turboapi 0.3.23__cp314-cp314-win_amd64.whl → 0.3.28__cp314-cp314-win_amd64.whl

turboapi/async_pool.py

@@ -0,0 +1,141 @@
+"""
+Per-thread asyncio event loop management for Python 3.13+ free-threading.
+
+This module provides thread-local event loop management to enable true
+parallel execution of async handlers across multiple threads.
+"""
+
+import asyncio
+import threading
+from typing import Dict, Optional
+import sys
+
+
+class EventLoopPool:
+    """
+    Manages per-thread asyncio event loops for parallel async execution.
+    
+    In Python 3.13+ with free-threading, we can run multiple event loops
+    in parallel across different threads without GIL contention.
+    """
+    
+    _loops: Dict[int, asyncio.AbstractEventLoop] = {}
+    _lock = threading.Lock()
+    _initialized = False
+    
+    @classmethod
+    def initialize(cls, num_threads: Optional[int] = None) -> None:
+        """
+        Initialize the event loop pool with the specified number of threads.
+        
+        Args:
+            num_threads: Number of threads to create event loops for.
+                        If None, uses number of CPU cores.
+        """
+        if cls._initialized:
+            return
+        
+        with cls._lock:
+            if cls._initialized:
+                return
+            
+            if num_threads is None:
+                import os
+                num_threads = os.cpu_count() or 4
+            
+            print(f"🔄 Initializing EventLoopPool with {num_threads} threads")
+            cls._initialized = True
+    
+    @classmethod
+    def get_loop_for_thread(cls) -> asyncio.AbstractEventLoop:
+        """
+        Get or create an event loop for the current thread.
+        
+        Returns:
+            The event loop for the current thread.
+        """
+        thread_id = threading.get_ident()
+        
+        # Fast path: loop already exists
+        if thread_id in cls._loops:
+            return cls._loops[thread_id]
+        
+        # Slow path: create new loop
+        with cls._lock:
+            # Double-check after acquiring lock
+            if thread_id in cls._loops:
+                return cls._loops[thread_id]
+            
+            # Create new event loop for this thread
+            loop = asyncio.new_event_loop()
+            asyncio.set_event_loop(loop)
+            cls._loops[thread_id] = loop
+            
+            print(f"✅ Created event loop for thread {thread_id}")
+            return loop
+    
+    @classmethod
+    def get_running_loop(cls) -> Optional[asyncio.AbstractEventLoop]:
+        """
+        Get the running event loop for the current thread, if any.
+        
+        Returns:
+            The running event loop, or None if no loop is running.
+        """
+        try:
+            return asyncio.get_running_loop()
+        except RuntimeError:
+            return None
+    
+    @classmethod
+    def cleanup(cls) -> None:
+        """Clean up all event loops (call on shutdown)."""
+        with cls._lock:
+            for thread_id, loop in cls._loops.items():
+                if loop.is_running():
+                    loop.stop()
+                loop.close()
+            cls._loops.clear()
+            cls._initialized = False
+    
+    @classmethod
+    def stats(cls) -> Dict[str, int]:
+        """Get statistics about the event loop pool."""
+        with cls._lock:
+            return {
+                "total_loops": len(cls._loops),
+                "active_threads": len([l for l in cls._loops.values() if l.is_running()]),
+            }
+
+
+def ensure_event_loop() -> asyncio.AbstractEventLoop:
+    """
+    Ensure an event loop exists for the current thread.
+    
+    This is the primary function to call from Rust to get an event loop.
+    
+    Returns:
+        The event loop for the current thread.
+    """
+    # Try to get running loop first (fast path)
+    try:
+        return asyncio.get_running_loop()
+    except RuntimeError:
+        pass
+    
+    # Get or create thread-local loop
+    return EventLoopPool.get_loop_for_thread()
+
+
+# Python 3.13+ free-threading detection
+def is_free_threading_enabled() -> bool:
+    """Check if Python 3.13+ free-threading is enabled."""
+    return hasattr(sys, '_is_gil_enabled') and not sys._is_gil_enabled()
+
+
+# Initialize on import
+if is_free_threading_enabled():
+    print("🚀 Python 3.13+ free-threading detected - enabling parallel event loops!")
+    EventLoopPool.initialize()
+else:
+    print("⚠️  Free-threading not enabled - async performance may be limited")

turboapi/middleware.py

@@ -1,7 +1,19 @@
 """
-Middleware system for TurboAPI.
+FastAPI-compatible Middleware system for TurboAPI.
+
+Includes:
+- CORS (Cross-Origin Resource Sharing)
+- Trusted Host (HTTP Host Header attack prevention)
+- GZip Compression
+- HTTPS Redirect
+- Session Management
+- Custom Middleware Support
 """
 
+from typing import List, Optional, Callable, Awaitable, Pattern
+import gzip
+import re
+import time
 from .models import Request, Response
 
 
@@ -25,40 +37,306 @@ class Middleware:
 
 
 class CORSMiddleware(Middleware):
-    """CORS middleware."""
+    """
+    CORS (Cross-Origin Resource Sharing) middleware.
+    
+    FastAPI-compatible implementation.
+    
+    Usage:
+        app.add_middleware(
+            CORSMiddleware,
+            allow_origins=["http://localhost:8080"],
+            allow_credentials=True,
+            allow_methods=["*"],
+            allow_headers=["*"],
+        )
+    """
 
     def __init__(
         self,
-        allow_origins: list = None,
-        allow_methods: list = None,
-        allow_headers: list = None,
-        allow_credentials: bool = False
+        allow_origins: List[str] = None,
+        allow_methods: List[str] = None,
+        allow_headers: List[str] = None,
+        allow_credentials: bool = False,
+        allow_origin_regex: Optional[str] = None,
+        expose_headers: List[str] = None,
+        max_age: int = 600,
     ):
         self.allow_origins = allow_origins or ["*"]
-        self.allow_methods = allow_methods or ["GET", "POST", "PUT", "DELETE", "OPTIONS"]
+        self.allow_methods = allow_methods or ["GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH", "HEAD"]
         self.allow_headers = allow_headers or ["*"]
         self.allow_credentials = allow_credentials
+        self.allow_origin_regex = re.compile(allow_origin_regex) if allow_origin_regex else None
+        self.expose_headers = expose_headers or []
+        self.max_age = max_age
+
+    def before_request(self, request: Request) -> None:
+        """Handle preflight OPTIONS requests."""
+        if request.method == "OPTIONS":
+            # Preflight request
+            pass
 
     def after_request(self, request: Request, response: Response) -> Response:
         """Add CORS headers to response."""
-        response.set_header("Access-Control-Allow-Origin", ",".join(self.allow_origins))
-        response.set_header("Access-Control-Allow-Methods", ",".join(self.allow_methods))
-        response.set_header("Access-Control-Allow-Headers", ",".join(self.allow_headers))
-
+        origin = request.headers.get("origin", "")
+        
+        # Check if origin is allowed
+        if self.allow_origin_regex and self.allow_origin_regex.match(origin):
+            response.set_header("Access-Control-Allow-Origin", origin)
+        elif "*" in self.allow_origins:
+            response.set_header("Access-Control-Allow-Origin", "*")
+        elif origin in self.allow_origins:
+            response.set_header("Access-Control-Allow-Origin", origin)
+        
+        response.set_header("Access-Control-Allow-Methods", ", ".join(self.allow_methods))
+        response.set_header("Access-Control-Allow-Headers", ", ".join(self.allow_headers))
+        
+        if self.expose_headers:
+            response.set_header("Access-Control-Expose-Headers", ", ".join(self.expose_headers))
+        
         if self.allow_credentials:
             response.set_header("Access-Control-Allow-Credentials", "true")
+        
+        response.set_header("Access-Control-Max-Age", str(self.max_age))
+        
+        return response
 
+
+class TrustedHostMiddleware(Middleware):
+    """
+    Trusted Host middleware - prevents HTTP Host Header attacks.
+    
+    FastAPI-compatible implementation.
+    
+    Usage:
+        app.add_middleware(
+            TrustedHostMiddleware,
+            allowed_hosts=["example.com", "*.example.com"]
+        )
+    """
+    
+    def __init__(
+        self,
+        allowed_hosts: List[str] = None,
+        www_redirect: bool = True,
+    ):
+        if allowed_hosts is None:
+            allowed_hosts = ["*"]
+        
+        self.allowed_hosts = allowed_hosts
+        self.www_redirect = www_redirect
+        
+        # Compile regex patterns for wildcard hosts
+        self.allowed_host_patterns = []
+        for host in allowed_hosts:
+            if host == "*":
+                self.allowed_host_patterns.append(re.compile(".*"))
+            else:
+                # Convert wildcard to regex
+                pattern = host.replace(".", r"\.").replace("*", ".*")
+                self.allowed_host_patterns.append(re.compile(f"^{pattern}$"))
+    
+    def before_request(self, request: Request) -> None:
+        """Validate Host header."""
+        host = request.headers.get("host", "").split(":")[0]
+        
+        # Check if host is allowed
+        if not any(pattern.match(host) for pattern in self.allowed_host_patterns):
+            raise Exception(f"Invalid host header: {host}")
+
+
+class GZipMiddleware(Middleware):
+    """
+    GZip compression middleware.
+    
+    FastAPI-compatible implementation.
+    
+    Usage:
+        app.add_middleware(GZipMiddleware, minimum_size=1000)
+    """
+    
+    def __init__(
+        self,
+        minimum_size: int = 500,
+        compresslevel: int = 9,
+    ):
+        self.minimum_size = minimum_size
+        self.compresslevel = compresslevel
+    
+    def after_request(self, request: Request, response: Response) -> Response:
+        """Compress response if client accepts gzip."""
+        accept_encoding = request.headers.get("accept-encoding", "")
+        
+        if "gzip" not in accept_encoding.lower():
+            return response
+        
+        # Check if response is large enough to compress
+        if hasattr(response, 'content'):
+            content = response.content
+            if isinstance(content, str):
+                content = content.encode('utf-8')
+            
+            if len(content) < self.minimum_size:
+                return response
+            
+            # Compress content
+            compressed = gzip.compress(content, compresslevel=self.compresslevel)
+            response.content = compressed
+            response.set_header("Content-Encoding", "gzip")
+            response.set_header("Content-Length", str(len(compressed)))
+            response.set_header("Vary", "Accept-Encoding")
+        
         return response
 
 
+class HTTPSRedirectMiddleware(Middleware):
+    """
+    HTTPS redirect middleware - redirects HTTP to HTTPS.
+    
+    FastAPI-compatible implementation.
+    
+    Usage:
+        app.add_middleware(HTTPSRedirectMiddleware)
+    """
+    
+    def before_request(self, request: Request) -> None:
+        """Redirect HTTP to HTTPS."""
+        # Check if request is HTTP
+        scheme = request.headers.get("x-forwarded-proto", "http")
+        if scheme == "http":
+            # Redirect to HTTPS
+            https_url = f"https://{request.headers.get('host', '')}{request.path}"
+            if request.query_string:
+                https_url += f"?{request.query_string}"
+            
+            raise HTTPSRedirect(https_url)
+
+
+class HTTPSRedirect(Exception):
+    """Exception to trigger HTTPS redirect."""
+    def __init__(self, url: str):
+        self.url = url
+
+
+class SessionMiddleware(Middleware):
+    """
+    Session management middleware.
+    
+    Usage:
+        app.add_middleware(
+            SessionMiddleware,
+            secret_key="your-secret-key-here",
+            session_cookie="session"
+        )
+    """
+    
+    def __init__(
+        self,
+        secret_key: str,
+        session_cookie: str = "session",
+        max_age: int = 14 * 24 * 60 * 60,  # 14 days
+        same_site: str = "lax",
+        https_only: bool = False,
+    ):
+        self.secret_key = secret_key
+        self.session_cookie = session_cookie
+        self.max_age = max_age
+        self.same_site = same_site
+        self.https_only = https_only
+    
+    def before_request(self, request: Request) -> None:
+        """Load session from cookie."""
+        # TODO: Implement session loading
+        request.session = {}
+    
+    def after_request(self, request: Request, response: Response) -> Response:
+        """Save session to cookie."""
+        # TODO: Implement session saving
+        return response
+
+
+class RateLimitMiddleware(Middleware):
+    """
+    Rate limiting middleware.
+    
+    Usage:
+        app.add_middleware(
+            RateLimitMiddleware,
+            requests_per_minute=60
+        )
+    """
+    
+    def __init__(
+        self,
+        requests_per_minute: int = 60,
+        burst: int = 10,
+    ):
+        self.requests_per_minute = requests_per_minute
+        self.burst = burst
+        self.requests = {}  # IP -> [(timestamp, count)]
+    
+    def before_request(self, request: Request) -> None:
+        """Check rate limit."""
+        client_ip = request.headers.get("x-forwarded-for", "unknown").split(",")[0].strip()
+        now = time.time()
+        
+        # Clean old requests
+        if client_ip in self.requests:
+            self.requests[client_ip] = [
+                (ts, count) for ts, count in self.requests[client_ip]
+                if now - ts < 60
+            ]
+        
+        # Count requests in last minute
+        if client_ip not in self.requests:
+            self.requests[client_ip] = []
+        
+        request_count = sum(count for _, count in self.requests[client_ip])
+        
+        if request_count >= self.requests_per_minute:
+            raise Exception("Rate limit exceeded")
+        
+        # Add this request
+        self.requests[client_ip].append((now, 1))
+
+
 class LoggingMiddleware(Middleware):
-    """Request logging middleware."""
+    """
+    Request logging middleware.
+    
+    Usage:
+        app.add_middleware(LoggingMiddleware)
+    """
 
     def before_request(self, request: Request) -> None:
         """Log incoming request."""
+        request._start_time = time.time()
         print(f"[REQUEST] {request.method} {request.path}")
 
     def after_request(self, request: Request, response: Response) -> Response:
-        """Log response."""
-        print(f"[RESPONSE] {request.method} {request.path} -> {response.status_code}")
+        """Log response with timing."""
+        duration = time.time() - getattr(request, '_start_time', time.time())
+        print(f"[RESPONSE] {request.method} {request.path} -> {response.status_code} ({duration*1000:.2f}ms)")
         return response
+
+
+class CustomMiddleware(Middleware):
+    """
+    Custom middleware wrapper for function-based middleware.
+    
+    Usage:
+        @app.middleware("http")
+        async def add_process_time_header(request, call_next):
+            start_time = time.time()
+            response = await call_next(request)
+            process_time = time.time() - start_time
+            response.headers["X-Process-Time"] = str(process_time)
+            return response
+    """
+    
+    def __init__(self, func: Callable):
+        self.func = func
+    
+    async def __call__(self, request: Request, call_next: Callable) -> Response:
+        """Execute custom middleware function."""
+        return await self.func(request, call_next)

turboapi/request_handler.py

@@ -191,38 +191,37 @@ def create_enhanced_handler(original_handler, route_definition):
             # Filter kwargs to only pass expected parameters
             filtered_kwargs = {
                 k: v for k, v in kwargs.items() 
+                if k in sig.parameters
             }
             
             # Call original handler
-            # v0.3.21: Async handlers are now supported via Rust's tokio runtime!
-            # The Rust layer (server.rs) will detect coroutines and await them properly
-            # using pyo3-async-runtimes, giving us native async performance
-            result = original_handler(**filtered_kwargs)
-            
-            # Check if result is a coroutine - if so, return it directly for Rust to await
-            import inspect
-            if inspect.iscoroutine(result):
-                # Return coroutine directly - Rust will await it using tokio
-                return result
+            if inspect.iscoroutinefunction(original_handler):
+                # For async handlers (future support)
+                result = original_handler(**filtered_kwargs)
+            else:
+                result = original_handler(**filtered_kwargs)
             
-            # Sync result - normalize and return as JSON string
+            # Normalize response
             content, status_code = ResponseHandler.normalize_response(result)
             
-            # Return JSON string directly for Rust to use
-            import json
-            return json.dumps(content)
+            return ResponseHandler.format_json_response(content, status_code)
+            
         except ValueError as e:
             # Validation or parsing error (400 Bad Request)
-            import json
-            return json.dumps({"error": "Bad Request", "detail": str(e)})
+            return ResponseHandler.format_json_response(
+                {"error": "Bad Request", "detail": str(e)},
+                400
+            )
         except Exception as e:
             # Unexpected error (500 Internal Server Error)
             import traceback
-            import json
-            return json.dumps({
-                "error": "Internal Server Error",
-                "detail": str(e),
-                "traceback": traceback.format_exc()
-            })
+            return ResponseHandler.format_json_response(
+                {
+                    "error": "Internal Server Error",
+                    "detail": str(e),
+                    "traceback": traceback.format_exc()
+                },
+                500
+            )
     
     return enhanced_handler

turboapi/rust_integration.py

@@ -12,7 +12,7 @@ from .request_handler import create_enhanced_handler, ResponseHandler
 from .version_check import CHECK_MARK, CROSS_MARK, ROCKET
 
 try:
-    from turboapi import _rust as turbonet
+    import turbonet
     RUST_CORE_AVAILABLE = True
 except ImportError:
     RUST_CORE_AVAILABLE = False
@@ -175,6 +175,7 @@ class RustIntegratedTurboAPI(TurboAPI):
                             
                             # Add query parameters
                             call_args.update(query_params)
+                            
                             # Always add body and headers for enhanced handler
                             call_args['body'] = body if body else b''
                             call_args['headers'] = headers
@@ -186,7 +187,7 @@ class RustIntegratedTurboAPI(TurboAPI):
                             # {"content": ..., "status_code": ..., "content_type": ...}
                             # But Rust expects a plain dict that it will JSON serialize
                             # So just return the content directly
-                            if isinstance(result, dict) and 'content' in result:
+                            if isinstance(result, dict) and 'content' in result and 'status_code' in result:
                                 # Return just the content - Rust will handle status codes later
                                 # For now, just return the content as a dict
                                 return result['content']
@@ -205,15 +206,13 @@ class RustIntegratedTurboAPI(TurboAPI):
 
                     return rust_handler  # noqa: B023
 
-                # Create and register the handler
-                handler_func = create_rust_handler(enhanced_handler, route)
-                rust_handler = handler_func
-
-                # Register with Rust server
+                # Register the ORIGINAL handler directly with Rust
+                # Rust will call it with call0() (no arguments)
+                # The original handler doesn't expect any arguments
                 self.rust_server.add_route(
                     route.method.value,
                     route.path,
-                    rust_handler
+                    route.handler  # Pass original handler, not wrapper!
                 )
 
                 print(f"{CHECK_MARK} Registered {route.method.value} {route.path} with Rust server")

turboapi/security.py

@@ -0,0 +1,542 @@
+"""
+FastAPI-compatible Security and Authentication for TurboAPI.
+
+Includes:
+- OAuth2 (Password Bearer, Authorization Code)
+- HTTP Basic Authentication
+- HTTP Bearer Authentication  
+- API Key Authentication (Header, Query, Cookie)
+- Security scopes and dependencies
+"""
+
+from typing import Optional, List, Dict, Any, Callable
+from dataclasses import dataclass
+import secrets
+import base64
+
+
+# ============================================================================
+# Base Security Classes
+# ============================================================================
+
+class SecurityBase:
+    """Base class for all security schemes."""
+    
+    def __init__(self, *, scheme_name: Optional[str] = None, auto_error: bool = True):
+        self.scheme_name = scheme_name
+        self.auto_error = auto_error
+
+
+# ============================================================================
+# OAuth2 Authentication
+# ============================================================================
+
+class OAuth2PasswordBearer(SecurityBase):
+    """
+    OAuth2 password bearer token authentication.
+    
+    Usage:
+        oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token")
+        
+        @app.get("/users/me")
+        async def get_user(token: str = Depends(oauth2_scheme)):
+            return {"token": token}
+    """
+    
+    def __init__(
+        self,
+        tokenUrl: str,
+        scheme_name: Optional[str] = None,
+        scopes: Optional[Dict[str, str]] = None,
+        description: Optional[str] = None,
+        auto_error: bool = True,
+    ):
+        super().__init__(scheme_name=scheme_name, auto_error=auto_error)
+        self.tokenUrl = tokenUrl
+        self.scopes = scopes or {}
+        self.description = description
+        self.model = {
+            "type": "oauth2",
+            "flows": {
+                "password": {
+                    "tokenUrl": tokenUrl,
+                    "scopes": self.scopes,
+                }
+            },
+        }
+    
+    def __call__(self, authorization: Optional[str] = None) -> Optional[str]:
+        """Extract token from Authorization header."""
+        if not authorization:
+            if self.auto_error:
+                raise HTTPException(
+                    status_code=401,
+                    detail="Not authenticated",
+                    headers={"WWW-Authenticate": "Bearer"},
+                )
+            return None
+        
+        scheme, _, token = authorization.partition(" ")
+        if scheme.lower() != "bearer":
+            if self.auto_error:
+                raise HTTPException(
+                    status_code=401,
+                    detail="Invalid authentication credentials",
+                    headers={"WWW-Authenticate": "Bearer"},
+                )
+            return None
+        
+        return token
+
+
+@dataclass
+class OAuth2PasswordRequestForm:
+    """
+    OAuth2 password request form data.
+    
+    Automatically parses form data for OAuth2 password flow.
+    """
+    username: str
+    password: str
+    scope: str = ""
+    grant_type: Optional[str] = "password"
+    client_id: Optional[str] = None
+    client_secret: Optional[str] = None
+
+
+class OAuth2AuthorizationCodeBearer(SecurityBase):
+    """
+    OAuth2 authorization code flow with bearer token.
+    
+    Usage:
+        oauth2_scheme = OAuth2AuthorizationCodeBearer(
+            authorizationUrl="https://example.com/oauth/authorize",
+            tokenUrl="https://example.com/oauth/token"
+        )
+    """
+    
+    def __init__(
+        self,
+        authorizationUrl: str,
+        tokenUrl: str,
+        refreshUrl: Optional[str] = None,
+        scheme_name: Optional[str] = None,
+        scopes: Optional[Dict[str, str]] = None,
+        description: Optional[str] = None,
+        auto_error: bool = True,
+    ):
+        super().__init__(scheme_name=scheme_name, auto_error=auto_error)
+        self.authorizationUrl = authorizationUrl
+        self.tokenUrl = tokenUrl
+        self.refreshUrl = refreshUrl
+        self.scopes = scopes or {}
+        self.description = description
+        self.model = {
+            "type": "oauth2",
+            "flows": {
+                "authorizationCode": {
+                    "authorizationUrl": authorizationUrl,
+                    "tokenUrl": tokenUrl,
+                    "refreshUrl": refreshUrl,
+                    "scopes": self.scopes,
+                }
+            },
+        }
+    
+    def __call__(self, authorization: Optional[str] = None) -> Optional[str]:
+        """Extract token from Authorization header."""
+        if not authorization:
+            if self.auto_error:
+                raise HTTPException(
+                    status_code=401,
+                    detail="Not authenticated",
+                    headers={"WWW-Authenticate": "Bearer"},
+                )
+            return None
+        
+        scheme, _, token = authorization.partition(" ")
+        if scheme.lower() != "bearer":
+            if self.auto_error:
+                raise HTTPException(
+                    status_code=401,
+                    detail="Invalid authentication credentials",
+                    headers={"WWW-Authenticate": "Bearer"},
+                )
+            return None
+        
+        return token
+
+
+# ============================================================================
+# HTTP Basic Authentication
+# ============================================================================
+
+@dataclass
+class HTTPBasicCredentials:
+    """HTTP Basic authentication credentials."""
+    username: str
+    password: str
+
+
+class HTTPBasic(SecurityBase):
+    """
+    HTTP Basic authentication.
+    
+    Usage:
+        security = HTTPBasic()
+        
+        @app.get("/users/me")
+        def get_user(credentials: HTTPBasicCredentials = Depends(security)):
+            return {"username": credentials.username}
+    """
+    
+    def __init__(
+        self,
+        *,
+        scheme_name: Optional[str] = None,
+        realm: Optional[str] = None,
+        auto_error: bool = True,
+    ):
+        super().__init__(scheme_name=scheme_name, auto_error=auto_error)
+        self.realm = realm
+        self.model = {"type": "http", "scheme": "basic"}
+    
+    def __call__(self, authorization: Optional[str] = None) -> Optional[HTTPBasicCredentials]:
+        """Extract and decode Basic auth credentials."""
+        if not authorization:
+            if self.auto_error:
+                raise HTTPException(
+                    status_code=401,
+                    detail="Not authenticated",
+                    headers={"WWW-Authenticate": f'Basic realm="{self.realm}"' if self.realm else "Basic"},
+                )
+            return None
+        
+        scheme, _, credentials = authorization.partition(" ")
+        if scheme.lower() != "basic":
+            if self.auto_error:
+                raise HTTPException(
+                    status_code=401,
+                    detail="Invalid authentication credentials",
+                    headers={"WWW-Authenticate": f'Basic realm="{self.realm}"' if self.realm else "Basic"},
+                )
+            return None
+        
+        try:
+            decoded = base64.b64decode(credentials).decode("utf-8")
+            username, _, password = decoded.partition(":")
+            return HTTPBasicCredentials(username=username, password=password)
+        except Exception:
+            if self.auto_error:
+                raise HTTPException(
+                    status_code=401,
+                    detail="Invalid authentication credentials",
+                    headers={"WWW-Authenticate": f'Basic realm="{self.realm}"' if self.realm else "Basic"},
+                )
+            return None
+
+
+# ============================================================================
+# HTTP Bearer Authentication
+# ============================================================================
+
+@dataclass
+class HTTPAuthorizationCredentials:
+    """HTTP authorization credentials."""
+    scheme: str
+    credentials: str
+
+
+class HTTPBearer(SecurityBase):
+    """
+    HTTP Bearer token authentication.
+    
+    Usage:
+        security = HTTPBearer()
+        
+        @app.get("/users/me")
+        def get_user(credentials: HTTPAuthorizationCredentials = Depends(security)):
+            return {"token": credentials.credentials}
+    """
+    
+    def __init__(
+        self,
+        *,
+        scheme_name: Optional[str] = None,
+        auto_error: bool = True,
+    ):
+        super().__init__(scheme_name=scheme_name, auto_error=auto_error)
+        self.model = {"type": "http", "scheme": "bearer"}
+    
+    def __call__(self, authorization: Optional[str] = None) -> Optional[HTTPAuthorizationCredentials]:
+        """Extract Bearer token."""
+        if not authorization:
+            if self.auto_error:
+                raise HTTPException(
+                    status_code=401,
+                    detail="Not authenticated",
+                    headers={"WWW-Authenticate": "Bearer"},
+                )
+            return None
+        
+        scheme, _, credentials = authorization.partition(" ")
+        if scheme.lower() != "bearer":
+            if self.auto_error:
+                raise HTTPException(
+                    status_code=401,
+                    detail="Invalid authentication credentials",
+                    headers={"WWW-Authenticate": "Bearer"},
+                )
+            return None
+        
+        return HTTPAuthorizationCredentials(scheme=scheme, credentials=credentials)
+
+
+class HTTPDigest(SecurityBase):
+    """
+    HTTP Digest authentication.
+    
+    Usage:
+        security = HTTPDigest()
+    """
+    
+    def __init__(
+        self,
+        *,
+        scheme_name: Optional[str] = None,
+        auto_error: bool = True,
+    ):
+        super().__init__(scheme_name=scheme_name, auto_error=auto_error)
+        self.model = {"type": "http", "scheme": "digest"}
+
+
+# ============================================================================
+# API Key Authentication
+# ============================================================================
+
+class APIKeyBase(SecurityBase):
+    """Base class for API key authentication."""
+    
+    def __init__(
+        self,
+        *,
+        name: str,
+        scheme_name: Optional[str] = None,
+        description: Optional[str] = None,
+        auto_error: bool = True,
+    ):
+        super().__init__(scheme_name=scheme_name, auto_error=auto_error)
+        self.name = name
+        self.description = description
+
+
+class APIKeyQuery(APIKeyBase):
+    """
+    API Key authentication via query parameter.
+    
+    Usage:
+        api_key = APIKeyQuery(name="api_key")
+        
+        @app.get("/items")
+        def get_items(key: str = Depends(api_key)):
+            return {"api_key": key}
+    """
+    
+    def __init__(
+        self,
+        *,
+        name: str,
+        scheme_name: Optional[str] = None,
+        description: Optional[str] = None,
+        auto_error: bool = True,
+    ):
+        super().__init__(
+            name=name,
+            scheme_name=scheme_name,
+            description=description,
+            auto_error=auto_error,
+        )
+        self.model = {"type": "apiKey", "in": "query", "name": name}
+    
+    def __call__(self, query_params: Optional[Dict[str, str]] = None) -> Optional[str]:
+        """Extract API key from query parameters."""
+        if not query_params or self.name not in query_params:
+            if self.auto_error:
+                raise HTTPException(
+                    status_code=403,
+                    detail="Not authenticated",
+                )
+            return None
+        return query_params[self.name]
+
+
+class APIKeyHeader(APIKeyBase):
+    """
+    API Key authentication via HTTP header.
+    
+    Usage:
+        api_key = APIKeyHeader(name="X-API-Key")
+        
+        @app.get("/items")
+        def get_items(key: str = Depends(api_key)):
+            return {"api_key": key}
+    """
+    
+    def __init__(
+        self,
+        *,
+        name: str,
+        scheme_name: Optional[str] = None,
+        description: Optional[str] = None,
+        auto_error: bool = True,
+    ):
+        super().__init__(
+            name=name,
+            scheme_name=scheme_name,
+            description=description,
+            auto_error=auto_error,
+        )
+        self.model = {"type": "apiKey", "in": "header", "name": name}
+    
+    def __call__(self, headers: Optional[Dict[str, str]] = None) -> Optional[str]:
+        """Extract API key from headers."""
+        if not headers or self.name.lower() not in {k.lower(): v for k, v in headers.items()}:
+            if self.auto_error:
+                raise HTTPException(
+                    status_code=403,
+                    detail="Not authenticated",
+                )
+            return None
+        
+        # Case-insensitive header lookup
+        for key, value in headers.items():
+            if key.lower() == self.name.lower():
+                return value
+        return None
+
+
+class APIKeyCookie(APIKeyBase):
+    """
+    API Key authentication via HTTP cookie.
+    
+    Usage:
+        api_key = APIKeyCookie(name="session")
+        
+        @app.get("/items")
+        def get_items(key: str = Depends(api_key)):
+            return {"session": key}
+    """
+    
+    def __init__(
+        self,
+        *,
+        name: str,
+        scheme_name: Optional[str] = None,
+        description: Optional[str] = None,
+        auto_error: bool = True,
+    ):
+        super().__init__(
+            name=name,
+            scheme_name=scheme_name,
+            description=description,
+            auto_error=auto_error,
+        )
+        self.model = {"type": "apiKey", "in": "cookie", "name": name}
+    
+    def __call__(self, cookies: Optional[Dict[str, str]] = None) -> Optional[str]:
+        """Extract API key from cookies."""
+        if not cookies or self.name not in cookies:
+            if self.auto_error:
+                raise HTTPException(
+                    status_code=403,
+                    detail="Not authenticated",
+                )
+            return None
+        return cookies[self.name]
+
+
+# ============================================================================
+# Security Scopes
+# ============================================================================
+
+class SecurityScopes:
+    """
+    Security scopes for OAuth2 and other scope-based auth.
+    
+    Usage:
+        def get_current_user(
+            security_scopes: SecurityScopes,
+            token: str = Depends(oauth2_scheme)
+        ):
+            if security_scopes.scopes:
+                authenticate_value = f'Bearer scope="{security_scopes.scope_str}"'
+            else:
+                authenticate_value = "Bearer"
+            # Validate token and scopes...
+    """
+    
+    def __init__(self, scopes: Optional[List[str]] = None):
+        self.scopes = scopes or []
+        self.scope_str = " ".join(self.scopes)
+
+
+# ============================================================================
+# Helper Functions
+# ============================================================================
+
+class HTTPException(Exception):
+    """HTTP exception for authentication errors."""
+    
+    def __init__(
+        self,
+        status_code: int,
+        detail: Any = None,
+        headers: Optional[Dict[str, str]] = None,
+    ):
+        self.status_code = status_code
+        self.detail = detail
+        self.headers = headers
+
+
+def verify_password(plain_password: str, hashed_password: str) -> bool:
+    """
+    Verify a password against a hash.
+    
+    Note: This is a placeholder. Use a proper password hashing library like:
+    - passlib with bcrypt
+    - argon2-cffi
+    """
+    # TODO: Implement with proper password hashing
+    return secrets.compare_digest(plain_password, hashed_password)
+
+
+def get_password_hash(password: str) -> str:
+    """
+    Hash a password.
+    
+    Note: This is a placeholder. Use a proper password hashing library.
+    """
+    # TODO: Implement with proper password hashing
+    return password  # INSECURE - just for demo!
+
+
+# ============================================================================
+# Dependency Injection Helper
+# ============================================================================
+
+class Depends:
+    """
+    Dependency injection marker (compatible with FastAPI).
+    
+    Usage:
+        def get_current_user(token: str = Depends(oauth2_scheme)):
+            return decode_token(token)
+        
+        @app.get("/users/me")
+        def read_users_me(user = Depends(get_current_user)):
+            return user
+    """
+    
+    def __init__(self, dependency: Optional[Callable] = None, *, use_cache: bool = True):
+        self.dependency = dependency
+        self.use_cache = use_cache

{turboapi-0.3.23.dist-info → turboapi-0.3.28.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: turboapi
-Version: 0.3.23
+Version: 0.3.28
 Classifier: Development Status :: 4 - Beta
 Classifier: Intended Audience :: Developers
 Classifier: License :: OSI Approved :: MIT License
@@ -10,7 +10,7 @@ Classifier: Programming Language :: Python :: 3.14
 Classifier: Programming Language :: Rust
 Classifier: Topic :: Internet :: WWW/HTTP :: HTTP Servers
 Classifier: Topic :: Software Development :: Libraries :: Application Frameworks
-Requires-Dist: satya>=0.3.7
+Requires-Dist: satya>=0.4.0
 Requires-Dist: pytest>=7.0.0 ; extra == 'dev'
 Requires-Dist: pytest-asyncio>=0.21.0 ; extra == 'dev'
 Requires-Dist: ruff==0.13.2 ; extra == 'dev'

turboapi-0.3.28.dist-info/RECORD

@@ -0,0 +1,16 @@
+turboapi-0.3.28.dist-info/METADATA,sha256=T1NpF_kL7xM6dTysG2jKQPVyJ85m0q2ffvCDpwCMnKs,1458
+turboapi-0.3.28.dist-info/WHEEL,sha256=tZ3VAZ5HuUzziFCJ2lDsDJnJO-xy4omAQIa7TJCFCZk,96
+turboapi/__init__.py,sha256=r9Fphtu9ruHFUhSpBMAGxY5en2wvcnsE1nMp2DDRM6w,692
+turboapi/_rust.cp314-win_amd64.pyd,sha256=MTsJQVRiTHwFalC_BI6K6l9dIqre6nYJiix7Lk3drBE,3523072
+turboapi/async_pool.py,sha256=UVm0A-0jIN4V43jY8a5XEU_L0SSyWGMV2bs5FiQGr2M,4489
+turboapi/decorators.py,sha256=jjJrIXZ3y_yJ231ar24hS09OCDtTqmYA7arpIOcr2kk,1788
+turboapi/main_app.py,sha256=mR-x-RPJn96Jtg0a313hU_2UsLQNV_xNXRtpFYWAr30,9188
+turboapi/middleware.py,sha256=iqtklH5_GMICuAmmxMBfaFSNZkR8wHSNbwhNscGe-pA,11200
+turboapi/models.py,sha256=VCU68f9MGtDdFb4crsx2e0SHghICg8zjU8OumfdpZLQ,5363
+turboapi/request_handler.py,sha256=KrN9d3r7bO8LUU68X6cXTtl3a2dCoRqmdWrjDW2V2qQ,8413
+turboapi/routing.py,sha256=iCbty56a2J9qnCtxIHQtYf66ZoKVxgISxwCxYvGmgEs,7746
+turboapi/rust_integration.py,sha256=ycA_i8kxC2Upbu7PAqC2EdjsqRw5AVkYwLvx9aTWBWc,14916
+turboapi/security.py,sha256=-XgwBhiqQZdfU7oKLHi-3xN_UwlKiQxpfSQ6kTA0ko8,17230
+turboapi/server_integration.py,sha256=drUhhTasWgQfyhFiAaHKd987N3mnE0qkMab1ylmqd4c,18340
+turboapi/version_check.py,sha256=z3O1vIJsWmG_DO271ayYWSwaDfgpFnfJzYRYyowKYMc,9625
+turboapi-0.3.28.dist-info/RECORD,,

{turboapi-0.3.23.dist-info → turboapi-0.3.28.dist-info}/WHEEL

@@ -1,4 +1,4 @@
 Wheel-Version: 1.0
-Generator: maturin (1.9.5)
+Generator: maturin (1.9.6)
 Root-Is-Purelib: false
 Tag: cp314-cp314-win_amd64

turboapi-0.3.23.dist-info/RECORD

@@ -1,33 +0,0 @@
-turboapi-0.3.23.dist-info/METADATA,sha256=VpVhmCyvdoNHS9gk-eEOkUHBrew-Phst2zTKRamNGH4,1458
-turboapi-0.3.23.dist-info/WHEEL,sha256=EiVjE0x0W7bvcwYW2YLFujJOVfmyJVkIkPLDNmxDbbI,96
-turboapi/__init__.py,sha256=r9Fphtu9ruHFUhSpBMAGxY5en2wvcnsE1nMp2DDRM6w,692
-turboapi/__pycache__/__init__.cpython-312.pyc,sha256=WGxT-5DbR5Q-z4xzZmEJQt71dI-ib_lgOs0KB8wJqX8,728
-turboapi/__pycache__/__init__.cpython-313.pyc,sha256=WvwBnRja8h3Oj0Q1NMdIBm_M3fAp25eUD7dM9h0lbeM,675
-turboapi/__pycache__/app.cpython-312.pyc,sha256=GUj7vWFw_NIVJM9rDs76CYY69gtVs8YLkIsGHhjpARM,6465
-turboapi/__pycache__/app.cpython-313.pyc,sha256=oK3djVB2jzdcl8GLsseeMSgy7dPU_fTc_vJG90IO-Gs,5892
-turboapi/__pycache__/decorators.cpython-312.pyc,sha256=s3Y5oY1vaUv8cq0L6YW_GaJLbnBKNfzKhwnnlhn5LPA,2859
-turboapi/__pycache__/decorators.cpython-313.pyc,sha256=xmwwVbH9nJAjEGft1KU1s0_jbyNkwM9j0gQx25NRE4o,2893
-turboapi/__pycache__/main_app.cpython-312.pyc,sha256=80Bgcksf_vl1FGeY981Xh33zzSBQtTfhV6ToLS6l_Ew,11819
-turboapi/__pycache__/main_app.cpython-313.pyc,sha256=LdprlqOyUg3-AIlbNozi0RzQUhqTgeiwqtjv1e6NjuM,12153
-turboapi/__pycache__/middleware.cpython-312.pyc,sha256=4jNKPjYfH1DQaS1810uxmUa_ibJ4rHyCHWWrYRSrpSc,3748
-turboapi/__pycache__/middleware.cpython-313.pyc,sha256=t5ERZ_VIIW7dsnsyCG4P01CYX5XSL3F3cIjPQLMiTng,3925
-turboapi/__pycache__/models.cpython-312.pyc,sha256=D23MQCkMlpP5xPOhMx0kat0UD2LSxxfWZX-Onz6n17E,7223
-turboapi/__pycache__/models.cpython-313.pyc,sha256=yCVUcn71_yTxLaJHtbUXwYifd8nA3nq_9KZt8y_vV6s,7356
-turboapi/__pycache__/routing.cpython-312.pyc,sha256=iYGmnOogsL8XbkGE2bP-sc5egpX8SMkBHbeZYu6Rif0,10264
-turboapi/__pycache__/routing.cpython-313.pyc,sha256=BQW1xl8UXO-pQ1u5FaoLcbQ4qW_V2dUHolHzzZ-kOjM,10554
-turboapi/__pycache__/rust_integration.cpython-312.pyc,sha256=5h-bsxlOcLcWdyYk6Ql6lh4Ql14DqY_lhr88hbBxBTY,15910
-turboapi/__pycache__/rust_integration.cpython-313.pyc,sha256=4vpl3q5yBszAV9y44XxRHcrK-KlbhgkLwzs-Rc3vNYc,15290
-turboapi/__pycache__/server_integration.cpython-313.pyc,sha256=wSqZ72Sh6iyWbIJsdfk8s9oDL9L3DJPJWnz41mDGxCY,20089
-turboapi/__pycache__/version_check.cpython-312.pyc,sha256=xfdKv0_EU8gs3Ot1cDrQFJuuZYpEknwNEYzoTJzWk9g,9180
-turboapi/__pycache__/version_check.cpython-313.pyc,sha256=xgmdzdAt31IIw15NZxhc6JZjDCpw2Kw8DXrWUhNvHqw,10364
-turboapi/_rust.cp314-win_amd64.pyd,sha256=rZvjeHLthKAGBev1_AO1IWZwktRPub-UMD0CzVjyrYY,3444736
-turboapi/decorators.py,sha256=jjJrIXZ3y_yJ231ar24hS09OCDtTqmYA7arpIOcr2kk,1788
-turboapi/main_app.py,sha256=mR-x-RPJn96Jtg0a313hU_2UsLQNV_xNXRtpFYWAr30,9188
-turboapi/middleware.py,sha256=kDRGblEWopPqROT2O4P4HhB87tGw73qfpLm1svjNs6U,2183
-turboapi/models.py,sha256=VCU68f9MGtDdFb4crsx2e0SHghICg8zjU8OumfdpZLQ,5363
-turboapi/request_handler.py,sha256=lFKXPTjOAFdgKmuQhLV-mwVIZQU6wg-FkSYkASCC_tc,8643
-turboapi/routing.py,sha256=iCbty56a2J9qnCtxIHQtYf66ZoKVxgISxwCxYvGmgEs,7746
-turboapi/rust_integration.py,sha256=6fFhucDHku4r4mKX5dedz6MmPWTx2MxIq9M7H1xiyvo,14859
-turboapi/server_integration.py,sha256=drUhhTasWgQfyhFiAaHKd987N3mnE0qkMab1ylmqd4c,18340
-turboapi/version_check.py,sha256=z3O1vIJsWmG_DO271ayYWSwaDfgpFnfJzYRYyowKYMc,9625
-turboapi-0.3.23.dist-info/RECORD,,