Basic Question
Does FastAPI provide a method for implementing authentication middleware or similar on the docs themselves (e.g. to protect access to /docs and /redoc)?
Additional context
My company is currently relying on a needlessly-complex Django backend, whose main purpose is serving an API via the Django REST framework. However, it feels like half the bugs the frontend app folks are running into are caused by a disconnect between what the Django app is doing and the API documentation wiki (which is maintained by hand; it's a monster).
FastAPI thus looks like a perfect alternative. However, it's a requirement for us that the API documentation only be accessible to specific authenticated users. It looks like I could easily disable the docs when run in a production environment (as opposed to a local testing environment), but if it's possible to serve the docs on production but explicitly protect them that would be ideal (the API in part facilitates interaction between frontend apps and IOT devices, so the interactive portions of the docs would be a lot easier to use and maintain on specific hosted servers; setting up working local environments is complicated).
In my ideal world, I'd love to also auto-populate the initial authentication credentials for the interactive queries with the current user's authentication token (to allow no-configuration usage of them immediately upon access). I wasn't able to find anything in the FastAPI docs about meddling with the way the documentation is handled, but if I missed it I'd love a link!
You can look in the docs, there's a list of articles, one of them by niels does that, will edit if you can't find it
On Wed, Jul 3, 2019 at 8:18 AM, ianbeck notifications@github.com wrote:
Thank you, that was exactly what I was looking for!
Thanks @euri10 for your help here! :cake: :rocket:
Thanks @ianbeck for reporting back and closing the issue. :tada:
Put Traefik in front of it.
Most helpful comment
https://medium.com/data-rebels/fastapi-how-to-add-basic-and-cookie-authentication-a45c85ef47d3
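
One dependency-free way to do what the question asks, as an added example that is not taken from the thread, the linked article, or FastAPI's own code: a small ASGI middleware that requires HTTP Basic credentials on FastAPI's default documentation routes and leaves the rest of the API untouched. The class name, the credentials, and the `probe` helper with its stub app are constructed for illustration.

```python
import asyncio
import base64
import secrets

PROTECTED = ("/docs", "/redoc", "/openapi.json")  # FastAPI's default doc routes
# Attach with: app.add_middleware(DocsBasicAuth, username=..., password=...)
class DocsBasicAuth:
    """Pure ASGI middleware: HTTP Basic auth on the documentation routes only."""
    def __init__(self, app, username: str, password: str):
        self.app = app
        self.expected = f"{username}:{password}".encode()

    def _authorized(self, scope) -> bool:
        header = dict(scope.get("headers", [])).get(b"authorization", b"")
        scheme, _, token = header.partition(b" ")
        if scheme.lower() != b"basic":
            return False
        try:
            supplied = base64.b64decode(token, validate=True)
        except ValueError:  # malformed base64 (binascii.Error is a ValueError)
            return False
        # Constant-time comparison avoids leaking how much of the secret matched.
        return secrets.compare_digest(supplied, self.expected)

    async def __call__(self, scope, receive, send):
        path = scope.get("path", "")
        guarded = scope["type"] == "http" and any(
            path == p or path.startswith(p + "/") for p in PROTECTED)
        if not guarded or self._authorized(scope):
            return await self.app(scope, receive, send)
        await send({"type": "http.response.start", "status": 401,
                    "headers": [(b"www-authenticate", b'Basic realm="docs"'),
                                (b"content-length", b"0")]})
        await send({"type": "http.response.body", "body": b""})

async def _stub_app(scope, receive, send):  # constructed stand-in for the real app
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})

def probe(path: str, authorization: bytes = b"") -> int:
    """Send one constructed GET through the middleware and return the status."""
    sent = []
    async def send(message):
        sent.append(message)
    headers = [(b"authorization", authorization)] if authorization else []
    scope = {"type": "http", "method": "GET", "path": path, "headers": headers}
    guard = DocsBasicAuth(_stub_app, "docs-user", "constructed-password")
    asyncio.run(guard(scope, None, send))
    return sent[0]["status"]
```

Guarding `/openapi.json` matters as much as the two UI pages, because the schema alone describes every endpoint. Basic credentials are only base64-encoded on the wire, so this belongs behind TLS.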