Make OAuth2PasswordBearer compatible with WebSocket objects #8983
-
We don't have the

    from fastapi.websockets import WebSocket
    from fastapi import FastAPI

    app = FastAPI()


    @app.websocket("/ws")
    async def websocket_endpoint(websocket: WebSocket):
        # Show the handshake headers the client sent
        print(websocket.headers)
        await websocket.accept()
        while True:
            data = await websocket.receive_text()
            await websocket.send_text(f"Message text was: {data}")

For those who want to verify, run with: And establish a connection:
-
I know, that's what I'm saying.
-
It's not possible to implement it for
What is possible to do is:
A "clean way" could be just returning
P.S.: As soon as I saw your last message I tried to implement it, then I faced the mentioned issue.
-
Your efforts are highly appreciated! I'm not very familiar with the internals of FastAPI, so I'm not sure which option is best for this use case. Should we keep this issue open for others to think along?
-
Sure! 🤓 👍
-
Haven't used this myself, but you might have a look at: https://indominusbyte.github.io/fastapi-jwt-auth/advanced-usage/websocket/
-
Hi, just encountered this issue too. I am not familiar with FastAPI internals, but maybe it's worth adding websocket support when
-
Also interested in this 👀
I maintain an authentication library which relies internally on
I get questions from some users who don't understand why it's not working for websockets. It would be nice indeed if those security schemes could support websockets in some way. I get that there is a gotcha with the
I've not thought about it very much, so maybe it's totally wrong and it probably needs a lot of changes in the codebase. Would be happy to help if needed though 😄
-
Just found this PR on Starlette: encode/starlette#527
-
Clearly, that would definitely help! But it seems there are some blockers there. Not sure how we could help, though 😅
-
Any news about this? It would be great to be able to easily secure websocket routes.
-
It seems that the WebSocket API in the browser doesn't support custom headers (e.g. 'Authorization') yet... Even though FastAPI would support extracting and verifying the token for both websocket & HTTP endpoints, we developers have to implement websocket security by hand; refer to the suggestions at 'https://websockets.readthedocs.io/en/stable/topics/authentication.html'.
-
I've made a PR for this issue: #10147
Please feel free to review or comment :)
-
If you're interested, this guy did a nice job by simply overriding
-
I'm trying to implement WebSockets.
Just like with HTTP, I use a header called 'X-Authorization' for my JWT token:
websocket.WebSocketApp("ws://localhost:5000/api/v1/subscriptions/", header={"X-Authorization": f"Bearer {token}"})
I inject a dependency called get_current_user. This dependency uses OAuth2PasswordBearer (in line with documentation).

This results in the following error:

... because OAuth2PasswordBearer always looks at the Request object, which we don't have when using WebSockets:

fastapi/fastapi/security/oauth2.py
Line 153 in 5614b94

According to the documentation, WebSocket objects have Header as well, so shouldn't we allow for looking at the WebSocket object?
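An added example, not part of the original post and not FastAPI's own code: one way to read the 'X-Authorization' bearer token from the WebSocket handshake headers by hand and refuse the connection with close code 1008 when it is missing or invalid. It is written against any object exposing `.headers` and `.close()` so it runs without FastAPI installed; `bearer_token`, `FakeWebSocket`, `handshake` and `VALID_TOKENS` are hypothetical names and constructed data.

```python
import asyncio
from typing import Callable, Mapping, Optional

WS_1008_POLICY_VIOLATION = 1008  # RFC 6455 close code: policy violation
VALID_TOKENS = {"constructed-token-123": "alice"}  # constructed sample data


def bearer_token(headers: Mapping[str, str], name: str = "X-Authorization") -> Optional[str]:
    """Return the token from a 'Bearer <token>' handshake header, else None."""
    lowered = {k.lower(): v for k, v in headers.items()}
    scheme, _, param = (lowered.get(name.lower()) or "").strip().partition(" ")
    param = param.strip()
    # Reject other schemes, empty tokens and values with embedded whitespace.
    if scheme.lower() != "bearer" or not param or len(param.split()) != 1:
        return None
    return param


async def get_current_user(websocket, verify: Callable[[str], Optional[str]]) -> Optional[str]:
    """Authenticate from the handshake headers before accept() is called."""
    token = bearer_token(websocket.headers)
    user = verify(token) if token else None
    if user is None:
        # Refuse the connection with a close code instead of an HTTP error response.
        await websocket.close(code=WS_1008_POLICY_VIOLATION)
    return user


class FakeWebSocket:
    """Constructed stand-in exposing only .headers and .close()."""

    def __init__(self, headers: Mapping[str, str]):
        self.headers = headers
        self.closed_with: Optional[int] = None

    async def close(self, code: int = 1000) -> None:
        self.closed_with = code


def handshake(headers: Mapping[str, str]):
    """Run one constructed handshake; return (user, close code or None)."""
    ws = FakeWebSocket(headers)
    user = asyncio.run(get_current_user(ws, VALID_TOKENS.get))
    return user, ws.closed_with
```

In a real endpoint the caller would only call `accept()` when a user is returned, and `verify` would be the JWT validation already used for the HTTP routes.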