fastapi-authz is an authorization middleware for FastAPI, it's based on PyCasbin.
Install from pip
pip install fastapi-authz
Clone this repo
git clone https://github.com/pycasbin/fastapi-authz.git
python setup.py install
This middleware is designed to work with another middleware which implement AuthenticationMiddleware
interface.
import base64
import binascii
import casbin
from fastapi import FastAPI
from starlette.authentication import AuthenticationBackend, AuthenticationError, SimpleUser, AuthCredentials
from starlette.middleware.authentication import AuthenticationMiddleware
from fastapi_authz import CasbinMiddleware
app = FastAPI()
class BasicAuth(AuthenticationBackend):
async def authenticate(self, request):
if "Authorization" not in request.headers:
return None
auth = request.headers["Authorization"]
try:
scheme, credentials = auth.split()
decoded = base64.b64decode(credentials).decode("ascii")
except (ValueError, UnicodeDecodeError, binascii.Error):
raise AuthenticationError("Invalid basic auth credentials")
username, _, password = decoded.partition(":")
return AuthCredentials(["authenticated"]), SimpleUser(username)
enforcer = casbin.Enforcer('../examples/rbac_model.conf', '../examples/rbac_policy.csv')
app.add_middleware(CasbinMiddleware, enforcer=enforcer)
app.add_middleware(AuthenticationMiddleware, backend=BasicAuth())
@app.get('/')
async def index():
return "If you see this, you have been authenticated."
@app.get('/dataset1/protected')
async def auth_test():
return "You must be alice to see this."
- anonymous request
curl -i http://127.0.0.1:8000/dataset1/protected
HTTP/1.1 403 Forbidden
date: Mon, 01 Mar 2021 09:00:08 GMT
server: uvicorn
content-length: 11
content-type: application/json
"Forbidden"
- authenticated request
curl -i -u alice:password http://127.0.0.1:8000/dataset1/protected
HTTP/1.1 200 OK
date: Mon, 01 Mar 2021 09:04:54 GMT
server: uvicorn
content-length: 32
content-type: application/json
"You must be alice to see this."
It used the casbin config from examples
folder, and you can find this demo in demo
folder.
You can also view the unit tests to understand this middleware.
Besides, there is another example for CasbinMiddleware
which is designed to work with JWT authentication. You can find
it in demo/jwt_test.py
.
- Fork/Clone repository
- Install fastapi-authz dependencies, and run
pytest
pip install -r dev_requirements.txt
pip install -r requirements.txt
pytest
# update requirements.txt
pip-compile --no-annotate --no-header --rebuild requirements.in
# sync venv
pip-sync
bumpversion major # major release
or
bumpversion minor # minor release
or
bumpversion patch # hotfix release
The authorization determines a request based on {subject, object, action}
, which means what subject
can perform
what action
on what object
. In this plugin, the meanings are:
subject
: the logged-in user nameobject
: the URL path for the web resource likedataset1/item1
action
: HTTP method like GET, POST, PUT, DELETE, or the high-level actions you defined like "read-file", " write-blog" (currently no official support in this middleware)
For how to write authorization policy and other details, please refer to the Casbin's documentation.
This project is under Apache 2.0 License. See the LICENSE file for the full license text.