Staging-->Main

.github/workflows/playwright.yml

@@ -30,11 +30,17 @@ jobs:
       uses: actions/setup-python@v6
       with:
         python-version: ${{ env.PYTHON_VERSION }}
+        cache: 'pip'
+        cache-dependency-path: Pipfile.lock
 
     # Setup Node.js
     - uses: actions/setup-node@v6
       with:
         node-version: ${{ env.NODE_VERSION }}
+        cache: 'npm'
+        cache-dependency-path: |
+          package-lock.json
+          app/package-lock.json
 
     # Install pipenv
     - name: Install pipenv
@@ -48,6 +54,14 @@ jobs:
     - name: Install root dependencies
       run: npm ci
 
+    # Cache Playwright browsers
+    - name: Cache Playwright browsers
+      id: playwright-cache
+      uses: actions/cache@v4
+      with:
+        path: ~/.cache/ms-playwright
+        key: playwright-browsers-${{ runner.os }}-${{ hashFiles('package-lock.json') }}
+
     # Install Node dependencies (frontend)
     - name: Install frontend dependencies
       run: npm ci
@@ -61,13 +75,8 @@ jobs:
     # Start Docker Compose services (test databases)
     - name: Start test databases
       run: |
-        docker compose -f e2e/docker-compose.test.yml up -d
-        # Wait for databases to be healthy
-        echo "Waiting for databases to be ready..."
-        sleep 20
+        docker compose -f e2e/docker-compose.test.yml up -d --wait --wait-timeout 120
         docker ps -a
-        # Verify all containers are running
-        docker compose -f e2e/docker-compose.test.yml ps
 
     # Start FalkorDB (Redis graph database)
     - name: Start FalkorDB
@@ -133,9 +142,14 @@ jobs:
         AZURE_API_BASE: ${{ secrets.AZURE_API_BASE }}
         AZURE_API_VERSION: ${{ secrets.AZURE_API_VERSION }}
 
-    # Install Playwright browsers
+    # Install Playwright browsers (Chromium only in CI)
     - name: Install Playwright Browsers
-      run: npx playwright install --with-deps chromium firefox
+      if: steps.playwright-cache.outputs.cache-hit != 'true'
+      run: npx playwright install --with-deps chromium
+
+    - name: Install Playwright system deps
+      if: steps.playwright-cache.outputs.cache-hit == 'true'
+      run: npx playwright install-deps chromium
 
     # Create auth directory for storage state
     - name: Create auth directory
@@ -148,15 +162,15 @@ jobs:
         CI: true
 
     # Upload test results on failure
-    - uses: actions/upload-artifact@v6
+    - uses: actions/upload-artifact@v7
       if: failure()
       with:
         name: playwright-report
         path: playwright-report/
         retention-days: 30
 
     # Upload test screenshots on failure
-    - uses: actions/upload-artifact@v6
+    - uses: actions/upload-artifact@v7
       if: failure()
       with:
         name: test-results

Pipfile

@@ -4,9 +4,9 @@ verify_ssl = true
 name = "pypi"
 
 [packages]
-fastapi = "~=0.131.0"
-uvicorn = "~=0.40.0"
-litellm = "~=1.80.9"
+fastapi = "~=0.135.0"
+uvicorn = "~=0.41.0"
+litellm = "~=1.82.0"
 falkordb = "~=1.6.0"
 psycopg2-binary = "~=2.9.11"
 pymysql = "~=1.1.0"
@@ -22,7 +22,7 @@ fastmcp = ">=2.13.1"
 [dev-packages]
 pytest = "~=8.4.2"
 pylint = "~=4.0.3"
-playwright = "~=1.57.0"
+playwright = "~=1.58.0"
 pytest-playwright = "~=0.7.1"
 pytest-asyncio = "~=1.2.0"
 

api/app_factory.py

@@ -1,7 +1,9 @@
 """Application factory for the text2sql FastAPI app."""
 
+import hmac
 import logging
 import os
+import secrets
 
 from dotenv import load_dotenv
 from fastapi import FastAPI, Request, HTTPException
@@ -54,6 +56,79 @@ async def dispatch(self, request: Request, call_next):
         return response
 
 
+def _is_secure_request(request: Request) -> bool:
+    """Determine if the request is over HTTPS."""
+    forwarded_proto = request.headers.get("x-forwarded-proto")
+    if forwarded_proto:
+        return forwarded_proto == "https"
+    return request.url.scheme == "https"
+
+
+class CSRFMiddleware(BaseHTTPMiddleware):  # pylint: disable=too-few-public-methods
+    """Double Submit Cookie CSRF protection.
+
+    Sets a csrf_token cookie (readable by JS) on every response.
+    State-changing requests must echo the cookie value back
+    via the X-CSRF-Token header.  Bearer-token authenticated
+    requests and auth/login endpoints are exempt.
+    """
+
+    SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})
+    CSRF_COOKIE = "csrf_token"
+    CSRF_HEADER = "x-csrf-token"
+
+    # Paths exempt from CSRF validation (auth flow endpoints).
+    # "/mcp" has no trailing slash so it also covers sub-paths like /mcp/sse.
+    EXEMPT_PREFIXES = (
+        "/login/",
+        "/signup/",
+        "/mcp",
+    )
+
+    async def dispatch(self, request: Request, call_next):
+        # Validate CSRF for unsafe, non-exempt, non-Bearer requests
+        if (
+            request.method not in self.SAFE_METHODS
+            and not request.url.path.startswith(self.EXEMPT_PREFIXES)
+            and not request.headers.get("authorization", "").lower().startswith("bearer ")
+        ):
+            cookie_token = request.cookies.get(self.CSRF_COOKIE)
+            header_token = request.headers.get(self.CSRF_HEADER)
+
+            if (
+                not cookie_token
+                or not header_token
+                or not hmac.compare_digest(cookie_token, header_token)
+            ):
+                response = JSONResponse(
+                    status_code=403,
+                    content={"detail": "CSRF token missing or invalid"},
+                )
+                self._ensure_csrf_cookie(request, response)
+                return response
+
+        response = await call_next(request)
+        self._ensure_csrf_cookie(request, response)
+        return response
+
+    # Match the session cookie lifetime (14 days in seconds)
+    CSRF_COOKIE_MAX_AGE = 60 * 60 * 24 * 14
+
+    def _ensure_csrf_cookie(self, request: Request, response):
+        """Set the CSRF cookie if it is not already present."""
+        if not request.cookies.get(self.CSRF_COOKIE):
+            token = secrets.token_urlsafe(32)
+            response.set_cookie(
+                key=self.CSRF_COOKIE,
+                value=token,
+                httponly=False,  # JS must read this value
+                samesite="lax",
+                secure=_is_secure_request(request),
+                path="/",
+                max_age=self.CSRF_COOKIE_MAX_AGE,
+            )
+
+
 def create_app():
     """Create and configure the FastAPI application."""
 
@@ -192,6 +267,9 @@ def custom_openapi():
     # Add security middleware
     app.add_middleware(SecurityMiddleware)
 
+    # Add CSRF middleware (double-submit cookie pattern)
+    app.add_middleware(CSRFMiddleware)
+
     # Mount static files from the React build (app/dist)
     # This serves the bundled assets (JS, CSS, images, etc.)
     dist_path = os.path.join(os.path.dirname(__file__), "../app/dist")
@@ -261,7 +339,7 @@ async def handle_oauth_error(
 
     # Serve React app for all non-API routes (SPA catch-all)
     @app.get("/{full_path:path}", include_in_schema=False)
-    async def serve_react_app(_full_path: str):
+    async def serve_react_app(full_path: str):  # pylint: disable=unused-argument
         """Serve the React app for all routes not handled by API endpoints."""
         # Serve index.html for the React SPA
         index_path = os.path.join(dist_path, "index.html")