streamlit 1.45.1__py3-none-any.whl → 1.46.1__py3-none-any.whl

streamlit/web/server/oauth_authlib_routes.py

@@ -14,7 +14,7 @@
 from __future__ import annotations
 
 import json
-from typing import Any
+from typing import Any, Final, cast
 from urllib.parse import urlparse
 
 import tornado.web
@@ -26,10 +26,13 @@ from streamlit.auth_util import (
     get_secrets_auth_section,
 )
 from streamlit.errors import StreamlitAuthError
+from streamlit.logger import get_logger
 from streamlit.url_util import make_url_path
 from streamlit.web.server.oidc_mixin import TornadoOAuth, TornadoOAuth2App
 from streamlit.web.server.server_util import AUTH_COOKIE_NAME
 
+_LOGGER: Final = get_logger(__name__)
+
 auth_cache = AuthCache()
 
 
@@ -57,7 +60,7 @@ def create_oauth_client(provider: str) -> tuple[TornadoOAuth2App, str]:
 
     oauth = TornadoOAuth(config, cache=auth_cache)
     oauth.register(provider)
-    return oauth.create_client(provider), redirect_uri
+    return oauth.create_client(provider), redirect_uri  # type: ignore[no-untyped-call]
 
 
 class AuthHandlerMixin(tornado.web.RequestHandler):
@@ -71,6 +74,13 @@ class AuthHandlerMixin(tornado.web.RequestHandler):
 
     def set_auth_cookie(self, user_info: dict[str, Any]) -> None:
         serialized_cookie_value = json.dumps(user_info)
+
+        # log error if cookie value is larger than 4096 bytes
+        if len(serialized_cookie_value.encode()) > 4096:
+            _LOGGER.error(
+                "Authentication cookie size exceeds maximum browser limit of 4096 bytes. Authentication may fail."
+            )
+
         try:
             # We don't specify Tornado secure flag here because it leads to missing cookie on Safari.
             # The OIDC flow should work only on secure context anyway (localhost or HTTPS),
@@ -92,7 +102,7 @@ class AuthHandlerMixin(tornado.web.RequestHandler):
 
 
 class AuthLoginHandler(AuthHandlerMixin, tornado.web.RequestHandler):
-    async def get(self):
+    async def get(self) -> None:
         """Redirect to the OAuth provider login page."""
         provider = self._parse_provider_token()
         if provider is None:
@@ -107,9 +117,9 @@ class AuthLoginHandler(AuthHandlerMixin, tornado.web.RequestHandler):
 
     def _parse_provider_token(self) -> str | None:
         provider_token = self.get_argument("provider", None)
+        if provider_token is None:
+            return None
         try:
-            if provider_token is None:
-                raise StreamlitAuthError("Missing provider token")
             payload = decode_provider_token(provider_token)
         except StreamlitAuthError:
             return None
@@ -118,35 +128,57 @@ class AuthLoginHandler(AuthHandlerMixin, tornado.web.RequestHandler):
 
 
 class AuthLogoutHandler(AuthHandlerMixin, tornado.web.RequestHandler):
-    def get(self):
+    def get(self) -> None:
         self.clear_auth_cookie()
         self.redirect_to_base()
 
 
 class AuthCallbackHandler(AuthHandlerMixin, tornado.web.RequestHandler):
-    async def get(self):
+    async def get(self) -> None:
         provider = self._get_provider_by_state()
         origin = self._get_origin_from_secrets()
         if origin is None:
+            _LOGGER.error(
+                "Error, misconfigured origin for `redirect_uri` in secrets. ",
+            )
             self.redirect_to_base()
             return
 
         error = self.get_argument("error", None)
         if error:
+            error_description = self.get_argument("error_description", None)
+            sanitized_error = error.replace("\n", "").replace("\r", "")
+            sanitized_error_description = (
+                error_description.replace("\n", "").replace("\r", "")
+                if error_description
+                else None
+            )
+            _LOGGER.error(
+                "Error during authentication: %s. Error description: %s",
+                sanitized_error,
+                sanitized_error_description,
+            )
             self.redirect_to_base()
             return
 
         if provider is None:
+            _LOGGER.error(
+                "Error, missing provider for oauth callback.",
+            )
             self.redirect_to_base()
             return
 
         client, _ = create_oauth_client(provider)
         token = client.authorize_access_token(self)
-        user = token.get("userinfo")
+        user = cast("dict[str, Any]", token.get("userinfo"))
 
         cookie_value = dict(user, origin=origin, is_logged_in=True)
         if user:
             self.set_auth_cookie(cookie_value)
+        else:
+            _LOGGER.error(
+                "Error, missing user info.",
+            )
         self.redirect_to_base()
 
     def _get_provider_by_state(self) -> str | None:
@@ -157,7 +189,7 @@ class AuthCallbackHandler(AuthHandlerMixin, tornado.web.RequestHandler):
             _, _, recorded_provider, code = key.split("_")
             state_provider_mapping[code] = recorded_provider
 
-        provider: str | None = state_provider_mapping.get(state_code_from_url, None)
+        provider: str | None = state_provider_mapping.get(state_code_from_url)
         return provider
 
     def _get_origin_from_secrets(self) -> str | None:

streamlit/web/server/oidc_mixin.py

@@ -12,34 +12,48 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-import tornado.web
-from authlib.integrations.base_client import (  # type: ignore[import-untyped]
+# mypy: disable-error-code="no-untyped-call"
+# ruff: noqa: ANN201
+
+from __future__ import annotations
+
+from typing import TYPE_CHECKING, Any, Callable, cast
+
+from authlib.integrations.base_client import (
     BaseApp,
     BaseOAuth,
     OAuth2Mixin,
     OAuthError,
     OpenIDMixin,
 )
-from authlib.integrations.requests_client import (  # type: ignore[import-untyped]
+from authlib.integrations.requests_client import (
     OAuth2Session,
 )
 
 from streamlit.web.server.authlib_tornado_integration import TornadoIntegration
 
+if TYPE_CHECKING:
+    import tornado.web
+
+    from streamlit.auth_util import AuthCache
 
-class TornadoOAuth2App(OAuth2Mixin, OpenIDMixin, BaseApp):  # type: ignore[misc]
+
+class TornadoOAuth2App(OAuth2Mixin, OpenIDMixin, BaseApp):
     client_cls = OAuth2Session
 
-    def load_server_metadata(self):
+    def load_server_metadata(self) -> dict[str, Any]:
         """We enforce S256 code challenge method if it is supported by the server."""
-        result = super().load_server_metadata()
+        result = cast("dict[str, Any]", super().load_server_metadata())
         if "S256" in result.get("code_challenge_methods_supported", []):
             self.client_kwargs["code_challenge_method"] = "S256"
         return result
 
     def authorize_redirect(
-        self, request_handler: tornado.web.RequestHandler, redirect_uri=None, **kwargs
-    ):
+        self,
+        request_handler: tornado.web.RequestHandler,
+        redirect_uri: Any = None,
+        **kwargs: Any,
+    ) -> None:
         """Create a HTTP Redirect for Authorization Endpoint.
 
         :param request_handler: HTTP request instance from Tornado.
@@ -52,8 +66,8 @@ class TornadoOAuth2App(OAuth2Mixin, OpenIDMixin, BaseApp):  # type: ignore[misc]
         request_handler.redirect(auth_context["url"], status=302)
 
     def authorize_access_token(
-        self, request_handler: tornado.web.RequestHandler, **kwargs
-    ):
+        self, request_handler: tornado.web.RequestHandler, **kwargs: Any
+    ) -> dict[str, Any]:
         """
         :param request_handler: HTTP request instance from Tornado.
         :return: A token dict.
@@ -68,13 +82,12 @@ class TornadoOAuth2App(OAuth2Mixin, OpenIDMixin, BaseApp):  # type: ignore[misc]
             "state": request_handler.get_argument("state"),
         }
 
-        assert self.framework.cache is not None
         session = None
 
         claims_options = kwargs.pop("claims_options", None)
         state_data = self.framework.get_state_data(session, params.get("state"))
         self.framework.clear_state_data(session, params.get("state"))
-        params = self._format_state_params(state_data, params)
+        params = self._format_state_params(state_data, params)  # type: ignore[attr-defined]
         token = self.fetch_access_token(**params, **kwargs)
 
         if "id_token" in token and "nonce" in state_data:
@@ -82,26 +95,31 @@ class TornadoOAuth2App(OAuth2Mixin, OpenIDMixin, BaseApp):  # type: ignore[misc]
                 token, nonce=state_data["nonce"], claims_options=claims_options
             )
             token = {**token, "userinfo": userinfo}
-        return token
+        return cast("dict[str, Any]", token)
 
-    def _save_authorize_data(self, **kwargs):
+    def _save_authorize_data(self, **kwargs: Any) -> None:
         """Authlib underlying uses the concept of "session" to store state data.
         In Tornado, we don't have a session, so we use the framework's cache option.
         """
         state = kwargs.pop("state", None)
         if state:
-            assert self.framework.cache is not None
             session = None
             self.framework.set_state_data(session, state, kwargs)
         else:
             raise RuntimeError("Missing state value")
 
 
-class TornadoOAuth(BaseOAuth):  # type: ignore[misc]
+class TornadoOAuth(BaseOAuth):
     oauth2_client_cls = TornadoOAuth2App
     framework_integration_cls = TornadoIntegration
 
-    def __init__(self, config=None, cache=None, fetch_token=None, update_token=None):
+    def __init__(
+        self,
+        config: dict[str, Any] | None = None,
+        cache: AuthCache | None = None,
+        fetch_token: Callable[[dict[str, Any]], dict[str, Any]] | None = None,
+        update_token: Callable[[dict[str, Any]], dict[str, Any]] | None = None,
+    ):
         super().__init__(
             cache=cache, fetch_token=fetch_token, update_token=update_token
         )

streamlit/web/server/routes.py

@@ -15,40 +15,48 @@
 from __future__ import annotations
 
 import os
-from typing import TYPE_CHECKING
+from typing import TYPE_CHECKING, Any, Callable, cast
 
 import tornado.web
 
 from streamlit import config, file_util
 from streamlit.web.server.server_util import (
+    allowlisted_origins,
     emit_endpoint_deprecation_notice,
     is_xsrf_enabled,
 )
 
 if TYPE_CHECKING:
-    from collections.abc import Sequence
+    from collections.abc import Awaitable, Sequence
 
 
-def allow_cross_origin_requests() -> bool:
-    """True if cross-origin requests are allowed.
-
-    We only allow cross-origin requests when CORS protection has been disabled
-    with server.enableCORS=False or if using the Node server. When using the
-    Node server, we have a dev and prod port, which count as two origins.
+def allow_all_cross_origin_requests() -> bool:
+    """True if cross-origin requests from any origin are allowed.
 
+    We only allow ALL cross-origin requests when CORS protection has been
+    disabled with server.enableCORS=False or if using the Node server in dev
+    mode. When in dev mode, we have a dev and prod port, which count as two
+    origins.
     """
+
     return not config.get_option("server.enableCORS") or config.get_option(
         "global.developmentMode"
     )
 
 
+def is_allowed_origin(origin: Any) -> bool:
+    if not isinstance(origin, str):
+        return False
+    return origin in allowlisted_origins()
+
+
 class StaticFileHandler(tornado.web.StaticFileHandler):
     def initialize(
         self,
         path: str,
         default_filename: str | None = None,
         reserved_paths: Sequence[str] = (),
-    ):
+    ) -> None:
         self._reserved_paths = reserved_paths
 
         super().initialize(path, default_filename)
@@ -78,15 +86,15 @@ class StaticFileHandler(tornado.web.StaticFileHandler):
                 if os.path.sep != "/":
                     url_path = url_path.replace(os.path.sep, "/")
                 if any(url_path.endswith(x) for x in self._reserved_paths):
-                    raise e
+                    raise
 
                 self.path = self.parse_url_path(self.default_filename or "index.html")
                 absolute_path = self.get_absolute_path(self.root, self.path)
                 return super().validate_absolute_path(root, absolute_path)
 
-            raise e
+            raise
 
-    def write_error(self, status_code: int, **kwargs) -> None:
+    def write_error(self, status_code: int, **kwargs: Any) -> None:
         if status_code == 404:
             index_file = os.path.join(file_util.get_static_dir(), "index.html")
             self.render(index_file)
@@ -96,25 +104,27 @@ class StaticFileHandler(tornado.web.StaticFileHandler):
 
 class AddSlashHandler(tornado.web.RequestHandler):
     @tornado.web.addslash
-    def get(self):
+    def get(self) -> None:
         pass
 
 
 class RemoveSlashHandler(tornado.web.RequestHandler):
     @tornado.web.removeslash
-    def get(self):
+    def get(self) -> None:
         pass
 
 
 class _SpecialRequestHandler(tornado.web.RequestHandler):
     """Superclass for "special" endpoints, like /healthz."""
 
-    def set_default_headers(self):
+    def set_default_headers(self) -> None:
         self.set_header("Cache-Control", "no-cache")
-        if allow_cross_origin_requests():
+        if allow_all_cross_origin_requests():
             self.set_header("Access-Control-Allow-Origin", "*")
+        elif is_allowed_origin(origin := self.request.headers.get("Origin")):
+            self.set_header("Access-Control-Allow-Origin", cast("str", origin))
 
-    def options(self):
+    def options(self) -> None:
         """/OPTIONS handler for preflight CORS checks.
 
         When a browser is making a CORS request, it may sometimes first
@@ -136,7 +146,7 @@ class _SpecialRequestHandler(tornado.web.RequestHandler):
 
 
 class HealthHandler(_SpecialRequestHandler):
-    def initialize(self, callback):
+    def initialize(self, callback: Callable[[], Awaitable[tuple[bool, str]]]) -> None:
         """Initialize the handler.
 
         Parameters
@@ -147,15 +157,15 @@ class HealthHandler(_SpecialRequestHandler):
         """
         self._callback = callback
 
-    async def get(self):
+    async def get(self) -> None:
         await self.handle_request()
 
     # Some monitoring services only support the HTTP HEAD method for requests to
     # healthcheck endpoints, so we support HEAD as well to play nicely with them.
-    async def head(self):
+    async def head(self) -> None:
         await self.handle_request()
 
-    async def handle_request(self):
+    async def handle_request(self) -> None:
         if self.request.uri and "_stcore/" not in self.request.uri:
             new_path = (
                 "/_stcore/script-health-check"
@@ -212,7 +222,7 @@ _DEFAULT_ALLOWED_MESSAGE_ORIGINS = [
 
 
 class HostConfigHandler(_SpecialRequestHandler):
-    def initialize(self):
+    def initialize(self) -> None:
         # Make a copy of the allowedOrigins list, since we might modify it later:
         self._allowed_origins = _DEFAULT_ALLOWED_MESSAGE_ORIGINS.copy()
 

streamlit/web/server/server.py

@@ -53,8 +53,8 @@ from streamlit.web.server.routes import (
     StaticFileHandler,
 )
 from streamlit.web.server.server_util import (
-    DEVELOPMENT_PORT,
     get_cookie_secret,
+    is_tornado_version_less_than,
     is_xsrf_enabled,
     make_url_path_regex,
 )
@@ -70,12 +70,12 @@ _LOGGER: Final = get_logger(__name__)
 TORNADO_SETTINGS = {
     # Gzip HTTP responses.
     "compress_response": True,
-    # Ping every 1s to keep WS alive.
-    # 2021.06.22: this value was previously 20s, and was causing
-    # connection instability for a small number of users. This smaller
-    # ping_interval fixes that instability.
-    # https://github.com/streamlit/streamlit/issues/3196
-    "websocket_ping_interval": 1,
+    # Ping every 30s to keep WS alive.
+    # With recent versions of Tornado, this value must be greater than or
+    # equal to websocket_ping_timeout.
+    # For details, see https://github.com/tornadoweb/tornado/pull/3376
+    # For compatibility with older versions of Tornado, we set the value to 1.
+    "websocket_ping_interval": 1 if is_tornado_version_less_than("6.5.0") else 30,
     # If we don't get a ping response within 30s, the connection
     # is timed out.
     "websocket_ping_timeout": 30,
@@ -112,7 +112,7 @@ AUTH_LOGIN_ENDPOINT: Final = "/auth/login"
 AUTH_LOGOUT_ENDPOINT: Final = "/auth/logout"
 
 
-class RetriesExceeded(Exception):
+class RetriesExceededError(Exception):
     pass
 
 
@@ -175,7 +175,7 @@ def _get_ssl_options(cert_file: str | None, key_file: str | None) -> SSLContext
         try:
             ssl_ctx.load_cert_chain(cert_file, key_file)
         except ssl.SSLError:
-            _LOGGER.error(
+            _LOGGER.exception(
                 "Failed to load SSL certificate. Make sure "
                 "cert file '%s' and key file '%s' are correct.",
                 cert_file,
@@ -203,14 +203,6 @@ def start_listening_tcp_socket(http_server: HTTPServer) -> None:
         address = config.get_option("server.address")
         port = config.get_option("server.port")
 
-        if int(port) == DEVELOPMENT_PORT:
-            _LOGGER.warning(
-                "Port %s is reserved for internal development. "
-                "It is strongly recommended to select an alternative port "
-                "for `server.port`.",
-                DEVELOPMENT_PORT,
-            )
-
         try:
             http_server.listen(port, address)
             break  # It worked! So let's break out of the loop.
@@ -218,16 +210,13 @@ def start_listening_tcp_socket(http_server: HTTPServer) -> None:
         except OSError as e:
             if e.errno == errno.EADDRINUSE:
                 if server_port_is_manually_set():
-                    _LOGGER.error("Port %s is already in use", port)
+                    _LOGGER.error("Port %s is already in use", port)  # noqa: TRY400
                     sys.exit(1)
                 else:
                     _LOGGER.debug(
                         "Port %s already in use, trying to use the next one.", port
                     )
                     port += 1
-                    # Don't use the development port here:
-                    if port == DEVELOPMENT_PORT:
-                        port += 1
 
                     config.set_option(
                         "server.port", port, ConfigOption.STREAMLIT_DEFINITION
@@ -237,14 +226,14 @@ def start_listening_tcp_socket(http_server: HTTPServer) -> None:
                 raise
 
     if call_count >= MAX_PORT_SEARCH_RETRIES:
-        raise RetriesExceeded(
+        raise RetriesExceededError(
             f"Cannot start Streamlit server. Port {port} is already in use, and "
             f"Streamlit was unable to find a free port after {MAX_PORT_SEARCH_RETRIES} attempts.",
         )
 
 
 class Server:
-    def __init__(self, main_script_path: str, is_hello: bool):
+    def __init__(self, main_script_path: str, is_hello: bool) -> None:
         """Create the server. It won't be started yet."""
         _set_tornado_log_levels()
         self.initialize_mimetypes()
@@ -428,7 +417,7 @@ class Server:
                         make_url_path_regex(base, "(.*)"),
                         StaticFileHandler,
                         {
-                            "path": "%s/" % static_path,
+                            "path": f"{static_path}/",
                             "default_filename": "index.html",
                             "reserved_paths": [
                                 # These paths are required for identifying

streamlit/web/server/server_util.py

@@ -16,21 +16,49 @@
 
 from __future__ import annotations
 
-from typing import TYPE_CHECKING, Callable, Final, Literal
+from typing import TYPE_CHECKING, Callable, Final, Literal, cast
 from urllib.parse import urljoin
 
 from streamlit import config, net_util, url_util
 from streamlit.runtime.secrets import secrets_singleton
+from streamlit.type_util import is_version_less_than
 
 if TYPE_CHECKING:
     from tornado.web import RequestHandler
 
-# The port reserved for internal development.
+# The port used for internal development.
 DEVELOPMENT_PORT: Final = 3000
 
 AUTH_COOKIE_NAME: Final = "_streamlit_user"
 
 
+def allowlisted_origins() -> set[str]:
+    return {origin.strip() for origin in config.get_option("server.corsAllowedOrigins")}
+
+
+def is_tornado_version_less_than(v: str) -> bool:
+    """Return True if the current Tornado version is less than the input version.
+
+    Parameters
+    ----------
+    v : str
+        Version string, e.g. "0.25.0"
+
+    Returns
+    -------
+    bool
+
+
+    Raises
+    ------
+    InvalidVersion
+        If the version strings are not valid.
+    """
+    import tornado
+
+    return is_version_less_than(tornado.version, v)
+
+
 def is_url_from_allowed_origins(url: str) -> bool:
     """Return True if URL is from allowed origins (for CORS purpose).
 
@@ -47,10 +75,14 @@ def is_url_from_allowed_origins(url: str) -> bool:
 
     hostname = url_util.get_hostname(url)
 
-    allowed_domains: list[str | Callable[[], str | None]] = [
+    allowlisted_domains = [
+        url_util.get_hostname(origin) for origin in allowlisted_origins()
+    ]
+
+    allowed_domains: list[str | None | Callable[[], str | None]] = [
         # Check localhost first.
         "localhost",
-        "0.0.0.0",
+        "0.0.0.0",  # noqa: S104
         "127.0.0.1",
         # Try to avoid making unnecessary HTTP requests by checking if the user
         # manually specified a server address.
@@ -58,6 +90,7 @@ def is_url_from_allowed_origins(url: str) -> bool:
         # Then try the options that depend on HTTP requests or opening sockets.
         net_util.get_internal_ip,
         net_util.get_external_ip,
+        *allowlisted_domains,
     ]
 
     for allowed_domain in allowed_domains:
@@ -87,12 +120,12 @@ def get_cookie_secret() -> str:
     return cookie_secret
 
 
-def is_xsrf_enabled():
+def is_xsrf_enabled() -> bool:
     csrf_enabled = config.get_option("server.enableXsrfProtection")
     if not csrf_enabled and secrets_singleton.load_if_toml_exists():
         auth_section = secrets_singleton.get("auth", None)
         csrf_enabled = csrf_enabled or auth_section is not None
-    return csrf_enabled
+    return cast("bool", csrf_enabled)
 
 
 def _get_server_address_if_manually_set() -> str | None:
@@ -102,17 +135,18 @@ def _get_server_address_if_manually_set() -> str | None:
 
 
 def make_url_path_regex(
-    *path, trailing_slash: Literal["optional", "required", "prohibited"] = "optional"
+    *path: str,
+    trailing_slash: Literal["optional", "required", "prohibited"] = "optional",
 ) -> str:
     """Get a regex of the form ^/foo/bar/baz/?$ for a path (foo, bar, baz)."""
-    path = [x.strip("/") for x in path if x]  # Filter out falsely components.
+    filtered_paths = [x.strip("/") for x in path if x]  # Filter out falsely components.
     path_format = r"^/%s$"
     if trailing_slash == "optional":
         path_format = r"^/%s/?$"
     elif trailing_slash == "required":
         path_format = r"^/%s/$"
 
-    return path_format % "/".join(path)
+    return path_format % "/".join(filtered_paths)
 
 
 def get_url(host_ip: str) -> str:

streamlit/web/server/stats_request_handler.py

@@ -14,11 +14,11 @@
 
 from __future__ import annotations
 
-from typing import TYPE_CHECKING
+from typing import TYPE_CHECKING, cast
 
 import tornado.web
 
-from streamlit.web.server import allow_cross_origin_requests
+from streamlit.web.server import allow_all_cross_origin_requests, is_allowed_origin
 from streamlit.web.server.server_util import emit_endpoint_deprecation_notice
 
 if TYPE_CHECKING:
@@ -30,11 +30,13 @@ class StatsRequestHandler(tornado.web.RequestHandler):
     def initialize(self, stats_manager: StatsManager) -> None:
         self._manager = stats_manager
 
-    def set_default_headers(self):
-        if allow_cross_origin_requests():
+    def set_default_headers(self) -> None:
+        if allow_all_cross_origin_requests():
             self.set_header("Access-Control-Allow-Origin", "*")
+        elif is_allowed_origin(origin := self.request.headers.get("Origin")):
+            self.set_header("Access-Control-Allow-Origin", cast("str", origin))
 
-    def options(self):
+    def options(self) -> None:
         """/OPTIONS handler for preflight CORS checks."""
         self.set_status(204)
         self.finish()