From 170231783adddb3ba974bfb98dc66116b95ee6af Mon Sep 17 00:00:00 2001 From: Manu Date: Wed, 22 May 2019 13:18:59 +0200 Subject: [PATCH 01/10] :card_file_box: Fix SQLAlchemy operation error after database restarts (#32) --- {{cookiecutter.project_slug}}/backend/app/app/db/session.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/{{cookiecutter.project_slug}}/backend/app/app/db/session.py b/{{cookiecutter.project_slug}}/backend/app/app/db/session.py index 63752d1840..e4698d551f 100644 --- a/{{cookiecutter.project_slug}}/backend/app/app/db/session.py +++ b/{{cookiecutter.project_slug}}/backend/app/app/db/session.py @@ -3,7 +3,7 @@ from app.core import config -engine = create_engine(config.SQLALCHEMY_DATABASE_URI) +engine = create_engine(config.SQLALCHEMY_DATABASE_URI, pool_pre_ping=True) db_session = scoped_session( sessionmaker(autocommit=False, autoflush=False, bind=engine) ) From 6fc9a37eb5a6c371a45727399398c3c8d5b15155 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebasti=C3=A1n=20Ram=C3=ADrez?= Date: Wed, 22 May 2019 15:21:02 +0400 Subject: [PATCH 02/10] :memo: Update release notes --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 349b82d2c2..01f2f922be 100644 --- a/README.md +++ b/README.md @@ -148,6 +148,8 @@ After using this generator, your new project (the directory created) will contai ### Next release +* Fix SQLAlchemy operation errors on database restart. PR [#32](https://github.com/tiangolo/full-stack-fastapi-postgresql/pull/32) by [@ebreton](https://github.com/ebreton). + * Fix locations of scripts in generated README. PR [#19](https://github.com/tiangolo/full-stack-fastapi-postgresql/pull/19) by [@ebreton](https://github.com/ebreton). * Forward arguments from script to `pytest` inside container. PR [#17](https://github.com/tiangolo/full-stack-fastapi-postgresql/pull/17) by [@ebreton](https://github.com/ebreton). From 1d30172e7a76e3b78d2cdcb5289a3c986aa71264 Mon Sep 17 00:00:00 2001 
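Review bot: The new `pool_pre_ping=True` argument carries no comment explaining why it is there, so the commit subject is the only record that it exists to survive database restarts (#32). A one-line comment above the `engine = create_engine(...)` line such as `# pool_pre_ping: validate each pooled connection on checkout so a restarted database yields a fresh connection instead of a stale-connection OperationalError (#32)` keeps that intent next to the code. Pre-ping only tests a connection when it is checked out of the pool; a connection that drops mid-request still raises, so the app presumably relies on `db_session.remove()` being called at the end of each request to discard it — worth confirming in the request lifecycle, which is outside this hunk.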
From: Manu Date: Wed, 22 May 2019 13:29:24 +0200 Subject: [PATCH 03/10] :card_file_box: Fix SQLAlchemy class lookup (#29) --- {{cookiecutter.project_slug}}/backend/app/app/db/init_db.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/{{cookiecutter.project_slug}}/backend/app/app/db/init_db.py b/{{cookiecutter.project_slug}}/backend/app/app/db/init_db.py index 4f1d6f5aa3..6374273132 100644 --- a/{{cookiecutter.project_slug}}/backend/app/app/db/init_db.py +++ b/{{cookiecutter.project_slug}}/backend/app/app/db/init_db.py @@ -2,6 +2,11 @@ from app.core import config from app.models.user import UserCreate +# make sure all SQL Alchemy models are imported before initializing DB +# otherwise, SQL Alchemy might fail to initialize properly relationships +# for more details: https://github.com/tiangolo/full-stack-fastapi-postgresql/issues/28 +from app.db import base + def init_db(db_session): # Tables should be created with Alembic migrations From eae33cda72ace805781a5cd9f3140c6850be2292 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebasti=C3=A1n=20Ram=C3=ADrez?= Date: Wed, 22 May 2019 15:30:51 +0400 Subject: [PATCH 04/10] :memo: Update release notes --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 01f2f922be..223f828c2a 100644 --- a/README.md +++ b/README.md @@ -148,6 +148,8 @@ After using this generator, your new project (the directory created) will contai ### Next release +* Fix SQLAlchemy class lookup on initialization. PR [#29](https://github.com/tiangolo/full-stack-fastapi-postgresql/pull/29) by [@ebreton](https://github.com/ebreton). + * Fix SQLAlchemy operation errors on database restart. PR [#32](https://github.com/tiangolo/full-stack-fastapi-postgresql/pull/32) by [@ebreton](https://github.com/ebreton). * Fix locations of scripts in generated README. PR [#19](https://github.com/tiangolo/full-stack-fastapi-postgresql/pull/19) by [@ebreton](https://github.com/ebreton). 
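Review bot: `from app.db import base` is imported purely for its side effect and is never referenced in the hunk, so flake8 (F401) or an unused-import cleaner will flag or remove it, which would presumably bring back the relationship-initialization failure the comment describes (#28); mark it `from app.db import base  # noqa: F401` and keep the explanatory comment attached to it. It is also placed after `from app.models.user import UserCreate` rather than with the other `app.db` imports, which an isort run would reorder — harmless for the side effect as long as the comment travels with the line. `init_db` starts in the hunk but its body continues outside it.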
From 546dc8bdcb362e8a0465a82f47753c9d57898882 Mon Sep 17 00:00:00 2001 From: dmontagu <35119617+dmontagu@users.noreply.github.com> Date: Tue, 28 May 2019 22:24:09 -0700 Subject: [PATCH 05/10] :lock: Update login.py to receive password as body (#33) Change `new_password` from a query parameter to a body parameter for security. (Why this is problematic is discussed in the top answer to https://stackoverflow.com/questions/2629222/are-querystring-parameters-secure-in-https-http-ssl) --- .../backend/app/app/api/api_v1/endpoints/login.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/{{cookiecutter.project_slug}}/backend/app/app/api/api_v1/endpoints/login.py b/{{cookiecutter.project_slug}}/backend/app/app/api/api_v1/endpoints/login.py index 2640f1c77e..64197ca10f 100644 --- a/{{cookiecutter.project_slug}}/backend/app/app/api/api_v1/endpoints/login.py +++ b/{{cookiecutter.project_slug}}/backend/app/app/api/api_v1/endpoints/login.py @@ -1,6 +1,6 @@ from datetime import timedelta -from fastapi import APIRouter, Depends, HTTPException +from fastapi import APIRouter, Body, Depends, HTTPException from fastapi.security import OAuth2PasswordRequestForm from sqlalchemy.orm import Session @@ -74,7 +74,7 @@ def recover_password(email: str, db: Session = Depends(get_db)): @router.post("/reset-password/", tags=["login"], response_model=Msg) -def reset_password(token: str, new_password: str, db: Session = Depends(get_db)): +def reset_password(token: str, new_password: str = Body(...), db: Session = Depends(get_db)): """ Reset password """ From de7140f1e71daa432a3ef2afd452a60b7190e45d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebasti=C3=A1n=20Ram=C3=ADrez?= Date: Wed, 29 May 2019 09:27:04 +0400 Subject: [PATCH 06/10] :memo: Update release notes --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 223f828c2a..533b024c16 100644 --- a/README.md +++ b/README.md 
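Review bot: With a single non-embedded `Body(...)` parameter, FastAPI reads `new_password` as the bare JSON body (a JSON string), not as a `{"new_password": ...}` object, and the docstring two lines below still says only `Reset password`, so API clients are not told what shape to send. Either extend the docstring to state the expected body, or use `new_password: str = Body(..., embed=True)` so the body is an object keyed by the field name, which is the shape a JSON client most likely expects. If the project has a minimum password length, a `min_length` constraint on this `Body(...)` would enforce it at the boundary. The other hunk in this file only adds the `Body` import; `reset_password`'s body continues outside the hunk.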
@@ -148,6 +148,8 @@ After using this generator, your new project (the directory created) will contai ### Next release +* Security fix `password` input as body, not query. PR [#33](https://github.com/tiangolo/full-stack-fastapi-postgresql/pull/33) by [@dmontagu](https://github.com/dmontagu). + * Fix SQLAlchemy class lookup on initialization. PR [#29](https://github.com/tiangolo/full-stack-fastapi-postgresql/pull/29) by [@ebreton](https://github.com/ebreton). * Fix SQLAlchemy operation errors on database restart. PR [#32](https://github.com/tiangolo/full-stack-fastapi-postgresql/pull/32) by [@ebreton](https://github.com/ebreton). From a612765b831fcfc319f7ebadb47ad8b9a523c547 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebasti=C3=A1n=20Ram=C3=ADrez?= Date: Wed, 29 May 2019 09:35:13 +0400 Subject: [PATCH 07/10] :memo: Update release notes, clarify text --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 533b024c16..59b169bd27 100644 --- a/README.md +++ b/README.md @@ -148,7 +148,7 @@ After using this generator, your new project (the directory created) will contai ### Next release -* Security fix `password` input as body, not query. PR [#33](https://github.com/tiangolo/full-stack-fastapi-postgresql/pull/33) by [@dmontagu](https://github.com/dmontagu). +* Fix security on resetting a password. Receive it as body, not query. PR [#33](https://github.com/tiangolo/full-stack-fastapi-postgresql/pull/33) by [@dmontagu](https://github.com/dmontagu). * Fix SQLAlchemy class lookup on initialization. PR [#29](https://github.com/tiangolo/full-stack-fastapi-postgresql/pull/29) by [@ebreton](https://github.com/ebreton). From b4fa418e659dc90d925addf4fe70ba47deda9dd4 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Sebasti=C3=A1n=20Ram=C3=ADrez?= Date: Wed, 29 May 2019 09:47:59 +0400 Subject: [PATCH 08/10] :lock: Receive token as body in reset password (#34) --- .../backend/app/app/api/api_v1/endpoints/login.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/{{cookiecutter.project_slug}}/backend/app/app/api/api_v1/endpoints/login.py b/{{cookiecutter.project_slug}}/backend/app/app/api/api_v1/endpoints/login.py index 64197ca10f..1db861be5f 100644 --- a/{{cookiecutter.project_slug}}/backend/app/app/api/api_v1/endpoints/login.py +++ b/{{cookiecutter.project_slug}}/backend/app/app/api/api_v1/endpoints/login.py @@ -74,7 +74,7 @@ def recover_password(email: str, db: Session = Depends(get_db)): @router.post("/reset-password/", tags=["login"], response_model=Msg) -def reset_password(token: str, new_password: str = Body(...), db: Session = Depends(get_db)): +def reset_password(token: str = Body(...), new_password: str = Body(...), db: Session = Depends(get_db)): """ Reset password """ From 9b4108fdaeb8000e4b634fd3242715ccaaf91427 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebasti=C3=A1n=20Ram=C3=ADrez?= Date: Wed, 29 May 2019 09:48:28 +0400 Subject: [PATCH 09/10] :memo: Update release notes --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 59b169bd27..542e40008f 100644 --- a/README.md +++ b/README.md 
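Review bot: With two `Body(...)` parameters the request body becomes a JSON object `{"token": ..., "new_password": ...}`, whereas after the previous patch the single body parameter was read as a bare JSON value, so any client already updated for that shape breaks, and the frontend that calls `/reset-password/` is not touched in this series. A small Pydantic model as the single parameter (constructed example: `ResetPassword` with `token` and `new_password` fields) would pin the body shape explicitly and publish it in the OpenAPI schema instead of leaving it implicit in the parameter list. Moving `token` out of the query string is the right call, since query strings land in access logs, browser history and `Referer` headers; the docstring should now say that both values are expected in the body. `reset_password`'s body continues outside the hunk.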
@@ -148,6 +148,8 @@ After using this generator, your new project (the directory created) will contai ### Next release +* Fix security on resetting a password. Receive token as body, not query. PR [#34](https://github.com/tiangolo/full-stack-fastapi-postgresql/pull/34). + * Fix security on resetting a password. Receive it as body, not query. PR [#33](https://github.com/tiangolo/full-stack-fastapi-postgresql/pull/33) by [@dmontagu](https://github.com/dmontagu). * Fix SQLAlchemy class lookup on initialization. PR [#29](https://github.com/tiangolo/full-stack-fastapi-postgresql/pull/29) by [@ebreton](https://github.com/ebreton). From 44d8a4358bc3f8c608bfad2d546aaeca074d2990 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebasti=C3=A1n=20Ram=C3=ADrez?= Date: Wed, 29 May 2019 09:49:17 +0400 Subject: [PATCH 10/10] :bookmark: Release version 0.4.0 --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 542e40008f..ad0cbe086f 100644 --- a/README.md +++ b/README.md @@ -148,6 +148,8 @@ After using this generator, your new project (the directory created) will contai ### Next release +### 0.4.0 + * Fix security on resetting a password. Receive token as body, not query. PR [#34](https://github.com/tiangolo/full-stack-fastapi-postgresql/pull/34). * Fix security on resetting a password. Receive it as body, not query. PR [#33](https://github.com/tiangolo/full-stack-fastapi-postgresql/pull/33) by [@dmontagu](https://github.com/dmontagu).