def test_that_oauth2_rejects_expired_token(app, client):
    """An access token whose expiry lies in the past must be answered with 401.

    The JWKS endpoint is mocked so that signing keys are available; the token
    is otherwise well-formed, so the rejection has to come from the expiry
    check rather than from a parse or key-lookup failure.
    """
    sec = FastAPISecurity()

    @app.get("/")
    def get_products(user: User = Depends(sec.authenticated_user_or_401)):
        return []

    sec.init(app, jwks_url=dummy_jwks_url, audiences=[dummy_audience])

    # A negative offset is expected to yield an already-expired token
    # (see make_access_token for the exact unit of expire_in).
    stale_token = make_access_token(sub="test-subject", expire_in=-1)
    auth_header = {"Authorization": f"Bearer {stale_token}"}

    with aioresponses() as jwks_mock:
        jwks_mock.get(dummy_jwks_url, payload=dummy_jwks_response_data)
        response = client.get("/", headers=auth_header)
        assert response.status_code == 401
def test_that_oauth2_rejects_incorrect_token(app, client):
    """Requests without a usable bearer token must be answered with 401.

    Three cases are covered: no Authorization header at all, a bearer value
    that is not JWT-shaped, and a three-segment value that looks like a JWT
    but carries garbage. No JWKS response is mocked for this test.
    """
    sec = FastAPISecurity()

    @app.get("/")
    def get_products(user: User = Depends(sec.authenticated_user_or_401)):
        return []

    sec.init(app, jwks_url=dummy_jwks_url, audiences=[dummy_audience])

    # Header absent entirely.
    assert client.get("/").status_code == 401

    # Malformed bearer values: not JWT-shaped, then JWT-shaped garbage.
    for bogus_token in ("abc", "abc.xyz.def"):
        response = client.get(
            "/", headers={"Authorization": f"Bearer {bogus_token}"}
        )
        assert response.status_code == 401, bogus_token
def test_that_missing_permission_results_in_403(app, client):
    """A valid token lacking the required permission must yield 403, not 401.

    The caller is authenticated (signature and audience check out) but is not
    authorized for this route; the body names the missing permission so the
    failure is attributable to authorization rather than authentication.
    """
    sec = FastAPISecurity()
    can_list = UserPermission("users:list")  # noqa

    @app.get("/users/registry")
    def get_user_list(
        user: User = Depends(sec.user_with_permissions(can_list)),
    ):
        return [user]

    sec.init(app, jwks_url=dummy_jwks_url, audiences=[dummy_audience])

    # Authenticated subject carrying an empty permission set.
    token = make_access_token(sub="test-user", permissions=[])
    auth_header = {"Authorization": f"Bearer {token}"}

    with aioresponses() as jwks_mock:
        jwks_mock.get(dummy_jwks_url, payload=dummy_jwks_response_data)
        response = client.get("/users/registry", headers=auth_header)

    assert response.status_code == 403
    assert response.json() == {
        "detail": "Missing required permission users:list"
    }
def test_that_assigned_permission_result_in_200(app, client):
    """A valid token carrying the required permission must reach the handler.

    Counterpart of the 403 test: same route and same permission requirement,
    but the token's permission list now includes ``users:list``. The handler
    echoes the resolved user, whose subject must match the token's ``sub``.
    """
    sec = FastAPISecurity()
    can_list = UserPermission("users:list")  # noqa

    @app.get("/users/registry")
    def get_user_list(
        user: User = Depends(sec.user_with_permissions(can_list)),
    ):
        return [user]

    sec.init(app, jwks_url=dummy_jwks_url, audiences=[dummy_audience])

    token = make_access_token(sub="test-user", permissions=["users:list"])
    auth_header = {"Authorization": f"Bearer {token}"}

    with aioresponses() as jwks_mock:
        jwks_mock.get(dummy_jwks_url, payload=dummy_jwks_response_data)
        response = client.get("/users/registry", headers=auth_header)

    assert response.status_code == 200
    # The handler returns a one-element list; unpack it to get the user.
    (listed_user,) = response.json()
    assert listed_user["auth"]["subject"] == "test-user"
from fastapi_security import FastAPISecurity, User, UserPermission

from . import db
from .models import Product
from .settings import get_settings

app = FastAPI()
settings = get_settings()

# One security instance for the whole app; every Depends() on routes below
# resolves through it. All credential and verification inputs (basic-auth
# credentials, JWKS URL, accepted audiences, OIDC discovery URL, permission
# overrides) come from settings, so nothing secret is hard-coded here.
security = FastAPISecurity()
security.init(
    app,
    basic_auth_credentials=settings.basic_auth_credentials,
    jwks_url=settings.oauth2_jwks_url,
    audiences=settings.oauth2_audiences,
    oidc_discovery_url=settings.oidc_discovery_url,
    permission_overrides=settings.permission_overrides,
)

logger = logging.getLogger(__name__)

# Permission required to create products; enforced on routes that depend on
# security.user_with_permissions(create_product_perm).
create_product_perm = UserPermission("products:create")


@app.get("/users/me")
async def get_user_details(user: User = Depends(security.user_with_info)):
    """Return user details, regardless of whether user is authenticated or not"""
    # NOTE(review): without_access_token() presumably drops the raw bearer
    # credential so it is not reflected back in the response body — confirm
    # against fastapi_security.User.
    return user.without_access_token()