Fix: Make Basic Auth realm required per RFC 7235

2025-11-22 17:29:05 +05:30 · 2025-11-22 17:29:05 +05:30 · a053ad6bea
parent cbe5bdb85f
commit a053ad6bea
6 changed files with 11 additions and 11 deletions
--- a/docs_src/security/tutorial006.py
+++ b/docs_src/security/tutorial006.py
@ -3,7 +3,7 @@ from fastapi.security import HTTPBasic, HTTPBasicCredentials
 app = FastAPI()
-security = HTTPBasic()
+security = HTTPBasic(realm="simple")
@app.get("/users/me")
--- a/docs_src/security/tutorial006_an.py
+++ b/docs_src/security/tutorial006_an.py
@ -4,7 +4,7 @@ from typing_extensions import Annotated
 app = FastAPI()
-security = HTTPBasic()
+security = HTTPBasic(realm="simple")
@app.get("/users/me")
--- a/docs_src/security/tutorial006_an_py39.py
+++ b/docs_src/security/tutorial006_an_py39.py
@ -5,7 +5,7 @@ from fastapi.security import HTTPBasic, HTTPBasicCredentials
 app = FastAPI()
-security = HTTPBasic()
+security = HTTPBasic(realm="simple")
@app.get("/users/me")
--- a/fastapi/security/http.py
+++ b/fastapi/security/http.py
@ -142,13 +142,13 @@ class HTTPBasic(HTTPBase):
            ),
        ] = None,
        realm: Annotated[
-            Optional[str],
+            str,
            Doc(
                """
                HTTP Basic authentication realm.
                """
            ),
-        ] = None,
+        ],
        description: Annotated[
            Optional[str],
            Doc(
--- a/tests/test_security_http_basic_optional.py
+++ b/tests/test_security_http_basic_optional.py
@ -7,7 +7,7 @@ from fastapi.testclient import TestClient
 app = FastAPI()
-security = HTTPBasic(auto_error=False)
+security = HTTPBasic(realm="simple", auto_error=False)
@app.get("/users/me")
@ -37,7 +37,7 @@ def test_security_http_basic_invalid_credentials():
        "/users/me", headers={"Authorization": "Basic notabase64token"}
    )
    assert response.status_code == 401, response.text
-    assert response.headers["WWW-Authenticate"] == "Basic"
+    assert response.headers["WWW-Authenticate"] == 'Basic realm="simple"'
    assert response.json() == {"detail": "Invalid authentication credentials"}
@ -46,7 +46,7 @@ def test_security_http_basic_non_basic_credentials():
    auth_header = f"Basic {payload}"
    response = client.get("/users/me", headers={"Authorization": auth_header})
    assert response.status_code == 401, response.text
-    assert response.headers["WWW-Authenticate"] == "Basic"
+    assert response.headers["WWW-Authenticate"] == 'Basic realm="simple"'
    assert response.json() == {"detail": "Invalid authentication credentials"}
--- a/tests/test_tutorial/test_security/test_tutorial006.py
+++ b/tests/test_tutorial/test_security/test_tutorial006.py
@ -32,7 +32,7 @@ def test_security_http_basic_no_credentials(client: TestClient):
    response = client.get("/users/me")
    assert response.json() == {"detail": "Not authenticated"}
    assert response.status_code == 401, response.text
-    assert response.headers["WWW-Authenticate"] == "Basic"
+    assert response.headers["WWW-Authenticate"] == 'Basic realm="simple"'
 def test_security_http_basic_invalid_credentials(client: TestClient):
@ -40,7 +40,7 @@ def test_security_http_basic_invalid_credentials(client: TestClient):
        "/users/me", headers={"Authorization": "Basic notabase64token"}
    )
    assert response.status_code == 401, response.text
-    assert response.headers["WWW-Authenticate"] == "Basic"
+    assert response.headers["WWW-Authenticate"] == 'Basic realm="simple"'
    assert response.json() == {"detail": "Invalid authentication credentials"}
@ -49,7 +49,7 @@ def test_security_http_basic_non_basic_credentials(client: TestClient):
    auth_header = f"Basic {payload}"
    response = client.get("/users/me", headers={"Authorization": auth_header})
    assert response.status_code == 401, response.text
-    assert response.headers["WWW-Authenticate"] == "Basic"
+    assert response.headers["WWW-Authenticate"] == 'Basic realm="simple"'
    assert response.json() == {"detail": "Invalid authentication credentials"}