Dependencies#
Request token dependencies#
Sometimes, you may need to access data relative to JWT authentication in a request. Such data might include the encoded JWT, the CSRF double submit token, or the location of the JWT.
To retrieve this information from a request, AuthX provides AuthX.get_token_from_request
.
get_token_from_request
allows you to specify the token type you wish to retrieve with the type
argument and to enforce token availability with the optional
argument.
from fastapi import FastAPI, Depends
from authx import AuthX, RequestToken
app = FastAPI()
security = AuthX()
TokenGetter = Callable[[Request], Awaitable[RequestToken]]
OptTokenGetter = Callable[[Request], Awaitable[RequestToken | None]]
get_access_from_request: TokenGetter = security.get_token_from_request(
type: TokenType = "access",
optional: bool = False
)
get_optional_refresh_from_request: OptTokenGetter = security.get_token_from_request(
type: TokenType = "access",
optional: bool = False
)
@app.get('/get_token')
async def get_token(token: RequestToken = Depends(get_access_from_request)):
...
Please note that even if optional
is set to False
, the route will raise an error only because no token is available in the request and not because the token in the request has been invalidated.
get_token_from_request
dependencies do not provide token validation. This dependency only looks for the token's presence in the request.
Token validation dependencies#
AuthX provides three main dependencies for token requirements.
These methods are AuthX properties returning a FastAPI dependency Callable[[Request], TokenPayload]
. When these dependencies are resolved, they return a TokenPayload
.
AuthX.access_token_required
#
access_token_required
is a property returning a FastAPI dependency to enforce the presence and validity of an access
token in the request. This dependency will apply the following verification:
- JWT Validation: verify
exp
,iat
,nbf
,iss
,aud
claims - Token type verification:
access
only - CSRF double submit verification: if CSRF enabled and token location in cookies
- Token freshness: not required for this dependency
AuthX.refresh_token_required
#
refresh_token_required
is a property returning a FastAPI dependency to enforce the presence and validity of a refresh
token in the request. This dependency will apply the following verification:
- JWT Validation: verify
exp
,iat
,nbf
,iss
,aud
claims - Token type verification:
request
only - CSRF double submit verification: if CSRF enabled and token location in cookies
- Token freshness: not required for this dependency
AuthX.fresh_token_required
#
access_token_required
is a property returning a FastAPI dependency to enforce the presence and validity of an access
token in the request. It also needs the token to be fresh
. This dependency will apply the following verification:
- JWT Validation: verify
exp
,iat
,nbf
,iss
,aud
claims - Token type verification:
access
only - CSRF double submit verification: if CSRF enabled and token location in cookies
- Token freshness: not required for this dependency
Additional token dependency#
In addition to the three dependencies specified above, AuthX provides AuthX.token_required
as an additional layer of customization for token requirements.
from fastapi import FastAPI, Depends
from authx import AuthX, TokenPayload
app = FastAPI()
security = AuthX()
access_token_required = security.token_required(
type: str = "access",
verify_type: bool = True,
verify_fresh: bool = False,
verify_csrf: Optional[bool] = None
)
fresh_token_required = security.token_required(
type: str = "access",
verify_type: bool = True,
verify_fresh: bool = True,
verify_csrf: Optional[bool] = None
)
refresh_token_required = security.token_required(
type: str = "refresh",
verify_type: bool = True,
verify_fresh: bool = False,
verify_csrf: Optional[bool] = None
)
no_csrf_required = security.token_required(
type: str = "access",
verify_type: bool = True,
verify_fresh: bool = False,
verify_csrf: Optional[bool] = False
)
@app.post('/no_csrf')
def post_no_csrf(payload: TokenPayload = Depends(no_csrf_required)):
# This function is protected but does not require
# CSRF double submit token in case of authentication via Cookies
# This is useful for API calls that are not protected by CSRF
# but are protected by other means
...
We have regenerated the main token dependencies from the AuthX.token_required
method in the highlighted section. AuthX.token_required
returns a Callable to be used as a dependency.
(str, bool, bool, Optional[bool]) -> Callable[[Request], TokenPayload]
As a custom token validation dependency, we have created no_csrf_required
. This dependency requires a valid access
token in the request, but it will not execute CSRF validation if the token is located in cookies.
Work in progress
The verify_csrf
argument is an optional boolean to enable/disable CSRF protection. If None
, it uses the default AuthXConfig.JWT_COOKIE_CSRF_PROTECT
settings to determine if CSRF protection is enabled or not.