How to avoid creating multiple sessions when using Dependencies with Security?

[DurandA]

First Check

• I added a very descriptive title here.
• I used the GitHub search to find a similar question and didn't find it.
• I searched the SQLModel documentation, with the integrated search.
• I already searched in Google "How to X in SQLModel" and didn't find any information.
• I already read and followed all the tutorial in the docs and didn't find an answer.
• I already checked if it is not related to SQLModel but to Pydantic.
• I already checked if it is not related to SQLModel but to SQLAlchemy.

Commit to Help

• I commit to help with one of those options 👆

Example Code (full working example)

from fastapi import Depends, Security
from fastapi.security import SecurityScopes
from sqlmodel import Session, create_engine, select


def get_session():
    with Session(engine) as session:
        yield session


async def get_current_user(
    security_scopes: SecurityScopes,
    token: str = Depends(oauth2_scheme),
    session: Session = Depends(get_session)
):
    # Token read omitted 👈
    user = session.get(User, token_data.user_uuid)
    if user is None:
        raise credentials_exception
    return user


async def get_current_app_user(
    current_user: User = Security(get_current_user, scopes=["app"])
):
    return current_user


@app.patch("/me", response_model=UserRead)
def update_current_user(
    user: UserUpdate,
    current_user: User = Depends(get_current_app_user).
    session: Session = Depends(get_session),
):
    user_data = user.dict(exclude_unset=True)
    for key, value in user_data.items():
        setattr(current_user, key, value)
    # Session and session from current_user are different ⚠️
    session.add(current_user) 
    session.commit()
    session.refresh(current_user)
    return current_user

Description

I am using a synchronous (SQLite) session in a FastAPI Dependency as shown in the SQLModel Tutorial.

When a route "depends" on a Dependency and a Security that use get_session, the session is created twice resulting in errors such as:

sqlalchemy.exc.InvalidRequestError: Object '<User at 0x7f218cbf6a00>' is already attached to session '1' (this is '2')

How can this be prevented? I would expect a Security to reuse Dependencies as long as use_cache=True.

Operating System

Linux

Operating System Details

No response

SQLModel Version

0.0.8

Python Version

Python 3.8.10

Additional Context

No response

I also created a StackOverflow question about this issue.

[Magnaillusion]

You can use Python's functools to explicitly cache the dependency, like so:

from sqlmodel import Session, create_engine, select
from functools import cache


@cache
def get_session():
    with Session(engine) as session:
        yield session

# Omitting the rest of the code

This way, the session will be created only once. Any subsequent calls to the function (i.e. via dependencies) will return the cached object.

[DurandA]

Won't this prevent the session to be recreated for every request (which should be the normal behavior I believe)? I want the session to be created exactly once per request.

[DurandA]

The original code was oversimplified. The issue is introduced when there is both a Security object and a Depends that use get_session(). It looks more like a FastAPI bug with Security behavior than a SQLModel issue. Consequently I created a FastAPI discussion and mark this discussion as solved.