* mkdocs: expanded theme configuration to add alternative dark theme.
The default theme will be determined by the users system theme by the
`prefers-color-scheme` media query.
Co-authored-by: Marcelo Trylesinski <marcelotryle@gmail.com>
* add typing overloads for Config.__call__
This allows for more precise return types instead of the current `Any`.
We have 3 overload cases here:
1. handles cases where the user provides an explicit `cast` argument.
```
reveal_type(config("POOL_SIZE", cast=int))
# note: Revealed type is 'int'
reveal_type(config("DEBUG", cast=bool, default=None))
# note: Revealed type is 'Union[bool, None]'
```
2. handles no cast or default being passed
```
reveal_type(config("FOO"))
# note: Revealed type is 'str'
```
3. handles no cast being provided, and the default not being `str`
```
reveal_type(config("DB_NAME", default=None))
# note: Revealed type is 'Union[str, None]'
reveal_type(config("FOO", default=False))
# note: Revealed type is 'Union[str, bool]'
```
* ignore overloads from code coverage
Co-authored-by: Marcelo Trylesinski <marcelotryle@gmail.com>
- Fix typo ("Third party middleware" to "...responses")
- Fix w3 link (current link leads to 404; I followed links from archive.org to get the "latest" spec)
- Format it similarly to "Third party middleware" (use h4, use the class name as header)
Co-authored-by: Marcelo Trylesinski <marcelotryle@gmail.com>
* ensure TestClient requests run in the same EventLoop as lifespan
* for lifespan task verification, use native task identity rather than anyio.abc.TaskInfo equality
https://github.com/agronholm/anyio/issues/324
* remove redundant pragma: no cover
* it's now a loop_id not a threading.ident
* replace Protocol with plain Callable TypeAlias
* use lifespan_context to actually open a task group
trio should complain if used incorrectly here.
* assign self.portal once, schedule reset immediately after assignment
* inline apps into their tests
* make task/loop trackers nonlocals
as opposed to ClassVar assignment
Co-authored-by: Jamie Hewland <jhewland@gmail.com>
Co-authored-by: Jordan Speicher <jordan@jspeicher.com>
Co-authored-by: Jordan Speicher <uSpike@users.noreply.github.com>
* Prepare version 0.15.0
* Remember to add a note about websocket_connect
* Add date and blurb to release notes
* Bump version to 0.15.0
* Add note about fixing #1012
* First whack at anyio integration
* Fix formatting
* Remove debug messages
* mypy fixes
* Update README.md
Co-authored-by: Marcelo Trylesinski <marcelotryle@gmail.com>
* Fix install_requires typo
* move_on_after blocks if deadline is too small
* Linter fixes
* Improve WSGI structured concurrency
* Tests use anyio
* Checkin progress on testclient
* Prep for anyio 3
* Remove debug backend option
* Use anyio 3.0.0rc1
* Remove old style executor from GraphQLApp
* Fix extra import
* Don't cancel task scope early
* Wait for wsgi sender to finish before exiting
* Use memory object streams in websocket tests
* Test on asyncio, asyncio+uvloop, and trio
* Formatting fixes
* run_until_first_complete doesn't need a return
* Fix middleware app call
* Simplify middleware exceptions
* Use anyio for websocket test
* Set STARLETTE_TESTCLIENT_ASYNC_BACKEND in tests
* Pass async backend to portal
* Formatting fixes
* Bump anyio
* Cleanup portals and add TestClient.async_backend
* Use anyio.run_async_from_thread to send from worker thread
* Use websocket_connect as context manager
* Document changes in TestClient
* Formatting fix
* Fix websocket raises coverage
* Update to anyio 3.0.0rc3 and replace aiofiles
* Apply suggestions from code review
Co-authored-by: Alex Grönholm <alex.gronholm@nextday.fi>
* Bump to require anyio 3.0.0 final
* Remove mention of aiofiles in README.md
* Pin jinja2 to releases before 3 due to DeprecationWarnings
* Add task_group as application attribute
* Remove run_until_first_complete
* Undo jinja pin
* Refactor anyio.sleep into an event
* Use one less task in test_websocket_concurrency_pattern
* Apply review suggestions
* Rename argument
* fix start_task_soon type
* fix BaseHTTPMiddleware when used without Starlette
* Testclient receive() is a non-trapping function if the response is already complete
This allows for a zero deadline when waiting for a disconnect message
* Use variable annotation for async_backend
* Update docs regarding dependency on anyio
* Use CancelScope instead of move_on_after in request.is_disconnected
* Cancel task group after returning middleware response
Add test for https://github.com/encode/starlette/issues/1022
* Add link to anyio backend options in testclient docs
* Add types-dataclasses
* Re-implement starlette.concurrency.run_until_first_complete and add a test
* Fix type on handler callable
* Apply review comments to clarify run_until_first_complete scope
Co-authored-by: Marcelo Trylesinski <marcelotryle@gmail.com>
Co-authored-by: Alex Grönholm <alex.gronholm@nextday.fi>
Co-authored-by: Thomas Grainger <tagrain@gmail.com>
Param "workers" in WSGIMiddleware.__init__ has not been used
since 0.6.3, which is changed in GH-164, commit 96c51c.
Co-authored-by: Jamie Hewland <jhewland@gmail.com>
* Small Pythonic code changes for datastructures.py file
* Reverting back .gitignore changes
* reverting back newline in .gitignore
* Reverting back the changes as requested during merge review
Co-authored-by: Marcelo Trylesinski <marcelotryle@gmail.com>
* Convert comment type hints to annotations
* Update to python 3.6+ syntax
* Explicitly state response type annotation
* Explicitly define queue generic type
* use quote instead of quote_plus for RedirectResponse location header
adjust safe characters: rem. duplicate & symbol
add test for redirect quoting
* remove unused import
Co-authored-by: Jamie Hewland <jhewland@gmail.com>
* Set explicit Origin in CORS preflight response if allow_credentials is True and allow_origins is wildcard
When making a preflight request, the browser makes no indication as to whether the actual subsequent
request will pass up credentials. However, unless the preflight response explicitly allows the
request's `Origin` in the `Access-Control-Response-Header`, the browser will fail the CORS check and
prevent the actual follow-up CORS request. This means that responding with the `*` wildcard is not
sufficient to allow preflighted credentialed requests. The current workaround is to provide an
equivalently permissive `allow_origin_regex` pattern.
The `simple_response()` code already performs similar logic which currently only applies to
non-preflighted requests since the browser would never make a preflighted request that hits this
code due to this issue:
```
if self.allow_all_origins and has_cookie:
headers["Access-Control-Allow-Origin"] = origin
```
This just bring the two halves inline with each other.
* Add Vary header to preflight response if allow_credentials
* Use allow_explicit_origin() for preflight request_headers
This simplifies the code slightly by using this recently added method.
It has some trade-offs, though. We now construct a `MutableHeaders` instead of a simple `dict` when
copying the pre-computed preflight headers, and we move the `Vary` header construction out of the
pre-computation and into the call handler.
I think it makes the code more maintainable and the added per-call computation is minimal.
* Convert MutableHeaders to dict for PlainTextResponse
* Revert back to dict() for preflight headers
This also names and caches some of the boolean tests in __init__() which we use in later if-blocks.
This follows the existing pattern in order to better self-document the code.
* Clean up comments
* Remove unused self.allow_credentials attribute
* Add HEAD to CORS ALL_METHODS list
The HEAD method is conspicuously absent from the allowed methods list when `allow_methods="*"` is
used. This doesn't really affect CORS preflight requests, as HEAD requests aren't preflighted by the
browser, but it does prevent the actual cross-origin HEAD response from being read by the calling
app.
[This can catch people off-guard.](https://discuss.encode.io/t/for-cors-middleware-why-is-head-not-included-in-all-methods/939)
This simply adds HEAD to the `ALL_METHODS` list in the CORS middleware module and includes some
additional tests to validate the new behavior.
* Update tests/middleware/test_cors.py to use more explicit status code check
Co-authored-by: euri10 <euri10@users.noreply.github.com>
Co-authored-by: euri10 <euri10@users.noreply.github.com>
Co-authored-by: Jamie Hewland <jhewland@gmail.com>
* Add Origin to Vary header on credentialed CORS response
According to the [MDN CORS docs]
(https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Access-Control-Allow-Origin), the `Origin`
item should be added to the `Vary` header when the `Access-Control-Allow-Origin` is set to an
explicit origin value, as opposed to the `*` wildcard.
>If the server specifies a single origin (that may dynamically change based on the requesting origin
as part of a white-list) rather than the "*" wildcard, then the server should also include Origin in
the Vary response header — to indicate to clients that server responses will differ based on the
value of the Origin request header.
The existing code fails to update the `Vary` list when the server is configured to allow all
origins (`*`) and the request has a `Cookie` header (ie. credentialed). In that situation, the
`Access-Control-Allow-Origin` header will be set to the request's `Origin` value.
It appears this may have just been a simple oversight in the original implementation. This updates
the code to add `Origin` to the `Vary` header under these circumstancesIf it was intentionally
omitted, I'd be delighted to learn why.
* Add type annotations
* Add test to ensure that the vary header does not contain origin if request is non-credentialed
* Make session cookie use ASGI root path
* Check if ASGI root_path exists before using it
Co-authored-by: Tom Christie <tom@tomchristie.com>
* Remove comment
* Add test
Co-authored-by: Mahmoud Hanafy <mahmoud.hanafy@retresco.de>
Co-authored-by: Tom Christie <tom@tomchristie.com>
* StaticFiles: Fix cache validation bug for deleted files in html mode
Previously StaticFiles would return 304 for a deleted file if its
Last-Modified date was the same as that of 404.html
* Use black formatter
Co-authored-by: Jamie Hewland <jhewland@gmail.com>
Piotr Gnus