fastapi.security.APIKeyHeader auth class doesn't validate authentication scheme_name argument

[navhits]

First Check

• I added a very descriptive title to this issue.
• I used the GitHub search to find a similar issue and didn't find it.
• I searched the FastAPI documentation, with the integrated search.
• I already searched in Google "How to X in FastAPI" and didn't find any information.
• I already read and followed all the tutorial in the docs and didn't find an answer.
• I already checked if it is not related to FastAPI but to Pydantic.
• I already checked if it is not related to FastAPI but to Swagger UI.
• I already checked if it is not related to FastAPI but to ReDoc.

Commit to Help

• I commit to help with one of those options 👆

Example Code

from fastapi import FastAPI, Security, Depends
from fastapi.security.api_key import APIKeyHeader, APIKey


"""
We want the APIKeyHeader class to return the value of the provided header.
Along with that, we will also need the class to validate if the header's auth scheme matches the provided scheme.
"""


scheme="Token"

auth_header = APIKeyHeader(name="Authorization", scheme_name=scheme, auto_error=False)


async def get_auth(auth_header: str = Security(auth_header)):
    print(f'Original scheme is {scheme}')
    print(f'User provided scheme was {auth_header.split(" ")[0]}')
    if auth_header:
        return auth_header
    else:
        return None

app = FastAPI()


@app.get("/")
async def hello(api_key: APIKey = Depends(get_auth)):
    return "Hello"


if __name__ == "__main__":
    import uvicorn
    uvicorn.run(app, host="0.0.0.0", port=8000)

Description

• Run the curl command,

  curl --location --request GET 'http://localhost:8000/' \
  --header 'Authorization: Token asd'

• If you check the console you will see,

  Original scheme is Token
  User provided scheme was Token
  

• Now change the Auth scheme to Basic or something else and run the same command

  curl --location --request GET 'http://localhost:8000/' \
  --header 'Authorization: Basic asd'

• If you check the console you will see,

  Original scheme is Token
  User provided scheme was Basic

• I expect fastapi.security.APIKeyHeader class to validate the provided auth scheme. Since it takes the arg. scheme_name I safely assume its best to validate it within the class rather than me writing the validation.
• Since this is already implemented in fastapi.security.HTTPBasic in line 71

Operating System

macOS

Operating System Details

No response

FastAPI Version

0.70.0

Python Version

3.9.4

Additional Context

I see that in line 53 of fastapi.security.APIKeyHeader class, the usage of self.__class__.__name__ when scheme_name is not provided, might cause confusion when implementing the validation of scheme. It is safe to either return the value and skip the scheme validation or simply raise Exception to the user.

[navhits]

I also have another suggestion for usage of scheme_name in APIKeyQuery and in APIKeyCookie. This argument won't be necessary as auth schemes are usually not part of query params or cookies according to my knowledge.

[navhits]

I'd be happy to send a PR if necessary. Let me know ;)

[YuriiMotov]

scheme_name parameter has different meaning, it's just the name that will be used in openapi for this security scheme:

    "securitySchemes": {
      "APIKeyCookie": {
        "type": "apiKey",
        "in": "cookie",
        "name": "session"
      }
    }

APIKey*** classes assume that token is sent as a value of parameter without any prefixes.
If you need to accept it as Authorization: Schema asd then you need to use another security class