Hi!

First off, thank you for a nice and useful package! Please find a bug report below.

Repro

• any fastapi app
• fastapi security configured with:

from fastapi_security import FastAPISecurity
security = FastAPISecurity()
security.init_basic_auth(settings.BASIC_AUTH_CREDENTIALS)

• request:

$ curl localhost:8080/api/v1/ -v

Expected Behaviour

Response contains WWW-Authenticate: Basic header, as it is the only supported authentication method.

Actual Behaviour:

$ curl localhost:8080/api/v1/ -v
*   Trying 127.0.0.1:8080...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET /api/v1/ HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< date: Thu, 03 Jun 2021 10:34:20 GMT
< server: uvicorn
< www-authenticate: Bearer
< content-length: 43
< content-type: application/json
< 
* Connection #0 to host localhost left intact
{"detail":"Could not validate credentials"}

There's a section of code that is responsible for www-authenticate header, https://github.com/jmagnusson/fastapi-security/blob/main/fastapi_security/api.py#L212-L215, that is only returning "Basic" if there is a valid Authorization: Basic ... header, which seems like it is not needed.

According to https://datatracker.ietf.org/doc/html/rfc7235#section-4.1, a WWW-Authenticate header may contain multiple challenges,

,

so it should be possible to return both Basic and Bearer if they are initialized.

:robot: I have created a release beep boop

0.5.0 (2022-03-11)

⚠ BREAKING CHANGES

• Make oauth2 dependencies optional

Bug Fixes

• Make oauth2 dependencies optional (e0db0f4)

Documentation

• Document new extra for oauth2 support (73e1696)
• Update changelog to conform to release-please format (c9bfb16)

This PR was generated with Release Please. See documentation.

Problem

By declaring ubuntu-latest on the workflows.ci like so:

jobs:
  ci:
    runs-on: ubuntu-latest

the following happens:

(screenshot taken from the latest CI action of this project)

However, given that the purpose of the CI is to test multiple python versions on multiple OS environments, this is not correct. Instead, the above should declare something like:

(screenshot taken from another open-source project)

Proposed Solution

We could replace the above code snippet with a parameterized version of it:

jobs:
  ci:
    runs-on: ${{ matrix.os }}

Sometimes it's not required to check for aud. Previously, this library didn't allow that, requiring a list of audiences to check the JWT token against. A simple change of logic allows now allows doing so.

This PR's goal is to enable storing password digests (instead of plaintext) to increase security.

It is admittedly a very early version aimed mostly at collecting feedback. I tried to introduce this with as little change as possible to the existing functionality to maintain backward compat, althought it is probably possible to add this to the basic_auth class directly.

I'm open to suggestions, and I have enabled edits by maintainers if you feel like applying some minor changes directly. Also, feel free to take this as a proof-of-concept, and implement it in a completely independent branch, that's absolutely fine by me.