FastAPI 中的不同 OpenAPI 架构取决于环境

Question

We have a FastApi application that is hosted behind a reverse proxy.

The proxy authenticates the user using Kerberos and adds a X-Remote-User HTTP header to the request.

This header is required by the FastApi application. Here is an example route:

@app.get("/user/me")
async def get_user_me(x_remote_user: str = Header(...)):
    return {"User": x_remote_user}

The X-Remote-User header is required for the request which is expected behavior.

When we now open the Swagger Ui , the header is documented and when clicking on "Try it out", we can provide the header value. This behavior is great for development, but in all other cases it is undesired, because that header is provided by the reverse proxy. For instance, we generate clients using OpenAPI Generator and the clients then all require the X-Remote-User parameter in their requests.

Hence, it would be useful to have a configuration that distinguishes between the environments. If we are behind a reverse proxy, then the generated OpenAPI Schema by FastApi should not include the X-Remote-Header, otherwise if we are in development, it should be included.

What I did so far:

• I checked the documentation about security and also some source code of these modules, but I was not able to find a solution.
• In the documentation, I read the section Behind a Proxy , but nothing there points me to a potential solution.
• I also read about Middleware , but again, no solution.
• We could change the generated OpenApi schema. I sketched this in my answer below , but this is not a very elegant solution

Does anyone have a good solution to this problem?

Answer 1

We can use APIKeyHeader to remove the X-Remote-User header from the API signature, but still enforcing the header to be present.

from fastapi.security import APIKeyHeader

apiKey = APIKeyHeader(name="X-Remote-User")

@app.get("/user/me")
async def get_user_me(x_remote_user: str = Depends(apiKey)):
    return {"User": x_remote_user}

When the header is not present, we get a "403 Forbidden". If it is present, we retrieve the header value.

The Swagger UI now has a button "Authorize" where we can fill-in the value of the X-Remote-User for testing purposes.

Answer 2

One approach is to generate the OpenApi schema as described in the documentation Extending OpenAPI . After the generation, remove the X-Remote-User from the schema. In the configuration could be a flag that the application it is behind a reverse proxy to execute the code conditionally:

from fastapi import FastAPI
from fastapi.openapi.utils import get_openapi
from MyConfig import Config


app = FastAPI()


@app.get("/items/")
async def read_items():
    return [{"name": "Foo"}]

if Config.reverse_proxy:
    def custom_openapi():
        if app.openapi_schema:
            return app.openapi_schema
        openapi_schema = get_openapi(
            title="Custom title",
            version="2.5.0",
            description="This is a very custom OpenAPI schema",
            routes=app.routes,
        )
        // remove X-Remote-User here
        app.openapi_schema = openapi_schema
        return app.openapi_schema


    app.openapi = custom_openapi

However this is not a very elegant solution, as we need to parse the Json string and remove the different deeply-nested occurrences of the X-Remote-User header everywhere. This is prone to bugs resulting in an invalid schema. Furthermore it could break if new Rest endpoints are added.

Answer 3

A new param will be soon available for Header , Query and other to exclude elements from the openAPI output: include_in_schema=False

Example:

def test(x_forwarded_for: str = Header(None, include_in_schema=False)):
    ...

Here the patch state: https://github.com/tiangolo/fastapi/pull/3144