Browse Source
Adds `app.audit_security()` that returns a list of all routes with no
SecurityBase dependency anywhere in their dependency tree. Recursively
walks nested dependencies to detect security schemes at any depth.
Detects all security types: OAuth2PasswordBearer, HTTPBearer, HTTPBasic,
APIKeyHeader/Query/Cookie, OpenIdConnect, and Security() with scopes.
Also detects router-level security dependencies.
Use case: security reviews and compliance audits. There is currently no
way to statically determine which FastAPI endpoints are unprotected
without manually traversing the full dependency graph of every route.
Example:
unprotected = app.audit_security()
for route in unprotected:
print(f"UNPROTECTED: {route['methods']} {route['path']}")
pull/14996/head
1 changed files with 59 additions and 0 deletions
Loading…
Reference in new issue