plain 0.6.0__py3-none-any.whl → 0.11.0__py3-none-any.whl

plain/cli/cli.py

@@ -5,6 +5,7 @@ import shutil
 import subprocess
 import sys
 import traceback
+from importlib.metadata import entry_points
 from importlib.util import find_spec
 from pathlib import Path
 
@@ -250,7 +251,7 @@ def preflight_checks(package_label, deploy, fail_level, databases):
             msg = header + body + footer
             click.echo(msg, err=True)
         else:
-            click.echo("Preflight check identified no issues.", err=True)
+            click.secho("✔ Preflight check identified no issues.", err=True, fg="green")
 
 
 @plain_cli.command()
@@ -286,17 +287,10 @@ def compile(keep_original, fingerprint, compress):
         )
         sys.exit(1)
 
-    # TODO make this an entrypoint instead
-    # Compile our Tailwind CSS (including templates in plain itself)
-    if find_spec("plain.tailwind") is not None:
-        click.secho("Compiling Tailwind CSS", bold=True)
-        result = subprocess.run(["plain", "tailwind", "compile", "--minify"])
+    for entry_point in entry_points(group="plain.assets.compile"):
+        click.secho(f"Running {entry_point.name}", bold=True)
+        result = entry_point.load()()
         print()
-        if result.returncode:
-            click.secho(
-                f"Error compiling Tailwind CSS (exit {result.returncode})", fg="red"
-            )
-            sys.exit(result.returncode)
 
     # TODO also look in [tool.plain.compile.run]
 

plain/csrf/middleware.py

@@ -9,7 +9,7 @@ import string
 from collections import defaultdict
 from urllib.parse import urlparse
 
-from plain.exceptions import DisallowedHost, ImproperlyConfigured
+from plain.exceptions import DisallowedHost
 from plain.http import HttpHeaders, UnreadablePostError
 from plain.logs import log_response
 from plain.runtime import settings
@@ -242,44 +242,31 @@ class CsrfViewMiddleware:
         If the CSRF_USE_SESSIONS setting is false, raises InvalidTokenFormat if
         the request's secret has invalid characters or an invalid length.
         """
-        if settings.CSRF_USE_SESSIONS:
-            try:
-                csrf_secret = request.session.get(CSRF_SESSION_KEY)
-            except AttributeError:
-                raise ImproperlyConfigured(
-                    "CSRF_USE_SESSIONS is enabled, but request.session is not "
-                    "set. SessionMiddleware must appear before CsrfViewMiddleware "
-                    "in MIDDLEWARE."
-                )
+        try:
+            csrf_secret = request.COOKIES[settings.CSRF_COOKIE_NAME]
+        except KeyError:
+            csrf_secret = None
         else:
-            try:
-                csrf_secret = request.COOKIES[settings.CSRF_COOKIE_NAME]
-            except KeyError:
-                csrf_secret = None
-            else:
-                # This can raise InvalidTokenFormat.
-                _check_token_format(csrf_secret)
+            # This can raise InvalidTokenFormat.
+            _check_token_format(csrf_secret)
+
         if csrf_secret is None:
             return None
         return csrf_secret
 
     def _set_csrf_cookie(self, request, response):
-        if settings.CSRF_USE_SESSIONS:
-            if request.session.get(CSRF_SESSION_KEY) != request.META["CSRF_COOKIE"]:
-                request.session[CSRF_SESSION_KEY] = request.META["CSRF_COOKIE"]
-        else:
-            response.set_cookie(
-                settings.CSRF_COOKIE_NAME,
-                request.META["CSRF_COOKIE"],
-                max_age=settings.CSRF_COOKIE_AGE,
-                domain=settings.CSRF_COOKIE_DOMAIN,
-                path=settings.CSRF_COOKIE_PATH,
-                secure=settings.CSRF_COOKIE_SECURE,
-                httponly=settings.CSRF_COOKIE_HTTPONLY,
-                samesite=settings.CSRF_COOKIE_SAMESITE,
-            )
-            # Set the Vary header since content varies with the CSRF cookie.
-            patch_vary_headers(response, ("Cookie",))
+        response.set_cookie(
+            settings.CSRF_COOKIE_NAME,
+            request.META["CSRF_COOKIE"],
+            max_age=settings.CSRF_COOKIE_AGE,
+            domain=settings.CSRF_COOKIE_DOMAIN,
+            path=settings.CSRF_COOKIE_PATH,
+            secure=settings.CSRF_COOKIE_SECURE,
+            httponly=settings.CSRF_COOKIE_HTTPONLY,
+            samesite=settings.CSRF_COOKIE_SAMESITE,
+        )
+        # Set the Vary header since content varies with the CSRF cookie.
+        patch_vary_headers(response, ("Cookie",))
 
     def _origin_verified(self, request):
         request_origin = request.META["HTTP_ORIGIN"]
@@ -289,7 +276,7 @@ class CsrfViewMiddleware:
             pass
         else:
             good_origin = "{}://{}".format(
-                "https" if request.is_secure() else "http",
+                "https" if request.is_https() else "http",
                 good_host,
             )
             if request_origin == good_origin:
@@ -331,11 +318,7 @@ class CsrfViewMiddleware:
         ):
             return
         # Allow matching the configured cookie domain.
-        good_referer = (
-            settings.SESSION_COOKIE_DOMAIN
-            if settings.CSRF_USE_SESSIONS
-            else settings.CSRF_COOKIE_DOMAIN
-        )
+        good_referer = settings.CSRF_COOKIE_DOMAIN
         if good_referer is None:
             # If no cookie domain is configured, allow matching the current
             # host:port exactly if it's permitted by ALLOWED_HOSTS.
@@ -435,7 +418,7 @@ class CsrfViewMiddleware:
                 return self._reject(
                     request, REASON_BAD_ORIGIN % request.META["HTTP_ORIGIN"]
                 )
-        elif request.is_secure():
+        elif request.is_https():
             # If the Origin header wasn't provided, reject HTTPS requests if
             # the Referer header doesn't match an allowed value.
             #

plain/http/request.py

@@ -140,7 +140,7 @@ class HttpRequest:
             # Reconstruct the host using the algorithm from PEP 333.
             host = self.META["SERVER_NAME"]
             server_port = self.get_port()
-            if server_port != ("443" if self.is_secure() else "80"):
+            if server_port != ("443" if self.is_https() else "80"):
                 host = f"{host}:{server_port}"
         return host
 
@@ -267,12 +267,12 @@ class HttpRequest:
 
     @property
     def scheme(self):
-        if settings.SECURE_PROXY_SSL_HEADER:
+        if settings.HTTPS_PROXY_HEADER:
             try:
-                header, secure_value = settings.SECURE_PROXY_SSL_HEADER
+                header, secure_value = settings.HTTPS_PROXY_HEADER
             except ValueError:
                 raise ImproperlyConfigured(
-                    "The SECURE_PROXY_SSL_HEADER setting must be a tuple containing "
+                    "The HTTPS_PROXY_HEADER setting must be a tuple containing "
                     "two values."
                 )
             header_value = self.META.get(header)
@@ -281,7 +281,7 @@ class HttpRequest:
                 return "https" if header_value.strip() == secure_value else "http"
         return self._get_scheme()
 
-    def is_secure(self):
+    def is_https(self):
         return self.scheme == "https"
 
     @property

plain/internal/handlers/base.py

@@ -13,6 +13,15 @@ from .exception import convert_exception_to_response
 logger = logging.getLogger("plain.request")
 
 
+# These middleware classes are always used by Plain.
+BUILTIN_MIDDLEWARE = [
+    "plain.internal.middleware.headers.DefaultHeadersMiddleware",
+    "plain.internal.middleware.https.HttpsRedirectMiddleware",
+    "plain.internal.middleware.slash.RedirectSlashMiddleware",
+    "plain.csrf.middleware.CsrfViewMiddleware",
+]
+
+
 class BaseHandler:
     _view_middleware = None
     _middleware_chain = None
@@ -27,7 +36,10 @@ class BaseHandler:
 
         get_response = self._get_response
         handler = convert_exception_to_response(get_response)
-        for middleware_path in reversed(settings.MIDDLEWARE):
+
+        middlewares = reversed(BUILTIN_MIDDLEWARE + settings.MIDDLEWARE)
+
+        for middleware_path in middlewares:
             middleware = import_string(middleware_path)
             mw_instance = middleware(handler)
 

plain/internal/middleware/headers.py

@@ -0,0 +1,19 @@
+from plain.runtime import settings
+
+
+class DefaultHeadersMiddleware:
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+    def __call__(self, request):
+        response = self.get_response(request)
+
+        for header, value in settings.DEFAULT_RESPONSE_HEADERS.items():
+            response.headers.setdefault(header, value)
+
+        # Add the Content-Length header to non-streaming responses if not
+        # already set.
+        if not response.streaming and not response.has_header("Content-Length"):
+            response.headers["Content-Length"] = str(len(response.content))
+
+        return response

plain/internal/middleware/https.py

@@ -0,0 +1,36 @@
+import re
+
+from plain.http import ResponsePermanentRedirect
+from plain.runtime import settings
+
+
+class HttpsRedirectMiddleware:
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+        # Settings for https (compile regexes once)
+        self.https_redirect_enabled = settings.HTTPS_REDIRECT_ENABLED
+        self.https_redirect_host = settings.HTTPS_REDIRECT_HOST
+        self.https_redirect_exempt = [
+            re.compile(r) for r in settings.HTTPS_REDIRECT_EXEMPT
+        ]
+
+    def __call__(self, request):
+        """
+        Rewrite the URL based on settings.APPEND_SLASH
+        """
+
+        if redirect_response := self.maybe_https_redirect(request):
+            return redirect_response
+
+        return self.get_response(request)
+
+    def maybe_https_redirect(self, request):
+        path = request.path.lstrip("/")
+        if (
+            self.https_redirect_enabled
+            and not request.is_https()
+            and not any(pattern.search(path) for pattern in self.https_redirect_exempt)
+        ):
+            host = self.https_redirect_host or request.get_host()
+            return ResponsePermanentRedirect(f"https://{host}{request.get_full_path()}")

plain/{middleware/common.py → internal/middleware/slash.py}

@@ -4,25 +4,7 @@ from plain.urls import is_valid_path
 from plain.utils.http import escape_leading_slashes
 
 
-class CommonMiddleware:
-    """
-    "Common" middleware for taking care of some basic operations:
-
-        - URL rewriting: Based on the APPEND_SLASH setting,
-          append missing slashes.
-
-            - If APPEND_SLASH is set and the initial URL doesn't end with a
-              slash, and it is not found in urlpatterns, form a new URL by
-              appending a slash at the end. If this new URL is found in
-              urlpatterns, return an HTTP redirect to this new URL; otherwise
-              process the initial URL as usual.
-
-          This behavior can be customized by subclassing CommonMiddleware and
-          overriding the response_redirect_class attribute.
-    """
-
-    response_redirect_class = ResponsePermanentRedirect
-
+class RedirectSlashMiddleware:
     def __init__(self, get_response):
         self.get_response = get_response
 
@@ -40,12 +22,7 @@ class CommonMiddleware:
         # If the given URL is "Not Found", then check if we should redirect to
         # a path with a slash appended.
         if response.status_code == 404 and self.should_redirect_with_slash(request):
-            return self.response_redirect_class(self.get_full_path_with_slash(request))
-
-        # Add the Content-Length header to non-streaming responses if not
-        # already set.
-        if not response.streaming and not response.has_header("Content-Length"):
-            response.headers["Content-Length"] = str(len(response.content))
+            return ResponsePermanentRedirect(self.get_full_path_with_slash(request))
 
         return response
 

plain/preflight/security/base.py

@@ -16,17 +16,18 @@ SECRET_KEY_WARNING_MSG = (
     f"vulnerable to attack."
 )
 
+# TODO
 W001 = Warning(
-    "You do not have 'plain.middleware.security.SecurityMiddleware' "
+    "You do not have 'plain.middleware.https.HttpsRedirectMiddleware' "
     "in your MIDDLEWARE so the SECURE_HSTS_SECONDS, "
     "SECURE_CONTENT_TYPE_NOSNIFF, SECURE_REFERRER_POLICY, "
-    "SECURE_CROSS_ORIGIN_OPENER_POLICY, and SECURE_SSL_REDIRECT settings will "
+    "SECURE_CROSS_ORIGIN_OPENER_POLICY, and HTTPS_REDIRECT_ENABLED settings will "
     "have no effect.",
     id="security.W001",
 )
 
 W008 = Warning(
-    "Your SECURE_SSL_REDIRECT setting is not set to True. "
+    "Your HTTPS_REDIRECT_ENABLED setting is not set to True. "
     "Unless your site should be available over both SSL and non-SSL "
     "connections, you may want to either set this setting True "
     "or configure a load balancer or reverse-proxy server "
@@ -52,22 +53,6 @@ W020 = Warning(
 W025 = Warning(SECRET_KEY_WARNING_MSG, id="security.W025")
 
 
-def _security_middleware():
-    return "plain.middleware.security.SecurityMiddleware" in settings.MIDDLEWARE
-
-
-@register(deploy=True)
-def check_security_middleware(package_configs, **kwargs):
-    passed_check = _security_middleware()
-    return [] if passed_check else [W001]
-
-
-@register(deploy=True)
-def check_ssl_redirect(package_configs, **kwargs):
-    passed_check = not _security_middleware() or settings.SECURE_SSL_REDIRECT is True
-    return [] if passed_check else [W008]
-
-
 def _check_secret_key(secret_key):
     return (
         len(set(secret_key)) >= SECRET_KEY_MIN_UNIQUE_CHARACTERS

plain/preflight/security/csrf.py

@@ -32,9 +32,5 @@ def check_csrf_middleware(package_configs, **kwargs):
 
 @register(deploy=True)
 def check_csrf_cookie_secure(package_configs, **kwargs):
-    passed_check = (
-        settings.CSRF_USE_SESSIONS
-        or not _csrf_middleware()
-        or settings.CSRF_COOKIE_SECURE is True
-    )
+    passed_check = not _csrf_middleware() or settings.CSRF_COOKIE_SECURE is True
     return [] if passed_check else [W016]

plain/runtime/README.md

@@ -54,10 +54,7 @@ SECRET_KEY = environ["SECRET_KEY"]
 DEBUG = environ.get("DEBUG", "false").lower() in ("true", "1", "yes")
 
 MIDDLEWARE = [
-    "plain.middleware.security.SecurityMiddleware",
     "plain.sessions.middleware.SessionMiddleware",
-    "plain.middleware.common.CommonMiddleware",
-    "plain.csrf.middleware.CsrfViewMiddleware",
     "plain.auth.middleware.AuthenticationMiddleware",
 ]
 

plain/runtime/__init__.py

@@ -1,10 +1,8 @@
 import importlib.metadata
 import sys
-from os import environ
+from importlib.metadata import entry_points
 from pathlib import Path
 
-from dotenv import load_dotenv
-
 from .user_settings import Settings
 
 try:
@@ -16,7 +14,6 @@ except importlib.metadata.PackageNotFoundError:
 # Made available without setup or settings
 APP_PATH = Path.cwd() / "app"
 
-
 # from plain.runtime import settings
 settings = Settings()
 
@@ -30,6 +27,11 @@ def setup():
     Configure the settings (this happens as a side effect of accessing the
     first setting), configure logging and populate the app registry.
     """
+
+    # Packages can hook into the setup process through an entrypoint.
+    for entry_point in entry_points().select(group="plain.setup"):
+        entry_point.load()()
+
     from plain.logs import configure_logging
     from plain.packages import packages
 
@@ -38,15 +40,11 @@ def setup():
             "No app directory found. Are you sure you're in a Plain project?"
         )
 
-    # Automatically put the app dir on the Python path for convenience
-    if APP_PATH not in sys.path:
-        sys.path.insert(0, APP_PATH.as_posix())
-
-    # Load .env files automatically before settings
-    if app_env := environ.get("PLAIN_ENV", ""):
-        load_dotenv(f".env.{app_env}")
-    else:
-        load_dotenv(".env")
+    # Automatically put the project dir on the Python path
+    # which doesn't otherwise happen when you run `plain` commands.
+    # This makes "app.<module>" imports and relative imports work.
+    if APP_PATH.parent not in sys.path:
+        sys.path.insert(0, APP_PATH.parent.as_posix())
 
     configure_logging(settings.LOGGING)
 

plain/runtime/global_settings.py

@@ -29,11 +29,41 @@ TIME_ZONE: str = "UTC"
 DEFAULT_CHARSET = "utf-8"
 
 # List of strings representing installed packages.
-INSTALLED_PACKAGES: list = []
+INSTALLED_PACKAGES: list[str] = []
 
 # Whether to append trailing slashes to URLs.
 APPEND_SLASH = True
 
+# Default headers for all responses.
+DEFAULT_RESPONSE_HEADERS = {
+    # "Content-Security-Policy": "default-src 'self'",
+    # https://hstspreload.org/
+    # "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
+    "Cross-Origin-Opener-Policy": "same-origin",
+    "Referrer-Policy": "same-origin",
+    "X-Content-Type-Options": "nosniff",
+    "X-Frame-Options": "DENY",
+}
+
+# Whether to redirect all non-HTTPS requests to HTTPS.
+HTTPS_REDIRECT_ENABLED = True
+HTTPS_REDIRECT_EXEMPT = []
+HTTPS_REDIRECT_HOST = None
+
+# If your Plain app is behind a proxy that sets a header to specify secure
+# connections, AND that proxy ensures that user-submitted headers with the
+# same name are ignored (so that people can't spoof it), set this value to
+# a tuple of (header_name, header_value). For any requests that come in with
+# that header/value, request.is_https() will return True.
+# WARNING! Only set this if you fully understand what you're doing. Otherwise,
+# you may be opening yourself up to a security risk.
+HTTPS_PROXY_HEADER = None
+
+# Whether to use the X-Forwarded-Host and X-Forwarded-Port headers
+# when determining the host and port for the request.
+USE_X_FORWARDED_HOST = False
+USE_X_FORWARDED_PORT = False
+
 # A secret key for this particular Plain installation. Used in secret-key
 # hashing algorithms. Set this in your settings, or Plain will complain
 # loudly.
@@ -43,7 +73,7 @@ SECRET_KEY: str
 # secret key rotation.
 SECRET_KEY_FALLBACKS: list[str] = []
 
-ROOT_URLCONF = "urls"
+ROOT_URLCONF = "app.urls"
 
 # List of upload handler classes to be applied in order.
 FILE_UPLOAD_HANDLERS = [
@@ -72,21 +102,9 @@ DATA_UPLOAD_MAX_NUMBER_FILES = 100
 # (i.e. "/tmp" on *nix systems).
 FILE_UPLOAD_TEMP_DIR = None
 
-USE_X_FORWARDED_HOST = False
-USE_X_FORWARDED_PORT = False
-
 # User-defined overrides for error views by status code
 HTTP_ERROR_VIEWS: dict[int] = {}
 
-# If your Plain app is behind a proxy that sets a header to specify secure
-# connections, AND that proxy ensures that user-submitted headers with the
-# same name are ignored (so that people can't spoof it), set this value to
-# a tuple of (header_name, header_value). For any requests that come in with
-# that header/value, request.is_secure() will return True.
-# WARNING! Only set this if you fully understand what you're doing. Otherwise,
-# you may be opening yourself up to a security risk.
-SECURE_PROXY_SSL_HEADER = None
-
 ##############
 # MIDDLEWARE #
 ##############
@@ -94,11 +112,7 @@ SECURE_PROXY_SSL_HEADER = None
 # List of middleware to use. Order is important; in the request phase, these
 # middleware will be applied in the order given, and in the response
 # phase the middleware will be applied in reverse order.
-MIDDLEWARE = [
-    "plain.middleware.security.SecurityMiddleware",
-    "plain.middleware.common.CommonMiddleware",
-    "plain.csrf.middleware.CsrfViewMiddleware",
-]
+MIDDLEWARE: list[str] = []
 
 ###########
 # SIGNING #
@@ -120,7 +134,6 @@ CSRF_COOKIE_HTTPONLY = False
 CSRF_COOKIE_SAMESITE = "Lax"
 CSRF_HEADER_NAME = "HTTP_X_CSRFTOKEN"
 CSRF_TRUSTED_ORIGINS: list[str] = []
-CSRF_USE_SESSIONS = False
 
 ###########
 # LOGGING #
@@ -150,23 +163,6 @@ ASSETS_BASE_URL: str = ""
 # message, but Plain will not stop you from e.g. running server.
 SILENCED_PREFLIGHT_CHECKS = []
 
-#######################
-# SECURITY MIDDLEWARE #
-#######################
-SECURE_REDIRECT_EXEMPT = []
-SECURE_SSL_HOST = None
-SECURE_SSL_REDIRECT = True
-
-SECURE_DEFAULT_HEADERS = {
-    # "Content-Security-Policy": "default-src 'self'",
-    # https://hstspreload.org/
-    # "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
-    "Cross-Origin-Opener-Policy": "same-origin",
-    "Referrer-Policy": "same-origin",
-    "X-Content-Type-Options": "nosniff",
-    "X-Frame-Options": "DENY",
-}
-
 #############
 # Templates #
 #############

plain/runtime/user_settings.py

@@ -41,7 +41,7 @@ class Settings:
 
         # Determine the settings module
         if self._settings_module is None:
-            self._settings_module = os.environ.get(ENVIRONMENT_VARIABLE, "settings")
+            self._settings_module = os.environ.get(ENVIRONMENT_VARIABLE, "app.settings")
 
         # First load the global settings from plain
         self._load_module_settings(

plain/test/client.py

@@ -379,7 +379,7 @@ class RequestFactory:
         # Refs comment in `get_bytes_from_wsgi()`.
         return path.decode("iso-8859-1")
 
-    def get(self, path, data=None, secure=False, *, headers=None, **extra):
+    def get(self, path, data=None, secure=True, *, headers=None, **extra):
         """Construct a GET request."""
         data = {} if data is None else data
         return self.generic(
@@ -398,7 +398,7 @@ class RequestFactory:
         path,
         data=None,
         content_type=MULTIPART_CONTENT,
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,
@@ -417,7 +417,7 @@ class RequestFactory:
             **extra,
         )
 
-    def head(self, path, data=None, secure=False, *, headers=None, **extra):
+    def head(self, path, data=None, secure=True, *, headers=None, **extra):
         """Construct a HEAD request."""
         data = {} if data is None else data
         return self.generic(
@@ -431,7 +431,7 @@ class RequestFactory:
             },
         )
 
-    def trace(self, path, secure=False, *, headers=None, **extra):
+    def trace(self, path, secure=True, *, headers=None, **extra):
         """Construct a TRACE request."""
         return self.generic("TRACE", path, secure=secure, headers=headers, **extra)
 
@@ -440,7 +440,7 @@ class RequestFactory:
         path,
         data="",
         content_type="application/octet-stream",
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,
@@ -455,7 +455,7 @@ class RequestFactory:
         path,
         data="",
         content_type="application/octet-stream",
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,
@@ -471,7 +471,7 @@ class RequestFactory:
         path,
         data="",
         content_type="application/octet-stream",
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,
@@ -487,7 +487,7 @@ class RequestFactory:
         path,
         data="",
         content_type="application/octet-stream",
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,
@@ -504,7 +504,7 @@ class RequestFactory:
         path,
         data="",
         content_type="application/octet-stream",
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,
@@ -704,7 +704,7 @@ class Client(ClientMixin, RequestFactory):
         path,
         data=None,
         follow=False,
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,
@@ -725,7 +725,7 @@ class Client(ClientMixin, RequestFactory):
         data=None,
         content_type=MULTIPART_CONTENT,
         follow=False,
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,
@@ -752,7 +752,7 @@ class Client(ClientMixin, RequestFactory):
         path,
         data=None,
         follow=False,
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,
@@ -775,7 +775,7 @@ class Client(ClientMixin, RequestFactory):
         data="",
         content_type="application/octet-stream",
         follow=False,
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,
@@ -803,7 +803,7 @@ class Client(ClientMixin, RequestFactory):
         data="",
         content_type="application/octet-stream",
         follow=False,
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,
@@ -831,7 +831,7 @@ class Client(ClientMixin, RequestFactory):
         data="",
         content_type="application/octet-stream",
         follow=False,
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,
@@ -859,7 +859,7 @@ class Client(ClientMixin, RequestFactory):
         data="",
         content_type="application/octet-stream",
         follow=False,
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,
@@ -886,7 +886,7 @@ class Client(ClientMixin, RequestFactory):
         path,
         data="",
         follow=False,
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,

plain/views/base.py

@@ -15,6 +15,10 @@ logger = logging.getLogger("plain.request")
 
 
 class View:
+    request: HttpRequest
+    url_args: tuple
+    url_kwargs: dict
+
     def __init__(self, *args, **kwargs) -> None:
         # Views can customize their init, which receives
         # the args and kwargs from as_view()

{plain-0.6.0.dist-info → plain-0.11.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: plain
-Version: 0.6.0
+Version: 0.11.0
 Summary: A web framework for building products with Python.
 Author: Dave Gaeddert
 Author-email: dave.gaeddert@dropseed.dev
@@ -8,9 +8,9 @@ Requires-Python: >=3.11,<4.0
 Classifier: Programming Language :: Python :: 3
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
 Requires-Dist: click (>=8.0.0)
 Requires-Dist: jinja2 (>=3.1.2,<4.0.0)
-Requires-Dist: python-dotenv (>=1.0.0,<2.0.0)
 Description-Content-Type: text/markdown
 
 <!-- This file is compiled from plain/plain/README.md. Do not edit this file directly. -->

{plain-0.6.0.dist-info → plain-0.11.0.dist-info}/RECORD

@@ -9,13 +9,13 @@ plain/assets/urls.py,sha256=ZTIoM1Zq35JaXZ3wFhXhfGa7VoITDNlH9i5RS0R5xow,933
 plain/assets/views.py,sha256=dhjIpMu0GDR_VGbXM90_6RnC84C2C4bFv1RxDVklGBk,9173
 plain/cli/README.md,sha256=xjr1K-sIMTi5OWxdxL--O7aoo16Pd1xdawIZtz6BL7Q,2464
 plain/cli/__init__.py,sha256=9ByBOIdM8DebChjNz-RH2atdz4vWe8somlwNEsbhwh4,40
-plain/cli/cli.py,sha256=myxXjRRLt8GQdJ4m3wOgW383D4Z1t1v07PABU0IQ6RM,15095
+plain/cli/cli.py,sha256=Ns6Yi3fhrvvBsE-HrhqtaFoLiegni7d61ypj-MrLjss,14834
 plain/cli/formatting.py,sha256=1hZH13y1qwHcU2K2_Na388nw9uvoeQH8LrWL-O9h8Yc,2207
 plain/cli/packages.py,sha256=69VH1bIi1-5N5l2jlBcR5EP0pt-v16sPar9arO3gCSE,2052
 plain/cli/print.py,sha256=XraUYrgODOJquIiEv78wSCYGRBplHXtXSS9QtFG5hqY,217
 plain/cli/startup.py,sha256=PJYA-tNWGia-QbTlT0e5HvC8C7yDSq8wkAkIxgfKkvw,680
 plain/csrf/README.md,sha256=RXMWMtHmzf30gVVNOfj0kD4xlSqFIPgJh-n7dIciaEM,163
-plain/csrf/middleware.py,sha256=I7Ev-Y-VaR-Fgs_arVYNePt4qjwF_PozFBCqER2UMIY,18642
+plain/csrf/middleware.py,sha256=MlDQ55B4eRXySbzauFNs8gKhgQy32yWspBfPI0a3PzA,17775
 plain/csrf/views.py,sha256=YDgT451X16iUdCxpQ6rcHIy7nD0u7DAvCQl5-Mx5i9Y,219
 plain/debug.py,sha256=fdrWy4RNQOuXo80_jgwthCkMZKjjaF9lDj3Kqln_gJk,604
 plain/exceptions.py,sha256=tDS6l0epe_L9IlxpEdT2k2hWgEoAu8YBNIumNCtJ-WY,6333
@@ -29,7 +29,7 @@ plain/http/README.md,sha256=00zLFQ-FPjYXu3A8QsLhCCXxaT0ImvI5I-8xd3dp8WA,7
 plain/http/__init__.py,sha256=DIsDRbBsCGa4qZgq-fUuQS0kkxfbTU_3KpIM9VvH04w,1067
 plain/http/cookie.py,sha256=11FnSG3Plo6T3jZDbPoCw7SKh9ExdBio3pTmIO03URg,597
 plain/http/multipartparser.py,sha256=Z2PFDuGucj_nFnQagwdxowJcZHqzCfDApkXl5yRlRe4,27325
-plain/http/request.py,sha256=sRHjXOrxFMPIXSbwa6-hXJHNhR-EF4E5IprGtHUqeyE,26007
+plain/http/request.py,sha256=kOXN9uhgtgbd1IC25-oRupYlCofacE1jyoDZRlg2v5k,25990
 plain/http/response.py,sha256=h43Gx4PVPGEf63EHHrABYtwYu-8Y9mgAebwiGt8qeLE,24074
 plain/internal/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 plain/internal/files/README.md,sha256=kMux-NU5qiH0o1K8IajYQT8VjrYl_jLk9LkGG_kGuSc,45
@@ -42,20 +42,19 @@ plain/internal/files/uploadedfile.py,sha256=JRB7T3quQjg-1y3l1ASPxywtSQZhaeMc45uF
 plain/internal/files/uploadhandler.py,sha256=BZGQDHJMEUeBh9uJtxNVWQkFmHE7jzVTx9CLVt59Jqg,7197
 plain/internal/files/utils.py,sha256=XrHAs2tMqmywURgz5C6-GSj6sr2R-MCERcWT8yzBp5k,2652
 plain/internal/handlers/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-plain/internal/handlers/base.py,sha256=LcKKRtKlBk17Iy_8MRbx7wskULpnhHzA0fOlunzd9Lo,4506
+plain/internal/handlers/base.py,sha256=tpTrVhC_gZKrIoTJmCWD3bIpucOCGVV1DTkF0W2HZPI,4883
 plain/internal/handlers/exception.py,sha256=KUZSBzmzE6YSFxAZ336Mye_9vAPVIj9Av-w1SK5R4PA,4579
 plain/internal/handlers/wsgi.py,sha256=WIZvXlEAOn8lxwDM_HpSP82-ePKVu-Tzgpe65KkXEMk,7538
+plain/internal/middleware/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+plain/internal/middleware/headers.py,sha256=UnJWnlVVLD-10h7PB_QSYeREBzLo-TS3C-_ahmZ6w0I,636
+plain/internal/middleware/https.py,sha256=XpuQK8HicYX1jNanQHqNgyQ9rqe4NLUOZO3ZzKdsP8k,1203
+plain/internal/middleware/slash.py,sha256=LhQi5aUztE4kJnvRn75u8zaFvAVPPEl_Whu1gYWGs7g,2656
 plain/json.py,sha256=McJdsbMT1sYwkGRG--f2NSZz0hVXPMix9x3nKaaak2o,1262
 plain/logs/README.md,sha256=H6uVXdInYlasq0Z1WnhWnPmNwYQoZ1MSLPDQ4ZE7u4A,492
 plain/logs/__init__.py,sha256=rASvo4qFBDIHfkACmGLNGa6lRGbG9PbNjW6FmBt95ys,168
 plain/logs/configure.py,sha256=6mV7d1IxkDYT3VBz61qhIj0Esuy5l5QdQfsHaGCfI6w,1063
 plain/logs/loggers.py,sha256=iz9SYcwP9w5QAuwpULl48SFkVyJuuMoQ_fdLgdCHpNg,2121
 plain/logs/utils.py,sha256=9UzdCCQXJinGDs71Ngw297mlWkhgZStSd67ya4NOW98,1257
-plain/middleware/README.md,sha256=MgiLHwAfP8ooBSlDi1JhTwIHMlwphOqAkeWglYRbe8s,52
-plain/middleware/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-plain/middleware/common.py,sha256=-YySkYUyaRujYA5Yg7GRD3xFjlQOZpeJP1Stpt6pias,3631
-plain/middleware/gzip.py,sha256=2NogLO6hPxVc3otxkhMDl7-r2Zw3vcIkAP29fx4j2eU,2383
-plain/middleware/security.py,sha256=WZRn5F9qx33wFTqh4CkBEtHrTuyr7RCt4Gwq4W2mBgE,1043
 plain/packages/README.md,sha256=Vq1Nw3mmEmZ2IriQavuVi4BjcQC2nb8k7YIbnm8QjIg,799
 plain/packages/__init__.py,sha256=DnHN1wwHXiXib4Y9BV__x9WrbUaTovoTIxW-tVyScTU,106
 plain/packages/config.py,sha256=6Vdf1TEQllZkkEvK0WK__zHJYT9nxmS3EyYrbuq0GkM,11201
@@ -67,13 +66,13 @@ plain/preflight/files.py,sha256=wbHCNgps7o1c1zQNBd8FDCaVaqX90UwuvLgEQ_DbUpY,510
 plain/preflight/messages.py,sha256=u0oc7q7YmBlKYJRcF5SQpzncfOkEzDhZTcpyclQDfHg,2427
 plain/preflight/registry.py,sha256=ZpxnZPIklXuT8xZVTxCUp_IER3zhd7DdfsmqIpAbLj4,2306
 plain/preflight/security/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-plain/preflight/security/base.py,sha256=EY9rgXi8qdzLY1mMq9lMqYJmIV2OhN66Vt96meblxoE,3541
-plain/preflight/security/csrf.py,sha256=EZy_DkVqc1kUmBA-UbNmhVsKhRINfmqgWSRlatKy5AA,1237
+plain/preflight/security/base.py,sha256=nsv-g-bFr_188mkOQwC1ZDnyS0rE6eZED8xZT-FEM8M,3074
+plain/preflight/security/csrf.py,sha256=8dKzs5kQwTTKeyfHbkrzdPk3OEoUN8mc-0xhSBo1KmM,1175
 plain/preflight/urls.py,sha256=O4PQ_v205VA2872fQlhPfxaihDDRCsVp0ZVKQ92aX4k,3019
-plain/runtime/README.md,sha256=wR0XrWAb4FGnOON2-O9ySSZCSMZmPkKGx-4DQXd_2h4,2209
-plain/runtime/__init__.py,sha256=vIh77lL4e5CoQZz-HxvXeJL5329s8VfPFpNxx9rHgxs,1384
-plain/runtime/global_settings.py,sha256=cVwGcdpDFf2OoYeGD3Lfv-mxGF48aKSGzZlLKwp8UKI,5566
-plain/runtime/user_settings.py,sha256=JhxmCCOmEMk0QHh82l5iTpEie-UdZh13aXGsLhE5PBw,11255
+plain/runtime/README.md,sha256=Q8VVO7JRGuYrDxzuYL6ptoilhclbecxKzpRXKgbWGkU,2061
+plain/runtime/__init__.py,sha256=DH8TwKTGJhjviOy4yh_d051v8YGaAWMlFBPhK8ZuC9g,1499
+plain/runtime/global_settings.py,sha256=_FaHDQjtLDoRCTv1-2EEA8GZWCiCVPJHIm_O7OxwrsU,5554
+plain/runtime/user_settings.py,sha256=-1xXUggueuOF3YlgnLfeyG55CUvR3azOGWr2UkTOmfs,11259
 plain/signals/README.md,sha256=cd3tKEgH-xc88CUWyDxl4-qv-HBXx8VT32BXVwA5azA,230
 plain/signals/__init__.py,sha256=eAs0kLqptuP6I31dWXeAqRNji3svplpAV4Ez6ktjwXM,131
 plain/signals/dispatch/__init__.py,sha256=FzEygqV9HsM6gopio7O2Oh_X230nA4d5Q9s0sUjMq0E,292
@@ -91,7 +90,7 @@ plain/templates/jinja/filters.py,sha256=3KJKKbxcv9dLzUDWPcaa88k3NU2m1GG3iMIgFhzX
 plain/templates/jinja/globals.py,sha256=qhvQuikkRkOTpHSW5FwdsvoViJNlRgHq3-O7ZyeajsE,669
 plain/test/README.md,sha256=Zso3Ir7a8vQerzKB6egjROQWkpveLAbscn7VTROPAiU,37
 plain/test/__init__.py,sha256=rXe88Y602NP8DBnReSyXb7dUzKoWweLuT43j-qwOUl4,138
-plain/test/client.py,sha256=cu43S-NL606VERUYi7NjvzIrVchlNLHqcKro7pnYmS4,31385
+plain/test/client.py,sha256=470yny2wfLEebdVjQckBqC9pqyDkHy8e0EH-rlVjsAQ,31368
 plain/urls/README.md,sha256=pWnCvgYkWN7rG7hSyBOtX4ZUP3iO7FhqM6lvwwYll6c,33
 plain/urls/__init__.py,sha256=3UzwIufXjIks2K_X_Vms2MV19IqvyPLrXUeHU3WP47c,753
 plain/urls/base.py,sha256=ECaOCEXs1ygKn4k1mt5XxSNPNlg5raJvx0aPaj7DFfE,3719
@@ -133,7 +132,7 @@ plain/utils/tree.py,sha256=wdWzmfsgc26YDF2wxhAY3yVxXTixQYqYDKE9mL3L3ZY,4383
 plain/validators.py,sha256=L9v9KtTe4iZhZVramZdKGf33R5Tt95FCdg2AJD2-2n0,19963
 plain/views/README.md,sha256=qndsXKyNMnipPlLaAvgQeGxqXknNQwlFh31Yxk8rHp8,5994
 plain/views/__init__.py,sha256=a-N1nkklVohJTtz0yD1MMaS0g66HviEjsKydNVVjvVc,392
-plain/views/base.py,sha256=WQy5btO4NNkEQAleII57oXUaDdd76a7OnFGdK7uFook,3160
+plain/views/base.py,sha256=wMkCAbr3XqXyP8dJr-O9atA1-N6K4-cTFflLhSYGOpY,3227
 plain/views/csrf.py,sha256=gO9npd_Ut_LoYF_u7Qb_ZsPRfSeE3aTPG97XlMp4oEo,724
 plain/views/errors.py,sha256=Y4oGX4Z6D2COKcDEfINvXE1acE8Ad15KwNNWPs5BCfc,967
 plain/views/exceptions.py,sha256=b4euI49ZUKS9O8AGAcFfiDpstzkRAuuj_uYQXzWNHME,138
@@ -142,8 +141,8 @@ plain/views/objects.py,sha256=9QBYyb8PgkRirXCQ8-Pms4_yMzP37dfeL30hWRYmtZg,7909
 plain/views/redirect.py,sha256=KLnlktzK6ZNMTlaEiZpMKQMEP5zeTgGLJ9BIkIJfwBo,1733
 plain/views/templates.py,sha256=nF9CcdhhjAyp3LB0RrSYnBaHpHzMfPSw719RCdcXk7o,2007
 plain/wsgi.py,sha256=R6k5FiAElvGDApEbMPTT0MPqSD7n2e2Az5chQqJZU0I,236
-plain-0.6.0.dist-info/LICENSE,sha256=m0D5O7QoH9l5Vz_rrX_9r-C8d9UNr_ciK6Qwac7o6yo,3175
-plain-0.6.0.dist-info/METADATA,sha256=QbORBVO36VHvPSJS5waroaoHUkGHP8wZ5Q22GO1ocaM,2716
-plain-0.6.0.dist-info/WHEEL,sha256=sP946D7jFCHeNz5Iq4fL4Lu-PrWrFsgfLXbbkciIZwg,88
-plain-0.6.0.dist-info/entry_points.txt,sha256=7O1RZTmMasKYB73bfqQcTwIhsXo7RjEIKv2WbtTtOIM,39
-plain-0.6.0.dist-info/RECORD,,
+plain-0.11.0.dist-info/LICENSE,sha256=m0D5O7QoH9l5Vz_rrX_9r-C8d9UNr_ciK6Qwac7o6yo,3175
+plain-0.11.0.dist-info/METADATA,sha256=tRnc7WP5pznuQMZQYEQXwyhi6cLywdRkcSikq-Vu9QI,2722
+plain-0.11.0.dist-info/WHEEL,sha256=Nq82e9rUAnEjt98J6MlVmMCZb-t9cYE2Ir1kpBmnWfs,88
+plain-0.11.0.dist-info/entry_points.txt,sha256=7O1RZTmMasKYB73bfqQcTwIhsXo7RjEIKv2WbtTtOIM,39
+plain-0.11.0.dist-info/RECORD,,

{plain-0.6.0.dist-info → plain-0.11.0.dist-info}/WHEEL

@@ -1,4 +1,4 @@
 Wheel-Version: 1.0
-Generator: poetry-core 1.9.0
+Generator: poetry-core 1.9.1
 Root-Is-Purelib: true
 Tag: py3-none-any

plain/middleware/README.md

@@ -1,3 +0,0 @@
-# Middleware
-
-Hook into the request/response cycle.

plain/middleware/gzip.py

@@ -1,64 +0,0 @@
-from plain.utils.cache import patch_vary_headers
-from plain.utils.regex_helper import _lazy_re_compile
-from plain.utils.text import compress_sequence, compress_string
-
-re_accepts_gzip = _lazy_re_compile(r"\bgzip\b")
-
-
-class GZipMiddleware:
-    """
-    Compress content if the browser allows gzip compression.
-    Set the Vary header accordingly, so that caches will base their storage
-    on the Accept-Encoding header.
-    """
-
-    max_random_bytes = 100
-
-    def __init__(self, get_response):
-        self.get_response = get_response
-
-    def __call__(self, request):
-        response = self.get_response(request)
-
-        # It's not worth attempting to compress really short responses.
-        if not response.streaming and len(response.content) < 200:
-            return response
-
-        # Avoid gzipping if we've already got a content-encoding.
-        if response.has_header("Content-Encoding"):
-            return response
-
-        patch_vary_headers(response, ("Accept-Encoding",))
-
-        ae = request.META.get("HTTP_ACCEPT_ENCODING", "")
-        if not re_accepts_gzip.search(ae):
-            return response
-
-        if response.streaming:
-            response.streaming_content = compress_sequence(
-                response.streaming_content,
-                max_random_bytes=self.max_random_bytes,
-            )
-            # Delete the `Content-Length` header for streaming content, because
-            # we won't know the compressed size until we stream it.
-            del response.headers["Content-Length"]
-        else:
-            # Return the compressed content only if it's actually shorter.
-            compressed_content = compress_string(
-                response.content,
-                max_random_bytes=self.max_random_bytes,
-            )
-            if len(compressed_content) >= len(response.content):
-                return response
-            response.content = compressed_content
-            response.headers["Content-Length"] = str(len(response.content))
-
-        # If there is a strong ETag, make it weak to fulfill the requirements
-        # of RFC 9110 Section 8.8.1 while also allowing conditional request
-        # matches on ETags.
-        etag = response.get("ETag")
-        if etag and etag.startswith('"'):
-            response.headers["ETag"] = "W/" + etag
-        response.headers["Content-Encoding"] = "gzip"
-
-        return response

plain/middleware/security.py

@@ -1,31 +0,0 @@
-import re
-
-from plain.http import ResponsePermanentRedirect
-from plain.runtime import settings
-
-
-class SecurityMiddleware:
-    def __init__(self, get_response):
-        self.get_response = get_response
-        self.redirect = settings.SECURE_SSL_REDIRECT
-        self.redirect_host = settings.SECURE_SSL_HOST
-        self.redirect_exempt = [re.compile(r) for r in settings.SECURE_REDIRECT_EXEMPT]
-
-        self.default_headers = settings.SECURE_DEFAULT_HEADERS
-
-    def __call__(self, request):
-        path = request.path.lstrip("/")
-        if (
-            self.redirect
-            and not request.is_secure()
-            and not any(pattern.search(path) for pattern in self.redirect_exempt)
-        ):
-            host = self.redirect_host or request.get_host()
-            return ResponsePermanentRedirect(f"https://{host}{request.get_full_path()}")
-
-        response = self.get_response(request)
-
-        for header, value in self.default_headers.items():
-            response.headers.setdefault(header, value)
-
-        return response