plain 0.66.0__tar.gz → 0.67.0__tar.gz

{plain-0.66.0 → plain-0.67.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plain
-Version: 0.66.0
+Version: 0.67.0
 Summary: A web framework for building products with Python.
 Author-email: Dave Gaeddert <dave.gaeddert@dropseed.dev>
 License-File: LICENSE

{plain-0.66.0 → plain-0.67.0}/plain/CHANGELOG.md

@@ -1,5 +1,16 @@
 # plain changelog
 
+## [0.67.0](https://github.com/dropseed/plain/releases/plain@0.67.0) (2025-09-22)
+
+### What's changed
+
+- `ALLOWED_HOSTS` now defaults to `[]` (empty list) which allows all hosts, making it easier for development setups ([d3cb7712b9](https://github.com/dropseed/plain/commit/d3cb7712b9))
+- Empty `ALLOWED_HOSTS` in production now triggers a preflight error instead of a warning to ensure proper security configuration ([d3cb7712b9](https://github.com/dropseed/plain/commit/d3cb7712b9))
+
+### Upgrade instructions
+
+- No changes required
+
 ## [0.66.0](https://github.com/dropseed/plain/releases/plain@0.66.0) (2025-09-22)
 
 ### What's changed

plain-0.67.0/plain/cli/agent/request.py

@@ -0,0 +1,172 @@
+import json
+
+import click
+
+from plain.runtime import settings
+from plain.test import Client
+
+
+@click.command()
+@click.argument("path")
+@click.option(
+    "--method",
+    default="GET",
+    help="HTTP method (GET, POST, PUT, PATCH, DELETE, etc.)",
+)
+@click.option(
+    "--data",
+    help="Request data (JSON string for POST/PUT/PATCH)",
+)
+@click.option(
+    "--user",
+    "user_id",
+    help="User ID to authenticate as (skips normal authentication)",
+)
+@click.option(
+    "--follow/--no-follow",
+    default=True,
+    help="Follow redirects (default: True)",
+)
+@click.option(
+    "--content-type",
+    help="Content-Type header for request data",
+)
+@click.option(
+    "--header",
+    "headers",
+    multiple=True,
+    help="Additional headers (format: 'Name: Value')",
+)
+def request(path, method, data, user_id, follow, content_type, headers):
+    """Make an HTTP request using the test client against the development database."""
+
+    try:
+        # Only allow in DEBUG mode for security
+        if not settings.DEBUG:
+            click.secho("This command only works when DEBUG=True", fg="red", err=True)
+            return
+
+        # Create test client
+        client = Client()
+
+        # If user_id provided, force login
+        if user_id:
+            try:
+                # Get the User model using plain.auth utility
+                from plain.auth import get_user_model
+
+                User = get_user_model()
+
+                # Get the user
+                try:
+                    user = User.query.get(id=user_id)
+                    client.force_login(user)
+                    click.secho(
+                        f"Authenticated as user {user_id}", fg="green", dim=True
+                    )
+                except User.DoesNotExist:
+                    click.secho(f"User {user_id} not found", fg="red", err=True)
+                    return
+
+            except Exception as e:
+                click.secho(f"Authentication error: {e}", fg="red", err=True)
+                return
+
+        # Parse additional headers
+        header_dict = {}
+        for header in headers:
+            if ":" in header:
+                key, value = header.split(":", 1)
+                header_dict[key.strip()] = value.strip()
+
+        # Prepare request data
+        if data and content_type and "json" in content_type.lower():
+            try:
+                # Validate JSON
+                json.loads(data)
+            except json.JSONDecodeError as e:
+                click.secho(f"Invalid JSON data: {e}", fg="red", err=True)
+                return
+
+        # Make the request
+        method = method.upper()
+        kwargs = {
+            "path": path,
+            "follow": follow,
+            "headers": header_dict or None,
+        }
+
+        if method in ("POST", "PUT", "PATCH") and data:
+            kwargs["data"] = data
+            if content_type:
+                kwargs["content_type"] = content_type
+
+        # Call the appropriate client method
+        if method == "GET":
+            response = client.get(**kwargs)
+        elif method == "POST":
+            response = client.post(**kwargs)
+        elif method == "PUT":
+            response = client.put(**kwargs)
+        elif method == "PATCH":
+            response = client.patch(**kwargs)
+        elif method == "DELETE":
+            response = client.delete(**kwargs)
+        elif method == "HEAD":
+            response = client.head(**kwargs)
+        elif method == "OPTIONS":
+            response = client.options(**kwargs)
+        elif method == "TRACE":
+            response = client.trace(**kwargs)
+        else:
+            click.secho(f"Unsupported HTTP method: {method}", fg="red", err=True)
+            return
+
+        # Display response information
+        click.secho(
+            f"HTTP {response.status_code}",
+            fg="green" if response.status_code < 400 else "red",
+            bold=True,
+        )
+
+        # Show additional response info first
+        if hasattr(response, "user"):
+            click.secho(f"Authenticated user: {response.user}", fg="blue", dim=True)
+
+        if hasattr(response, "resolver_match") and response.resolver_match:
+            match = response.resolver_match
+            url_name = match.namespaced_url_name or match.url_name or "unnamed"
+            click.secho(f"URL pattern matched: {url_name}", fg="blue", dim=True)
+
+        # Show headers
+        if response.headers:
+            click.secho("Response Headers:", fg="yellow", bold=True)
+            for key, value in response.headers.items():
+                click.echo(f"  {key}: {value}")
+            click.echo()
+
+        # Show response content last
+        if response.content:
+            content_type = response.headers.get("Content-Type", "")
+
+            if "json" in content_type.lower():
+                try:
+                    json_data = response.json()
+                    click.secho("Response Body (JSON):", fg="yellow", bold=True)
+                    click.echo(json.dumps(json_data, indent=2))
+                except Exception:
+                    click.secho("Response Body:", fg="yellow", bold=True)
+                    click.echo(response.content.decode("utf-8", errors="replace"))
+            elif "html" in content_type.lower():
+                click.secho("Response Body (HTML):", fg="yellow", bold=True)
+                content = response.content.decode("utf-8", errors="replace")
+                click.echo(content)
+            else:
+                click.secho("Response Body:", fg="yellow", bold=True)
+                content = response.content.decode("utf-8", errors="replace")
+                click.echo(content)
+        else:
+            click.secho("(No response body)", fg="yellow", dim=True)
+
+    except Exception as e:
+        click.secho(f"Request failed: {e}", fg="red", err=True)

{plain-0.66.0 → plain-0.67.0}/plain/internal/middleware/hosts.py

@@ -159,7 +159,6 @@ def validate_host(host: str, allowed_hosts: list[str]) -> bool:
     Check that the host looks valid and matches a host or host pattern in the
     given list of ``allowed_hosts``. Supported patterns:
 
-    - ``*`` matches anything
     - ``.example.com`` matches a domain and all its subdomains
       (e.g. ``example.com`` and ``sub.example.com``)
     - ``example.com`` matches exactly that domain
@@ -176,10 +175,6 @@ def validate_host(host: str, allowed_hosts: list[str]) -> bool:
     host_ip = parse_ip_address(host)
 
     for pattern in allowed_hosts:
-        # Wildcard matches everything
-        if pattern == "*":
-            return True
-
         # Check CIDR notation patterns using walrus operator
         if network := parse_cidr_pattern(pattern):
             if host_ip and host_ip in network:

{plain-0.66.0 → plain-0.67.0}/plain/preflight/README.md

@@ -51,11 +51,11 @@ def custom_deploy_check(package_configs, **kwargs):
 
 ## Silencing preflight checks
 
-The `settings.PREFLIGHT_SILENCED_CHECKS` setting can be used to silence individual checks by their ID (ex. `security.W020`).
+The `settings.PREFLIGHT_SILENCED_CHECKS` setting can be used to silence individual checks by their ID (ex. `security.E020`).
 
 ```python
 # app/settings.py
 PREFLIGHT_SILENCED_CHECKS = [
-    "security.W020",
+    "security.E020",  # Allow empty ALLOWED_HOSTS in deployment
 ]
 ```

{plain-0.66.0 → plain-0.67.0}/plain/preflight/security.py

@@ -1,7 +1,7 @@
 from plain.exceptions import ImproperlyConfigured
 from plain.runtime import settings
 
-from .messages import Warning
+from .messages import Error, Warning
 from .registry import register_check
 
 SECRET_KEY_MIN_LENGTH = 50
@@ -81,9 +81,9 @@ def check_allowed_hosts(package_configs, **kwargs):
         []
         if settings.ALLOWED_HOSTS
         else [
-            Warning(
+            Error(
                 "ALLOWED_HOSTS must not be empty in deployment.",
-                id="security.W020",
+                id="security.E020",
             )
         ]
     )

{plain-0.66.0 → plain-0.67.0}/plain/runtime/global_settings.py

@@ -23,9 +23,10 @@ URLS_ROUTER: str
 # MARK: HTTP and Security
 
 # Hosts/domain names that are valid for this site.
-# "*" matches anything, ".example.com" matches example.com and all subdomains
-# "192.168.1.0/24" matches IP addresses in that CIDR range
-ALLOWED_HOSTS: list[str]
+# - An empty list [] allows all hosts (useful for development).
+# - ".example.com" matches example.com and all subdomains
+# - "192.168.1.0/24" matches IP addresses in that CIDR range
+ALLOWED_HOSTS: list[str] = []
 
 # Default headers for all responses.
 DEFAULT_RESPONSE_HEADERS = {

{plain-0.66.0 → plain-0.67.0}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "plain"
-version = "0.66.0"
+version = "0.67.0"
 description = "A web framework for building products with Python."
 authors = [{name = "Dave Gaeddert", email = "dave.gaeddert@dropseed.dev"}]
 readme = "README.md"

{plain-0.66.0 → plain-0.67.0}/tests/app/settings.py

@@ -1,4 +1,3 @@
-ALLOWED_HOSTS = []
 SECRET_KEY = "secret"
 DEBUG = True
 

{plain-0.66.0 → plain-0.67.0}/tests/test_csrf.py

@@ -115,67 +115,50 @@ def test_old_browser_fallback(headers):
 
 
 @pytest.mark.parametrize(
-    ("origin", "expected_allowed", "expected_reason_contains", "setup_allowed_hosts"),
+    ("origin", "expected_allowed", "expected_reason_contains"),
     [
         # Origin matches host - should be allowed
         (
             "https://testserver",
             True,
             "Same-origin request - Origin https://testserver matches Host testserver",
-            True,
         ),
         (
             "https://testserver:443",
             True,
             "Same-origin request - Origin https://testserver:443 matches Host testserver",
-            True,
         ),
         # Various rejection cases
-        ("null", False, "Cross-origin request detected - null Origin header", False),
-        ("https://attacker.com", False, "does not match Host", False),
-        ("https://sub.testserver", False, "does not match Host", False),
-        ("https://example.com:8080", False, "does not match Host", False),
-        ("http://example.com", False, "does not match Host", False),
+        ("null", False, "Cross-origin request detected - null Origin header"),
+        ("https://attacker.com", False, "does not match Host"),
+        ("https://sub.testserver", False, "does not match Host"),
+        ("https://example.com:8080", False, "does not match Host"),
+        ("http://example.com", False, "does not match Host"),
     ],
 )
-def test_origin_host_comparison(
-    origin, expected_allowed, expected_reason_contains, setup_allowed_hosts
-):
+def test_origin_host_comparison(origin, expected_allowed, expected_reason_contains):
     """Test Origin vs Host header comparison scenarios."""
-    from plain.runtime import settings
-
-    original_allowed_hosts = None
-    if setup_allowed_hosts:
-        # Temporarily modify ALLOWED_HOSTS to include testserver
-        original_allowed_hosts = settings.ALLOWED_HOSTS
-        settings.ALLOWED_HOSTS = [*settings.ALLOWED_HOSTS, "testserver"]
-
-    try:
-        rf = RequestFactory()
-        csrf_middleware = CsrfViewMiddleware(lambda request: None)
+    rf = RequestFactory()
+    csrf_middleware = CsrfViewMiddleware(lambda request: None)
 
-        # Configure request based on the origin
-        request_kwargs = {"headers": {"Origin": origin}}
-        if origin == "https://testserver:443":
-            request_kwargs.update(
-                {
-                    "SERVER_NAME": "testserver",
-                    "SERVER_PORT": "443",
-                    "secure": True,
-                }
-            )
-        elif origin == "https://testserver":
-            request_kwargs["secure"] = True
-
-        request = rf.post("/test/", **request_kwargs)
-        allowed, reason = csrf_middleware.should_allow_request(request)
+    # Configure request based on the origin
+    request_kwargs = {"headers": {"Origin": origin}}
+    if origin == "https://testserver:443":
+        request_kwargs.update(
+            {
+                "SERVER_NAME": "testserver",
+                "SERVER_PORT": "443",
+                "secure": True,
+            }
+        )
+    elif origin == "https://testserver":
+        request_kwargs["secure"] = True
+
+    request = rf.post("/test/", **request_kwargs)
+    allowed, reason = csrf_middleware.should_allow_request(request)
 
-        assert allowed is expected_allowed
-        assert expected_reason_contains in reason
-    finally:
-        if original_allowed_hosts is not None:
-            # Restore original ALLOWED_HOSTS
-            settings.ALLOWED_HOSTS = original_allowed_hosts
+    assert allowed is expected_allowed
+    assert expected_reason_contains in reason
 
 
 def test_invalid_origin_url():

{plain-0.66.0 → plain-0.67.0}/tests/test_http_hosts.py

@@ -57,12 +57,6 @@ def test_split_domain_port(host, expected_domain, expected_port):
 @pytest.mark.parametrize(
     ("host", "allowed_hosts", "expected"),
     [
-        # Wildcard matching
-        ("example.com", ["*"], True),
-        ("sub.example.com", ["*"], True),
-        ("127.0.0.1", ["*"], True),
-        ("[::1]", ["*"], True),
-        ("anything.at.all", ["*"], True),
         # Subdomain pattern matching
         ("example.com", [".example.com"], True),
         ("sub.example.com", [".example.com"], True),
@@ -84,7 +78,7 @@ def test_split_domain_port(host, expected_domain, expected_port):
         ("127.0.0.1", ["example.com", ".api.example.com", "127.0.0.1"], True),
         ("sub.example.com", ["example.com", ".api.example.com", "127.0.0.1"], False),
         ("other.com", ["example.com", ".api.example.com", "127.0.0.1"], False),
-        # Literal asterisk pattern (not treated as wildcard)
+        # Literal asterisk pattern (treated as literal string, not wildcard)
         ("*.test.com", ["*.test.com"], True),
         ("anything.test.com", ["*.test.com"], False),
         ("api.test.com", ["*.test.com"], False),
@@ -121,22 +115,6 @@ def test_split_domain_port(host, expected_domain, expected_port):
         ),
         ("example.com", [".api.example.com", ".staging.example.com"], False),
         ("www.example.com", [".api.example.com", ".staging.example.com"], False),
-        # Wildcard overrides other patterns
-        (
-            "anything.com",
-            ["*", "exact.com", ".subdomain.com", "127.0.0.1", "[::1]"],
-            True,
-        ),
-        (
-            "random.domain.org",
-            ["*", "exact.com", ".subdomain.com", "127.0.0.1", "[::1]"],
-            True,
-        ),
-        (
-            "192.168.1.100",
-            ["*", "exact.com", ".subdomain.com", "127.0.0.1", "[::1]"],
-            True,
-        ),
         # Edge cases
         ("", ["example.com"], False),
         ("example .com", ["example.com"], False),
@@ -196,9 +174,6 @@ def test_validate_host(host, allowed_hosts, expected):
         ("192.168.1.0/24", ["192.168.1.0/24"], False),  # Literal match of CIDR string
         ("192.168.1.100", ["192.168.1.0/999"], False),  # Invalid CIDR
         ("192.168.1.100", ["192.168.1.0/"], False),  # Invalid CIDR
-        # CIDR with wildcard - wildcard should take precedence
-        ("anything.com", ["*", "192.168.1.0/24"], True),
-        ("172.16.0.1", ["*", "192.168.1.0/24"], True),
         # Edge cases
         ("0.0.0.0", ["0.0.0.0/0"], True),  # Match all IPv4
         ("255.255.255.255", ["0.0.0.0/0"], True),

plain-0.66.0/plain/cli/agent/request.py

@@ -1,181 +0,0 @@
-import json
-
-import click
-
-from plain.runtime import settings
-from plain.test import Client
-
-
-@click.command()
-@click.argument("path")
-@click.option(
-    "--method",
-    default="GET",
-    help="HTTP method (GET, POST, PUT, PATCH, DELETE, etc.)",
-)
-@click.option(
-    "--data",
-    help="Request data (JSON string for POST/PUT/PATCH)",
-)
-@click.option(
-    "--user",
-    "user_id",
-    help="User ID to authenticate as (skips normal authentication)",
-)
-@click.option(
-    "--follow/--no-follow",
-    default=True,
-    help="Follow redirects (default: True)",
-)
-@click.option(
-    "--content-type",
-    help="Content-Type header for request data",
-)
-@click.option(
-    "--header",
-    "headers",
-    multiple=True,
-    help="Additional headers (format: 'Name: Value')",
-)
-def request(path, method, data, user_id, follow, content_type, headers):
-    """Make an HTTP request using the test client against the development database."""
-
-    try:
-        # Only allow in DEBUG mode for security
-        if not settings.DEBUG:
-            click.secho("This command only works when DEBUG=True", fg="red", err=True)
-            return
-
-        # Temporarily add testserver to ALLOWED_HOSTS so the test client can make requests
-        original_allowed_hosts = settings.ALLOWED_HOSTS
-        settings.ALLOWED_HOSTS = ["*"]
-
-        try:
-            # Create test client
-            client = Client()
-
-            # If user_id provided, force login
-            if user_id:
-                try:
-                    # Get the User model using plain.auth utility
-                    from plain.auth import get_user_model
-
-                    User = get_user_model()
-
-                    # Get the user
-                    try:
-                        user = User.query.get(id=user_id)
-                        client.force_login(user)
-                        click.secho(
-                            f"Authenticated as user {user_id}", fg="green", dim=True
-                        )
-                    except User.DoesNotExist:
-                        click.secho(f"User {user_id} not found", fg="red", err=True)
-                        return
-
-                except Exception as e:
-                    click.secho(f"Authentication error: {e}", fg="red", err=True)
-                    return
-
-            # Parse additional headers
-            header_dict = {}
-            for header in headers:
-                if ":" in header:
-                    key, value = header.split(":", 1)
-                    header_dict[key.strip()] = value.strip()
-
-            # Prepare request data
-            if data and content_type and "json" in content_type.lower():
-                try:
-                    # Validate JSON
-                    json.loads(data)
-                except json.JSONDecodeError as e:
-                    click.secho(f"Invalid JSON data: {e}", fg="red", err=True)
-                    return
-
-            # Make the request
-            method = method.upper()
-            kwargs = {
-                "path": path,
-                "follow": follow,
-                "headers": header_dict or None,
-            }
-
-            if method in ("POST", "PUT", "PATCH") and data:
-                kwargs["data"] = data
-                if content_type:
-                    kwargs["content_type"] = content_type
-
-            # Call the appropriate client method
-            if method == "GET":
-                response = client.get(**kwargs)
-            elif method == "POST":
-                response = client.post(**kwargs)
-            elif method == "PUT":
-                response = client.put(**kwargs)
-            elif method == "PATCH":
-                response = client.patch(**kwargs)
-            elif method == "DELETE":
-                response = client.delete(**kwargs)
-            elif method == "HEAD":
-                response = client.head(**kwargs)
-            elif method == "OPTIONS":
-                response = client.options(**kwargs)
-            elif method == "TRACE":
-                response = client.trace(**kwargs)
-            else:
-                click.secho(f"Unsupported HTTP method: {method}", fg="red", err=True)
-                return
-
-            # Display response information
-            click.secho(
-                f"HTTP {response.status_code}",
-                fg="green" if response.status_code < 400 else "red",
-                bold=True,
-            )
-
-            # Show additional response info first
-            if hasattr(response, "user"):
-                click.secho(f"Authenticated user: {response.user}", fg="blue", dim=True)
-
-            if hasattr(response, "resolver_match") and response.resolver_match:
-                match = response.resolver_match
-                url_name = match.namespaced_url_name or match.url_name or "unnamed"
-                click.secho(f"URL pattern matched: {url_name}", fg="blue", dim=True)
-
-            # Show headers
-            if response.headers:
-                click.secho("Response Headers:", fg="yellow", bold=True)
-                for key, value in response.headers.items():
-                    click.echo(f"  {key}: {value}")
-                click.echo()
-
-            # Show response content last
-            if response.content:
-                content_type = response.headers.get("Content-Type", "")
-
-                if "json" in content_type.lower():
-                    try:
-                        json_data = response.json()
-                        click.secho("Response Body (JSON):", fg="yellow", bold=True)
-                        click.echo(json.dumps(json_data, indent=2))
-                    except Exception:
-                        click.secho("Response Body:", fg="yellow", bold=True)
-                        click.echo(response.content.decode("utf-8", errors="replace"))
-                elif "html" in content_type.lower():
-                    click.secho("Response Body (HTML):", fg="yellow", bold=True)
-                    content = response.content.decode("utf-8", errors="replace")
-                    click.echo(content)
-                else:
-                    click.secho("Response Body:", fg="yellow", bold=True)
-                    content = response.content.decode("utf-8", errors="replace")
-                    click.echo(content)
-            else:
-                click.secho("(No response body)", fg="yellow", dim=True)
-
-        finally:
-            # Restore original ALLOWED_HOSTS
-            settings.ALLOWED_HOSTS = original_allowed_hosts
-
-    except Exception as e:
-        click.secho(f"Request failed: {e}", fg="red", err=True)