Python Installation Requirements

sudo pip3 install oso FastAPI passlib[bcrypt] python-jose[cryptography]

Explore

Before getting started, read the following documentation:

Comments are left throughout main.py to guide you through the application's logic.

This application is written with the assumption that it is being passed query params and/or data through the response body.

Policies are defined in auth.polar

Authentication logic is modelled from the FastAPI Security Chapter (see link above) is abstracted to the '/auth' folder.

To test the various API calls are their results, open your terminal and perform the following commands:


# change directory
cd /path/to/this/directory

# spin up FastAPI
bash spin.sh

# In your browser, navigate to: 127.0.0.1:1337/docs
# Through the FastAPI swagger UI, you can test the various example API calls for their results.
# Next, read each route defined in main.py to explore oso + FastAPI functionality.
# When a route header label is clicked through the FastAPI swagger UI, the comments from main.py will be displayed for each corresponding route.

fastapi-oso-hello-world's People

Contributors

Stargazers

Watchers

fastapi-oso-hello-world's Issues

Make use of `FastAPI().middlewear()`

Relevant conversation from slack:

We normally think about authorization decisions as being either (a) middleware over the route, or (b) resource-level in the method bodies. I think your allow_xyz decorator is maybe somewhere between the two? Maybe having something like a one off middleware would avoid needing to duplicate the logic a bit. And then using oso.is_allowed directly in the methods would mean you could do the type validation first using fastapi?

What I'm picturing is something like:

A middleware to check each request is allowed. That can be used to check for route-level access.

Fine-grained access control over data models like:

@app.post("/items/")
async def create_item(item: Item, current_user: User = Depends(get_current_user):
if oso.is_allowed(current_user, "create", item):
return item
else:
return ...

Bonus points -- generic decorator:

The thing that is (imo) really cool about FastAPI is the use of typing and validation. I wonder whether you could make (2) into a generic decorator:

@app.post("/items/")
@oso.authorize
async def create_item(item: Item):
return item

That would do all of:

Adds the get_current_user dependency

Calls oso.is_allowed(current_user, , )

e.g. calls oso.is_allowed(current_user, "create_item", item)

Then the policy could just look like:
allow(user: User, "create_item", item: Item) if
   user.is_admin;allow(user: User, "create_item", item: Item) if
   user = item.created_by;

Include `get_current_user` pattern example

From slack conversation -- demonstrate use of get_current_user:

It would be really nice to show how to use oso with a pattern like this get_current_user pattern: https://fastapi.tiangolo.com/tutorial/security/get-current-user/ so that you can use the user object in the policy.

Recommend Projects