Closed maparent closed 6 months ago
Hi @maparent, I understand your problem and would like to reproduce it myself. Also, I reviewed your pull request, and I think checking scheme.lower() != 'bearer' is not appropriate. Could you please provide a sample application I could run and test locally?
Hi @maparent, I appreciate the issue you have faced in your non-standard system and reported. I am very interested in solving the problem, and for that, I need a sample application that would help me reproduce the issue and find solutions that don't affect the rest of the functionality. If you could add the minimal subsystem of your application to the demonstration, it would be the best contribution from you.
I am closing this issue because of inactivity. Feel free to reopen it in the future.
Bug description
Context: I have created a mixed system, where I still allow OAuth against local users, but also allow social OAuth. It is possible I have done something wrong there, but let's still look at what happens downstream. (Sorry that code is not open yet.)
In the FastAPI-OpenAPI /docs page, when I initiate OAuth and it calls my local token endpoint, the browser sends an 'authorization': 'Basic Og==' header (for reasons that still elude me). This corresponds to a param value of ':'. Because it is not empty, jwt_decode gets called in OAuth2Backend:authenticate (at middleware.py:109), raises an exception and I get an unauthorized error.
First, I think a little more defensive coding would be appropriate in this function, i.e. not calling jwt_decode unless the scheme is 'Bearer'; maybe guard against the exception, etc. (Will provide a PR separately.)
Second, I made a subclass of OAuth2Backend in my code to guard against this case, but injecting it entailed also making a subclass of OAuth2Middleware; I think the backend could be provided as an optional parameter of the latter.
Regards
Reproduction URL
No response
Reproduction steps
Screenshots
No response
Logs
Browsers
Firefox, Safari
OS
Mac
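As an added example (not code from the issue's project or from either participant), here is a defensive version of the Authorization-header handling the report describes: the scheme is checked before anything is handed to the JWT decoder, so the 'Basic Og==' header (base64 of ':') yields "not authenticated" instead of an exception. The names `authenticate`, `jwt_decode`, `make_hs256_token` and `SECRET`, and the minimal HS256 verifier standing in for the real decoder, are assumptions for this example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"constructed-demo-secret"  # constructed value, not a real key


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Build a compact HS256 JWT; used only to produce test input here."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def jwt_decode(token: str, secret: bytes) -> dict:
    """Verify an HS256 signature and return the claims; ValueError on any defect."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            raise ValueError("unexpected alg")
        expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise ValueError("bad signature")
        return json.loads(_b64url_decode(body_b64))
    except (ValueError, TypeError, AttributeError) as exc:
        raise ValueError(f"invalid token: {exc}") from exc


def authenticate(authorization: Optional[str], secret: bytes = SECRET) -> Optional[dict]:
    """Return claims for a valid 'Bearer <jwt>' header, else None (not authenticated)."""
    if not authorization:
        return None
    parts = authorization.strip().split(None, 1)
    # Scheme check first: 'Basic Og==' (':') never reaches the decoder.
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None  # Basic and other schemes belong to other handlers
    try:
        return jwt_decode(parts[1].strip(), secret)
    except ValueError:  # malformed or forged token: unauthenticated, not a crash
        return None
```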