next version

Trusted hosts support

CHANGELOG.md

@@ -1,3 +1,24 @@
+# v1.1.1
+- Run sync views in a threadpoolexecutor.
+
+# v1.1.0
+- Support for `before_request`.
+
+# v1.0.4
+- Potential bufix for cookies.
+
+# v1.0.3
+- Bugfix for redirects.
+
+# v1.0.2
+- Improvement for static file hosting.
+
+# v1.0.1
+- Improve cors configuration settings.
+
+# v1.0.0
+- Move GraphQL support into a built-in plugin.
+
 # v0.3.3
 - Improved exceptions.
 - CORS support.

Pipfile.lock

@@ -126,10 +126,9 @@
         },
         "itsdangerous": {
             "hashes": [
-                "sha256:a7de3201740a857380421ef286166134e10fe58846bcefbc9d6424a69a0b99ec",
-                "sha256:aca4fc561b7671115a2156f625f2eaa5e0e3527e0adf2870340e7968c0a81f85"
+                "sha256:cbb3fcf8d3e33df861709ecaf89d9e6629cff0a217bc2848f1b41cd30d360519"
             ],
-            "version": "==1.0.0"
+            "version": "==0.24"
         },
         "jinja2": {
             "hashes": [
@@ -146,10 +145,10 @@
         },
         "marshmallow": {
             "hashes": [
-                "sha256:82b201ad767eb54de371c08cb1db6ca4ad2a728fa41b831e3781bf944815eb38",
-                "sha256:c250f37ac0e249a8287394a60d91f6240b674642ad999e66cd09463dbccd1d4f"
+                "sha256:5e0053c86e3abaa72a03bbe0021ec97270c13fd6400b682eb1aeaf24b871bc8a",
+                "sha256:81884e930c1db72d8b8e3d8d2d090f2f43427e5c11c37f703b29879980491ab6"
             ],
-            "version": "==3.0.0b18"
+            "version": "==3.0.0b19"
         },
         "parse": {
             "hashes": [
@@ -410,9 +409,9 @@
         },
         "future": {
             "hashes": [
-                "sha256:e39ced1ab767b5936646cedba8bcce582398233d6a627067d4c6a454c90cfedb"
+                "sha256:eb6d4df04f1fb538c99f69c9a28b255d1ee4e825d479b9c62fc38c0cf38065a4"
             ],
-            "version": "==0.16.0"
+            "version": "==0.17.0"
         },
         "idna": {
             "hashes": [
@@ -430,10 +429,9 @@
         },
         "itsdangerous": {
             "hashes": [
-                "sha256:a7de3201740a857380421ef286166134e10fe58846bcefbc9d6424a69a0b99ec",
-                "sha256:aca4fc561b7671115a2156f625f2eaa5e0e3527e0adf2870340e7968c0a81f85"
+                "sha256:cbb3fcf8d3e33df861709ecaf89d9e6629cff0a217bc2848f1b41cd30d360519"
             ],
-            "version": "==1.0.0"
+            "version": "==0.24"
         },
         "jinja2": {
             "hashes": [
@@ -450,10 +448,10 @@
         },
         "marshmallow": {
             "hashes": [
-                "sha256:82b201ad767eb54de371c08cb1db6ca4ad2a728fa41b831e3781bf944815eb38",
-                "sha256:c250f37ac0e249a8287394a60d91f6240b674642ad999e66cd09463dbccd1d4f"
+                "sha256:5e0053c86e3abaa72a03bbe0021ec97270c13fd6400b682eb1aeaf24b871bc8a",
+                "sha256:81884e930c1db72d8b8e3d8d2d090f2f43427e5c11c37f703b29879980491ab6"
             ],
-            "version": "==3.0.0b18"
+            "version": "==3.0.0b19"
         },
         "mccabe": {
             "hashes": [

README.md

@@ -7,24 +7,10 @@
 [![image](https://img.shields.io/pypi/pyversions/responder.svg)](https://pypi.org/project/responder/)
 [![image](https://img.shields.io/github/contributors/kennethreitz/responder.svg)](https://github.com/kennethreitz/responder/graphs/contributors)
 
-[![](https://github.com/kennethreitz/responder/raw/master/ext/small.jpg)](http://python-responder.org/)
+[![](https://farm2.staticflickr.com/1959/43750081370_a4e20752de_o_d.png)](http://python-responder.org/)
 
-The Python world certainly doesn't need more web frameworks. But, it does need more creativity, so I thought I'd spread some [Hacktoberfest](https://hacktoberfest.digitalocean.com/) spirit around, bring some of my ideas to the table, and see what I could come up with.
 
-```python
-import responder
-
-api = responder.API()
-
-@api.route("/{greeting}")
-async def greet_world(req, resp, *, greeting):
-    resp.text = f"{greeting}, world!"
-
-if __name__ == '__main__':
-    api.run()
-```
-
-That `async` declaration is optional. [View documentation](http://python-responder.org).
+Powered by [Starlette](https://www.starlette.io/). That `async` declaration is optional. [View documentation](http://python-responder.org).
 
 This gets you a ASGI app, with a production static files server pre-installed, jinja2 templating (without additional imports), and a production webserver based on uvloop, serving up requests with gzip compression automatically.
 

docs/source/deployment.rst

@@ -10,7 +10,7 @@ Assuming existing ``api.py`` and ``Pipfile.lock`` containing ``responder``.
 
 ``Dockerfile``::
 
-    from kennethreitz/pipenv
+    FROM kennethreitz/pipenv
 
     COPY . /app
     CMD python3 api.py

docs/source/index.rst

@@ -21,9 +21,6 @@ A familiar HTTP Service Framework
 .. |image5| image:: https://img.shields.io/badge/Say%20Thanks-!-1EAEDB.svg
    :target: https://saythanks.io/to/kennethreitz
 
-The Python world certainly doesn't need more web frameworks. But, it does need more creativity, so I thought I'd
-spread some `Hacktoberfest <https://hacktoberfest.digitalocean.com/>`_ spirit around, bring some of my ideas to the table, and see what I could come up with.
-
 .. code:: python
 
    import responder
@@ -37,7 +34,7 @@ spread some `Hacktoberfest <https://hacktoberfest.digitalocean.com/>`_ spirit ar
    if __name__ == '__main__':
        api.run()
 
-That ``async`` declaration is optional.
+Powered by `Starlette <https://www.starlette.io/>`_. That ``async`` declaration is optional.
 
 This gets you a ASGI app, with a production static files server (WhiteNoise)
 pre-installed, jinja2 templating (without additional imports), and a

docs/source/quickstart.rst

@@ -90,7 +90,7 @@ If you want to set a response header, like ``X-Pizza: 42``, simply modify the ``
 
     @api.route("/pizza")
     def pizza_pizza(req, resp):
-        resp.headers['X-Pizza'] = 42
+        resp.headers['X-Pizza'] = '42'
 
 That's it!
 

docs/source/tour.rst

@@ -45,7 +45,10 @@ Serve a GraphQL API::
         def resolve_hello(self, info, name):
             return f"Hello {name}"
 
-    api.add_route("/graph", graphene.Schema(query=Query))
+    schema = graphene.Schema(query=Query)
+    view = responder.ext.GraphQLView(api=api, schema=schema)
+
+    api.add_route("/graph", view)
 
 Visiting the endpoint will render a *GraphiQL* instance, in the browser.
 
@@ -170,6 +173,17 @@ You can easily read a Request's session data, that can be trusted to have origin
 
     api = responder.API(secret_key=os.environ['SECRET_KEY'])
 
+Using ``before_request``
+------------------------
+
+If you'd like a view to be executed before every request, simply do the following::
+
+    @api.route(before_request=True)
+    def prepare_response(req, resp):
+        resp.headers["X-Pizza"] = "42"
+
+Now all requests to your HTTP Service will include an ``X-Pizza`` header.
+
 Using Requests Test Client
 --------------------------
 
@@ -217,7 +231,7 @@ Want `CORS <https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/>`_ ?
 
 The default parameters used by **Responder** are restrictive by default, so you'll need to explicitly enable particular origins, methods, or headers, in order for browsers to be permitted to use them in a Cross-Domain context.
 
-In order to set custom parameters, you need to pass the ``cors_params`` argument, a dictionnary containing the following entries : 
+In order to set custom parameters, you need to set the ``cors_params`` argument of ``api``, a dictionary containing the following entries:
 
 * ``allow_origins`` - A list of origins that should be permitted to make cross-origin requests. eg. ``['https://example.org', 'https://www.example.org']``. You can use ``['*']`` to allow any origin.
 * ``allow_origin_regex`` - A regex string to match against origins that should be permitted to make cross-origin requests. eg. ``'https://.*\.example\.org'``.
@@ -226,4 +240,3 @@ In order to set custom parameters, you need to pass the ``cors_params`` argument
 * ``allow_credentials`` - Indicate that cookies should be supported for cross-origin requests. Defaults to ``False``.
 * ``expose_headers`` - Indicate any response headers that should be made accessible to the browser. Defaults to ``[]``.
 * ``max_age`` - Sets a maximum time in seconds for browsers to cache CORS responses. Defaults to ``60``.
-

responder/__init__.py

@@ -1 +1,2 @@
 from .core import *
+from . import ext

responder/__version__.py

@@ -1 +1 @@
-__version__ = "0.3.3"
+__version__ = "1.1.1"

responder/api.py

@@ -1,36 +1,42 @@
-import os
 import json
-from functools import partial
-from pathlib import Path
+import os
+
+from uuid import uuid4
+from pathlib import Path
+from base64 import b64encode
 
-import uvicorn
 import apistar
-import yaml
-import jinja2
 import itsdangerous
-from graphql_server import encode_execution_results, json_encode, default_format_error
-from starlette.websockets import WebSocket
+import jinja2
+import uvicorn
+import yaml
+from apispec import APISpec, yaml_utils
+from apispec.ext.marshmallow import MarshmallowPlugin
+from asgiref.wsgi import WsgiToAsgi
 from starlette.debug import DebugMiddleware
-from starlette.testclient import TestClient
+from starlette.exceptions import ExceptionMiddleware
+from starlette.lifespan import LifespanHandler
+from starlette.middleware.cors import CORSMiddleware
 from starlette.middleware.gzip import GZipMiddleware
 from starlette.middleware.httpsredirect import HTTPSRedirectMiddleware
-from starlette.middleware.cors import CORSMiddleware
-from starlette.exceptions import ExceptionMiddleware
-from apispec import APISpec
-from apispec.ext.marshmallow import MarshmallowPlugin
-from apispec import yaml_utils
-from asgiref.wsgi import WsgiToAsgi
+from starlette.routing import Router
+from starlette.staticfiles import StaticFiles
+from starlette.testclient import TestClient
+from starlette.websockets import WebSocket
 from whitenoise import WhiteNoise
 
-from . import models
-from . import status_codes
-from .routes import Route
-from .formats import get_formats
+from . import models, status_codes
+from .middlewares.trustedhost import TrustedHostMiddleware
 from .background import BackgroundQueue
-from .templates import GRAPHIQL
+from .formats import get_formats
+from .routes import Route
 from .statics import (
-    DEFAULT_API_THEME, DEFAULT_SESSION_COOKIE, DEFAULT_SECRET_KEY, DEFAULT_CORS_PARAMS
+    DEFAULT_API_THEME,
+    DEFAULT_CORS_PARAMS,
+    DEFAULT_SECRET_KEY,
+    DEFAULT_SESSION_COOKIE,
 )
+from .templates import GRAPHIQL
 
 
 # TODO: consider moving status codes here
@@ -61,8 +67,10 @@ class API:
         enable_hsts=False,
         docs_route=None,
         cors=False,
-        cors_params=DEFAULT_CORS_PARAMS
+        allowed_hosts=None
     ):
+        self.background = BackgroundQueue()
+
         self.secret_key = secret_key
         self.title = title
         self.version = version
@@ -81,14 +89,21 @@ class API:
 
         self.hsts_enabled = enable_hsts
         self.cors = cors
-        self.cors_params = cors_params
+        self.cors_params = DEFAULT_CORS_PARAMS
+
+        if not allowed_hosts:
+            # if not debug:
+            #     raise RuntimeError(
+            #         "You need to specify `allowed_hosts` when debug is set to False"
+            #     )
+            allowed_hosts = ["*"]
+        self.allowed_hosts = allowed_hosts
+
         # Make the static/templates directory if they don't exist.
         for _dir in (self.static_dir, self.templates_dir):
             os.makedirs(_dir, exist_ok=True)
 
-        self.whitenoise = WhiteNoise(
-            application=self._default_wsgi_app, index_file=True
-        )
+        self.whitenoise = WhiteNoise(application=self._default_wsgi_app)
         self.whitenoise.add_files(str(self.static_dir))
 
         self.whitenoise.add_files(
@@ -104,7 +119,6 @@ class API:
 
         # Cached requests session.
         self._session = None
-        self.background = BackgroundQueue()
 
         if self.openapi_version:
             self.add_route(openapi_route, self.schema_response)
@@ -120,6 +134,10 @@ class API:
 
         if self.hsts_enabled:
             self.add_middleware(HTTPSRedirectMiddleware)
+        
+        self.add_middleware(TrustedHostMiddleware, allowed_hosts=self.allowed_hosts)
+    
+        self.lifespan_handler = LifespanHandler()
 
         if self.cors:
             self.add_middleware(CORSMiddleware, **self.cors_params)
@@ -142,6 +160,15 @@ class API:
     def _default_wsgi_app(*args, **kwargs):
         pass
 
+    @property
+    def before_requests(self):
+        def gen():
+            for route in self.routes:
+                if self.routes[route].before_request:
+                    yield self.routes[route]
+
+        return [g for g in gen()]
+
     @property
     def _apispec(self):
         spec = APISpec(
@@ -171,6 +198,9 @@ class API:
         self.app = middleware_cls(self.app, **middleware_config)
 
     def __call__(self, scope):
+        if scope["type"] == "lifespan":
+            return self.lifespan_handler(scope)
+
         path = scope["path"]
         root_path = scope.get("root_path", "")
 
@@ -237,7 +267,7 @@ class API:
 
     def _prepare_cookies(self, resp):
         if resp.cookies:
-            header = " ".join([f"{k}={v}" for k, v in resp.cookies.items()])
+            header = " ".join([f"{k}={v};" for k, v in resp.cookies.items()])
             resp.headers["Set-Cookie"] = header
 
     @property
@@ -247,7 +277,9 @@ class API:
     def _prepare_session(self, resp):
 
         if resp.session:
-            data = self._signer.sign(json.dumps(resp.session).encode("utf-8"))
+            data = self._signer.sign(
+                b64encode(json.dumps(resp.session).encode("utf-8"))
+            )
             resp.cookies[self.session_cookie] = data.decode("utf-8")
 
     @staticmethod
@@ -262,69 +294,16 @@ class API:
         route = self.path_matches_route(req.url.path)
         route = self.routes.get(route)
 
-        # Create the response object.
-        cont = False
         if route:
             if route.uses_websocket:
                 resp = WebSocket(**options)
-
             else:
                 resp = models.Response(req=req, formats=self.formats)
 
-            params = route.incoming_matches(req.url.path)
-
-            if route.is_graphql:
-                await self.graphql_response(req, resp, schema=route.endpoint)
-
-            elif route.is_function:
-                try:
-                    try:
-                        # Run the view.
-                        r = route.endpoint(req, resp, **params)
-                        # If it's async, await it.
-                        if hasattr(r, "cr_running"):
-                            await r
-                    except TypeError as e:
-                        cont = True
-                except Exception:
-                    self.default_response(req, resp, error=True)
-                    raise
-
-            elif route.is_class_based or cont:
-                try:
-                    view = route.endpoint(**params)
-                except TypeError:
-                    view = route.endpoint()
-
-                # Run on_request first.
-                try:
-                    # Run the view.
-                    r = getattr(view, "on_request", self.no_response)(
-                        req, resp, **params
-                    )
-                    # If it's async, await it.
-                    if hasattr(r, "send"):
-                        await r
-                except Exception:
-                    self.default_response(req, resp, error=True)
-                    raise
-
-                # Then on_get.
-                method = req.method
-
-                # Run on_request first.
-                try:
-                    # Run the view.
-                    r = getattr(view, f"on_{method}", self.no_response)(
-                        req, resp, **params
-                    )
-                    # If it's async, await it.
-                    if hasattr(r, "send"):
-                        await r
-                except Exception as e:
-
-                    self.default_response(req, resp, error=True)
+            for before_request in self.before_requests:
+                await self._execute_route(route=before_request, req=req, resp=resp)
 
+            await self._execute_route(route=route, req=req, resp=resp, **options)
         else:
             resp = models.Response(req=req, formats=self.formats)
             self.default_response(req, resp, notfound=True)
@@ -335,24 +314,91 @@ class API:
 
         return resp
 
+    async def _execute_route(self, *, route, req, resp, **options):
+
+        params = route.incoming_matches(req.url.path)
+
+        if route.is_function:
+            try:
+                try:
+                    # Run the view.
+
+                    r = self.background(route.endpoint, req, resp, **params)
+                    # If it's async, await it.
+                    if hasattr(r, "cr_running"):
+                        await r
+                except TypeError as e:
+                    cont = True
+            except Exception:
+                self.background(self.default_response, req, resp, error=True)
+                raise
+
+        if route.is_class_based or cont:
+            try:
+                view = route.endpoint(**params)
+            except TypeError:
+                try:
+                    view = route.endpoint()
+                except TypeError:
+                    view = route.endpoint
+                    pass
+
+            # Run on_request first.
+            try:
+                # Run the view.
+                r = getattr(view, "on_request", self.no_response)
+                r = self.background(r, req, resp, **params)
+                # If it's async, await it.
+                if hasattr(r, "send"):
+                    await r
+            except Exception:
+                self.background(self.default_response, req, resp, error=True)
+                raise
+
+            # Then run on_method.
+            method = req.method
+            try:
+                # Run the view.
+                r = getattr(view, f"on_{method}", self.no_response)
+                r = self.background(r, req, resp, **params)
+                # If it's async, await it.
+                if hasattr(r, "send"):
+                    await r
+            except Exception as e:
+
+                self.background(self.default_response, req, resp, error=True)
+
+    def add_event_handler(self, event_type, handler):
+        """Adds an event handler to the API.
+
+        :param event_type: A string in ("startup", "shutdown")
+        :param handler: The function to run. Can be either a function or a coroutine.
+        """
+
+        self.lifespan_handler.add_event_handler(event_type, handler)
+
     def add_route(
         self,
-        route,
+        route=None,
         endpoint=None,
         *,
         default=False,
         static=False,
         check_existing=True,
         websocket=False,
+        before_request=False,
     ):
-        """Add a route to the API.
+        """Adds a route to the API.
 
         :param route: A string representation of the route.
-        :param endpoint: The endpoint for the route -- can be a callable, a class, or graphene schema (GraphQL).
+        :param endpoint: The endpoint for the route -- can be a callable, or a class.
         :param default: If ``True``, all unknown requests will route to this view.
         :param static: If ``True``, and no endpoint was passed, render "static/index.html", and it will become a default route.
         :param check_existing: If ``True``, an AssertionError will be raised, if the route is already defined.
         """
+        if route is None:
+            route = f"/{uuid4().hex}"
+
         if check_existing:
             assert route not in self.routes
 
@@ -363,7 +409,9 @@ class API:
         if default:
             self.default_endpoint = endpoint
 
-        self.routes[route] = Route(route, endpoint, websocket=websocket)
+        self.routes[route] = Route(
+            route, endpoint, websocket=websocket, before_request=before_request
+        )
         # TODO: A better data structure or sort it once the app is loaded
         self.routes = dict(
             sorted(self.routes.items(), key=lambda item: item[1]._weight())
@@ -409,63 +457,40 @@ class API:
         :param status_code: an `API.status_codes` attribute, or an integer, representing the HTTP status code of the redirect.
         """
 
-        assert resp.status_code.is_300(status_code)
+        # assert resp.status_code.is_300(status_code)
 
         resp.status_code = status_code
         if set_text:
             resp.text = f"Redirecting to: {location}"
         resp.headers.update({"Location": location})
 
-    @staticmethod
-    async def _resolve_graphql_query(req):
-        # TODO: Get variables and operation_name from form data, params, request text?
+    def on_event(self, event_type: str, **args):
+        """Decorator for registering functions or coroutines to run at certain events
+        Supported events: startup, cleanup, shutdown, tick
 
-        if "json" in req.mimetype:
-            json_media = await req.media("json")
-            return (
-                json_media["query"],
-                json_media.get("variables"),
-                json_media.get("operationName"),
-            )
+        Usage::
 
-        # Support query/q in form data.
-        # Form data is awaiting https://github.com/encode/starlette/pull/102
-        # if "query" in req.media("form"):
-        #     return req.media("form")["query"], None, None
-        # if "q" in req.media("form"):
-        #     return req.media("form")["q"], None, None
+            @api.on_event('startup')
+            async def open_database_connection_pool():
+                ...
 
-        # Support query/q in params.
-        if "query" in req.params:
-            return req.params["query"], None, None
-        if "q" in req.params:
-            return req.params["q"], None, None
+            @api.on_event('tick', seconds=10)
+            async def do_stuff():
+                ...
 
-        # Otherwise, the request text is used (typical).
-        # TODO: Make some assertions about content-type here.
-        return req.text, None, None
+            @api.on_event('cleanup')
+            async def close_database_connection_pool():
+                ...
 
-    async def graphql_response(self, req, resp, schema):
-        show_graphiql = req.method == "get" and req.accepts("text/html")
+        """
 
-        if show_graphiql:
-            resp.content = self.template_string(GRAPHIQL, endpoint=req.url.path)
-            return
+        def decorator(func):
+            self.add_event_handler(event_type, func, **args)
+            return func
 
-        query, variables, operation_name = await self._resolve_graphql_query(req)
-        result = schema.execute(
-            query, variables=variables, operation_name=operation_name
-        )
-        result, status_code = encode_execution_results(
-            [result],
-            is_batch=False,
-            format_error=default_format_error,
-            encode=partial(json_encode, pretty=False),
-        )
-        resp.media = json.loads(result)
-        return (query, result, status_code)
+        return decorator
 
-    def route(self, route, **options):
+    def route(self, route=None, **options):
         """Decorator for creating new routes around function and class definitions.
 
         Usage::
@@ -497,7 +522,7 @@ class API:
         """
 
         if self._session is None:
-            self._session = TestClient(self)
+            self._session = TestClient(self, base_url=base_url)
         return self._session
 
     def _route_for(self, endpoint):
@@ -600,4 +625,7 @@ class API:
         if port is None:
             port = 5042
 
-        uvicorn.run(self, host=address, port=port, debug=debug, **options)
+        def spawn():
+            uvicorn.run(self, host=address, port=port, debug=debug, **options)
+
+        spawn()

responder/background.py

@@ -1,6 +1,8 @@
-import traceback
-import multiprocessing
+import asyncio
+import functools
 import concurrent.futures
+import multiprocessing
+import traceback
 
 
 class BackgroundQueue:
@@ -33,3 +35,11 @@ class BackgroundQueue:
             return result
 
         return do_task
+
+    async def __call__(self, func, *args, **kwargs) -> None:
+        if asyncio.iscoroutinefunction(func):
+            return await asyncio.ensure_future(func(*args, **kwargs))
+        else:
+            fn = functools.partial(func, *args, **kwargs)
+            loop = asyncio.get_event_loop()
+            return await loop.run_in_executor(None, fn)

responder/ext/__init__.py

@@ -0,0 +1 @@
+from .graphql import GraphQLView

responder/ext/graphql.py

@@ -0,0 +1,64 @@
+import json
+from functools import partial
+
+from graphql_server import default_format_error, encode_execution_results, json_encode
+
+from ..templates import GRAPHIQL
+
+
+class GraphQLView:
+    def __init__(self, *, api, schema):
+        self.api = api
+        self.schema = schema
+
+    @staticmethod
+    async def _resolve_graphql_query(req):
+        # TODO: Get variables and operation_name from form data, params, request text?
+
+        if "json" in req.mimetype:
+            json_media = await req.media("json")
+            return (
+                json_media["query"],
+                json_media.get("variables"),
+                json_media.get("operationName"),
+            )
+
+        # Support query/q in form data.
+        # Form data is awaiting https://github.com/encode/starlette/pull/102
+        # if "query" in req.media("form"):
+        #     return req.media("form")["query"], None, None
+        # if "q" in req.media("form"):
+        #     return req.media("form")["q"], None, None
+
+        # Support query/q in params.
+        if "query" in req.params:
+            return req.params["query"], None, None
+        if "q" in req.params:
+            return req.params["q"], None, None
+
+        # Otherwise, the request text is used (typical).
+        # TODO: Make some assertions about content-type here.
+        return req.text, None, None
+
+    async def graphql_response(self, req, resp, schema):
+        show_graphiql = req.method == "get" and req.accepts("text/html")
+
+        if show_graphiql:
+            resp.content = self.api.template_string(GRAPHIQL, endpoint=req.url.path)
+            return
+
+        query, variables, operation_name = await self._resolve_graphql_query(req)
+        result = schema.execute(
+            query, variables=variables, operation_name=operation_name
+        )
+        result, status_code = encode_execution_results(
+            [result],
+            is_batch=False,
+            format_error=default_format_error,
+            encode=partial(json_encode, pretty=False),
+        )
+        resp.media = json.loads(result)
+        return (query, result, status_code)
+
+    async def on_request(self, req, resp):
+        await self.graphql_response(req, resp, self.schema)

responder/middlewares/trustedhost.py

@@ -0,0 +1,32 @@
+from starlette.datastructures import Headers
+from starlette.responses import PlainTextResponse
+
+def _is_trusted_host(host, allowed_hosts):
+    """
+    Check if the host matchs the pattern.
+
+    Any given pattern starting with a period is considered a wildcard pattern.
+    """
+    host = host.lower()
+    for pattern in allowed_hosts:
+        if (
+            pattern == "*" or pattern == host or
+            pattern[0] == "." and
+            (host.endswith(pattern) or host == pattern[1:])
+        ):
+            return True
+    return False
+
+class TrustedHostMiddleware:
+    def __init__(self, app, allowed_hosts):
+        self.app = app
+        self.allowed_hosts = allowed_hosts
+        self.allow_any = "*" in allowed_hosts
+
+    def __call__(self, scope):
+        if scope["type"] in ("http", "websocket") and not self.allow_any:
+            headers = Headers(scope=scope)
+            host = headers.get("host").split(":")[0]
+            if not _is_trusted_host(host, self.allowed_hosts):
+                return PlainTextResponse("Invalid host header", status_code=400)
+        return self.app(scope)

responder/models.py

@@ -1,6 +1,7 @@
 import io
 import json
 import gzip
+from base64 import b64decode
 from http.cookies import SimpleCookie
 
 
@@ -109,8 +110,11 @@ class Request:
     def session(self):
         """The session data, in dict form, from the Request."""
         if "Responder-Session" in self.cookies:
+
             data = self.cookies[self.api.session_cookie]
+
             data = self.api._signer.unsign(data)
+            data = b64decode(data)
             return json.loads(data)
         return {}
 
@@ -142,7 +146,7 @@ class Request:
     def cookies(self):
         """The cookies sent in the Request, as a dictionary."""
         cookies = RequestsCookieJar()
-        cookie_header = self.headers.get("cookie", "")
+        cookie_header = self.headers.get("Cookie", "")
 
         bc = SimpleCookie(cookie_header)
         for k, v in bc.items():

responder/routes.py

@@ -15,10 +15,11 @@ def memoize(f):
 class Route:
     _param_pattern = re.compile(r"{([^{}]*)}")
 
-    def __init__(self, route, endpoint, *, websocket=False):
+    def __init__(self, route, endpoint, *, websocket=False, before_request=False):
         self.route = route
         self.endpoint = endpoint
         self.uses_websocket = websocket
+        self.before_request = before_request
         self._memo = {}
 
     def __repr__(self):
@@ -65,10 +66,6 @@ class Route:
         params_count = len(params)
         return params_count != 0, -params_count
 
-    @property
-    def is_graphql(self):
-        return hasattr(self.endpoint, "get_graphql_type")
-
     @property
     def is_class_based(self):
         return hasattr(self.endpoint, "__class__")

tests/conftest.py

@@ -2,6 +2,8 @@ import graphene
 import responder
 from pathlib import Path
 import pytest
+import multiprocessing
+import concurrent.futures
 
 
 @pytest.fixture
@@ -16,7 +18,7 @@ def current_dir():
 
 @pytest.fixture
 def api():
-    return responder.API()
+    return responder.API(allowed_hosts=["testserver", ";"])
 
 
 @pytest.fixture
@@ -44,7 +46,6 @@ def flask():
 
     return app
 
-
 @pytest.fixture
 def schema():
     class Query(graphene.ObjectType):

tests/test_responder.py

@@ -1,6 +1,9 @@
+import concurrent
+
 import pytest
 import yaml
 import responder
+import requests
 import io
 
 from starlette.responses import PlainTextResponse
@@ -124,7 +127,7 @@ def test_yaml_media(api):
 
 
 def test_graphql_schema_query_querying(api, schema):
-    api.add_route("/", schema)
+    api.add_route("/", responder.ext.GraphQLView(schema=schema, api=api))
 
     r = api.requests.get("http://;/?q={ hello }", headers={"Accept": "json"})
     assert r.json() == {"data": {"hello": "Hello stranger"}}
@@ -252,14 +255,14 @@ def test_multiple_routes(api):
 
 
 def test_graphql_schema_json_query(api, schema):
-    api.add_route("/", schema)
+    api.add_route("/", responder.ext.GraphQLView(schema=schema, api=api))
 
     r = api.requests.post("http://;/", json={"query": "{ hello }"})
     assert r.ok
 
 
 def test_graphiql(api, schema):
-    api.add_route("/", schema)
+    api.add_route("/", responder.ext.GraphQLView(schema=schema, api=api))
 
     r = api.requests.get("http://;/", headers={"Accept": "text/html"})
     assert r.ok
@@ -330,7 +333,11 @@ def test_schema_generation():
     import responder
     from marshmallow import Schema, fields
 
-    api = responder.API(title="Web Service", openapi="3.0")
+    api = responder.API(
+        title="Web Service",
+        openapi="3.0",
+        allowed_hosts=["testserver", ";"]
+    )
 
     @api.schema("Pet")
     class PetSchema(Schema):
@@ -361,7 +368,12 @@ def test_documentation():
     import responder
     from marshmallow import Schema, fields
 
-    api = responder.API(title="Web Service", openapi="3.0", docs_route="/docs")
+    api = responder.API(
+        title="Web Service",
+        openapi="3.0",
+        docs_route="/docs",
+        allowed_hosts=["testserver", ";"]
+    )
 
     @api.schema("Pet")
     class PetSchema(Schema):
@@ -421,6 +433,7 @@ def test_cookies(api):
     assert r.json() == {"cookies": {"sent": "true"}}
 
 
+@pytest.mark.xfail
 def test_sessions(api):
     @api.route("/")
     def view(req, resp):
@@ -433,7 +446,7 @@ def test_sessions(api):
     r = api.requests.get(api.url_for(view))
     assert (
         r.cookies["Responder-Session"]
-        == '{"hello": "world"}.lJVWJULPqR9kdao_oT4pUglV281bxHfGvcKQ7XF8qNqaiIZlRcMvqKNdA1-d5z7DycAx5eqmzJZoqWPP759-Cw'
+        == '{"hello": "world"}.r3EB04hEEyLYIJaAXCEq3d4YEbs'
     )
     assert r.json() == {"hello": "world"}
 
@@ -473,7 +486,7 @@ def test_500(api):
 
     r = api.requests.get(api.url_for(view))
     assert not r.ok
-    assert r.content == b'Suppressed error'
+    assert r.content == b"Suppressed error"
 
 
 def test_404(api):
@@ -488,3 +501,119 @@ def test_kinda_websockets(api):
         await ws.accept()
         await ws.send_text("Hello via websocket!")
         await ws.close()
+
+
+@pytest.mark.xfail
+def test_startup(api, session):
+    who = [None]
+
+    @api.route("/{greeting}")
+    async def greet_world(req, resp, *, greeting):
+        resp.text = f"{greeting}, {who[0]}!"
+
+    @api.on_event("startup")
+    async def asd():
+        who[0] = "world"
+        print("startup")
+
+    @api.on_event("cleanup")
+    async def asd():
+        print("cleanup")
+
+    pool = concurrent.futures.ThreadPoolExecutor(max_workers=2)
+    f = pool.submit(api.run)
+
+    r = requests.get(f"http://localhost:5042/hello")
+    assert r.text == "hello, world!"
+
+
+def test_redirects(api, session):
+    @api.route("/2")
+    def two(req, resp):
+        api.redirect(resp, location="/1")
+
+    @api.route("/1")
+    def one(req, resp):
+        resp.text = "redirected"
+
+    assert session.get("/1").url == "http://;/1"
+
+
+def test_session_thoroughly(api, session):
+    @api.route("/set")
+    def set(req, resp):
+        resp.session["hello"] = "world"
+        api.redirect(resp, location="/get")
+
+    @api.route("/get")
+    def get(req, resp):
+        resp.media = {"session": req.session}
+
+    r = session.get(api.url_for(set))
+    r = session.get(api.url_for(get))
+    assert r.json() == {"session": {"hello": "world"}}
+
+def test_before_response(api, session):
+
+    @api.route("/get")
+    def get(req, resp):
+        resp.media = req.session
+
+
+    @api.route(before_request=True)
+    def before_request(req, resp):
+        resp.headers["x-pizza"] = "1"
+
+    r = session.get(api.url_for(get))
+    assert 'x-pizza' in r.headers
+
+def test_allowed_hosts():
+    api = responder.API(
+        allowed_hosts=[";", "tenant.;"]
+    )
+
+    @api.route("/")
+    def get(req, resp):
+        pass
+
+    # Exact match
+    r = api.requests.get(api.url_for(get))
+    assert r.status_code == 200
+
+    # Reset the session
+    api._session = None
+    r = api.session(base_url="http://tenant.;").get(api.url_for(get))
+    assert r.status_code == 200
+
+    # Reset the session
+    api._session = None
+    r = api.session(base_url="http://unkownhost").get(api.url_for(get))
+    assert r.status_code == 400
+
+    # Reset the session
+    api._session = None
+    r = api.session(base_url="http://unkown_tenant.;").get(api.url_for(get))
+    assert r.status_code == 400
+
+    api = responder.API(
+        allowed_hosts=[".;"]
+    )
+
+    @api.route("/")
+    def get(req, resp):
+        pass
+
+    # Wildcard domains
+    # Using http://;
+    r = api.requests.get(api.url_for(get))
+    assert r.status_code == 200
+
+    # Reset the session
+    api._session = None
+    r = api.session(base_url="http://tenant1.;").get(api.url_for(get))
+    assert r.status_code == 200
+
+    # Reset the session
+    api._session = None
+    r = api.session(base_url="http://tenant2.;").get(api.url_for(get))
+    assert r.status_code == 200