Browse Source

fix: Require realm in HTTPBasic to comply with RFC 7617 (#13471)

pull/14595/head
Sudhakar Pallaprolu 7 months ago
parent
commit
4fb016ccfd
  1. 2
      docs_src/security/tutorial006_an_py39.py
  2. 2
      docs_src/security/tutorial006_py39.py
  3. 4
      docs_src/security/tutorial007_an_py39.py
  4. 4
      docs_src/security/tutorial007_py39.py
  5. 8
      fastapi/security/http.py
  6. 6
      tests/test_security_http_basic_optional.py
  7. 6
      tests/test_tutorial/test_security/test_tutorial006.py

2
docs_src/security/tutorial006_an_py39.py

@ -5,7 +5,7 @@ from fastapi.security import HTTPBasic, HTTPBasicCredentials
app = FastAPI() app = FastAPI()
security = HTTPBasic() security = HTTPBasic(realm="simple")
@app.get("/users/me") @app.get("/users/me")

2
docs_src/security/tutorial006_py39.py

@ -3,7 +3,7 @@ from fastapi.security import HTTPBasic, HTTPBasicCredentials
app = FastAPI() app = FastAPI()
security = HTTPBasic() security = HTTPBasic(realm="simple")
@app.get("/users/me") @app.get("/users/me")

4
docs_src/security/tutorial007_an_py39.py

@ -6,7 +6,7 @@ from fastapi.security import HTTPBasic, HTTPBasicCredentials
app = FastAPI() app = FastAPI()
security = HTTPBasic() security = HTTPBasic(realm="simple")
def get_current_username( def get_current_username(
@ -26,7 +26,7 @@ def get_current_username(
raise HTTPException( raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED, status_code=status.HTTP_401_UNAUTHORIZED,
detail="Incorrect username or password", detail="Incorrect username or password",
headers={"WWW-Authenticate": "Basic"}, headers={"WWW-Authenticate": 'Basic realm="simple"'},
) )
return credentials.username return credentials.username

4
docs_src/security/tutorial007_py39.py

@ -5,7 +5,7 @@ from fastapi.security import HTTPBasic, HTTPBasicCredentials
app = FastAPI() app = FastAPI()
security = HTTPBasic() security = HTTPBasic(realm="simple")
def get_current_username(credentials: HTTPBasicCredentials = Depends(security)): def get_current_username(credentials: HTTPBasicCredentials = Depends(security)):
@ -23,7 +23,7 @@ def get_current_username(credentials: HTTPBasicCredentials = Depends(security)):
raise HTTPException( raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED, status_code=status.HTTP_401_UNAUTHORIZED,
detail="Incorrect username or password", detail="Incorrect username or password",
headers={"WWW-Authenticate": "Basic"}, headers={"WWW-Authenticate": 'Basic realm="simple"'},
) )
return credentials.username return credentials.username

8
fastapi/security/http.py

@ -153,13 +153,13 @@ class HTTPBasic(HTTPBase):
), ),
] = None, ] = None,
realm: Annotated[ realm: Annotated[
Optional[str], str,
Doc( Doc(
""" """
HTTP Basic authentication realm. HTTP Basic authentication realm.
""" """
), ),
] = None, ],
description: Annotated[ description: Annotated[
Optional[str], Optional[str],
Doc( Doc(
@ -197,9 +197,7 @@ class HTTPBasic(HTTPBase):
self.auto_error = auto_error self.auto_error = auto_error
def make_authenticate_headers(self) -> dict[str, str]: def make_authenticate_headers(self) -> dict[str, str]:
if self.realm: return {"WWW-Authenticate": f'Basic realm="{self.realm}"'}
return {"WWW-Authenticate": f'Basic realm="{self.realm}"'}
return {"WWW-Authenticate": "Basic"}
async def __call__( # type: ignore async def __call__( # type: ignore
self, request: Request self, request: Request

6
tests/test_security_http_basic_optional.py

@ -7,7 +7,7 @@ from fastapi.testclient import TestClient
app = FastAPI() app = FastAPI()
security = HTTPBasic(auto_error=False) security = HTTPBasic(realm="simple", auto_error=False)
@app.get("/users/me") @app.get("/users/me")
@ -37,7 +37,7 @@ def test_security_http_basic_invalid_credentials():
"/users/me", headers={"Authorization": "Basic notabase64token"} "/users/me", headers={"Authorization": "Basic notabase64token"}
) )
assert response.status_code == 401, response.text assert response.status_code == 401, response.text
assert response.headers["WWW-Authenticate"] == "Basic" assert response.headers["WWW-Authenticate"] == 'Basic realm="simple"'
assert response.json() == {"detail": "Not authenticated"} assert response.json() == {"detail": "Not authenticated"}
@ -46,7 +46,7 @@ def test_security_http_basic_non_basic_credentials():
auth_header = f"Basic {payload}" auth_header = f"Basic {payload}"
response = client.get("/users/me", headers={"Authorization": auth_header}) response = client.get("/users/me", headers={"Authorization": auth_header})
assert response.status_code == 401, response.text assert response.status_code == 401, response.text
assert response.headers["WWW-Authenticate"] == "Basic" assert response.headers["WWW-Authenticate"] == 'Basic realm="simple"'
assert response.json() == {"detail": "Not authenticated"} assert response.json() == {"detail": "Not authenticated"}

6
tests/test_tutorial/test_security/test_tutorial006.py

@ -29,7 +29,7 @@ def test_security_http_basic_no_credentials(client: TestClient):
response = client.get("/users/me") response = client.get("/users/me")
assert response.json() == {"detail": "Not authenticated"} assert response.json() == {"detail": "Not authenticated"}
assert response.status_code == 401, response.text assert response.status_code == 401, response.text
assert response.headers["WWW-Authenticate"] == "Basic" assert response.headers["WWW-Authenticate"] == 'Basic realm="simple"'
def test_security_http_basic_invalid_credentials(client: TestClient): def test_security_http_basic_invalid_credentials(client: TestClient):
@ -37,7 +37,7 @@ def test_security_http_basic_invalid_credentials(client: TestClient):
"/users/me", headers={"Authorization": "Basic notabase64token"} "/users/me", headers={"Authorization": "Basic notabase64token"}
) )
assert response.status_code == 401, response.text assert response.status_code == 401, response.text
assert response.headers["WWW-Authenticate"] == "Basic" assert response.headers["WWW-Authenticate"] == 'Basic realm="simple"'
assert response.json() == {"detail": "Not authenticated"} assert response.json() == {"detail": "Not authenticated"}
@ -46,7 +46,7 @@ def test_security_http_basic_non_basic_credentials(client: TestClient):
auth_header = f"Basic {payload}" auth_header = f"Basic {payload}"
response = client.get("/users/me", headers={"Authorization": auth_header}) response = client.get("/users/me", headers={"Authorization": auth_header})
assert response.status_code == 401, response.text assert response.status_code == 401, response.text
assert response.headers["WWW-Authenticate"] == "Basic" assert response.headers["WWW-Authenticate"] == 'Basic realm="simple"'
assert response.json() == {"detail": "Not authenticated"} assert response.json() == {"detail": "Not authenticated"}

Loading…
Cancel
Save