
Commit c01c748

temrjanclaude
andcommitted
fix: prevent query params leaking into typed session dict
Move session name check before `anno is dict` in `_find_p` so that `session: dict` returns the actual session scope instead of the merged data dict (which includes query parameters). Fixes #845 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent 209d277 commit c01c748

3 files changed

Lines changed: 4 additions & 0 deletions


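--- a/fasthtml/core.py
+++ b/fasthtml/core.py
@@ -198,6 +198,7 @@ async def _find_p(conn, data, hdrs, arg:str, p:Parameter):
 if issubclass(anno, Starlette): return conn.scope['app']
 if issubclass(anno, HTTPConnection): return conn
 if issubclass(anno, State): return conn.scope['app'].state
+if 'session'.startswith(arg.lower()) and anno is dict: return conn.scope.get('session', {})
 if anno is dict: return data
 if _is_body(anno):
 if 'session'.startswith(arg.lower()): return conn.scope.get('session', {})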
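Review bot: The added `and anno is dict` line separates server-side session state from client-supplied request data purely by parameter name, and `'session'.startswith(arg.lower())` is a prefix test. `s: dict`, `se: dict` and `sess: dict` now all resolve to the session scope, while a name such as `session_data: dict` does not match and still falls through to `if anno is dict: return data`, the merged dict that the commit message says includes query parameters. A handler that uses such a name and treats the value as trusted session state would still be reading client-controlled keys. I would state the rule next to the line, e.g. `# arg must be a prefix of 'session' (s, sess, session) to get the session scope; any other dict-annotated name receives merged request data, which includes query params`. The same line is added in nbs/api/00_core.ipynb, and `_find_p` starts and continues outside this hunk.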

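--- a/nbs/api/00_core.ipynb
+++ b/nbs/api/00_core.ipynb
@@ -790,6 +790,7 @@
 " if issubclass(anno, Starlette): return conn.scope['app']\n",
 " if issubclass(anno, HTTPConnection): return conn\n",
 " if issubclass(anno, State): return conn.scope['app'].state\n",
+" if 'session'.startswith(arg.lower()) and anno is dict: return conn.scope.get('session', {})\n",
 " if anno is dict: return data\n",
 " if _is_body(anno):\n",
 " if 'session'.startswith(arg.lower()): return conn.scope.get('session', {})\n",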

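--- a/tests/test_toaster.py
+++ b/tests/test_toaster.py
@@ -46,9 +46,11 @@ def test_ft_response():
 assert 'Toast FtResponse' in res.text
 
 def test_get_toaster_with_typehint():
+cli.get('/set-toast-get', follow_redirects=False)
 res = cli.get('/see-toast-with-typehint', follow_redirects=False)
 assert 'Toast get' in res.text
 
+cli.get('/set-toast-get', follow_redirects=False)
 res = cli.get('/see-toast-with-typehint', follow_redirects=True)
 assert 'Toast get' in res.text
 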
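Review bot: Nothing in this hunk asserts the property the commit is fixing. Both added `cli.get('/set-toast-get', follow_redirects=False)` calls only seed the toast, and the existing asserts only check that 'Toast get' is rendered. The handler is outside the hunk, so whether these asserts would catch merged request data reaching a `session: dict` parameter again cannot be confirmed from here. A direct regression test would send a request carrying a query parameter to a route that takes `session: dict` and assert that the key is absent from the session the handler receives. The return values of the two set-up calls are also discarded. `assert cli.get('/set-toast-get', follow_redirects=False).status_code < 400` would make a failed set-up visible instead of surfacing later as a missing toast.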
