Excluded URLs (#6)

* excluded urls for auth middleware possible

* added additional tests

Co-authored-by: Yannic Schröer <yannicschroer@Yannics-MBP.fritz.box>

Author: yannicschroeer

fastapi_auth_middleware/middleware.py

@@ -46,13 +46,15 @@ def identity(self) -> str:
 class FastAPIAuthBackend(AuthenticationBackend):
     """ Auth Backend for FastAPI """
 
-    def __init__(self, verify_header: Callable[[Dict], Tuple[List[str], BaseUser]]):
+    def __init__(self, verify_header: Callable[[Dict], Tuple[List[str], BaseUser]], excluded_urls: List[str] = None):
         """ Auth Backend constructor. Part of an AuthenticationMiddleware as backend.
 
         Args:
             verify_header (callable): A function handle that returns a list of scopes and a BaseUser
+            excluded_urls (List[str]): A list of URL paths (e.g. ['/login', '/contact']) the middleware should not check for user credentials ( == public routes)
         """
         self.verify_header = verify_header
+        self.excluded_urls = [] if excluded_urls is None else excluded_urls
 
     async def authenticate(self, conn: HTTPConnection) -> Tuple[AuthCredentials, BaseUser]:
         """ The 'magic' happens here. The authenticate method is invoked each time a route is called that the middleware is applied to.
@@ -63,6 +65,9 @@ async def authenticate(self, conn: HTTPConnection) -> Tuple[AuthCredentials, Bas
         Returns:
             Tuple[AuthCredentials, BaseUser]: A tuple of AuthCredentials (scopes) and a user object that is or inherits from BaseUser
         """
+        if conn.url.path in self.excluded_urls:
+            return AuthCredentials(scopes=[]), "Unauthenticated User"
+
         if "Authorization" not in conn.headers:
             raise AuthenticationError("Authorization header missing")
 
@@ -82,7 +87,8 @@ async def authenticate(self, conn: HTTPConnection) -> Tuple[AuthCredentials, Bas
 def AuthMiddleware(
         app: FastAPI,
         verify_header: Callable[[str], Tuple[List[str], BaseUser]],
-        auth_error_handler: Callable[[Request, AuthenticationError], JSONResponse] = None
+        auth_error_handler: Callable[[Request, AuthenticationError], JSONResponse] = None,
+        excluded_urls: List[str] = None
 ):
     """ Factory method, returning an AuthenticationMiddleware
     Intentionally not named with lower snake case convention as this is a factory method returning a class. Should feel like a class.
@@ -91,6 +97,7 @@ def AuthMiddleware(
         app (FastAPI): The FastAPI instance the middleware should be applied to. The `add_middleware` function of FastAPI adds the app as first argument by default.
         verify_header (Callable[[str], Tuple[List[str], BaseUser]]): A function handle that returns a list of scopes and a BaseUser
         auth_error_handler (Callable[[Request, Exception], JSONResponse]): Optional error handler for creating responses when an exception was raised in verify_authorization_header
+        excluded_urls (List[str]): A list of URL paths (e.g. ['/login', '/contact']) the middleware should not check for user credentials ( == public routes)
 
     Examples:
         ```python
@@ -103,4 +110,4 @@ def verify_authorization_header(auth_header: str) -> Tuple[List[str], FastAPIUse
         app.add_middleware(AuthMiddleware, verify_authorization_header=verify_authorization_header)
         ```
     """
-    return AuthenticationMiddleware(app, backend=FastAPIAuthBackend(verify_header), on_error=auth_error_handler)
+    return AuthenticationMiddleware(app, backend=FastAPIAuthBackend(verify_header=verify_header, excluded_urls=excluded_urls), on_error=auth_error_handler)

tests/test_middleware.py

@@ -28,9 +28,13 @@ def raise_exception_in_verify_authorization_header(_):
 
 
 #  Sample app with simple routes, takes a verify_authorization_header callable that is applied to the middleware
-def fastapi_app(verify_header: Callable, auth_error_handler: Callable = None):
+def fastapi_app(verify_header: Callable, auth_error_handler: Callable = None, excluded_urls: List[str] = None):
     app = FastAPI()
-    app.add_middleware(AuthMiddleware, verify_header=verify_header, auth_error_handler=auth_error_handler)
+    app.add_middleware(AuthMiddleware, verify_header=verify_header, auth_error_handler=auth_error_handler, excluded_urls=excluded_urls)
+
+    @app.get("/public")
+    def public():
+        return 'Hello Public World'
 
     @app.get("/")
     def home():
@@ -57,7 +61,7 @@ class TestBasicBehaviour:
 
     @fixture
     def client(self) -> TestClient:
-        app = fastapi_app(verify_header)
+        app = fastapi_app(verify_header, excluded_urls=["/public"])
         return TestClient(app)
 
     @fixture
@@ -97,3 +101,12 @@ def handle_auth_error(request: Request, exception: AuthenticationError):
 
         response = client_with_auth_error.get('/', headers={"Authorization": "ey.."})
         assert response.status_code == 401
+
+    def test_public_path(self, client):
+        assert client.get("/public").status_code == 200
+
+    def test_public_path_with_fragments(self, client):
+        assert client.get("/public#abcdef").status_code == 200
+
+    def test_public_path_with_query(self, client):
+        assert client.get("/public?abcdef=x").status_code == 200