mrtolkien / fastapi_simple_security Goto Github PK

Hello,

I was just looking through fastapi security/auth libraries and I saw that in this library, api keys and also the secret value is created with uuid4(). However, UUID is not secure for that purpose and should not be used according to RFC4122. Instead, use something like token_urlsafe from the secrets package.

Using:
fastapi==0.68.0

After setup, setting the FASTAPI_SIMPLE_SECURITY_DB_LOCATION does not change the path from the default of /app/sqlite.db as expected. Instead getting hit with this error sqlite3.OperationalError: unable to open database file
Looking at the _sqlite_access.py definition doing this instead:
def __init__(self): try: self.db_location = os.environ["FASTAPI_SIMPLE_SECURITY_DB_LOCATION"] except KeyError: self.db_location = ""

seems to work.

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• #25

Ignored or Blocked

These are blocked by an existing closed PR and will not be recreated unless you click a checkbox below.

• Update dependency coverage to v7

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

basically the db file is not kept

I was trying to run the sample code in the Readme. I got an error

Traceback (most recent call last):
  File "pdfkitv2.py", line 8, in <module>
    from fastapi_simple_security import api_key_router, api_key_security
  File "D:\enviorments\pdfkit\lib\site-packages\fastapi_simple_security\__init__.py", line 1, in <module>
    from fastapi_simple_security.endpoints import api_key_router
  File "D:\enviorments\pdfkit\lib\site-packages\fastapi_simple_security\endpoints.py", line 7, in <module>
    from fastapi_simple_security._security_secret import secret_based_security
  File "<fstring>", line 1
    (SECRET=)

I think there is an error in the file _security_secret.py Line 18.

Also reported in #1 here

Running the script like described in the readme results in a

 File "/home/kai/PycharmProjects/fdm-api/app/main.py", line 5, in <module>
    from fastapi_simple_security import api_key_router, api_key_security
  File "/home/kai/PycharmProjects/fdm-api/venv/lib/python3.9/site-packages/fastapi_simple_security/__init__.py", line 1, in <module>
    from fastapi_simple_security.endpoints import api_key_router
  File "/home/kai/PycharmProjects/fdm-api/venv/lib/python3.9/site-packages/fastapi_simple_security/endpoints.py", line 8, in <module>
    from fastapi_simple_security._sqlite_access import sqlite_access
  File "/home/kai/PycharmProjects/fdm-api/venv/lib/python3.9/site-packages/fastapi_simple_security/_sqlite_access.py", line 218, in <module>
    sqlite_access = SQLiteAccess()
  File "/home/kai/PycharmProjects/fdm-api/venv/lib/python3.9/site-packages/fastapi_simple_security/_sqlite_access.py", line 21, in __init__
    self.init_db()
  File "/home/kai/PycharmProjects/fdm-api/venv/lib/python3.9/site-packages/fastapi_simple_security/_sqlite_access.py", line 24, in init_db
    with sqlite3.connect(self.db_location) as connection:
sqlite3.OperationalError: unable to open database file

Tried with Python 3.6 as well as 3.9

when using pip (and not poetry...) the error is

The conflict is caused by:

• The user requested fastapi==0.75.2
• fastapi-simple-security 1.0.1 depends on fastapi<0.71 and >=0.70

From the package on pypi

fastapi_simple_security-1.0.1.dist-info/METADATA:Requires-Dist: fastapi (>=0.70,<0.71)
The only other ref to fastapi in your repo is

[[package]]
name = "fastapi"
version = "0.70.0"
description = "FastAPI framework, high performance, easy to learn, fast to code, ready for production"
category = "main"
optional = false
python-versions = ">=3.6.1"

pip install -r requirements.txt fails to resolve dependencies, because fastapi_simple_security is trying to force an older version of fastapi.

I Momentarily solved it by manually installing an older fastapi version in my application, but I see no reason why this should be the way to go (new versions don't introduce breaking changes).

Thanks!

Thank you for this great library. I have a question. Is there a way to access the API key that was used to request a secure endpoint when the dependency is used globally? For example:

app.include_router(myrouter, prefix='/myrouter', dependencies=[Depends(api_key_security)])

@myrouter.get('/secured-endpoint/')
async def secured_endpoint():
    return {'key': 'api-key'}

Does the request state contain the API key or it isn't passed anywhere? If the key isn't available in any context, we will have to use the dependency in each function like this:

from fastapi.security.api_key import APIKey


@app.get('/secured-endpoint/')
async def secured_endpoint(api_key: APIKey = Depends(api_key_security)):
    return {'key': api_key}

Please let me know if there's a possibility to use the dependency globally on a router and still get the API key value in all sub-routes.

 warnings.warn(
     f"ENVIRONMENT VARIABLE 'FASTAPI_SIMPLE_SECURITY_SECRET' NOT FOUND\n"
     f"\tGenerated a single-use secret key for this session:\n"
     f"\t{SECRET=}"

)