plain 0.66.0__py3-none-any.whl → 0.67.0__py3-none-any.whl

plain/CHANGELOG.md

@@ -1,5 +1,16 @@
 # plain changelog
 
+## [0.67.0](https://github.com/dropseed/plain/releases/plain@0.67.0) (2025-09-22)
+
+### What's changed
+
+- `ALLOWED_HOSTS` now defaults to `[]` (empty list) which allows all hosts, making it easier for development setups ([d3cb7712b9](https://github.com/dropseed/plain/commit/d3cb7712b9))
+- Empty `ALLOWED_HOSTS` in production now triggers a preflight error instead of a warning to ensure proper security configuration ([d3cb7712b9](https://github.com/dropseed/plain/commit/d3cb7712b9))
+
+### Upgrade instructions
+
+- No changes required
+
 ## [0.66.0](https://github.com/dropseed/plain/releases/plain@0.66.0) (2025-09-22)
 
 ### What's changed

plain/cli/agent/request.py

@@ -46,136 +46,127 @@ def request(path, method, data, user_id, follow, content_type, headers):
             click.secho("This command only works when DEBUG=True", fg="red", err=True)
             return
 
-        # Temporarily add testserver to ALLOWED_HOSTS so the test client can make requests
-        original_allowed_hosts = settings.ALLOWED_HOSTS
-        settings.ALLOWED_HOSTS = ["*"]
+        # Create test client
+        client = Client()
 
-        try:
-            # Create test client
-            client = Client()
+        # If user_id provided, force login
+        if user_id:
+            try:
+                # Get the User model using plain.auth utility
+                from plain.auth import get_user_model
 
-            # If user_id provided, force login
-            if user_id:
-                try:
-                    # Get the User model using plain.auth utility
-                    from plain.auth import get_user_model
-
-                    User = get_user_model()
-
-                    # Get the user
-                    try:
-                        user = User.query.get(id=user_id)
-                        client.force_login(user)
-                        click.secho(
-                            f"Authenticated as user {user_id}", fg="green", dim=True
-                        )
-                    except User.DoesNotExist:
-                        click.secho(f"User {user_id} not found", fg="red", err=True)
-                        return
-
-                except Exception as e:
-                    click.secho(f"Authentication error: {e}", fg="red", err=True)
-                    return
-
-            # Parse additional headers
-            header_dict = {}
-            for header in headers:
-                if ":" in header:
-                    key, value = header.split(":", 1)
-                    header_dict[key.strip()] = value.strip()
+                User = get_user_model()
 
-            # Prepare request data
-            if data and content_type and "json" in content_type.lower():
+                # Get the user
                 try:
-                    # Validate JSON
-                    json.loads(data)
-                except json.JSONDecodeError as e:
-                    click.secho(f"Invalid JSON data: {e}", fg="red", err=True)
+                    user = User.query.get(id=user_id)
+                    client.force_login(user)
+                    click.secho(
+                        f"Authenticated as user {user_id}", fg="green", dim=True
+                    )
+                except User.DoesNotExist:
+                    click.secho(f"User {user_id} not found", fg="red", err=True)
                     return
 
-            # Make the request
-            method = method.upper()
-            kwargs = {
-                "path": path,
-                "follow": follow,
-                "headers": header_dict or None,
-            }
-
-            if method in ("POST", "PUT", "PATCH") and data:
-                kwargs["data"] = data
-                if content_type:
-                    kwargs["content_type"] = content_type
-
-            # Call the appropriate client method
-            if method == "GET":
-                response = client.get(**kwargs)
-            elif method == "POST":
-                response = client.post(**kwargs)
-            elif method == "PUT":
-                response = client.put(**kwargs)
-            elif method == "PATCH":
-                response = client.patch(**kwargs)
-            elif method == "DELETE":
-                response = client.delete(**kwargs)
-            elif method == "HEAD":
-                response = client.head(**kwargs)
-            elif method == "OPTIONS":
-                response = client.options(**kwargs)
-            elif method == "TRACE":
-                response = client.trace(**kwargs)
-            else:
-                click.secho(f"Unsupported HTTP method: {method}", fg="red", err=True)
+            except Exception as e:
+                click.secho(f"Authentication error: {e}", fg="red", err=True)
+                return
+
+        # Parse additional headers
+        header_dict = {}
+        for header in headers:
+            if ":" in header:
+                key, value = header.split(":", 1)
+                header_dict[key.strip()] = value.strip()
+
+        # Prepare request data
+        if data and content_type and "json" in content_type.lower():
+            try:
+                # Validate JSON
+                json.loads(data)
+            except json.JSONDecodeError as e:
+                click.secho(f"Invalid JSON data: {e}", fg="red", err=True)
                 return
 
-            # Display response information
-            click.secho(
-                f"HTTP {response.status_code}",
-                fg="green" if response.status_code < 400 else "red",
-                bold=True,
-            )
-
-            # Show additional response info first
-            if hasattr(response, "user"):
-                click.secho(f"Authenticated user: {response.user}", fg="blue", dim=True)
-
-            if hasattr(response, "resolver_match") and response.resolver_match:
-                match = response.resolver_match
-                url_name = match.namespaced_url_name or match.url_name or "unnamed"
-                click.secho(f"URL pattern matched: {url_name}", fg="blue", dim=True)
-
-            # Show headers
-            if response.headers:
-                click.secho("Response Headers:", fg="yellow", bold=True)
-                for key, value in response.headers.items():
-                    click.echo(f"  {key}: {value}")
-                click.echo()
-
-            # Show response content last
-            if response.content:
-                content_type = response.headers.get("Content-Type", "")
-
-                if "json" in content_type.lower():
-                    try:
-                        json_data = response.json()
-                        click.secho("Response Body (JSON):", fg="yellow", bold=True)
-                        click.echo(json.dumps(json_data, indent=2))
-                    except Exception:
-                        click.secho("Response Body:", fg="yellow", bold=True)
-                        click.echo(response.content.decode("utf-8", errors="replace"))
-                elif "html" in content_type.lower():
-                    click.secho("Response Body (HTML):", fg="yellow", bold=True)
-                    content = response.content.decode("utf-8", errors="replace")
-                    click.echo(content)
-                else:
+        # Make the request
+        method = method.upper()
+        kwargs = {
+            "path": path,
+            "follow": follow,
+            "headers": header_dict or None,
+        }
+
+        if method in ("POST", "PUT", "PATCH") and data:
+            kwargs["data"] = data
+            if content_type:
+                kwargs["content_type"] = content_type
+
+        # Call the appropriate client method
+        if method == "GET":
+            response = client.get(**kwargs)
+        elif method == "POST":
+            response = client.post(**kwargs)
+        elif method == "PUT":
+            response = client.put(**kwargs)
+        elif method == "PATCH":
+            response = client.patch(**kwargs)
+        elif method == "DELETE":
+            response = client.delete(**kwargs)
+        elif method == "HEAD":
+            response = client.head(**kwargs)
+        elif method == "OPTIONS":
+            response = client.options(**kwargs)
+        elif method == "TRACE":
+            response = client.trace(**kwargs)
+        else:
+            click.secho(f"Unsupported HTTP method: {method}", fg="red", err=True)
+            return
+
+        # Display response information
+        click.secho(
+            f"HTTP {response.status_code}",
+            fg="green" if response.status_code < 400 else "red",
+            bold=True,
+        )
+
+        # Show additional response info first
+        if hasattr(response, "user"):
+            click.secho(f"Authenticated user: {response.user}", fg="blue", dim=True)
+
+        if hasattr(response, "resolver_match") and response.resolver_match:
+            match = response.resolver_match
+            url_name = match.namespaced_url_name or match.url_name or "unnamed"
+            click.secho(f"URL pattern matched: {url_name}", fg="blue", dim=True)
+
+        # Show headers
+        if response.headers:
+            click.secho("Response Headers:", fg="yellow", bold=True)
+            for key, value in response.headers.items():
+                click.echo(f"  {key}: {value}")
+            click.echo()
+
+        # Show response content last
+        if response.content:
+            content_type = response.headers.get("Content-Type", "")
+
+            if "json" in content_type.lower():
+                try:
+                    json_data = response.json()
+                    click.secho("Response Body (JSON):", fg="yellow", bold=True)
+                    click.echo(json.dumps(json_data, indent=2))
+                except Exception:
                     click.secho("Response Body:", fg="yellow", bold=True)
-                    content = response.content.decode("utf-8", errors="replace")
-                    click.echo(content)
+                    click.echo(response.content.decode("utf-8", errors="replace"))
+            elif "html" in content_type.lower():
+                click.secho("Response Body (HTML):", fg="yellow", bold=True)
+                content = response.content.decode("utf-8", errors="replace")
+                click.echo(content)
             else:
-                click.secho("(No response body)", fg="yellow", dim=True)
-
-        finally:
-            # Restore original ALLOWED_HOSTS
-            settings.ALLOWED_HOSTS = original_allowed_hosts
+                click.secho("Response Body:", fg="yellow", bold=True)
+                content = response.content.decode("utf-8", errors="replace")
+                click.echo(content)
+        else:
+            click.secho("(No response body)", fg="yellow", dim=True)
 
     except Exception as e:
         click.secho(f"Request failed: {e}", fg="red", err=True)

plain/internal/middleware/hosts.py

@@ -159,7 +159,6 @@ def validate_host(host: str, allowed_hosts: list[str]) -> bool:
     Check that the host looks valid and matches a host or host pattern in the
     given list of ``allowed_hosts``. Supported patterns:
 
-    - ``*`` matches anything
     - ``.example.com`` matches a domain and all its subdomains
       (e.g. ``example.com`` and ``sub.example.com``)
     - ``example.com`` matches exactly that domain
@@ -176,10 +175,6 @@ def validate_host(host: str, allowed_hosts: list[str]) -> bool:
     host_ip = parse_ip_address(host)
 
     for pattern in allowed_hosts:
-        # Wildcard matches everything
-        if pattern == "*":
-            return True
-
         # Check CIDR notation patterns using walrus operator
         if network := parse_cidr_pattern(pattern):
             if host_ip and host_ip in network:

plain/preflight/README.md

@@ -51,11 +51,11 @@ def custom_deploy_check(package_configs, **kwargs):
 
 ## Silencing preflight checks
 
-The `settings.PREFLIGHT_SILENCED_CHECKS` setting can be used to silence individual checks by their ID (ex. `security.W020`).
+The `settings.PREFLIGHT_SILENCED_CHECKS` setting can be used to silence individual checks by their ID (ex. `security.E020`).
 
 ```python
 # app/settings.py
 PREFLIGHT_SILENCED_CHECKS = [
-    "security.W020",
+    "security.E020",  # Allow empty ALLOWED_HOSTS in deployment
 ]
 ```

plain/preflight/security.py

@@ -1,7 +1,7 @@
 from plain.exceptions import ImproperlyConfigured
 from plain.runtime import settings
 
-from .messages import Warning
+from .messages import Error, Warning
 from .registry import register_check
 
 SECRET_KEY_MIN_LENGTH = 50
@@ -81,9 +81,9 @@ def check_allowed_hosts(package_configs, **kwargs):
         []
         if settings.ALLOWED_HOSTS
         else [
-            Warning(
+            Error(
                 "ALLOWED_HOSTS must not be empty in deployment.",
-                id="security.W020",
+                id="security.E020",
             )
         ]
     )

plain/runtime/global_settings.py

@@ -23,9 +23,10 @@ URLS_ROUTER: str
 # MARK: HTTP and Security
 
 # Hosts/domain names that are valid for this site.
-# "*" matches anything, ".example.com" matches example.com and all subdomains
-# "192.168.1.0/24" matches IP addresses in that CIDR range
-ALLOWED_HOSTS: list[str]
+# - An empty list [] allows all hosts (useful for development).
+# - ".example.com" matches example.com and all subdomains
+# - "192.168.1.0/24" matches IP addresses in that CIDR range
+ALLOWED_HOSTS: list[str] = []
 
 # Default headers for all responses.
 DEFAULT_RESPONSE_HEADERS = {

{plain-0.66.0.dist-info → plain-0.67.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plain
-Version: 0.66.0
+Version: 0.67.0
 Summary: A web framework for building products with Python.
 Author-email: Dave Gaeddert <dave.gaeddert@dropseed.dev>
 License-File: LICENSE

{plain-0.66.0.dist-info → plain-0.67.0.dist-info}/RECORD

@@ -1,5 +1,5 @@
 plain/AGENTS.md,sha256=5XMGBpJgbCNIpp60DPXB7bpAtFk8FAzqiZke95T965o,1038
-plain/CHANGELOG.md,sha256=9wAiAPwm8o5sNxPeriOAjP74g9sNxJRF5EpTTwjogpk,16069
+plain/CHANGELOG.md,sha256=8Ljw7VTQP1cn6sUy_1Pum2cmHsnmeRqbL8oBIWvxw-s,16604
 plain/README.md,sha256=5BJyKhf0TDanWVbOQyZ3zsi5Lov9xk-LlJYCDWofM6Y,4078
 plain/__main__.py,sha256=GK39854Lc_LO_JP8DzY9Y2MIQ4cQEl7SXFJy244-lC8,110
 plain/debug.py,sha256=XdjnXcbPGsi0J2SpHGaLthhYU5AjhBlkHdemaP4sbYY,758
@@ -44,7 +44,7 @@ plain/cli/agent/docs.py,sha256=ubX3ZeRHxVaetLk9fjiN9mJ07GZExC-CHUvQoX2DD7c,2464
 plain/cli/agent/llmdocs.py,sha256=AUpNDb1xSOsSpzGOiFvpzUe4f7PUGMiR9cI13aVZouo,5038
 plain/cli/agent/md.py,sha256=7r1II8ckubBFOZNGPASWaPmJdgByWFPINLqIOzRetLQ,2581
 plain/cli/agent/prompt.py,sha256=rugYyQHV7JDNqGrx3_PPShwwqYlnEVbxw8RsczOo8tg,1253
-plain/cli/agent/request.py,sha256=U4acLmpXlbFRjivrPtVv_r8DBts8OXg3m3-qotQxGL4,6547
+plain/cli/agent/request.py,sha256=uUbZoAhSSjOLtzgAAzacvqCS_27H-AvoeqIxpzjUjAA,5800
 plain/csrf/README.md,sha256=ApWpB-qlEf0LkOKm9Yr-6f_lB9XJEvGFDo_fraw8ghI,2391
 plain/csrf/middleware.py,sha256=KF8ngFadWdS0MHXC1dTLx-K3VtD6Xs-3RDjFqpiiEjQ,5053
 plain/csrf/views.py,sha256=HwQqfI6KPelHP9gSXhjfZaTLQic71PKsoZ6DPhr1rKI,572
@@ -75,7 +75,7 @@ plain/internal/handlers/exception.py,sha256=TbPYtgZ7ITJahUKhQWkptHK28Lb4zh_nOviN
 plain/internal/handlers/wsgi.py,sha256=dgPT29t_F9llB-c5RYU3SHxGuZNaZ83xRjOfuOmtOl8,8209
 plain/internal/middleware/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 plain/internal/middleware/headers.py,sha256=ENIW1Gwat54hv-ejgp2R8QTZm-PlaI7k44WU01YQrNk,964
-plain/internal/middleware/hosts.py,sha256=eDrW8ksCVyxZqehA6enNDG_nYOc2c2-CMvwMlfS4n9g,5918
+plain/internal/middleware/hosts.py,sha256=vKdjElDk1-Ju6FUXtm5t0AfPPN-DPhjS31PkRrhM6vc,5799
 plain/internal/middleware/https.py,sha256=bjysNX6_2l4Rp4DpzF2XYjH-m6gfHNq2x-MN2hHGW78,804
 plain/internal/middleware/slash.py,sha256=qBTJ-yvOM0d8gUISUC7Fx22LG6aj76uhOiNHjvTkAAs,2840
 plain/logs/README.md,sha256=rzOHfngjizLgXL21g0svC1Cdya2s_gBA_E-IljtHpy8,4069
@@ -89,16 +89,16 @@ plain/packages/README.md,sha256=iNqMtwFDVNf2TqKUzLKQW5Y4_GsssmdB4cVerzu27Ro,2674
 plain/packages/__init__.py,sha256=OpQny0xLplPdPpozVUUkrW2gB-IIYyDT1b4zMzOcCC4,160
 plain/packages/config.py,sha256=2U7b1cp_kqIuLdSeHGCLrSUV77TdfGRsww3PcXOazaA,2910
 plain/packages/registry.py,sha256=6ogeHZ8t3kBSoLoI7998r0kIbkEPhLGn-7yi-1qVjVo,7969
-plain/preflight/README.md,sha256=Ae7ujHmsJhTpRGX0pghBwGD2CG7SIxngenyb5CSbc2M,1721
+plain/preflight/README.md,sha256=6fA6zXmNUtO5xMrVV-0JLyzSJsIIEEGZyFSAW53nYYE,1764
 plain/preflight/__init__.py,sha256=j4-yPnrM5hmjumrdkBLOQjFHzRHpA6wCjiFpMNBjIqY,619
 plain/preflight/files.py,sha256=D_pBSwRXpXy2-3FWywweozuxrhIaR8w5hpPA2d6XMPs,522
 plain/preflight/messages.py,sha256=B6VyXzu7HTJHaPVK4G1L_1HVHG87CT7JPtcDk8QYSeE,2322
 plain/preflight/registry.py,sha256=vcqzaE1MIneNL_ydKPy_1zrSThnzsrWARSClLCJ-4b8,2331
-plain/preflight/security.py,sha256=oxUZBp2M0bpBfUoLYepIxoex2Y90nyjlrL8XU8UTHYY,2438
+plain/preflight/security.py,sha256=71cW35LMOlciAbtWXf50EhKhQQCZ-2LlQgXJ6Zxhxv4,2443
 plain/preflight/urls.py,sha256=cQ-WnFa_5oztpKdtwhuIGb7pXEml__bHsjs1SWO2YNI,1468
 plain/runtime/README.md,sha256=sTqXXJkckwqkk9O06XMMSNRokAYjrZBnB50JD36BsYI,4873
 plain/runtime/__init__.py,sha256=byFYnHrpUCwkpkHtdNhxr9iUdLDCWJjy92HPj30Ilck,2478
-plain/runtime/global_settings.py,sha256=tTvx7Z9gtkdy297n20aVhuHz7XKmo7OFU1spuJ22dhQ,5821
+plain/runtime/global_settings.py,sha256=EZ9mdDkwJkXGWDs0bnYnNmpfX49GP30RyU5HgxlrRPc,5872
 plain/runtime/user_settings.py,sha256=OzMiEkE6ZQ50nxd1WIqirXPiNuMAQULklYHEzgzLWgA,11027
 plain/runtime/utils.py,sha256=p5IuNTzc7Kq-9Ym7etYnt_xqHw5TioxfSkFeq1bKdgk,832
 plain/signals/README.md,sha256=XefXqROlDhzw7Z5l_nx6Mhq6n9jjQ-ECGbH0vvhKWYg,272
@@ -161,8 +161,8 @@ plain/views/forms.py,sha256=ESZOXuo6IeYixp1RZvPb94KplkowRiwO2eGJCM6zJI0,2400
 plain/views/objects.py,sha256=v3Vgvdoc1s0QW6JNWWrO5XXy9zF7vgwndgxX1eOSQoE,4999
 plain/views/redirect.py,sha256=Xpb3cB7nZYvKgkNqcAxf9Jwm2SWcQ0u2xz4oO5M3vP8,1909
 plain/views/templates.py,sha256=oAlebEyfES0rzBhfyEJzFmgLkpkbleA6Eip-8zDp-yk,1863
-plain-0.66.0.dist-info/METADATA,sha256=Gdvvx2LeKOpOjVbrSmq1S5DLWDT9qGGOmy4v-kOb_y4,4488
-plain-0.66.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-plain-0.66.0.dist-info/entry_points.txt,sha256=iGx7EijzXy87htbSv90RhtAcjhSTH_kvE8aeRCn1TRA,129
-plain-0.66.0.dist-info/licenses/LICENSE,sha256=m0D5O7QoH9l5Vz_rrX_9r-C8d9UNr_ciK6Qwac7o6yo,3175
-plain-0.66.0.dist-info/RECORD,,
+plain-0.67.0.dist-info/METADATA,sha256=w_ZT2zv65VtVbl4yh0tKrVw8q9PeDj0cKWeeLm3pPNU,4488
+plain-0.67.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+plain-0.67.0.dist-info/entry_points.txt,sha256=iGx7EijzXy87htbSv90RhtAcjhSTH_kvE8aeRCn1TRA,129
+plain-0.67.0.dist-info/licenses/LICENSE,sha256=m0D5O7QoH9l5Vz_rrX_9r-C8d9UNr_ciK6Qwac7o6yo,3175
+plain-0.67.0.dist-info/RECORD,,