colleted bug fixes (#148)

* remove unnecessary headers
* remove doc submodule as its buggy
* re-add docs submodule
* change FSM state only when necessary
* set thing model handler method to GET
* fix enum access in state machine only if state is enum
* remove assert Access Control Allow Credentials in tests
* use uuid_hex from utils
* clean up stuff based on logs
* add a name to security schemes and remove password deletion
* refactor security scheme enforcement on server
* add a security scheme class for client
* refactor HTTP basic auth
* ruf tests folder
* add ruff tests folder to pipeline
* add an untested precommit file
* test precommit
* update changelog
* add SAST comments

Author: VigneshVSV

.github/workflows/ci-pipeline.yml

@@ -26,9 +26,12 @@ jobs:
       - name: install ruff
         run: pip install ruff
 
-      - name: run ruff linter
+      - name: run ruff linter src directory
         run: ruff check hololinked
 
+      - name: run ruff linter tests directory
+        run: ruff check tests/*.py tests/things/*.py tests/helper-scripts/*.py
+
   scan:
     name: security scan (${{ matrix.tool }})
     runs-on: ubuntu-latest

.gitignore

@@ -19,6 +19,7 @@ tests/run-unittest.bat
 # vs-code 
 .vscode/launch.json
 .vs/
+todo
 
 # zmq 
 *.ipc 

.gitmodules

@@ -1,6 +1,6 @@
 [submodule "examples"]
 	path = examples
 	url = https://github.com/hololinked-dev/examples.git
-[submodule "doc"]
-	path = doc
-	url = https://github.com/hololinked-dev/docs-v2.git
+[submodule "docs"]
+	path = docs
+	url = https://github.com/hololinked-dev/docs.git

.pre-commit-config.yaml

@@ -0,0 +1,21 @@
+repos:
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.14.7
+    hooks:
+      - id: ruff-check
+        files: ^hololinked/
+
+  - repo: https://github.com/PyCQA/bandit
+    rev: "1.9.2"
+    hooks:
+      - id: bandit
+        # needs to be fixed
+        args: ["pyproject.toml -r hololinked/ -b .bandit-baseline.json"]
+        pass_filenames: false
+
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.26.0
+    hooks:
+      - id: gitleaks
+        entry: gitleaks git --pre-commit --redact --staged --verbose
+        pass_filenames: false

CHANGELOG.md

@@ -13,7 +13,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - supports structlog for logging, with colored logs and updated log statements
 - SAST with bandit & gitleaks integrated into CI/CD pipelines
 - uses pytest instead of unittests
-- code improvements with isort, dependency refactoring etc.
+- code improvements with isort, refactors & optimizations etc.
+- fixes minor bugs & cleans up HTTP headers
 
 ## [v0.3.7] - 2025-10-30
 

doc

@@ -1,7 +1,5 @@
-import base64
 import ssl
 import threading
-import uuid
 import warnings
 
 from typing import Any
@@ -22,11 +20,12 @@
     EventAffordance,
     PropertyAffordance,
 )
-from ..utils import set_global_event_loop_policy
+from ..utils import set_global_event_loop_policy, uuid_hex
 from .abstractions import ConsumedThingAction, ConsumedThingEvent, ConsumedThingProperty
 from .http.consumed_interactions import HTTPAction, HTTPEvent, HTTPProperty
 from .mqtt.consumed_interactions import MQTTConsumer  # only one type for now
 from .proxy import ObjectProxy
+from .security import BasicSecurity
 from .zmq.consumed_interactions import (
     ReadMultipleProperties,
     WriteMultipleProperties,
@@ -71,8 +70,6 @@ def zmq(
 
             - `logger`: `logging.Logger`, optional.
                  A custom logger instance to use for logging
-            - `log_level`: `int`, default `logging.INFO`.
-                The logging level to use for the client (e.g., logging.DEBUG, logging.INFO)
             - `ignore_TD_errors`: `bool`, default `False`.
                 Whether to ignore errors while fetching the Thing Description (TD)
             - `skip_interaction_affordances`: `list[str]`, default `[]`.
@@ -87,7 +84,7 @@ def zmq(
         ObjectProxy
             An ObjectProxy instance representing the remote Thing
         """
-        id = f"{server_id}|{thing_id}|{access_point}|{uuid.uuid4()}"
+        id = kwargs.get("id", f"{server_id}|{thing_id}|{access_point}|{uuid_hex()}")
 
         # configs
         ignore_TD_errors = kwargs.get("ignore_TD_errors", False)
@@ -131,6 +128,7 @@ def zmq(
             logger=logger,
             invokation_timeout=invokation_timeout,
             execution_timeout=execution_timeout,
+            security=kwargs.get("security", None),
         )
 
         # add properties
@@ -278,24 +276,26 @@ def http(self, url: str, **kwargs) -> ObjectProxy:
 
         # fetch TD
         headers = {"Content-Type": "application/json"}
-        username = kwargs.get("username")
-        password = kwargs.get("password")
-        if username and password:
-            token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
-            headers["Authorization"] = f"Basic {token}"
+        security = kwargs.pop("security", None)
+        username = kwargs.pop("username", None)
+        password = kwargs.pop("password", None)
+        if not security and username and password:
+            security = BasicSecurity(username=username, password=password)
+        if isinstance(security, BasicSecurity):
+            headers["Authorization"] = security.http_header
 
         response = req_rep_sync_client.get(url, headers=headers)  # type: httpx.Response
         response.raise_for_status()
 
         TD = Serializers.json.loads(response.content)
-        id = f"client|{TD['id']}|HTTP|{uuid.uuid4().hex[:8]}"
+        id = kwargs.get("id", f"client|{TD['id']}|HTTP|{uuid_hex()}")
         logger = kwargs.get("logger", structlog.get_logger()).bind(
             component="client",
             client_id=id,
             protocol="http",
             thing_id=TD["id"],
         )
-        object_proxy = ObjectProxy(id, td=TD, logger=logger, **kwargs)
+        object_proxy = ObjectProxy(id, td=TD, logger=logger, security=security, **kwargs)
 
         for name in TD.get("properties", []):
             affordance = PropertyAffordance.from_TD(name, TD)
@@ -383,7 +383,7 @@ def mqtt(
             - `log_level`: `int`, default `logging.INFO`.
                 The logging level to use for the client (e.g., logging.DEBUG, logging.INFO
         """
-        id = f"mqtt-client|{hostname}:{port}|{uuid.uuid4().hex[:8]}"
+        id = kwargs.get("id", f"mqtt-client|{hostname}:{port}|{uuid_hex()}")
         logger = kwargs.get("logger", structlog.get_logger()).bind(
             component="client",
             client_id=id,

docs

@@ -66,32 +66,13 @@ def get_body_from_response(
             return body
         response.raise_for_status()
 
-    def _merge_auth_headers(self, base: dict | None = None):
-        headers = dict(base or {})
-
-        # Avoid truthiness on ObjectProxy
-        owner = getattr(self, "_owner_inst", None)
-        if owner is None:
-            owner = getattr(self, "owner", None)
-
-        auth = getattr(owner, "_auth_header", None) if owner is not None else None
-
-        # Normalize present header names (case-insensitive)
-        present = {k.lower() for k in headers}
-
-        if auth:
-            if isinstance(auth, dict):
-                # Merge key-by-key if caller stored a header dict
-                for k, v in auth.items():
-                    if k.lower() not in present:
-                        headers[k] = v
-            elif isinstance(auth, str):
-                # Caller stored just the value: "Basic abcd=="
-                if "authorization" not in present:
-                    headers["Authorization"] = auth
-            else:
-                # Ignore unexpected types instead of crashing
-                pass
+    def _merge_auth_headers(self, base: dict[str, str]) -> dict[str, str]:
+        headers = base or {}
+
+        if not self.owner_inst or self.owner_inst._security is None:
+            return headers
+        if not any(key.lower() == "authorization" for key in headers.keys()):
+            headers["Authorization"] = self.owner_inst._security.http_header
 
         return headers
 
@@ -347,7 +328,9 @@ def listen(self, form: Form, callbacks: list[Callable], concurrent: bool = False
 
         try:
             with self._sync_http_client.stream(
-                method="GET", url=form.href, headers=self._merge_auth_headers({"Accept": "text/event-stream"})
+                method="GET",
+                url=form.href,
+                headers=self._merge_auth_headers({"Accept": "text/event-stream"}),
             ) as resp:
                 resp.raise_for_status()
                 interrupting_event = threading.Event()
@@ -383,7 +366,9 @@ async def async_listen(
 
         try:
             async with self._async_http_client.stream(
-                method="GET", url=form.href, headers=self._merge_auth_headers({"Accept": "text/event-stream"})
+                method="GET",
+                url=form.href,
+                headers=self._merge_auth_headers({"Accept": "text/event-stream"}),
             ) as resp:
                 resp.raise_for_status()
                 interrupting_event = asyncio.Event()

hololinked/client/factory.py

@@ -1,5 +1,3 @@
-import base64
-
 from typing import Any, Callable
 
 import structlog
@@ -29,7 +27,7 @@ class ObjectProxy:
             "_events",
             "_noblock_messages",
             "_schema_validator",
-            "_auth_header",
+            "_security",
         ]
     )
 
@@ -59,16 +57,10 @@ def __init__(self, id: str, **kwargs) -> None:
         self._allow_foreign_attributes = kwargs.get("allow_foreign_attributes", False)
         self._noblock_messages = dict()  # type: dict[str, ConsumedThingAction | ConsumedThingProperty]
         self._schema_validator = kwargs.get("schema_validator", None)
+        self._security = kwargs.get("security", None)
         self.logger = kwargs.pop("logger", structlog.get_logger())
         self.td = kwargs.get("td", dict())  # type: dict[str, Any]
 
-        self._auth_header = None
-        username = kwargs.get("username")
-        password = kwargs.get("password")
-        if username and password:
-            token = f"{username}:{password}".encode("utf-8")
-            self._auth_header = {"Authorization": f"Basic {base64.b64encode(token).decode('utf-8')}"}
-
     def __getattribute__(self, __name: str) -> Any:
         obj = super().__getattribute__(__name)
         if isinstance(obj, ConsumedThingProperty):