diff --git a/fastapi/security/http.py b/fastapi/security/http.py index 9ab2df3c9..1943cd56a 100644 --- a/fastapi/security/http.py +++ b/fastapi/security/http.py @@ -181,7 +181,7 @@ class HTTPBasic(HTTPBase): ): self.model = HTTPBaseModel(scheme="basic", description=description) self.scheme_name = scheme_name or self.__class__.__name__ - self.realm = realm + self.realm = realm or "" self.auto_error = auto_error async def __call__( # type: ignore @@ -189,10 +189,8 @@ class HTTPBasic(HTTPBase): ) -> Optional[HTTPBasicCredentials]: authorization = request.headers.get("Authorization") scheme, param = get_authorization_scheme_param(authorization) - if self.realm: - unauthorized_headers = {"WWW-Authenticate": f'Basic realm="{self.realm}"'} - else: - unauthorized_headers = {"WWW-Authenticate": "Basic"} + # The "realm" is required, as per https://datatracker.ietf.org/doc/html/rfc7617#section-2. + unauthorized_headers = {"WWW-Authenticate": f'Basic realm="{self.realm}"'} if not authorization or scheme.lower() != "basic": if self.auto_error: raise HTTPException( diff --git a/tests/test_security_http_basic_optional.py b/tests/test_security_http_basic_optional.py index 9b6cb6c45..53bffe7e0 100644 --- a/tests/test_security_http_basic_optional.py +++ b/tests/test_security_http_basic_optional.py @@ -37,7 +37,7 @@ def test_security_http_basic_invalid_credentials(): "/users/me", headers={"Authorization": "Basic notabase64token"} ) assert response.status_code == 401, response.text - assert response.headers["WWW-Authenticate"] == "Basic" + assert response.headers["WWW-Authenticate"] == 'Basic realm=""' assert response.json() == {"detail": "Invalid authentication credentials"} @@ -46,7 +46,7 @@ def test_security_http_basic_non_basic_credentials(): auth_header = f"Basic {payload}" response = client.get("/users/me", headers={"Authorization": auth_header}) assert response.status_code == 401, response.text - assert response.headers["WWW-Authenticate"] == "Basic" + assert response.headers["WWW-Authenticate"] == 'Basic realm=""' assert response.json() == {"detail": "Invalid authentication credentials"} diff --git a/tests/test_tutorial/test_security/test_tutorial006.py b/tests/test_tutorial/test_security/test_tutorial006.py index 40b413806..7fbaec626 100644 --- a/tests/test_tutorial/test_security/test_tutorial006.py +++ b/tests/test_tutorial/test_security/test_tutorial006.py @@ -32,7 +32,7 @@ def test_security_http_basic_no_credentials(client: TestClient): response = client.get("/users/me") assert response.json() == {"detail": "Not authenticated"} assert response.status_code == 401, response.text - assert response.headers["WWW-Authenticate"] == "Basic" + assert response.headers["WWW-Authenticate"] == 'Basic realm=""' def test_security_http_basic_invalid_credentials(client: TestClient): @@ -40,7 +40,7 @@ def test_security_http_basic_invalid_credentials(client: TestClient): "/users/me", headers={"Authorization": "Basic notabase64token"} ) assert response.status_code == 401, response.text - assert response.headers["WWW-Authenticate"] == "Basic" + assert response.headers["WWW-Authenticate"] == 'Basic realm=""' assert response.json() == {"detail": "Invalid authentication credentials"} @@ -49,7 +49,7 @@ def test_security_http_basic_non_basic_credentials(client: TestClient): auth_header = f"Basic {payload}" response = client.get("/users/me", headers={"Authorization": auth_header}) assert response.status_code == 401, response.text - assert response.headers["WWW-Authenticate"] == "Basic" + assert response.headers["WWW-Authenticate"] == 'Basic realm=""' assert response.json() == {"detail": "Invalid authentication credentials"}