HTTP 基本认证¶
对于最简单的情况,你可以使用 HTTP 基本认证。
在 HTTP 基本认证中,应用程序期望一个包含用户名和密码的 HTTP 头。
如果未收到,则返回 HTTP 401 "Unauthorized"(未授权)错误。
并返回一个 WWW-Authenticate 头,其值为 Basic,以及一个可选的 realm 参数。
这会告诉浏览器显示集成的用户名和密码提示框。
然后,当你输入用户名和密码后,浏览器会自动将它们发送到 HTTP 头中。
简单的 HTTP 基本认证¶
- 导入
HTTPBasic和HTTPBasicCredentials。 - 使用
HTTPBasic创建一个 “security方案”。 - 在你的路径操作中,将该
security用于一个依赖。 - 它会返回一个
HTTPBasicCredentials类型的对象。- 该对象包含发送的
username和password。
- 该对象包含发送的
from typing import Annotated
from fastapi import Depends, FastAPI
from fastapi.security import HTTPBasic, HTTPBasicCredentials
app = FastAPI()
security = HTTPBasic()
@app.get("/users/me")
def read_current_user(credentials: Annotated[HTTPBasicCredentials, Depends(security)]):
return {"username": credentials.username, "password": credentials.password}
🤓 其他版本和变体
from fastapi import Depends, FastAPI
from fastapi.security import HTTPBasic, HTTPBasicCredentials
from typing_extensions import Annotated
app = FastAPI()
security = HTTPBasic()
@app.get("/users/me")
def read_current_user(credentials: Annotated[HTTPBasicCredentials, Depends(security)]):
return {"username": credentials.username, "password": credentials.password}
提示
如果可能,请优先使用 Annotated 版本。
from fastapi import Depends, FastAPI
from fastapi.security import HTTPBasic, HTTPBasicCredentials
app = FastAPI()
security = HTTPBasic()
@app.get("/users/me")
def read_current_user(credentials: HTTPBasicCredentials = Depends(security)):
return {"username": credentials.username, "password": credentials.password}
当你第一次尝试打开 URL(或点击文档中的“Execute”按钮)时,浏览器会要求你输入用户名和密码
检查用户名¶
这是一个更完整的示例。
使用依赖项来检查用户名和密码是否正确。
为此,请使用 Python 标准模块 secrets 来检查用户名和密码。
secrets.compare_digest() 需要接受 bytes 或仅包含 ASCII 字符(英文字符)的 str,这意味着它不适用于像 á(如 Sebastián)这样的字符。
为了处理这种情况,我们首先将 username 和 password 编码为 UTF-8 格式的 bytes。
然后我们可以使用 secrets.compare_digest() 来确保 credentials.username 是 "stanleyjobson",并且 credentials.password 是 "swordfish"。
import secrets
from typing import Annotated
from fastapi import Depends, FastAPI, HTTPException, status
from fastapi.security import HTTPBasic, HTTPBasicCredentials
app = FastAPI()
security = HTTPBasic()
def get_current_username(
credentials: Annotated[HTTPBasicCredentials, Depends(security)],
):
current_username_bytes = credentials.username.encode("utf8")
correct_username_bytes = b"stanleyjobson"
is_correct_username = secrets.compare_digest(
current_username_bytes, correct_username_bytes
)
current_password_bytes = credentials.password.encode("utf8")
correct_password_bytes = b"swordfish"
is_correct_password = secrets.compare_digest(
current_password_bytes, correct_password_bytes
)
if not (is_correct_username and is_correct_password):
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Incorrect username or password",
headers={"WWW-Authenticate": "Basic"},
)
return credentials.username
@app.get("/users/me")
def read_current_user(username: Annotated[str, Depends(get_current_username)]):
return {"username": username}
🤓 其他版本和变体
import secrets
from fastapi import Depends, FastAPI, HTTPException, status
from fastapi.security import HTTPBasic, HTTPBasicCredentials
from typing_extensions import Annotated
app = FastAPI()
security = HTTPBasic()
def get_current_username(
credentials: Annotated[HTTPBasicCredentials, Depends(security)],
):
current_username_bytes = credentials.username.encode("utf8")
correct_username_bytes = b"stanleyjobson"
is_correct_username = secrets.compare_digest(
current_username_bytes, correct_username_bytes
)
current_password_bytes = credentials.password.encode("utf8")
correct_password_bytes = b"swordfish"
is_correct_password = secrets.compare_digest(
current_password_bytes, correct_password_bytes
)
if not (is_correct_username and is_correct_password):
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Incorrect username or password",
headers={"WWW-Authenticate": "Basic"},
)
return credentials.username
@app.get("/users/me")
def read_current_user(username: Annotated[str, Depends(get_current_username)]):
return {"username": username}
提示
如果可能,请优先使用 Annotated 版本。
import secrets
from fastapi import Depends, FastAPI, HTTPException, status
from fastapi.security import HTTPBasic, HTTPBasicCredentials
app = FastAPI()
security = HTTPBasic()
def get_current_username(credentials: HTTPBasicCredentials = Depends(security)):
current_username_bytes = credentials.username.encode("utf8")
correct_username_bytes = b"stanleyjobson"
is_correct_username = secrets.compare_digest(
current_username_bytes, correct_username_bytes
)
current_password_bytes = credentials.password.encode("utf8")
correct_password_bytes = b"swordfish"
is_correct_password = secrets.compare_digest(
current_password_bytes, correct_password_bytes
)
if not (is_correct_username and is_correct_password):
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Incorrect username or password",
headers={"WWW-Authenticate": "Basic"},
)
return credentials.username
@app.get("/users/me")
def read_current_user(username: str = Depends(get_current_username)):
return {"username": username}
这类似于
if not (credentials.username == "stanleyjobson") or not (credentials.password == "swordfish"):
# Return some error
...
但通过使用 secrets.compare_digest(),它将能抵御一种称为“时序攻击”的攻击。
时序攻击¶
但什么是“时序攻击”?
让我们想象一些攻击者正在尝试猜测用户名和密码。
他们发送了一个请求,其中包含用户名 johndoe 和密码 love123。
那么你的应用程序中的 Python 代码将等同于类似这样的内容:
if "johndoe" == "stanleyjobson" and "love123" == "swordfish":
...
但是当 Python 比较 johndoe 中的第一个 j 和 stanleyjobson 中的第一个 s 时,它会立即返回 False,因为它已经知道这两个字符串不相同,认为“没有必要浪费更多计算来比较其余的字母”。然后你的应用程序会说“用户名或密码不正确”。
但随后攻击者尝试使用用户名 stanleyjobsox 和密码 love123。
你的应用程序代码会执行类似这样的操作:
if "stanleyjobsox" == "stanleyjobson" and "love123" == "swordfish":
...
Python 必须比较 stanleyjobsox 和 stanleyjobson 中完整的 stanleyjobso 部分,才能意识到这两个字符串不相同。因此,回复“用户名或密码不正确”会多花费几微秒。
响应时间会帮助攻击者¶
此时,攻击者通过注意到服务器发送“用户名或密码不正确”响应所需的时间多了几微秒,就会知道他们某种程度上猜对了,一些初始字母是正确的。
然后他们可以再次尝试,知道它可能更类似于 stanleyjobsox 而不是 johndoe。
“专业”攻击¶
当然,攻击者不会手动尝试这一切,他们会编写程序来完成,可能每秒进行数千或数百万次测试。他们每次只会猜对一个额外的字母。
但是通过这样做,在几分钟或几小时内,攻击者就能猜出正确的用户名和密码,这得益于我们应用程序的“帮助”,仅仅利用了响应时间。
使用 secrets.compare_digest() 修复¶
但在我们的代码中,我们实际上使用了 secrets.compare_digest()。
简而言之,比较 stanleyjobsox 和 stanleyjobson 所需的时间,与比较 johndoe 和 stanleyjobson 所需的时间是相同的。密码也是如此。
这样,在应用程序代码中使用 secrets.compare_digest(),就可以安全地抵御所有这些安全攻击。
返回错误¶
检测到凭据不正确后,返回一个状态码为 401 的 HTTPException(与未提供凭据时返回的相同),并添加 WWW-Authenticate 头部,以使浏览器再次显示登录提示框。
import secrets
from typing import Annotated
from fastapi import Depends, FastAPI, HTTPException, status
from fastapi.security import HTTPBasic, HTTPBasicCredentials
app = FastAPI()
security = HTTPBasic()
def get_current_username(
credentials: Annotated[HTTPBasicCredentials, Depends(security)],
):
current_username_bytes = credentials.username.encode("utf8")
correct_username_bytes = b"stanleyjobson"
is_correct_username = secrets.compare_digest(
current_username_bytes, correct_username_bytes
)
current_password_bytes = credentials.password.encode("utf8")
correct_password_bytes = b"swordfish"
is_correct_password = secrets.compare_digest(
current_password_bytes, correct_password_bytes
)
if not (is_correct_username and is_correct_password):
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Incorrect username or password",
headers={"WWW-Authenticate": "Basic"},
)
return credentials.username
@app.get("/users/me")
def read_current_user(username: Annotated[str, Depends(get_current_username)]):
return {"username": username}
🤓 其他版本和变体
import secrets
from fastapi import Depends, FastAPI, HTTPException, status
from fastapi.security import HTTPBasic, HTTPBasicCredentials
from typing_extensions import Annotated
app = FastAPI()
security = HTTPBasic()
def get_current_username(
credentials: Annotated[HTTPBasicCredentials, Depends(security)],
):
current_username_bytes = credentials.username.encode("utf8")
correct_username_bytes = b"stanleyjobson"
is_correct_username = secrets.compare_digest(
current_username_bytes, correct_username_bytes
)
current_password_bytes = credentials.password.encode("utf8")
correct_password_bytes = b"swordfish"
is_correct_password = secrets.compare_digest(
current_password_bytes, correct_password_bytes
)
if not (is_correct_username and is_correct_password):
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Incorrect username or password",
headers={"WWW-Authenticate": "Basic"},
)
return credentials.username
@app.get("/users/me")
def read_current_user(username: Annotated[str, Depends(get_current_username)]):
return {"username": username}
提示
如果可能,请优先使用 Annotated 版本。
import secrets
from fastapi import Depends, FastAPI, HTTPException, status
from fastapi.security import HTTPBasic, HTTPBasicCredentials
app = FastAPI()
security = HTTPBasic()
def get_current_username(credentials: HTTPBasicCredentials = Depends(security)):
current_username_bytes = credentials.username.encode("utf8")
correct_username_bytes = b"stanleyjobson"
is_correct_username = secrets.compare_digest(
current_username_bytes, correct_username_bytes
)
current_password_bytes = credentials.password.encode("utf8")
correct_password_bytes = b"swordfish"
is_correct_password = secrets.compare_digest(
current_password_bytes, correct_password_bytes
)
if not (is_correct_username and is_correct_password):
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Incorrect username or password",
headers={"WWW-Authenticate": "Basic"},
)
return credentials.username
@app.get("/users/me")
def read_current_user(username: str = Depends(get_current_username)):
return {"username": username}