From b0115d0ab5d79562f1fe0d2a33860157e72ba97a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kristj=C3=A1n=20Valur=20J=C3=B3nsson?= <sweskman@gmail.com>
Date: Fri, 11 Nov 2022 14:34:53 +0000
Subject: [PATCH 1/2] Add failing unittest demonstrating the problem

---
 tests/test_dependency_scopes.py | 59 +++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 tests/test_dependency_scopes.py

diff --git a/tests/test_dependency_scopes.py b/tests/test_dependency_scopes.py
new file mode 100644
index 000000000..0d07cd305
--- /dev/null
+++ b/tests/test_dependency_scopes.py
@@ -0,0 +1,59 @@
+from unittest.mock import Mock, call, patch
+
+import pytest
+from fastapi import FastAPI, Security
+from fastapi.security import SecurityScopes
+from fastapi.testclient import TestClient
+
+
+async def security1(scopes: SecurityScopes):
+    return _security1(scopes.scopes)
+
+
+def _security1(scopes):  # pragma: no cover
+    pass
+
+
+async def security2(scopes: SecurityScopes):
+    return _security2(scopes.scopes)
+
+
+def _security2(scopes):  # pragma: no cover
+    pass
+
+
+async def dep3(
+    dep=Security(security1, scopes=["scope1"]),
+    dep2=Security(security2, scopes=["scope2"]),
+):
+    return {}
+
+
+@pytest.fixture
+def mocks():
+    with patch.dict(globals(), {"_security1": Mock()}):
+        with patch.dict(globals(), {"_security2": Mock()}):
+            yield
+
+
+app = FastAPI()
+
+
+@app.get("/recursive_scopes")
+def recursive_scopes(dep=Security(dep3, scopes=["scope3"])):
+    return {}
+
+
+client = TestClient(app)
+
+
+@pytest.mark.xfail()
+# issue https://github.com/tiangolo/fastapi/issues/5623
+def test_recursive_scopes(mocks):
+    """
+    Test that scope recursion properly applies.  Scopes added to a dependency should propagate
+    and be prepended correctly to all sub-dependencies.
+    """
+    client.get("recursive_scopes")
+    _security1.assert_has_calls([call(["scope3", "scope1"])])
+    _security2.assert_has_calls([call(["scope3", "scope2"])])

From f9cc73867e9aa58073423a07f2fde718cb9939df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kristj=C3=A1n=20Valur=20J=C3=B3nsson?= <sweskman@gmail.com>
Date: Fri, 11 Nov 2022 14:38:32 +0000
Subject: [PATCH 2/2] Add fix to scope propagation: Do not mutate incoming
 list.

---
 fastapi/dependencies/utils.py   | 2 +-
 tests/test_dependency_scopes.py | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/fastapi/dependencies/utils.py b/fastapi/dependencies/utils.py
index 3df5ccfc8..bebbbe954 100644
--- a/fastapi/dependencies/utils.py
+++ b/fastapi/dependencies/utils.py
@@ -147,7 +147,7 @@ def get_sub_dependant(
     security_scopes = security_scopes or []
     if isinstance(depends, params.Security):
         dependency_scopes = depends.scopes
-        security_scopes.extend(dependency_scopes)
+        security_scopes = security_scopes + list(dependency_scopes)
     if isinstance(dependency, SecurityBase):
         use_scopes: List[str] = []
         if isinstance(dependency, (OAuth2, OpenIdConnect)):
diff --git a/tests/test_dependency_scopes.py b/tests/test_dependency_scopes.py
index 0d07cd305..957a0896e 100644
--- a/tests/test_dependency_scopes.py
+++ b/tests/test_dependency_scopes.py
@@ -47,7 +47,6 @@ def recursive_scopes(dep=Security(dep3, scopes=["scope3"])):
 client = TestClient(app)
 
 
-@pytest.mark.xfail()
 # issue https://github.com/tiangolo/fastapi/issues/5623
 def test_recursive_scopes(mocks):
     """