Browse Source

fix: Require realm in HTTPBasic to comply with RFC 7617 (#13471)

pull/14595/head
Sudhakar Pallaprolu 7 months ago
parent
commit
4fb016ccfd
  1. 2
      docs_src/security/tutorial006_an_py39.py
  2. 2
      docs_src/security/tutorial006_py39.py
  3. 4
      docs_src/security/tutorial007_an_py39.py
  4. 4
      docs_src/security/tutorial007_py39.py
  5. 8
      fastapi/security/http.py
  6. 6
      tests/test_security_http_basic_optional.py
  7. 6
      tests/test_tutorial/test_security/test_tutorial006.py

2
docs_src/security/tutorial006_an_py39.py

@ -5,7 +5,7 @@ from fastapi.security import HTTPBasic, HTTPBasicCredentials
app = FastAPI()
security = HTTPBasic()
security = HTTPBasic(realm="simple")
@app.get("/users/me")

2
docs_src/security/tutorial006_py39.py

@ -3,7 +3,7 @@ from fastapi.security import HTTPBasic, HTTPBasicCredentials
app = FastAPI()
security = HTTPBasic()
security = HTTPBasic(realm="simple")
@app.get("/users/me")

4
docs_src/security/tutorial007_an_py39.py

@ -6,7 +6,7 @@ from fastapi.security import HTTPBasic, HTTPBasicCredentials
app = FastAPI()
security = HTTPBasic()
security = HTTPBasic(realm="simple")
def get_current_username(
@ -26,7 +26,7 @@ def get_current_username(
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Incorrect username or password",
headers={"WWW-Authenticate": "Basic"},
headers={"WWW-Authenticate": 'Basic realm="simple"'},
)
return credentials.username

4
docs_src/security/tutorial007_py39.py

@ -5,7 +5,7 @@ from fastapi.security import HTTPBasic, HTTPBasicCredentials
app = FastAPI()
security = HTTPBasic()
security = HTTPBasic(realm="simple")
def get_current_username(credentials: HTTPBasicCredentials = Depends(security)):
@ -23,7 +23,7 @@ def get_current_username(credentials: HTTPBasicCredentials = Depends(security)):
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Incorrect username or password",
headers={"WWW-Authenticate": "Basic"},
headers={"WWW-Authenticate": 'Basic realm="simple"'},
)
return credentials.username

8
fastapi/security/http.py

@ -153,13 +153,13 @@ class HTTPBasic(HTTPBase):
),
] = None,
realm: Annotated[
Optional[str],
str,
Doc(
"""
HTTP Basic authentication realm.
"""
),
] = None,
],
description: Annotated[
Optional[str],
Doc(
@ -197,9 +197,7 @@ class HTTPBasic(HTTPBase):
self.auto_error = auto_error
def make_authenticate_headers(self) -> dict[str, str]:
if self.realm:
return {"WWW-Authenticate": f'Basic realm="{self.realm}"'}
return {"WWW-Authenticate": "Basic"}
return {"WWW-Authenticate": f'Basic realm="{self.realm}"'}
async def __call__( # type: ignore
self, request: Request

6
tests/test_security_http_basic_optional.py

@ -7,7 +7,7 @@ from fastapi.testclient import TestClient
app = FastAPI()
security = HTTPBasic(auto_error=False)
security = HTTPBasic(realm="simple", auto_error=False)
@app.get("/users/me")
@ -37,7 +37,7 @@ def test_security_http_basic_invalid_credentials():
"/users/me", headers={"Authorization": "Basic notabase64token"}
)
assert response.status_code == 401, response.text
assert response.headers["WWW-Authenticate"] == "Basic"
assert response.headers["WWW-Authenticate"] == 'Basic realm="simple"'
assert response.json() == {"detail": "Not authenticated"}
@ -46,7 +46,7 @@ def test_security_http_basic_non_basic_credentials():
auth_header = f"Basic {payload}"
response = client.get("/users/me", headers={"Authorization": auth_header})
assert response.status_code == 401, response.text
assert response.headers["WWW-Authenticate"] == "Basic"
assert response.headers["WWW-Authenticate"] == 'Basic realm="simple"'
assert response.json() == {"detail": "Not authenticated"}

6
tests/test_tutorial/test_security/test_tutorial006.py

@ -29,7 +29,7 @@ def test_security_http_basic_no_credentials(client: TestClient):
response = client.get("/users/me")
assert response.json() == {"detail": "Not authenticated"}
assert response.status_code == 401, response.text
assert response.headers["WWW-Authenticate"] == "Basic"
assert response.headers["WWW-Authenticate"] == 'Basic realm="simple"'
def test_security_http_basic_invalid_credentials(client: TestClient):
@ -37,7 +37,7 @@ def test_security_http_basic_invalid_credentials(client: TestClient):
"/users/me", headers={"Authorization": "Basic notabase64token"}
)
assert response.status_code == 401, response.text
assert response.headers["WWW-Authenticate"] == "Basic"
assert response.headers["WWW-Authenticate"] == 'Basic realm="simple"'
assert response.json() == {"detail": "Not authenticated"}
@ -46,7 +46,7 @@ def test_security_http_basic_non_basic_credentials(client: TestClient):
auth_header = f"Basic {payload}"
response = client.get("/users/me", headers={"Authorization": auth_header})
assert response.status_code == 401, response.text
assert response.headers["WWW-Authenticate"] == "Basic"
assert response.headers["WWW-Authenticate"] == 'Basic realm="simple"'
assert response.json() == {"detail": "Not authenticated"}

Loading…
Cancel
Save