From e48656e514045304fbf13dfe1bc1d6ac21f904bc Mon Sep 17 00:00:00 2001 From: shyam-ramani Date: Tue, 1 Apr 2025 23:17:40 +0530 Subject: [PATCH 1/3] fix(security): enforce 'realm' in HTTPBasic per RFC 7617 --- fastapi/security/http.py | 53 ++++++++++++++++++++++++++++------------ 1 file changed, 37 insertions(+), 16 deletions(-) diff --git a/fastapi/security/http.py b/fastapi/security/http.py index 9ab2df3c9..6dce29bfe 100644 --- a/fastapi/security/http.py +++ b/fastapi/security/http.py @@ -2,6 +2,12 @@ import binascii from base64 import b64decode from typing import Optional +from fastapi.security.base import SecurityBase +from fastapi import HTTPException, status, Depends +from fastapi.security.utils import get_authorization_scheme_param +from starlette.requests import Request +from starlette.status import HTTP_401_UNAUTHORIZED +from typing import Optional, Tuple from fastapi.exceptions import HTTPException from fastapi.openapi.models import HTTPBase as HTTPBaseModel from fastapi.openapi.models import HTTPBearer as HTTPBearerModel @@ -64,34 +70,49 @@ class HTTPAuthorizationCredentials(BaseModel): """ ), ] +class HTTPBasicCredentials(BaseModel): + username: str + password: str - -class HTTPBase(SecurityBase): +class HTTPBasic(SecurityBase): def __init__( self, *, - scheme: str, scheme_name: Optional[str] = None, - description: Optional[str] = None, - auto_error: bool = True, + realm: str, # REQUIRED parameter (RFC 7617 compliance) + auto_error: bool = True ): - self.model = HTTPBaseModel(scheme=scheme, description=description) self.scheme_name = scheme_name or self.__class__.__name__ + self.realm = realm self.auto_error = auto_error - async def __call__( - self, request: Request - ) -> Optional[HTTPAuthorizationCredentials]: - authorization = request.headers.get("Authorization") - scheme, credentials = get_authorization_scheme_param(authorization) - if not (authorization and scheme and credentials): + async def __call__(self, request: Request) -> Optional[HTTPBasicCredentials]: + authorization_header = request.headers.get("Authorization") + scheme, credentials = get_authorization_scheme_param(authorization_header) + + # Handle missing/invalid scheme + if not authorization_header or scheme.lower() != "basic": if self.auto_error: raise HTTPException( - status_code=HTTP_403_FORBIDDEN, detail="Not authenticated" + status_code=HTTP_401_UNAUTHORIZED, + headers={"WWW-Authenticate": f'Basic realm="{self.realm}"'}, + detail="Invalid authentication credentials", ) - else: - return None - return HTTPAuthorizationCredentials(scheme=scheme, credentials=credentials) + return None + + # Decode credentials (base64) + try: + decoded = base64.b64decode(credentials).decode("utf-8") + username, _, password = decoded.partition(":") + return HTTPBasicCredentials(username=username, password=password) + except (ValueError, UnicodeDecodeError): + if self.auto_error: + raise HTTPException( + status_code=HTTP_401_UNAUTHORIZED, + headers={"WWW-Authenticate": f'Basic realm="{self.realm}"'}, + detail="Invalid authentication credentials", + ) + return None class HTTPBasic(HTTPBase): From 7d2a09b27c0d7273a7d0c036a74346f1e0a4ec0e Mon Sep 17 00:00:00 2001 From: shyam-ramani Date: Tue, 1 Apr 2025 23:20:25 +0530 Subject: [PATCH 2/3] fix(security): enforce 'realm' in HTTPBasic per RFC 7617 --- node_modules/.yarn-integrity | 10 ++++++++++ yarn.lock | 4 ++++ 2 files changed, 14 insertions(+) create mode 100644 node_modules/.yarn-integrity create mode 100644 yarn.lock diff --git a/node_modules/.yarn-integrity b/node_modules/.yarn-integrity new file mode 100644 index 000000000..9d4d6a804 --- /dev/null +++ b/node_modules/.yarn-integrity @@ -0,0 +1,10 @@ +{ + "systemParams": "win32-x64-127", + "modulesFolders": [], + "flags": [], + "linkedModules": [], + "topLevelPatterns": [], + "lockfileEntries": {}, + "files": [], + "artifacts": {} +} \ No newline at end of file diff --git a/yarn.lock b/yarn.lock new file mode 100644 index 000000000..fb57ccd13 --- /dev/null +++ b/yarn.lock @@ -0,0 +1,4 @@ +# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY. +# yarn lockfile v1 + + From 805df59287ba3499f242fec1e54d1f4d1ca1ce10 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Tue, 1 Apr 2025 17:53:42 +0000 Subject: [PATCH 3/3] =?UTF-8?q?=F0=9F=8E=A8=20[pre-commit.ci]=20Auto=20for?= =?UTF-8?q?mat=20from=20pre-commit.com=20hooks?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- fastapi/security/http.py | 16 +++++++--------- node_modules/.yarn-integrity | 2 +- yarn.lock | 2 -- 3 files changed, 8 insertions(+), 12 deletions(-) diff --git a/fastapi/security/http.py b/fastapi/security/http.py index 6dce29bfe..a6cb87b76 100644 --- a/fastapi/security/http.py +++ b/fastapi/security/http.py @@ -2,12 +2,7 @@ import binascii from base64 import b64decode from typing import Optional -from fastapi.security.base import SecurityBase -from fastapi import HTTPException, status, Depends -from fastapi.security.utils import get_authorization_scheme_param -from starlette.requests import Request -from starlette.status import HTTP_401_UNAUTHORIZED -from typing import Optional, Tuple +from fastapi import HTTPException from fastapi.exceptions import HTTPException from fastapi.openapi.models import HTTPBase as HTTPBaseModel from fastapi.openapi.models import HTTPBearer as HTTPBearerModel @@ -70,17 +65,20 @@ class HTTPAuthorizationCredentials(BaseModel): """ ), ] + + class HTTPBasicCredentials(BaseModel): username: str password: str + class HTTPBasic(SecurityBase): def __init__( self, *, scheme_name: Optional[str] = None, realm: str, # REQUIRED parameter (RFC 7617 compliance) - auto_error: bool = True + auto_error: bool = True, ): self.scheme_name = scheme_name or self.__class__.__name__ self.realm = realm @@ -89,7 +87,7 @@ class HTTPBasic(SecurityBase): async def __call__(self, request: Request) -> Optional[HTTPBasicCredentials]: authorization_header = request.headers.get("Authorization") scheme, credentials = get_authorization_scheme_param(authorization_header) - + # Handle missing/invalid scheme if not authorization_header or scheme.lower() != "basic": if self.auto_error: @@ -99,7 +97,7 @@ class HTTPBasic(SecurityBase): detail="Invalid authentication credentials", ) return None - + # Decode credentials (base64) try: decoded = base64.b64decode(credentials).decode("utf-8") diff --git a/node_modules/.yarn-integrity b/node_modules/.yarn-integrity index 9d4d6a804..003bc1b47 100644 --- a/node_modules/.yarn-integrity +++ b/node_modules/.yarn-integrity @@ -7,4 +7,4 @@ "lockfileEntries": {}, "files": [], "artifacts": {} -} \ No newline at end of file +} diff --git a/yarn.lock b/yarn.lock index fb57ccd13..4a5801883 100644 --- a/yarn.lock +++ b/yarn.lock @@ -1,4 +1,2 @@ # THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY. # yarn lockfile v1 - -