starlette middleware decorator is deprecated

[fnep]

The example code for starlette proposes to use the middleware decorator: https://secure.readthedocs.io/en/latest/frameworks.html#starlette

Anyhow, this decorator is deprecated, and will be removed in version 1.0.0 - at least there is a warning about that.

The message is:

[...]/site-packages/starlette/applications.py:248: DeprecationWarning: The `middleware` decorator is deprecated, and will be removed in version 1.0.0. Refer to https://www.starlette.io/middleware/#using-middleware for recommended approach.

It would be good to update the help.

I'm using this now, but would not say that I'm confident this is the correct solution:

class SecureHeadersMiddleware(BaseHTTPMiddleware):
    async def dispatch(self, request, call_next):
        response = await call_next(request)
        secure_headers.framework.starlette(response)
        return response

app.add_middleware(SecureHeadersMiddleware)

[cak]

Thank you @fnep! I’ll test and adjust the documentation.

[fnep]

@cak My code from above is probably not the best for an example. There are other issues with it that i discovered later.

Im using this now:

class SecurityHeadersMiddleware:
    """Middleware to add security headers to the response."""

    def __init__(self, app: ASGIApp) -> None:
        self.app = app

    async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
        if scope["type"] != "http":
            return await self.app(scope, receive, send)

        async def send_with_security_headers(message: Message) -> None:
            if message["type"] == "http.response.start":
                headers = MutableHeaders(scope=message)
                for key, value in secure_headers.headers_tuple():
                    headers.append(key, value)

            await send(message)

        await self.app(scope, receive, send_with_security_headers)

[cak]

Hi @fnep , I have updated the docs on the new version v.1.0.0 of secure.py: https://github.com/TypeError/secure/blob/update-v1.0/docs/frameworks.md#starlette

from starlette.applications import Starlette
from starlette.middleware.base import BaseHTTPMiddleware
from starlette.responses import Response

from secure import Secure

secure_headers = Secure.with_default_headers()


async def homepage(request):
    return Response("Hello, world")


class SecurityHeadersMiddleware(BaseHTTPMiddleware):
    async def dispatch(self, request, call_next):
        response = await call_next(request)
        await secure_headers.set_headers_async(response)
        return response


app = Starlette(debug=True)
app.add_route("/", homepage)
app.add_middleware(SecurityHeadersMiddleware)

[fnep]

Thank you for the update. I need to check out what will change with 1.0. :)

Anyhow, i think my answer is outdated these days. Probably the class SecurityHeadersMiddleware from my later comment is the better choice. It looks like Starlette also plans to deprecate BaseHTTPMiddleware. encode/starlette#2160

[cak]

Thank you again for opening the issue! Absolutely, if you’d like to check out the new documentation for v1.0.0, it’s available at https://github.com/TypeError/secure/tree/update-v1.0. I plan to merge it into main tomorrow (9/27) and release v1.0.0 on PyPI on Saturday (9/28). I’ll close this issue once it’s merged. I also need to follow up on the deprecation of the middleware and update the documentation for what will take its place – thank you for the heads up! Any feedback is greatly appreciated!

[fnep]

I just upgraded my project to v1.0 and really appreciated the cleanup. 👍

[cak]

Outstanding! Thanks so much for the feedback! I’m really glad to hear the upgrade went smoothly. Thanks again for filing the issue and helping make secure.py even better! Happy coding! 🚀