streamlit-nightly 1.43.2.dev20250307__py3-none-any.whl

streamlit/web/server/browser_websocket_handler.py

@@ -0,0 +1,246 @@
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from __future__ import annotations
+
+import hmac
+import json
+from typing import TYPE_CHECKING, Any, Final
+from urllib.parse import urlparse
+
+import tornado.concurrent
+import tornado.locks
+import tornado.netutil
+import tornado.web
+import tornado.websocket
+from tornado.escape import utf8
+from tornado.websocket import WebSocketHandler
+
+from streamlit import config
+from streamlit.logger import get_logger
+from streamlit.proto.BackMsg_pb2 import BackMsg
+from streamlit.runtime import Runtime, SessionClient, SessionClientDisconnectedError
+from streamlit.runtime.runtime_util import serialize_forward_msg
+from streamlit.web.server.server_util import (
+    AUTH_COOKIE_NAME,
+    is_url_from_allowed_origins,
+    is_xsrf_enabled,
+)
+
+if TYPE_CHECKING:
+    from collections.abc import Awaitable
+
+    from streamlit.proto.ForwardMsg_pb2 import ForwardMsg
+
+_LOGGER: Final = get_logger(__name__)
+
+
+class BrowserWebSocketHandler(WebSocketHandler, SessionClient):
+    """Handles a WebSocket connection from the browser"""
+
+    def initialize(self, runtime: Runtime) -> None:
+        self._runtime = runtime
+        self._session_id: str | None = None
+        # The XSRF cookie is normally set when xsrf_form_html is used, but in a
+        # pure-Javascript application that does not use any regular forms we just
+        # need to read the self.xsrf_token manually to set the cookie as a side
+        # effect. See https://www.tornadoweb.org/en/stable/guide/security.html#cross-site-request-forgery-protection
+        # for more details.
+        if is_xsrf_enabled():
+            _ = self.xsrf_token
+
+    def get_signed_cookie(
+        self,
+        name: str,
+        value: str | None = None,
+        max_age_days: float = 31,
+        min_version: int | None = None,
+    ) -> bytes | None:
+        """Get a signed cookie from the request. Added for compatibility with
+        Tornado < 6.3.0.
+        See release notes: https://www.tornadoweb.org/en/stable/releases/v6.3.0.html#deprecation-notices
+        """
+        try:
+            return super().get_signed_cookie(name, value, max_age_days, min_version)
+        except AttributeError:
+            return super().get_secure_cookie(name, value, max_age_days, min_version)
+
+    def check_origin(self, origin: str) -> bool:
+        """Set up CORS."""
+        return super().check_origin(origin) or is_url_from_allowed_origins(origin)
+
+    def _validate_xsrf_token(self, supplied_token: str) -> bool:
+        """Inspired by tornado.web.RequestHandler.check_xsrf_cookie method,
+        to check the XSRF token passed in Websocket connection header.
+        """
+        _, token, _ = self._decode_xsrf_token(supplied_token)
+        _, expected_token, _ = self._get_raw_xsrf_token()
+
+        decoded_token = utf8(token)
+        decoded_expected_token = utf8(expected_token)
+
+        if not decoded_token or not decoded_expected_token:
+            return False
+        return hmac.compare_digest(decoded_token, decoded_expected_token)
+
+    def _parse_user_cookie(self, raw_cookie_value: bytes) -> dict[str, Any]:
+        """Process the user cookie and extract the user info after
+        validating the origin. Origin is validated for security reasons.
+        """
+        cookie_value = json.loads(raw_cookie_value)
+        user_info = {}
+
+        cookie_value_origin = cookie_value.get("origin", None)
+        parsed_origin_from_header = urlparse(self.request.headers["Origin"])
+        expected_origin_value = (
+            parsed_origin_from_header.scheme + "://" + parsed_origin_from_header.netloc
+        )
+        if cookie_value_origin == expected_origin_value:
+            user_info["is_logged_in"] = cookie_value.get("is_logged_in", False)
+            del cookie_value["origin"]
+            del cookie_value["is_logged_in"]
+            user_info.update(cookie_value)
+
+        return user_info
+
+    def write_forward_msg(self, msg: ForwardMsg) -> None:
+        """Send a ForwardMsg to the browser."""
+        try:
+            self.write_message(serialize_forward_msg(msg), binary=True)
+        except tornado.websocket.WebSocketClosedError as e:
+            raise SessionClientDisconnectedError from e
+
+    def select_subprotocol(self, subprotocols: list[str]) -> str | None:
+        """Return the first subprotocol in the given list.
+
+        This method is used by Tornado to select a protocol when the
+        Sec-WebSocket-Protocol header is set in an HTTP Upgrade request.
+
+        NOTE: We repurpose the Sec-WebSocket-Protocol header here in a slightly
+        unfortunate (but necessary) way. The browser WebSocket API doesn't allow us to
+        set arbitrary HTTP headers, and this header is the only one where we have the
+        ability to set it to arbitrary values, so we use it to pass tokens (in this
+        case, the previous session ID to allow us to reconnect to it) from client to
+        server as the *third* value in the list.
+
+        The reason why the auth token is set as the third value is that:
+          - when Sec-WebSocket-Protocol is set, many clients expect the server to
+            respond with a selected subprotocol to use. We don't want that reply to be
+            the session token, so we by convention have the client always set the first
+            protocol to "streamlit" and select that.
+          - the second protocol in the list is reserved in some deployment environments
+            for an auth token that we currently don't use
+        """
+        if subprotocols:
+            return subprotocols[0]
+
+        return None
+
+    def open(self, *args, **kwargs) -> Awaitable[None] | None:
+        user_info: dict[str, str | bool | None] = {}
+
+        existing_session_id = None
+        try:
+            ws_protocols = [
+                p.strip()
+                for p in self.request.headers["Sec-Websocket-Protocol"].split(",")
+            ]
+
+            raw_cookie_value = self.get_signed_cookie(AUTH_COOKIE_NAME)
+            if is_xsrf_enabled() and raw_cookie_value:
+                csrf_protocol_value = ws_protocols[1]
+
+                if self._validate_xsrf_token(csrf_protocol_value):
+                    user_info.update(self._parse_user_cookie(raw_cookie_value))
+
+            if len(ws_protocols) >= 3:
+                # See the NOTE in the docstring of the `select_subprotocol` method above
+                # for a detailed explanation of why this is done.
+                existing_session_id = ws_protocols[2]
+        except KeyError:
+            # Just let existing_session_id=None if we run into any error while trying to
+            # extract it from the Sec-Websocket-Protocol header.
+            pass
+
+        self._session_id = self._runtime.connect_session(
+            client=self,
+            user_info=user_info,
+            existing_session_id=existing_session_id,
+        )
+        return None
+
+    def on_close(self) -> None:
+        if not self._session_id:
+            return
+        self._runtime.disconnect_session(self._session_id)
+        self._session_id = None
+
+    def get_compression_options(self) -> dict[Any, Any] | None:
+        """Enable WebSocket compression.
+
+        Returning an empty dict enables websocket compression. Returning
+        None disables it.
+
+        (See the docstring in the parent class.)
+        """
+        if config.get_option("server.enableWebsocketCompression"):
+            return {}
+        return None
+
+    def on_message(self, payload: str | bytes) -> None:
+        if not self._session_id:
+            return
+
+        try:
+            if isinstance(payload, str):
+                # Sanity check. (The frontend should only be sending us bytes;
+                # Protobuf.ParseFromString does not accept str input.)
+                raise RuntimeError(
+                    "WebSocket received an unexpected `str` message. "
+                    "(We expect `bytes` only.)"
+                )
+
+            msg = BackMsg()
+            msg.ParseFromString(payload)
+            _LOGGER.debug("Received the following back message:\n%s", msg)
+
+        except Exception as ex:
+            _LOGGER.exception("Error deserializing back message")
+            self._runtime.handle_backmsg_deserialization_exception(self._session_id, ex)
+            return
+
+        # "debug_disconnect_websocket" and "debug_shutdown_runtime" are special
+        # developmentMode-only messages used in e2e tests to test reconnect handling and
+        # disabling widgets.
+        if msg.WhichOneof("type") == "debug_disconnect_websocket":
+            if config.get_option("global.developmentMode") or config.get_option(
+                "global.e2eTest"
+            ):
+                self.close()
+            else:
+                _LOGGER.warning(
+                    "Client tried to disconnect websocket when not in development mode or e2e testing."
+                )
+        elif msg.WhichOneof("type") == "debug_shutdown_runtime":
+            if config.get_option("global.developmentMode") or config.get_option(
+                "global.e2eTest"
+            ):
+                self._runtime.stop()
+            else:
+                _LOGGER.warning(
+                    "Client tried to shut down runtime when not in development mode or e2e testing."
+                )
+        else:
+            # AppSession handles all other BackMsg types.
+            self._runtime.handle_backmsg(self._session_id, msg)

streamlit/web/server/component_request_handler.py

@@ -0,0 +1,116 @@
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from __future__ import annotations
+
+import mimetypes
+import os
+from typing import TYPE_CHECKING, Final
+
+import tornado.web
+
+import streamlit.web.server.routes
+from streamlit.logger import get_logger
+
+if TYPE_CHECKING:
+    from streamlit.components.types.base_component_registry import BaseComponentRegistry
+
+_LOGGER: Final = get_logger(__name__)
+
+
+class ComponentRequestHandler(tornado.web.RequestHandler):
+    def initialize(self, registry: BaseComponentRegistry):
+        self._registry = registry
+
+    def get(self, path: str) -> None:
+        parts = path.split("/")
+        component_name = parts[0]
+        component_root = self._registry.get_component_path(component_name)
+        if component_root is None:
+            self.write("not found")
+            self.set_status(404)
+            return
+
+        # follow symlinks to get an accurate normalized path
+        component_root = os.path.realpath(component_root)
+        filename = "/".join(parts[1:])
+        abspath = os.path.normpath(os.path.join(component_root, filename))
+
+        # Do NOT expose anything outside of the component root.
+        if os.path.commonpath([component_root, abspath]) != component_root:
+            self.write("forbidden")
+            self.set_status(403)
+            return
+        try:
+            with open(abspath, "rb") as file:
+                contents = file.read()
+        except OSError as e:
+            _LOGGER.error(
+                "ComponentRequestHandler: GET %s read error", abspath, exc_info=e
+            )
+            self.write("read error")
+            self.set_status(404)
+            return
+
+        self.write(contents)
+        self.set_header("Content-Type", self.get_content_type(abspath))
+
+        self.set_extra_headers(path)
+
+    def set_extra_headers(self, path: str) -> None:
+        """Disable cache for HTML files.
+
+        Other assets like JS and CSS are suffixed with their hash, so they can
+        be cached indefinitely.
+        """
+        is_index_url = len(path) == 0
+
+        if is_index_url or path.endswith(".html"):
+            self.set_header("Cache-Control", "no-cache")
+        else:
+            self.set_header("Cache-Control", "public")
+
+    def set_default_headers(self) -> None:
+        if streamlit.web.server.routes.allow_cross_origin_requests():
+            self.set_header("Access-Control-Allow-Origin", "*")
+
+    def options(self) -> None:
+        """/OPTIONS handler for preflight CORS checks."""
+        self.set_status(204)
+        self.finish()
+
+    @staticmethod
+    def get_content_type(abspath: str) -> str:
+        """Returns the ``Content-Type`` header to be used for this request.
+        From tornado.web.StaticFileHandler.
+        """
+        mime_type, encoding = mimetypes.guess_type(abspath)
+        # per RFC 6713, use the appropriate type for a gzip compressed file
+        if encoding == "gzip":
+            return "application/gzip"
+        # As of 2015-07-21 there is no bzip2 encoding defined at
+        # http://www.iana.org/assignments/media-types/media-types.xhtml
+        # So for that (and any other encoding), use octet-stream.
+        elif encoding is not None:
+            return "application/octet-stream"
+        elif mime_type is not None:
+            return mime_type
+        # if mime_type not detected, use application/octet-stream
+        else:
+            return "application/octet-stream"
+
+    @staticmethod
+    def get_url(file_id: str) -> str:
+        """Return the URL for a component file with the given ID."""
+        return f"components/{file_id}"

streamlit/web/server/media_file_handler.py

@@ -0,0 +1,141 @@
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from __future__ import annotations
+
+from urllib.parse import quote
+
+import tornado.web
+
+from streamlit.logger import get_logger
+from streamlit.runtime.media_file_storage import MediaFileKind, MediaFileStorageError
+from streamlit.runtime.memory_media_file_storage import (
+    MemoryMediaFileStorage,
+    get_extension_for_mimetype,
+)
+from streamlit.web.server import allow_cross_origin_requests
+
+_LOGGER = get_logger(__name__)
+
+
+class MediaFileHandler(tornado.web.StaticFileHandler):
+    _storage: MemoryMediaFileStorage
+
+    @classmethod
+    def initialize_storage(cls, storage: MemoryMediaFileStorage) -> None:
+        """Set the MemoryMediaFileStorage object used by instances of this
+        handler. Must be called on server startup.
+        """
+        # This is a class method, rather than an instance method, because
+        # `get_content()` is a class method and needs to access the storage
+        # instance.
+        cls._storage = storage
+
+    def set_default_headers(self) -> None:
+        if allow_cross_origin_requests():
+            self.set_header("Access-Control-Allow-Origin", "*")
+
+    def set_extra_headers(self, path: str) -> None:
+        """Add Content-Disposition header for downloadable files.
+
+        Set header value to "attachment" indicating that file should be saved
+        locally instead of displaying inline in browser.
+
+        We also set filename to specify the filename for downloaded files.
+        Used for serving downloadable files, like files stored via the
+        `st.download_button` widget.
+        """
+        media_file = self._storage.get_file(path)
+
+        if media_file and media_file.kind == MediaFileKind.DOWNLOADABLE:
+            filename = media_file.filename
+
+            if not filename:
+                filename = f"streamlit_download{get_extension_for_mimetype(media_file.mimetype)}"
+
+            try:
+                # Check that the value can be encoded in latin1. Latin1 is
+                # the default encoding for headers.
+                filename.encode("latin1")
+                file_expr = f'filename="{filename}"'
+            except UnicodeEncodeError:
+                # RFC5987 syntax.
+                # See: https://datatracker.ietf.org/doc/html/rfc5987
+                file_expr = f"filename*=utf-8''{quote(filename)}"
+
+            self.set_header("Content-Disposition", f"attachment; {file_expr}")
+
+    # Overriding StaticFileHandler to use the MediaFileManager
+    #
+    # From the Tornado docs:
+    # To replace all interaction with the filesystem (e.g. to serve
+    # static content from a database), override `get_content`,
+    # `get_content_size`, `get_modified_time`, `get_absolute_path`, and
+    # `validate_absolute_path`.
+    def validate_absolute_path(self, root: str, absolute_path: str) -> str:
+        try:
+            self._storage.get_file(absolute_path)
+        except MediaFileStorageError:
+            _LOGGER.error("MediaFileHandler: Missing file %s", absolute_path)
+            raise tornado.web.HTTPError(404, "not found")
+
+        return absolute_path
+
+    def get_content_size(self) -> int:
+        abspath = self.absolute_path
+        if abspath is None:
+            return 0
+
+        media_file = self._storage.get_file(abspath)
+        return media_file.content_size
+
+    def get_modified_time(self) -> None:
+        # We do not track last modified time, but this can be improved to
+        # allow caching among files in the MediaFileManager
+        return None
+
+    @classmethod
+    def get_absolute_path(cls, root: str, path: str) -> str:
+        # All files are stored in memory, so the absolute path is just the
+        # path itself. In the MediaFileHandler, it's just the filename
+        return path
+
+    @classmethod
+    def get_content(
+        cls, abspath: str, start: int | None = None, end: int | None = None
+    ):
+        _LOGGER.debug("MediaFileHandler: GET %s", abspath)
+
+        try:
+            # abspath is the hash as used `get_absolute_path`
+            media_file = cls._storage.get_file(abspath)
+        except Exception:
+            _LOGGER.error("MediaFileHandler: Missing file %s", abspath)
+            return None
+
+        _LOGGER.debug(
+            "MediaFileHandler: Sending %s file %s", media_file.mimetype, abspath
+        )
+
+        # If there is no start and end, just return the full content
+        if start is None and end is None:
+            return media_file.content
+
+        if start is None:
+            start = 0
+        if end is None:
+            end = len(media_file.content)
+
+        # content is bytes that work just by slicing supplied by start and end
+        return media_file.content[start:end]

streamlit/web/server/oauth_authlib_routes.py

@@ -0,0 +1,176 @@
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+from __future__ import annotations
+
+import json
+from typing import Any
+from urllib.parse import urlparse
+
+import tornado.web
+
+from streamlit.auth_util import (
+    AuthCache,
+    decode_provider_token,
+    generate_default_provider_section,
+    get_secrets_auth_section,
+)
+from streamlit.errors import StreamlitAuthError
+from streamlit.url_util import make_url_path
+from streamlit.web.server.oidc_mixin import TornadoOAuth, TornadoOAuth2App
+from streamlit.web.server.server_util import AUTH_COOKIE_NAME
+
+auth_cache = AuthCache()
+
+
+def create_oauth_client(provider: str) -> tuple[TornadoOAuth2App, str]:
+    """Create an OAuth client for the given provider based on secrets.toml configuration."""
+    auth_section = get_secrets_auth_section()
+    if auth_section:
+        redirect_uri = auth_section.get("redirect_uri", None)
+        config = auth_section.to_dict()
+    else:
+        config = {}
+        redirect_uri = "/"
+
+    provider_section = config.setdefault(provider, {})
+
+    if not provider_section and provider == "default":
+        provider_section = generate_default_provider_section(auth_section)
+        config["default"] = provider_section
+
+    provider_client_kwargs = provider_section.setdefault("client_kwargs", {})
+    if "scope" not in provider_client_kwargs:
+        provider_client_kwargs["scope"] = "openid email profile"
+    if "prompt" not in provider_client_kwargs:
+        provider_client_kwargs["prompt"] = "select_account"
+
+    oauth = TornadoOAuth(config, cache=auth_cache)
+    oauth.register(provider)
+    return oauth.create_client(provider), redirect_uri
+
+
+class AuthHandlerMixin(tornado.web.RequestHandler):
+    """Mixin for handling auth cookies. Added for compatibility with Tornado < 6.3.0."""
+
+    def initialize(self, base_url: str) -> None:
+        self.base_url = base_url
+
+    def redirect_to_base(self) -> None:
+        self.redirect(make_url_path(self.base_url, "/"))
+
+    def set_auth_cookie(self, user_info: dict[str, Any]) -> None:
+        serialized_cookie_value = json.dumps(user_info)
+        try:
+            # We don't specify Tornado secure flag here because it leads to missing cookie on Safari.
+            # The OIDC flow should work only on secure context anyway (localhost or HTTPS),
+            # so specifying the secure flag here will not add anything in terms of security.
+            self.set_signed_cookie(
+                AUTH_COOKIE_NAME,
+                serialized_cookie_value,
+                httpOnly=True,
+            )
+        except AttributeError:
+            self.set_secure_cookie(
+                AUTH_COOKIE_NAME,
+                serialized_cookie_value,
+                httponly=True,
+            )
+
+    def clear_auth_cookie(self) -> None:
+        self.clear_cookie(AUTH_COOKIE_NAME)
+
+
+class AuthLoginHandler(AuthHandlerMixin, tornado.web.RequestHandler):
+    async def get(self):
+        """Redirect to the OAuth provider login page."""
+        provider = self._parse_provider_token()
+        if provider is None:
+            self.redirect_to_base()
+            return
+
+        client, redirect_uri = create_oauth_client(provider)
+        try:
+            client.authorize_redirect(self, redirect_uri)
+        except Exception as e:
+            self.send_error(400, reason=str(e))
+
+    def _parse_provider_token(self) -> str | None:
+        provider_token = self.get_argument("provider", None)
+        try:
+            if provider_token is None:
+                raise StreamlitAuthError("Missing provider token")
+            payload = decode_provider_token(provider_token)
+        except StreamlitAuthError:
+            return None
+
+        return payload["provider"]
+
+
+class AuthLogoutHandler(AuthHandlerMixin, tornado.web.RequestHandler):
+    def get(self):
+        self.clear_auth_cookie()
+        self.redirect_to_base()
+
+
+class AuthCallbackHandler(AuthHandlerMixin, tornado.web.RequestHandler):
+    async def get(self):
+        provider = self._get_provider_by_state()
+        origin = self._get_origin_from_secrets()
+        if origin is None:
+            self.redirect_to_base()
+            return
+
+        error = self.get_argument("error", None)
+        if error:
+            self.redirect_to_base()
+            return
+
+        if provider is None:
+            self.redirect_to_base()
+            return
+
+        client, _ = create_oauth_client(provider)
+        token = client.authorize_access_token(self)
+        user = token.get("userinfo")
+
+        cookie_value = dict(user, origin=origin, is_logged_in=True)
+        if user:
+            self.set_auth_cookie(cookie_value)
+        self.redirect_to_base()
+
+    def _get_provider_by_state(self) -> str | None:
+        state_code_from_url = self.get_argument("state")
+        current_cache_keys = list(auth_cache.get_dict().keys())
+        state_provider_mapping = {}
+        for key in current_cache_keys:
+            _, _, recorded_provider, code = key.split("_")
+            state_provider_mapping[code] = recorded_provider
+
+        provider: str | None = state_provider_mapping.get(state_code_from_url, None)
+        return provider
+
+    def _get_origin_from_secrets(self) -> str | None:
+        redirect_uri = None
+        auth_section = get_secrets_auth_section()
+        if auth_section:
+            redirect_uri = auth_section.get("redirect_uri", None)
+
+        if not redirect_uri:
+            return None
+
+        redirect_uri_parsed = urlparse(redirect_uri)
+        origin_from_redirect_uri: str = (
+            redirect_uri_parsed.scheme + "://" + redirect_uri_parsed.netloc
+        )
+        return origin_from_redirect_uri