Fix an import from pynacl - it's an optional dependency.
Fixed optional requirements for MFA - thanks to @sinisaos for reporting this issue.
Added support for Multi Factor Authentication, using an authenticator app.
This will soon be implemented in Piccolo Admin.
Huge thanks to @Skelmis and @sinisaos for their help with this.
Fix for a breaking change in Pydantic 2.8.0.
Upgraded setuptools.
Added excluded_paths argument to SessionsAuthBackend.
Fixed typo in CSPMiddleware (thanks to @Skelmis for fixing this).
default-src can now be set in CSPMiddleware.
Fixed bugs with filtering Email and multi-dimensional Array columns.
Fixed bugs with bulk updating the BaseUser table.
Thanks to @jrycw and @sinisaos for their help with this.
Added Python 3.12 support.
Added ne (not equals) operator to PiccoloCRUD.
Works with Piccolo v1, Piccolo Admin v1, and Pydantic v2.
Using the new json_schema_extra argument for create_pydantic_model.
Fixed a bug with extracting the type from an optional type. Thanks to @sinisaos for discovering this issue.
Pydantic v2 support - many thanks to @sinisaos for this.
Upgraded the version of Swagger UI used in the swagger_ui endpoint (see
piccolo_api.openapi.endpoints.swagger_ui). Thanks to @sinisaos for this.
PiccoloCRUD now handles foreign key violation errors gracefully.
For example, if we have tables like this:
class Director(Table):
name = Varchar()
class Movie(Table):
name = Varchar()
director = ForeignKey(Director, on_delete=OnDelete.restrict)The ON DELETE RESTRICT constraint means we're not allowed to delete a
director if a movie has a foreign key to it.
We now get a 422 error response, with an error message which we can display
in Piccolo Admin.
Support for Python 3.7 has also been dropped, as it's end of life.
Version pinning Pydantic to v1, as v2 has breaking changes.
We will add support for Pydantic v2 in a future release.
Thanks to @sinisaos for helping with this.
Added the excluded_paths argument to TokenAuthBackend. This means you
can wrap an entire ASGI application in this middleware, and exclude certain
paths, such as the Swagger docs. Thanks to @sinisaos for this.
app = FastAPI(
dependencies=[Depends(APIKeyHeader(name="Authorization"))],
middleware=[
Middleware(
AuthenticationMiddleware,
backend=TokenAuthBackend(
SecretTokenAuthProvider(tokens=["abc123"]),
excluded_paths=["/docs", "/openapi.json"], # <- Note
),
)
],
)Added allow_unauthenticated option to JWTMiddleware.
By default, JWTMiddleware rejects any request with an invalid JWT token,
but with this option we allow the user to reject the request instead within
their endpoints.
Added token_login endpoint, which is more convenient than
TokenAuthLoginEndpoint.
Improved the docs for token auth and JWT auth (thanks to @sinisaos).
Modified the OrderBy class, to add some functionality needed by Piccolo
Admin.
PiccoloCRUD now lets you specify multiple columns in the __order GET
param.
For example, with this schema:
class Movie(Table):
name = Varchar()
rating = Integer()To order the results by descending rating and ascending name:
GET /?__order=-rating,name
You can now get all rows with a null / not-null value in PiccoloCRUD.
For example, if we have a nullable column called score:
GET /?score__operator=is_null
Likewise, to get all rows whose score is not null:
GET /?score__operator=not_null
Catching more database errors in PiccoloCRUD, and returning useful API
responses instead of 500 errors.
Implemented GitHub's CodeQL suggestions - this now means LocalMediaStorage
uses 600 instead of 640 as the default file permissions for uploaded
files (thanks to @sinisaos for this).
- Added Python 3.11 support.
PiccoloCRUDvalidators can now be async.- Improved logging.
- The minimum version of FastAPI is now
0.87.0. The reason for this is Starlette made a fairly large change in version0.21.0, which meant we had to refactor a lot of our tests, which makes it challenging to support older versions.
Improving type annotations:
- Adding
id: SerialforSessionsBaseandTokenAuth. - Fixed type annotations for latest version of Starlette (thanks to @sinisaos for this).
If BaseUser is used with PiccoloCRUD, passwords are handled properly.
Thanks to @sinisaos for making this change.
PiccoloCRUD now handles database exceptions better. If a query fails due to
a unique constraint, a 422 response code is returned, along with information
about the error.
This means Piccolo Admin will show more useful debugging information when a query fails.
Thanks to @ethagnawl for reporting this issue, and @sinisaos for help prototyping a solution.
Fixed a bug with Email columns and PiccoloCRUD.get_new. Thanks to
@Tar8117 for reporting this bug.
Previously you had to provide folder_name as an argument to
S3MediaStorage.
It's now optional, as some users may choose to store their files in a bucket without a folder.
When uploading files to S3, we try and correctly set the content type. This now
works correctly for .jpg files (previously only .jpeg worked for JPEGs
). Thanks to @sumitsharansatsangi for adding this.
Fixed a bug with MediaStorage.delete_unused_files - it was raising an
exception when used with Array columns. Thanks to @sumitsharansatsangi for
reporting this issue.
When using S3MediaStorage you can now specify additional arguments when
files are uploaded (using the upload_metadata argument), for example,
setting the cache settings, and much more. Thanks to @sumitsharansatsangi, and
@sinisaos for help reviewing.
S3MediaStorage(
...,
# Cache the file for 24 hours:
upload_metadata={'CacheControl': 'max-age=86400'}
)Added dependency injection to PiccoloCrud hooks - the Starlette request
object will now be passed in if requested. For example:
def my_hook(row_id, request): ...
Thanks to @AnthonyArmour and @destos for this.
Added support for file storage in a local folder and in S3. This was added for Piccolo Admin, but is useful for all Piccolo apps. Thanks to @sinisaos for assisting with this.
Make Piccolo API work with Piccolo >= 0.82.0. Table used to accept a
parameter called ignore_missing. This was renamed to _ignore_missing.
Thanks to @sinisaos for this fix.
Improved the HTTP status codes returned by the change_password,
register and session_login endpoints. They now return a 422 status
code if a validation error occurs. This is required by Piccolo Admin, to better
determine why a request failed.
Added read_only option to change_password and register endpoints.
This is for Piccolo Admin's read_only mode.
Changed a parameter name used in the change_password endpoint to be less
ambiguous (old_password -> current_password).
Changed a parameter name used in the change_password endpoint to be less
ambiguous (confirm_password -> confirm_new_password).
Added a change_password endpoint (courtesy @sinisaos).
See the demo project for a full example.
The session_login, session_logout, and register endpoints can now
have their CSS styles easily customised, to make them match the rest of the
application.
from fastapi import FastAPI
from piccolo_api.session_auth.endpoints import register
from piccolo_api.shared.auth.styles import Styles
app = FastAPI()
app.mount(
'/register/',
register(
styles=Styles(background_color='black')
)
)It is now trivially easy to add CAPTCHA support to the register and
session_login endpoints, to provide protection against bots. Just sign up
for an account with hCaptcha or reCAPTCHA, and do the following:
from fastapi import FastAPI
from piccolo_api.session_auth.endpoints import register
from piccolo_api.shared.auth.captcha import hcaptcha
app = FastAPI()
# To use hCaptcha:
app.mount(
'/register/',
register(
captcha=hcaptcha(
site_key='my-site-key',
secret_key='my-secret-key',
)
)
)Added a register endpoint, which is great for quickly prototyping a sign up
process (courtesy @sinisaos).
Added hooks to the session_login endpoint, allowing additional logic to be
triggered before and after login.
Fixing the ids endpoint of PiccoloCRUD when a custom primary key column
is used with a name other than id.
The schema endpoint of PiccoloCRUD now returns the primary key name. This
means we'll be able to support tables with a custom primary key name in Piccolo
Admin.
Make sure tables with a custom primary key column work with PiccoloCRUD.
Fixed a bug with PiccoloCRUD, where a PATCH request returned a string
instead of a JSON object. Thanks to @trondhindenes for discovering and fixing
this issue.
Fixed bug with __range_header=false.
Added support for the Content-Range HTTP header in the GET endpoint of
PiccoloCRUD. This means the API client can fetch the number of available
rows, without doing a separate API call to the count endpoint.
GET /?__range_header=true
If the page size is 10, then the response header then looks something like:
Content-Range: movie 0-9/100
The feature was created to make Piccolo APIs work better with front ends like React Admin.
Thanks to @trondhindenes for adding this feature, and @sinisaos for help reviewing.
Added hooks to PiccoloCRUD. This allows the user to add their own logic
before a save / patch / delete (courtesy @trondhindenes).
For example:
# Normal functions and async functions are supported:
def pre_save_hook(movie):
movie.rating = 90
return movie
PiccoloCRUD(
table=Movie,
read_only=False,
hooks=[
Hook(hook_type=HookType.pre_save, callable=pre_save_hook)
]
)- Streamlined the
CSRFMiddlewarecode, and added missing type annotations. - If using the
__visible_fieldsparameter withPiccoloCRUD, and the field name is unrecognised, the error response will list the correct field names. - Improved test coverage (courtesy @sinisaos).
We recently added the __visible_fields GET parameter to PiccoloCRUD,
which allows the user to determine which fields are returned by the API.
However, there was no way of the user knowing which fields were supported. This
is now possible by visiting the /schema endpoint, which has a
visible_fields_options field which lists the columns available on the table
and related tables (courtesy @sinisaos).
Fixed a bug with the OpenAPI docs when using Array columns. Thanks to @gmos
for reporting this issue, and @sinisaos for fixing it.
The __visible_fields filter on PiccoloCRUD now works on the detail
endpoint (courtesy @sinisaos). For example:
GET /1/?__visible_fields=id,name,director.name
We also modified a type annotation in FastAPIWrapper, so you can use it
with FastAPI's APIRouter without getting a type warning. Thanks to @gmos
for reporting this issue.
Added a __visible_fields filter to PiccoloCRUD. It's a very powerful
feature which lets us specify which fields we want the API to return from a
GET request (courtesy @sinisaos).
It can even support joins, but we must supply a max_joins parameter:
app = PiccoloCRUD(Movie, max_joins=1)
uvicorn(app)Then we can do:
GET /?__visible_fields=id,name,director.name
Which will return:
{
"rows": [
{
"id": 17,
"name": "The Hobbit: The Battle of the Five Armies",
"director": {
"name": "Peter Jackson"
}
},
...
]
}By specifying exactly which data we want returned, it is much more efficient, especially when fetching large numbers of rows, or with tables with lots of columns.
Fixed a bug with the delete endpoint of PiccoloCRUD. It was returning a 204
response with a body (this isn't allowed, and could cause an exception to be
raised in the web server). Thanks to @trondhindenes for reporting this issue.
Updated Swagger UI to the latest version.
Modified the get_ids endpoint of PiccoloCRUD, so it accepts an
offset query parameter. It already supported limit.
You can now pass a schema_extra argument to PiccoloCRUD, which is
added to the underlying Pydantic schema.
create_pydantic_model is now imported from the main Piccolo repo.
- Added examples to CSRF docs (courtesy @sinisaos).
- Improved
SessionAuthBackend- it was too aggressive at rejecting requests whenallow_unauthenticated=True(thanks to @Bakz for reporting this).
If you send a GET request to the session_logout endpoint, it will now
render a simple logout form. This makes it work much nicer out of the box.
Thanks to @sinisaos for adding this.
When using the nested` argument in ``create_pydantic_model, more of the
other arguments are passed to the nested models. For example, if
include_default_columns is True, both the parent and child models will
include their default columns.
Added support for nested models in create_pydantic_model. For each
ForeignKey in the Piccolo table, the Pydantic model will contain a sub
model for the related table.
For example:
class Manager(Table):
name = Varchar()
class Band(Table):
name = Varchar()
manager = ForeignKey(Manager)
BandModel = create_pydantic_model(Band, nested=True)
If we were to write BandModel by hand instead, it would look like this:
class ManagerModel(BaseModel):
name: str
class BandModel(BaseModel):
name: str
manager: ManagerModel
This feature is designed to work with the new nested output option in
Piccolo >= 0.40.0, which returns the data in the correct format to pass
directly to the nested Pydantic model.
band = Band.select(
Band.id,
Band.name,
*Band.manager.all_columns()
).first(
).output(
nested=True
).run_sync()
>>> print(band)
{'id': 1, 'name': 'Pythonistas', 'manager': {'id': 1, 'name': 'Guido'}}
BandModel(**band)
Courtesy @aminalaee.
Make sure asyncpg gets installed, as Piccolo API currently has a hard
requirement on it (we hope to fix this in the future).
- Fixed MyPy errors (courtesy @sinisaos).
- Simplification of JWT authentication - it no longer needlessly checks expiry, as PyJWT already does this (courtesy @aminalaee).
- Substantial increase in code coverage (courtesy @aminalaee and @sinisaos).
- Increased the minimum PyJWT version, as versions > 2.0.0 return the JWT as a string instead of bytes.
- Added an option to exclude columns when using
create_pydantic_model(courtesy @kucera-lukas).
Updating PiccoloCRUD so it works better with the custom primary key feature
added in Piccolo.
Minor changes to the custom login template logic. More complex Jinja templates are now supported (which are extended from other Jinja templates).
Session auth improvements:
- The default login template is much nicer now.
- The login template can be overridden with a custom one, to match the look and feel of the application.
- The
session_logoutendpoint can now redirect after successfully logging out.
When using the swagger_ui endpoint, the title can now be customised -
courtesy @heliumbrain.
- Added an
allow_unauthenticatedoption toSessionsAuthBackend, which will add anUnauthenticatedUserto the scope, instead of rejecting the request. The app's endpoints are then responsible for checkingrequest.user.is_authenticated. - Improved the docs for Session Auth.
- If
deserialize_jsonis False oncreate_pydantic_model, it will still provide some JSON validation.
Added a deserialize_json option to create_pydantic_model, which will
convert JSON strings to objects - courtesy @heliumbrain.
Added the OAuth redirect endpoint to swagger_ui.
Added a swagger_ui endpoint which works with Piccolo's CSRFMiddleware.
Modified the auth middleware to add the Piccolo BaseUser instance for the
authenticated user to Starlette's BaseUser.
Add missing login.html template.
Added support for choices argument in Piccolo Column instances. The
choices are output in the schema endpoint of PiccoloCRUD.
Added validators and exclude_secrets arguments to PiccoloCRUD.
Added superuser_only and active_only options to SessionsAuthBackend.
Added support for Array column types.
Added py.typed file, for MyPy.
Exposing the help_text value for Table in the Pydantic schema.
Exposing the help_text value for Column in the Pydantic schema.
Fixing a bug with ids endpoint when there's a limit but no search.
Fixing ids endpoint in PiccoloCRUD with Postgres - search wasn't
working.
The ids endpoint in PiccoloCRUD now accepts a limit parameter.
Added additional validation to Pydantic serialisers - for example, Varchar
max length, and Decimal / Numeric precision and scale.
The ids endpoint in PiccoloCRUD is now searchable.
Added missing new endpoint to FastAPIWrapper - courtesy @sinisaos.
Made FastAPI a requirements, instead of an optional requirement.
- Added ids and references endpoints to
FastAPIWrapper. - Increase compatibility of
SessionLoginEndpointandCSRFMiddleware- adding a CSRF token as a form field should now work.
- Added docstrings to FastAPI endpoints in
FastAPIWrapper. - Exposing count and schema endpoints in
FastAPIWrapper.
- Added docs for
__pageand__page_sizequery parameters forPiccoloCRUD. - Implemented
max_page_sizeto prevent excessive server load - courtesy @sinisaos.
Renaming migrations which were problematic for Windows users.
Using Pydantic to serialise the PiccoloCRUD.new response. Fixes a bug
with serialising some values, such as decimal.Decimal.
- Using Piccolo's
run_syncinstead of asgiref. - Loosened dependencies.
create_pydantic_modelnow supports lazy references inForeignKeycolumns.- MyPy fixes.
PiccoloCRUDnow supports the __readable query parameter for detail endpoints - i.e. /api/movie/1/?__readable=true. Thanks to sinisaos for the initial prototype.- Improving type hints.
Bumped requirements.
Using Column._meta.required for Pydantic schema.
Can pass more configuration options to FastAPI via FastAPIWrapper.
Updated for Piccolo 0.12.
- Added
FastAPIWrapper, which makes building a FastAPI endpoint really simple. - Improved the handling of malformed queries better in
PiccoloCRUD- catching unrecognised column names, and returning a 400 response.
create_pydantic_model now accepts an optional model_name argument.
Bumped requirements, to support Piccolo Numeric and Real column types.
Improved session auth - can increase the expiry automatically, which improves the user experience.
Can choose to not redirect after a successful session auth login - this is preferred when calling the endpoint via AJAX.
Loosening requirements for Piccolo projects.
Bumped requirements.
Bumped requirements.
Can configure where CSRFMiddleware looks for tokens, and bug fixes.
CSRF tokens can now be passed as form values.
Supporting Piccolo 0.10.0.
Adding missing __init__.py file - was messing up release.
New style migrations.
Added support for PATCH queries, and specifying text filter types, to
PiccoloCRUD.
Changed schema format.
PiccoloCRUD 'new' endpoint works in readonly mode - doesn't save any data.
Supporting order by, pagination, and filter operators in PiccoloCRUD.
Added 'new' endpoint to PiccoloCRUD.
Added missing __init__.py files.
Added token auth and rate limiting middleware.
Updated Piccolo import paths.
Updated Piccolo syntax.
Improved code layout.
Updating to work with Piccolo > 0.5.
Added validation to PUT requests.
Added foreign key support to schema.
Changed import paths.