Global Dependency and JWT Permission Validation

[rohantandon25]

First Check

• I added a very descriptive title here.
• I used the GitHub search to find a similar question and didn't find it.
• I searched the FastAPI documentation, with the integrated search.
• I already searched in Google "How to X in FastAPI" and didn't find any information.
• I already read and followed all the tutorial in the docs and didn't find an answer.
• I already checked if it is not related to FastAPI but to Pydantic.
• I already checked if it is not related to FastAPI but to Swagger UI.
• I already checked if it is not related to FastAPI but to ReDoc.

Commit to Help

• I commit to help with one of those options 👆

Example Code

secure_router = APIRouter(dependencies=[Security(auth0_token)])
@secure_router.get("/api/{org}/user",
                    dependencies=[Depends(PermissionsValidator(["read:{org}"]))])

and PermissionsValidator is defined as:

class PermissionsValidator:
    def __init__(self, required_permissions: list[str]):
        self.required_permissions = required_permissions

    def __call__(self, token: JWTPayload = Security(auth0_token)):
        token_permissions = token.permissions
        token_permissions_set = set(token_permissions)
        required_permissions_set = set(self.required_permissions)

        if not required_permissions_set.issubset(token_permissions_set):
            raise PermissionDeniedException

Description

My use case is that I have a router which has a global dependency to validate jwt tokens. then, i also have endpoints which come under the secure router where i want to check for the permissions.

It seems to me that the jwt token will be validated twice in this scenario - first in the global dependency and then in the endpoint dependency.

Is it possible to do that only once? Somehow if PermissionsValidator could use the validated JWT Token and extract the permissions from that.

Operating System

Mac

Operating System Details

No response

FastAPI Version

No response

Pydantic Version

No response

Python Version

Python 3.12.2

Additional Context

No response

Originally posted by @rohantandon25 in #10388 (reply in thread)

[YuriiMotov]

FastAPI has a dependency caching mechanism, so auth0_token dependency will be resolved only once per endpoint call.
You can easily check it by replacing auth0_token by function like below:

def auth0_token():
    print("Hi from auth0_token!")
    return JWTPayload(permissions=["read:asd"])

But you have another problem:

@secure_router.get("/api/{org}/user",
                    dependencies=[Depends(PermissionsValidator(["read:{org}"]))])

This line will be executed before FastAPI app started, and the literal string read:{org} will not be resolved. So, you will have ['read:{org}'] in the required_permissions attribute and when user call the endpoint with org=asd, you will compare ['read:{org}'] (which you passed to constructor of PermissionsValidator) with ['read:asd'] (which will be extracted from token) and it will always be False..

You can solve it by adding something like this in the PermissionsValidator.__call__:

        org = request.path_params.get("org", None)
        if org:
            required_permissions_set = {perm.replace(':{org}', f":{org}") for perm in required_permissions_set}

Final working example:

from dataclasses import dataclass
from fastapi import APIRouter, Depends, FastAPI, HTTPException, Request, Security

@dataclass
class JWTPayload():
    permissions: list[str]

class PermissionDeniedException(HTTPException):
    pass

def auth0_token():
    print("Hi from auth0_token!")
    return JWTPayload(permissions=["read:asd"])

class PermissionsValidator:
    def __init__(self, required_permissions: list[str]):
        self.required_permissions = required_permissions

    def __call__(self, request: Request, token: JWTPayload = Security(auth0_token)):
        token_permissions = token.permissions
        token_permissions_set = set(token_permissions)
        required_permissions_set = set(self.required_permissions)

        org = request.path_params.get("org", None)
        if org:
            required_permissions_set = {perm.replace(':{org}', f":{org}") for perm in required_permissions_set}

        if not required_permissions_set.issubset(token_permissions_set):
            raise PermissionDeniedException(status_code=403)


secure_router = APIRouter(dependencies=[Security(auth0_token)])

@secure_router.get("/api/{org}/user", dependencies=[Depends(PermissionsValidator(["read:{org}"]))])
def user(org: str):
    pass

app = FastAPI()
app.include_router(secure_router)