💭 Protect Api Docs Behind Authentication? · Issue #364 · Tiangolo/Fastapi
Waylon Walker
Learning in Public @_WaylonWalker
Tags
Note
This post is a thought. It's a short note that I make about someone else's
content online. Learn more about the process
thoughts
Here's my thought on 💭 Protect API docs behind authentication? · Issue #364 · tiangolo/fastapi
You can protect your fastapi docs behind auth so that not only can certain roles not run certain routes, but they cannot even see the docs at all. This way no one that shouldn't be poking around can even discover routes they shouldn't be using.
Here is the soluteion provided by @kennylajara
from fastapi import FastAPI from fastapi.openapi.docs import get_redoc_html, get_swagger_ui_html from fastapi.openapi.utils import get_openapi import secrets from fastapi import Depends, FastAPI, HTTPException, status from fastapi.security import HTTPBasic, HTTPBasicCredentials app = FastAPI( title="FastAPI", version="0.1.0", docs_url=None, redoc_url=None, openapi_url = None, ) security = HTTPBasic() def get_current_username(credentials: HTTPBasicCredentials = Depends(security)): correct_username = secrets.compare_digest(credentials.username, "user") correct_password = secrets.compare_digest(credentials.password, "password") if not (correct_username and correct_password): raise HTTPException( status_code=status.HTTP_401_UNAUTHORIZED, detail="Incorrect email or password", headers={"WWW-Authenticate": "Basic"}, ) return credentials.username @app.get("/docs", include_in_schema=False) async def get_swagger_documentation(username: str = Depends(get_current_username)): return get_swagger_ui_html(openapi_url="/openapi.json", title="docs") @app.get("/redoc", include_in_schema=False) async def get_redoc_documentation(username: str = Depends(get_current_username)): return get_redoc_html(openapi_url="/openapi.json", title="docs") @app.get("/openapi.json", include_in_schema=False) async def openapi(username: str = Depends(get_current_username)): return get_openapi(title=app.title, version=app.version, routes=app.routes
This post was a thought by Waylon Walker see all my thoughts at https://waylonwalker.com/thoughts