diff --git a/fastapi/security/http.py b/fastapi/security/http.py index 9ab2df3c9..a256dad2a 100644 --- a/fastapi/security/http.py +++ b/fastapi/security/http.py @@ -178,11 +178,24 @@ class HTTPBasic(HTTPBase): """ ), ] = True, + auto_error_detail: Annotated[ + str, + Doc( + """ + The text to be returned to the client when `auto_error` + raises an HTTP exception. + + It's useful when you have multiple errors defined: set + different detail text to easily differentiate which error was raised. + """ + ), + ] = "Not authenticated", ): self.model = HTTPBaseModel(scheme="basic", description=description) self.scheme_name = scheme_name or self.__class__.__name__ self.realm = realm self.auto_error = auto_error + self.auto_error_detail = auto_error_detail async def __call__( # type: ignore self, request: Request @@ -197,7 +210,7 @@ class HTTPBasic(HTTPBase): if self.auto_error: raise HTTPException( status_code=HTTP_401_UNAUTHORIZED, - detail="Not authenticated", + detail=self.auto_error_detail, headers=unauthorized_headers, ) else: @@ -293,10 +306,23 @@ class HTTPBearer(HTTPBase): """ ), ] = True, + auto_error_detail: Annotated[ + str, + Doc( + """ + The text to be returned to the client when `auto_error` + raises an HTTP exception. + + It's useful when you have multiple errors defined: set + different detail text to easily differentiate which error was raised. + """ + ), + ] = "Not authenticated", ): self.model = HTTPBearerModel(bearerFormat=bearerFormat, description=description) self.scheme_name = scheme_name or self.__class__.__name__ self.auto_error = auto_error + self.auto_error_detail = auto_error_detail async def __call__( self, request: Request @@ -306,7 +332,8 @@ class HTTPBearer(HTTPBase): if not (authorization and scheme and credentials): if self.auto_error: raise HTTPException( - status_code=HTTP_403_FORBIDDEN, detail="Not authenticated" + status_code=HTTP_403_FORBIDDEN, + detail=self.auto_error_detail, ) else: return None @@ -395,10 +422,23 @@ class HTTPDigest(HTTPBase): """ ), ] = True, + auto_error_detail: Annotated[ + str, + Doc( + """ + The text to be returned to the client when `auto_error` + raises an HTTP exception. + + It's useful when you have multiple errors defined: set + different detail text to easily differentiate which error was raised. + """ + ), + ] = "Not authenticated", ): self.model = HTTPBaseModel(scheme="digest", description=description) self.scheme_name = scheme_name or self.__class__.__name__ self.auto_error = auto_error + self.auto_error_detail = auto_error_detail async def __call__( self, request: Request @@ -408,7 +448,8 @@ class HTTPDigest(HTTPBase): if not (authorization and scheme and credentials): if self.auto_error: raise HTTPException( - status_code=HTTP_403_FORBIDDEN, detail="Not authenticated" + status_code=HTTP_403_FORBIDDEN, + detail=self.auto_error_detail, ) else: return None diff --git a/tests/test_security_http_basic_auto_error_detail.py b/tests/test_security_http_basic_auto_error_detail.py new file mode 100644 index 000000000..8de85137c --- /dev/null +++ b/tests/test_security_http_basic_auto_error_detail.py @@ -0,0 +1,30 @@ +from typing import Optional + +from fastapi import FastAPI, Security +from fastapi.security import HTTPBasic, HTTPBasicCredentials +from fastapi.testclient import TestClient + +app = FastAPI() + +error_message = "not a 20 minute adventure" +security = HTTPBasic(auto_error=True, auto_error_detail=error_message) + + +@app.get("/users/me") +def read_current_user(credentials: Optional[HTTPBasicCredentials] = Security(security)): + return {"username": credentials.username, "password": credentials.password} + + +client = TestClient(app) + + +def test_security_http_basic(): + response = client.get("/users/me", auth=("john", "secret")) + assert response.status_code == 200, response.text + assert response.json() == {"username": "john", "password": "secret"} + + +def test_security_http_basic_no_credentials(): + response = client.get("/users/me") + assert response.status_code == 401, response.text + assert response.json() == {"detail": error_message} diff --git a/tests/test_security_http_bearer_auto_error_detail.py b/tests/test_security_http_bearer_auto_error_detail.py new file mode 100644 index 000000000..d6a254763 --- /dev/null +++ b/tests/test_security_http_bearer_auto_error_detail.py @@ -0,0 +1,28 @@ +from fastapi import FastAPI, Security +from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer +from fastapi.testclient import TestClient + +app = FastAPI() + +error_message = "not a 20 minute adventure" +security = HTTPBearer(auto_error=True, auto_error_detail=error_message) + + +@app.get("/users/me") +def read_current_user(credentials: HTTPAuthorizationCredentials = Security(security)): + return {"scheme": credentials.scheme, "credentials": credentials.credentials} + + +client = TestClient(app) + + +def test_security_http_bearer(): + response = client.get("/users/me", headers={"Authorization": "Bearer foobar"}) + assert response.status_code == 200, response.text + assert response.json() == {"scheme": "Bearer", "credentials": "foobar"} + + +def test_security_http_bearer_no_credentials(): + response = client.get("/users/me") + assert response.status_code == 403, response.text + assert response.json() == {"detail": error_message}