🐛 Fix hierarchical security scope propagation (#5624)

Co-authored-by: Sebastián Ramírez <tiangolo@gmail.com>
Co-authored-by: Motov Yurii <109919500+YuriiMotov@users.noreply.github.com>
Co-authored-by: svlandeg <svlandeg@github.com>
Co-authored-by: Sofie Van Landeghem <svlandeg@users.noreply.github.com>

fastapi/dependencies/utils.py

@@ -278,7 +278,9 @@ def get_dependant(
             use_security_scopes = security_scopes or []
             if isinstance(param_details.depends, params.Security):
                 if param_details.depends.scopes:
-                    use_security_scopes.extend(param_details.depends.scopes)
+                    use_security_scopes = use_security_scopes + list(
+                        param_details.depends.scopes
+                    )
             sub_dependant = get_dependant(
                 path=path,
                 call=param_details.depends.dependency,

tests/test_security_scopes_dont_propagate.py

@@ -0,0 +1,45 @@
+# Ref: https://github.com/tiangolo/fastapi/issues/5623
+
+from typing import Any, Dict, List
+
+from fastapi import FastAPI, Security
+from fastapi.security import SecurityScopes
+from fastapi.testclient import TestClient
+from typing_extensions import Annotated
+
+
+async def security1(scopes: SecurityScopes):
+    return scopes.scopes
+
+
+async def security2(scopes: SecurityScopes):
+    return scopes.scopes
+
+
+async def dep3(
+    dep1: Annotated[List[str], Security(security1, scopes=["scope1"])],
+    dep2: Annotated[List[str], Security(security2, scopes=["scope2"])],
+):
+    return {"dep1": dep1, "dep2": dep2}
+
+
+app = FastAPI()
+
+
+@app.get("/scopes")
+def get_scopes(
+    dep3: Annotated[Dict[str, Any], Security(dep3, scopes=["scope3"])],
+):
+    return dep3
+
+
+client = TestClient(app)
+
+
+def test_security_scopes_dont_propagate():
+    response = client.get("/scopes")
+    assert response.status_code == 200
+    assert response.json() == {
+        "dep1": ["scope3", "scope1"],
+        "dep2": ["scope3", "scope2"],
+    }