Protect a WebSocket

[davidbrochart]

In FastAPI-Users it is not as easy to protect a WebSocket as an HTTP endpoint (see this issue).
What about the Fief client for FastAPI, can you use the dependency directly? Something like:

@app.websocket("/protected", name="protected")
async def protected(
    websocket: WebSocket,
    user: FiefUserInfo = Depends(auth.current_user()),
):
    ...

[frankie567]

Unfortunately, we hit the same limitations around security dependencies and WebSockets: FastAPI assume an HTTP Request in those, so it won't work with a websocket. Besides, error responses are quite different with WebSockets.

The only solution right now would be to:

• Retrieve the cookie headers from the WebSocket object.
• Validate it using the validate_access_token method on the Fief client.
• Re-implement the logic to get the user data and cache it
• If something goes wrong, close the socket with an adequate status code : await websocket.close(code=status.WS_1008_POLICY_VIOLATION)

I think it would be interesting though to have it natively in the FastAPI integration; so I'll add it to my backlog 👍

[davidbrochart]

Thanks a lot, it would be great indeed to have it integrated in the FastAPI Fief client!

[PAzter1101]

Good afternoon!
@frankie567
I'm facing the same problem. Please, could you give a more detailed example of how to implement what you wrote?

In this way:

@router.websocket("/story")
async def story(
   websocket: WebSocket,
   access_token_info: FiefAccessTokenInfo = Depends(auth.authenticated()),
):
  ...

I get this error on the server::

ERROR:    Exception in ASGI application
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/site-packages/uvicorn/protocols/websockets/websockets_impl.py", line 243, in run_asgi
    result = await self.app(self.scope, self.asgi_receive, self.asgi_send)  # type: ignore[func-returns-value]
  File "/usr/local/lib/python3.10/site-packages/uvicorn/middleware/proxy_headers.py", line 60, in __call__
    return await self.app(scope, receive, send)
  File "/usr/local/lib/python3.10/site-packages/fastapi/applications.py", line 1054, in __call__
    await super().__call__(scope, receive, send)
  File "/usr/local/lib/python3.10/site-packages/starlette/applications.py", line 113, in __call__
    await self.middleware_stack(scope, receive, send)
  File "/usr/local/lib/python3.10/site-packages/starlette/middleware/errors.py", line 152, in __call__
    await self.app(scope, receive, send)
  File "/usr/local/lib/python3.10/site-packages/starlette/middleware/exceptions.py", line 62, in __call__
    await wrap_app_handling_exceptions(self.app, conn)(scope, receive, send)
  File "/usr/local/lib/python3.10/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
    raise exc
  File "/usr/local/lib/python3.10/site-packages/starlette/_exception_handler.py", line 42, in wrapped_app
    await app(scope, receive, sender)
  File "/usr/local/lib/python3.10/site-packages/starlette/routing.py", line 715, in __call__
    await self.middleware_stack(scope, receive, send)
  File "/usr/local/lib/python3.10/site-packages/starlette/routing.py", line 735, in app
    await route.handle(scope, receive, send)
  File "/usr/local/lib/python3.10/site-packages/starlette/routing.py", line 362, in handle
    await self.app(scope, receive, send)
  File "/usr/local/lib/python3.10/site-packages/starlette/routing.py", line 95, in app
    await wrap_app_handling_exceptions(app, session)(scope, receive, send)
  File "/usr/local/lib/python3.10/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
    raise exc
  File "/usr/local/lib/python3.10/site-packages/starlette/_exception_handler.py", line 42, in wrapped_app
    await app(scope, receive, sender)
  File "/usr/local/lib/python3.10/site-packages/starlette/routing.py", line 93, in app
    await func(session)
  File "/usr/local/lib/python3.10/site-packages/fastapi/routing.py", line 371, in app
    solved_result = await solve_dependencies(
  File "/usr/local/lib/python3.10/site-packages/fastapi/dependencies/utils.py", line 615, in solve_dependencies
    solved_result = await solve_dependencies(
  File "/usr/local/lib/python3.10/site-packages/fastapi/dependencies/utils.py", line 638, in solve_dependencies
    solved = await call(**solved_result.values)
TypeError: OAuth2AuthorizationCodeBearer.__call__() missing 1 required positional argument: 'request'
INFO:     connection open
INFO:     connection closed

Such an error on the client:

[DEBUG  ] = connection is CONNECTING
[DEBUG  ] > GET /messages/story HTTP/1.1
[DEBUG  ] [> Host        ] game-review.example.domain
[DEBUG  ] [> Upgrade        ] websocket
[DEBUG  ] [> Connection        ] Upgrade
[DEBUG  ] [> Sec-WebSocket-Key        ] QSo16OHmUJu9kKZJyndwag==
[DEBUG  ] [> Sec-WebSocket-Version        ] 13
[DEBUG  ] [> Sec-WebSocket-Extensions        ] permessage-deflate; client_max_window_bits
[DEBUG  ] [> Authorization        ] Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IlBTc0RsQnRhdHk0TXdFRENWSHN5SklWb2kxa3lmX1lLS19FMjFxM29Ha1UifQ.eyJhY3IiOiIwIiwiYXVkIjpbIl9Ud3UwTEpEUlpRY2trODNFZmM0eTlvVGdETk1iTzJhVGFJM0YwQjdNc28iXSwiYXV0aF90aW1lIjoxNzM0MDE2NzQ1LCJhenAiOiJfVHd1MExKRFJaUWNrazgzRWZjNHk5b1RnRE5NYk8yYVRhSTNGMEI3TXNvIiwiZXhwIjoxNzM2MzQ5OTE0LCJpYXQiOjE3MzYyNjM1MTQsImlzcyI6ImqweW4iXSwic2NvcGUiOiJvcGVuaWQgb2ZmbGluZV9hY2Nlc3MiLCJzdWIiOiI4ZjIwZDA5YS1kZTY3LTQyYzUtOThhNC05MWZkZThkOGZhMWYifQ.FwCJUmZMFbWy4c8M3x1CgcgHOpOyDQGFOPQ9ICvj4ARwjUiQ-wZEe1LN8fMDJjvfk9O_RcSmFZDK7JlAb-a-gtYU4nx0V7oyY4sCf_ORnpBkT-poMW-pt7Zw2i1AOodSWqrnnUbRFzzc_goFDYTeANg4wACvuvcTwOX8ZkgMEBDCCrFWUtxEKCeWiebTSiQ_XHkTyRlNs6ug5h3EAZI5FuIjjlXP7O2LwmKHU6MXReQ3p4wB19u4gG8_3vYg5uHmuQN8XOdEdPM-hBUFLlMBUlAmuAmZet04z-iKMDuYjsUpjf26XYOAA2YJ8_fWDHxsUi1BAqGq7jJc6P1gz4E9-IE8qwNE-okiX5G9AMv4STroBMEv-9bkoPL5BJauSObAXQHriD9xEP8MaaIePO6voID2CrtA3Y228VRsN6qIxZI-N51iSrLBvVSdcLDXdtKD_1N33sN0utcl3alSFqsv2uti2M6AGv9060-iR1rDMd-M3PDQgyFq6ITCKDVmUmLhPFuVIjrfA93cEhKjS8G8p_ia4W0BJtW_UtQMuvYAMZmFHSGip14XqM8ZfNnUkgpXYiORicoev21WBGIRCtTldPaC2GQskC1LovXrHNY5j2OvG7FNDVCV8mAWaO920Z3eYB668ys73mYg2SFQocAq3MUfm_ndbi9brfMkrxyO-os
[DEBUG  ] [> User-Agent        ] Python/3.10 websockets/13.1
[DEBUG  ] < HTTP/1.1 500 Internal Server Error
[DEBUG  ] [< Content-Length        ] 21
[DEBUG  ] [< Content-Type        ] text/plain; charset=utf-8
[DEBUG  ] [< Date        ] Tue, 07 Jan 2025 15:34:49 GMT
[DEBUG  ] < [body] (21 bytes)
[DEBUG  ] > EOF
[DEBUG  ] x closing TCP connection
[INFO   ] ! connect failed; reconnecting in 8.1 seconds
Traceback (most recent call last):
  File "/Users/alex/.pyenv/versions/3.10.14/lib/python3.10/site-packages/websockets/asyncio/client.py", line 498, in __aiter__
    async with self as protocol:
  File "/Users/alex/.pyenv/versions/3.10.14/lib/python3.10/site-packages/websockets/asyncio/client.py", line 482, in __aenter__
    return await self
  File "/Users/alex/.pyenv/versions/3.10.14/lib/python3.10/site-packages/websockets/asyncio/client.py", line 441, in __await_impl__
    await self.connection.handshake(*self.handshake_args)
  File "/Users/alex/.pyenv/versions/3.10.14/lib/python3.10/site-packages/websockets/asyncio/client.py", line 102, in handshake
    raise self.protocol.handshake_exc
  File "/Users/alex/.pyenv/versions/3.10.14/lib/python3.10/site-packages/websockets/client.py", line 340, in parse
    self.process_response(response)
  File "/Users/alex/.pyenv/versions/3.10.14/lib/python3.10/site-packages/websockets/client.py", line 154, in process_response
    raise InvalidStatus(response)
websockets.exceptions.InvalidStatus: server rejected WebSocket connection: HTTP 500
[DEBUG  ] < EOF
[DEBUG  ] = connection is CLOSED

[PAzter1101]

I found advice on the Internet on how to get around this problem in FastAPI. We need to make a wrapper like this over the class:

class CustomOAuth2AuthorizationCodeBearer(OAuth2AuthorizationCodeBearer):
    async def __call__(self, request: Request = None, websocket: WebSocket = None):
        return await super().__call__(request or websocket)

fief = FiefAsync(
    "https://fief.example.domain",
    CLIENT_ID,
    CLIENT_SECRET,
)

scheme = CustomOAuth2AuthorizationCodeBearer(
    "https://fief.example.domain/authorize",
    "https://fief.example.domain/api/token",
    scopes={"openid": "openid", "offline_access": "offline_access"},
    auto_error=False,
)

auth = FiefAuth(fief, scheme)

Now I get the following error:

ERROR:    Exception in ASGI application
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/site-packages/uvicorn/protocols/websockets/websockets_impl.py", line 243, in run_asgi
    result = await self.app(self.scope, self.asgi_receive, self.asgi_send)  # type: ignore[func-returns-value]
  File "/usr/local/lib/python3.10/site-packages/uvicorn/middleware/proxy_headers.py", line 60, in __call__
    return await self.app(scope, receive, send)
  File "/usr/local/lib/python3.10/site-packages/fastapi/applications.py", line 1054, in __call__
    await super().__call__(scope, receive, send)
  File "/usr/local/lib/python3.10/site-packages/starlette/applications.py", line 113, in __call__
    await self.middleware_stack(scope, receive, send)
  File "/usr/local/lib/python3.10/site-packages/starlette/middleware/errors.py", line 152, in __call__
    await self.app(scope, receive, send)
  File "/usr/local/lib/python3.10/site-packages/starlette/middleware/exceptions.py", line 62, in __call__
    await wrap_app_handling_exceptions(self.app, conn)(scope, receive, send)
  File "/usr/local/lib/python3.10/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
    raise exc
  File "/usr/local/lib/python3.10/site-packages/starlette/_exception_handler.py", line 42, in wrapped_app
    await app(scope, receive, sender)
  File "/usr/local/lib/python3.10/site-packages/starlette/routing.py", line 715, in __call__
    await self.middleware_stack(scope, receive, send)
  File "/usr/local/lib/python3.10/site-packages/starlette/routing.py", line 735, in app
    await route.handle(scope, receive, send)
  File "/usr/local/lib/python3.10/site-packages/starlette/routing.py", line 362, in handle
    await self.app(scope, receive, send)
  File "/usr/local/lib/python3.10/site-packages/starlette/routing.py", line 95, in app
    await wrap_app_handling_exceptions(app, session)(scope, receive, send)
  File "/usr/local/lib/python3.10/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
    raise exc
  File "/usr/local/lib/python3.10/site-packages/starlette/_exception_handler.py", line 42, in wrapped_app
    await app(scope, receive, sender)
  File "/usr/local/lib/python3.10/site-packages/starlette/routing.py", line 93, in app
    await func(session)
  File "/usr/local/lib/python3.10/site-packages/fastapi/routing.py", line 371, in app
    solved_result = await solve_dependencies(
  File "/usr/local/lib/python3.10/site-packages/fastapi/dependencies/utils.py", line 638, in solve_dependencies
    solved = await call(**solved_result.values)
TypeError: FiefAuth.authenticated.<locals>._authenticated() missing 1 required positional argument: 'request'
INFO:     connection open
INFO:     connection closed

It is logical to receive this error, because "request" is a mandatory argument:

...
async def _authenticated(
            request: Request, response: Response, token: Optional[TokenType]
        ) -> Optional[FiefAccessTokenInfo]:
...

That's why I'm confused and don't understand how to use websocket authorization. Please help me figure it out