committed by
GitHub
47 changed files with 463 additions and 136 deletions
@ -24,7 +24,9 @@ jobs: |
|||||
env: |
env: |
||||
GITHUB_CONTEXT: ${{ toJson(github) }} |
GITHUB_CONTEXT: ${{ toJson(github) }} |
||||
run: echo "$GITHUB_CONTEXT" |
run: echo "$GITHUB_CONTEXT" |
||||
- uses: actions/checkout@v6 |
# pin to actions/checkout@v5 for compatibility with latest-changes |
||||
|
# Ref: https://github.com/actions/checkout/issues/2313 |
||||
|
- uses: actions/checkout@v5 |
||||
with: |
with: |
||||
# To allow latest-changes to commit to the main branch |
# To allow latest-changes to commit to the main branch |
||||
token: ${{ secrets.FASTAPI_LATEST_CHANGES }} |
token: ${{ secrets.FASTAPI_LATEST_CHANGES }} |
||||
@ -34,7 +36,7 @@ jobs: |
|||||
if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.debug_enabled == 'true' }} |
if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.debug_enabled == 'true' }} |
||||
with: |
with: |
||||
limit-access-to-actor: true |
limit-access-to-actor: true |
||||
- uses: tiangolo/[email protected].0 |
- uses: tiangolo/[email protected].1 |
||||
with: |
with: |
||||
token: ${{ secrets.GITHUB_TOKEN }} |
token: ${{ secrets.GITHUB_TOKEN }} |
||||
latest_changes_file: docs/en/docs/release-notes.md |
latest_changes_file: docs/en/docs/release-notes.md |
||||
|
|||||
@ -0,0 +1,88 @@ |
|||||
|
name: pre-commit |
||||
|
|
||||
|
on: |
||||
|
pull_request: |
||||
|
types: |
||||
|
- opened |
||||
|
- synchronize |
||||
|
|
||||
|
env: |
||||
|
IS_FORK: ${{ github.event.pull_request.head.repo.full_name != github.repository }} |
||||
|
|
||||
|
jobs: |
||||
|
pre-commit: |
||||
|
runs-on: ubuntu-latest |
||||
|
steps: |
||||
|
- name: Dump GitHub context |
||||
|
env: |
||||
|
GITHUB_CONTEXT: ${{ toJson(github) }} |
||||
|
run: echo "$GITHUB_CONTEXT" |
||||
|
- uses: actions/checkout@v5 |
||||
|
name: Checkout PR for own repo |
||||
|
if: env.IS_FORK == 'false' |
||||
|
with: |
||||
|
# To be able to commit it needs more than the last commit |
||||
|
ref: ${{ github.head_ref }} |
||||
|
# A token other than the default GITHUB_TOKEN is needed to be able to trigger CI |
||||
|
token: ${{ secrets.PRE_COMMIT }} |
||||
|
# pre-commit lite ci needs the default checkout configs to work |
||||
|
- uses: actions/checkout@v5 |
||||
|
name: Checkout PR for fork |
||||
|
if: env.IS_FORK == 'true' |
||||
|
- name: Set up Python |
||||
|
uses: actions/setup-python@v6 |
||||
|
with: |
||||
|
python-version: "3.14" |
||||
|
- name: Setup uv |
||||
|
uses: astral-sh/setup-uv@v7 |
||||
|
with: |
||||
|
cache-dependency-glob: | |
||||
|
requirements**.txt |
||||
|
pyproject.toml |
||||
|
uv.lock |
||||
|
- name: Install Dependencies |
||||
|
run: | |
||||
|
uv venv |
||||
|
uv pip install -r requirements.txt |
||||
|
- name: Run pre-commit |
||||
|
id: precommit |
||||
|
run: | |
||||
|
# Fetch the base branch for comparison |
||||
|
git fetch origin ${{ github.base_ref }} |
||||
|
uvx pre-commit run --from-ref origin/${{ github.base_ref }} --to-ref HEAD --show-diff-on-failure |
||||
|
continue-on-error: true |
||||
|
- name: Commit and push changes |
||||
|
if: env.IS_FORK == 'false' |
||||
|
run: | |
||||
|
git config user.name "github-actions[bot]" |
||||
|
git config user.email "github-actions[bot]@users.noreply.github.com" |
||||
|
git add -A |
||||
|
if git diff --staged --quiet; then |
||||
|
echo "No changes to commit" |
||||
|
else |
||||
|
git commit -m "🎨 Auto format" |
||||
|
git push |
||||
|
fi |
||||
|
- uses: pre-commit-ci/[email protected] |
||||
|
if: env.IS_FORK == 'true' |
||||
|
with: |
||||
|
msg: 🎨 Auto format |
||||
|
- name: Error out on pre-commit errors |
||||
|
if: steps.precommit.outcome == 'failure' |
||||
|
run: exit 1 |
||||
|
|
||||
|
# https://github.com/marketplace/actions/alls-green#why |
||||
|
pre-commit-alls-green: # This job does nothing and is only used for the branch protection |
||||
|
if: always() |
||||
|
needs: |
||||
|
- pre-commit |
||||
|
runs-on: ubuntu-latest |
||||
|
steps: |
||||
|
- name: Dump GitHub context |
||||
|
env: |
||||
|
GITHUB_CONTEXT: ${{ toJson(github) }} |
||||
|
run: echo "$GITHUB_CONTEXT" |
||||
|
- name: Decide whether the needed jobs succeeded or failed |
||||
|
uses: re-actors/alls-green@release/v1 |
||||
|
with: |
||||
|
jobs: ${{ toJSON(needs) }} |
||||
@ -1,25 +1,29 @@ |
|||||
# See https://pre-commit.com for more information |
# See https://pre-commit.com for more information |
||||
# See https://pre-commit.com/hooks.html for more hooks |
# See https://pre-commit.com/hooks.html for more hooks |
||||
default_language_version: |
|
||||
python: python3.10 |
|
||||
repos: |
repos: |
||||
- repo: https://github.com/pre-commit/pre-commit-hooks |
- repo: https://github.com/pre-commit/pre-commit-hooks |
||||
rev: v6.0.0 |
rev: v6.0.0 |
||||
hooks: |
hooks: |
||||
- id: check-added-large-files |
- id: check-added-large-files |
||||
- id: check-toml |
- id: check-toml |
||||
- id: check-yaml |
- id: check-yaml |
||||
args: |
args: |
||||
- --unsafe |
- --unsafe |
||||
- id: end-of-file-fixer |
- id: end-of-file-fixer |
||||
- id: trailing-whitespace |
- id: trailing-whitespace |
||||
- repo: https://github.com/astral-sh/ruff-pre-commit |
- repo: https://github.com/astral-sh/ruff-pre-commit |
||||
rev: v0.14.3 |
rev: v0.14.3 |
||||
hooks: |
hooks: |
||||
- id: ruff |
- id: ruff |
||||
args: |
args: |
||||
- --fix |
- --fix |
||||
- id: ruff-format |
- id: ruff-format |
||||
ci: |
- repo: local |
||||
autofix_commit_msg: 🎨 [pre-commit.ci] Auto format from pre-commit.com hooks |
hooks: |
||||
autoupdate_commit_msg: ⬆ [pre-commit.ci] pre-commit autoupdate |
- id: local-script |
||||
|
language: unsupported |
||||
|
name: local script |
||||
|
entry: uv run ./scripts/docs.py add-permalinks-pages |
||||
|
args: |
||||
|
- --update-existing |
||||
|
files: ^docs/en/docs/.*\.md$ |
||||
|
|||||
@ -0,0 +1,17 @@ |
|||||
|
# Use Old 403 Authentication Error Status Codes { #use-old-403-authentication-error-status-codes } |
||||
|
|
||||
|
Before FastAPI version `0.122.0`, when the integrated security utilities returned an error to the client after a failed authentication, they used the HTTP status code `403 Forbidden`. |
||||
|
|
||||
|
Starting with FastAPI version `0.122.0`, they use the more appropriate HTTP status code `401 Unauthorized`, and return a sensible `WWW-Authenticate` header in the response, following the HTTP specifications, <a href="https://datatracker.ietf.org/doc/html/rfc7235#section-3.1" class="external-link" target="_blank">RFC 7235</a>, <a href="https://datatracker.ietf.org/doc/html/rfc9110#name-401-unauthorized" class="external-link" target="_blank">RFC 9110</a>. |
||||
|
|
||||
|
But if for some reason your clients depend on the old behavior, you can revert to it by overriding the method `make_not_authenticated_error` in your security classes. |
||||
|
|
||||
|
For example, you can create a subclass of `HTTPBearer` that returns a `403 Forbidden` error instead of the default `401 Unauthorized` error: |
||||
|
|
||||
|
{* ../../docs_src/authentication_error_status_code/tutorial001_an_py39.py hl[9:13] *} |
||||
|
|
||||
|
/// tip |
||||
|
|
||||
|
Notice that the function returns the exception instance, it doesn't raise it. The raising is done in the rest of the internal code. |
||||
|
|
||||
|
/// |
||||
@ -0,0 +1,20 @@ |
|||||
|
from fastapi import Depends, FastAPI, HTTPException, status |
||||
|
from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer |
||||
|
from typing_extensions import Annotated |
||||
|
|
||||
|
app = FastAPI() |
||||
|
|
||||
|
|
||||
|
class HTTPBearer403(HTTPBearer): |
||||
|
def make_not_authenticated_error(self) -> HTTPException: |
||||
|
return HTTPException( |
||||
|
status_code=status.HTTP_403_FORBIDDEN, detail="Not authenticated" |
||||
|
) |
||||
|
|
||||
|
|
||||
|
CredentialsDep = Annotated[HTTPAuthorizationCredentials, Depends(HTTPBearer403())] |
||||
|
|
||||
|
|
||||
|
@app.get("/me") |
||||
|
def read_me(credentials: CredentialsDep): |
||||
|
return {"message": "You are authenticated", "token": credentials.credentials} |
||||
@ -0,0 +1,21 @@ |
|||||
|
from typing import Annotated |
||||
|
|
||||
|
from fastapi import Depends, FastAPI, HTTPException, status |
||||
|
from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer |
||||
|
|
||||
|
app = FastAPI() |
||||
|
|
||||
|
|
||||
|
class HTTPBearer403(HTTPBearer): |
||||
|
def make_not_authenticated_error(self) -> HTTPException: |
||||
|
return HTTPException( |
||||
|
status_code=status.HTTP_403_FORBIDDEN, detail="Not authenticated" |
||||
|
) |
||||
|
|
||||
|
|
||||
|
CredentialsDep = Annotated[HTTPAuthorizationCredentials, Depends(HTTPBearer403())] |
||||
|
|
||||
|
|
||||
|
@app.get("/me") |
||||
|
def read_me(credentials: CredentialsDep): |
||||
|
return {"message": "You are authenticated", "token": credentials.credentials} |
||||
@ -1,6 +1,6 @@ |
|||||
-e .[all] |
-e .[all] |
||||
-r requirements-tests.txt |
-r requirements-tests.txt |
||||
-r requirements-docs.txt |
-r requirements-docs.txt |
||||
pre-commit >=2.17.0,<5.0.0 |
pre-commit >=4.5.0,<5.0.0 |
||||
# For generating screenshots |
# For generating screenshots |
||||
playwright |
playwright |
||||
|
|||||
@ -0,0 +1,69 @@ |
|||||
|
import importlib |
||||
|
|
||||
|
import pytest |
||||
|
from fastapi.testclient import TestClient |
||||
|
from inline_snapshot import snapshot |
||||
|
|
||||
|
from ...utils import needs_py39 |
||||
|
|
||||
|
|
||||
|
@pytest.fixture( |
||||
|
name="client", |
||||
|
params=[ |
||||
|
"tutorial001_an", |
||||
|
pytest.param("tutorial001_an_py39", marks=needs_py39), |
||||
|
], |
||||
|
) |
||||
|
def get_client(request: pytest.FixtureRequest): |
||||
|
mod = importlib.import_module( |
||||
|
f"docs_src.authentication_error_status_code.{request.param}" |
||||
|
) |
||||
|
|
||||
|
client = TestClient(mod.app) |
||||
|
return client |
||||
|
|
||||
|
|
||||
|
def test_get_me(client: TestClient): |
||||
|
response = client.get("/me", headers={"Authorization": "Bearer secrettoken"}) |
||||
|
assert response.status_code == 200 |
||||
|
assert response.json() == { |
||||
|
"message": "You are authenticated", |
||||
|
"token": "secrettoken", |
||||
|
} |
||||
|
|
||||
|
|
||||
|
def test_get_me_no_credentials(client: TestClient): |
||||
|
response = client.get("/me") |
||||
|
assert response.status_code == 403 |
||||
|
assert response.json() == {"detail": "Not authenticated"} |
||||
|
|
||||
|
|
||||
|
def test_openapi_schema(client: TestClient): |
||||
|
response = client.get("/openapi.json") |
||||
|
assert response.status_code == 200, response.text |
||||
|
assert response.json() == snapshot( |
||||
|
{ |
||||
|
"openapi": "3.1.0", |
||||
|
"info": {"title": "FastAPI", "version": "0.1.0"}, |
||||
|
"paths": { |
||||
|
"/me": { |
||||
|
"get": { |
||||
|
"summary": "Read Me", |
||||
|
"operationId": "read_me_me_get", |
||||
|
"responses": { |
||||
|
"200": { |
||||
|
"description": "Successful Response", |
||||
|
"content": {"application/json": {"schema": {}}}, |
||||
|
} |
||||
|
}, |
||||
|
"security": [{"HTTPBearer403": []}], |
||||
|
} |
||||
|
} |
||||
|
}, |
||||
|
"components": { |
||||
|
"securitySchemes": { |
||||
|
"HTTPBearer403": {"type": "http", "scheme": "bearer"} |
||||
|
} |
||||
|
}, |
||||
|
} |
||||
|
) |
||||
Loading…
Reference in new issue