Coverage for docs_src/security/tutorial005_an.py: 100%
94 statements
« prev ^ index » next coverage.py v7.6.1, created at 2024-08-08 03:53 +0000
1from datetime import datetime, timedelta, timezone 1abcde
2from typing import List, Union 1abcde
4import jwt 1abcde
5from fastapi import Depends, FastAPI, HTTPException, Security, status 1abcde
6from fastapi.security import ( 1abcde
7 OAuth2PasswordBearer,
8 OAuth2PasswordRequestForm,
9 SecurityScopes,
10)
11from jwt.exceptions import InvalidTokenError 1abcde
12from passlib.context import CryptContext 1abcde
13from pydantic import BaseModel, ValidationError 1abcde
14from typing_extensions import Annotated 1abcde
16# to get a string like this run:
17# openssl rand -hex 32
18SECRET_KEY = "09d25e094faa6ca2556c818166b7a9563b93f7099f6f0f4caa6cf63b88e8d3e7" 1abcde
19ALGORITHM = "HS256" 1abcde
20ACCESS_TOKEN_EXPIRE_MINUTES = 30 1abcde
23fake_users_db = { 1abcde
24 "johndoe": {
25 "username": "johndoe",
26 "full_name": "John Doe",
27 "email": "johndoe@example.com",
28 "hashed_password": "$2b$12$EixZaYVK1fsbw1ZfbX3OXePaWxn96p36WQoeG6Lruj3vjPGga31lW",
29 "disabled": False,
30 },
31 "alice": {
32 "username": "alice",
33 "full_name": "Alice Chains",
34 "email": "alicechains@example.com",
35 "hashed_password": "$2b$12$gSvqqUPvlXP2tfVFaWK1Be7DlH.PKZbv5H8KnzzVgXXbVxpva.pFm",
36 "disabled": True,
37 },
38}
41class Token(BaseModel): 1abcde
42 access_token: str 1abcde
43 token_type: str 1abcde
46class TokenData(BaseModel): 1abcde
47 username: Union[str, None] = None 1abcde
48 scopes: List[str] = [] 1abcde
51class User(BaseModel): 1abcde
52 username: str 1abcde
53 email: Union[str, None] = None 1abcde
54 full_name: Union[str, None] = None 1abcde
55 disabled: Union[bool, None] = None 1abcde
58class UserInDB(User): 1abcde
59 hashed_password: str 1abcde
62pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto") 1abcde
64oauth2_scheme = OAuth2PasswordBearer( 1abcde
65 tokenUrl="token",
66 scopes={"me": "Read information about the current user.", "items": "Read items."},
67)
69app = FastAPI() 1abcde
72def verify_password(plain_password, hashed_password): 1abcde
73 return pwd_context.verify(plain_password, hashed_password) 1abcde
76def get_password_hash(password): 1abcde
77 return pwd_context.hash(password) 1abcde
80def get_user(db, username: str): 1abcde
81 if username in db: 1abcde
82 user_dict = db[username] 1abcde
83 return UserInDB(**user_dict) 1abcde
86def authenticate_user(fake_db, username: str, password: str): 1abcde
87 user = get_user(fake_db, username) 1abcde
88 if not user: 1abcde
89 return False 1abcde
90 if not verify_password(password, user.hashed_password): 1abcde
91 return False 1abcde
92 return user 1abcde
95def create_access_token(data: dict, expires_delta: Union[timedelta, None] = None): 1abcde
96 to_encode = data.copy() 1abcde
97 if expires_delta: 1abcde
98 expire = datetime.now(timezone.utc) + expires_delta 1abcde
99 else:
100 expire = datetime.now(timezone.utc) + timedelta(minutes=15) 1abcde
101 to_encode.update({"exp": expire}) 1abcde
102 encoded_jwt = jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM) 1abcde
103 return encoded_jwt 1abcde
106async def get_current_user( 1abcde
107 security_scopes: SecurityScopes, token: Annotated[str, Depends(oauth2_scheme)]
108):
109 if security_scopes.scopes: 1abcde
110 authenticate_value = f'Bearer scope="{security_scopes.scope_str}"' 1abcde
111 else:
112 authenticate_value = "Bearer" 1abcde
113 credentials_exception = HTTPException( 1abcde
114 status_code=status.HTTP_401_UNAUTHORIZED,
115 detail="Could not validate credentials",
116 headers={"WWW-Authenticate": authenticate_value},
117 )
118 try: 1abcde
119 payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM]) 1abcde
120 username: str = payload.get("sub") 1abcde
121 if username is None: 1abcde
122 raise credentials_exception 1abcde
123 token_scopes = payload.get("scopes", []) 1abcde
124 token_data = TokenData(scopes=token_scopes, username=username) 1abcde
125 except (InvalidTokenError, ValidationError): 1abcde
126 raise credentials_exception 1abcde
127 user = get_user(fake_users_db, username=token_data.username) 1abcde
128 if user is None: 1abcde
129 raise credentials_exception 1abcde
130 for scope in security_scopes.scopes: 1abcde
131 if scope not in token_data.scopes: 1abcde
132 raise HTTPException( 1abcde
133 status_code=status.HTTP_401_UNAUTHORIZED,
134 detail="Not enough permissions",
135 headers={"WWW-Authenticate": authenticate_value},
136 )
137 return user 1abcde
140async def get_current_active_user( 1abcde
141 current_user: Annotated[User, Security(get_current_user, scopes=["me"])],
142):
143 if current_user.disabled: 1abcde
144 raise HTTPException(status_code=400, detail="Inactive user") 1abcde
145 return current_user 1abcde
148@app.post("/token") 1abcde
149async def login_for_access_token( 1abcde
150 form_data: Annotated[OAuth2PasswordRequestForm, Depends()],
151) -> Token:
152 user = authenticate_user(fake_users_db, form_data.username, form_data.password) 1abcde
153 if not user: 1abcde
154 raise HTTPException(status_code=400, detail="Incorrect username or password") 1abcde
155 access_token_expires = timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES) 1abcde
156 access_token = create_access_token( 1abcde
157 data={"sub": user.username, "scopes": form_data.scopes},
158 expires_delta=access_token_expires,
159 )
160 return Token(access_token=access_token, token_type="bearer") 1abcde
163@app.get("/users/me/", response_model=User) 1abcde
164async def read_users_me( 1abcde
165 current_user: Annotated[User, Depends(get_current_active_user)],
166):
167 return current_user 1abcde
170@app.get("/users/me/items/") 1abcde
171async def read_own_items( 1abcde
172 current_user: Annotated[User, Security(get_current_active_user, scopes=["items"])],
173):
174 return [{"item_id": "Foo", "owner": current_user.username}] 1abcde
177@app.get("/status/") 1abcde
178async def read_system_status(current_user: Annotated[User, Depends(get_current_user)]): 1abcde
179 return {"status": "ok"} 1abcde