Improve typing of view decorators

[Viicos]

A new type variable is defined, matching (async) callables taking a request and returning a response.

Some decorators are defined as views to comply with pyright (see microsoft/pyright#5821 (comment) for an explanation).

Note that some decorators allow *args, **kwargs to exist on the decorated views, e.g. never_cache:

def never_cache(view_func):
    """
    Decorator that adds headers to a response so that it will never be cached.
    """

    if iscoroutinefunction(view_func):

        async def _view_wrapper(request, *args, **kwargs):
            _check_request(request, "never_cache")
            response = await view_func(request, *args, **kwargs)
            add_never_cache_headers(response)
            return response

    else:

        def _view_wrapper(request, *args, **kwargs):
            _check_request(request, "never_cache")
            response = view_func(request, *args, **kwargs)
            add_never_cache_headers(response)
            return response

    return wraps(view_func)(_view_wrapper)

However, I think it's good to actually enforce views to take a single request argument. What do you think?

[sobolevn]

pls, add reveal_type(good__view)

[flaeppe]

However, I think it's good to actually enforce views to take a single request argument. What do you think?

What about path parameters?

[flaeppe]

It's probably fine to keep the first positional argument a request, but it needs to allow an arbitrary amount of args and kwargs after that

[intgr]

Thanks, I like creating a common shared definition for _ViewFuncT.

But some changes are needed.

[intgr]

Would make sense to keep _AsyncGetResponseCallable, _GetResponseCallable definitions together in the same file with _ViewFuncT.

Maybe move those 2 into this file? Or put all of them in django-stubs/views/__init__.pyi?

[intgr]

Waitaminute. Views aren't necessarily compatible with _GetResponseCallable.

Views can have extra arguments from URL parameters, e.g. def good_view2(request: HttpRequest, url_param: str) -> HttpResponse

This causes error

error: Value of type variable "_ViewFuncT" of "csrf_protect" cannot be "Callable[[HttpRequest, str], HttpResponse]" [type-var]

[Viicos]

Yep as suggested by flaeppe. I got mislead because some of these decorators are defined using decorator_from_middleware, which will call get_response (i.e. the view function) only by passing the request. So probably we need another view func type for those

[Viicos]

Ok my bad, decorator_from_middleware also supports extra arguments specified in a view function. So in the end I only need to update the definition of _ViewFuncT.

[intgr]

However, I think it's good to actually enforce views to take a single request argument. What do you think?

I believe it would break the hack that our FAQ suggests to constrain request.user type for authenticated views? https://github.com/typeddjango/django-stubs?tab=readme-ov-file#how-can-i-create-a-httprequest-thats-guaranteed-to-have-an-authenticated-user

I never liked this hack to begin with (#2046 (comment)), but I think lots of users are relying on it, we shouldn't break it, unless there's strong consensus to do so.

[Viicos]

I went for the assert types. Unfortunately I can't do:

assert_type(good_view, Callable[[HttpRequest], HttpResponse])

As Callable does not have information about the name of the arguments, while good_view is inferred as "(request: HttpRequest) -> HttpResponse" (which is a good thing).

Considering the decorators are defined with the type vars in a straightforward way I don't think it is that much of an issue to not be able to test this

[flaeppe]

I say that we should prefer the type over the name of an argument and thus add an assert_type to ensure the return type of the decorator.

You should be able to use assert_type(good_view, Callable[[HttpRequest], HttpResponse]) if your good_view forces the request argument to be positional e.g.

@csrf_protect
-def good_view(request: HttpRequest) -> HttpResponse:
+def good_view(request: HttpRequest, /) -> HttpResponse:
    return HttpResponse()
+assert_type(good_view, Callable[[HttpRequest], HttpResponse])

[intgr]

Unfortunately this still breaks the AuthenticatedHttpRequest hack, #2164 (comment)

[flaeppe]

Have we tried/do you think we can use callable protocols here? IIRC Concatenate only works in function scope(?)

What if we add a callable protocol for each type? e.g. View and AsyncView

class View(Protocol):
    def __call__(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponseBase: ...

class AsyncView(Protocol):
    async def __call__(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponseBase: ...

_ViewFuncT = TypeVar("_ViewFuncT", bound=View | AsyncView)

[flaeppe]

Also, can we incorporate the AuthenticatedHttpRequest hack in the test suite? Unless we haven't done so already

[Viicos]

__call__(self, request: HttpRequest, *args: Any, **kwargs: Any) will require every view function to have *args, **kwargs int their signature. Callable[Concatenate[HttpRequest, ...], HttpResponseBase] is currently the only way to express what we want here iirc.

I'll take a look at the AuthenticatedHttpRequest hack

[flaeppe]

__call__(self, request: HttpRequest, *args: Any, **kwargs: Any) will require every view function to have *args, **kwargs int their signature. Callable[Concatenate[HttpRequest, ...], HttpResponseBase] is currently the only way to express what we want here iirc.

From experimenting with mypy playground, I don't think that *args and **kwargs need to be included in the signature. Check this playground link: https://mypy-play.net/?mypy=latest&python=3.12&flags=strict&gist=e5d6cc2baf2095c4eab2863ea645faf3

Let me know if I missed something

Edit: Here's a different playground link that includes a TypeVar and decorator, much similar to what we have in this PR; https://mypy-play.net/?mypy=latest&python=3.12&flags=strict&gist=277b229672c75316b1b9473c07d4712a

[Viicos]

Interesting, this seems to have changed really recently in the typing spec:

• spec: Expanded "Callables" chapter to include additional details. python/typing#1723
• mypy: This behavior was implemented from the beginning apparently.
• pyright: (*args: Any, **kwargs: Any) should be treated as ... in function definition microsoft/pyright#7848.

[Viicos]

The AuthenticatedHttpRequest think is annoying :/ Maybe it could be explicitly exported in django-stubs-ext or in the stubs itself, and added as an overload?

[intgr]

Ignoring AuthenticatedHttpRequest for the moment, the added test_csrf.py is failing for me with mypy... Do you know what's up with that?

tests/assert_type/views/decorators/test_csrf.py:19: error: Value of type variable "_ViewFuncT" of "csrf_protect" cannot be "Callable[[HttpRequest], HttpResponse]" [type-var]
tests/assert_type/views/decorators/test_csrf.py:24: error: Value of type variable "_ViewFuncT" of "csrf_protect" cannot be "Callable[[HttpRequest], Coroutine[Any, Any, HttpResponse]]" [type-var]
tests/assert_type/views/decorators/test_csrf.py:29: error: Value of type variable "_ViewFuncT" of "csrf_protect" cannot be "Callable[[HttpRequest, int, str], HttpResponse]" [type-var]
tests/assert_type/views/decorators/test_csrf.py:34: error: Value of type variable "_ViewFuncT" of "csrf_protect" cannot be "Callable[[HttpRequest, int, str], Coroutine[Any, Any, HttpResponse]]" [type-var]

[intgr]

I wanted to look into what could be done about AuthenticatedHttpRequest, but this is blocking that.

[flaeppe]

Problem is probably the forced positional of request in the protocols

[intgr]

Indeed. Removing the /, from _View signature fixes that, but then makes line 9 fail.

We can fix this by duplicating both View protocols for both positional/non-positional cases. I think that would be fine. Unless there are better solutions?

class _View(Protocol):
    def __call__(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponseBase: ...

class _ViewPositionalRequest(Protocol):
    def __call__(self, request: HttpRequest, /, *args: Any, **kwargs: Any) -> HttpResponseBase: ...

class _AsyncView(Protocol):
    async def __call__(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponseBase: ...

class _AsyncViewPositionalRequest(Protocol):
    async def __call__(self, request: HttpRequest, /, *args: Any, **kwargs: Any) -> HttpResponseBase: ...

_ViewFuncT = TypeVar(
    "_ViewFuncT", bound=_View | _ViewPositionalRequest | _AsyncView | _AsyncViewPositionalRequest
)  # noqa: PYI018

[intgr]

btw django.db.transaction.non_atomic_requests decorator expects views as well, and could re-use this.

[intgr]

Looks like defining a Protocol for request wouldn't work either.

I'm open to just hinting as request: Any to solve the AuthenticatedHttpRequest hack. That's basically the approach we had until now.

[intgr]

Let's add a test for the hack as well:

from django.contrib.auth.models import User


class AuthenticatedHttpRequest(HttpRequest):
    user: User


@csrf_protect
def view_hack_authenticated_request(request: AuthenticatedHttpRequest) -> HttpResponse:
    return HttpResponse()

[intgr]

Add @type_check_only to all protocols.