fastapi-users / fastapi-users

Ready-to-use and customizable users management for FastAPI
https://fastapi-users.github.io/fastapi-users/
MIT License

[question] Is it possible to avoid database requests using scopes? #217

Closed nullhack closed 4 years ago

nullhack commented 4 years ago

I'm trying to use scopes with fastapi-users. Is there a simple example of how to use scopes?

My goal is to use scopes for things that don't require accessing user data (e.g. I don't need to query the database and get user id if my API is just rendering a list (in memory/redis) that requires the user to have read access), for this I can just check the scope.

Is it possible?

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

martincolladodev commented 4 years ago

Hi @nullhack, working on this kind of thing this weekend I found this library (fastapi-permissions), and it's used by Netflix on the dispatch project (dispatch). It's not using scopes, but I think that could be a good starting point. @frankie567, maybe it could be included in fastapi-users to manage the permissions? (Probably related to #220)

nullhack commented 4 years ago

Thank you, I'll take a look.

frankie567 commented 4 years ago

Currently, the approach is to check against the database if the user id in the JWT still exists and that it has the right permissions (active and superuser).

However, if you implement your own authentication class, I think you can make an authentication that works without DB query. The only constraint is that it returns a valid User object.

I think a scope approach could be interesting, but I don't think it's in the scope of this project. I think we can wire things pretty easily between fastapi-permissions (for example) and fastapi-users with dependency callables.

nullhack commented 4 years ago

The only problem I see is that, by design, fastapi-users checks against the database for every request. This defeats the purpose of permissions from scopes (we want to check fast, without database requests as much as possible).

> However, if you implement your own authentication class, I think you can make an authentication that works without DB query

This would be nice.
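To make concrete what frankie567 describes above (an authentication check that needs no database query) and what nullhack is after (authorizing from a scope claim alone), here is an added example that is not part of this thread or of fastapi-users. It implements the token side of such an authentication class with the standard library only: a minimal HS256 JWT minted with a `scope` claim, and a `require_scopes` check that does exactly what a FastAPI dependency would do per request, verifying signature and expiry and comparing scopes, without touching a user table. The signing key, the `scope` claim layout and the `AuthError` type are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional, Set

# Constructed signing key for this example only; a real deployment loads it from config.
SECRET_KEY = b"example-secret-key-do-not-use"
ALG = "HS256"


class AuthError(Exception):
    """Raised for any token problem; a FastAPI dependency would map this to HTTP 401/403."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, scopes: List[str], ttl_seconds: int = 900) -> str:
    """Mint an HS256 JWT carrying the user id and a space-separated 'scope' claim.
    The short TTL matters: with no per-request DB check, a token stays usable until it expires."""
    now = int(time.time())
    header = {"alg": ALG, "typ": "JWT"}
    payload = {"sub": user_id, "scope": " ".join(scopes), "iat": now, "exp": now + ttl_seconds}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = f"{b64url_encode(compact(header))}.{b64url_encode(compact(payload))}"
    sig = hmac.new(SECRET_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_token(token: str, now: Optional[int] = None) -> Dict:
    """Validate algorithm, signature and expiry; return the claims. No database involved."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise AuthError("malformed token")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != ALG:
        # Pin the algorithm server-side; never trust the token's own 'alg' (e.g. 'none').
        raise AuthError("unexpected alg")
    expected = hmac.new(SECRET_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise AuthError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if int(claims.get("exp", 0)) <= now:
        raise AuthError("expired")
    return claims


def require_scopes(token: str, required: Set[str], now: Optional[int] = None) -> Dict:
    """The per-request check a FastAPI dependency would run: the granted scopes come
    from the verified token only, so an in-memory/redis endpoint never hits the user table."""
    claims = verify_token(token, now)
    granted = set(claims.get("scope", "").split())
    missing = required - granted
    if missing:
        raise AuthError(f"missing scopes: {sorted(missing)}")
    return claims


if __name__ == "__main__":
    tok = issue_token("42", ["items:read"])
    print(require_scopes(tok, {"items:read"}))  # allowed without any DB lookup
```

The trade-off is the one frankie567's comment implies: the database round-trip in fastapi-users is what makes a deactivated or deleted user lose access immediately. Dropping it means a token remains valid until `exp`, so keep the TTL short and treat the scope claim as a snapshot of the user's rights at issue time.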

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.