Authentication / Authorization on routes without JWT and applying scopes

[WilliamStam]

First Check

• I added a very descriptive title here.
• I used the GitHub search to find a similar question and didn't find it.
• I searched the FastAPI documentation, with the integrated search.
• I already searched in Google "How to X in FastAPI" and didn't find any information.
• I already read and followed all the tutorial in the docs and didn't find an answer.
• I already checked if it is not related to FastAPI but to Pydantic.
• I already checked if it is not related to FastAPI but to Swagger UI.
• I already checked if it is not related to FastAPI but to ReDoc.

Commit to Help

• I commit to help with one of those options 👆

Example Code

import typing
from typing import List

import uvicorn
from fastapi import Depends, FastAPI, Request, Security
from fastapi.security import APIKeyHeader, APIKeyQuery
from pydantic import BaseModel, Field
from starlette.authentication import AuthCredentials
from starlette.authentication import requires

class ProfileModel(BaseModel):
    id: int = None
    name: str = None
    token: str = None
    permissions: List[str] = Field(default_factory=list)


async def find_by_token(token: str = None) -> ProfileModel:
    """using a fake response here. this needs to get the user from the db based on the token"""
    print("find_by_token")
    if token == "abc":
        return ProfileModel(
            id=1,
            name="Big noob",
            token=token,
            permissions=["a", "b"]
        )
    return ProfileModel()


QUERY_API_KEY = APIKeyQuery(name='token', auto_error=False, description="First")
HEADER_API_KEY = APIKeyHeader(name='X-API-Key', auto_error=False, description="Second")


async def user_dependency(
    request: Request,
    query_api_key: str = Security(QUERY_API_KEY),
    header_api_key: str = Security(HEADER_API_KEY),
) -> ProfileModel:
    """ using the token we find the current user """
    print("user_dependency")
    token = next(
        (arg for arg in [query_api_key, header_api_key] if arg is not None),
        None
    )
    print(f"user_dependency:  {token}")
    user = ProfileModel()
    if token:
        user = await find_by_token(token=token)
    # user = ProfileModel(name="dog", token=str(token), permissions=['c'])
    request.scope["auth"] = AuthCredentials(scopes=user.permissions)
    request.scope["user"] = user
    request.scope["token"] = token
    
    # print(request.scope.get("auth").scopes)
    return user


CurrentUser = typing.Annotated[ProfileModel, Depends(user_dependency, use_cache=False)]

app = FastAPI(
    debug=True,
    title="Demo",
    description="Demo FastAPI application",
    docs_url="/docs",
)


@app.middleware("http")
async def request_middleware(request: Request, call_next):
    print("request_middleware")
    
    # how do i get the token from "user_dependency" here?
    user: ProfileModel = await find_by_token("abc")
    
    request.scope['auth'] = AuthCredentials(scopes=user.permissions)
    request.scope['user'] = user
    
    return await call_next(request)


@app.get("/")
async def home():
    """Free for all"""
    return "home"


# im purly adding this in to be able to print out the marker
_CallableType = typing.TypeVar("_CallableType", bound=typing.Callable)
def permission(
    scopes: typing.Union[str, typing.Sequence[str], None] = None,
    status_code: int = 403,
    redirect: typing.Optional[str] = None,
) -> typing.Callable[[_CallableType], _CallableType]:
    if scopes is None:
        scopes = []
    print(f"permission decorator: {scopes}")
    return requires(scopes=scopes, status_code=status_code, redirect=redirect)


@app.get("/profile")
# starlet has a "requires" decorator for routes to check the scopes, ive just wrapped it in permission above to
# be able to print out the values
@permission("abc")
async def profile(
    request: Request, # this is required for the auth middleware stuff to be included request.scope[...]
    user: CurrentUser # needed so that openapi shows the lock icon
):
    """only logged in users"""
    print("profile page")
    return request.user


if __name__ == "__main__":
    uvicorn.run("main:app", reload=True)

Description

some things ive noticed and comments

• adding an application dependency to get the token from header / query etc would result in even the "open" pages having the lock icon. adding it to the router dependencies works but then application middleware cant get the token (same for route depends)
• the "require" decorator runs first. it doesnt attach the values (request?) to the route at all (decorator so obviously)
• there doesnt seem to be anyway to attach the permissions to the actual route object. was thinking if something like @app.get("/profile",permissions=["a"]) or at the least have an "optional" key to add all this in then it would make things easier. also that would allow the custom openapi class thing to look at the routes and decide if the current user (middleware) has the permission or not to display the route in the docs even (seen a few requests for that)
• i can see why pretty much ALL the examples of auth use JWT tokens. the scopes are known ahead of time. no need to look them up, just need to get it from header and decrypt it and voila user scope
• the docs pretty much have a if not user then raise forbidden in the actual body of the page. but this would mean that EVERY route that needs permissions would need that.

so in the interim im playing around with the following but it feels like a hack'n'slash

@app.get("/profile")
async def profile(
    request: Request,
    user: CurrentUser
):
    user.has_permissions(["abc"])

but this wouldn't be available to any automatic documentation items (custom open api and run through routes).

• adding in request and user into every route just for the auth somewhat seems like a lot of excess. the documentation will show a padlock from the CurrentUser depends (cause it calls the Security stuff) but if you forget to add in the user.has_permissions then you potentially open up that endpoint, theres now a disconnect.

i tried adding a "permission" parameter on the @app.get but that naturally complains about get not having a param defined for permissions. suggest adding **kwargs to all the route stuff (get,post,put etc) that way the devs can do whatever they want with it but it gives the dev the power to add some stuff in. (i noticed that the methods were duplicated in application and routing)

ive tried many things now :( but still not happy with it :(

how have others solved this? a lot of what i find around auth just regurgitates the jwt examples on the fastapi docs page. was a mission to even find the usage of APIKeyHeader, APIKeyQuery (pretty impressed that fastapi has these tbh)

Operating System

Linux, Windows

Operating System Details

No response

FastAPI Version

0.103.2

Pydantic Version

2.4.2

Python Version

Python 3.12.0

Additional Context

No response

[WilliamStam]

and to further add. as far as i can tell it wont be possible for a Depends to add a "response" (so like auto adding a "403" response to pages that use user: CurrentUser

[chrisK824]

hI @WilliamStam , this might help you sort some things out:

https://github.com/chrisK824/fastapi-rbac-example

[chrisK824]

Hi @OriBerlo , not sure I understand correctly your question. The link I have provided above is on a repo where I demonstrate just that (applying different permissions for each individual endpoint path). Are you requesting something different that I'm missing at the moment?

[OriBerlo]

Hi Chris, the code you provided is great and very clear! thanks for that :)
I wanted to ask a deeper question regarding the solution approach you suggested.

I'm writing an Auth infra in fastapi and I wanted all endpoints to be protected, I'm achieving it using a global dependency (similar to your example) but I also want the ability to override the roles/permissions from each endpoint and choose to override / not rely on the global dependency and I was wondering whether you have a suggestion for that

Thanks for the response and for the Example code you provided,
Ori

[chrisK824]

Hey again Ori,

The code example does exact what you are asking for. It does apply different permissions dependencies on each route, not globally, so I don't get your need yet. Can you provide with a piece of code you have so far to maybe explain better your situation?

[rohantandon25]

hi @chrisK824, my use case is that I have a router which has a global dependency to validate jwt tokens. then, i also have endpoints which come under the secure router where i want to check for the permissions, so for example

secure_router = APIRouter(dependencies=[Security(auth0_token)])
@secure_router.get("/api/{org}/user",
                    dependencies=[Depends(PermissionsValidator(["read:{org}"]))])

and PermissionsValidator is defined as:

class PermissionsValidator:
    def __init__(self, required_permissions: list[str]):
        self.required_permissions = required_permissions

    def __call__(self, token: JWTPayload = Security(auth0_token)):
        token_permissions = token.permissions
        token_permissions_set = set(token_permissions)
        required_permissions_set = set(self.required_permissions)

        if not required_permissions_set.issubset(token_permissions_set):
            raise PermissionDeniedException

it seems to me that the jwt token will be validated twice in this scenario - is it possible to do it only once?

[chrisK824]

Hey @rohantandon25, I am afraid that you are right. I mean a little log there wouldn't hurt, as there could be a deduplication mechanism for dependencies that I am not aware of (didn't run your example as I am not close to a machine these days).

If that's the case, most probably, I don't think you can do much about it. Certainly one cannot override router or global dependencies with path dependencies as I could track this one down #7089

If I were you I would try to encapsulate the router dependency as a subset of the path one. After all, having a token with no required specifc permissions is just having a token with empty list of required permissions.

And if that seems overkill, I guess I would split those paths in a different router.

[WilliamStam]

I'm writing an Auth infra in fastapi and I wanted all endpoints to be protected,

@router.post("/items",
             dependencies=[Depends(PermissionChecker([Items.permissions.CREATE]))], # <----- this is on the route itself
             response_model=Item, summary="Create a new item",
             tags=["Items"])
def create_item(item: ItemIn, db: Session = Depends(get_db)):

since its a normal dependency you can use it on the router / route / app levels

---

you can also add the "permissions" object onto the route object ala decorator. as in route_object.permissions = xyz but that means you havent explicitly declared it on the object., just attaching to the object.

you can also look at #10692 but its very similer to chris's approach for the auth