Merge 9b7ad41659 into 1d434dec47

4 days ago · 4961709a17
3 changed files with 59 additions and 2 deletions
--- a/fastapi/param_functions.py
+++ b/fastapi/param_functions.py
@ -2295,7 +2295,8 @@ def Security(  # noqa: N802
        Doc(
            """
            OAuth2 scopes required for the *path operation* that uses this Security
-            dependency.
+            dependency. If a string is given, the list of scopes will have only one scope
+            defined by the string value.

            The term "scope" comes from the OAuth2 specification, it seems to be
            intentionally vague and interpretable. It normally refers to permissions,
--- a/fastapi/params.py
+++ b/fastapi/params.py
@ -783,4 +783,7 @@ class Security(Depends):
        use_cache: bool = True,
    ):
        super().__init__(dependency=dependency, use_cache=use_cache)
-        self.scopes = scopes or []
+        if isinstance(scopes, str):
+            self.scopes: Sequence[str] = [scopes]
+        else:
+            self.scopes = scopes or []
--- a/tests/test_security_oauth2_scopes.py
+++ b/tests/test_security_oauth2_scopes.py
@ -0,0 +1,53 @@
+from typing import List
+
+from fastapi import FastAPI, Security
+from fastapi.params import Depends
+from fastapi.security import OAuth2PasswordBearer
+from fastapi.security.oauth2 import SecurityScopes
+from fastapi.testclient import TestClient
+
+app = FastAPI()
+
+oauth2_scheme = OAuth2PasswordBearer(
+    tokenUrl="token",
+    scopes={"me": "Read information about the current user.", "items": "Read items."},
+)
+
+
+def get_security_scopes(
+    security_scopes: SecurityScopes, token=Depends(oauth2_scheme)
+) -> List[str]:
+    return security_scopes.scopes
+
+
+@app.get("/me")
+async def read_single_scope(
+    current_scope=Security(get_security_scopes, scopes="me"),
+):
+    return {"scopes": current_scope}
+
+
+@app.get("/me-and-items")
+async def read_multiple_scopes(
+    current_scope=Security(get_security_scopes, scopes=["me", "items"]),
+):
+    return {"scopes": current_scope}
+
+
+client = TestClient(app)
+
+
+def test_single_scope_string():
+    response = client.get("/me", headers={"Authorization": "Bearer sometoken"})
+
+    assert response.status_code == 200
+    assert response.json() == {"scopes": ["me"]}
+
+
+def test_list_scopes():
+    response = client.get(
+        "/me-and-items", headers={"Authorization": "Bearer sometoken"}
+    )
+
+    assert response.status_code == 200
+    assert response.json() == {"scopes": ["me", "items"]}