tina4-python 3.9.0__tar.gz → 3.9.2__tar.gz

{tina4_python-3.9.0 → tina4_python-3.9.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: tina4-python
-Version: 3.9.0
+Version: 3.9.2
 Summary: Tina4 Python v3 — Zero-dependency, lightweight web framework
 Author-email: Andre van Zuydam <andrevanzuydam@gmail.com>
 License: MIT

{tina4_python-3.9.0 → tina4_python-3.9.2}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "tina4-python"
-version = "3.9.0"
+version = "3.9.2"
 description = "Tina4 Python v3 — Zero-dependency, lightweight web framework"
 authors = [
     {name = "Andre van Zuydam", email = "andrevanzuydam@gmail.com"}

{tina4_python-3.9.0 → tina4_python-3.9.2}/tina4_python/CLAUDE.md

@@ -480,7 +480,7 @@ Response.add_header("X-Custom", "value")
 
 ## Sessions
 
-TINA4_TOKEN_EXPIRES_IN is used to set the session time, recommend 15-60 minutes
+TINA4_TOKEN_LIMIT is used to set the session time, default 60 minutes
 
 ### Session Backends
 
@@ -1015,7 +1015,7 @@ async def admin_dashboard(request, response):
 
 **Rule: Any operation that takes more than ~1 second must use a queue.**
 
-Supports: litequeue (default/SQLite, zero-config), RabbitMQ, Kafka, MongoDB.
+Supports: file (default, zero-config), RabbitMQ, Kafka, MongoDB.
 
 ### Producing — enqueue work from a route
 
@@ -1515,8 +1515,8 @@ Key `.env` settings:
 ```bash
 # Authentication
 SECRET=your-jwt-secret            # JWT signing (default uses insecure placeholder)
-API_KEY=your-api-key              # Static bearer token for API auth
-TINA4_TOKEN_EXPIRES_IN=60         # Token lifetime in minutes (default: 60)
+TINA4_API_KEY=your-api-key        # Static bearer token for API auth (API_KEY fallback supported)
+TINA4_TOKEN_LIMIT=60              # Token lifetime in minutes (default: 60)
 
 # Database
 DATABASE_URL=sqlite:///app.db     # Connection URL (driver://host:port/database)
@@ -1525,7 +1525,7 @@ DATABASE_PASSWORD=                 # DB password
 
 # Framework
 TINA4_DEBUG=true                  # Enable dev mode (toolbar, live reload, error overlay)
-TINA4_LOG_LEVEL=ALL               # Log verbosity: ALL, DEBUG, INFO, WARNING, ERROR
+TINA4_LOG_LEVEL=ERROR             # Log verbosity: ALL, DEBUG, INFO, WARNING, ERROR (default: ERROR)
 TINA4_LOCALE=en                   # Language for framework messages (en, fr, af, zh, ja, es)
 TINA4_DEFAULT_WEBSERVER=FALSE     # Set to TRUE to use Tina4's built-in webserver instead of ASGI
 HOST_NAME=localhost:7145
@@ -1534,7 +1534,7 @@ HOST_NAME=localhost:7145
 TINA4_SESSION_HANDLER=SessionFileHandler  # SessionFileHandler, SessionRedisHandler, SessionValkeyHandler, SessionMongoHandler
 
 # Swagger/OpenAPI
-SWAGGER_TITLE=My API              # API title (default: "Tina4 Python API")
+SWAGGER_TITLE=Tina4 API           # API title (default: "Tina4 API")
 SWAGGER_VERSION=1.0.0             # API version
 SWAGGER_DESCRIPTION=              # API description
 SWAGGER_CONTACT_TEAM=             # Contact name
@@ -1763,7 +1763,7 @@ async def dashboard(request, response):
 - **`tina4python generate`**: model, route, migration, middleware scaffolding
 - **Database**: 5 engines (SQLite, PostgreSQL, MySQL, MSSQL, Firebird), query caching (`TINA4_DB_CACHE=true`, `cache_stats()`, `cache_clear()`)
 - **Sessions**: 4 backends (file, Redis/Valkey, MongoDB, database)
-- **Queue**: SQLite/RabbitMQ/Kafka/MongoDB backends, configured via env vars
+- **Queue**: file/RabbitMQ/Kafka/MongoDB backends, configured via env vars
 - **Cache**: memory/Redis/file backends
 - **Messenger**: .env driven SMTP/IMAP
 - **ORM relationships**: `has_many`, `has_one`, `belongs_to` with eager loading (`include=`)

{tina4_python-3.9.0 → tina4_python-3.9.2}/tina4_python/__init__.py

@@ -8,7 +8,7 @@ Tina4 Python v3.0 — Zero-dependency, lightweight web framework.
 
 One import, everything works.
 """
-__version__ = "3.8.3"
+__version__ = "3.9.2"
 
 # ── HTTP Constants ──
 from tina4_python.core.constants import (  # noqa: E402, F401

{tina4_python-3.9.0 → tina4_python-3.9.2}/tina4_python/auth/__init__.py

@@ -39,7 +39,7 @@ class Auth:
         self.secret = secret or os.environ.get("SECRET", "tina4-default-secret")
         self.algorithm = algorithm
         self.expires_in = expires_in or int(
-            os.environ.get("TINA4_TOKEN_EXPIRES_IN", "60")
+            os.environ.get("TINA4_TOKEN_LIMIT", "60")
         )
 
     # ── JWT ────────────────────────────────────────────────────────
@@ -184,8 +184,8 @@ class Auth:
 
     @staticmethod
     def validate_api_key(provided: str) -> bool:
-        """Check a Bearer token against the API_KEY env var."""
-        expected = os.environ.get("API_KEY", "")
+        """Check a Bearer token against the TINA4_API_KEY env var (falls back to API_KEY)."""
+        expected = os.environ.get("TINA4_API_KEY", os.environ.get("API_KEY", ""))
         if not expected:
             return False
         return hmac.compare_digest(provided, expected)

{tina4_python-3.9.0 → tina4_python-3.9.2}/tina4_python/cli/__init__.py

@@ -141,6 +141,37 @@ def _init(args):
         if not dst_file.exists() and src_file.exists():
             dst_file.write_text(src_file.read_text(encoding="utf-8"), encoding="utf-8")
 
+    # Create root Dockerfile (uv variant) if it doesn't exist
+    root_dockerfile = target / "Dockerfile"
+    if not root_dockerfile.exists():
+        root_dockerfile.write_text(
+            'FROM python:3.13-slim AS build\n'
+            'WORKDIR /app\n'
+            'COPY --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/uv\n'
+            'COPY pyproject.toml uv.lock* ./\n'
+            'RUN uv sync --frozen --no-dev\n'
+            'COPY . .\n'
+            '\n'
+            'FROM python:3.13-slim\n'
+            'WORKDIR /app\n'
+            'COPY --from=build /app .\n'
+            'COPY --from=build /usr/local/bin/uv /usr/local/bin/uv\n'
+            'ENV PATH="/app/.venv/bin:$PATH"\n'
+            'ENV HOST=0.0.0.0\n'
+            'ENV PORT=7145\n'
+            'EXPOSE 7145\n'
+            'CMD ["python", "app.py"]\n',
+            encoding="utf-8",
+        )
+
+    # Create root .dockerignore if it doesn't exist
+    root_dockerignore = target / ".dockerignore"
+    if not root_dockerignore.exists():
+        root_dockerignore.write_text(
+            ".venv\n__pycache__\n.git\n.claude\n.env\n*.log\ntests\ntmp\n",
+            encoding="utf-8",
+        )
+
     # Auto-detect AI tools and install context
     from tina4_python.ai import detect_ai_names, install_context, install_all
     detected = detect_ai_names(str(target))

{tina4_python-3.9.0 → tina4_python-3.9.2}/tina4_python/core/middleware.py

@@ -1,9 +1,9 @@
-# Tina4 Middleware — CORS and Rate Limiter.
+# Tina4 Middleware — CORS, Rate Limiter, CSRF.
 """
-Built-in middleware for cross-origin requests and rate limiting.
+Built-in middleware for cross-origin requests, rate limiting, and CSRF protection.
 Zero dependencies — stdlib only.
 
-    from tina4_python.core.middleware import CorsMiddleware, RateLimiter
+    from tina4_python.core.middleware import CorsMiddleware, RateLimiter, CsrfMiddleware
 
 CORS is configured via environment variables:
     TINA4_CORS_ORIGINS=*                    # Allowed origins (* = all)
@@ -14,9 +14,13 @@ CORS is configured via environment variables:
 Rate limiter uses a sliding window in memory:
     TINA4_RATE_LIMIT=100                   # Requests per window
     TINA4_RATE_WINDOW=60                   # Window in seconds
+
+CSRF protection (off by default):
+    TINA4_CSRF=true                        # Enable CSRF token validation
 """
 import os
 import time
+import logging
 import threading
 
 
@@ -185,3 +189,122 @@ class SecurityHeadersMiddleware:
         )
 
         return request, response
+
+
+class CsrfMiddleware:
+    """CSRF token validation middleware.
+
+    Off by default — only active when TINA4_CSRF=true in .env or when
+    registered explicitly via Router.use(CsrfMiddleware).
+
+    Behaviour:
+        - Skips GET, HEAD, OPTIONS requests.
+        - Skips routes marked @noauth().
+        - Skips requests with a valid Authorization: Bearer header (API clients).
+        - Checks request.body["formToken"] then request.headers["X-Form-Token"].
+        - Rejects if token found in request.query["formToken"] (log warning, 403).
+        - Validates token with Auth.valid_token using SECRET env var.
+        - If token payload has session_id, verifies it matches request.session.session_id.
+        - Returns 403 with response.error("CSRF_INVALID", ...) on failure.
+    """
+
+    _logger = logging.getLogger("tina4.csrf")
+
+    @staticmethod
+    def before_csrf(request, response):
+        """Validate CSRF token before the route handler runs."""
+        # Check if CSRF is enabled via env (middleware registration bypasses this)
+        csrf_env = os.environ.get("TINA4_CSRF", "true").lower() not in ("false", "0", "no")
+        # When registered via Router.use(), this method always runs.
+        # The env check is only for auto-activation scenarios.
+
+        # Skip safe HTTP methods
+        method = getattr(request, "method", "GET").upper()
+        if method in ("GET", "HEAD", "OPTIONS"):
+            return request, response
+
+        # Skip routes marked @noauth()
+        handler = getattr(request, "_handler", None)
+        if handler and getattr(handler, "_noauth", False):
+            return request, response
+
+        # Skip requests with valid Bearer token (API clients)
+        auth_header = ""
+        headers = getattr(request, "headers", {})
+        if isinstance(headers, dict):
+            auth_header = headers.get("authorization", headers.get("Authorization", ""))
+        elif hasattr(headers, "get"):
+            auth_header = headers.get("authorization", "")
+
+        if auth_header.startswith("Bearer "):
+            bearer_token = auth_header[7:].strip()
+            if bearer_token:
+                from tina4_python.auth import Auth as _CsrfAuth
+                secret = os.environ.get("SECRET", "tina4-default-secret")
+                auth = _CsrfAuth(secret=secret)
+                if auth.valid_token(bearer_token) is not None:
+                    return request, response
+
+        # Reject if token is in query string (security risk — log warning)
+        query = getattr(request, "params", None) or getattr(request, "query", None) or {}
+        if isinstance(query, dict) and query.get("formToken"):
+            CsrfMiddleware._logger.warning(
+                "CSRF token found in query string — rejected for security. "
+                "Use POST body or X-Form-Token header instead."
+            )
+            return request, response.error(
+                "CSRF_INVALID",
+                "Form token must not be sent in the URL query string",
+                403,
+            )
+
+        # Extract token: body first, then header
+        token = None
+        body = getattr(request, "body", None) or {}
+        if isinstance(body, dict):
+            token = body.get("formToken")
+
+        if not token:
+            if isinstance(headers, dict):
+                token = headers.get("x-form-token", headers.get("X-Form-Token", ""))
+            elif hasattr(headers, "get"):
+                token = headers.get("x-form-token", "")
+
+        if not token:
+            return request, response.error(
+                "CSRF_INVALID",
+                "Invalid or missing form token",
+                403,
+            )
+
+        # Validate the token
+        from tina4_python.auth import Auth as _CsrfAuth
+        secret = os.environ.get("SECRET", "tina4-default-secret")
+        auth = _CsrfAuth(secret=secret)
+        payload = auth.valid_token(token)
+
+        if payload is None:
+            return request, response.error(
+                "CSRF_INVALID",
+                "Invalid or missing form token",
+                403,
+            )
+
+        # Session binding — if token has session_id, verify it matches
+        token_session_id = payload.get("session_id")
+        if token_session_id:
+            session = getattr(request, "session", None)
+            current_session_id = None
+            if session is not None:
+                current_session_id = getattr(session, "session_id", None)
+                if current_session_id is None and hasattr(session, "get"):
+                    current_session_id = session.get("session_id")
+
+            if current_session_id and token_session_id != current_session_id:
+                return request, response.error(
+                    "CSRF_INVALID",
+                    "Invalid or missing form token",
+                    403,
+                )
+
+        return request, response

{tina4_python-3.9.0 → tina4_python-3.9.2}/tina4_python/core/server.py

@@ -911,7 +911,8 @@ async def app(scope: dict, receive, send):
             sid = request.session.session_id if hasattr(request.session, 'session_id') else getattr(request.session, 'id', None)
             if sid:
                 ttl = int(os.environ.get("TINA4_SESSION_TTL", "3600"))
-                response.header("set-cookie", f"tina4_session={sid}; Path=/; HttpOnly; SameSite=Lax; Max-Age={ttl}")
+                samesite = os.environ.get("TINA4_SESSION_SAMESITE", "Lax")
+                response.header("set-cookie", f"tina4_session={sid}; Path=/; HttpOnly; SameSite={samesite}; Max-Age={ttl}")
         except Exception:
             pass
 
@@ -1102,7 +1103,7 @@ def _print_banner(host: str, port: int, server_name: str = "asyncio"):
     from tina4_python.dotenv import is_truthy
 
     is_debug = is_truthy(os.environ.get("TINA4_DEBUG", ""))
-    log_level = os.environ.get("TINA4_LOG_LEVEL", "debug").upper()
+    log_level = os.environ.get("TINA4_LOG_LEVEL", "error").upper()
     display = "localhost" if host in ("0.0.0.0", "::") else host
 
     # Blue color for Python, only when stdout is a TTY
@@ -1145,7 +1146,7 @@ def run(host: str | None = None, port: int | None = None):
 
     # Init logger
     is_production = os.environ.get("TINA4_ENV", "development") == "production"
-    log_level = os.environ.get("TINA4_LOG_LEVEL", "debug" if not is_production else "info")
+    log_level = os.environ.get("TINA4_LOG_LEVEL", "error" if not is_production else "error")
     Log.init(level=log_level, production=is_production)
 
     # Ensure folders

{tina4_python-3.9.0 → tina4_python-3.9.2}/tina4_python/frond/engine.py

@@ -578,7 +578,7 @@ def _wordwrap(text: str, width: int) -> str:
 # ── Form Token ─────────────────────────────────────────────────
 
 
-def _form_token(descriptor: str = "") -> str:
+def _form_token(descriptor: str = "", session_id: str = "") -> str:
     """Generate a JWT form token and return a hidden input element.
 
     Args:
@@ -586,6 +586,9 @@ def _form_token(descriptor: str = "") -> str:
             - Empty or omitted: payload is ``{"type": "form"}``
             - ``"admin_panel"``: payload is ``{"type": "form", "context": "admin_panel"}``
             - ``"checkout|order_123"``: payload is ``{"type": "form", "context": "checkout", "ref": "order_123"}``
+        session_id: Optional session ID to bind the token to a specific session.
+            When provided, the CSRF middleware will verify the token belongs to
+            the same session. If empty, checks ``_form_token_session_id`` global.
 
     Returns:
         ``<input type="hidden" name="formToken" value="TOKEN">``
@@ -600,6 +603,11 @@ def _form_token(descriptor: str = "") -> str:
         else:
             payload["context"] = descriptor
 
+    # Include session_id in payload for CSRF session binding
+    sid = session_id or _form_token_session_id
+    if sid:
+        payload["session_id"] = sid
+
     secret = os.environ.get("SECRET", "tina4-default-secret")
     ttl = int(os.environ.get("TINA4_TOKEN_EXPIRES_IN", "60"))
     auth = _FrondAuth(secret=secret, expires_in=ttl)
@@ -607,6 +615,17 @@ def _form_token(descriptor: str = "") -> str:
     return SafeString(f'<input type="hidden" name="formToken" value="{token}">')
 
 
+# Module-level session ID holder — set by the server before rendering templates
+# so that form_token() can bind tokens to the current session.
+_form_token_session_id: str = ""
+
+
+def set_form_token_session_id(session_id: str) -> None:
+    """Set the session ID used by form_token() for CSRF session binding."""
+    global _form_token_session_id
+    _form_token_session_id = session_id or ""
+
+
 # ── Frond Engine ────────────────────────────────────────────────
 
 

{tina4_python-3.9.0 → tina4_python-3.9.2}/tina4_python/query_builder/__init__.py

@@ -257,6 +257,152 @@ class QueryBuilder:
         """
         return self.count() > 0
 
+    def to_mongo(self) -> dict:
+        """Convert the fluent builder state into a MongoDB-compatible query.
+
+        Returns:
+            A dict with keys: filter, projection, sort, limit, skip.
+            Only non-empty keys are included.
+        """
+        result = {}
+
+        # -- projection --
+        if self._columns != ["*"]:
+            result["projection"] = {col.strip(): 1 for col in self._columns}
+
+        # -- filter --
+        if self._wheres:
+            param_index = 0
+            and_conditions = []
+            or_conditions = []
+
+            for i, (connector, condition) in enumerate(self._wheres):
+                mongo_cond, param_index = self._parse_condition_to_mongo(
+                    condition, param_index
+                )
+                if i == 0 or connector == "AND":
+                    and_conditions.append(mongo_cond)
+                else:
+                    or_conditions.append(mongo_cond)
+
+            if or_conditions:
+                # Merge AND conditions into a single dict, then $or with OR ones
+                and_merged = self._merge_mongo_conditions(and_conditions)
+                all_branches = [and_merged] + or_conditions
+                result["filter"] = {"$or": all_branches}
+            else:
+                result["filter"] = self._merge_mongo_conditions(and_conditions)
+
+        # -- sort --
+        if self._order_by_cols:
+            sort_list = []
+            for expr in self._order_by_cols:
+                parts = expr.strip().split()
+                field = parts[0]
+                direction = -1 if len(parts) > 1 and parts[1].upper() == "DESC" else 1
+                sort_list.append((field, direction))
+            result["sort"] = sort_list
+
+        # -- limit / skip --
+        if self._limit_val is not None:
+            result["limit"] = self._limit_val
+        if self._offset_val is not None:
+            result["skip"] = self._offset_val
+
+        return result
+
+    def _parse_condition_to_mongo(self, condition: str, param_index: int) -> tuple[dict, int]:
+        """Parse a single SQL condition string into a MongoDB filter dict.
+
+        Returns:
+            (mongo_filter_dict, updated_param_index)
+        """
+        import re
+
+        cond = condition.strip()
+
+        # IS NOT NULL
+        match = re.match(r"^(\w+)\s+IS\s+NOT\s+NULL$", cond, re.IGNORECASE)
+        if match:
+            return {match.group(1): {"$exists": True, "$ne": None}}, param_index
+
+        # IS NULL
+        match = re.match(r"^(\w+)\s+IS\s+NULL$", cond, re.IGNORECASE)
+        if match:
+            return {match.group(1): {"$exists": False}}, param_index
+
+        # NOT IN
+        match = re.match(r"^(\w+)\s+NOT\s+IN\s*\(\s*\?\s*\)$", cond, re.IGNORECASE)
+        if match:
+            val = self._params[param_index] if param_index < len(self._params) else []
+            values = val if isinstance(val, list) else [val]
+            return {match.group(1): {"$nin": values}}, param_index + 1
+
+        # IN
+        match = re.match(r"^(\w+)\s+IN\s*\(\s*\?\s*\)$", cond, re.IGNORECASE)
+        if match:
+            val = self._params[param_index] if param_index < len(self._params) else []
+            values = val if isinstance(val, list) else [val]
+            return {match.group(1): {"$in": values}}, param_index + 1
+
+        # LIKE
+        match = re.match(r"^(\w+)\s+LIKE\s+\?$", cond, re.IGNORECASE)
+        if match:
+            val = self._params[param_index] if param_index < len(self._params) else ""
+            # Convert SQL LIKE pattern to regex: % -> .*, _ -> .
+            pattern = str(val).replace("%", ".*").replace("_", ".")
+            return {match.group(1): {"$regex": pattern, "$options": "i"}}, param_index + 1
+
+        # Comparison operators: >=, <=, <>, !=, >, <, =
+        match = re.match(r"^(\w+)\s*(>=|<=|<>|!=|>|<|=)\s*\?$", cond)
+        if match:
+            field = match.group(1)
+            op = match.group(2)
+            val = self._params[param_index] if param_index < len(self._params) else None
+            op_map = {
+                "=": None,
+                "!=": "$ne",
+                "<>": "$ne",
+                ">": "$gt",
+                ">=": "$gte",
+                "<": "$lt",
+                "<=": "$lte",
+            }
+            mongo_op = op_map.get(op)
+            if mongo_op is None:
+                return {field: val}, param_index + 1
+            return {field: {mongo_op: val}}, param_index + 1
+
+        # Fallback: return condition as-is in $where (raw JS expression)
+        return {"$where": cond}, param_index
+
+    @staticmethod
+    def _merge_mongo_conditions(conditions: list[dict]) -> dict:
+        """Merge a list of single-field mongo condition dicts into one dict.
+
+        If the same field appears in multiple conditions, wraps them in $and.
+        """
+        if len(conditions) == 1:
+            return conditions[0]
+
+        merged = {}
+        conflicts = []
+        for cond in conditions:
+            for key, val in cond.items():
+                if key in merged:
+                    conflicts.append(cond)
+                    break
+                else:
+                    merged[key] = val
+            else:
+                continue
+            # If we broke out due to conflict, don't add to merged
+            pass
+
+        if conflicts:
+            return {"$and": conditions}
+        return merged
+
     # -- Private helpers --
 
     def _build_where(self) -> str: