pysnippet / fastapi-oauth2

Easy to integrate OAuth2 authentication with support for several identity providers.
https://docs.pysnippet.org/fastapi-oauth2
MIT License

๐Ÿ› Bug Report - Guarding against spurious Basic authentication #33

Closed maparent closed 6 months ago

maparent commented 7 months ago

Bug description

Context: I have created a mixed system, where I still allow OAuth against local users, but also allow social OAuth. It is possible I have done something wrong there, but let's still look at what happens downstream. (Sorry that code is not open yet.)

In the FastAPI-OpenAPI /docs page, when I initiate OAuth and it calls my local token endpoint, the browser sends an 'authorization': 'Basic Og==' header (for reasons that still elude me). This corresponds to a param value of ':'. Because it is not empty, jwt_decode gets called in OAuth2Backend:authenticate (at middleware.py:109), raises an exception and I get an unauthorized error.

First, I think a little more defensive coding would be appropriate in this function: i.e. not calling jwt_decode unless the scheme is 'Bearer'; maybe guard against the exception, etc. (Will provide a PR separately.)

Second, I made a subclass of OAuth2Backend in my code to guard against this case, but injecting it entailed also making a subclass of OAuth2Middleware; I think the backend could be provided as an optional parameter of the latter.

Regards

Reproduction URL

No response

Reproduction steps

Screenshots

No response

Logs

INFO:     127.0.0.1:8000 - "POST /api/token HTTP/1.1" 401 Unauthorized

Browsers

Firefox, Safari

OS

Mac
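As an added, stand-alone illustration of the defensive check the report asks for (this is not fastapi-oauth2's own code): split the Authorization header into scheme and credentials first, hand only Bearer credentials to the JWT decoder, and treat a non-Bearer scheme or a decoder failure as an anonymous request instead of an exception. The decoder is passed in as a parameter; `demo_decode` is a constructed stand-in for the real `jwt_decode`, and `basic_is_empty` just shows that `Basic Og==` carries the empty `:` credential described above.

```python
import base64
from typing import Any, Callable, Optional

Decoder = Callable[[str], dict[str, Any]]


def parse_authorization(header: Optional[str]) -> tuple[str, str]:
    """Split 'Scheme credentials' into (scheme, credentials).

    A missing or malformed header yields ("", ""), so callers can treat it
    as "no credentials presented" rather than as an error.
    """
    if not header:
        return "", ""
    scheme, _, credentials = header.strip().partition(" ")
    return scheme.lower(), credentials.strip()


def basic_is_empty(credentials: str) -> bool:
    """True when a Basic credential decodes to ':' (empty user and password),
    which is exactly what the spurious 'Basic Og==' header carries."""
    try:
        decoded = base64.b64decode(credentials, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = decoded.partition(":")
    return sep == ":" and user == "" and password == ""


def authenticate(header: Optional[str], jwt_decode: Decoder) -> Optional[dict[str, Any]]:
    """Return JWT claims only for a well-formed Bearer token, else None.

    Non-Bearer schemes are never fed to the JWT decoder, and any decode or
    verification failure is mapped to "unauthenticated" instead of being
    propagated as an exception that turns into a 401 for an unrelated scheme.
    """
    scheme, credentials = parse_authorization(header)
    if scheme != "bearer" or not credentials:
        return None
    try:
        return jwt_decode(credentials)
    except Exception:  # malformed, expired or badly signed token -> anonymous
        return None


def demo_decode(token: str) -> dict[str, Any]:
    """Constructed stand-in for jwt_decode: accepts one fixed token only."""
    if token == "good-token":
        return {"sub": "alice"}
    raise ValueError("invalid token")
```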

ArtyomVancyan commented 7 months ago

Hi @maparent, I understand your problem and would like to reproduce it myself. Also, I reviewed your pull request, and I think checking scheme.lower() != 'bearer' is not appropriate. Could you please provide a sample application I could run and test locally?

ArtyomVancyan commented 7 months ago

Hi @maparent, I appreciate the issue you have faced in your non-standard system and reported it. I am very interested in solving the problem, and for that, I need a sample application that would help me reproduce the issue and find solutions that don't affect the rest of the functionality. If you could add the minimal subsystem of your application to the demonstration, it would be the best contribution from you.

ArtyomVancyan commented 6 months ago

I am closing this issue because of the inactivity. Feel free to reopen it in the future.