Merge ac55383d1e into 1d434dec47

fastapi/security/http.py

@@ -178,11 +178,24 @@ class HTTPBasic(HTTPBase):
                 """
             ),
         ] = True,
+        auto_error_detail: Annotated[
+            str,
+            Doc(
+                """
+                The text to be returned to the client when `auto_error`
+                raises an HTTP exception.
+
+                It's useful when you have multiple errors defined: set
+                different detail text to easily differentiate which error was raised.
+                """
+            ),
+        ] = "Not authenticated",
     ):
         self.model = HTTPBaseModel(scheme="basic", description=description)
         self.scheme_name = scheme_name or self.__class__.__name__
         self.realm = realm
         self.auto_error = auto_error
+        self.auto_error_detail = auto_error_detail
 
     async def __call__(  # type: ignore
         self, request: Request
@@ -197,7 +210,7 @@ class HTTPBasic(HTTPBase):
             if self.auto_error:
                 raise HTTPException(
                     status_code=HTTP_401_UNAUTHORIZED,
-                    detail="Not authenticated",
+                    detail=self.auto_error_detail,
                     headers=unauthorized_headers,
                 )
             else:
@@ -293,10 +306,23 @@ class HTTPBearer(HTTPBase):
                 """
             ),
         ] = True,
+        auto_error_detail: Annotated[
+            str,
+            Doc(
+                """
+                The text to be returned to the client when `auto_error`
+                raises an HTTP exception.
+
+                It's useful when you have multiple errors defined: set
+                different detail text to easily differentiate which error was raised.
+                """
+            ),
+        ] = "Not authenticated",
     ):
         self.model = HTTPBearerModel(bearerFormat=bearerFormat, description=description)
         self.scheme_name = scheme_name or self.__class__.__name__
         self.auto_error = auto_error
+        self.auto_error_detail = auto_error_detail
 
     async def __call__(
         self, request: Request
@@ -306,7 +332,8 @@ class HTTPBearer(HTTPBase):
         if not (authorization and scheme and credentials):
             if self.auto_error:
                 raise HTTPException(
-                    status_code=HTTP_403_FORBIDDEN, detail="Not authenticated"
+                    status_code=HTTP_403_FORBIDDEN,
+                    detail=self.auto_error_detail,
                 )
             else:
                 return None
@@ -395,10 +422,23 @@ class HTTPDigest(HTTPBase):
                 """
             ),
         ] = True,
+        auto_error_detail: Annotated[
+            str,
+            Doc(
+                """
+                The text to be returned to the client when `auto_error`
+                raises an HTTP exception.
+
+                It's useful when you have multiple errors defined: set
+                different detail text to easily differentiate which error was raised.
+                """
+            ),
+        ] = "Not authenticated",
     ):
         self.model = HTTPBaseModel(scheme="digest", description=description)
         self.scheme_name = scheme_name or self.__class__.__name__
         self.auto_error = auto_error
+        self.auto_error_detail = auto_error_detail
 
     async def __call__(
         self, request: Request
@@ -408,7 +448,8 @@ class HTTPDigest(HTTPBase):
         if not (authorization and scheme and credentials):
             if self.auto_error:
                 raise HTTPException(
-                    status_code=HTTP_403_FORBIDDEN, detail="Not authenticated"
+                    status_code=HTTP_403_FORBIDDEN,
+                    detail=self.auto_error_detail,
                 )
             else:
                 return None

tests/test_security_http_basic_auto_error_detail.py

@@ -0,0 +1,30 @@
+from typing import Optional
+
+from fastapi import FastAPI, Security
+from fastapi.security import HTTPBasic, HTTPBasicCredentials
+from fastapi.testclient import TestClient
+
+app = FastAPI()
+
+error_message = "not a 20 minute adventure"
+security = HTTPBasic(auto_error=True, auto_error_detail=error_message)
+
+
+@app.get("/users/me")
+def read_current_user(credentials: Optional[HTTPBasicCredentials] = Security(security)):
+    return {"username": credentials.username, "password": credentials.password}
+
+
+client = TestClient(app)
+
+
+def test_security_http_basic():
+    response = client.get("/users/me", auth=("john", "secret"))
+    assert response.status_code == 200, response.text
+    assert response.json() == {"username": "john", "password": "secret"}
+
+
+def test_security_http_basic_no_credentials():
+    response = client.get("/users/me")
+    assert response.status_code == 401, response.text
+    assert response.json() == {"detail": error_message}

tests/test_security_http_bearer_auto_error_detail.py

@@ -0,0 +1,28 @@
+from fastapi import FastAPI, Security
+from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
+from fastapi.testclient import TestClient
+
+app = FastAPI()
+
+error_message = "not a 20 minute adventure"
+security = HTTPBearer(auto_error=True, auto_error_detail=error_message)
+
+
+@app.get("/users/me")
+def read_current_user(credentials: HTTPAuthorizationCredentials = Security(security)):
+    return {"scheme": credentials.scheme, "credentials": credentials.credentials}
+
+
+client = TestClient(app)
+
+
+def test_security_http_bearer():
+    response = client.get("/users/me", headers={"Authorization": "Bearer foobar"})
+    assert response.status_code == 200, response.text
+    assert response.json() == {"scheme": "Bearer", "credentials": "foobar"}
+
+
+def test_security_http_bearer_no_credentials():
+    response = client.get("/users/me")
+    assert response.status_code == 403, response.text
+    assert response.json() == {"detail": error_message}