API-key based security utilities for FastAPI, focused on simplicity of use

Overview

FastAPI simple security

API key based security package for FastAPI, focused on simplicity of use:

  • Full functionality out of the box, no configuration required
  • API key security with local sqlite backend, working with both header and query parameters
  • Default 15 days deprecation for generated API keys
  • Key creation, revocation, renewing, and usage logs handled through administrator endpoints
  • No dependencies, only requiring FastAPI and the python standard library

Installation

pip install fastapi_simple_security

Usage

Creating an application

from fastapi_simple_security import api_key_router, api_key_security
from fastapi import Depends, FastAPI

app = FastAPI()

app.include_router(api_key_router, prefix="/auth", tags=["_auth"])

@app.get("/secure", dependencies=[Depends(api_key_security)])
async def secure_endpoint():
    return {"message": "This is a secure endpoint"} 

Resulting app is:

app

API key creation through docs

Start your API and check the logs for the automatically generated secret key if you did not provide one through environment variables.

secret

Go to /docs on your API and inform this secret key in the Authorize/Secret header box. All the administrator endpoints only support header security to make sure the secret key is not inadvertently shared when sharing an URL.

secret_header

Then, you can use /auth/new to generate a new API key.

api key

And finally, you can use this API key to access the secure endpoint.

secure endpoint

API key creation in python

You can of course automate API key acquisition through python with requests and directly querying the endpoints.

If you do so, you can hide the endpoints from your API documentation with the environment variable FASTAPI_SIMPLE_SECURITY_HIDE_DOCS.

Configuration

Environment variables:

  • FASTAPI_SIMPLE_SECURITY_SECRET: Secret administrator key
    • Generated automatically on server startup if not provided
    • Allows generation of new API keys, revoking of existing ones, and API key usage view
    • It being compromised compromises the security of the API
  • FASTAPI_SIMPLE_SECURITY_HIDE_DOCS: Whether or not to hide the API key related endpoints from the documentation
  • FASTAPI_SIMPLE_SECURITY_DB_LOCATION: Location of the local sqlite database file
    • /app/sqlite.db by default
    • When running the app inside Docker, use a bind mount for persistence.
  • FAST_API_SIMPLE_SECURITY_AUTOMATIC_EXPIRATION: Duration, in days, until an API key is deemed expired
    • 15 days by default

Contributing

Running the dev environment

The attached docker image runs a test app on localhost:8080 with secret key TEST_SECRET. Run it with:

git clone https://github.com/mrtolkien/fastapi_simple_security.git . && docker-compose build && docker-compose up

Needed contributions

  • Unit tests
  • More options with sensible defaults
  • Logging per API key?
  • More back-end options for API key storage?
Issues
  • Error while runing

    Error while runing

    I was trying to run the sample code in the Readme. I got an error

    Traceback (most recent call last):
      File "pdfkitv2.py", line 8, in <module>
        from fastapi_simple_security import api_key_router, api_key_security
      File "D:\enviorments\pdfkit\lib\site-packages\fastapi_simple_security\__init__.py", line 1, in <module>
        from fastapi_simple_security.endpoints import api_key_router
      File "D:\enviorments\pdfkit\lib\site-packages\fastapi_simple_security\endpoints.py", line 7, in <module>
        from fastapi_simple_security._security_secret import secret_based_security
      File "<fstring>", line 1
        (SECRET=)
    

    I think there is an error in the file _security_secret.py Line 18.

    opened by devildani 4
  • improved endpoitnt documentation

    improved endpoitnt documentation

    converted endpoint arguments to proper query to have openapi docs display it correctly

    opened by fboerman 4
  • Access api key from function

    Access api key from function

    Thank you for this great library. I have a question. Is there a way to access the API key that was used to request a secure endpoint when the dependency is used globally? For example:

    app.include_router(myrouter, prefix='/myrouter', dependencies=[Depends(api_key_security)])
    
    @myrouter.get('/secured-endpoint/')
    async def secured_endpoint():
        return {'key': 'api-key'}
    

    Does the request state contain the API key or it isn't passed anywhere? If the key isn't available in any context, we will have to use the dependency in each function like this:

    from fastapi.security.api_key import APIKey
    
    
    @app.get('/secured-endpoint/')
    async def secured_endpoint(api_key: APIKey = Depends(api_key_security)):
        return {'key': api_key}
    

    Please let me know if there's a possibility to use the dependency globally on a router and still get the API key value in all sub-routes.

    opened by rehmatworks 2
  • sqllite unable to open database file

    sqllite unable to open database file

    Also reported in #1 here

    Running the script like described in the readme results in a

     File "/home/kai/PycharmProjects/fdm-api/app/main.py", line 5, in <module>
        from fastapi_simple_security import api_key_router, api_key_security
      File "/home/kai/PycharmProjects/fdm-api/venv/lib/python3.9/site-packages/fastapi_simple_security/__init__.py", line 1, in <module>
        from fastapi_simple_security.endpoints import api_key_router
      File "/home/kai/PycharmProjects/fdm-api/venv/lib/python3.9/site-packages/fastapi_simple_security/endpoints.py", line 8, in <module>
        from fastapi_simple_security._sqlite_access import sqlite_access
      File "/home/kai/PycharmProjects/fdm-api/venv/lib/python3.9/site-packages/fastapi_simple_security/_sqlite_access.py", line 218, in <module>
        sqlite_access = SQLiteAccess()
      File "/home/kai/PycharmProjects/fdm-api/venv/lib/python3.9/site-packages/fastapi_simple_security/_sqlite_access.py", line 21, in __init__
        self.init_db()
      File "/home/kai/PycharmProjects/fdm-api/venv/lib/python3.9/site-packages/fastapi_simple_security/_sqlite_access.py", line 24, in init_db
        with sqlite3.connect(self.db_location) as connection:
    sqlite3.OperationalError: unable to open database file
    

    Tried with Python 3.6 as well as 3.9

    opened by Herrner 2
  • Created account_name in createKey request and in usage logs

    Created account_name in createKey request and in usage logs

    Updated the create api request with an additional field 'account_name' in order to create a link between a client/account and the corresponding generated API key. The field is optional and will simply insert a string of "Not Provided" in the database if not provided.

    opened by crossoveranx 1
  • Replaced underscore with hyphen in SECRET_KEY_NAME

    Replaced underscore with hyphen in SECRET_KEY_NAME

    Because nginx by default drops headers with underscores.

    Missing (disappearing) HTTP Headers

    If you do not explicitly set underscores_in_headers on;, NGINX will silently drop HTTP headers with underscores (which are perfectly valid according to the HTTP standard). This is done in order to prevent ambiguities when mapping headers to CGI variables as both dashes and underscores are mapped to underscores during that process. https://www.nginx.com/nginx-wiki/build/dirhtml/start/topics/tutorials/config_pitfalls/

    While it seems possible to reconfigure nginx to accept underscored headers, just getting to the bottom of the issue could take some time (it did for me) and it might be desirable to avoid jumping through hoops by simply replacing the underscore with a hyphen in the SECRET_KEY_NAME, to be secret-key.

    opened by yourkin 1
  • unable to open sqlite db path

    unable to open sqlite db path

    Using: fastapi==0.68.0

    After setup, setting the FASTAPI_SIMPLE_SECURITY_DB_LOCATION does not change the path from the default of /app/sqlite.db as expected. Instead getting hit with this error sqlite3.OperationalError: unable to open database file Looking at the _sqlite_access.py definition doing this instead: def __init__(self): try: self.db_location = os.environ["FASTAPI_SIMPLE_SECURITY_DB_LOCATION"] except KeyError: self.db_location = ""

    seems to work.

    opened by ejakait 1
  • any plan to keep key working after new deployment?

    any plan to keep key working after new deployment?

    basically the db file is not kept

    opened by boltomli 1
  • typo error in _security_secret.py

    typo error in _security_secret.py

     warnings.warn(
         f"ENVIRONMENT VARIABLE 'FASTAPI_SIMPLE_SECURITY_SECRET' NOT FOUND\n"
         f"\tGenerated a single-use secret key for this session:\n"
         f"\t{SECRET=}"
    

    )

    opened by bijonguha 1
  • Changed underscore to hyphen in API_KEY_NAME

    Changed underscore to hyphen in API_KEY_NAME

    Yet another small change in the same line as the previous fix for underscored header (where nginx complains). This also will be a breaking change, but hopefully the users are pinning their releases and it'll be a small thing to fix, and for new users it'll be easier to setup. While a new package is not released it makes sense to have it all consistent header-wise.

    opened by yourkin 0
Releases(1.0.0)
  • 1.0.0(Dec 6, 2021)

Owner
Tolki
Data Analyst in Esports.
Tolki
Ready-to-use and customizable users management for FastAPI

FastAPI Users Ready-to-use and customizable users management for FastAPI Documentation: https://frankie567.github.io/fastapi-users/ Source Code: https

FranƧois Voron 1.5k Jan 12, 2022
FastAPI extension that provides JWT Auth support (secure, easy to use, and lightweight)

FastAPI JWT Auth Documentation: https://indominusbyte.github.io/fastapi-jwt-auth Source Code: https://github.com/IndominusByte/fastapi-jwt-auth Featur

Nyoman Pradipta Dewantara 313 Jan 11, 2022
Auth for use with FastAPI

FastAPI Auth Pluggable auth for use with FastAPI Supports OAuth2 Password Flow Uses JWT access and refresh tokens 100% mypy and test coverage Supports

David Montague 70 Jan 13, 2022
JWT Key Confusion PoC (CVE-2015-9235) Written for the Hack the Box challenge - Under Construction

JWT Key Confusion PoC (CVE-2015-9235) Written for the Hack the Box challenge - Under Construction This script performs a Java Web Token Key Confusion

Alex Fronteddu 1 Jan 13, 2022
A full Rest-API With Oauth2 and JWT for request & response a JSON file Using FastAPI and SQLAlchemy šŸ”‘

Pexon-Rest-API A full Rest-API for request & response a JSON file, Building a Simple WorkFlow that help you to Request a JSON File Format and Handling

Yasser Tahiri 16 Nov 12, 2021
Corsair_scan is a security tool to test Cross-Origin Resource Sharing (CORS).

Welcome to Corsair_scan Corsair_scan is a security tool to test Cross-Origin Resource Sharing (CORS) misconfigurations. CORS is a mechanism that allow

Santander Security Research 112 Dec 15, 2021
Strong, Simple, and Precise security for Flask APIs (using jwt)

flask-praetorian Strong, Simple, and Precise security for Flask APIs API security should be strong, simple, and precise like a Roman Legionary. This p

Tucker Beck 304 Jan 15, 2022
Quick and simple security for Flask applications

Note This project is non maintained anymore. Consider the Flask-Security-Too project as an alternative. Flask-Security It quickly adds security featur

Matt Wright 1.6k Jan 7, 2022
Quick and simple security for Flask applications

Note This project is non maintained anymore. Consider the Flask-Security-Too project as an alternative. Flask-Security It quickly adds security featur

Matt Wright 1.6k Feb 17, 2021
Strong, Simple, and Precise security for Flask APIs (using jwt)

flask-praetorian Strong, Simple, and Precise security for Flask APIs API security should be strong, simple, and precise like a Roman Legionary. This p

Tucker Beck 266 Feb 15, 2021
This script will pull and analyze syscalls in given application(s) allowing for easier security research purposes

SyscallExtractorAnalyzer This script will pull and analyze syscalls in given application(s) allowing for easier security research purposes Goals Teach

Truvis Thornton 19 Nov 24, 2021
Luca Security Concept

Luca Security Concept This is the document source of luca's security concept. Please go here for the HTML version: https://luca-app.de/securityconcept

luca 45 Jan 11, 2022
FastAPI-Login tries to provide similar functionality as Flask-Login does.

FastAPI-Login FastAPI-Login tries to provide similar functionality as Flask-Login does. Installation $ pip install fastapi-login Usage To begin we hav

null 271 Jan 11, 2022
Implements authentication and authorization as FastAPI dependencies

FastAPI Security Implements authentication and authorization as dependencies in FastAPI. Features Authentication via JWT-based OAuth 2 access tokens a

Jacob Magnusson 70 Jan 12, 2022
Imia is an authentication library for Starlette and FastAPI (python 3.8+).

Imia Imia (belarussian for "a name") is an authentication library for Starlette and FastAPI (python 3.8+). Production status The library is considered

Alex Oleshkevich 63 Jan 8, 2022
Easy and secure implementation of Azure AD for your FastAPI APIs šŸ”’ Single- and multi-tenant support.

Easy and secure implementation of Azure AD for your FastAPI APIs ?? Single- and multi-tenant support.

Intility 118 Jan 8, 2022
Simple implementation of authentication in projects using FastAPI

Fast Auth Facilita implementaĆ§Ć£o de um sistema de autenticaĆ§Ć£o bĆ”sico e uso de uma sessĆ£o de banco de dados em projetos com tFastAPi. InstalaĆ§Ć£o e con

null 3 Jan 8, 2022
Auth-Starters - Different APIs using Django & Flask & FastAPI to see Authentication Service how its work

Auth-Starters Different APIs using Django & Flask & FastAPI to see Authentication Service how its work, and how to use it. This Repository based on my

Yasser Tahiri 3 Jan 3, 2022
Authentication with fastapi and jwt cd realistic

Authentication with fastapi and jwt cd realistic Dependencies bcrypt==3.1.7 data

Fredh Macau 1 Jan 4, 2022