plain 0.65.1__tar.gz → 0.67.0__tar.gz

{plain-0.65.1 → plain-0.67.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plain
-Version: 0.65.1
+Version: 0.67.0
 Summary: A web framework for building products with Python.
 Author-email: Dave Gaeddert <dave.gaeddert@dropseed.dev>
 License-File: LICENSE

{plain-0.65.1 → plain-0.67.0}/plain/CHANGELOG.md

@@ -1,5 +1,30 @@
 # plain changelog
 
+## [0.67.0](https://github.com/dropseed/plain/releases/plain@0.67.0) (2025-09-22)
+
+### What's changed
+
+- `ALLOWED_HOSTS` now defaults to `[]` (empty list) which allows all hosts, making it easier for development setups ([d3cb7712b9](https://github.com/dropseed/plain/commit/d3cb7712b9))
+- Empty `ALLOWED_HOSTS` in production now triggers a preflight error instead of a warning to ensure proper security configuration ([d3cb7712b9](https://github.com/dropseed/plain/commit/d3cb7712b9))
+
+### Upgrade instructions
+
+- No changes required
+
+## [0.66.0](https://github.com/dropseed/plain/releases/plain@0.66.0) (2025-09-22)
+
+### What's changed
+
+- Host validation moved to dedicated middleware and `ALLOWED_HOSTS` setting is now required ([6a4b7be](https://github.com/dropseed/plain/commit/6a4b7be220))
+- Changed `request.get_port()` method to `request.port` cached property ([544f3e1](https://github.com/dropseed/plain/commit/544f3e19f8))
+- Removed internal `request._get_full_path()` method ([50cdb58](https://github.com/dropseed/plain/commit/50cdb58d4e))
+
+### Upgrade instructions
+
+- Add `ALLOWED_HOSTS` setting to your configuration if not already present (required for host validation)
+- Replace any usage of `request.get_host()` with `request.host`
+- Replace any usage of `request.get_port()` with `request.port`
+
 ## [0.65.1](https://github.com/dropseed/plain/releases/plain@0.65.1) (2025-09-22)
 
 ### What's changed

plain-0.67.0/plain/cli/agent/request.py

@@ -0,0 +1,172 @@
+import json
+
+import click
+
+from plain.runtime import settings
+from plain.test import Client
+
+
+@click.command()
+@click.argument("path")
+@click.option(
+    "--method",
+    default="GET",
+    help="HTTP method (GET, POST, PUT, PATCH, DELETE, etc.)",
+)
+@click.option(
+    "--data",
+    help="Request data (JSON string for POST/PUT/PATCH)",
+)
+@click.option(
+    "--user",
+    "user_id",
+    help="User ID to authenticate as (skips normal authentication)",
+)
+@click.option(
+    "--follow/--no-follow",
+    default=True,
+    help="Follow redirects (default: True)",
+)
+@click.option(
+    "--content-type",
+    help="Content-Type header for request data",
+)
+@click.option(
+    "--header",
+    "headers",
+    multiple=True,
+    help="Additional headers (format: 'Name: Value')",
+)
+def request(path, method, data, user_id, follow, content_type, headers):
+    """Make an HTTP request using the test client against the development database."""
+
+    try:
+        # Only allow in DEBUG mode for security
+        if not settings.DEBUG:
+            click.secho("This command only works when DEBUG=True", fg="red", err=True)
+            return
+
+        # Create test client
+        client = Client()
+
+        # If user_id provided, force login
+        if user_id:
+            try:
+                # Get the User model using plain.auth utility
+                from plain.auth import get_user_model
+
+                User = get_user_model()
+
+                # Get the user
+                try:
+                    user = User.query.get(id=user_id)
+                    client.force_login(user)
+                    click.secho(
+                        f"Authenticated as user {user_id}", fg="green", dim=True
+                    )
+                except User.DoesNotExist:
+                    click.secho(f"User {user_id} not found", fg="red", err=True)
+                    return
+
+            except Exception as e:
+                click.secho(f"Authentication error: {e}", fg="red", err=True)
+                return
+
+        # Parse additional headers
+        header_dict = {}
+        for header in headers:
+            if ":" in header:
+                key, value = header.split(":", 1)
+                header_dict[key.strip()] = value.strip()
+
+        # Prepare request data
+        if data and content_type and "json" in content_type.lower():
+            try:
+                # Validate JSON
+                json.loads(data)
+            except json.JSONDecodeError as e:
+                click.secho(f"Invalid JSON data: {e}", fg="red", err=True)
+                return
+
+        # Make the request
+        method = method.upper()
+        kwargs = {
+            "path": path,
+            "follow": follow,
+            "headers": header_dict or None,
+        }
+
+        if method in ("POST", "PUT", "PATCH") and data:
+            kwargs["data"] = data
+            if content_type:
+                kwargs["content_type"] = content_type
+
+        # Call the appropriate client method
+        if method == "GET":
+            response = client.get(**kwargs)
+        elif method == "POST":
+            response = client.post(**kwargs)
+        elif method == "PUT":
+            response = client.put(**kwargs)
+        elif method == "PATCH":
+            response = client.patch(**kwargs)
+        elif method == "DELETE":
+            response = client.delete(**kwargs)
+        elif method == "HEAD":
+            response = client.head(**kwargs)
+        elif method == "OPTIONS":
+            response = client.options(**kwargs)
+        elif method == "TRACE":
+            response = client.trace(**kwargs)
+        else:
+            click.secho(f"Unsupported HTTP method: {method}", fg="red", err=True)
+            return
+
+        # Display response information
+        click.secho(
+            f"HTTP {response.status_code}",
+            fg="green" if response.status_code < 400 else "red",
+            bold=True,
+        )
+
+        # Show additional response info first
+        if hasattr(response, "user"):
+            click.secho(f"Authenticated user: {response.user}", fg="blue", dim=True)
+
+        if hasattr(response, "resolver_match") and response.resolver_match:
+            match = response.resolver_match
+            url_name = match.namespaced_url_name or match.url_name or "unnamed"
+            click.secho(f"URL pattern matched: {url_name}", fg="blue", dim=True)
+
+        # Show headers
+        if response.headers:
+            click.secho("Response Headers:", fg="yellow", bold=True)
+            for key, value in response.headers.items():
+                click.echo(f"  {key}: {value}")
+            click.echo()
+
+        # Show response content last
+        if response.content:
+            content_type = response.headers.get("Content-Type", "")
+
+            if "json" in content_type.lower():
+                try:
+                    json_data = response.json()
+                    click.secho("Response Body (JSON):", fg="yellow", bold=True)
+                    click.echo(json.dumps(json_data, indent=2))
+                except Exception:
+                    click.secho("Response Body:", fg="yellow", bold=True)
+                    click.echo(response.content.decode("utf-8", errors="replace"))
+            elif "html" in content_type.lower():
+                click.secho("Response Body (HTML):", fg="yellow", bold=True)
+                content = response.content.decode("utf-8", errors="replace")
+                click.echo(content)
+            else:
+                click.secho("Response Body:", fg="yellow", bold=True)
+                content = response.content.decode("utf-8", errors="replace")
+                click.echo(content)
+        else:
+            click.secho("(No response body)", fg="yellow", dim=True)
+
+    except Exception as e:
+        click.secho(f"Request failed: {e}", fg="red", err=True)

{plain-0.65.1 → plain-0.67.0}/plain/csrf/middleware.py

@@ -2,7 +2,6 @@ import logging
 import re
 from urllib.parse import urlparse
 
-from plain.exceptions import DisallowedHost
 from plain.logs.utils import log_response
 from plain.runtime import settings
 
@@ -81,8 +80,8 @@ class CsrfViewMiddleware:
         if origin == "null":
             return False, "Cross-origin request detected - null Origin header"
 
-        try:
-            if (parsed_origin := urlparse(origin)) and (host := request.get_host()):
+        if (parsed_origin := urlparse(origin)) and (host := request.host):
+            try:
                 # Scheme-agnostic host:port comparison
                 origin_host = parsed_origin.hostname
                 origin_port = parsed_origin.port or (
@@ -97,7 +96,7 @@ class CsrfViewMiddleware:
                 # Use a fake scheme since we only care about host parsing
                 parsed_host = urlparse(f"http://{host}")
                 request_host = parsed_host.hostname or host
-                request_port = request.get_port()
+                request_port = request.port
 
                 # Compare hostname and port (scheme-agnostic)
                 # Both origin_host and request_host are normalized by urlparse (IPv6 brackets stripped)
@@ -110,8 +109,8 @@ class CsrfViewMiddleware:
                             True,
                             f"Same-origin request - Origin {origin} matches Host {host}",
                         )
-        except (ValueError, DisallowedHost):
-            pass
+            except ValueError:
+                pass
 
         # Origin present but doesn't match host
         return (

{plain-0.65.1 → plain-0.67.0}/plain/exceptions.py

@@ -67,12 +67,6 @@ class SuspiciousFileOperation(SuspiciousOperation):
     pass
 
 
-class DisallowedHost(SuspiciousOperation):
-    """HTTP_HOST header contains invalid value"""
-
-    pass
-
-
 class TooManyFieldsSent(SuspiciousOperation):
     """
     The number of fields in a GET or POST request exceeded

{plain-0.65.1 → plain-0.67.0}/plain/http/request.py

@@ -8,7 +8,6 @@ from itertools import chain
 from urllib.parse import parse_qsl, quote, urlencode, urljoin, urlsplit
 
 from plain.exceptions import (
-    DisallowedHost,
     ImproperlyConfigured,
     RequestDataTooBig,
     TooManyFieldsSent,
@@ -29,8 +28,6 @@ from plain.utils.datastructures import (
 from plain.utils.encoding import iri_to_uri
 from plain.utils.http import parse_header_parameters
 
-from .hosts import split_domain_port, validate_host
-
 
 class UnreadablePostError(OSError):
     pass
@@ -123,10 +120,13 @@ class HttpRequest:
             else:
                 self.encoding = self.content_params["charset"]
 
-    def _get_raw_host(self):
+    @cached_property
+    def host(self):
         """
-        Return the HTTP host using the environment or request headers. Skip
-        allowed hosts protection, so may return an insecure host.
+        Return the HTTP host using the environment or request headers.
+
+        Host validation is performed by HostValidationMiddleware, so this
+        property can safely return the host without any validation.
         """
         # We try three options, in order of decreasing preference.
         if settings.USE_X_FORWARDED_HOST and ("HTTP_X_FORWARDED_HOST" in self.meta):
@@ -136,34 +136,13 @@ class HttpRequest:
         else:
             # Reconstruct the host using the algorithm from PEP 333.
             host = self.meta["SERVER_NAME"]
-            server_port = self.get_port()
+            server_port = self.port
             if server_port != ("443" if self.is_https() else "80"):
                 host = f"{host}:{server_port}"
         return host
 
-    def get_host(self):
-        """Return the HTTP host using the environment or request headers."""
-        host = self._get_raw_host()
-
-        # Allow variants of localhost if ALLOWED_HOSTS is empty and DEBUG=True.
-        allowed_hosts = settings.ALLOWED_HOSTS
-        if settings.DEBUG and not allowed_hosts:
-            allowed_hosts = [".localhost", "127.0.0.1", "[::1]"]
-
-        domain, port = split_domain_port(host)
-        if domain and validate_host(domain, allowed_hosts):
-            return host
-        else:
-            msg = f"Invalid HTTP_HOST header: {host!r}."
-            if domain:
-                msg += f" You may need to add {domain!r} to ALLOWED_HOSTS."
-            else:
-                msg += (
-                    " The domain name provided is not valid according to RFC 1034/1035."
-                )
-            raise DisallowedHost(msg)
-
-    def get_port(self):
+    @cached_property
+    def port(self):
         """Return the port number for the request as a string."""
         if settings.USE_X_FORWARDED_PORT and "HTTP_X_FORWARDED_PORT" in self.meta:
             port = self.meta["HTTP_X_FORWARDED_PORT"]
@@ -172,9 +151,12 @@ class HttpRequest:
         return str(port)
 
     def get_full_path(self, force_append_slash=False):
-        return self._get_full_path(self.path, force_append_slash)
+        """
+        Return the full path for the request, including query string.
 
-    def _get_full_path(self, path, force_append_slash):
+        If force_append_slash is True, append a trailing slash if the path
+        doesn't already end with one.
+        """
         # RFC 3986 requires query string arguments to be in the ASCII range.
         # Rather than crash if this doesn't happen, we encode defensively.
 
@@ -195,8 +177,8 @@ class HttpRequest:
             return quote(path, safe="/:@&+$,-_.!~*'()")
 
         return "{}{}{}".format(
-            escape_uri_path(path),
-            "/" if force_append_slash and not path.endswith("/") else "",
+            escape_uri_path(self.path),
+            "/" if force_append_slash and not self.path.endswith("/") else "",
             ("?" + iri_to_uri(self.meta.get("QUERY_STRING", "")))
             if self.meta.get("QUERY_STRING", "")
             else "",
@@ -220,7 +202,7 @@ class HttpRequest:
             location = str(location)
         bits = urlsplit(location)
         if not (bits.scheme and bits.netloc):
-            current_scheme_host = f"{self.scheme}://{self.get_host()}"
+            current_scheme_host = f"{self.scheme}://{self.host}"
 
             # Handle the simple, most common case. If the location is absolute
             # and a scheme or host (netloc) isn't provided, skip an expensive

{plain-0.65.1 → plain-0.67.0}/plain/internal/handlers/base.py

@@ -4,7 +4,7 @@ import types
 from opentelemetry import baggage, trace
 from opentelemetry.semconv.attributes import http_attributes, url_attributes
 
-from plain.exceptions import DisallowedHost, ImproperlyConfigured
+from plain.exceptions import ImproperlyConfigured
 from plain.logs.utils import log_response
 from plain.runtime import settings
 from plain.urls import get_resolver
@@ -17,6 +17,7 @@ logger = logging.getLogger("plain.request")
 
 # These middleware classes are always used by Plain.
 BUILTIN_BEFORE_MIDDLEWARE = [
+    "plain.internal.middleware.hosts.HostValidationMiddleware",  # Validate Host header first
     "plain.internal.middleware.headers.DefaultHeadersMiddleware",  # Runs after response, to set missing headers
     "plain.internal.middleware.https.HttpsRedirectMiddleware",  # Runs before response, to redirect to HTTPS quickly
     "plain.csrf.middleware.CsrfViewMiddleware",  # Runs before and after get_response...
@@ -78,10 +79,6 @@ class BaseHandler:
         except KeyError:
             # Missing required WSGI environment variables (e.g. in tests)
             pass
-        except DisallowedHost:
-            # Invalid host header - skip URL_FULL for telemetry but let the
-            # exception be handled normally by middleware for proper 400 response
-            pass
 
         # Add query string if present
         if query_string := request.meta.get("QUERY_STRING"):

{plain-0.65.1/plain/http → plain-0.67.0/plain/internal/middleware}/hosts.py

@@ -1,19 +1,65 @@
-"""
-Host validation utilities for ALLOWED_HOSTS functionality.
-
-This module provides functions for validating hosts against allowed patterns,
-including domain patterns, wildcards, and CIDR notation for IP ranges.
-"""
-
 import ipaddress
+import logging
 
+from plain.http import HttpRequest, ResponseBadRequest
+from plain.runtime import settings
 from plain.utils.regex_helper import _lazy_re_compile
 
+logger = logging.getLogger(__name__)
+
 host_validation_re = _lazy_re_compile(
     r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9\.:]+\])(:[0-9]+)?$"
 )
 
 
+class HostValidationMiddleware:
+    """
+    Middleware to validate the Host header against ALLOWED_HOSTS.
+
+    This middleware should run first to ensure all subsequent code can trust
+    that the host header is valid. Returns a 400 Bad Request response if the
+    host is not allowed.
+    """
+
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+    def __call__(self, request):
+        if not is_host_valid(request):
+            host = request.host
+            msg = f"Invalid HTTP_HOST header: {host!r}."
+
+            domain, _ = split_domain_port(host)
+            if domain:
+                msg += f" You may need to add {domain!r} to ALLOWED_HOSTS."
+            else:
+                msg += (
+                    " The domain name provided is not valid according to RFC 1034/1035."
+                )
+
+            logger.warning(
+                msg,
+                extra={"status_code": 400, "request": request},
+            )
+
+            return ResponseBadRequest()
+
+        return self.get_response(request)
+
+
+def is_host_valid(request: HttpRequest) -> bool:
+    """
+    Check if the host is valid according to ALLOWED_HOSTS settings.
+    """
+    allowed_hosts = settings.ALLOWED_HOSTS
+
+    if not allowed_hosts:
+        return True  # Allow all hosts if ALLOWED_HOSTS is empty
+
+    domain, _ = split_domain_port(request.host)
+    return bool(domain) and validate_host(domain, allowed_hosts)
+
+
 def split_domain_port(host: str) -> tuple[str, str]:
     """
     Return a (domain, port) tuple from a given host.
@@ -36,7 +82,7 @@ def split_domain_port(host: str) -> tuple[str, str]:
     return domain, port
 
 
-def _is_same_domain(host: str, pattern: str) -> bool:
+def is_same_domain(host: str, pattern: str) -> bool:
     """
     Return ``True`` if the host is either an exact match or a match
     to the wildcard pattern.
@@ -56,7 +102,7 @@ def _is_same_domain(host: str, pattern: str) -> bool:
     )
 
 
-def _parse_ip_address(
+def parse_ip_address(
     host: str,
 ) -> ipaddress.IPv4Address | ipaddress.IPv6Address | None:
     """
@@ -75,7 +121,7 @@ def _parse_ip_address(
         return None
 
 
-def _parse_cidr_pattern(
+def parse_cidr_pattern(
     pattern: str,
 ) -> ipaddress.IPv4Network | ipaddress.IPv6Network | None:
     """
@@ -113,7 +159,6 @@ def validate_host(host: str, allowed_hosts: list[str]) -> bool:
     Check that the host looks valid and matches a host or host pattern in the
     given list of ``allowed_hosts``. Supported patterns:
 
-    - ``*`` matches anything
     - ``.example.com`` matches a domain and all its subdomains
       (e.g. ``example.com`` and ``sub.example.com``)
     - ``example.com`` matches exactly that domain
@@ -127,21 +172,17 @@ def validate_host(host: str, allowed_hosts: list[str]) -> bool:
     Return ``True`` for a valid host, ``False`` otherwise.
     """
     # Parse the host as an IP address if possible
-    host_ip = _parse_ip_address(host)
+    host_ip = parse_ip_address(host)
 
     for pattern in allowed_hosts:
-        # Wildcard matches everything
-        if pattern == "*":
-            return True
-
         # Check CIDR notation patterns using walrus operator
-        if network := _parse_cidr_pattern(pattern):
+        if network := parse_cidr_pattern(pattern):
             if host_ip and host_ip in network:
                 return True
             continue
 
         # For non-CIDR patterns, use existing domain matching logic
-        if _is_same_domain(host, pattern):
+        if is_same_domain(host, pattern):
             return True
 
     return False

{plain-0.65.1 → plain-0.67.0}/plain/internal/middleware/https.py

@@ -21,7 +21,6 @@ class HttpsRedirectMiddleware:
 
     def maybe_https_redirect(self, request):
         if self.https_redirect_enabled and not request.is_https():
-            host = request.get_host()
             return ResponseRedirect(
-                f"https://{host}{request.get_full_path()}", status_code=301
+                f"https://{request.host}{request.get_full_path()}", status_code=301
             )

{plain-0.65.1 → plain-0.67.0}/plain/internal/middleware/slash.py

@@ -65,7 +65,7 @@ class RedirectSlashMiddleware:
                 f"You called this URL via {request.method}, but the URL doesn't end "
                 "in a slash and you have APPEND_SLASH set. Plain can't "
                 f"redirect to the slash URL while maintaining {request.method} data. "
-                f"Change your form to point to {request.get_host() + new_path} (note the trailing "
+                f"Change your form to point to {request.host + new_path} (note the trailing "
                 "slash), or set APPEND_SLASH=False in your Plain settings."
             )
         return new_path

{plain-0.65.1 → plain-0.67.0}/plain/preflight/README.md

@@ -51,11 +51,11 @@ def custom_deploy_check(package_configs, **kwargs):
 
 ## Silencing preflight checks
 
-The `settings.PREFLIGHT_SILENCED_CHECKS` setting can be used to silence individual checks by their ID (ex. `security.W020`).
+The `settings.PREFLIGHT_SILENCED_CHECKS` setting can be used to silence individual checks by their ID (ex. `security.E020`).
 
 ```python
 # app/settings.py
 PREFLIGHT_SILENCED_CHECKS = [
-    "security.W020",
+    "security.E020",  # Allow empty ALLOWED_HOSTS in deployment
 ]
 ```

{plain-0.65.1 → plain-0.67.0}/plain/preflight/security.py

@@ -1,7 +1,7 @@
 from plain.exceptions import ImproperlyConfigured
 from plain.runtime import settings
 
-from .messages import Warning
+from .messages import Error, Warning
 from .registry import register_check
 
 SECRET_KEY_MIN_LENGTH = 50
@@ -81,9 +81,9 @@ def check_allowed_hosts(package_configs, **kwargs):
         []
         if settings.ALLOWED_HOSTS
         else [
-            Warning(
+            Error(
                 "ALLOWED_HOSTS must not be empty in deployment.",
-                id="security.W020",
+                id="security.E020",
             )
         ]
     )

{plain-0.65.1 → plain-0.67.0}/plain/runtime/global_settings.py

@@ -23,8 +23,9 @@ URLS_ROUTER: str
 # MARK: HTTP and Security
 
 # Hosts/domain names that are valid for this site.
-# "*" matches anything, ".example.com" matches example.com and all subdomains
-# "192.168.1.0/24" matches IP addresses in that CIDR range
+# - An empty list [] allows all hosts (useful for development).
+# - ".example.com" matches example.com and all subdomains
+# - "192.168.1.0/24" matches IP addresses in that CIDR range
 ALLOWED_HOSTS: list[str] = []
 
 # Default headers for all responses.

{plain-0.65.1 → plain-0.67.0}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "plain"
-version = "0.65.1"
+version = "0.67.0"
 description = "A web framework for building products with Python."
 authors = [{name = "Dave Gaeddert", email = "dave.gaeddert@dropseed.dev"}]
 readme = "README.md"