Integrate Casbin and FastAPI to support access control #7831

shizidushu · 2019-11-28T17:05:18Z

shizidushu
Nov 28, 2019

Is your feature request related to a problem? Please describe.
It is a useful addition to have access control over FastAPI. Some framework have builtin support and some can get this feature with a plugin.

Describe the solution you'd like
According to its docs, Casbin provides support for enforcing authorization based on various access control models.
Here is the function I image:

Check permission before handle the request. Maybe implement is using a custom class APIRoute class.
Sync FastAPI path operation with Casbin policy file (or policy storage adapter).
Maybe a function to execute on application startup; it gets all path operation's path, method and some other optional information like tags, user_id and user_role, then write it to Casbin policy file.
It cleans redundant row in Casbin policy file and keep it update with FastAPI routes.
Document to describe how to use it (with example code).

prostomarkeloff · 2019-11-28T18:12:02Z

prostomarkeloff
Nov 28, 2019

I think it should be implemented in independent library, not in fastapi core.

0 replies

NJannasch · 2020-01-05T17:43:16Z

NJannasch
Jan 5, 2020

This could be easily achived with a custom middleware.

Dummy Code Example:

from starlette.datastructures import Headers
from starlette.requests import Request
from starlette.responses import JSONResponse
from starlette.status import HTTP_401_UNAUTHORIZED
from starlette.types import ASGIApp, Receive, Scope, Send

class CasbinMiddleware:
    def __init__(self, app: ASGIApp, enforcer) -> None:
        self.app = app
        self.enforcer = enforcer

    async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:

        # ToDo Adjust me
        headers = Headers(scope=scope)
        token = headers.get('authorization', None)
        # validate user and get user from token
        user = 'test123'
        #######################################

        request = Request(scope, receive)

        if self.check_permission(user=user, request=request):
            await self.app(scope, receive, send)
            return

        # Invalid request
        response = JSONResponse(
            status_code=HTTP_401_UNAUTHORIZED,
            content="Insufficient permissions",
            headers={"WWW-Authenticate": "Bearer"},
        )

        await response(scope, receive, send)
        return

    def check_permission(self, user: str, request: Request):
        path = request.path
        method = request.method
        return self.enforcer.enforce(user, path, method)

In your main file:

from middleware import CasbinMiddleware
import casbin
...
enforcer = casbin.Enforcer("authz_model.conf", "authz_policy.csv")
app.add_middleware(CasbinMiddleware,enforcer=enforcer)

0 replies

shizidushu · 2020-01-06T07:01:27Z

shizidushu
Jan 6, 2020
Author

@NJannasch Thanks for your reply. Although I have implemented some function I imaged some days ago. I check the permissions with Depends to get more control. Here is a piece of code:

def get_current_active_authorized_user(request: Request, current_active_user: User = Security(get_current_active_user)) -> Optional[User]:
    username = current_active_user.Username
    path = request.state.path

    sub = username
    obj = path
    act = request.method.lower()

    print(sub, obj, act)

    if enforcer.enforce(sub, obj, act):
        return current_active_user
    else:
        raise HTTPException(status_code = HTTP_403_FORBIDDEN, detail="No permission")

I just make all my code public here: https://github.com/shizidushu/simple-report-data-table-vuetify

0 replies

tiangolo · 2020-04-10T10:34:07Z

tiangolo
Apr 10, 2020
Maintainer

Thanks for the help here everyone! 👏 🙇

Thanks @shizidushu for reporting back and closing the issue 👍

0 replies

Neko1313 · 2026-02-24T12:44:17Z

Neko1313
Feb 24, 2026

Guys, I made a small library for the integration of fastapi and casbin, which makes it possible to add a rights check to the router levels. Could you evaluate it?

https://pypi.org/project/casbin-fastapi-decorator/

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Integrate Casbin and FastAPI to support access control #7831

Uh oh!

{{title}}

Uh oh!

Replies: 5 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

Integrate Casbin and FastAPI to support access control #7831

Uh oh!

shizidushu Nov 28, 2019

Replies: 5 comments

Uh oh!

prostomarkeloff Nov 28, 2019

Uh oh!

Uh oh!

NJannasch Jan 5, 2020

Uh oh!

shizidushu Jan 6, 2020 Author

Uh oh!

tiangolo Apr 10, 2020 Maintainer

Uh oh!

Neko1313 Feb 24, 2026

shizidushu
Nov 28, 2019

prostomarkeloff
Nov 28, 2019

NJannasch
Jan 5, 2020

shizidushu
Jan 6, 2020
Author

tiangolo
Apr 10, 2020
Maintainer

Neko1313
Feb 24, 2026