Harden production errors docs and request framing #180

Open: justrach wants to merge 1 commit into release/openapi-176 from release/prod-hardening-openapi

@justrach

Owner

Summary

  • Add production-safe unexpected 500 redaction with TurboAPI(debug=True) detail mode
  • Register /openapi.json, /docs, and /redoc in the native Zig server path
  • Constrain pytest discovery to tests/ so vendored/auth-dependent tools are not collected by default
  • Add strict Zig HTTP framing parsing for Content-Length / Transfer-Encoding edge cases
  • Fix response normalization fallback for non-JSON byte responses under msgspec-backed JSON loading
  • Update stale tests for redacted 500s and current release version guard

Validation

  • python -m py_compile python/turboapi/request_handler.py python/turboapi/main_app.py python/turboapi/zig_integration.py tests/test_error_redaction.py tests/test_native_docs_registration.py
  • pytest tests/test_error_redaction.py tests/test_native_docs_registration.py tests/test_fastapi_parity.py::TestOpenAPI -q
  • pytest tests/test_binary_responses.py::TestBinaryResponseNormalization::test_text_response_not_affected tests/test_issue_fixes.py::TestResponseSerialization tests/test_issue_fixes.py::TestResponseSerializationIntegration::test_response_object_returned_correctly tests/test_error_redaction.py tests/test_native_docs_registration.py -q
  • pytest -q
  • zig fmt --check zig/src/server.zig
  • zig test zig/src/server.zig --test-filter framing
  • git diff --check

Full pytest now collects repo tests only and passed: 400 passed, 23 warnings.

Note: full unfiltered zig test still has an unrelated pre-existing compile issue in the response-cache test expecting a string from getCachedResponse(), so this PR validates the new framing parser with --test-filter framing and the commit hook Zig build.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 10e2a72c34

except ImportError:
pass
return (500, "application/json", _dumps({"error": str(e)}))
return (500, "application/json", _dumps(_internal_error_body(e, debug=debug)))
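
Review bot: The replacement return on the last line of this hunk hands the client the body from _internal_error_body(e, debug=debug), but nothing in the visible lines records e on the server side. Once debug=False hides str(e) from the response, the exception should be logged before returning, ideally with an identifier that is also placed in the redacted body, so a production 500 can still be matched to its cause. It would also help to state in the docstring that debug must default to False wherever this path is reached.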

P1: Redact errors from the eager async runner

For body_async_eager routes, fast_handler_eager calls run_coroutine_response_eager(), which catches exceptions raised inside the coroutine and formats them through async_pool._exception_response_tuple as {"error": str(exc)}; this redacted fallback only runs for setup/parsing errors outside the coroutine. A no-await async POST handler that raises RuntimeError("secret-token") will still return the secret in production despite debug=False.

Useful? React with 👍 / 👎.
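
The gap raised in this review comment, as an added example that is not TurboAPI's code: an exception raised inside an eagerly driven coroutine has to pass through the same redaction funnel as setup and parsing errors. The names `error_response`, `run_eager`, `failing_handler` and `ok_handler` are hypothetical, and the `error_id` field is an assumption about what a redacted body might carry.

```python
import json
import logging
import uuid

log = logging.getLogger("redaction_example")


def error_response(exc, *, debug):
    """Single funnel for every 500: detail goes to the log, not to the client."""
    error_id = uuid.uuid4().hex
    log.error("unhandled error id=%s", error_id, exc_info=exc)
    body = {"error": "Internal Server Error", "error_id": error_id}
    if debug:  # development only: echo the exception back
        body["detail"] = f"{type(exc).__name__}: {exc}"
    return (500, "application/json", json.dumps(body))


def run_eager(coro, *, debug):
    """Drive a coroutine that completes without suspending.

    Exceptions raised inside the coroutine surface here, so this except
    clause must use the same funnel as the setup/parsing path.
    """
    try:
        coro.send(None)
    except StopIteration as done:
        return (200, "application/json", json.dumps(done.value))
    except Exception as exc:
        return error_response(exc, debug=debug)  # not {"error": str(exc)}
    coro.close()  # handler suspended: treated as a failure here
    return error_response(RuntimeError("handler suspended"), debug=debug)


# Constructed sample handlers.
async def failing_handler():
    raise RuntimeError("secret-token")


async def ok_handler():
    return {"ok": True}


if __name__ == "__main__":
    print(run_eager(failing_handler(), debug=False)[2])
    print(run_eager(failing_handler(), debug=True)[2])
```

A regression test for the real code base would make the same assertion against each runner that can catch a handler exception, with `debug=False`.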

self.docs_url,
200,
"text/html",
get_swagger_ui_html(self.title, self.openapi_url or "/openapi.json"),
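
Review bot: In the get_swagger_ui_html(self.title, self.openapi_url or "/openapi.json") call, both arguments end up inside a text/html body, so please confirm the helper escapes them before interpolation, or add a test that registers an app whose title contains markup characters such as < and " and asserts the served page contains them only in escaped form. Because the rendered HTML is registered here as a fixed 200 response, anything left unescaped would be served to every visitor of the docs URL.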

P2: Guard docs registration on an OpenAPI URL

When an app disables schema serving with openapi_url=None but leaves docs_url enabled or custom, this registers the native docs page pointing at the hard-coded /openapi.json; the guard above skips registering that schema route, so the UI fetches a missing spec. Gate docs/ReDoc registration on self.openapi_url instead of falling back to an unregistered path.

Useful? React with 👍 / 👎.
