Closed nullhack closed 4 years ago
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Hi @nullhack, working on this kind of thing this weekend, I found this library (fastapi-permissions), and it's used by Netflix on the dispatch project (dispatch). It's not using scopes, but I think that could be a good starting point. @frankie567 maybe it could be included in fastapi-users to manage the permissions? (Probably related to #220)
Thank you, I'll take a look.
Currently, the approach is to check against the database whether the user id in the JWT still exists and that it has the right permission (active and superuser).
However, if you implement your own authentication class, I think you can make an authentication that works without DB query. The only constraint is that it returns a valid User object.
I think a scope approach could be interesting, but I don't think it's in the scope of this project. I think we can wire things pretty easily between fastapi-permissions (for example) and fastapi-users with dependency callables.
The only problem I see is that, by design, fastapi-users checks against the database for every request. This defeats the purpose of permissions from scopes (we want to check fast, without database requests as much as possible).
> However, if you implement your own authentication class, I think you can make an authentication that works without DB query.
This would be nice.
I'm trying to use scopes with fastapi-users. Is there a simple example of how to use scopes?
My goal is to use scopes for things that don't require accessing user data (e.g. I don't need to query the database and get the user id if my API is just rendering a list (in memory/redis) that requires the user to have read access); for this I can just check the scope.
Is it possible?
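The scope check discussed in this thread, as an added example that is not part of the thread and is not fastapi-users code: authorization is decided from the signed token alone (signature, algorithm, expiry, scopes), with no database query. It uses only the Python standard library; `SECRET`, `issue_token`, `require_scopes` and the space-separated `scope` claim are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

SECRET = b"constructed-demo-key"  # constructed value; load from a secret store in practice

def b64url(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def unb64url(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))

def issue_token(sub: str, scopes: list, ttl: int = 300, now: Optional[float] = None) -> str:
    """Mint an HS256 JWT with a space-separated `scope` claim (hypothetical layout)."""
    now = time.time() if now is None else now
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "scope": " ".join(scopes), "exp": int(now + ttl)}
    body = b64url(json.dumps(claims).encode())
    sig = b64url(hmac.new(SECRET, header + b"." + body, hashlib.sha256).digest())
    return b".".join((header, body, sig)).decode()

def require_scopes(token: str, needed: set, now: Optional[float] = None) -> dict:
    """Authorize from the token alone; raises PermissionError on any failure."""
    now = time.time() if now is None else now
    try:
        header, body, sig = token.encode().split(b".")
        expected = b64url(hmac.new(SECRET, header + b"." + body, hashlib.sha256).digest())
        # Verify the signature before trusting anything inside the token.
        if not hmac.compare_digest(sig, expected):
            raise PermissionError("bad signature")
        # Pin the algorithm instead of accepting whatever the header claims.
        if json.loads(unb64url(header)).get("alg") != "HS256":
            raise PermissionError("unexpected algorithm")
        claims = json.loads(unb64url(body))
    except ValueError as exc:  # wrong segment count, bad base64 or bad JSON
        raise PermissionError("malformed token") from exc
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    missing = needed - set(claims.get("scope", "").split())
    if missing:
        raise PermissionError(f"missing scopes: {sorted(missing)}")
    return claims
```

Because nothing is looked up, a user who is deactivated or loses a permission keeps the scopes in an already issued token until `exp`, so keep the lifetime short and leave the database check in place on routes where that window matters.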