Posts tagged: security https://waylonwalker.com/tags/security/atom.xml 2023-07-28T14:59:37Z All posts with the tag "security" Waylon Walker markata-go 💭 First-class session support in FastAPI · Issue #754 · tiangolo... https://waylonwalker.com/thought-36/ 2023-07-28T14:59:37Z 2023-07-28T14:59:37Z !https://github.com/tiangolo/fastapi/issues/754 <div class="embed-card embed-card-external"> <a href="https://github.com/tiangolo/fastapi/issues/754" class="embed-card-link" target="_blank" rel="noopener noreferrer"> <div class="embed-card-image"> <img class="glightbox" src="https://opengraph.githubassets.com/5190baf4079f115873906d0710f7ee90869032b3ff4751df480a4ca41ff00084/fastapi/fastapi/issues/754" alt="First-class session support in FastAPI · Issue #754 · fastapi/fastapi — Is your feature request related to a problem All of the security schemas currently supported by FastAPI rely on some sort of &#34;client-server synergy&#34; , where, for instance, the client is expected to..." loading="lazy"/ data-glightbox="description: First-class session support in FastAPI · Issue #754 · fastapi/fastapi — Is your feature request related to a problem All of the security schemas currently supported by FastAPI rely on some sort of &#34;client-server synergy&#34; , where, for instance, the client is expected to..."> </div> <div class="embed-card-content"> <div class="embed-card-title">First-class session support in FastAPI · Issue #754 · fastapi/fastapi</div> <div class="embed-card-description">Is your feature request related to a problem All of the security schemas currently supported by FastAPI rely on some sort of &#34;client-server synergy&#34; , where, for instance, the client is expected to...</div> <div class="embed-card-meta">GitHub · github.com</div> </div> </a> </div> <p>Here is a snippet provided by @tiangolo to store the users jwt inside of a session cookie in fatapi. This was written in feb 12, 2020 and admits that this is not a well documented part of <a href="/fastapi/" class="glossary-term" title="FastAPI is a modern and efficient web framework for Python, built on top of the Starlette web framework, and pydantic for data validation and serialization.">fastapi</a>.</p> <blockquote> <p>It’s already in place. More or less like the rest of the security tools. And it’s compatible with the rest of the parts, integrated with OpenAPI (as possible), but probably most importantly, with dependencies.</p> </blockquote> <blockquote> <p>It’s just not properly documented yet. 😞</p> </blockquote> <blockquote> <p>But still, it works 🚀 e.g.</p> </blockquote> <pre class="chroma"><code><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">Form</span><span class="p">,</span> <span class="n">HTTPException</span><span class="p">,</span> <span class="n">Depends</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">fastapi.security</span> <span class="kn">import</span> <span class="n">APIKeyCookie</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">starlette.responses</span> <span class="kn">import</span> <span class="n">Response</span><span class="p">,</span> <span class="n">HTMLResponse</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">starlette</span> <span class="kn">import</span> <span class="n">status</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">jose</span> <span class="kn">import</span> <span class="n">jwt</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">app</span> <span class="o">=</span> <span class="n">FastAPI</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">cookie_sec</span> <span class="o">=</span> <span class="n">APIKeyCookie</span><span class="p">(</span><span class="n">name</span><span class="o">=</span><span class="s2">&#34;session&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">secret_key</span> <span class="o">=</span> <span class="s2">&#34;someactualsecret&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">users</span> <span class="o">=</span> <span class="p">{</span><span class="s2">&#34;dmontagu&#34;</span><span class="p">:</span> <span class="p">{</span><span class="s2">&#34;password&#34;</span><span class="p">:</span> <span class="s2">&#34;secret1&#34;</span><span class="p">},</span> <span class="s2">&#34;tiangolo&#34;</span><span class="p">:</span> <span class="p">{</span><span class="s2">&#34;password&#34;</span><span class="p">:</span> <span class="s2">&#34;secret2&#34;</span><span class="p">}}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">get_current_user</span><span class="p">(</span><span class="n">session</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="n">Depends</span><span class="p">(</span><span class="n">cookie_sec</span><span class="p">)):</span> </span></span><span class="line"><span class="cl"> <span class="k">try</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">payload</span> <span class="o">=</span> <span class="n">jwt</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="n">session</span><span class="p">,</span> <span class="n">secret_key</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">user</span> <span class="o">=</span> <span class="n">users</span><span class="p">[</span><span class="n">payload</span><span class="p">[</span><span class="s2">&#34;sub&#34;</span><span class="p">]]</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">user</span> </span></span><span class="line"><span class="cl"> <span class="k">except</span> <span class="ne">Exception</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">raise</span> <span class="n">HTTPException</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="n">status_code</span><span class="o">=</span><span class="n">status</span><span class="o">.</span><span class="n">HTTP_403_FORBIDDEN</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="s2">&#34;Invalid authentication&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nd">@app.get</span><span class="p">(</span><span class="s2">&#34;/login&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">login_page</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">HTMLResponse</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;&#34;&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"> &lt;form action=&#34;/login&#34; method=&#34;post&#34;&gt; </span></span></span><span class="line"><span class="cl"><span class="s2"> Username: &lt;input type=&#34;text&#34; name=&#34;username&#34; required&gt; </span></span></span><span class="line"><span class="cl"><span class="s2"> &lt;br&gt; </span></span></span><span class="line"><span class="cl"><span class="s2"> Password: &lt;input type=&#34;password&#34; name=&#34;password&#34; required&gt; </span></span></span><span class="line"><span class="cl"><span class="s2"> &lt;input type=&#34;submit&#34; value=&#34;Login&#34;&gt; </span></span></span><span class="line"><span class="cl"><span class="s2"> &lt;/form&gt; </span></span></span><span class="line"><span class="cl"><span class="s2"> &#34;&#34;&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nd">@app.post</span><span class="p">(</span><span class="s2">&#34;/login&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">login</span><span class="p">(</span><span class="n">response</span><span class="p">:</span> <span class="n">Response</span><span class="p">,</span> <span class="n">username</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="n">Form</span><span class="p">(</span><span class="o">...</span><span class="p">),</span> <span class="n">password</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="n">Form</span><span class="p">(</span><span class="o">...</span><span class="p">)):</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">username</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">users</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">raise</span> <span class="n">HTTPException</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="n">status_code</span><span class="o">=</span><span class="n">status</span><span class="o">.</span><span class="n">HTTP_403_FORBIDDEN</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="s2">&#34;Invalid user or password&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">db_password</span> <span class="o">=</span> <span class="n">users</span><span class="p">[</span><span class="n">username</span><span class="p">][</span><span class="s2">&#34;password&#34;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="ow">not</span> <span class="n">password</span> <span class="o">==</span> <span class="n">db_password</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">raise</span> <span class="n">HTTPException</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="n">status_code</span><span class="o">=</span><span class="n">status</span><span class="o">.</span><span class="n">HTTP_403_FORBIDDEN</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="s2">&#34;Invalid user or password&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">token</span> <span class="o">=</span> <span class="n">jwt</span><span class="o">.</span><span class="n">encode</span><span class="p">({</span><span class="s2">&#34;sub&#34;</span><span class="p">:</span> <span class="n">username</span><span class="p">},</span> <span class="n">secret_key</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">response</span><span class="o">.</span><span class="n">set_cookie</span><span class="p">(</span><span class="s2">&#34;session&#34;</span><span class="p">,</span> <span class="n">token</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="p">{</span><span class="s2">&#34;ok&#34;</span><span class="p">:</span> <span class="kc">True</span><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nd">@app.get</span><span class="p">(</span><span class="s2">&#34;/private&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">read_private</span><span class="p">(</span><span class="n">username</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="n">Depends</span><span class="p">(</span><span class="n">get_current_user</span><span class="p">)):</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="p">{</span><span class="s2">&#34;username&#34;</span><span class="p">:</span> <span class="n">username</span><span class="p">,</span> <span class="s2">&#34;private&#34;</span><span class="p">:</span> <span class="s2">&#34;get some private data&#34;</span><span class="p">}</span> </span></span></code></pre><div class="admonition note"> <p class="admonition-title">Note</p> <p>This post is a <a href="/thoughts/" class="wikilink" data-title="Thoughts" data-description="These are generally my thoughts on a web page or some sort of url, except a rare few don&#39;t have a link. These are dual published off of my..." data-date="2024-04-01" data-preview="These are generally my thoughts on a web page or some sort of url, except a rare few don&#39;t have a link. These are dual published off of my...">thought</a>. It’s a short note that I make about someone else’s content online <a href="/tags/thoughts/" class="hashtag-tag" data-tag="thoughts" data-count="2" data-reading-time="3" data-reading-time-text="3 minutes">#thoughts</a></p> </div> Waylon Walker hello@waylonwalker.com https://waylonwalker.com