indigo-dc / flaat

FLAsk with Access Tokens - FLAAT
MIT License

No strict auth #75

Closed giosava94 closed 7 months ago

giosava94 commented 7 months ago

Hello, these days I've been working on developing a REST API using flaat to manage authentication and authorization. For some endpoints, I would like to allow access to both authenticated and unauthenticated users, returning different information depending on whether the user is authenticated.

Looking at functions documentation, I saw that the decorator @inject_user_infos is what I was looking for.

:param strict: If set to True, an unauthenticated user will not be able to use the view functions and cause an error instead.

In fact, I would like to use it with strict=False and use the UserInfos object to determine if the user has been successfully authenticated or not (just checking it is None or not). But I noticed that using the endpoint without a bearer token raised an Unauthenticated error.

I looked at the repository issues and found that another user ran into this behavior and was told that a bearer token is mandatory (#59). But, from the documentation, I would expect that, if strict is set to False, unauthenticated users, including ones not providing a bearer token, should be able to access the endpoint.

Since the issue was still open, I tried to look for the cause of this behavior. I looked at the code and found that, when strict is False, self.ignore_no_authn in the _run_work_flow function of the AuthWorkFlow class is True. But, when the self.authenticated_users function does not find a bearer token, it raises an exception before using that information to ignore non-authenticated users. So I added a try-except on that part to set user_infos = None when self.authenticate_user fails and self.ignore_no_authn is True.

I also ran the tests, noticed that the test related to this behavior failed and updated it accordingly. The change involves only the test with no bearer token that uses the /info_no_strict endpoint.

I hope this change can help to resolve the issue and make the code consistent with the documentation (or at least with what I understood from it).

Regards
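The control-flow problem described in this PR (authentication raising before the non-strict flag is consulted) can be shown with a small self-contained model. The following is an added example written for this page, not flaat's own code: the names AuthWorkFlow, ignore_no_authn and authenticate_user mirror those mentioned above, but their bodies, the UserInfos dataclass, the token table and the info_view function are simplified assumptions. run_buggy reproduces the original ordering, run_fixed applies the try-except the PR describes.

```python
"""Added example: minimal model of a strict / non-strict auth workflow.

Illustrative code written for this page, not flaat's implementation.
The names below mirror the ones mentioned in the PR description, but
every body is a simplified assumption.
"""
from dataclasses import dataclass
from typing import Optional


class Unauthenticated(Exception):
    """Raised when no valid bearer token is present."""


@dataclass
class UserInfos:
    subject: str


# Constructed sample: a token -> subject table standing in for real
# token introspection or JWT verification.
_VALID_TOKENS = {"tok-alice": "alice"}


def authenticate_user(headers: dict) -> UserInfos:
    """Extract and validate a bearer token from request headers.

    Raises Unauthenticated when the Authorization header is missing,
    is not a Bearer scheme, or carries an unknown token.
    """
    auth = headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise Unauthenticated("no bearer token")
    subject = _VALID_TOKENS.get(token)
    if subject is None:
        raise Unauthenticated("invalid token")
    return UserInfos(subject=subject)


class AuthWorkFlow:
    def __init__(self, strict: bool):
        # Non-strict mode: unauthenticated requests are allowed and the
        # view receives user_infos=None instead of an error.
        self.ignore_no_authn = not strict

    def run_buggy(self, headers: dict) -> Optional[UserInfos]:
        # Ordering problem described in the PR: authentication raises
        # before ignore_no_authn is ever consulted, so strict=False
        # still fails on a request without a token.
        user_infos = authenticate_user(headers)
        return user_infos

    def run_fixed(self, headers: dict) -> Optional[UserInfos]:
        # Fix described in the PR: catch the failure and degrade to
        # None only when non-strict mode was requested; strict mode
        # re-raises so the error still reaches the caller.
        try:
            user_infos = authenticate_user(headers)
        except Unauthenticated:
            if not self.ignore_no_authn:
                raise
            user_infos = None
        return user_infos


def info_view(user_infos: Optional[UserInfos]) -> dict:
    """A view returning different information for anonymous and
    authenticated callers (the use case from the PR)."""
    if user_infos is None:
        return {"authenticated": False}
    return {"authenticated": True, "subject": user_infos.subject}


def handle(strict: bool, headers: dict, fixed: bool = True) -> dict:
    """Run the workflow for one request and pass the result to the view."""
    wf = AuthWorkFlow(strict=strict)
    user_infos = wf.run_fixed(headers) if fixed else wf.run_buggy(headers)
    return info_view(user_infos)


if __name__ == "__main__":
    print(handle(strict=False, headers={}))
    print(handle(strict=False, headers={"Authorization": "Bearer tok-alice"}))
```

One design point worth noting: the PR's try-except turns every authentication failure into user_infos = None in non-strict mode, so a malformed, expired or unknown token is treated the same as no token at all. A practitioner may prefer to narrow the except to the missing-header case, so that a request presenting a bad token is still rejected rather than silently served as anonymous.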

marcvs commented 7 months ago

Hi @giosava94

Thank you very much for your contribution. I'll take a look in the coming days.

I had one alternative idea on how to address your use-case: I would define the callback via `on_failure`. I just noticed that this callback is only called if an "Authorization" header is present. This is another bug (#76). I'll need to find some time to fix these.

giosava94 commented 7 months ago

Hi @marcvs, thank you for your response and suggestion!

marcvs commented 7 months ago

Ok, I found that it works if you do not pass the "credentials" parameter from the examples. That causes fastapi.security to return "403" before flaat can even act.