j03-dev · j03-dev · Jan 8, 2026 · Jan 5, 2026 · Jan 8, 2026 · Jan 8, 2026
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
 name = "oxapy"
 version = "0.7.9"
-edition = "2021"
+edition = "2024"
 authors = ["FITAHIANA Nomeniavo Joe <24nomeniavo@gmail.com>"]
 repository = "https://github.com/j03-dev/oxapy"
 
@@ -43,7 +43,6 @@ tera = "1.20"
 ahash = "0.8.12"
 ctrlc = "3.5.1"
 glob = "0.3.3"
-once_cell = "1.21.3"
 rand = "0.10.0-rc.5"
 url = "2.5.7"
 

diff --git a/oxapy/__init__.py b/oxapy/__init__.py
@@ -1,8 +1,19 @@
 from .oxapy import *
 
+import os
 import mimetypes
 
 
+def secure_join(base: str, *paths: str) -> str:
+    base = os.path.realpath(base)
+    target = os.path.realpath(os.path.join(base, *paths))
+
+    if target != base and not target.startswith(base + os.sep):
+        raise exceptions.ForbiddenError("Access denied")
+
+    return target
+
+
 def static_file(path: str = "/static", directory: str = "./static"):
     r"""
     Create a route for serving static files.
@@ -22,11 +33,8 @@ def static_file(path: str = "/static", directory: str = "./static"):
 
     @get(f"{path}/{{*path}}")
     def handler(_request, path: str):
-        file_path = f"{directory}/{path}"
-        try:
-            return send_file(file_path)
-        except FileNotFoundError:
-            return Response("File not found", Status.NOT_FOUND)
+        file_path = secure_join(directory, path)
+        return send_file(file_path)
 
     return handler
 
@@ -40,6 +48,12 @@ def send_file(path: str) -> Response:
     Returns:
         Response: A Response with file content
     """
+    if not os.path.exists(path):
+        raise exceptions.NotFoundError("Requested file not found")
+
+    if not os.path.isfile(path):
+        raise exceptions.ForbiddenError("Not a file")
+
     with open(path, "rb") as f:
         content = f.read()
     content_type, _ = mimetypes.guess_type(path)

diff --git a/oxapy/serializer/__init__.pyi b/oxapy/serializer/__init__.pyi
@@ -267,9 +267,9 @@ class Serializer(Field):
     @raw_data.setter
     def raw_data(self, value: typing.Optional[builtins.str]) -> None: ...
     @property
-    def context(self) -> typing.Optional[dict]: ...
+    def context(self) -> dict: ...
     @context.setter
-    def context(self, value: typing.Optional[dict]) -> None: ...
+    def context(self, value: dict) -> None: ...
     @property
     def data(self) -> typing.Any:
         r"""

diff --git a/src/cors.rs b/src/cors.rs
@@ -34,15 +34,19 @@ pub struct Cors {
     /// List of allowed origins, default is ["*"] (all origins)
     #[pyo3(get, set)]
     pub origins: Vec<String>,
+
     /// List of allowed HTTP methods, default includes common methods
     #[pyo3(get, set)]
     pub methods: Vec<String>,
+
     /// List of allowed HTTP headers, default includes common headers
     #[pyo3(get, set)]
     pub headers: Vec<String>,
+
     /// Whether to allow credentials (cookies, authorization headers), default is true
     #[pyo3(get, set)]
     pub allow_credentials: bool,
+
     /// Maximum age of preflight requests in seconds, default is 86400 (1 day)
     #[pyo3(get, set)]
     pub max_age: u32,
@@ -52,8 +56,20 @@ impl Default for Cors {
     fn default() -> Self {
         Self {
             origins: vec!["*".to_string()],
-            methods: vec!["GET, POST, PUT, DELETE, PATCH, OPTIONS".to_string()],
-            headers: vec!["Content-Type, Authorization, X-Requested-With, Accept".to_string()],
+            methods: vec![
+                "DELETE".to_string(),
+                "GET".to_string(),
+                "OPTIONS".to_string(),
+                "PATCH".to_string(),
+                "POST".to_string(),
+                "PUT".to_string(),
+            ],
+            headers: vec![
+                "Accept".to_string(),
+                "Authorization".to_string(),
+                "Content-Type".to_string(),
+                "X-Requested-With".to_string(),
+            ],
             allow_credentials: true,
             max_age: 86400,
         }

diff --git a/src/exceptions.rs b/src/exceptions.rs
@@ -1,5 +1,5 @@
 use pyo3::exceptions::PyException;
-use pyo3::{impl_exception_boilerplate, prelude::*};
+use pyo3::prelude::*;
 use pyo3_stub_gen::derive::*;
 
 pub trait IntoPyException<T> {
@@ -13,7 +13,22 @@ impl<T, E: ToString> IntoPyException<T> for Result<T, E> {
 }
 
 macro_rules! extend_exception {
+    ($name:ident) => {
+        pyo3::impl_exception_boilerplate!($name);
+
+        #[pyo3_stub_gen::derive::gen_stub_pymethods]
+        #[pyo3::prelude::pymethods]
+        impl $name {
+            #[new]
+            fn new(e: pyo3::Py<pyo3::PyAny>) -> $name {
+                Self(e)
+            }
+        }
+    };
+
     ($name:ident, $extend:ident) => {
+        pyo3::impl_exception_boilerplate!($name);
+
         #[pyo3_stub_gen::derive::gen_stub_pymethods]
         #[pyo3::prelude::pymethods]
         impl $name {
@@ -36,17 +51,7 @@ macro_rules! extend_exception {
 #[gen_stub_pyclass]
 #[pyclass(subclass, extends=PyException, module="oxapy.exceptions")]
 pub struct ClientError(pub Py<PyAny>);
-
-impl_exception_boilerplate!(ClientError);
-
-#[gen_stub_pymethods]
-#[pymethods]
-impl ClientError {
-    #[new]
-    fn new(e: Py<PyAny>) -> ClientError {
-        Self(e)
-    }
-}
+extend_exception!(ClientError);
 
 /// HTTP 400 Bad Request error exception.
 ///
@@ -58,8 +63,6 @@ impl ClientError {
 #[gen_stub_pyclass]
 #[pyclass(extends=ClientError, module="oxapy.exceptions")]
 pub struct BadRequestError;
-
-impl_exception_boilerplate!(BadRequestError);
 extend_exception!(BadRequestError, ClientError);
 
 /// HTTP 401 Unauthorized error exception.
@@ -71,8 +74,6 @@ extend_exception!(BadRequestError, ClientError);
 #[gen_stub_pyclass]
 #[pyclass(extends=ClientError, module="oxapy.exceptions")]
 pub struct UnauthorizedError;
-
-impl_exception_boilerplate!(UnauthorizedError);
 extend_exception!(UnauthorizedError, ClientError);
 
 /// HTTP 403 Forbidden error exception.
@@ -85,8 +86,6 @@ extend_exception!(UnauthorizedError, ClientError);
 #[gen_stub_pyclass]
 #[pyclass(extends=ClientError, module="oxapy.exceptions")]
 pub struct ForbiddenError;
-
-impl_exception_boilerplate!(ForbiddenError);
 extend_exception!(ForbiddenError, ClientError);
 
 /// HTTP 404 Not Found error exception.
@@ -99,8 +98,6 @@ extend_exception!(ForbiddenError, ClientError);
 #[gen_stub_pyclass]
 #[pyclass(extends=ClientError, module="oxapy.exceptions")]
 pub struct NotFoundError;
-
-impl_exception_boilerplate!(NotFoundError);
 extend_exception!(NotFoundError, ClientError);
 
 /// HTTP 409 Conflict error exception.
@@ -114,8 +111,6 @@ extend_exception!(NotFoundError, ClientError);
 #[gen_stub_pyclass]
 #[pyclass(extends=ClientError, module="oxapy.exceptions")]
 pub struct ConflictError;
-
-impl_exception_boilerplate!(ConflictError);
 extend_exception!(ConflictError, ClientError);
 
 /// HTTP 500 Internal Server Error exception.
@@ -129,17 +124,7 @@ extend_exception!(ConflictError, ClientError);
 #[pyclass(extends=PyException, module="oxapy.exceptions")]
 #[repr(transparent)]
 pub struct InternalError(Py<PyAny>);
-
-impl_exception_boilerplate!(InternalError);
-
-#[gen_stub_pymethods]
-#[pymethods]
-impl InternalError {
-    #[new]
-    fn new(e: Py<PyAny>) -> InternalError {
-        Self(e)
-    }
-}
+extend_exception!(InternalError);
 
 pub fn exceptions(m: &Bound<'_, PyModule>) -> PyResult<()> {
     let exceptions = PyModule::new(m.py(), "exceptions")?;

diff --git a/src/into_response.rs b/src/into_response.rs
@@ -96,7 +96,7 @@ impl From<PyErr> for Response {
                     Status::INTERNAL_SERVER_ERROR
                 }
             };
-            let response: Response = status.into();
+            let response = Response::from(status);
             response.set_body(format!(
                 r#"{{"detail": "{}"}}"#,
                 value.value(py).to_string().replace('"', "'")
@@ -106,9 +106,9 @@ impl From<PyErr> for Response {
 }
 
 impl From<Cors> for Response {
-    fn from(val: Cors) -> Self {
-        let mut response = Status::NO_CONTENT.into();
-        val.apply_headers(&mut response);
+    fn from(cors: Cors) -> Self {
+        let mut response = Response::from(Status::NO_CONTENT);
+        cors.apply_headers(&mut response);
         response
     }
 }

diff --git a/src/json.rs b/src/json.rs
@@ -1,26 +1,25 @@
-use once_cell::sync::OnceCell;
-use pyo3::{prelude::*, types::PyDict};
+use pyo3::{prelude::*, sync::PyOnceLock, types::PyDict};
 use serde::{Deserialize, Serialize};
 
-static ORJSON: OnceCell<Py<PyModule>> = OnceCell::new();
+static ORJSON: PyOnceLock<Py<PyModule>> = PyOnceLock::new();
 
 #[inline]
 pub fn dumps(data: &Py<PyAny>) -> PyResult<String> {
     Python::attach(|py| {
-        let orjson = ORJSON.get_or_init(|| PyModule::import(py, "orjson").unwrap().into());
-        let serialized_data =
-            orjson
-                .call_method1(py, "dumps", (data,))?
-                .call_method1(py, "decode", ("utf-8",))?;
+        let serialized_data = ORJSON
+            .get_or_try_init(py, || PyModule::import(py, "orjson").map(|m| m.into()))?
+            .call_method1(py, "dumps", (data,))?
+            .call_method1(py, "decode", ("utf-8",))?;
         Ok(serialized_data.extract(py)?)
     })
 }
 
 #[inline]
 pub fn loads(data: &str) -> PyResult<Py<PyDict>> {
     Python::attach(|py| {
-        let orjson = ORJSON.get_or_init(|| PyModule::import(py, "orjson").unwrap().into());
-        let deserialized_data = orjson.call_method1(py, "loads", (data,))?;
+        let deserialized_data = ORJSON
+            .get_or_try_init(py, || PyModule::import(py, "orjson").map(|m| m.into()))?
+            .call_method1(py, "loads", (data,))?;
         Ok(deserialized_data.extract(py)?)
     })
 }

diff --git a/src/jwt.rs b/src/jwt.rs
@@ -2,7 +2,7 @@ use jsonwebtoken::errors::ErrorKind;
 use jsonwebtoken::{Algorithm, DecodingKey, EncodingKey, Header, Validation};
 use pyo3::exceptions::PyException;
 use pyo3::types::PyDict;
-use pyo3::{exceptions::PyValueError, impl_exception_boilerplate, prelude::*};
+use pyo3::{exceptions::PyValueError, prelude::*};
 use pyo3_stub_gen::derive::*;
 use serde::{Deserialize, Serialize};
 use serde_json::Value;
@@ -18,46 +18,30 @@ use crate::json::Wrap;
 #[pyclass(subclass, extends=PyException, module="oxapy.jwt")]
 #[repr(transparent)]
 pub struct JwtError(Py<PyAny>);
-
-impl_exception_boilerplate!(JwtError);
-
-#[gen_stub_pymethods]
-#[pymethods]
-impl JwtError {
-    #[new]
-    fn new(e: Py<PyAny>) -> JwtError {
-        Self(e)
-    }
-}
+extend_exception!(JwtError);
 
 /// Occurs when there's an error during JWT encoding.
 #[gen_stub_pyclass]
 #[pyclass(extends=JwtError, module="oxapy.jwt")]
 pub struct JwtEncodingError;
-
-impl_exception_boilerplate!(JwtEncodingError);
 extend_exception!(JwtEncodingError, JwtError);
 
 /// Occurs when there's an error during JWT decoding/verification.
 #[gen_stub_pyclass]
 #[pyclass(extends=JwtError, module="oxapy.jwt")]
 pub struct JwtDecodingError;
-
-impl_exception_boilerplate!(JwtDecodingError);
 extend_exception!(JwtDecodingError, JwtError);
 
 /// Occurs when the JWT algorithm is invalid or not supported.
 #[gen_stub_pyclass]
 #[pyclass(extends=JwtError, module="oxapy.jwt")]
 pub struct JwtInvalidAlgorithm;
-impl_exception_boilerplate!(JwtInvalidAlgorithm);
 extend_exception!(JwtInvalidAlgorithm, JwtError);
 
 /// Occurs when a JWT claim is invalid (e.g., wrong format).
 #[gen_stub_pyclass]
 #[pyclass(extends=JwtError, module="oxapy.jwt")]
 pub struct JwtInvalidClaim;
-impl_exception_boilerplate!(JwtInvalidClaim);
 extend_exception!(JwtInvalidClaim, JwtError);
 
 #[derive(Debug, Clone, Serialize, Deserialize)]