PyPI - tina4-python - Versions diffs - 3.8.7__tar.gz → 3.9.1__tar.gz - Mend

tina4-python 3.8.7tar.gz → 3.9.1tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (138) hide show

{tina4_python-3.8.7 → tina4_python-3.9.1}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: tina4-python
-Version: 3.8.7
+Version: 3.9.1
 Summary: Tina4 Python v3 — Zero-dependency, lightweight web framework
 Author-email: Andre van Zuydam <andrevanzuydam@gmail.com>
 License: MIT

{tina4_python-3.8.7 → tina4_python-3.9.1}/pyproject.toml RENAMED Viewed

@@ -1,6 +1,6 @@
 [project]
 name = "tina4-python"
-version = "3.8.7"
+version = "3.9.1"
 description = "Tina4 Python v3 — Zero-dependency, lightweight web framework"
 authors = [
     {name = "Andre van Zuydam", email = "andrevanzuydam@gmail.com"}

{tina4_python-3.8.7 → tina4_python-3.9.1}/tina4_python/CLAUDE.md RENAMED Viewed

@@ -1015,7 +1015,7 @@ async def admin_dashboard(request, response):
 **Rule: Any operation that takes more than ~1 second must use a queue.**
-Supports: litequeue (default/SQLite, zero-config), RabbitMQ, Kafka, MongoDB.
+Supports: file (default, zero-config), RabbitMQ, Kafka, MongoDB.
 ### Producing — enqueue work from a route

{tina4_python-3.8.7 → tina4_python-3.9.1}/tina4_python/__init__.py RENAMED Viewed

@@ -8,7 +8,7 @@ Tina4 Python v3.0 — Zero-dependency, lightweight web framework.
 One import, everything works.
 """
-__version__ = "3.8.3"
+__version__ = "3.9.1"
 # ── HTTP Constants ──
 from tina4_python.core.constants import (  # noqa: E402, F401

{tina4_python-3.8.7 → tina4_python-3.9.1}/tina4_python/auth/__init__.py RENAMED Viewed

@@ -39,7 +39,7 @@ class Auth:
         self.secret = secret or os.environ.get("SECRET", "tina4-default-secret")
         self.algorithm = algorithm
         self.expires_in = expires_in or int(
-            os.environ.get("TINA4_TOKEN_EXPIRES_IN", "60")
+            os.environ.get("TINA4_TOKEN_LIMIT", "60")
         )
     # ── JWT ────────────────────────────────────────────────────────
@@ -184,8 +184,8 @@ class Auth:
     @staticmethod
     def validate_api_key(provided: str) -> bool:
-        """Check a Bearer token against the API_KEY env var."""
-        expected = os.environ.get("API_KEY", "")
+        """Check a Bearer token against the TINA4_API_KEY env var (falls back to API_KEY)."""
+        expected = os.environ.get("TINA4_API_KEY", os.environ.get("API_KEY", ""))
         if not expected:
             return False
         return hmac.compare_digest(provided, expected)

{tina4_python-3.8.7 → tina4_python-3.9.1}/tina4_python/core/middleware.py RENAMED Viewed

@@ -1,9 +1,9 @@
-# Tina4 Middleware — CORS and Rate Limiter.
+# Tina4 Middleware — CORS, Rate Limiter, CSRF.
 """
-Built-in middleware for cross-origin requests and rate limiting.
+Built-in middleware for cross-origin requests, rate limiting, and CSRF protection.
 Zero dependencies — stdlib only.
-    from tina4_python.core.middleware import CorsMiddleware, RateLimiter
+    from tina4_python.core.middleware import CorsMiddleware, RateLimiter, CsrfMiddleware
 CORS is configured via environment variables:
     TINA4_CORS_ORIGINS=*                    # Allowed origins (* = all)
@@ -14,9 +14,13 @@ CORS is configured via environment variables:
 Rate limiter uses a sliding window in memory:
     TINA4_RATE_LIMIT=100                   # Requests per window
     TINA4_RATE_WINDOW=60                   # Window in seconds
+CSRF protection (off by default):
+    TINA4_CSRF=true                        # Enable CSRF token validation
 """
 import os
 import time
+import logging
 import threading
@@ -185,3 +189,122 @@ class SecurityHeadersMiddleware:
         )
         return request, response
+class CsrfMiddleware:
+    """CSRF token validation middleware.
+    Off by default — only active when TINA4_CSRF=true in .env or when
+    registered explicitly via Router.use(CsrfMiddleware).
+    Behaviour:
+        - Skips GET, HEAD, OPTIONS requests.
+        - Skips routes marked @noauth().
+        - Skips requests with a valid Authorization: Bearer header (API clients).
+        - Checks request.body["formToken"] then request.headers["X-Form-Token"].
+        - Rejects if token found in request.query["formToken"] (log warning, 403).
+        - Validates token with Auth.valid_token using SECRET env var.
+        - If token payload has session_id, verifies it matches request.session.session_id.
+        - Returns 403 with response.error("CSRF_INVALID", ...) on failure.
+    """
+    _logger = logging.getLogger("tina4.csrf")
+    @staticmethod
+    def before_csrf(request, response):
+        """Validate CSRF token before the route handler runs."""
+        # Check if CSRF is enabled via env (middleware registration bypasses this)
+        csrf_env = os.environ.get("TINA4_CSRF", "true").lower() not in ("false", "0", "no")
+        # When registered via Router.use(), this method always runs.
+        # The env check is only for auto-activation scenarios.
+        # Skip safe HTTP methods
+        method = getattr(request, "method", "GET").upper()
+        if method in ("GET", "HEAD", "OPTIONS"):
+            return request, response
+        # Skip routes marked @noauth()
+        handler = getattr(request, "_handler", None)
+        if handler and getattr(handler, "_noauth", False):
+            return request, response
+        # Skip requests with valid Bearer token (API clients)
+        auth_header = ""
+        headers = getattr(request, "headers", {})
+        if isinstance(headers, dict):
+            auth_header = headers.get("authorization", headers.get("Authorization", ""))
+        elif hasattr(headers, "get"):
+            auth_header = headers.get("authorization", "")
+        if auth_header.startswith("Bearer "):
+            bearer_token = auth_header[7:].strip()
+            if bearer_token:
+                from tina4_python.auth import Auth as _CsrfAuth
+                secret = os.environ.get("SECRET", "tina4-default-secret")
+                auth = _CsrfAuth(secret=secret)
+                if auth.valid_token(bearer_token) is not None:
+                    return request, response
+        # Reject if token is in query string (security risk — log warning)
+        query = getattr(request, "params", None) or getattr(request, "query", None) or {}
+        if isinstance(query, dict) and query.get("formToken"):
+            CsrfMiddleware._logger.warning(
+                "CSRF token found in query string — rejected for security. "
+                "Use POST body or X-Form-Token header instead."
+            )
+            return request, response.error(
+                "CSRF_INVALID",
+                "Form token must not be sent in the URL query string",
+                403,
+            )
+        # Extract token: body first, then header
+        token = None
+        body = getattr(request, "body", None) or {}
+        if isinstance(body, dict):
+            token = body.get("formToken")
+        if not token:
+            if isinstance(headers, dict):
+                token = headers.get("x-form-token", headers.get("X-Form-Token", ""))
+            elif hasattr(headers, "get"):
+                token = headers.get("x-form-token", "")
+        if not token:
+            return request, response.error(
+                "CSRF_INVALID",
+                "Invalid or missing form token",
+                403,
+            )
+        # Validate the token
+        from tina4_python.auth import Auth as _CsrfAuth
+        secret = os.environ.get("SECRET", "tina4-default-secret")
+        auth = _CsrfAuth(secret=secret)
+        payload = auth.valid_token(token)
+        if payload is None:
+            return request, response.error(
+                "CSRF_INVALID",
+                "Invalid or missing form token",
+                403,
+            )
+        # Session binding — if token has session_id, verify it matches
+        token_session_id = payload.get("session_id")
+        if token_session_id:
+            session = getattr(request, "session", None)
+            current_session_id = None
+            if session is not None:
+                current_session_id = getattr(session, "session_id", None)
+                if current_session_id is None and hasattr(session, "get"):
+                    current_session_id = session.get("session_id")
+            if current_session_id and token_session_id != current_session_id:
+                return request, response.error(
+                    "CSRF_INVALID",
+                    "Invalid or missing form token",
+                    403,
+                )
+        return request, response

{tina4_python-3.8.7 → tina4_python-3.9.1}/tina4_python/core/server.py RENAMED Viewed

@@ -1102,7 +1102,7 @@ def _print_banner(host: str, port: int, server_name: str = "asyncio"):
     from tina4_python.dotenv import is_truthy
     is_debug = is_truthy(os.environ.get("TINA4_DEBUG", ""))
-    log_level = os.environ.get("TINA4_LOG_LEVEL", "debug").upper()
+    log_level = os.environ.get("TINA4_LOG_LEVEL", "error").upper()
     display = "localhost" if host in ("0.0.0.0", "::") else host
     # Blue color for Python, only when stdout is a TTY
@@ -1145,7 +1145,7 @@ def run(host: str | None = None, port: int | None = None):
     # Init logger
     is_production = os.environ.get("TINA4_ENV", "development") == "production"
-    log_level = os.environ.get("TINA4_LOG_LEVEL", "debug" if not is_production else "info")
+    log_level = os.environ.get("TINA4_LOG_LEVEL", "error" if not is_production else "error")
     Log.init(level=log_level, production=is_production)
     # Ensure folders

{tina4_python-3.8.7 → tina4_python-3.9.1}/tina4_python/frond/engine.py RENAMED Viewed

@@ -578,7 +578,7 @@ def _wordwrap(text: str, width: int) -> str:
 # ── Form Token ─────────────────────────────────────────────────
-def _form_token(descriptor: str = "") -> str:
+def _form_token(descriptor: str = "", session_id: str = "") -> str:
     """Generate a JWT form token and return a hidden input element.
     Args:
@@ -586,6 +586,9 @@ def _form_token(descriptor: str = "") -> str:
             - Empty or omitted: payload is ``{"type": "form"}``
             - ``"admin_panel"``: payload is ``{"type": "form", "context": "admin_panel"}``
             - ``"checkout|order_123"``: payload is ``{"type": "form", "context": "checkout", "ref": "order_123"}``
+        session_id: Optional session ID to bind the token to a specific session.
+            When provided, the CSRF middleware will verify the token belongs to
+            the same session. If empty, checks ``_form_token_session_id`` global.
     Returns:
         ``<input type="hidden" name="formToken" value="TOKEN">``
@@ -600,6 +603,11 @@ def _form_token(descriptor: str = "") -> str:
         else:
             payload["context"] = descriptor
+    # Include session_id in payload for CSRF session binding
+    sid = session_id or _form_token_session_id
+    if sid:
+        payload["session_id"] = sid
     secret = os.environ.get("SECRET", "tina4-default-secret")
     ttl = int(os.environ.get("TINA4_TOKEN_EXPIRES_IN", "60"))
     auth = _FrondAuth(secret=secret, expires_in=ttl)
@@ -607,6 +615,17 @@ def _form_token(descriptor: str = "") -> str:
     return SafeString(f'<input type="hidden" name="formToken" value="{token}">')
+# Module-level session ID holder — set by the server before rendering templates
+# so that form_token() can bind tokens to the current session.
+_form_token_session_id: str = ""
+def set_form_token_session_id(session_id: str) -> None:
+    """Set the session ID used by form_token() for CSRF session binding."""
+    global _form_token_session_id
+    _form_token_session_id = session_id or ""
 # ── Frond Engine ────────────────────────────────────────────────

tina4-python 3.8.7__tar.gz → 3.9.1__tar.gz

tina4-python 3.8.7tar.gz → 3.9.1tar.gz