FastAPI and TypeScript improved
22
README.md
@@ -61,15 +61,18 @@ Protocol transports and guarantees co-equal with the body channel in the spec.
|
||||
|
||||
| Capability | Django | FastAPI | Rust / Axum | Tauri | TypeScript |
|
||||
|---|:---:|:---:|:---:|:---:|:---:|
|
||||
| Invalidation — `X-Mizan-Invalidate` header | ✅ | ❌ | ❌ | — ¹ | ✅ |
|
||||
| Auth-guard enforcement (`auth=…` rejects) | ✅ | ✅ | ❌ ⁵ | ◑ ⁵ | ❌ |
|
||||
| Origin-side HMAC cache | ✅ | ❌ | ❌ | ❌ | ✅ |
|
||||
| Invalidation — `X-Mizan-Invalidate` header | ✅ | ✅ | ❌ | — ¹ | ✅ |
|
||||
| Auth-guard enforcement (`auth=…` rejects) | ✅ | ✅ | ❌ ⁵ | ◑ ⁵ | ✅ ¹¹ |
|
||||
| Origin-side HMAC cache | ✅ | ✅ | ❌ | ❌ | ✅ |
|
||||
| Edge manifest export | ✅ | ❌ | ❌ | — | ✅ |
|
||||
| PSR (`render_strategy` in manifest) | ✅ | ❌ | ❌ | — | ✅ |
|
||||
| Session / CSRF init endpoint | ✅ | ◑ ⁷ | ◑ ⁷ | — | ❌ |
|
||||
|
||||
> **Caveat:** Rust/Axum and Tauri accept `auth=` on a function but do not yet enforce
|
||||
> it — do not rely on `auth=` for access control on those adapters.
|
||||
>
|
||||
> Django, FastAPI, and TypeScript share one auth/invalidation/cache implementation
|
||||
> (`mizan_core` for the Python adapters; the same spec, pinned cross-language, for TS).
|
||||
|
||||
### Stack extensions (Django)
|
||||
|
||||
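Review bot: the caveat block after the table still names only Rust/Axum and Tauri, while the TypeScript auth-guard cell moves to `✅ ¹¹` and footnote 11 makes that enforcement depend on a host-supplied `Identity`. Suggest adding a line to the caveat saying that `auth=` on `mizan-ts` is only as trustworthy as the `Identity` the host passes in, so a reader does not take the ✅ as equivalent to Django's. Separately, the added sentence says the three adapters "share one auth/invalidation/cache implementation" and then qualifies TypeScript as "the same spec, pinned cross-language"; "share one specification" would be accurate for all three, with `mizan_core` named as the shared implementation for the Python adapters.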
@@ -82,8 +85,8 @@ target stack calls for them.
|
||||
| Forms (schema / validate / submit) | ✅ | ❌ | ◑ ³ | ❌ | ❌ |
|
||||
| Formsets | ✅ | ❌ | ❌ | ❌ | ❌ |
|
||||
| API shapes (ORM query projection) ⁴ | ✅ | — | — | — | — |
|
||||
| JWT auth (access / refresh, session validation) | ✅ | ❌ | ❌ | ❌ | ❌ |
|
||||
| MWT (edge identity token) | ✅ | ❌ | ❌ | — | ❌ |
|
||||
| JWT auth (access / refresh) ¹² | ✅ | ✅ | ❌ | ❌ | ◑ ¹³ |
|
||||
| MWT (edge identity token) | ✅ | ✅ | ❌ | — | ◑ ¹³ |
|
||||
| SSR bridge | ✅ | ❌ | ❌ | — | ❌ |
|
||||
| Auth-provider integration (allauth) | ✅ | ❌ | ❌ | ❌ | ❌ |
|
||||
|
||||
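Review bot: on the JWT row, the label drops "session validation" and FastAPI moves to a plain ✅, so the table now shows FastAPI as equal to Django even though footnote 12 says session validation (immediate-logout revocation) is Django-only. Suggest either marking FastAPI `◑ ¹²` or keeping session validation as its own row with ✅ for Django only, since revocation is the property a security reader will look for in this table. The MWT row is also covered by footnote 12 ("JWT/MWT token logic is single-sourced") but its label does not carry the ¹² marker.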
@@ -113,6 +116,15 @@ target stack calls for them.
|
||||
10. The TypeScript column is the `mizan-ts` backend adapter, which has no upload
|
||||
dispatch. The matching client side lives in the kernel (`@mizan/base`): `mizanCall`
|
||||
auto-switches to `multipart/form-data` when any argument is a `File`.
|
||||
11. `mizan-ts` dispatch now enforces `auth=` (`true`/`'staff'`/`'superuser'`/predicate)
|
||||
against a host-supplied `Identity`, byte-matching the Python guard's denial messages.
|
||||
12. JWT/MWT token logic is single-sourced in `mizan_core.auth`; Django and FastAPI ride
|
||||
it. Session-validation (immediate-logout revocation) is Django-only — FastAPI mints
|
||||
from its own credential check.
|
||||
13. `mizan-ts` ships an optional `decodeMwt`/`decodeJwtBearer`/`identityFromMwt` helper
|
||||
(HS256 via Node `crypto`, cross-language pin-tested against a Python-minted MWT) so a
|
||||
TS edge worker can derive `Identity` from a Python-issued token. Identity source stays
|
||||
host-supplied; `mizan-ts` does not mint from a session.
|
||||
|
||||
## Conformance
|
||||
|
||||
|
||||
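Review bot: footnote 13 names HS256 but does not say what `decodeMwt`/`decodeJwtBearer` actually validate. HS256 is symmetric, so a TS edge worker that verifies a Python-issued token holds the same secret that can mint one; the footnote should say so, and should state whether the helpers reject tokens carrying any other `alg` and whether they check expiry. In footnote 12, "FastAPI mints from its own credential check" would be clearer with the consequence spelled out, namely whether a FastAPI-issued token stays valid until expiry after logout.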