tempest-fastapi-sdk 0.7.2__tar.gz → 0.7.3__tar.gz

{tempest_fastapi_sdk-0.7.2 → tempest_fastapi_sdk-0.7.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: tempest-fastapi-sdk
-Version: 0.7.2
+Version: 0.7.3
 Summary: Shared FastAPI building blocks: base schemas, ORM model, async repository, exceptions, pagination and settings — the conventions used across Tempest projects.
 Project-URL: Homepage, https://github.com/mauriciobenjamin700/tempest-fastapi-sdk
 Project-URL: Repository, https://github.com/mauriciobenjamin700/tempest-fastapi-sdk

{tempest_fastapi_sdk-0.7.2 → tempest_fastapi_sdk-0.7.3}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "tempest-fastapi-sdk"
-version = "0.7.2"
+version = "0.7.3"
 description = "Shared FastAPI building blocks: base schemas, ORM model, async repository, exceptions, pagination and settings — the conventions used across Tempest projects."
 readme = "README.md"
 requires-python = ">=3.11"

{tempest_fastapi_sdk-0.7.2 → tempest_fastapi_sdk-0.7.3}/tempest_fastapi_sdk/__init__.py

@@ -103,7 +103,7 @@ from tempest_fastapi_sdk.webpush import (
     WebPushSubscriptionSchema,
 )
 
-__version__: str = "0.7.2"
+__version__: str = "0.7.3"
 
 __all__: list[str] = [
     "CNPJ",

{tempest_fastapi_sdk-0.7.2 → tempest_fastapi_sdk-0.7.3}/tempest_fastapi_sdk/api/middlewares/request_id.py

@@ -2,6 +2,7 @@
 
 from __future__ import annotations
 
+import re
 import uuid
 from collections.abc import Awaitable, Callable
 
@@ -12,6 +13,16 @@ from starlette.types import ASGIApp
 
 from tempest_fastapi_sdk.core.context import clear_request_id, set_request_id
 
+_VALID_REQUEST_ID = re.compile(r"^[A-Za-z0-9._\-:+/=]{1,128}$")
+"""Whitelist for inbound request IDs.
+
+Restricts the header value to printable ASCII without whitespace or
+control characters so it cannot be used to forge log lines (CRLF
+injection inside :class:`JSONFormatter`) or response headers when
+echoed back. Generous enough to cover UUIDs, ULIDs, base64 trace
+IDs, and most OpenTelemetry trace identifiers.
+"""
+
 
 class RequestIDMiddleware(BaseHTTPMiddleware):
     """Bind an ``X-Request-ID`` header to the request-scoped context.
@@ -51,7 +62,12 @@ class RequestIDMiddleware(BaseHTTPMiddleware):
             Response: The handler's response with the request ID
             echoed in the configured header.
         """
-        rid = request.headers.get(self.header_name) or str(uuid.uuid4())
+        inbound = request.headers.get(self.header_name)
+        rid = (
+            inbound
+            if inbound is not None and _VALID_REQUEST_ID.fullmatch(inbound)
+            else str(uuid.uuid4())
+        )
         token = set_request_id(rid)
         try:
             response = await call_next(request)

{tempest_fastapi_sdk-0.7.2 → tempest_fastapi_sdk-0.7.3}/tempest_fastapi_sdk/api/routers/health.py

@@ -29,6 +29,7 @@ def make_health_router(
     prefix: str = "/health",
     tag: str = "health",
     version: str | None = None,
+    expose_checks: bool = True,
 ) -> APIRouter:
     """Build the canonical ``/health`` router.
 
@@ -40,8 +41,8 @@ def make_health_router(
       liveness probes as "restart the pod"). This endpoint takes
       precedence over readiness for that reason.
     * ``GET <prefix>/readiness`` — runs every configured check and
-      returns ``200`` only when all pass. Returns ``503`` with the
-      per-check breakdown when at least one fails.
+      returns ``200`` only when all pass. Returns ``503`` when at
+      least one fails.
 
     Args:
         db (AsyncDatabaseManager | None): When provided, a
@@ -55,6 +56,11 @@ def make_health_router(
         tag (str): OpenAPI tag applied to both endpoints.
         version (str | None): When provided, attached to the
             readiness payload as ``version``.
+        expose_checks (bool): Whether to surface the per-dependency
+            breakdown in the readiness payload. Defaults to ``True``
+            for development ergonomics; set ``False`` in production
+            so unauthenticated probes don't reveal which backends
+            (database, Redis, RabbitMQ, etc.) the service depends on.
 
     Returns:
         APIRouter: A router ready to ``include_router(...)`` on the
@@ -96,8 +102,9 @@ def make_health_router(
         overall = all(results.values()) if results else True
         payload: dict[str, Any] = {
             "status": "ready" if overall else "not_ready",
-            "checks": results,
         }
+        if expose_checks:
+            payload["checks"] = results
         if version is not None:
             payload["version"] = version
         return JSONResponse(

{tempest_fastapi_sdk-0.7.2 → tempest_fastapi_sdk-0.7.3}/tempest_fastapi_sdk/db/connection.py

@@ -31,8 +31,11 @@ class AsyncDatabaseManager:
     relying on substring tricks.
 
     Attributes:
-        db_url (str): The database connection URL.
         is_sqlite (bool): Whether the URL targets a SQLite backend.
+
+    The connection URL itself is stored on a private attribute so it
+    never leaks through ``repr()`` or accidental logging. Use the
+    :attr:`db_url_safe` property when a redacted form is needed.
     """
 
     def __init__(
@@ -69,7 +72,7 @@ class AsyncDatabaseManager:
             **engine_kwargs: Any additional keyword arguments are
                 passed through to ``create_async_engine`` verbatim.
         """
-        self.db_url: str = db_url
+        self._db_url: str = db_url
         self.is_sqlite: bool = make_url(db_url).get_backend_name() == "sqlite"
         self._echo: bool = echo
         self._pool_size: int = pool_size
@@ -81,6 +84,20 @@ class AsyncDatabaseManager:
         self._engine: AsyncEngine | None = None
         self._session_maker: async_sessionmaker[AsyncSession] | None = None
 
+    @property
+    def db_url_safe(self) -> str:
+        """Return the URL with credentials masked.
+
+        Useful for diagnostics, health payloads or log lines —
+        ``postgresql+asyncpg://user:pass@host/db`` becomes
+        ``postgresql+asyncpg://***@host/db``.
+
+        Returns:
+            str: The URL safe to surface outside the manager.
+        """
+        url = make_url(self._db_url)
+        return url.render_as_string(hide_password=True)
+
     @property
     def is_connected(self) -> bool:
         """Whether the engine is currently initialized.
@@ -115,7 +132,7 @@ class AsyncDatabaseManager:
         if self._poolclass is not None:
             kwargs["poolclass"] = self._poolclass
 
-        self._engine = create_async_engine(self.db_url, **kwargs)
+        self._engine = create_async_engine(self._db_url, **kwargs)
         self._session_maker = async_sessionmaker(
             self._engine,
             expire_on_commit=False,

{tempest_fastapi_sdk-0.7.2 → tempest_fastapi_sdk-0.7.3}/tempest_fastapi_sdk/settings/mixins.py

@@ -123,9 +123,19 @@ class JWTSettings(BaseSettings):
 class CORSSettings(BaseSettings):
     """CORS middleware configuration.
 
+    .. warning::
+        The default ``CORS_ORIGINS=["*"]`` is permissive on purpose
+        so local development works out of the box. **Never** ship
+        this default to production — set ``CORS_ORIGINS`` to the
+        explicit list of trusted frontend origins (e.g.
+        ``["https://app.example.com"]``) in your production
+        configuration. ``"*"`` is also incompatible with
+        ``CORS_ALLOW_CREDENTIALS=True`` (browsers ignore credentialed
+        requests sent to a wildcard origin).
+
     Attributes:
-        CORS_ORIGINS (list[str]): Allowed origins. Use ``["*"]`` only
-            in dev — disables credentialed requests in browsers.
+        CORS_ORIGINS (list[str]): Allowed origins. **Override in
+            production.** Defaults to ``["*"]`` for development only.
         CORS_ALLOW_CREDENTIALS (bool): Whether to allow cookies/auth
             headers cross-origin.
         CORS_ALLOW_METHODS (list[str]): Allowed HTTP methods.

{tempest_fastapi_sdk-0.7.2 → tempest_fastapi_sdk-0.7.3}/tempest_fastapi_sdk/sse/event_stream.py

@@ -176,8 +176,9 @@ def sse_response(
     Adds the SSE-specific headers (``Cache-Control: no-cache``,
     ``Connection: keep-alive``, ``X-Accel-Buffering: no``) so
     intermediate proxies don't buffer or cache the long-lived
-    response. Custom headers passed via ``headers`` are merged on
-    top of the defaults.
+    response. Caller-supplied ``headers`` are layered **below** the
+    SSE defaults so the three critical headers above cannot be
+    accidentally overridden — pass extra metadata, not replacements.
 
     Args:
         stream (AsyncIterable[bytes]): The byte stream produced by
@@ -188,7 +189,7 @@ def sse_response(
     Returns:
         StreamingResponse: A ready-to-return SSE response.
     """
-    merged: dict[str, str] = {**_SSE_HEADERS, **(headers or {})}
+    merged: dict[str, str] = {**(headers or {}), **_SSE_HEADERS}
     return StreamingResponse(
         stream,
         media_type="text/event-stream",

{tempest_fastapi_sdk-0.7.2 → tempest_fastapi_sdk-0.7.3}/tempest_fastapi_sdk/webpush/dispatcher.py

@@ -3,9 +3,11 @@
 from __future__ import annotations
 
 import asyncio
+import hashlib
 import json
 import logging
 from typing import Any
+from urllib.parse import urlsplit
 
 from tempest_fastapi_sdk.webpush.schemas import (
     WebPushPayloadSchema,
@@ -15,6 +17,29 @@ from tempest_fastapi_sdk.webpush.schemas import (
 logger = logging.getLogger(__name__)
 
 
+def _mask_endpoint(endpoint: str) -> str:
+    """Return a stable but non-sensitive identifier for an endpoint.
+
+    Keeps the host (useful for routing errors to the right push
+    service) and replaces the full path + query with a short SHA-256
+    prefix so subscription tokens never reach logs or API responses.
+
+    Args:
+        endpoint (str): The full push service URL.
+
+    Returns:
+        str: ``<host>/<sha256-prefix>`` or the original string when it
+        cannot be parsed.
+    """
+    try:
+        parsed = urlsplit(endpoint)
+    except ValueError:
+        return "<unparsable-endpoint>"
+    host = parsed.netloc or "<unknown-host>"
+    digest = hashlib.sha256(endpoint.encode("utf-8")).hexdigest()[:12]
+    return f"{host}/{digest}"
+
+
 class WebPushError(RuntimeError):
     """Raised when a push delivery attempt fails irrecoverably.
 
@@ -169,14 +194,15 @@ class WebPushDispatcher:
                 )
             except pywebpush.WebPushException as exc:
                 status = exc.response.status_code if exc.response is not None else None
+                masked = _mask_endpoint(subscription.endpoint)
                 if status in {404, 410}:
                     raise WebPushGoneError(
-                        f"Subscription gone (HTTP {status})",
+                        f"Subscription gone (HTTP {status}) for {masked}",
                         status_code=status,
                         endpoint=subscription.endpoint,
                     ) from exc
                 raise WebPushError(
-                    f"Web Push delivery failed: {exc}",
+                    f"Web Push delivery failed for {masked} (HTTP {status})",
                     status_code=status,
                     endpoint=subscription.endpoint,
                 ) from exc
@@ -216,7 +242,11 @@ class WebPushDispatcher:
             except WebPushGoneError:
                 gone.append(sub.endpoint)
             except WebPushError as exc:
-                logger.warning("Web Push send failed for %s: %s", sub.endpoint, exc)
+                logger.warning(
+                    "Web Push send failed for %s: %s",
+                    _mask_endpoint(sub.endpoint),
+                    exc,
+                )
 
         await asyncio.gather(*(_one(sub) for sub in subscriptions))
         return gone

{tempest_fastapi_sdk-0.7.2 → tempest_fastapi_sdk-0.7.3}/tempest_fastapi_sdk/webpush/schemas.py

@@ -3,8 +3,9 @@
 from __future__ import annotations
 
 from typing import Any
+from urllib.parse import urlsplit
 
-from pydantic import ConfigDict, Field
+from pydantic import ConfigDict, Field, field_validator
 
 from tempest_fastapi_sdk.schemas.base import BaseSchema
 
@@ -58,6 +59,33 @@ class WebPushSubscriptionSchema(BaseSchema):
         description="Optional expiration time (ms since epoch).",
     )
 
+    @field_validator("endpoint")
+    @classmethod
+    def _endpoint_must_be_https(cls, value: str) -> str:
+        """Reject endpoints that aren't ``https://`` URLs.
+
+        The Web Push spec requires HTTPS, and accepting arbitrary
+        schemes (``file://``, ``http://localhost``, etc.) would turn
+        the server into an SSRF proxy when subscriptions come from
+        untrusted clients.
+
+        Args:
+            value (str): The candidate endpoint URL.
+
+        Returns:
+            str: The same URL when valid.
+
+        Raises:
+            ValueError: When the URL is malformed or not HTTPS.
+        """
+        try:
+            parsed = urlsplit(value)
+        except ValueError as exc:
+            raise ValueError("Invalid endpoint URL") from exc
+        if parsed.scheme != "https" or not parsed.netloc:
+            raise ValueError("Push endpoints must be HTTPS URLs.")
+        return value
+
 
 class WebPushPayloadSchema(BaseSchema):
     """Optional helper for the JSON payload delivered with each push.

{tempest_fastapi_sdk-0.7.2 → tempest_fastapi_sdk-0.7.3}/tests/api/test_health_router.py

@@ -76,3 +76,22 @@ async def test_custom_prefix() -> None:
     async with _client(app) as client:
         liveness = await client.get("/ops/health/liveness")
     assert liveness.status_code == 200
+
+
+@pytest.mark.asyncio
+async def test_readiness_hides_checks_when_expose_checks_false() -> None:
+    """Production deployments can hide the per-dependency breakdown."""
+
+    async def db_check() -> bool:
+        return False
+
+    app = FastAPI()
+    app.include_router(
+        make_health_router(checks={"database": db_check}, expose_checks=False),
+    )
+    async with _client(app) as client:
+        response = await client.get("/health/readiness")
+    body = response.json()
+    assert response.status_code == 503
+    assert body["status"] == "not_ready"
+    assert "checks" not in body

{tempest_fastapi_sdk-0.7.2 → tempest_fastapi_sdk-0.7.3}/tests/api/test_request_id_middleware.py

@@ -54,6 +54,29 @@ async def test_context_is_isolated_between_requests() -> None:
     assert get_request_id() is None
 
 
+@pytest.mark.asyncio
+@pytest.mark.parametrize(
+    "malicious",
+    [
+        "abc\r\nX-Injected: 1",
+        "abc\nlevel=CRITICAL",
+        "abc with spaces",
+        "abc;rm -rf /",
+        "x" * 200,  # exceeds 128-char cap
+    ],
+)
+async def test_malicious_header_replaced_with_uuid(malicious: str) -> None:
+    """Reject CRLF and other unsafe characters to block log/header injection."""
+    app = _make_app()
+    transport = ASGITransport(app=app)
+    async with AsyncClient(transport=transport, base_url="http://test") as client:
+        response = await client.get("/echo", headers={"X-Request-ID": malicious})
+    rid = response.headers["X-Request-ID"]
+    uuid.UUID(rid)  # must be a fresh UUID, not the attacker's value
+    assert rid != malicious
+    assert response.json()["request_id"] == rid
+
+
 @pytest.mark.asyncio
 async def test_custom_header_name() -> None:
     app = FastAPI()

{tempest_fastapi_sdk-0.7.2 → tempest_fastapi_sdk-0.7.3}/tests/db/test_connection.py

@@ -120,6 +120,30 @@ class TestHealthCheck:
         await manager.disconnect()
 
 
+class TestUrlMasking:
+    def test_db_url_safe_hides_password(self) -> None:
+        manager = AsyncDatabaseManager(
+            "postgresql+asyncpg://alice:supersecret@db.internal:5432/app",
+        )
+        safe = manager.db_url_safe
+        assert "supersecret" not in safe
+        assert "alice" in safe
+        assert "db.internal" in safe
+
+    def test_db_url_safe_handles_url_without_password(self) -> None:
+        manager = AsyncDatabaseManager("sqlite+aiosqlite:///:memory:")
+        assert manager.db_url_safe.startswith("sqlite+aiosqlite://")
+
+    def test_db_url_no_public_attribute(self) -> None:
+        manager = AsyncDatabaseManager(
+            "postgresql+asyncpg://alice:supersecret@db.internal:5432/app",
+        )
+        # Credentials must not be reachable via a public attribute.
+        assert not hasattr(manager, "db_url") or "supersecret" not in str(
+            getattr(manager, "db_url", "")
+        )
+
+
 class TestRequireConnected:
     async def test_session_methods_lazy_connect(self) -> None:
         # get_session / get_session_context / session_dependency all

{tempest_fastapi_sdk-0.7.2 → tempest_fastapi_sdk-0.7.3}/tests/sse/test_event_stream.py

@@ -1,6 +1,7 @@
 """Tests for tempest_fastapi_sdk.sse."""
 
 import asyncio
+from collections.abc import AsyncIterator
 
 import pytest
 from fastapi import FastAPI
@@ -98,3 +99,32 @@ async def test_sse_response_end_to_end() -> None:
     assert b"event: ping" in response.content
     assert b"data: hello" in response.content
     assert b"data: world" in response.content
+
+
+async def test_sse_response_caller_headers_cannot_override_defaults() -> None:
+    """Caller-supplied headers must not override SSE-critical headers."""
+    from fastapi import FastAPI
+
+    app = FastAPI()
+
+    async def empty() -> AsyncIterator[bytes]:
+        if False:  # pragma: no cover - generator never yields
+            yield b""
+
+    @app.get("/events")
+    async def events() -> object:
+        return sse_response(
+            empty(),
+            headers={
+                "Cache-Control": "public, max-age=3600",
+                "X-Accel-Buffering": "yes",
+                "X-Custom": "ok",
+            },
+        )
+
+    transport = ASGITransport(app=app)
+    async with AsyncClient(transport=transport, base_url="http://test") as client:
+        response = await client.get("/events")
+    assert response.headers["cache-control"] == "no-cache"
+    assert response.headers["x-accel-buffering"] == "no"
+    assert response.headers["x-custom"] == "ok"

{tempest_fastapi_sdk-0.7.2 → tempest_fastapi_sdk-0.7.3}/tests/webpush/test_schemas.py

@@ -45,6 +45,24 @@ class TestWebPushSubscription:
                 keys=WebPushKeysSchema(p256dh="pk", auth="a"),
             )
 
+    @pytest.mark.parametrize(
+        "endpoint",
+        [
+            "http://push.example.com/abc",
+            "file:///etc/passwd",
+            "ftp://push.example.com/abc",
+            "javascript:alert(1)",
+            "not-a-url",
+        ],
+    )
+    def test_non_https_endpoint_rejected(self, endpoint: str) -> None:
+        """Reject non-HTTPS endpoints to prevent SSRF via subscriptions."""
+        with pytest.raises(ValueError):
+            WebPushSubscriptionSchema(
+                endpoint=endpoint,
+                keys=WebPushKeysSchema(p256dh="pk", auth="a"),
+            )
+
 
 class TestWebPushPayload:
     def test_all_fields_optional(self) -> None:

{tempest_fastapi_sdk-0.7.2 → tempest_fastapi_sdk-0.7.3}/uv.lock

@@ -1,5 +1,5 @@
 version = 1
-revision = 3
+revision = 2
 requires-python = ">=3.11"
 resolution-markers = [
     "python_full_version >= '3.15'",
@@ -1948,7 +1948,7 @@ wheels = [
 
 [[package]]
 name = "tempest-fastapi-sdk"
-version = "0.7.2"
+version = "0.7.3"
 source = { editable = "." }
 dependencies = [
     { name = "alembic" },