleware will be applied in reverse order.
 MIDDLEWARE: list[str] = []
 
-########
-# CSRF #
-########
-
-# Settings for CSRF cookie.
-CSRF_COOKIE_NAME = "csrftoken"
-CSRF_COOKIE_AGE = 60 * 60 * 24 * 7 * 52  # 1 year
-CSRF_COOKIE_DOMAIN = None
-CSRF_COOKIE_PATH = "/"
-CSRF_COOKIE_SECURE = True
-CSRF_COOKIE_HTTPONLY = False
-CSRF_COOKIE_SAMESITE = "Lax"
-CSRF_HEADER_NAME = "CSRF-Token"
-CSRF_FIELD_NAME = "_csrftoken"
+# MARK: CSRF
+
+# A list of trusted origins for unsafe (POST/PUT/DELETE etc.) requests.
+# These origins will be allowed regardless of the normal CSRF checks.
+# Each origin should be a full origin like "https://example.com" or "https://sub.example.com:8080"
 CSRF_TRUSTED_ORIGINS: list[str] = []
 
-###########
-# LOGGING #
-###########
+# Regex patterns for paths that should be exempt from CSRF protection
+# Examples: [r"^/api/", r"/webhooks/.*", r"/health$"]
+CSRF_EXEMPT_PATHS: list[str] = []
+
+# MARK: Logging
 
 # Custom logging configuration.
 LOGGING = {}
 
-###############
-# ASSETS #
-###############
+# MARK: Assets
 
 # Whether to redirect the original asset path to the fingerprinted path.
 ASSETS_REDIRECT_ORIGINAL = True
@@ -143,9 +144,7 @@ ASSETS_REDIRECT_ORIGINAL = True
 # Ex. "https://cdn.example.com/assets/"
 ASSETS_BASE_URL: str = ""
 
-####################
-# PREFLIGHT CHECKS #
-####################
+# MARK: Preflight Checks
 
 # List of all issues generated by system checks that should be silenced. Light
 # issues like warnings, infos or debugs will not generate a message. Silencing
@@ -153,14 +152,10 @@ ASSETS_BASE_URL: str = ""
 # message, but Plain will not stop you from e.g. running server.
 PREFLIGHT_SILENCED_CHECKS = []
 
-#############
-# Templates #
-#############
+# MARK: Templates
 
 TEMPLATES_JINJA_ENVIRONMENT = "plain.templates.jinja.DefaultEnvironment"
 
-#########
-# Shell #
-#########
+# MARK: Shell
 
 SHELL_IMPORT: str = ""

plain/templates/README.md

@@ -70,7 +70,6 @@ class HTMXJSExtension(InclusionTagExtension):
 
     def get_context(self, context, *args, **kwargs):
         return {
-            "csrf_token": context["csrf_token"],
             "DEBUG": settings.DEBUG,
             "extensions": kwargs.get("extensions", []),
         }

plain/test/client.py

@@ -114,8 +114,7 @@ class ClientHandler(BaseHandler):
     the originating WSGIRequest attached to its ``wsgi_request`` attribute.
     """
 
-    def __init__(self, enforce_csrf_checks=True, *args, **kwargs):
-        self.enforce_csrf_checks = enforce_csrf_checks
+    def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
 
     def __call__(self, environ):
@@ -126,12 +125,6 @@ class ClientHandler(BaseHandler):
 
         request_started.send(sender=self.__class__, environ=environ)
         request = WSGIRequest(environ)
-        # sneaky little hack so that we can easily get round
-        # CsrfViewMiddleware.  This makes life easier, and is probably
-        # required for backwards compatibility with external tests against
-        # admin views.
-        if not self.enforce_csrf_checks:
-            request.csrf_exempt = True
 
         # Request goes through middleware.
         response = self.get_response(request)
@@ -420,14 +413,13 @@ class Client(RequestFactory):
 
     def __init__(
         self,
-        enforce_csrf_checks=False,
         raise_request_exception=True,
         *,
         headers=None,
         **defaults,
     ):
         super().__init__(headers=headers, **defaults)
-        self.handler = ClientHandler(enforce_csrf_checks)
+        self.handler = ClientHandler()
         self.raise_request_exception = raise_request_exception
         self.exc_info = None
         self.extra = None

plain/views/README.md

@@ -142,8 +142,6 @@ Rendering forms is done directly in the HTML.
 {% block content %}
 
 <form method="post">
-    {{ csrf_input }}
-
     <!-- Render general form errors -->
     {% for error in form.non_field_errors %}
     <div>{{ error }}</div>

plain/views/templates.py

@@ -1,27 +1,11 @@
-from plain.csrf.middleware import get_token
 from plain.exceptions import ImproperlyConfigured
 from plain.http import Response
 from plain.runtime import settings
 from plain.templates import Template, TemplateFileMissing
-from plain.utils.functional import lazy
-from plain.utils.html import format_html
-from plain.utils.safestring import SafeString
 
 from .base import View
 
 
-def csrf_input(request):
-    return format_html(
-        '<input type="hidden" name="{}" value="{}">',
-        settings.CSRF_FIELD_NAME,
-        get_token(request),
-    )
-
-
-csrf_input_lazy = lazy(csrf_input, SafeString, str)
-csrf_token_lazy = lazy(get_token, str)
-
-
 class TemplateView(View):
     """
     Render a template.
@@ -37,8 +21,6 @@ class TemplateView(View):
         return {
             "request": self.request,
             "template_names": self.get_template_names(),
-            "csrf_input": csrf_input_lazy(self.request),
-            "csrf_token": csrf_token_lazy(self.request),
             "DEBUG": settings.DEBUG,
         }
 

{plain-0.57.0.dist-info → plain-0.58.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plain
-Version: 0.57.0
+Version: 0.58.0
 Summary: A web framework for building products with Python.
 Author-email: Dave Gaeddert <dave.gaeddert@dropseed.dev>
 License-File: LICENSE

{plain-0.57.0.dist-info → plain-0.58.0.dist-info}/RECORD

@@ -1,8 +1,8 @@
-plain/CHANGELOG.md,sha256=S6LqQuC4QwAYLG_Txkz7OyIT8FgyIFXD_3fX6WP7w3I,8219
+plain/CHANGELOG.md,sha256=NnYEqRRQ2lTPIgppmEarKtSZRoLq_N80pgXjyGf6c00,9602
 plain/README.md,sha256=5BJyKhf0TDanWVbOQyZ3zsi5Lov9xk-LlJYCDWofM6Y,4078
 plain/__main__.py,sha256=GK39854Lc_LO_JP8DzY9Y2MIQ4cQEl7SXFJy244-lC8,110
 plain/debug.py,sha256=XdjnXcbPGsi0J2SpHGaLthhYU5AjhBlkHdemaP4sbYY,758
-plain/exceptions.py,sha256=bx2_d1udQrGfw-F_k5GmXatgW1ecWSsWnX6jBoD0CH8,5786
+plain/exceptions.py,sha256=ljOLqgVwPKlGWqaNmjHcHQf6y053bZ9ogkLFEGcs-Gg,5973
 plain/json.py,sha256=McJdsbMT1sYwkGRG--f2NSZz0hVXPMix9x3nKaaak2o,1262
 plain/paginator.py,sha256=iXiOyt2r_YwNrkqCRlaU7V-M_BKaaQ8XZElUBVa6yeU,5844
 plain/signing.py,sha256=r2KvCOxkrSWCULFxYa9BHYx3L3a2oLq8RDnq_92inTw,8207
@@ -20,7 +20,7 @@ plain/chores/__init__.py,sha256=r9TXtQCH-VbvfnIJ5F8FxgQC35GRWFOfmMZN3q9niLg,67
 plain/chores/registry.py,sha256=V3WjuekRI22LFvJbqSkUXQtiOtuE2ZK8gKV1TRvxRUI,1866
 plain/cli/README.md,sha256=5C7vsH0ISxu7q5H6buC25MBOILkI_rzdySitswpQgJw,1032
 plain/cli/__init__.py,sha256=6w9T7K2WrPwh6DcaMb2oNt_CWU6Bc57nUTO2Bt1p38Y,63
-plain/cli/agent.py,sha256=T3jG9hpbndiBsRYf_MhT3GvHrnpLjCh3tgi4pR6Ipmg,1477
+plain/cli/agent.py,sha256=nf-Tuc3abxpyV-nShBn1wq0JWjfgd3zY9lLH6rAZSRs,1678
 plain/cli/build.py,sha256=Lo6AYghJz0DM9fIVUSiBSOKa5vR0XCOxZWEjza6sc8Q,3172
 plain/cli/changelog.py,sha256=j-k1yZk9mpm-fLZgeWastiyIisxNSuAJfXTQ2B6WQmk,3457
 plain/cli/chores.py,sha256=xXSSFvr8T5jWfLWqe6E8YVMw1BkQxyOHHVuY0x9RH0A,2412
@@ -40,10 +40,10 @@ plain/cli/startup.py,sha256=wLaFuyUb4ewWhtehBCGicrRCXIIGCRbeCT3ce9hUv-A,1022
 plain/cli/upgrade.py,sha256=f1rL9M285i4D5UKlEk4ijmAUN3mAMfHCrbDPwBf1ePo,5514
 plain/cli/urls.py,sha256=ghCW36aRszxmTo06A50FIvYopb6kQ07QekkDzM6_A1o,3824
 plain/cli/utils.py,sha256=VwlIh0z7XxzVV8I3qM2kZo07fkJFPoeeVZa1ODG616k,258
-plain/csrf/README.md,sha256=cTqQ9oOa3BcMRhMPzqhI2wat1ZOS7aQwJTIFArdMTsk,794
-plain/csrf/middleware.py,sha256=U3B9R7ciO_UAf7O3jdNtVu6QZ_3Yrm8isRdnW6bVKX4,17401
+plain/csrf/README.md,sha256=ApWpB-qlEf0LkOKm9Yr-6f_lB9XJEvGFDo_fraw8ghI,2391
+plain/csrf/middleware.py,sha256=d_vb8l0-KxzyqCivVq0jTCsFOm-ljwjmjVuZXKVYR5U,5113
 plain/csrf/views.py,sha256=HwQqfI6KPelHP9gSXhjfZaTLQic71PKsoZ6DPhr1rKI,572
-plain/forms/README.md,sha256=SeqRBAPynu-aNR8FPXesOIjPuUi4X1pT_ZlDK4bD7UA,2280
+plain/forms/README.md,sha256=7MJQxNBoKkg0rW16qF6bGpUBxZrMrWjl2DZZk6gjzAU,2258
 plain/forms/__init__.py,sha256=UxqPwB8CiYPCQdHmUc59jadqaXqDmXBH8y4bt9vTPms,226
 plain/forms/boundfield.py,sha256=LhydhCVR0okrli0-QBMjGjAJ8-06gTCXVEaBZhBouQk,1741
 plain/forms/exceptions.py,sha256=NYk1wjYDkk-lA_XMJQDItOebQcL_m_r2eNRc2mkLQkg,315
@@ -70,7 +70,7 @@ plain/internal/handlers/exception.py,sha256=vfha_6-fz6S6VYCP1PMBfue2Gw-_th6jqaTE
 plain/internal/handlers/wsgi.py,sha256=dgPT29t_F9llB-c5RYU3SHxGuZNaZ83xRjOfuOmtOl8,8209
 plain/internal/middleware/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 plain/internal/middleware/headers.py,sha256=ENIW1Gwat54hv-ejgp2R8QTZm-PlaI7k44WU01YQrNk,964
-plain/internal/middleware/https.py,sha256=HcOEWOpoblrFGbrsNOtAj8aEK1sgWbKcPqwEJoDw0no,1232
+plain/internal/middleware/https.py,sha256=mS1YejfLB_5qlAoMfanh8Wn2O-RdSpOBdhvw2DRcTHs,1257
 plain/internal/middleware/slash.py,sha256=JWcIfGbXEKH00I7STq1AMdHhFGmQHC8lkKENa6280ko,2846
 plain/logs/README.md,sha256=ON6Zylg_WA_V7QiIbRY7sgsl2nfG7KFzIbxK2x3rPuc,1419
 plain/logs/__init__.py,sha256=rASvo4qFBDIHfkACmGLNGa6lRGbG9PbNjW6FmBt95ys,168
@@ -90,14 +90,14 @@ plain/preflight/security.py,sha256=oxUZBp2M0bpBfUoLYepIxoex2Y90nyjlrL8XU8UTHYY,2
 plain/preflight/urls.py,sha256=cQ-WnFa_5oztpKdtwhuIGb7pXEml__bHsjs1SWO2YNI,1468
 plain/runtime/README.md,sha256=sTqXXJkckwqkk9O06XMMSNRokAYjrZBnB50JD36BsYI,4873
 plain/runtime/__init__.py,sha256=8GtvKROf3HUCtneDYXTbEioPcCtwnV76dP57n2PnjuE,2343
-plain/runtime/global_settings.py,sha256=MpJ6vtBMO2EYALaKXrtgcGoxLh9Y549zwwErC5D5K7I,5343
+plain/runtime/global_settings.py,sha256=6vy8SacB4w4x_BAGsJv6zM3Sa7zcvnEcF2VzHfZs8qk,5645
 plain/runtime/user_settings.py,sha256=OzMiEkE6ZQ50nxd1WIqirXPiNuMAQULklYHEzgzLWgA,11027
 plain/signals/README.md,sha256=XefXqROlDhzw7Z5l_nx6Mhq6n9jjQ-ECGbH0vvhKWYg,272
 plain/signals/__init__.py,sha256=eAs0kLqptuP6I31dWXeAqRNji3svplpAV4Ez6ktjwXM,131
 plain/signals/dispatch/__init__.py,sha256=FzEygqV9HsM6gopio7O2Oh_X230nA4d5Q9s0sUjMq0E,292
 plain/signals/dispatch/dispatcher.py,sha256=VxSlqn9PCOTghPPJLOqZPs6FNQZfV2BJpMfFMSg6Dtc,11531
 plain/signals/dispatch/license.txt,sha256=o9EhDhsC4Q5HbmD-IfNGVTEkXtNE33r5rIt3lleJ8gc,1727
-plain/templates/README.md,sha256=3eCnQvgLNAnbJENxCWevtiwVpop3_sfJMBWUVGQP2qQ,2614
+plain/templates/README.md,sha256=QAQxoygpc0CE13fh4eH4ZILwl2xc-oMdGKtiZLLrNCk,2565
 plain/templates/__init__.py,sha256=bX76FakE9T7mfK3N0deN85HlwHNQpeigytSC9Z8LcOs,451
 plain/templates/core.py,sha256=mbcH0yTeFOI3XOg9dYSroXRIcdv9sETEy4HzY-ugwco,1258
 plain/templates/jinja/__init__.py,sha256=xvYif0feMYR9pWjN0czthq2dk3qI4D5UQjgj9yp4dNA,2776
@@ -107,7 +107,7 @@ plain/templates/jinja/filters.py,sha256=ft5XUr4OLeQayn-MSxrycpFLyyN_yEo7j5WhWMwp
 plain/templates/jinja/globals.py,sha256=VMpuMZvwWOmb5MbzKK-ox-QEX_WSsXFxq0mm8biJgaU,558
 plain/test/README.md,sha256=wem0myAd-ij74nNV1MB9g4iH6FZUgii7-_euRq45oHs,1142
 plain/test/__init__.py,sha256=MhNHtp7MYBl9kq-pMRGY11kJ6kU1I6vOkjNkit1TYRg,94
-plain/test/client.py,sha256=XjLjkeDl1rQRaFoeiCvvD5GXfxIxpuic2OnxjoX05tA,25573
+plain/test/client.py,sha256=OcL8wQDOu6PUNYvwcmslT5IGt81ffcPsXn05n-2n9oA,25128
 plain/test/encoding.py,sha256=YJBOIE-BQRA5yl4zHnQy-9l67mJDTFmfy1DQXK0Wk-Q,3199
 plain/test/exceptions.py,sha256=b-GHicg87Gh73W3g8QGWuSHi9PrQFVsxgWvEXDLt8gQ,290
 plain/urls/README.md,sha256=026RkCK6I0GdqK3RE2QBLcCLIsiwtyKxgI2F0KBX95E,3882
@@ -142,18 +142,17 @@ plain/utils/text.py,sha256=42hJv06sadbWfsaAHNhqCQaP1W9qZ69trWDTS-Xva7k,9496
 plain/utils/timesince.py,sha256=a_-ZoPK_s3Pt998CW4rWp0clZ1XyK2x04hCqak2giII,5928
 plain/utils/timezone.py,sha256=6u0sE-9RVp0_OCe0Y1KiYYQoq5THWLokZFQYY8jf78g,6221
 plain/utils/tree.py,sha256=wdWzmfsgc26YDF2wxhAY3yVxXTixQYqYDKE9mL3L3ZY,4383
-plain/views/README.md,sha256=wKwC6pgxUyIZdCZq5roPpzbGa0Y-tR7mPifr5z659Uk,7245
+plain/views/README.md,sha256=JmRGCQJgSr17uzUfsJfZbix1md3Qj6mmCkzWuoTFurQ,7223
 plain/views/__init__.py,sha256=a-N1nkklVohJTtz0yD1MMaS0g66HviEjsKydNVVjvVc,392
 plain/views/base.py,sha256=CC9UvMZeAjVvi90vGjoZzsQ0jnhbg3-7qCKQ8-Pb6cg,4184
-plain/views/csrf.py,sha256=7q6l5xzLWhRnMY64aNj0hR6G-3pxI2yhRwG6k_5j00E,144
 plain/views/errors.py,sha256=jbNCJIzowwCsEvqyJ3opMeZpPDqTyhtrbqb0VnAm2HE,1263
 plain/views/exceptions.py,sha256=b4euI49ZUKS9O8AGAcFfiDpstzkRAuuj_uYQXzWNHME,138
 plain/views/forms.py,sha256=ESZOXuo6IeYixp1RZvPb94KplkowRiwO2eGJCM6zJI0,2400
 plain/views/objects.py,sha256=GGbcfg_9fPZ-PiaBwIHG2e__8GfWDR7JQtQ15wTyiHg,5970
 plain/views/redirect.py,sha256=Xpb3cB7nZYvKgkNqcAxf9Jwm2SWcQ0u2xz4oO5M3vP8,1909
-plain/views/templates.py,sha256=ivkI7LU7BXDQ0d4Geab96Is4-Cp03KbIntXRT1J8e6I,2139
-plain-0.57.0.dist-info/METADATA,sha256=9lvnS7TXZ1hqmYFkuMUTtafl0v4nmaTTdI0zh9-4kPU,4488
-plain-0.57.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-plain-0.57.0.dist-info/entry_points.txt,sha256=nn4uKTRRZuEKOJv3810s3jtSMW0Gew7XDYiKIvBRR6M,93
-plain-0.57.0.dist-info/licenses/LICENSE,sha256=m0D5O7QoH9l5Vz_rrX_9r-C8d9UNr_ciK6Qwac7o6yo,3175
-plain-0.57.0.dist-info/RECORD,,
+plain/views/templates.py,sha256=TeVKxfyXwQTmWfWzwjtlZ8GXogcHUDZ1osc--G4YLVw,1588
+plain-0.58.0.dist-info/METADATA,sha256=yNuHnxpkBcNUME3wBUBvYxV-X6brEHQaXUGeMdFC3qc,4488
+plain-0.58.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+plain-0.58.0.dist-info/entry_points.txt,sha256=nn4uKTRRZuEKOJv3810s3jtSMW0Gew7XDYiKIvBRR6M,93
+plain-0.58.0.dist-info/licenses/LICENSE,sha256=m0D5O7QoH9l5Vz_rrX_9r-C8d9UNr_ciK6Qwac7o6yo,3175
+plain-0.58.0.dist-info/RECORD,,

plain/views/csrf.py

@@ -1,4 +0,0 @@
-class CsrfExemptViewMixin:
-    def setup(self, *args, **kwargs):
-        super().setup(*args, **kwargs)
-        self.request.csrf_exempt = True