fix

markolofsen · markolofsen · commit f97fbaee26d1 · 2025-12-11T01:22:17.000+08:00
diff --git a/packages/django_cfg/__init__.py b/packages/django_cfg/__init__.py
@@ -32,7 +32,7 @@ class MyConfig(DjangoConfig):
 default_app_config = "django_cfg.apps.DjangoCfgConfig"
 
 # Version information
-__version__ = "1.5.110"
+__version__ = "1.5.115"
 __license__ = "MIT"
 
 # Setup warnings debug early (checks env var only at this point)
diff --git a/packages/django_cfg/apps/api/endpoints/endpoints_status/drf_views.py b/packages/django_cfg/apps/api/endpoints/endpoints_status/drf_views.py
@@ -5,7 +5,7 @@
 """
 
 from rest_framework import status
-from rest_framework.permissions import AllowAny
+from rest_framework.permissions import IsAdminUser
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
@@ -26,9 +26,12 @@ class DRFEndpointsStatusView(APIView):
         - auto_auth: Auto-retry with JWT on 401/403 (default: true)
 
     This endpoint uses DRF Browsable API with Tailwind CSS theme! 🎨
+
+    **IMPORTANT**: Admin-only for security (shows all endpoint statuses).
+    For public health checks, use /cfg/health/ instead.
     """
 
-    permission_classes = [AllowAny]  # Public endpoint
+    permission_classes = [IsAdminUser]  # Admin-only for security
     serializer_class = EndpointsStatusSerializer  # For schema generation
 
     def get(self, request):
diff --git a/packages/django_cfg/apps/api/endpoints/urls_list/views.py b/packages/django_cfg/apps/api/endpoints/urls_list/views.py
@@ -10,7 +10,7 @@
 from django.conf import settings
 from django.urls import URLPattern, URLResolver, get_resolver
 from rest_framework import status
-from rest_framework.permissions import AllowAny
+from rest_framework.permissions import IsAdminUser
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
@@ -31,13 +31,24 @@ class DRFURLsListView(APIView):
     - HTTP methods
 
     This endpoint uses DRF Browsable API with Tailwind CSS theme! 🎨
+
+    **IMPORTANT**: Admin-only endpoint for security reasons.
     """
 
-    permission_classes = [AllowAny]  # Public endpoint (can be restricted)
+    permission_classes = [IsAdminUser]  # Admin-only for security
     serializer_class = URLsListSerializer  # For schema generation
 
     def get(self, request):
-        """Return all registered URLs."""
+        """
+        Return registered URLs (API endpoints by default).
+
+        Query Parameters:
+            filter (str): Filter URLs by prefix
+                - omit or 'api': Only API endpoints (/api/*) - DEFAULT
+                - 'all': All URLs (admin, api, cfg, etc.)
+                - 'admin': Only admin endpoints (/admin/*)
+                - 'cfg': Only django-cfg endpoints (/cfg/*)
+        """
         try:
             config = getattr(settings, 'config', None)
 
@@ -46,19 +57,33 @@ def get(self, request):
             if not base_url:
                 base_url = request.build_absolute_uri('/').rstrip('/')
 
+            # Get filter parameter (default: 'api')
+            url_filter = request.query_params.get('filter', 'api')
+
             urls_data = {
                 "status": "success",
                 "service": config.project_name if config else "Django CFG",
                 "version": get_current_version(),
                 "base_url": base_url,
+                "filter": url_filter,
                 "total_urls": 0,
                 "urls": []
             }
 
             # Extract all URLs
-            url_patterns = self._get_all_urls()
-            urls_data["urls"] = url_patterns
-            urls_data["total_urls"] = len(url_patterns)
+            all_urls = self._get_all_urls()
+
+            # Apply filter (default: api)
+            if url_filter == 'all':
+                # Show all URLs
+                urls_data["urls"] = all_urls
+                urls_data["total_urls"] = len(all_urls)
+            else:
+                # Filter by prefix (api, admin, cfg)
+                filtered_urls = self._filter_urls(all_urls, url_filter)
+                urls_data["urls"] = filtered_urls
+                urls_data["total_urls"] = len(filtered_urls)
+                urls_data["total_urls_unfiltered"] = len(all_urls)
 
             return Response(urls_data, status=status.HTTP_200_OK)
 
@@ -68,6 +93,27 @@ def get(self, request):
                 "error": str(e)
             }, status=status.HTTP_500_INTERNAL_SERVER_ERROR)
 
+    def _filter_urls(self, urls: List[Dict[str, Any]], filter_type: str) -> List[Dict[str, Any]]:
+        """
+        Filter URLs by prefix.
+
+        Args:
+            urls: List of URL dictionaries
+            filter_type: Filter type ('api', 'admin', 'cfg')
+
+        Returns:
+            Filtered list of URLs
+        """
+        if filter_type == 'api':
+            return [url for url in urls if url['pattern'].startswith('api/')]
+        elif filter_type == 'admin':
+            return [url for url in urls if url['pattern'].startswith('admin/')]
+        elif filter_type == 'cfg':
+            return [url for url in urls if url['pattern'].startswith('cfg/')]
+        else:
+            # Unknown filter - return all
+            return urls
+
     def _get_all_urls(self, urlpatterns=None, prefix='', namespace=None) -> List[Dict[str, Any]]:
         """
         Recursively extract all URL patterns from Django URLconf.
@@ -187,9 +233,11 @@ class DRFURLsListCompactView(APIView):
     Compact URLs list endpoint - just patterns and names.
 
     This endpoint uses DRF Browsable API with Tailwind CSS theme! 🎨
+
+    **IMPORTANT**: Admin-only endpoint for security reasons.
     """
 
-    permission_classes = [AllowAny]
+    permission_classes = [IsAdminUser]  # Admin-only for security
 
     def get(self, request):
         """Return compact URL list."""
diff --git a/packages/django_cfg/apps/integrations/centrifugo/views/rpc_proxy.py b/packages/django_cfg/apps/integrations/centrifugo/views/rpc_proxy.py
@@ -30,24 +30,15 @@
 
 
 class RPCProxyRequest(BaseModel):
-    """
-    Request from Centrifugo RPC proxy.
-
-    Supports both Centrifugo v5 and v6 formats.
-    V6 sends: {method, data} - minimal format
-    V5 sends: {client, transport, protocol, encoding, user, method, data, meta}
-    """
+    """Request from Centrifugo RPC proxy."""
 
-    # V6 minimal format - these are the main fields
-    method: str = Field("", description="RPC method name")
-    data: dict[str, Any] | str = Field(default_factory=dict, description="RPC params (dict or JSON string)")
-
-    # V5 extended format - optional in v6
     client: str = Field("", description="Client connection ID")
     transport: str = Field("websocket", description="Transport type")
     protocol: str = Field("json", description="Protocol format")
     encoding: str = Field("json", description="Encoding type")
     user: str = Field("", description="User ID from auth")
+    method: str = Field("", description="RPC method name")
+    data: dict[str, Any] = Field(default_factory=dict, description="RPC params")
     meta: dict[str, Any] | None = Field(None, description="Connection metadata")
 
 
@@ -98,20 +89,11 @@ async def post(self, request):
             body = json.loads(request.body)
             rpc_request = RPCProxyRequest(**body)
 
-            client_short = rpc_request.client[:8] if rpc_request.client else "unknown"
             logger.info(
                 f"RPC proxy: method={rpc_request.method} "
-                f"user={rpc_request.user} client={client_short}..."
+                f"user={rpc_request.user} client={rpc_request.client[:8]}..."
             )
 
-            # Parse data if it's a JSON string (Centrifugo v6 sends it this way)
-            rpc_data = rpc_request.data
-            if isinstance(rpc_data, str):
-                try:
-                    rpc_data = json.loads(rpc_data)
-                except json.JSONDecodeError:
-                    rpc_data = {"raw": rpc_data}
-
             # Get router and check if handler exists
             router = get_global_router()
 
@@ -129,7 +111,7 @@ async def post(self, request):
             handler = router.get_handler(rpc_request.method)
 
             # Try to validate params using handler's type hints
-            params = rpc_data
+            params = rpc_request.data
             try:
                 # Get param type from handler signature
                 import inspect
diff --git a/packages/django_cfg/apps/integrations/grpc/managers/grpc_request_log.py b/packages/django_cfg/apps/integrations/grpc/managers/grpc_request_log.py
@@ -191,14 +191,17 @@ async def amark_success(
         self,
         log_instance,
         duration_ms: int | None = None,
+        response_data: dict | None = None,
     ):
         """
         Mark request as successful (ASYNC - Django 5.2).
 
         Args:
             log_instance: GRPCRequestLog instance
             duration_ms: Duration in milliseconds
+            response_data: Response data (optional, for future use)
         """
+        # NOTE: response_data is accepted but not stored (no field in model yet)
         from ..models import GRPCRequestLog
 
         log_instance.status = GRPCRequestLog.StatusChoices.SUCCESS
@@ -258,6 +261,7 @@ async def amark_error(
         log_instance,
         grpc_status_code: str,
         error_message: str,
+        error_details: dict | None = None,
         duration_ms: int | None = None,
     ):
         """
@@ -267,13 +271,15 @@ async def amark_error(
             log_instance: GRPCRequestLog instance
             grpc_status_code: gRPC status code
             error_message: Error message
+            error_details: Additional error details (JSON)
             duration_ms: Duration in milliseconds
         """
         from ..models import GRPCRequestLog
 
         log_instance.status = GRPCRequestLog.StatusChoices.ERROR
         log_instance.grpc_status_code = grpc_status_code
         log_instance.error_message = error_message
+        log_instance.error_details = error_details
         log_instance.completed_at = timezone.now()
 
         if duration_ms is not None:
@@ -284,6 +290,7 @@ async def amark_error(
                 "status",
                 "grpc_status_code",
                 "error_message",
+                "error_details",
                 "completed_at",
                 "duration_ms",
             ]
diff --git a/packages/django_cfg/apps/integrations/grpc/migrations/0008_grpcrequestlog_error_details.py b/packages/django_cfg/apps/integrations/grpc/migrations/0008_grpcrequestlog_error_details.py
@@ -0,0 +1,18 @@
+# Generated manually for django_cfg 1.5.111 compatibility
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("grpc", "0007_simplify_grpc_models"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="grpcrequestlog",
+            name="error_details",
+            field=models.JSONField(blank=True, null=True),
+        ),
+    ]
diff --git a/packages/django_cfg/apps/integrations/grpc/models/grpc_request_log.py b/packages/django_cfg/apps/integrations/grpc/models/grpc_request_log.py
@@ -44,6 +44,7 @@ class StatusChoices(models.TextChoices):
     )
     grpc_status_code = models.CharField(max_length=50, null=True, blank=True, db_index=True)
     error_message = models.TextField(null=True, blank=True)
+    error_details = models.JSONField(null=True, blank=True)
 
     # Performance
     duration_ms = models.IntegerField(null=True, blank=True)
diff --git a/packages/django_cfg/apps/integrations/grpc/services/interceptors/observability.py b/packages/django_cfg/apps/integrations/grpc/services/interceptors/observability.py
@@ -546,7 +546,13 @@ async def wrapper(request, context):
                 )
 
             try:
-                response = await behavior(request, context)
+                # Handle both async and sync behaviors (Health Check is sync)
+                import inspect
+                if inspect.iscoroutinefunction(behavior):
+                    response = await behavior(request, context)
+                else:
+                    response = behavior(request, context)
+
                 duration_ms = (time.time() - start_time) * 1000
 
                 if self.enable_metrics:
@@ -848,10 +854,6 @@ async def _create_log_entry(
                 api_key=api_key,
                 is_authenticated=user is not None,
                 client_ip=client_ip,
-                user_agent=user_agent,
-                peer=peer,
-                request_data=self._serialize_message(request) if request else None,
-                status="pending",
             )
             return log_entry
 
diff --git a/packages/django_cfg/core/builders/security_builder.py b/packages/django_cfg/core/builders/security_builder.py
@@ -313,27 +313,20 @@ def _get_dev_csrf_origins(self) -> List[str]:
         Smart list of dev CSRF origins.
 
         Covers:
-        - Popular dev ports
+        - All dev ports from 3000 to 10000 (covers all common dev servers)
         - localhost and 127.0.0.1
 
         Docker IPs NOT needed - CSRF checks Referer from browser!
 
         Returns:
             List of dev CSRF origins
         """
-        popular_ports = [
-            3000,  # React/Next.js default
-            3777,  # Next.js Admin default
-            5173,  # Vite default
-            5174,  # Vite preview
-            8080,  # Vue/Spring Boot
-            4200,  # Angular
-            8000,  # Django default
-            8001,  # Django alternative
-        ]
+        # Wide port range for development (3000-10000)
+        # Covers: Next.js, React, Vite, Angular, Vue, Django, Flask, etc.
+        dev_ports = range(3000, 10001)
 
         origins = []
-        for port in popular_ports:
+        for port in dev_ports:
             origins.extend([
                 f"http://localhost:{port}",
                 f"http://127.0.0.1:{port}",
@@ -364,29 +357,20 @@ def _get_localhost_cors_regexes(self) -> List[str]:
 
     def _get_localhost_csrf_origins(self) -> List[str]:
         """
-        Localhost CSRF origins with common development ports.
+        Localhost CSRF origins with wide port range for development.
 
         CSRF doesn't support regex, so we need to list specific ports.
-        Covers standard development tools and frameworks.
+        Covers all development ports from 3000 to 10000.
 
         Note: CORS uses regex for ALL ports via CORS_ALLOWED_ORIGIN_REGEXES.
-        CSRF is more limited - only these common ports are whitelisted.
+        CSRF needs explicit port list - using same range as dev mode (3000-10000).
 
         Returns:
-            List of localhost origins with common ports for CSRF
+            List of localhost origins with development ports for CSRF
         """
-        # Common development ports (framework defaults)
-        dev_ports = [
-            # Frontend frameworks
-            3000, 3001, 3002,  # React/Next.js
-            5173, 5174,        # Vite
-            8080, 8081,        # Vue/Spring Boot
-            4200,              # Angular
-            # Backend servers
-            8000, 8001, 8002,  # Django
-            5000,              # Flask
-            4000,              # Express
-        ]
+        # Wide port range for development (3000-10000)
+        # Covers: Next.js, React, Vite, Angular, Vue, Django, Flask, etc.
+        dev_ports = range(3000, 10001)
 
         origins = []
         for port in dev_ports:
diff --git a/packages/django_cfg/core/middleware/noindex.py b/packages/django_cfg/core/middleware/noindex.py
diff --git a/packages/django_cfg/modules/django_import_export/templates/admin/import_export/change_list_export_item.html b/packages/django_cfg/modules/django_import_export/templates/admin/import_export/change_list_export_item.html
diff --git a/packages/django_cfg/modules/django_import_export/templates/admin/import_export/change_list_import_item.html b/packages/django_cfg/modules/django_import_export/templates/admin/import_export/change_list_import_item.html
diff --git a/solution/projects/django/api/environment/loader.py b/solution/projects/django/api/environment/loader.py

Original file line number	Diff line number	Diff line change
`@@ -44,6 +44,7 @@ class StatusChoices(models.TextChoices):`
`44`	`44`	`)`
`45`	`45`	`grpc_status_code = models.CharField(max_length=50, null=True, blank=True, db_index=True)`
`46`	`46`	`error_message = models.TextField(null=True, blank=True)`
	`47`	`+ error_details = models.JSONField(null=True, blank=True)`
`47`	`48`
`48`	`49`	`# Performance`
`49`	`50`	`duration_ms = models.IntegerField(null=True, blank=True)`