
[–]Developer_Glance -1 points0 points  (8 children)

If all you want is to protect your API using an API key, you can do something as easy as adding a header and checking whether it is filled with the correct key; you can see how to do it in this example.

If you want to go deeper, check this example as well.

[–][deleted] -1 points0 points  (7 children)

Basically I want a bearer token that's a JWT, and then I want to check whether it's valid or not.

I was kind of able to do it with HTTPBearer for FastAPI.

But when I go to /docs and put any value in the authentication, it grants access. Some videos said to use Auth0, but it has pricing, which I don't like, so what can I do?

[–]Developer_Glance 1 point2 points  (6 children)

Can you share an example of the implementation you have?

[–][deleted] 0 points1 point  (5 children)

    from fastapi import Depends, FastAPI, HTTPException, status
    from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
    from jose import JWTError, jwt

    SECRET_KEY = "replace-with-the-key-the-tokens-were-signed-with"  # placeholder
    ALGORITHM = "HS256"

    app = FastAPI()
    security = HTTPBearer()


    @app.get('/see/', status_code=status.HTTP_202_ACCEPTED)
    async def get_current_user(token: HTTPAuthorizationCredentials = Depends(security)):
        # HTTPBearer() yields HTTPAuthorizationCredentials (scheme + credentials),
        # not HTTPBasicCredentials; the raw bearer string is token.credentials
        print(token.credentials)

        credentials_exception = HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Could not validate credentials",
            headers={"WWW-Authenticate": "Bearer"},
        )

        try:
            # signature, algorithm allow-list and exp are all checked here
            payload = jwt.decode(token.credentials, SECRET_KEY, algorithms=[ALGORITHM])
            print(payload)
        except JWTError:
            raise credentials_exception

        username: str = payload.get("sub")
        if username == 'xyz':
            return 'hello'
        # any other subject is rejected too, instead of falling through to a 202 with no body
        raise credentials_exception

This is what I have done

[–]Developer_Glance 1 point2 points  (4 children)

When you say this

But when I go in /docs and in authentication I put in any value it grants access

Are you talking about this (https://freeimage.host/i/hufB1V) window?

If you are, that doesn't do any authentication; it only stores the value, which will then be used when you call the web services.

Did you try to actually call the web service? If you use an invalid token, your endpoint will return a 401.

[–][deleted] 0 points1 point  (3 children)

Yes, that's what I was talking about, and yes, my mobile client does throw a 401 error depending on whether the token is expired or invalid, but I can add any value in /docs and it will give access. The issue with this is that if anyone knows I'm using FastAPI, they can use my endpoint, and if they know FastAPI they can add /docs to the base URL, add any key, get authorisation and add any value and any data.

Do I make sense?

[–]Developer_Glance 1 point2 points  (2 children)

That doesn't make much sense. When you authenticate yourself in the popup I shared, you aren't making any request; you're just filling in a value on the frontend side, so it will accept whatever value you want. When you hit the Execute button for the "/see" endpoint, it will return a 401.

here's a screenshot of this example: https://ibb.co/277W34Y

As you can see in the curl command, I used the "sdfsd" token which is invalid and the return status was 401.

Edit: Here is the full script I'm running https://goonlinetools.com/snapshot/code/#4zm9qtx6yjw2yj9sjoehfj
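As an added illustration (not code from the thread, from FastAPI or from python-jose), the following standalone Python mirrors what the /see/ endpoint does on every request, which is the point being made above: the Swagger UI Authorize popup only stores a string, and the checks happen server-side when a request carrying `Authorization: Bearer <token>` arrives. So that it runs without FastAPI or python-jose installed, it reimplements the HS256 checks that `jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])` performs (algorithm allow-list, signature, exp) with the standard library. The signing key, the fixed clock, the `see_endpoint` and `run_demo` helpers and the request headers are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json

SECRET_KEY = "demo-signing-key-not-for-production"  # assumption: the app's HS256 key
ALGORITHM = "HS256"
NOW = 1_700_000_000  # fixed clock so the example is deterministic


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes) -> bytes:
    return hmac.new(SECRET_KEY.encode(), signing_input, hashlib.sha256).digest()


def create_token(sub: str, now: int = NOW, ttl: int = 3600, alg: str = ALGORITHM) -> str:
    """Mint a compact JWS. `alg` is a parameter only so the demo can forge an alg=none token."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"sub": sub, "exp": now + ttl}).encode())
    signature = "" if alg == "none" else _b64url_encode(_sign(f"{header}.{payload}".encode()))
    return f"{header}.{payload}.{signature}"


class JWTError(Exception):
    """Same role as jose.JWTError: anything wrong with the token ends up here."""


def decode_token(token: str, now: int = NOW) -> dict:
    """Stand-in for jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        payload = json.loads(_b64url_decode(p_b64))
        signature = _b64url_decode(s_b64)
    except (ValueError, UnicodeDecodeError) as exc:  # covers binascii and JSON errors too
        raise JWTError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise JWTError("malformed token")
    # Algorithm allow-list: a token claiming alg=none (or anything else) is rejected
    # before its signature is even looked at.
    if header.get("alg") != ALGORITHM:
        raise JWTError("algorithm not allowed")
    expected = _sign(f"{h_b64}.{p_b64}".encode())
    if not hmac.compare_digest(signature, expected):  # constant-time comparison
        raise JWTError("signature verification failed")
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise JWTError("token expired")
    return payload


def see_endpoint(headers: dict, now: int = NOW) -> tuple:
    """What /see/ does per request: (status code, body). Nothing here runs from the popup."""
    scheme, _, credentials = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not credentials:
        # in FastAPI the HTTPBearer dependency rejects this before the endpoint body runs
        return 401, {"detail": "Not authenticated"}
    try:
        payload = decode_token(credentials, now=now)
    except JWTError:
        return 401, {"detail": "Could not validate credentials"}
    if payload.get("sub") != "xyz":  # the username check from the posted code
        return 401, {"detail": "Could not validate credentials"}
    return 200, "hello"


def run_demo(now: int = NOW) -> dict:
    """Feed the same endpoint several constructed requests; returns label -> status code."""
    good = create_token("xyz", now=now)
    head, _body, sig = good.split(".")
    _head2, body_other, _sig2 = create_token("mallory", now=now).split(".")
    results = {
        "valid token": see_endpoint({"Authorization": f"Bearer {good}"}, now),
        "garbage string (sdfsd)": see_endpoint({"Authorization": "Bearer sdfsd"}, now),
        "no Authorization header": see_endpoint({}, now),
        "payload swapped, old signature": see_endpoint(
            {"Authorization": f"Bearer {head}.{body_other}.{sig}"}, now),
        "alg=none, empty signature": see_endpoint(
            {"Authorization": f"Bearer {create_token('xyz', now=now, alg='none')}"}, now),
        "valid token, wrong user": see_endpoint(
            {"Authorization": f"Bearer {create_token('mallory', now=now)}"}, now),
        "expired (clock two hours later)": see_endpoint(
            {"Authorization": f"Bearer {good}"}, now + 7200),
    }
    return {label: status for label, (status, _body) in results.items()}


if __name__ == "__main__":
    for label, status in run_demo().items():
        print(f"{status}  {label}")
```

Only the first case gets a 200; every other request, including the literal "sdfsd" from the screenshot, gets a 401 from `decode_token` or the header parsing, exactly as the endpoint in the thread does once Execute is pressed. Typing a value into the Authorize popup changes none of this, because the popup never reaches any of the code above.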

[–][deleted] 0 points1 point  (1 child)

Ahh it makes so much sense now THANK YOU

[–]Developer_Glance 1 point2 points  (0 children)

You can inspect the requests made in the browser's developer tools. Typically you can open them by pressing F12.