Closed giosava94 closed 7 months ago
Hi @giosava94
Thank you very much for your contribution. I'll take a look in the coming days.
I had one alternative idea on how to address your use case: I would define the callback via `on_failure`. I just noticed that this callback is only called if an "Authorization" header is present. This is another bug (#76). I'll need to find some time to fix these.
Hi @marcvs, thank you for your response and suggestion!
Ok; I found that it works if you do not pass the "credentials" parameter from the examples. That causes fastapi.security to return "403" before flaat can even act.
Hello, in these days I've been working on developing a REST API using flaat to manage authentication and authorization. For some endpoints, I would like to allow access to both authenticated and unauthenticated users, returning different information based on whether the user is authenticated.
Looking at the function documentation, I saw that the decorator @inject_user_infos is what I was looking for:
:param strict: If set to True, an unauthenticated user will not be able to use the view functions and cause an error instead.
In fact, I would like to use it with strict=False and use the UserInfos object to determine whether the user has been successfully authenticated (just checking whether it is None or not). But I noticed that using the endpoint without a bearer token raised an Unauthenticated error.
I looked at the repository issues and found that another user ran into this behavior and was told that a bearer token is mandatory (#59). But, from the documentation, I would expect that, if strict is set to False, unauthenticated users, including ones not providing a bearer token, should be able to access the endpoint.
Since the issue was still open, I tried to look at the cause of this behavior. I looked at the code and found that, when strict is False, self.ignore_no_authn in the _run_work_flow function of the AuthWorkFlow class is True. But, when the self.authenticated_users function does not find a bearer token, it raises an exception before using that information to ignore non-authenticated users. So I added a try-except on that part to set user_infos = None when self.authenticate_user fails and self.ignore_no_authn is True.
I also ran the tests, noticed that the test related to this behavior failed, and updated it accordingly. The change involves only the test with no bearer token that uses the /info_no_strict endpoint.
I hope this change could help to resolve the issue and make the code consistent with the documentation (or at least with what I understood from it).
Regards
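The control-flow problem the pull request describes, modelled as an added example that is neither flaat's code nor the PR's diff: a constructed `authenticate_user` that raises when no bearer token is present, a "before" workflow that calls it before the `ignore_no_authn` flag is ever consulted, and an "after" workflow that catches the failure and yields `user_infos = None` only when `strict` is False. All names here (`AuthenticationError`, `run_workflow_before`, `run_workflow_after`, `info_endpoint`, `denies`) are hypothetical stand-ins for the flaat internals mentioned above; the token check is a placeholder, not real token validation.

```python
"""Constructed model of the strict / ignore_no_authn workflow discussed in the PR.
Hypothetical names; not flaat's implementation."""
from dataclasses import dataclass
from typing import Callable, Optional


class AuthenticationError(Exception):
    """Raised when no usable bearer token was presented (hypothetical)."""


@dataclass
class UserInfos:
    subject: str


def authenticate_user(authorization: Optional[str]) -> UserInfos:
    """Constructed stand-in: accepts only 'Bearer <token>'.

    A real implementation would validate the token against the issuer
    (signature, expiry, audience); this placeholder only checks the shape.
    """
    if not authorization or not authorization.startswith("Bearer "):
        raise AuthenticationError("no bearer token")
    token = authorization[len("Bearer "):].strip()
    if not token:
        raise AuthenticationError("empty bearer token")
    return UserInfos(subject=f"sub-for-{token}")


def run_workflow_before(authorization: Optional[str], strict: bool) -> Optional[UserInfos]:
    """Behaviour the PR reports: the flag exists but is never reached.

    authenticate_user raises on a missing token, so the None check below is
    dead code and strict=False still rejects unauthenticated requests.
    """
    ignore_no_authn = not strict
    user_infos = authenticate_user(authorization)  # raises before the flag matters
    if user_infos is None and not ignore_no_authn:
        raise AuthenticationError("authentication required")
    return user_infos


def run_workflow_after(authorization: Optional[str], strict: bool) -> Optional[UserInfos]:
    """Behaviour after the PR's change: failure is tolerated only when
    strict is False; strict=True still denies, so no protection is lost."""
    ignore_no_authn = not strict
    try:
        user_infos: Optional[UserInfos] = authenticate_user(authorization)
    except AuthenticationError:
        if not ignore_no_authn:
            raise  # strict endpoints keep rejecting unauthenticated callers
        user_infos = None  # non-strict endpoints see "no user" instead of an error
    return user_infos


def info_endpoint(user_infos: Optional[UserInfos]) -> dict:
    """View function returning different information for anonymous and
    authenticated callers, as the PR description wants to do."""
    if user_infos is None:
        return {"authenticated": False}
    return {"authenticated": True, "subject": user_infos.subject}


def denies(workflow: Callable[[Optional[str], bool], Optional[UserInfos]],
           authorization: Optional[str], strict: bool) -> bool:
    """True if the workflow rejects the request with AuthenticationError."""
    try:
        workflow(authorization, strict)
    except AuthenticationError:
        return True
    return False


if __name__ == "__main__":
    # Constructed requests: one without any Authorization header, one with a token.
    print(info_endpoint(run_workflow_after(None, strict=False)))
    print(info_endpoint(run_workflow_after("Bearer abc", strict=False)))
    print("strict denies anonymous:", denies(run_workflow_after, None, True))
    print("old code denied anonymous even when non-strict:", denies(run_workflow_before, None, False))
```

The point to check when reviewing a change like this is the second branch of the `except`: the failure is swallowed only when the flag says so, and re-raised otherwise, so endpoints decorated with `strict=True` behave exactly as before.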