FastAPI authentication and authorization
Project description
fastapi-auth
An opionated authentication and authorization system for FastAPI.
Features
- a SQLite-based user database (to be rewritten using SQLObject for broader database support)
- a commandline utility for adding, deleting users
- roles and permissions
- FastAPI endpoint protection based on permission or roles
Status
- experimental
Example usage
- see
demo_app.py
Concepts
This package is build around the following concepts:
Roles and permissions
A role is assigned to a user. A user can have one or more roles. A permission
defines a certain certain access scope like View entries
, Delete entries
,
Update Entries
. A Role can be have multiple permissions. So a user can have
multiple roles and one role can have multiple permissions.
Example on how to define permissions:
from fastapi_auth.permissions import Permission
VIEW_PERMISSION = Permission(name="view", description="View permission")
EDIT_PERMISSION = Permission(name="edit", description="Edit permission")
DELETE_PERMISSION = Permission(name="delete", description="Delete permission")
Roles are defined this way:
from fastapi_auth.permissions import Role
ADMIN_ROLE = Role(
name="Administrator",
description="Admin role",
permissions=[VIEW_PERMISSION, EDIT_PERMISSION, DELETE_PERMISSION],
)
USER_ROLE = Role(
name="User",
description="User role",
permissions=[VIEW_PERMISSION, EDIT_PERMISSION],
)
VIEWER_ROLE = Role(
name="Viewer",
description="Viewer role",
permissions=[VIEW_PERMISSION],
)
Also, all roles must be registered with a global ROLES_REGISTRY
:
from fastapi_auth.roles import ROLES_REGISTRY
ROLES_REGISTRY.register(ADMIN_ROLE)
ROLES_REGISTRY.register(USER_ROLE)
ROLES_REGISTRY.register(VIEWER_ROLE)
An endpoint of a FastAPI application be protected through one permission or one or more roles.
In this example, the /admin
endpoint is only acceessible for an authenticated user with role Administrator
:
# This is an endpoint that requires the user to be authenticated. In this case,
# the user must have the ADMIN_ROLE role. It is also possible to require a
# permission instead. Use the Protected dependency to require authentication.
# An unauthenticated request as ANONYMOUS_USER will be rejected.
@app.get("/admin")
def admin(user: User = Depends(Protected(required_roles=[ADMIN_ROLE]))):
return {"user": user}
You could also protect an endpoint using a permission:
from fastapi_auth.dependencies import Protected
@app.get("/admin")
def admin2(user: User = Depends(Protected(required_permission=VIEW_PERMISSION))):
return {"user": user}
Installation of the session middleware
In order to instrumentize your application, you need call install_middleware(app)
with your
custom FastAPI app
object.
from fastapi_auth.auth_routes import install_middleware
# Your FastAPI app
app = FastAPI()
# install the session middleware
install_middleware(app)
# add endpoints for authentication examples
app.mount("/auth", auth_router)
# add static files (for demo login form)
app.mount("/static", StaticFiles(directory="static"), name="static")
User management
For now, fastapi-auth
stores user accounts inside a Sqlite database. There is
the fastapi-auth-user-admin
utility for managing user accounts through the
commandline. There is no support (and there will be no support) for managing
user accounts through a web admin interface.
adding user
fastapi-auth-user-admin add <username> <password> "Role1,Role2..."
delete user
fastapi-auth-user-admin delete <username>
list users
fastapi-auth-user-admin list-users
set password users
fastapi-auth-user-admin set-password <username> <new-password>
Internals
The implementation is based on top of the starlette-session
(https://pypi-hypernode.com/project/starlette-session/) middleware. The user information
is stored through a signed cookie-based HTTP session. Session information is
readable but not modifiable. The encryption key can be configured through an environment
variable.
Author
Andreas Jung info@zopyx.com
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Hashes for zopyx_fastapi_auth-0.1.1.1.tar.gz
Algorithm | Hash digest | |
---|---|---|
SHA256 | a31f4247a4396e12c89622044748952584b41f7b8220df1834d30eb4451c61ab |
|
MD5 | 906b3f2e7d1a5e6410a24c92eea01c5a |
|
BLAKE2b-256 | 9a33ce65d0dd3c685cbd42a53197ab9b5fbe5ca8e7605ba3c81289381022e5f9 |