* feat: extend resource leak hook to detect database session leaks
The pre-commit hook now detects unsafe usage of get_auth_db_session()
and suggests using the auth_db_session() context manager instead. This
prevents database session leaks when exceptions occur.
Changes:
- Add FUNCTIONS_REQUIRING_CONTEXT to detect function calls that return
resources needing cleanup
- Fix nested try/finally detection for close() calls
- Update user_exists() in encrypted_db.py to use context manager
- Update example files to use auth_db_session() context manager
* fix: prevent session use after close and add search engine cleanup
- Move config dict creation inside with block in api_routes.py to prevent
using SettingsManager after database session is closed (was causing errors)
- Remove redundant session.close() call that was after context manager exit
- Add close() method and context manager support to BaseSearchEngine so
search engines with HTTP sessions can be properly cleaned up
Implement dynamic cookie security that allows localhost HTTP connections
to work out of the box while maintaining security for production:
- Add WSGI middleware (SecureCookieMiddleware) for dynamic Secure flag
- Localhost HTTP (127.0.0.1, ::1): No Secure flag (local traffic is safe)
- Proxied requests (X-Forwarded-For): Always add Secure flag (production)
- Non-localhost HTTP: Add Secure flag (requires HTTPS by design)
- TESTING mode: Never add Secure flag (for CI/development)
Security: Prevents X-Forwarded-For spoofing by checking for header
presence rather than value - any proxy header triggers Secure flag.
Also includes:
- Update HTTP examples with clear "LOCALHOST ONLY" documentation
- Add helpful CSRF error message explaining the security model
- Add comprehensive cookie security tests (9 tests)
- Add cookie security tests to CI workflow
Major improvements to HTTP API examples:
- Add intelligent retry logic for fetching research results (up to 2 minutes)
- Implement automatic user creation for out-of-the-box functionality
- Fix API endpoint usage (/api/start_research instead of /research/api/start)
- Add proper CSRF token handling and authentication flow
- Create comprehensive documentation with environment variable configuration
- Add progress monitoring and detailed status reporting
- Include remote Ollama and SearXNG configuration examples
- Provide multiple example scripts for different use cases
- Use pathlib.Path instead of os.path for modern Python practice
Examples now work completely out of the box without manual user setup
and include proper error handling and user guidance throughout the process.
