Critical:
- Separate MIZAN_MWT_SECRET from MIZAN_CACHE_SECRET — compromising one no longer compromises the other (token forgery vs cache poisoning)
- Move kid from JWT payload to JOSE header per RFC 7515 — standard libraries use header kid for key selection before payload decode
High:
- Full SHA-256 pkey (64 chars) instead of truncated 16 — no reason to reduce collision resistance
- Add nbf (not-before) claim for clock skew protection
- Log warnings in _try_mwt_auth on missing secret and decode failures instead of silent swallow
- Rename _csrf_protect_unless_jwt to _csrf_protect_unless_token (accuracy)
- decode_mwt logs at DEBUG level on failures for observability
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
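The token-handling points in that commit message (kid carried in the JOSE header rather than the payload so the key is selected before any payload is trusted, a token secret kept apart from the cache secret, an nbf claim with clock-skew leeway, a full 64-character SHA-256 cache key, and failures logged rather than swallowed) are shown below as an added, stand-alone illustration in plain Python. It is not mizan's own code: MWT_SECRETS, CACHE_SECRET, LEEWAY, encode_mwt, decode_mwt and param_key are assumed names, the secrets are constructed for the example, and only the standard library is used.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import logging
import time

log = logging.getLogger("mizan.mwt")

# Constructed secrets for this example. A deployment would load them from
# settings. The token secrets and the cache secret are distinct values so
# that leaking one does not let an attacker forge the other.
MWT_SECRETS = {
    "2024-a": b"constructed-token-secret-A",
    "2024-b": b"constructed-token-secret-B",
}
CACHE_SECRET = b"constructed-cache-secret"  # used only by param_key below

LEEWAY = 30  # seconds of clock skew tolerated when checking nbf / exp


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _dumps(obj) -> bytes:
    # Canonical, compact JSON so the same input always signs the same bytes.
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def encode_mwt(claims: dict, kid: str, now: int | None = None, ttl: int = 300) -> str:
    """Sign claims with the secret named by kid; kid goes in the JOSE header (RFC 7515)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    payload = {**claims, "iat": now, "nbf": now, "exp": now + ttl}
    signing_input = _b64url(_dumps(header)) + "." + _b64url(_dumps(payload))
    sig = hmac.new(MWT_SECRETS[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def decode_mwt(token: str, now: int | None = None) -> tuple[dict | None, str | None]:
    """Return (claims, None) on success or (None, reason) on failure; reasons go to DEBUG."""
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_unb64url(h64))
        sig = _unb64url(s64)
    except (ValueError, UnicodeDecodeError) as exc:
        log.debug("mwt: malformed token (%s)", exc)
        return None, "malformed"
    # Key selection reads only the (still unverified) header. The payload is
    # not parsed until the signature has been checked against that key.
    if header.get("alg") != "HS256":
        log.debug("mwt: unexpected alg %r", header.get("alg"))
        return None, "bad_alg"
    secret = MWT_SECRETS.get(header.get("kid"))
    if secret is None:
        log.debug("mwt: unknown kid %r", header.get("kid"))
        return None, "unknown_kid"
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        log.debug("mwt: signature mismatch for kid %r", header["kid"])
        return None, "bad_signature"
    try:
        payload = json.loads(_unb64url(p64))
    except (ValueError, UnicodeDecodeError) as exc:
        log.debug("mwt: malformed payload (%s)", exc)
        return None, "malformed"
    if payload.get("nbf", 0) > now + LEEWAY:
        log.debug("mwt: not yet valid (nbf=%s now=%s)", payload.get("nbf"), now)
        return None, "not_yet_valid"
    if payload.get("exp", 0) <= now - LEEWAY:
        log.debug("mwt: expired (exp=%s now=%s)", payload.get("exp"), now)
        return None, "expired"
    return payload, None


def param_key(name: str, params: dict) -> str:
    """Cache key for a call: full SHA-256 hex (64 chars), keyed with the cache secret only."""
    return hmac.new(CACHE_SECRET, _dumps({"fn": name, "params": params}), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    tok = encode_mwt({"sub": "42"}, "2024-a", now=1000)
    print(decode_mwt(tok, now=1000))   # claims accepted
    print(decode_mwt(tok, now=900))    # not_yet_valid: nbf is beyond the leeway
    print(param_key("echo", {"text": "hi"}))
```

Two properties worth checking by hand: swapping the header's kid for another key id without re-signing fails with bad_signature rather than selecting a different key, and a token whose header says alg "none" is rejected before any key lookup. Both checks depend on the kid living in the header; had it been read from the payload, the decoder would have had to parse attacker-controlled JSON before it could verify anything.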
mizan (Python)
Django server functions framework. See the monorepo root for full documentation.
Install
uv add "mizan[channels,allauth] @ git+https://git.impactsoundworks.com/isw/mizan.git#subdirectory=django"
Setup
# settings.py
INSTALLED_APPS = ["mizan", ...]
# urls.py
path("api/mizan/", include("mizan.urls"))
# asgi.py (optional, for WebSocket)
from mizan import wrap_asgi
application = wrap_asgi(get_asgi_application())
Define Functions
from mizan.client import client
from mizan.setup.registry import register
from pydantic import BaseModel

class Output(BaseModel):
    message: str

@client
def echo(request, text: str) -> Output:
    return Output(message=text)

register(echo, "echo")
Register in apps.py:
def ready(self):
    import myapp.mizan_clients  # noqa: F401  (imports the module so its register() calls run)
Auth
@client(auth=True) # requires authentication
@client(auth='staff') # requires is_staff
@client(auth='superuser') # requires is_superuser
@client(auth=my_callable) # custom check
Contexts
@client(context='global') # fetched once, SSR-hydrated, becomes useCurrentUser()
@client(context='local') # fetched with params, becomes <GreetProvider>
Forms
from django import forms
from mizan.forms import mizanFormMixin, mizanFormMeta

class ContactForm(mizanFormMixin, forms.Form):
    mizan = mizanFormMeta(name="contact", title="Contact Us")
    name = forms.CharField()
    email = forms.EmailField()

    def on_submit_success(self, request):
        return {"sent": True}
Auto-registers contact.schema, contact.validate, contact.submit. Generates useContactForm() with Zod validation.
Channels
from mizan.channels import ReactChannel
from pydantic import BaseModel

class ChatChannel(ReactChannel):
    class Params(BaseModel):
        room: str

    class DjangoMessage(BaseModel):
        text: str

    def authorize(self, params):
        # Called before the socket joins the group; refuse anonymous users.
        return self.user.is_authenticated

    def group(self, params):
        return f"chat_{params.room}"
Generates useChatChannel({ room }).
Running Tests
uv sync --extra dev --extra channels
uv run pytest