Browse Source
* ✨ Upgrade OAuth2 Security with scopes handling * 📝 Update Security tutorial with OAuth2 and JWT * ✨ Add tutorial code for OAuth2 with scopes (and JWT) * ✅ Add tests for tutorial/OAuth2 with scopes * 🐛 Fix security_scopes type declaration * ✨ Add docs and tests for SecurityScopespull/148/head
Sebastián Ramírez
6 years ago
committed by
GitHub
GitHub
11 changed files with 773 additions and 34 deletions
|
After Width: | Height: | Size: 79 KiB |
@ -0,0 +1,162 @@ |
|||
from datetime import datetime, timedelta |
|||
from typing import List |
|||
|
|||
import jwt |
|||
from fastapi import Depends, FastAPI, HTTPException, Security |
|||
from fastapi.security import ( |
|||
OAuth2PasswordBearer, |
|||
OAuth2PasswordRequestForm, |
|||
SecurityScopes, |
|||
) |
|||
from jwt import PyJWTError |
|||
from passlib.context import CryptContext |
|||
from pydantic import BaseModel, ValidationError |
|||
from starlette.status import HTTP_403_FORBIDDEN |
|||
|
|||
# to get a string like this run: |
|||
# openssl rand -hex 32 |
|||
SECRET_KEY = "09d25e094faa6ca2556c818166b7a9563b93f7099f6f0f4caa6cf63b88e8d3e7" |
|||
ALGORITHM = "HS256" |
|||
ACCESS_TOKEN_EXPIRE_MINUTES = 30 |
|||
|
|||
|
|||
fake_users_db = { |
|||
"johndoe": { |
|||
"username": "johndoe", |
|||
"full_name": "John Doe", |
|||
"email": "[email protected]", |
|||
"hashed_password": "$2b$12$EixZaYVK1fsbw1ZfbX3OXePaWxn96p36WQoeG6Lruj3vjPGga31lW", |
|||
"disabled": False, |
|||
}, |
|||
"alice": { |
|||
"username": "alice", |
|||
"full_name": "Alice Chains", |
|||
"email": "[email protected]", |
|||
"hashed_password": "$2b$12$gSvqqUPvlXP2tfVFaWK1Be7DlH.PKZbv5H8KnzzVgXXbVxpva.pFm", |
|||
"disabled": True, |
|||
}, |
|||
} |
|||
|
|||
|
|||
class Token(BaseModel): |
|||
access_token: str |
|||
token_type: str |
|||
|
|||
|
|||
class TokenData(BaseModel): |
|||
username: str = None |
|||
scopes: List[str] = [] |
|||
|
|||
|
|||
class User(BaseModel): |
|||
username: str |
|||
email: str = None |
|||
full_name: str = None |
|||
disabled: bool = None |
|||
|
|||
|
|||
class UserInDB(User): |
|||
hashed_password: str |
|||
|
|||
|
|||
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto") |
|||
|
|||
oauth2_scheme = OAuth2PasswordBearer( |
|||
tokenUrl="/token", |
|||
scopes={"me": "Read information about the current user.", "items": "Read items."}, |
|||
) |
|||
|
|||
app = FastAPI() |
|||
|
|||
|
|||
def verify_password(plain_password, hashed_password): |
|||
return pwd_context.verify(plain_password, hashed_password) |
|||
|
|||
|
|||
def get_password_hash(password): |
|||
return pwd_context.hash(password) |
|||
|
|||
|
|||
def get_user(db, username: str): |
|||
if username in db: |
|||
user_dict = db[username] |
|||
return UserInDB(**user_dict) |
|||
|
|||
|
|||
def authenticate_user(fake_db, username: str, password: str): |
|||
user = get_user(fake_db, username) |
|||
if not user: |
|||
return False |
|||
if not verify_password(password, user.hashed_password): |
|||
return False |
|||
return user |
|||
|
|||
|
|||
def create_access_token(*, data: dict, expires_delta: timedelta = None): |
|||
to_encode = data.copy() |
|||
if expires_delta: |
|||
expire = datetime.utcnow() + expires_delta |
|||
else: |
|||
expire = datetime.utcnow() + timedelta(minutes=15) |
|||
to_encode.update({"exp": expire}) |
|||
encoded_jwt = jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM) |
|||
return encoded_jwt |
|||
|
|||
|
|||
async def get_current_user( |
|||
security_scopes: SecurityScopes, token: str = Depends(oauth2_scheme) |
|||
): |
|||
credentials_exception = HTTPException( |
|||
status_code=HTTP_403_FORBIDDEN, detail="Could not validate credentials" |
|||
) |
|||
try: |
|||
payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM]) |
|||
username: str = payload.get("sub") |
|||
if username is None: |
|||
raise credentials_exception |
|||
token_scopes = payload.get("scopes", []) |
|||
token_data = TokenData(scopes=token_scopes, username=username) |
|||
except (PyJWTError, ValidationError): |
|||
raise credentials_exception |
|||
user = get_user(fake_users_db, username=token_data.username) |
|||
if user is None: |
|||
raise credentials_exception |
|||
for scope in security_scopes.scopes: |
|||
if scope not in token_data.scopes: |
|||
raise HTTPException( |
|||
status_code=HTTP_403_FORBIDDEN, detail="Not enough permissions" |
|||
) |
|||
return user |
|||
|
|||
|
|||
async def get_current_active_user( |
|||
current_user: User = Security(get_current_user, scopes=["me"]) |
|||
): |
|||
if current_user.disabled: |
|||
raise HTTPException(status_code=400, detail="Inactive user") |
|||
return current_user |
|||
|
|||
|
|||
@app.post("/token", response_model=Token) |
|||
async def route_login_access_token(form_data: OAuth2PasswordRequestForm = Depends()): |
|||
user = authenticate_user(fake_users_db, form_data.username, form_data.password) |
|||
if not user: |
|||
raise HTTPException(status_code=400, detail="Incorrect username or password") |
|||
access_token_expires = timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES) |
|||
access_token = create_access_token( |
|||
data={"sub": user.username, "scopes": form_data.scopes}, |
|||
expires_delta=access_token_expires, |
|||
) |
|||
return {"access_token": access_token, "token_type": "bearer"} |
|||
|
|||
|
|||
@app.get("/users/me/", response_model=User) |
|||
async def read_users_me(current_user: User = Depends(get_current_active_user)): |
|||
return current_user |
|||
|
|||
|
|||
@app.get("/users/me/items/") |
|||
async def read_own_items( |
|||
current_user: User = Security(get_current_active_user, scopes=["items"]) |
|||
): |
|||
return [{"item_id": "Foo", "owner": current_user.username}] |
|||
@ -0,0 +1,191 @@ |
|||
You can use OAuth2 scopes directly with **FastAPI**, they are integrated to work seamlessly. |
|||
|
|||
This would allow you to have a more fine-grained permission system, following standards like OAuth2, integrated into your OpenAPI application (and the API docs). |
|||
|
|||
OAuth2 with scopes is the mechanism used by many big authentication providers, like Facebook, Google, GitHub, Microsoft, Twitter, etc. They use it to provide specific permissions to users and applications. |
|||
|
|||
Every time you "log in with" Facebook, Google, GitHub, Microsoft, Twitter, that application is using OAuth2 with scopes. |
|||
|
|||
In this section you will see how to manage authentication and authorization with the same OAuth2 with scopes in your **FastAPI** application. |
|||
|
|||
!!! warning |
|||
This is a more or less advanced section. If you are just starting, you can skip it. |
|||
|
|||
You don't necessarily need OAuth2 scopes, you can handle authentication and authorization however you want. |
|||
|
|||
But OAuth2 with scopes can be nicely integrated into your API (with OpenAPI) and your API docs. |
|||
|
|||
Nevertheless, you still enforce those scopes or any other security/authorization requirement however you need in your code. |
|||
|
|||
In many cases, OAuth2 with scopes can be an overkill. |
|||
|
|||
But if you know you need it, or you are curious, keep reading. |
|||
|
|||
## OAuth2 scopes and OpenAPI |
|||
|
|||
The OAuth2 specification defines "scopes" as a list of strings separated by spaces. |
|||
|
|||
The content of each of these strings can have any format, but should not contain spaces. |
|||
|
|||
These scopes represent "permissions". |
|||
|
|||
In OpenAPI (e.g. the API docs), you can define "security schemes", the same as you saw in the previous sections. |
|||
|
|||
When one of these security schemes uses OAuth2, you can also declare and use scopes. |
|||
|
|||
## Global view |
|||
|
|||
First, let's quickly see the parts that change from the previous section about OAuth2 and JWT. Now using OAuth2 scopes: |
|||
|
|||
```Python hl_lines="2 5 9 13 48 66 106 115 116 117 122 123 124 125 126 131 145 158" |
|||
{!./src/security/tutorial005.py!} |
|||
``` |
|||
|
|||
Now let's review those changes step by step. |
|||
|
|||
## OAuth2 Security scheme |
|||
|
|||
The first change is that now we are declaring the OAuth2 security scheme with two available scopes, `me` and `items`. |
|||
|
|||
The `scopes` parameter receives a `dict` with each scope as a key and the description as the value: |
|||
|
|||
```Python hl_lines="64 65 66 67" |
|||
{!./src/security/tutorial005.py!} |
|||
``` |
|||
|
|||
Because we are now declaring those scopes,they will show up in the API docs when you log-in/authorize. |
|||
|
|||
And you will be able to select which scopes you want to give access to: `me` and `items`. |
|||
|
|||
This is the same mechanism used when you give permissions while logging in with Facebook, Google, GitHub, etc: |
|||
|
|||
<img src="/img/tutorial/security/image11.png"> |
|||
|
|||
## JWT token with scopes |
|||
|
|||
Now, modify the token *path operation* to return the scopes requested. |
|||
|
|||
We are still using the same `OAuth2PasswordRequestForm`. It includes a property `scopes` with each scope it received. |
|||
|
|||
And we return the scopes as part of the JWT token. |
|||
|
|||
!!! danger |
|||
For simplicity, here we are just adding the scopes received directly to the token. |
|||
|
|||
But in your application, for security, you should make sure you only add the scopes that the user is actually able to have, or the ones you have predefined. |
|||
|
|||
```Python hl_lines="145" |
|||
{!./src/security/tutorial005.py!} |
|||
``` |
|||
|
|||
## Declare scopes in *path operations* and dependencies |
|||
|
|||
Now we declare that the *path operation* for `/users/me/items/` requires the scope `items`. |
|||
|
|||
For this, we import and use `Security` from `fastapi`. |
|||
|
|||
You can use `Security` to declare dependencies (just like `Depends`), but `Security` also receives a parameter `scopes` with a list of scopes (strings). |
|||
|
|||
In this case, we pass a dependency function `get_current_active_user` to `Security` (the same way we would do with `Depends`). |
|||
|
|||
But we also pass a `list` of scopes, in this case with just one scope: `items` (it could have more). |
|||
|
|||
And the dependency function `get_current_active_user` can also declare sub-dependencies, not only with `Depends` but also with `Security`. Declaring its own sub-dependency function (`get_current_user`), and more scope requirements. |
|||
|
|||
In this case, it requires the scope `me` (it could require more than one scope). |
|||
|
|||
!!! note |
|||
You don't necessarily need to add different scopes in different places. |
|||
|
|||
We are doing it here to demonstrate how **FastAPI** handles scopes declared at different levels. |
|||
|
|||
```Python hl_lines="5 131 158" |
|||
{!./src/security/tutorial005.py!} |
|||
``` |
|||
|
|||
## Use `SecurityScopes` |
|||
|
|||
Now update the dependency `get_current_user`. |
|||
|
|||
This is the one used by the dependencies above. |
|||
|
|||
Here's were we are declaring the same OAuth2 scheme we created above as a dependency: `oauth2_scheme`. |
|||
|
|||
Because this dependency function doesn't have any scope requirements itself, we can use `Depends` with `oauth2_scheme`, we don't have to use `Security`. |
|||
|
|||
We also declare a special parameter of type `SecurityScopes`, imported from `fastapi.security`. |
|||
|
|||
This `SecurityScopes` class is similar to `Request` (`Request` was used to get the request object directly). |
|||
|
|||
The parameter `security_scopes` will be of type `SecurityScopes`. It will have a property `scopes` with a list containing all the scopes required by itself and all the dependencies that use this as a sub-dependency. That means, all the "dependants" or all the super-dependencies (the contrary of sub-dependencies). |
|||
|
|||
We verify that all the scopes required, by this dependency and all the dependants (including *path operations*), are included in the scopes provided in the token received, otherwise raise an `HTTPException`. |
|||
|
|||
We also check that the token data is validated with the Pydantic model (catching the `ValidationError` exception), and if we get an error reading the JWT token or validating the data with Pydantic, we also raise an `HTTPException`. |
|||
|
|||
By validating the data with Pydantic we can make sure that we have, for example, exactly a `list` of `str` with the scopes and a `str` with the `username`. Instead of, for example, a `dict`, or something else, as it could break the application at some point later. |
|||
|
|||
|
|||
```Python hl_lines="9 13 106 48 106 115 116 117 122 123" |
|||
{!./src/security/tutorial005.py!} |
|||
``` |
|||
|
|||
So, as the other dependency `get_current_active_user` has as a sub-dependency this `get_current_user`, the scope `"me"` declared at `get_current_active_user` will be included in the `security_scopes.scopes` `list` inside of `get_current_user`. |
|||
|
|||
And as the *path operation* itself also declares a scope `"items"`, it will also be part of this `list` `security_scopes.scopes` in `get_current_user`. |
|||
|
|||
Here's how the hierarchy of dependencies and scopes looks like: |
|||
|
|||
* The *path operation* `read_own_items` has: |
|||
* Required scopes `["items"]` with the dependency: |
|||
* `get_current_active_user`: |
|||
* The dependency function `get_current_active_user` has: |
|||
* Required scopes `["me"]` with the dependency: |
|||
* `get_current_user`: |
|||
* The dependency function `get_current_user` has: |
|||
* No scopes required by itself. |
|||
* A dependency using `oauth2_scheme`. |
|||
* A `security_scopes` parameter of type `SecurityScopes`: |
|||
* This `security_scopes` parameter has a property `scopes` with a `list` containing all these scopes declared above, so: |
|||
* `security_scopes.scopes` will contain `["me", "items"]` |
|||
|
|||
## More details about `SecurityScopes` |
|||
|
|||
You can use `SecurityScopes` at any point, and in multiple places, it doesn't have to be at the "root" dependency. |
|||
|
|||
It will always have the security scopes declared in the current `Security` dependencies and all the super-dependencies/dependants. |
|||
|
|||
Because the `SecurityScopes` will have all the scopes declared by super-dependencies/dependants, you can use it to verify that a token has the required scopes in a central dependency function, and then declare different scope requirements in different *path operations*. |
|||
|
|||
## Check it |
|||
|
|||
If you open the API docs, you can authenticate and specify which scopes you want to authorize. |
|||
|
|||
<img src="/img/tutorial/security/image11.png"> |
|||
|
|||
If you don't select any scope, you will be "authenticated", but when you try to access `/users/me/` or `/users/me/items/` you will get an error saying that you don't have enough permissions. |
|||
|
|||
And if you select the scope `me` but not the scope `items`, you will be able to access `/users/me/` but not `/users/me/items/`. |
|||
|
|||
That's what would happen to a third party application that tried to access one of these *path operations* with a token provided by a user, depending on how many permissions the user gave the application. |
|||
|
|||
## About third party integrations |
|||
|
|||
In this example we are using the OAuth2 "password" flow. |
|||
|
|||
This is appropriate when we are logging in to our own application, probably with our own frontend. |
|||
|
|||
Because we can trust it to receive the `username` and `password`, as we control it. |
|||
|
|||
But if you are building an OAuth2 application that others would connect to (i.e., if you are building an authentication provider equivalent to Facebook, Google, GitHub, etc.) you should use one of the other flows. |
|||
|
|||
The most common is the implicit flow. |
|||
|
|||
The most secure is the code flow, but is more complex to implement as it requires more steps. As it is more cumbersome, many providers end up suggesting the implicit flow. |
|||
|
|||
!!! note |
|||
It's common that each authentication provider names their flows in a different way, to make it part of their brand. |
|||
|
|||
But in the end, they are implementing the same OAuth2 standard. |
|||
|
|||
**FastAPI** includes utilities for all these OAuth2 authentication flows in `fastapi.security.oauth2`. |
|||
@ -0,0 +1,313 @@ |
|||
from starlette.testclient import TestClient |
|||
|
|||
from security.tutorial005 import ( |
|||
app, |
|||
create_access_token, |
|||
fake_users_db, |
|||
get_password_hash, |
|||
verify_password, |
|||
) |
|||
|
|||
client = TestClient(app) |
|||
|
|||
openapi_schema = { |
|||
"openapi": "3.0.2", |
|||
"info": {"title": "Fast API", "version": "0.1.0"}, |
|||
"paths": { |
|||
"/token": { |
|||
"post": { |
|||
"responses": { |
|||
"200": { |
|||
"description": "Successful Response", |
|||
"content": { |
|||
"application/json": { |
|||
"schema": {"$ref": "#/components/schemas/Token"} |
|||
} |
|||
}, |
|||
}, |
|||
"422": { |
|||
"description": "Validation Error", |
|||
"content": { |
|||
"application/json": { |
|||
"schema": { |
|||
"$ref": "#/components/schemas/HTTPValidationError" |
|||
} |
|||
} |
|||
}, |
|||
}, |
|||
}, |
|||
"summary": "Route Login Access Token Post", |
|||
"operationId": "route_login_access_token_token_post", |
|||
"requestBody": { |
|||
"content": { |
|||
"application/x-www-form-urlencoded": { |
|||
"schema": { |
|||
"$ref": "#/components/schemas/Body_route_login_access_token" |
|||
} |
|||
} |
|||
}, |
|||
"required": True, |
|||
}, |
|||
} |
|||
}, |
|||
"/users/me/": { |
|||
"get": { |
|||
"responses": { |
|||
"200": { |
|||
"description": "Successful Response", |
|||
"content": { |
|||
"application/json": { |
|||
"schema": {"$ref": "#/components/schemas/User"} |
|||
} |
|||
}, |
|||
} |
|||
}, |
|||
"summary": "Read Users Me Get", |
|||
"operationId": "read_users_me_users_me__get", |
|||
"security": [{"OAuth2PasswordBearer": ["me"]}], |
|||
} |
|||
}, |
|||
"/users/me/items/": { |
|||
"get": { |
|||
"responses": { |
|||
"200": { |
|||
"description": "Successful Response", |
|||
"content": {"application/json": {"schema": {}}}, |
|||
} |
|||
}, |
|||
"summary": "Read Own Items Get", |
|||
"operationId": "read_own_items_users_me_items__get", |
|||
"security": [{"OAuth2PasswordBearer": ["items", "me"]}], |
|||
} |
|||
}, |
|||
}, |
|||
"components": { |
|||
"schemas": { |
|||
"Body_route_login_access_token": { |
|||
"title": "Body_route_login_access_token", |
|||
"required": ["username", "password"], |
|||
"type": "object", |
|||
"properties": { |
|||
"grant_type": { |
|||
"title": "Grant_Type", |
|||
"pattern": "password", |
|||
"type": "string", |
|||
}, |
|||
"username": {"title": "Username", "type": "string"}, |
|||
"password": {"title": "Password", "type": "string"}, |
|||
"scope": {"title": "Scope", "type": "string", "default": ""}, |
|||
"client_id": {"title": "Client_Id", "type": "string"}, |
|||
"client_secret": {"title": "Client_Secret", "type": "string"}, |
|||
}, |
|||
}, |
|||
"Token": { |
|||
"title": "Token", |
|||
"required": ["access_token", "token_type"], |
|||
"type": "object", |
|||
"properties": { |
|||
"access_token": {"title": "Access_Token", "type": "string"}, |
|||
"token_type": {"title": "Token_Type", "type": "string"}, |
|||
}, |
|||
}, |
|||
"User": { |
|||
"title": "User", |
|||
"required": ["username"], |
|||
"type": "object", |
|||
"properties": { |
|||
"username": {"title": "Username", "type": "string"}, |
|||
"email": {"title": "Email", "type": "string"}, |
|||
"full_name": {"title": "Full_Name", "type": "string"}, |
|||
"disabled": {"title": "Disabled", "type": "boolean"}, |
|||
}, |
|||
}, |
|||
"ValidationError": { |
|||
"title": "ValidationError", |
|||
"required": ["loc", "msg", "type"], |
|||
"type": "object", |
|||
"properties": { |
|||
"loc": { |
|||
"title": "Location", |
|||
"type": "array", |
|||
"items": {"type": "string"}, |
|||
}, |
|||
"msg": {"title": "Message", "type": "string"}, |
|||
"type": {"title": "Error Type", "type": "string"}, |
|||
}, |
|||
}, |
|||
"HTTPValidationError": { |
|||
"title": "HTTPValidationError", |
|||
"type": "object", |
|||
"properties": { |
|||
"detail": { |
|||
"title": "Detail", |
|||
"type": "array", |
|||
"items": {"$ref": "#/components/schemas/ValidationError"}, |
|||
} |
|||
}, |
|||
}, |
|||
}, |
|||
"securitySchemes": { |
|||
"OAuth2PasswordBearer": { |
|||
"type": "oauth2", |
|||
"flows": { |
|||
"password": { |
|||
"scopes": { |
|||
"me": "Read information about the current user.", |
|||
"items": "Read items.", |
|||
}, |
|||
"tokenUrl": "/token", |
|||
} |
|||
}, |
|||
} |
|||
}, |
|||
}, |
|||
} |
|||
|
|||
|
|||
def get_access_token(username="johndoe", password="secret", scope=None): |
|||
data = {"username": username, "password": password} |
|||
if scope: |
|||
data["scope"] = scope |
|||
response = client.post("/token", data=data) |
|||
content = response.json() |
|||
access_token = content.get("access_token") |
|||
return access_token |
|||
|
|||
|
|||
def test_openapi_schema(): |
|||
response = client.get("/openapi.json") |
|||
assert response.status_code == 200 |
|||
assert response.json() == openapi_schema |
|||
|
|||
|
|||
def test_login(): |
|||
response = client.post("/token", data={"username": "johndoe", "password": "secret"}) |
|||
assert response.status_code == 200 |
|||
content = response.json() |
|||
assert "access_token" in content |
|||
assert content["token_type"] == "bearer" |
|||
|
|||
|
|||
def test_login_incorrect_password(): |
|||
response = client.post( |
|||
"/token", data={"username": "johndoe", "password": "incorrect"} |
|||
) |
|||
assert response.status_code == 400 |
|||
assert response.json() == {"detail": "Incorrect username or password"} |
|||
|
|||
|
|||
def test_login_incorrect_username(): |
|||
response = client.post("/token", data={"username": "foo", "password": "secret"}) |
|||
assert response.status_code == 400 |
|||
assert response.json() == {"detail": "Incorrect username or password"} |
|||
|
|||
|
|||
def test_no_token(): |
|||
response = client.get("/users/me") |
|||
assert response.status_code == 403 |
|||
assert response.json() == {"detail": "Not authenticated"} |
|||
|
|||
|
|||
def test_token(): |
|||
access_token = get_access_token(scope="me") |
|||
response = client.get( |
|||
"/users/me", headers={"Authorization": f"Bearer {access_token}"} |
|||
) |
|||
print(response.json()) |
|||
assert response.status_code == 200 |
|||
assert response.json() == { |
|||
"username": "johndoe", |
|||
"full_name": "John Doe", |
|||
"email": "[email protected]", |
|||
"disabled": False, |
|||
} |
|||
|
|||
|
|||
def test_incorrect_token(): |
|||
response = client.get("/users/me", headers={"Authorization": "Bearer nonexistent"}) |
|||
assert response.status_code == 403 |
|||
assert response.json() == {"detail": "Could not validate credentials"} |
|||
|
|||
|
|||
def test_incorrect_token_type(): |
|||
response = client.get( |
|||
"/users/me", headers={"Authorization": "Notexistent testtoken"} |
|||
) |
|||
assert response.status_code == 403 |
|||
assert response.json() == {"detail": "Not authenticated"} |
|||
|
|||
|
|||
def test_verify_password(): |
|||
assert verify_password("secret", fake_users_db["johndoe"]["hashed_password"]) |
|||
|
|||
|
|||
def test_get_password_hash(): |
|||
assert get_password_hash("secretalice") |
|||
|
|||
|
|||
def test_create_access_token(): |
|||
access_token = create_access_token(data={"data": "foo"}) |
|||
assert access_token |
|||
|
|||
|
|||
def test_token_no_sub(): |
|||
response = client.get( |
|||
"/users/me", |
|||
headers={ |
|||
"Authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkYXRhIjoiZm9vIn0.9ynBhuYb4e6aW3oJr_K_TBgwcMTDpRToQIE25L57rOE" |
|||
}, |
|||
) |
|||
assert response.status_code == 403 |
|||
assert response.json() == {"detail": "Could not validate credentials"} |
|||
|
|||
|
|||
def test_token_no_username(): |
|||
response = client.get( |
|||
"/users/me", |
|||
headers={ |
|||
"Authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJmb28ifQ.NnExK_dlNAYyzACrXtXDrcWOgGY2JuPbI4eDaHdfK5Y" |
|||
}, |
|||
) |
|||
assert response.status_code == 403 |
|||
assert response.json() == {"detail": "Could not validate credentials"} |
|||
|
|||
|
|||
def test_token_no_scope(): |
|||
access_token = get_access_token() |
|||
response = client.get( |
|||
"/users/me", headers={"Authorization": f"Bearer {access_token}"} |
|||
) |
|||
assert response.status_code == 403 |
|||
assert response.json() == {"detail": "Not enough permissions"} |
|||
|
|||
|
|||
def test_token_inexistent_user(): |
|||
response = client.get( |
|||
"/users/me", |
|||
headers={ |
|||
"Authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VybmFtZTpib2IifQ.HcfCW67Uda-0gz54ZWTqmtgJnZeNem0Q757eTa9EZuw" |
|||
}, |
|||
) |
|||
assert response.status_code == 403 |
|||
assert response.json() == {"detail": "Could not validate credentials"} |
|||
|
|||
|
|||
def test_token_inactive_user(): |
|||
access_token = get_access_token( |
|||
username="alice", password="secretalice", scope="me" |
|||
) |
|||
response = client.get( |
|||
"/users/me", headers={"Authorization": f"Bearer {access_token}"} |
|||
) |
|||
print(response.json()) |
|||
assert response.status_code == 400 |
|||
assert response.json() == {"detail": "Inactive user"} |
|||
|
|||
|
|||
def test_read_items(): |
|||
access_token = get_access_token(scope="me items") |
|||
response = client.get( |
|||
"/users/me/items/", headers={"Authorization": f"Bearer {access_token}"} |
|||
) |
|||
assert response.status_code == 200 |
|||
assert response.json() == [{"item_id": "Foo", "owner": "johndoe"}] |
|||
Loading…
Reference in new issue