feat(experimental): remove pydantic

Author: aekasitt

pyproject.toml

@@ -25,8 +25,6 @@ classifiers = [
 ]
 dependencies = [
   'itsdangerous >=2.0.1,<3.0.0',
-  'pydantic >=2.0.0',
-  'pydantic-settings >=2.0.0',
   'starlette >=0',
 ]
 description = 'Stateless implementation of Cross-Site Request Forgery (XSRF) Protection by using Double Submit Cookie mitigation pattern'

src/fastapi_csrf_protect/core.py

@@ -11,13 +11,13 @@
 
 ### Standard packages ###
 from hashlib import sha1
+from json import loads
 from re import match
 from os import urandom
 from typing import Dict, Optional, Tuple, Union
 
 ### Third-party packages ###
 from itsdangerous import BadData, SignatureExpired, URLSafeTimedSerializer
-from pydantic import create_model
 from starlette.datastructures import Headers, UploadFile
 from starlette.requests import Request
 from starlette.responses import Response
@@ -56,11 +56,13 @@ def get_csrf_from_body(self, data: bytes) -> str:
     :param data: attached request body containing cookie data with configured `token_key`
     :type data: bytes
     """
-    fields: Dict[str, Tuple[type, str]] = {self._token_key: (str, "csrf-token")}
-    Body = create_model("Body", **fields)
     content: str = '{"' + data.decode("utf-8").replace("&", '","').replace("=", '":"') + '"}'
-    body = Body.model_validate_json(content)
-    token: str = body.model_dump()[self._token_key]
+    body: Dict[str, str] = loads(content)
+    token: str = ""
+    try:
+      token = body[self._token_key]
+    except AttributeError:
+      pass
     return token
 
   def get_csrf_from_headers(self, headers: Headers) -> str:

src/fastapi_csrf_protect/csrf_config.py

@@ -10,11 +10,7 @@
 # *************************************************************
 
 ### Standard packages ###
-from typing import Any, ClassVar, Callable, Literal, Optional, Sequence, Set, Tuple, Union
-
-### Third-party packages ###
-from pydantic import ValidationError
-from pydantic_settings import BaseSettings
+from typing import Any, ClassVar, Callable, Literal, Optional, Sequence, Set, Tuple, cast
 
 ### Local modules ###
 from fastapi_csrf_protect.load_config import LoadConfig
@@ -30,7 +26,7 @@ class CsrfConfig(object):
   _header_type: ClassVar[Optional[str]] = None
   _httponly: ClassVar[bool] = True
   _max_age: ClassVar[int] = 3600
-  _methods: ClassVar[Set[Literal["DELETE", "GET", "OPTIONS", "PATCH", "POST", "PUT"]]] = {
+  _methods: ClassVar[Set[str]] = {
     "POST",
     "PUT",
     "PATCH",
@@ -41,15 +37,14 @@ class CsrfConfig(object):
   _token_key: ClassVar[str] = "csrf-token"
 
   @classmethod
-  def load_config(
-    cls, settings: Callable[..., Union[Sequence[Tuple[str, Any]], BaseSettings]]
-  ) -> None:
+  def load_config(cls, settings: Callable[..., Sequence[Tuple[str, Any]]]) -> None:
     try:
       config = LoadConfig(**{key.lower(): value for key, value in settings()})
       cls._cookie_key = config.cookie_key or cls._cookie_key
       cls._cookie_path = config.cookie_path or cls._cookie_path
       cls._cookie_domain = config.cookie_domain
-      cls._cookie_samesite = config.cookie_samesite
+      if config.cookie_samesite in {"lax", "strict", "none"}:
+        cls._cookie_samesite = cast(Literal["lax", "strict", "none"], config.cookie_samesite)
       cls._cookie_secure = False if config.cookie_secure is None else config.cookie_secure
       cls._header_name = config.header_name or cls._header_name
       cls._header_type = config.header_type
@@ -59,11 +54,11 @@ def load_config(
       cls._secret_key = config.secret_key
       cls._token_location = config.token_location or cls._token_location
       cls._token_key = config.token_key or cls._token_key
-    except ValidationError:
+    except ValueError:
       raise
     except Exception as err:
       print(err)
-      raise TypeError('CsrfConfig must be pydantic "BaseSettings" or list of tuple')
+      raise TypeError("CsrfConfig must be a sequence of tuples")
 
 
 __all__: Tuple[str, ...] = ("CsrfConfig",)

src/fastapi_csrf_protect/load_config.py

@@ -10,46 +10,79 @@
 # *************************************************************
 
 ### Standard packages ###
-from typing import Literal, Optional, Set, Tuple
+from typing import Optional, List, Set, Tuple, Union, get_args, get_origin
 
 ### Third-party packages ###
-from pydantic import (
-  BaseModel,
-  StrictBool,
-  StrictInt,
-  StrictStr,
-  model_validator,
-)
-
-
-class LoadConfig(BaseModel):
-  cookie_key: Optional[StrictStr] = "fastapi-csrf-token"
-  cookie_path: Optional[StrictStr] = "/"
-  cookie_domain: Optional[StrictStr] = None
-  cookie_samesite: Optional[Literal["lax", "none", "strict"]] = "lax"
-  cookie_secure: Optional[StrictBool] = False
-  header_name: Optional[StrictStr] = "X-CSRF-Token"
-  header_type: Optional[StrictStr] = None
-  httponly: Optional[StrictBool] = True
-  max_age: Optional[StrictInt] = 3600
-  methods: Optional[Set[Literal["DELETE", "GET", "OPTIONS", "PATCH", "POST", "PUT"]]] = None
-  secret_key: Optional[StrictStr] = None
-  token_location: Optional[Literal["body", "header"]] = "header"
-  token_key: Optional[StrictStr] = None
-
-  @model_validator(mode="after")
-  def validate_cookie_samesite_none_secure(self) -> "LoadConfig":
+from dataclasses import dataclass
+
+
+@dataclass
+class LoadConfig:
+  cookie_key: Optional[str] = "fastapi-csrf-token"
+  cookie_path: Optional[str] = "/"
+  cookie_domain: Optional[str] = None
+  cookie_samesite: Optional[str] = "lax"
+  cookie_secure: Optional[bool] = False
+  header_name: Optional[str] = "X-CSRF-Token"
+  header_type: Optional[str] = None
+  httponly: Optional[bool] = True
+  max_age: Optional[int] = 3600
+  methods: Optional[Set[str]] = None
+  secret_key: Optional[str] = None
+  token_location: Optional[str] = "header"
+  token_key: Optional[str] = None
+
+  def __post_init__(self) -> None:
+    self.validate_attribute_types()
+    self.validate_cookie_samesite()
+    self.validate_cookie_samesite_none_secure()
+    self.validate_methods()
+    self.validate_token_key()
+    self.validate_token_location()
+
+  def validate_attribute_types(self) -> None:
+    for name, field_type in self.__annotations__.items():
+      origin = get_origin(field_type)
+      if origin == Union:
+        types = get_args(field_type)
+        typed: List[bool] = []
+        for current_type in types:
+          if get_origin(current_type) is None:
+            typed.append(isinstance(getattr(self, name), current_type))
+          else:
+            subscripted = get_origin(current_type)
+            typed.append(isinstance(getattr(self, name), subscripted))
+            # TODO: subtypes
+        if not any(typed):
+          raise TypeError(f"The field `{name}` was not correctly assigned as `{field_type}`.")
+      elif not isinstance(getattr(self, name), field_type):
+        current_type = type(getattr(self, name))
+        raise TypeError(
+          f"The field `{name}` was assigned by `{current_type}` instead of `{field_type}`"
+        )
+
+  def validate_methods(self) -> None:
+    if self.methods is not None and isinstance(self.methods, set):
+      for method in self.methods:
+        if method not in {"DELETE", "GET", "PATCH", "POST", "PUT"}:
+          raise TypeError("lol")
+
+  def validate_cookie_samesite(self) -> None:
+    if self.cookie_samesite is not None and self.cookie_samesite not in {"lax", "none", "strict"}:
+      raise TypeError("lol")
+
+  def validate_cookie_samesite_none_secure(self) -> None:
     if self.cookie_samesite in {None, "none"} and self.cookie_secure is not True:
-      raise ValueError('The "cookie_secure" must be True if "cookie_samesite" set to "none".')
-    return self
+      raise TypeError('The "cookie_secure" must be True if "cookie_samesite" set to "none".')
 
-  @model_validator(mode="after")
-  def validate_token_key(self) -> "LoadConfig":
+  def validate_token_key(self) -> None:
     token_location: str = self.token_location if self.token_location is not None else "header"
-    if token_location == "body":
-      if self.token_key is None:
-        raise ValueError('The "token_key" must be present when "token_location" is "body"')
-    return self
+    if token_location == "body" and self.token_key is None:
+      raise TypeError('The "token_key" must be present when "token_location" is "body"')
+
+  def validate_token_location(self) -> None:
+    if self.token_location not in {"body", "header"}:
+      raise TypeError("lol")
 
 
 __all__: Tuple[str, ...] = ("LoadConfig",)