plain 0.7.0__py3-none-any.whl → 0.8.0__py3-none-any.whl

plain/csrf/middleware.py

@@ -9,7 +9,7 @@ import string
 from collections import defaultdict
 from urllib.parse import urlparse
 
-from plain.exceptions import DisallowedHost, ImproperlyConfigured
+from plain.exceptions import DisallowedHost
 from plain.http import HttpHeaders, UnreadablePostError
 from plain.logs import log_response
 from plain.runtime import settings
@@ -242,44 +242,31 @@ class CsrfViewMiddleware:
         If the CSRF_USE_SESSIONS setting is false, raises InvalidTokenFormat if
         the request's secret has invalid characters or an invalid length.
         """
-        if settings.CSRF_USE_SESSIONS:
-            try:
-                csrf_secret = request.session.get(CSRF_SESSION_KEY)
-            except AttributeError:
-                raise ImproperlyConfigured(
-                    "CSRF_USE_SESSIONS is enabled, but request.session is not "
-                    "set. SessionMiddleware must appear before CsrfViewMiddleware "
-                    "in MIDDLEWARE."
-                )
+        try:
+            csrf_secret = request.COOKIES[settings.CSRF_COOKIE_NAME]
+        except KeyError:
+            csrf_secret = None
         else:
-            try:
-                csrf_secret = request.COOKIES[settings.CSRF_COOKIE_NAME]
-            except KeyError:
-                csrf_secret = None
-            else:
-                # This can raise InvalidTokenFormat.
-                _check_token_format(csrf_secret)
+            # This can raise InvalidTokenFormat.
+            _check_token_format(csrf_secret)
+
         if csrf_secret is None:
             return None
         return csrf_secret
 
     def _set_csrf_cookie(self, request, response):
-        if settings.CSRF_USE_SESSIONS:
-            if request.session.get(CSRF_SESSION_KEY) != request.META["CSRF_COOKIE"]:
-                request.session[CSRF_SESSION_KEY] = request.META["CSRF_COOKIE"]
-        else:
-            response.set_cookie(
-                settings.CSRF_COOKIE_NAME,
-                request.META["CSRF_COOKIE"],
-                max_age=settings.CSRF_COOKIE_AGE,
-                domain=settings.CSRF_COOKIE_DOMAIN,
-                path=settings.CSRF_COOKIE_PATH,
-                secure=settings.CSRF_COOKIE_SECURE,
-                httponly=settings.CSRF_COOKIE_HTTPONLY,
-                samesite=settings.CSRF_COOKIE_SAMESITE,
-            )
-            # Set the Vary header since content varies with the CSRF cookie.
-            patch_vary_headers(response, ("Cookie",))
+        response.set_cookie(
+            settings.CSRF_COOKIE_NAME,
+            request.META["CSRF_COOKIE"],
+            max_age=settings.CSRF_COOKIE_AGE,
+            domain=settings.CSRF_COOKIE_DOMAIN,
+            path=settings.CSRF_COOKIE_PATH,
+            secure=settings.CSRF_COOKIE_SECURE,
+            httponly=settings.CSRF_COOKIE_HTTPONLY,
+            samesite=settings.CSRF_COOKIE_SAMESITE,
+        )
+        # Set the Vary header since content varies with the CSRF cookie.
+        patch_vary_headers(response, ("Cookie",))
 
     def _origin_verified(self, request):
         request_origin = request.META["HTTP_ORIGIN"]
@@ -289,7 +276,7 @@ class CsrfViewMiddleware:
             pass
         else:
             good_origin = "{}://{}".format(
-                "https" if request.is_secure() else "http",
+                "https" if request.is_https() else "http",
                 good_host,
             )
             if request_origin == good_origin:
@@ -331,11 +318,7 @@ class CsrfViewMiddleware:
         ):
             return
         # Allow matching the configured cookie domain.
-        good_referer = (
-            settings.SESSION_COOKIE_DOMAIN
-            if settings.CSRF_USE_SESSIONS
-            else settings.CSRF_COOKIE_DOMAIN
-        )
+        good_referer = settings.CSRF_COOKIE_DOMAIN
         if good_referer is None:
             # If no cookie domain is configured, allow matching the current
             # host:port exactly if it's permitted by ALLOWED_HOSTS.
@@ -435,7 +418,7 @@ class CsrfViewMiddleware:
                 return self._reject(
                     request, REASON_BAD_ORIGIN % request.META["HTTP_ORIGIN"]
                 )
-        elif request.is_secure():
+        elif request.is_https():
             # If the Origin header wasn't provided, reject HTTPS requests if
             # the Referer header doesn't match an allowed value.
             #

plain/http/request.py

@@ -140,7 +140,7 @@ class HttpRequest:
             # Reconstruct the host using the algorithm from PEP 333.
             host = self.META["SERVER_NAME"]
             server_port = self.get_port()
-            if server_port != ("443" if self.is_secure() else "80"):
+            if server_port != ("443" if self.is_https() else "80"):
                 host = f"{host}:{server_port}"
         return host
 
@@ -281,7 +281,7 @@ class HttpRequest:
                 return "https" if header_value.strip() == secure_value else "http"
         return self._get_scheme()
 
-    def is_secure(self):
+    def is_https(self):
         return self.scheme == "https"
 
     @property

plain/internal/handlers/base.py

@@ -13,6 +13,15 @@ from .exception import convert_exception_to_response
 logger = logging.getLogger("plain.request")
 
 
+# These middleware classes are always used by Plain.
+BUILTIN_MIDDLEWARE = [
+    "plain.internal.middleware.headers.DefaultHeadersMiddleware",
+    "plain.internal.middleware.https.HttpsRedirectMiddleware",
+    "plain.internal.middleware.slash.RedirectSlashMiddleware",
+    "plain.csrf.middleware.CsrfViewMiddleware",
+]
+
+
 class BaseHandler:
     _view_middleware = None
     _middleware_chain = None
@@ -27,7 +36,10 @@ class BaseHandler:
 
         get_response = self._get_response
         handler = convert_exception_to_response(get_response)
-        for middleware_path in reversed(settings.MIDDLEWARE):
+
+        middlewares = reversed(BUILTIN_MIDDLEWARE + settings.MIDDLEWARE)
+
+        for middleware_path in middlewares:
             middleware = import_string(middleware_path)
             mw_instance = middleware(handler)
 

plain/internal/middleware/headers.py

@@ -0,0 +1,19 @@
+from plain.runtime import settings
+
+
+class DefaultHeadersMiddleware:
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+    def __call__(self, request):
+        response = self.get_response(request)
+
+        for header, value in settings.DEFAULT_RESPONSE_HEADERS.items():
+            response.headers.setdefault(header, value)
+
+        # Add the Content-Length header to non-streaming responses if not
+        # already set.
+        if not response.streaming and not response.has_header("Content-Length"):
+            response.headers["Content-Length"] = str(len(response.content))
+
+        return response

plain/internal/middleware/https.py

@@ -0,0 +1,36 @@
+import re
+
+from plain.http import ResponsePermanentRedirect
+from plain.runtime import settings
+
+
+class HttpsRedirectMiddleware:
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+        # Settings for https (compile regexes once)
+        self.https_redirect_enabled = settings.HTTPS_REDIRECT_ENABLED
+        self.https_redirect_host = settings.HTTPS_REDIRECT_HOST
+        self.https_redirect_exempt = [
+            re.compile(r) for r in settings.HTTPS_REDIRECT_EXEMPT
+        ]
+
+    def __call__(self, request):
+        """
+        Rewrite the URL based on settings.APPEND_SLASH
+        """
+
+        if redirect_response := self.maybe_https_redirect(request):
+            return redirect_response
+
+        return self.get_response(request)
+
+    def maybe_https_redirect(self, request):
+        path = request.path.lstrip("/")
+        if (
+            self.https_redirect_enabled
+            and not request.is_https()
+            and not any(pattern.search(path) for pattern in self.https_redirect_exempt)
+        ):
+            host = self.https_redirect_host or request.get_host()
+            return ResponsePermanentRedirect(f"https://{host}{request.get_full_path()}")

plain/{middleware/common.py → internal/middleware/slash.py}

@@ -4,25 +4,7 @@ from plain.urls import is_valid_path
 from plain.utils.http import escape_leading_slashes
 
 
-class CommonMiddleware:
-    """
-    "Common" middleware for taking care of some basic operations:
-
-        - URL rewriting: Based on the APPEND_SLASH setting,
-          append missing slashes.
-
-            - If APPEND_SLASH is set and the initial URL doesn't end with a
-              slash, and it is not found in urlpatterns, form a new URL by
-              appending a slash at the end. If this new URL is found in
-              urlpatterns, return an HTTP redirect to this new URL; otherwise
-              process the initial URL as usual.
-
-          This behavior can be customized by subclassing CommonMiddleware and
-          overriding the response_redirect_class attribute.
-    """
-
-    response_redirect_class = ResponsePermanentRedirect
-
+class RedirectSlashMiddleware:
     def __init__(self, get_response):
         self.get_response = get_response
 
@@ -40,12 +22,7 @@ class CommonMiddleware:
         # If the given URL is "Not Found", then check if we should redirect to
         # a path with a slash appended.
         if response.status_code == 404 and self.should_redirect_with_slash(request):
-            return self.response_redirect_class(self.get_full_path_with_slash(request))
-
-        # Add the Content-Length header to non-streaming responses if not
-        # already set.
-        if not response.streaming and not response.has_header("Content-Length"):
-            response.headers["Content-Length"] = str(len(response.content))
+            return ResponsePermanentRedirect(self.get_full_path_with_slash(request))
 
         return response
 

plain/preflight/security/base.py

@@ -16,17 +16,18 @@ SECRET_KEY_WARNING_MSG = (
     f"vulnerable to attack."
 )
 
+# TODO
 W001 = Warning(
-    "You do not have 'plain.middleware.security.SecurityMiddleware' "
+    "You do not have 'plain.middleware.https.HttpsRedirectMiddleware' "
     "in your MIDDLEWARE so the SECURE_HSTS_SECONDS, "
     "SECURE_CONTENT_TYPE_NOSNIFF, SECURE_REFERRER_POLICY, "
-    "SECURE_CROSS_ORIGIN_OPENER_POLICY, and SECURE_SSL_REDIRECT settings will "
+    "SECURE_CROSS_ORIGIN_OPENER_POLICY, and HTTPS_REDIRECT_ENABLED settings will "
     "have no effect.",
     id="security.W001",
 )
 
 W008 = Warning(
-    "Your SECURE_SSL_REDIRECT setting is not set to True. "
+    "Your HTTPS_REDIRECT_ENABLED setting is not set to True. "
     "Unless your site should be available over both SSL and non-SSL "
     "connections, you may want to either set this setting True "
     "or configure a load balancer or reverse-proxy server "
@@ -52,22 +53,6 @@ W020 = Warning(
 W025 = Warning(SECRET_KEY_WARNING_MSG, id="security.W025")
 
 
-def _security_middleware():
-    return "plain.middleware.security.SecurityMiddleware" in settings.MIDDLEWARE
-
-
-@register(deploy=True)
-def check_security_middleware(package_configs, **kwargs):
-    passed_check = _security_middleware()
-    return [] if passed_check else [W001]
-
-
-@register(deploy=True)
-def check_ssl_redirect(package_configs, **kwargs):
-    passed_check = not _security_middleware() or settings.SECURE_SSL_REDIRECT is True
-    return [] if passed_check else [W008]
-
-
 def _check_secret_key(secret_key):
     return (
         len(set(secret_key)) >= SECRET_KEY_MIN_UNIQUE_CHARACTERS

plain/preflight/security/csrf.py

@@ -32,9 +32,5 @@ def check_csrf_middleware(package_configs, **kwargs):
 
 @register(deploy=True)
 def check_csrf_cookie_secure(package_configs, **kwargs):
-    passed_check = (
-        settings.CSRF_USE_SESSIONS
-        or not _csrf_middleware()
-        or settings.CSRF_COOKIE_SECURE is True
-    )
+    passed_check = not _csrf_middleware() or settings.CSRF_COOKIE_SECURE is True
     return [] if passed_check else [W016]

plain/runtime/README.md

@@ -54,10 +54,7 @@ SECRET_KEY = environ["SECRET_KEY"]
 DEBUG = environ.get("DEBUG", "false").lower() in ("true", "1", "yes")
 
 MIDDLEWARE = [
-    "plain.middleware.security.SecurityMiddleware",
     "plain.sessions.middleware.SessionMiddleware",
-    "plain.middleware.common.CommonMiddleware",
-    "plain.csrf.middleware.CsrfViewMiddleware",
     "plain.auth.middleware.AuthenticationMiddleware",
 ]
 

plain/runtime/global_settings.py

@@ -29,11 +29,27 @@ TIME_ZONE: str = "UTC"
 DEFAULT_CHARSET = "utf-8"
 
 # List of strings representing installed packages.
-INSTALLED_PACKAGES: list = []
+INSTALLED_PACKAGES: list[str] = []
 
 # Whether to append trailing slashes to URLs.
 APPEND_SLASH = True
 
+# Default headers for all responses.
+DEFAULT_RESPONSE_HEADERS = {
+    # "Content-Security-Policy": "default-src 'self'",
+    # https://hstspreload.org/
+    # "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
+    "Cross-Origin-Opener-Policy": "same-origin",
+    "Referrer-Policy": "same-origin",
+    "X-Content-Type-Options": "nosniff",
+    "X-Frame-Options": "DENY",
+}
+
+# Whether to redirect all non-HTTPS requests to HTTPS.
+HTTPS_REDIRECT_ENABLED = True
+HTTPS_REDIRECT_EXEMPT = []
+HTTPS_REDIRECT_HOST = None
+
 # A secret key for this particular Plain installation. Used in secret-key
 # hashing algorithms. Set this in your settings, or Plain will complain
 # loudly.
@@ -82,7 +98,7 @@ HTTP_ERROR_VIEWS: dict[int] = {}
 # connections, AND that proxy ensures that user-submitted headers with the
 # same name are ignored (so that people can't spoof it), set this value to
 # a tuple of (header_name, header_value). For any requests that come in with
-# that header/value, request.is_secure() will return True.
+# that header/value, request.is_https() will return True.
 # WARNING! Only set this if you fully understand what you're doing. Otherwise,
 # you may be opening yourself up to a security risk.
 SECURE_PROXY_SSL_HEADER = None
@@ -94,11 +110,7 @@ SECURE_PROXY_SSL_HEADER = None
 # List of middleware to use. Order is important; in the request phase, these
 # middleware will be applied in the order given, and in the response
 # phase the middleware will be applied in reverse order.
-MIDDLEWARE = [
-    "plain.middleware.security.SecurityMiddleware",
-    "plain.middleware.common.CommonMiddleware",
-    "plain.csrf.middleware.CsrfViewMiddleware",
-]
+MIDDLEWARE: list[str] = []
 
 ###########
 # SIGNING #
@@ -120,7 +132,6 @@ CSRF_COOKIE_HTTPONLY = False
 CSRF_COOKIE_SAMESITE = "Lax"
 CSRF_HEADER_NAME = "HTTP_X_CSRFTOKEN"
 CSRF_TRUSTED_ORIGINS: list[str] = []
-CSRF_USE_SESSIONS = False
 
 ###########
 # LOGGING #
@@ -150,23 +161,6 @@ ASSETS_BASE_URL: str = ""
 # message, but Plain will not stop you from e.g. running server.
 SILENCED_PREFLIGHT_CHECKS = []
 
-#######################
-# SECURITY MIDDLEWARE #
-#######################
-SECURE_REDIRECT_EXEMPT = []
-SECURE_SSL_HOST = None
-SECURE_SSL_REDIRECT = True
-
-SECURE_DEFAULT_HEADERS = {
-    # "Content-Security-Policy": "default-src 'self'",
-    # https://hstspreload.org/
-    # "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
-    "Cross-Origin-Opener-Policy": "same-origin",
-    "Referrer-Policy": "same-origin",
-    "X-Content-Type-Options": "nosniff",
-    "X-Frame-Options": "DENY",
-}
-
 #############
 # Templates #
 #############

plain/test/client.py

@@ -379,7 +379,7 @@ class RequestFactory:
         # Refs comment in `get_bytes_from_wsgi()`.
         return path.decode("iso-8859-1")
 
-    def get(self, path, data=None, secure=False, *, headers=None, **extra):
+    def get(self, path, data=None, secure=True, *, headers=None, **extra):
         """Construct a GET request."""
         data = {} if data is None else data
         return self.generic(
@@ -398,7 +398,7 @@ class RequestFactory:
         path,
         data=None,
         content_type=MULTIPART_CONTENT,
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,
@@ -417,7 +417,7 @@ class RequestFactory:
             **extra,
         )
 
-    def head(self, path, data=None, secure=False, *, headers=None, **extra):
+    def head(self, path, data=None, secure=True, *, headers=None, **extra):
         """Construct a HEAD request."""
         data = {} if data is None else data
         return self.generic(
@@ -431,7 +431,7 @@ class RequestFactory:
             },
         )
 
-    def trace(self, path, secure=False, *, headers=None, **extra):
+    def trace(self, path, secure=True, *, headers=None, **extra):
         """Construct a TRACE request."""
         return self.generic("TRACE", path, secure=secure, headers=headers, **extra)
 
@@ -440,7 +440,7 @@ class RequestFactory:
         path,
         data="",
         content_type="application/octet-stream",
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,
@@ -455,7 +455,7 @@ class RequestFactory:
         path,
         data="",
         content_type="application/octet-stream",
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,
@@ -471,7 +471,7 @@ class RequestFactory:
         path,
         data="",
         content_type="application/octet-stream",
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,
@@ -487,7 +487,7 @@ class RequestFactory:
         path,
         data="",
         content_type="application/octet-stream",
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,
@@ -504,7 +504,7 @@ class RequestFactory:
         path,
         data="",
         content_type="application/octet-stream",
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,
@@ -704,7 +704,7 @@ class Client(ClientMixin, RequestFactory):
         path,
         data=None,
         follow=False,
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,
@@ -725,7 +725,7 @@ class Client(ClientMixin, RequestFactory):
         data=None,
         content_type=MULTIPART_CONTENT,
         follow=False,
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,
@@ -752,7 +752,7 @@ class Client(ClientMixin, RequestFactory):
         path,
         data=None,
         follow=False,
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,
@@ -775,7 +775,7 @@ class Client(ClientMixin, RequestFactory):
         data="",
         content_type="application/octet-stream",
         follow=False,
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,
@@ -803,7 +803,7 @@ class Client(ClientMixin, RequestFactory):
         data="",
         content_type="application/octet-stream",
         follow=False,
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,
@@ -831,7 +831,7 @@ class Client(ClientMixin, RequestFactory):
         data="",
         content_type="application/octet-stream",
         follow=False,
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,
@@ -859,7 +859,7 @@ class Client(ClientMixin, RequestFactory):
         data="",
         content_type="application/octet-stream",
         follow=False,
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,
@@ -886,7 +886,7 @@ class Client(ClientMixin, RequestFactory):
         path,
         data="",
         follow=False,
-        secure=False,
+        secure=True,
         *,
         headers=None,
         **extra,

plain/views/base.py

@@ -15,6 +15,10 @@ logger = logging.getLogger("plain.request")
 
 
 class View:
+    request: HttpRequest
+    url_args: tuple
+    url_kwargs: dict
+
     def __init__(self, *args, **kwargs) -> None:
         # Views can customize their init, which receives
         # the args and kwargs from as_view()

{plain-0.7.0.dist-info → plain-0.8.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: plain
-Version: 0.7.0
+Version: 0.8.0
 Summary: A web framework for building products with Python.
 Author: Dave Gaeddert
 Author-email: dave.gaeddert@dropseed.dev
@@ -8,6 +8,7 @@ Requires-Python: >=3.11,<4.0
 Classifier: Programming Language :: Python :: 3
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
 Requires-Dist: click (>=8.0.0)
 Requires-Dist: jinja2 (>=3.1.2,<4.0.0)
 Requires-Dist: python-dotenv (>=1.0.0,<2.0.0)

{plain-0.7.0.dist-info → plain-0.8.0.dist-info}/RECORD

@@ -15,7 +15,7 @@ plain/cli/packages.py,sha256=69VH1bIi1-5N5l2jlBcR5EP0pt-v16sPar9arO3gCSE,2052
 plain/cli/print.py,sha256=XraUYrgODOJquIiEv78wSCYGRBplHXtXSS9QtFG5hqY,217
 plain/cli/startup.py,sha256=PJYA-tNWGia-QbTlT0e5HvC8C7yDSq8wkAkIxgfKkvw,680
 plain/csrf/README.md,sha256=RXMWMtHmzf30gVVNOfj0kD4xlSqFIPgJh-n7dIciaEM,163
-plain/csrf/middleware.py,sha256=I7Ev-Y-VaR-Fgs_arVYNePt4qjwF_PozFBCqER2UMIY,18642
+plain/csrf/middleware.py,sha256=MlDQ55B4eRXySbzauFNs8gKhgQy32yWspBfPI0a3PzA,17775
 plain/csrf/views.py,sha256=YDgT451X16iUdCxpQ6rcHIy7nD0u7DAvCQl5-Mx5i9Y,219
 plain/debug.py,sha256=fdrWy4RNQOuXo80_jgwthCkMZKjjaF9lDj3Kqln_gJk,604
 plain/exceptions.py,sha256=tDS6l0epe_L9IlxpEdT2k2hWgEoAu8YBNIumNCtJ-WY,6333
@@ -29,7 +29,7 @@ plain/http/README.md,sha256=00zLFQ-FPjYXu3A8QsLhCCXxaT0ImvI5I-8xd3dp8WA,7
 plain/http/__init__.py,sha256=DIsDRbBsCGa4qZgq-fUuQS0kkxfbTU_3KpIM9VvH04w,1067
 plain/http/cookie.py,sha256=11FnSG3Plo6T3jZDbPoCw7SKh9ExdBio3pTmIO03URg,597
 plain/http/multipartparser.py,sha256=Z2PFDuGucj_nFnQagwdxowJcZHqzCfDApkXl5yRlRe4,27325
-plain/http/request.py,sha256=sRHjXOrxFMPIXSbwa6-hXJHNhR-EF4E5IprGtHUqeyE,26007
+plain/http/request.py,sha256=CrfXx-Som5AOM5WU62CTuv01VpFTz_qMLQS1Jx9Rwew,26005
 plain/http/response.py,sha256=h43Gx4PVPGEf63EHHrABYtwYu-8Y9mgAebwiGt8qeLE,24074
 plain/internal/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 plain/internal/files/README.md,sha256=kMux-NU5qiH0o1K8IajYQT8VjrYl_jLk9LkGG_kGuSc,45
@@ -42,20 +42,19 @@ plain/internal/files/uploadedfile.py,sha256=JRB7T3quQjg-1y3l1ASPxywtSQZhaeMc45uF
 plain/internal/files/uploadhandler.py,sha256=BZGQDHJMEUeBh9uJtxNVWQkFmHE7jzVTx9CLVt59Jqg,7197
 plain/internal/files/utils.py,sha256=XrHAs2tMqmywURgz5C6-GSj6sr2R-MCERcWT8yzBp5k,2652
 plain/internal/handlers/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-plain/internal/handlers/base.py,sha256=LcKKRtKlBk17Iy_8MRbx7wskULpnhHzA0fOlunzd9Lo,4506
+plain/internal/handlers/base.py,sha256=tpTrVhC_gZKrIoTJmCWD3bIpucOCGVV1DTkF0W2HZPI,4883
 plain/internal/handlers/exception.py,sha256=KUZSBzmzE6YSFxAZ336Mye_9vAPVIj9Av-w1SK5R4PA,4579
 plain/internal/handlers/wsgi.py,sha256=WIZvXlEAOn8lxwDM_HpSP82-ePKVu-Tzgpe65KkXEMk,7538
+plain/internal/middleware/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+plain/internal/middleware/headers.py,sha256=UnJWnlVVLD-10h7PB_QSYeREBzLo-TS3C-_ahmZ6w0I,636
+plain/internal/middleware/https.py,sha256=XpuQK8HicYX1jNanQHqNgyQ9rqe4NLUOZO3ZzKdsP8k,1203
+plain/internal/middleware/slash.py,sha256=LhQi5aUztE4kJnvRn75u8zaFvAVPPEl_Whu1gYWGs7g,2656
 plain/json.py,sha256=McJdsbMT1sYwkGRG--f2NSZz0hVXPMix9x3nKaaak2o,1262
 plain/logs/README.md,sha256=H6uVXdInYlasq0Z1WnhWnPmNwYQoZ1MSLPDQ4ZE7u4A,492
 plain/logs/__init__.py,sha256=rASvo4qFBDIHfkACmGLNGa6lRGbG9PbNjW6FmBt95ys,168
 plain/logs/configure.py,sha256=6mV7d1IxkDYT3VBz61qhIj0Esuy5l5QdQfsHaGCfI6w,1063
 plain/logs/loggers.py,sha256=iz9SYcwP9w5QAuwpULl48SFkVyJuuMoQ_fdLgdCHpNg,2121
 plain/logs/utils.py,sha256=9UzdCCQXJinGDs71Ngw297mlWkhgZStSd67ya4NOW98,1257
-plain/middleware/README.md,sha256=MgiLHwAfP8ooBSlDi1JhTwIHMlwphOqAkeWglYRbe8s,52
-plain/middleware/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-plain/middleware/common.py,sha256=-YySkYUyaRujYA5Yg7GRD3xFjlQOZpeJP1Stpt6pias,3631
-plain/middleware/gzip.py,sha256=2NogLO6hPxVc3otxkhMDl7-r2Zw3vcIkAP29fx4j2eU,2383
-plain/middleware/security.py,sha256=WZRn5F9qx33wFTqh4CkBEtHrTuyr7RCt4Gwq4W2mBgE,1043
 plain/packages/README.md,sha256=Vq1Nw3mmEmZ2IriQavuVi4BjcQC2nb8k7YIbnm8QjIg,799
 plain/packages/__init__.py,sha256=DnHN1wwHXiXib4Y9BV__x9WrbUaTovoTIxW-tVyScTU,106
 plain/packages/config.py,sha256=6Vdf1TEQllZkkEvK0WK__zHJYT9nxmS3EyYrbuq0GkM,11201
@@ -67,12 +66,12 @@ plain/preflight/files.py,sha256=wbHCNgps7o1c1zQNBd8FDCaVaqX90UwuvLgEQ_DbUpY,510
 plain/preflight/messages.py,sha256=u0oc7q7YmBlKYJRcF5SQpzncfOkEzDhZTcpyclQDfHg,2427
 plain/preflight/registry.py,sha256=ZpxnZPIklXuT8xZVTxCUp_IER3zhd7DdfsmqIpAbLj4,2306
 plain/preflight/security/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-plain/preflight/security/base.py,sha256=EY9rgXi8qdzLY1mMq9lMqYJmIV2OhN66Vt96meblxoE,3541
-plain/preflight/security/csrf.py,sha256=EZy_DkVqc1kUmBA-UbNmhVsKhRINfmqgWSRlatKy5AA,1237
+plain/preflight/security/base.py,sha256=nsv-g-bFr_188mkOQwC1ZDnyS0rE6eZED8xZT-FEM8M,3074
+plain/preflight/security/csrf.py,sha256=8dKzs5kQwTTKeyfHbkrzdPk3OEoUN8mc-0xhSBo1KmM,1175
 plain/preflight/urls.py,sha256=O4PQ_v205VA2872fQlhPfxaihDDRCsVp0ZVKQ92aX4k,3019
-plain/runtime/README.md,sha256=wR0XrWAb4FGnOON2-O9ySSZCSMZmPkKGx-4DQXd_2h4,2209
+plain/runtime/README.md,sha256=Q8VVO7JRGuYrDxzuYL6ptoilhclbecxKzpRXKgbWGkU,2061
 plain/runtime/__init__.py,sha256=vIh77lL4e5CoQZz-HxvXeJL5329s8VfPFpNxx9rHgxs,1384
-plain/runtime/global_settings.py,sha256=cVwGcdpDFf2OoYeGD3Lfv-mxGF48aKSGzZlLKwp8UKI,5566
+plain/runtime/global_settings.py,sha256=3SLuQjPAHFv5F6QJBiuVy41yxsAoI446Rp4FoK8_A6o,5434
 plain/runtime/user_settings.py,sha256=JhxmCCOmEMk0QHh82l5iTpEie-UdZh13aXGsLhE5PBw,11255
 plain/signals/README.md,sha256=cd3tKEgH-xc88CUWyDxl4-qv-HBXx8VT32BXVwA5azA,230
 plain/signals/__init__.py,sha256=eAs0kLqptuP6I31dWXeAqRNji3svplpAV4Ez6ktjwXM,131
@@ -91,7 +90,7 @@ plain/templates/jinja/filters.py,sha256=3KJKKbxcv9dLzUDWPcaa88k3NU2m1GG3iMIgFhzX
 plain/templates/jinja/globals.py,sha256=qhvQuikkRkOTpHSW5FwdsvoViJNlRgHq3-O7ZyeajsE,669
 plain/test/README.md,sha256=Zso3Ir7a8vQerzKB6egjROQWkpveLAbscn7VTROPAiU,37
 plain/test/__init__.py,sha256=rXe88Y602NP8DBnReSyXb7dUzKoWweLuT43j-qwOUl4,138
-plain/test/client.py,sha256=cu43S-NL606VERUYi7NjvzIrVchlNLHqcKro7pnYmS4,31385
+plain/test/client.py,sha256=470yny2wfLEebdVjQckBqC9pqyDkHy8e0EH-rlVjsAQ,31368
 plain/urls/README.md,sha256=pWnCvgYkWN7rG7hSyBOtX4ZUP3iO7FhqM6lvwwYll6c,33
 plain/urls/__init__.py,sha256=3UzwIufXjIks2K_X_Vms2MV19IqvyPLrXUeHU3WP47c,753
 plain/urls/base.py,sha256=ECaOCEXs1ygKn4k1mt5XxSNPNlg5raJvx0aPaj7DFfE,3719
@@ -133,7 +132,7 @@ plain/utils/tree.py,sha256=wdWzmfsgc26YDF2wxhAY3yVxXTixQYqYDKE9mL3L3ZY,4383
 plain/validators.py,sha256=L9v9KtTe4iZhZVramZdKGf33R5Tt95FCdg2AJD2-2n0,19963
 plain/views/README.md,sha256=qndsXKyNMnipPlLaAvgQeGxqXknNQwlFh31Yxk8rHp8,5994
 plain/views/__init__.py,sha256=a-N1nkklVohJTtz0yD1MMaS0g66HviEjsKydNVVjvVc,392
-plain/views/base.py,sha256=WQy5btO4NNkEQAleII57oXUaDdd76a7OnFGdK7uFook,3160
+plain/views/base.py,sha256=wMkCAbr3XqXyP8dJr-O9atA1-N6K4-cTFflLhSYGOpY,3227
 plain/views/csrf.py,sha256=gO9npd_Ut_LoYF_u7Qb_ZsPRfSeE3aTPG97XlMp4oEo,724
 plain/views/errors.py,sha256=Y4oGX4Z6D2COKcDEfINvXE1acE8Ad15KwNNWPs5BCfc,967
 plain/views/exceptions.py,sha256=b4euI49ZUKS9O8AGAcFfiDpstzkRAuuj_uYQXzWNHME,138
@@ -142,8 +141,8 @@ plain/views/objects.py,sha256=9QBYyb8PgkRirXCQ8-Pms4_yMzP37dfeL30hWRYmtZg,7909
 plain/views/redirect.py,sha256=KLnlktzK6ZNMTlaEiZpMKQMEP5zeTgGLJ9BIkIJfwBo,1733
 plain/views/templates.py,sha256=nF9CcdhhjAyp3LB0RrSYnBaHpHzMfPSw719RCdcXk7o,2007
 plain/wsgi.py,sha256=R6k5FiAElvGDApEbMPTT0MPqSD7n2e2Az5chQqJZU0I,236
-plain-0.7.0.dist-info/LICENSE,sha256=m0D5O7QoH9l5Vz_rrX_9r-C8d9UNr_ciK6Qwac7o6yo,3175
-plain-0.7.0.dist-info/METADATA,sha256=ILizFFak8iFUNe3VI8xf3UtKZsz2XB8jmg3zWm2QGS0,2716
-plain-0.7.0.dist-info/WHEEL,sha256=sP946D7jFCHeNz5Iq4fL4Lu-PrWrFsgfLXbbkciIZwg,88
-plain-0.7.0.dist-info/entry_points.txt,sha256=7O1RZTmMasKYB73bfqQcTwIhsXo7RjEIKv2WbtTtOIM,39
-plain-0.7.0.dist-info/RECORD,,
+plain-0.8.0.dist-info/LICENSE,sha256=m0D5O7QoH9l5Vz_rrX_9r-C8d9UNr_ciK6Qwac7o6yo,3175
+plain-0.8.0.dist-info/METADATA,sha256=asx3_JWRlV7rkPuphIVufUKrMXEhYtQmJ-Dd6yVQdzY,2767
+plain-0.8.0.dist-info/WHEEL,sha256=Nq82e9rUAnEjt98J6MlVmMCZb-t9cYE2Ir1kpBmnWfs,88
+plain-0.8.0.dist-info/entry_points.txt,sha256=7O1RZTmMasKYB73bfqQcTwIhsXo7RjEIKv2WbtTtOIM,39
+plain-0.8.0.dist-info/RECORD,,

{plain-0.7.0.dist-info → plain-0.8.0.dist-info}/WHEEL

@@ -1,4 +1,4 @@
 Wheel-Version: 1.0
-Generator: poetry-core 1.9.0
+Generator: poetry-core 1.9.1
 Root-Is-Purelib: true
 Tag: py3-none-any

plain/middleware/README.md

@@ -1,3 +0,0 @@
-# Middleware
-
-Hook into the request/response cycle.

plain/middleware/gzip.py

@@ -1,64 +0,0 @@
-from plain.utils.cache import patch_vary_headers
-from plain.utils.regex_helper import _lazy_re_compile
-from plain.utils.text import compress_sequence, compress_string
-
-re_accepts_gzip = _lazy_re_compile(r"\bgzip\b")
-
-
-class GZipMiddleware:
-    """
-    Compress content if the browser allows gzip compression.
-    Set the Vary header accordingly, so that caches will base their storage
-    on the Accept-Encoding header.
-    """
-
-    max_random_bytes = 100
-
-    def __init__(self, get_response):
-        self.get_response = get_response
-
-    def __call__(self, request):
-        response = self.get_response(request)
-
-        # It's not worth attempting to compress really short responses.
-        if not response.streaming and len(response.content) < 200:
-            return response
-
-        # Avoid gzipping if we've already got a content-encoding.
-        if response.has_header("Content-Encoding"):
-            return response
-
-        patch_vary_headers(response, ("Accept-Encoding",))
-
-        ae = request.META.get("HTTP_ACCEPT_ENCODING", "")
-        if not re_accepts_gzip.search(ae):
-            return response
-
-        if response.streaming:
-            response.streaming_content = compress_sequence(
-                response.streaming_content,
-                max_random_bytes=self.max_random_bytes,
-            )
-            # Delete the `Content-Length` header for streaming content, because
-            # we won't know the compressed size until we stream it.
-            del response.headers["Content-Length"]
-        else:
-            # Return the compressed content only if it's actually shorter.
-            compressed_content = compress_string(
-                response.content,
-                max_random_bytes=self.max_random_bytes,
-            )
-            if len(compressed_content) >= len(response.content):
-                return response
-            response.content = compressed_content
-            response.headers["Content-Length"] = str(len(response.content))
-
-        # If there is a strong ETag, make it weak to fulfill the requirements
-        # of RFC 9110 Section 8.8.1 while also allowing conditional request
-        # matches on ETags.
-        etag = response.get("ETag")
-        if etag and etag.startswith('"'):
-            response.headers["ETag"] = "W/" + etag
-        response.headers["Content-Encoding"] = "gzip"
-
-        return response

plain/middleware/security.py

@@ -1,31 +0,0 @@
-import re
-
-from plain.http import ResponsePermanentRedirect
-from plain.runtime import settings
-
-
-class SecurityMiddleware:
-    def __init__(self, get_response):
-        self.get_response = get_response
-        self.redirect = settings.SECURE_SSL_REDIRECT
-        self.redirect_host = settings.SECURE_SSL_HOST
-        self.redirect_exempt = [re.compile(r) for r in settings.SECURE_REDIRECT_EXEMPT]
-
-        self.default_headers = settings.SECURE_DEFAULT_HEADERS
-
-    def __call__(self, request):
-        path = request.path.lstrip("/")
-        if (
-            self.redirect
-            and not request.is_secure()
-            and not any(pattern.search(path) for pattern in self.redirect_exempt)
-        ):
-            host = self.redirect_host or request.get_host()
-            return ResponsePermanentRedirect(f"https://{host}{request.get_full_path()}")
-
-        response = self.get_response(request)
-
-        for header, value in self.default_headers.items():
-            response.headers.setdefault(header, value)
-
-        return response