From a053ad6bea127c397afbd8e8a5f2314296366903 Mon Sep 17 00:00:00 2001
From: kumarvishwajeettrivedi
Date: Sat, 22 Nov 2025 17:29:05 +0530
Subject: [PATCH] Fix: Make Basic Auth realm required per RFC 7235
---
 docs_src/security/tutorial006.py | 2 +-
 docs_src/security/tutorial006_an.py | 2 +-
 docs_src/security/tutorial006_an_py39.py | 2 +-
 fastapi/security/http.py | 4 ++--
 tests/test_security_http_basic_optional.py | 6 +++---
 tests/test_tutorial/test_security/test_tutorial006.py | 6 +++---
 6 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/docs_src/security/tutorial006.py b/docs_src/security/tutorial006.py
index 29121ffd6..5b9e9a8e8 100644
--- a/docs_src/security/tutorial006.py
+++ b/docs_src/security/tutorial006.py
@@ -3,7 +3,7 @@ from fastapi.security import HTTPBasic, HTTPBasicCredentials
 app = FastAPI()
-security = HTTPBasic()
+security = HTTPBasic(realm="simple")
 @app.get("/users/me")
diff --git a/docs_src/security/tutorial006_an.py b/docs_src/security/tutorial006_an.py
index 985e4b2ad..43e970397 100644
--- a/docs_src/security/tutorial006_an.py
+++ b/docs_src/security/tutorial006_an.py
@@ -4,7 +4,7 @@ from typing_extensions import Annotated
 app = FastAPI()
-security = HTTPBasic()
+security = HTTPBasic(realm="simple")
 @app.get("/users/me")
diff --git a/docs_src/security/tutorial006_an_py39.py b/docs_src/security/tutorial006_an_py39.py
index 03c696a4b..721716a15 100644
--- a/docs_src/security/tutorial006_an_py39.py
+++ b/docs_src/security/tutorial006_an_py39.py
@@ -5,7 +5,7 @@ from fastapi.security import HTTPBasic, HTTPBasicCredentials
 app = FastAPI()
-security = HTTPBasic()
+security = HTTPBasic(realm="simple")
 @app.get("/users/me")
diff --git a/fastapi/security/http.py b/fastapi/security/http.py
index 3a5985650..496383571 100644
--- a/fastapi/security/http.py
+++ b/fastapi/security/http.py
@@ -142,13 +142,13 @@ class HTTPBasic(HTTPBase):
 ),
 ] = None,
 realm: Annotated[
- Optional[str],
+ str,
 Doc(
 """
 HTTP Basic authentication realm.
 """
 ),
- ] = None,
+ ],
 description: Annotated[
 Optional[str],
 Doc(
diff --git a/tests/test_security_http_basic_optional.py b/tests/test_security_http_basic_optional.py
index 9b6cb6c45..7e5ccbf97 100644
--- a/tests/test_security_http_basic_optional.py
+++ b/tests/test_security_http_basic_optional.py
@@ -7,7 +7,7 @@ from fastapi.testclient import TestClient
 app = FastAPI()
-security = HTTPBasic(auto_error=False)
+security = HTTPBasic(realm="simple", auto_error=False)
 @app.get("/users/me")
@@ -37,7 +37,7 @@ def test_security_http_basic_invalid_credentials():
 "/users/me", headers={"Authorization": "Basic notabase64token"}
 )
 assert response.status_code == 401, response.text
- assert response.headers["WWW-Authenticate"] == "Basic"
+ assert response.headers["WWW-Authenticate"] == 'Basic realm="simple"'
 assert response.json() == {"detail": "Invalid authentication credentials"}
@@ -46,7 +46,7 @@ def test_security_http_basic_non_basic_credentials():
 auth_header = f"Basic {payload}"
 response = client.get("/users/me", headers={"Authorization": auth_header})
 assert response.status_code == 401, response.text
- assert response.headers["WWW-Authenticate"] == "Basic"
+ assert response.headers["WWW-Authenticate"] == 'Basic realm="simple"'
 assert response.json() == {"detail": "Invalid authentication credentials"}
diff --git a/tests/test_tutorial/test_security/test_tutorial006.py b/tests/test_tutorial/test_security/test_tutorial006.py
index 40b413806..d7bccefdf 100644
--- a/tests/test_tutorial/test_security/test_tutorial006.py
+++ b/tests/test_tutorial/test_security/test_tutorial006.py
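Review bot: In the `fastapi/security/http.py` hunk, annotating `realm` as `str` and dropping `= None` is a static hint only, so `HTTPBasic(realm=None)` or `HTTPBasic(realm="")` is still accepted at runtime and the challenge can still go out without a realm. The code that builds `WWW-Authenticate` is outside this hunk; if it still branches on the truthiness of `self.realm`, those values fall back to a bare `Basic`, and a realm containing `"` or a line break would need quoted-string escaping before it is interpolated into the header. A guard at the top of `__init__`, for example `if not realm: raise ValueError("realm must be a non-empty string")`, would make the requirement real. Removing the default also turns every existing `HTTPBasic()` call into a `TypeError`, so this needs a deprecation path or release note, and the `Doc` text should state that the parameter is required and cite RFC 7617 section 2, where the Basic scheme makes realm mandatory. The `__init__` signature starts and ends outside the hunk.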
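Review bot: The three hunks in `tests/test_security_http_basic_optional.py`, and the three in `tests/test_tutorial/test_security/test_tutorial006.py` that follow, only update the happy path to `realm="simple"`; nothing pins the new contract itself. A regression that makes `realm` optional again, or that accepts an empty value, would leave every assertion here green. Add a case that constructs the scheme without a realm and expects it to fail, along the lines of `with pytest.raises(TypeError): HTTPBasic()` (whether `pytest` is already imported in these files is not visible in the hunks). A second case with a realm containing a double quote would show whether the emitted header stays well-formed.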
@@ -32,7 +32,7 @@ def test_security_http_basic_no_credentials(client: TestClient):
 response = client.get("/users/me")
 assert response.json() == {"detail": "Not authenticated"}
 assert response.status_code == 401, response.text
- assert response.headers["WWW-Authenticate"] == "Basic"
+ assert response.headers["WWW-Authenticate"] == 'Basic realm="simple"'
 def test_security_http_basic_invalid_credentials(client: TestClient):
@@ -40,7 +40,7 @@ def test_security_http_basic_invalid_credentials(client: TestClient):
 "/users/me", headers={"Authorization": "Basic notabase64token"}
 )
 assert response.status_code == 401, response.text
- assert response.headers["WWW-Authenticate"] == "Basic"
+ assert response.headers["WWW-Authenticate"] == 'Basic realm="simple"'
 assert response.json() == {"detail": "Invalid authentication credentials"}
@@ -49,7 +49,7 @@ def test_security_http_basic_non_basic_credentials(client: TestClient):
 auth_header = f"Basic {payload}"
 response = client.get("/users/me", headers={"Authorization": auth_header})
 assert response.status_code == 401, response.text
- assert response.headers["WWW-Authenticate"] == "Basic"
+ assert response.headers["WWW-Authenticate"] == 'Basic realm="simple"'
 assert response.json() == {"detail": "Invalid authentication credentials"}