New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add WebSocket handling support for HTTP security dependencies #10147
base: master
Are you sure you want to change the base?
Conversation
I think the encode/starlette#1263 is not enough for this feature. |
Yes, in large extent, it is caused by the limitations of ASGI. Although there are some ASGI extensions, allow us to custom denial response, but starlette does not support this feature right now: encode/starlette#2041, and only little amount of ASGI servers has implemented this extension. However, returning a 403 error has been better than raising a "request not found" exception on server side. Additionally, it makes more sense that these dependencies support both HTTP and WS requests. |
Hypercorn supports the WSDR (WebSocket Denial Response), and Uvicorn has a PR to implement it already. And... There aren't many server implementations around. Also, I'm a maintainer of Starlette, and I'm keen to have support for WSDR. I think it's better to wait Uvicorn and Starlette instead of getting this in. |
Am I understand correctly, that disagreements are about using Should we exclude |
Referencing the discussion in #11146 (comment), it appears that FastAPI won't be upgrading to Although the |
|
Oh, thanks for bringing this to my attention! I hadn't noticed that PR before. I'll get this PR prepared soon. |
Updated. Security dependencies are now functional for incoming WebSocket connections when However, I'm currently uncertain about how to integrate |
When
The code snippet you've provided has two critical flaws:
To address these problems, introducing a custom middleware that specifically handles |
Related: #8983
Since encode/starlette#1263 has been merged, that makes possible for us to add WebSocket handling support for current HTTP security dependencies.
This PR fixes exceptions like this: