
I have an endpoint in FastAPI that receives JSON data and a file from a client. My main goal is to secure this endpoint, since receiving files without validation could be risky. I have to make the validation before uploading the file and tried dependency injection. Is the "Depends" function enough to prevent file uploading, and if not, what are the alternatives? Note: I cannot make the validation in client-side code, so please do not consider that as an option.

My current program gives a UUID to proper clients and checks the UUID using the Depends function. It works for now, but I am not certain whether the file is still uploaded before Depends runs or not. This is the code (the JSON data contains a string and a dict; these are extracted from the fields below):

import json

from fastapi import Depends, FastAPI, File, Form, HTTPException, Request, Response, UploadFile

app = FastAPI()


async def validate_uuid(uuid: str):
    # placeholder check: "a valid uuid" stands in for a real lookup
    if uuid == "a valid uuid":
        print("success")
        return uuid
    else:
        print("fail")
        raise HTTPException(status_code=400, detail="UUID invalid")


@app.post("/file")
async def file_upload(
    request: Request,
    response: Response,
    file: UploadFile = File(...),
    check_uuid: str = Depends(validate_uuid),
    # the JSON is sent as a string in a form field: a multipart body cannot also carry a JSON body,
    # and a parameter without a default cannot follow the defaulted ones above
    dict_data: str = Form(...),
):
    data = json.loads(dict_data)
    # do something with file, check_uuid and data
    return {"filename": file.filename, "uuid": check_uuid, "keys": list(data)}
  • I am afraid not. The program won't have a user interface. It will run in the background sending data to the API. – ivenoidea May 08 '23 at 09:07
  • Your app does not have to provide a user interface for authentication to work. You could pass the `token` in the `Authorization` header instead. Using `cookies` should also be possible, when the client side uses `requests.Session()` or `httpx.Client()` - see [here](https://stackoverflow.com/a/70702903/17865804) and [here](https://stackoverflow.com/a/74003282/17865804) – Chris May 08 '23 at 09:19
  • Sorry I am new to authorization in APIs. Is using JWT tokens or Middleware a better option in my case? – ivenoidea May 08 '23 at 10:59

2 Answers


It seems that the file is uploaded before the dependency. Take a look at this. The answer there suggests that you could use a stream instead of UploadFile. Hope that helps.

  • So you say I should use middleware? – ivenoidea May 08 '23 at 09:10
  • It appears it is either that or streaming the bytes if you are interested in a single file – Chris Karvouniaris May 08 '23 at 12:28
  • Only a single file will be sent, but I want my API to be secure, and my current approach is to validate requests before the file is sent to my server. Is there any type of malware that can execute itself when I send the file content as bytes? – ivenoidea May 08 '23 at 13:46
  • I'm not the expert to answer that, but my instinct says nothing can be executed as code at this level. Of course that might be wrong. In any case a simple middleware should do it without that much penalty in speed. – Chris Karvouniaris May 08 '23 at 20:08
  • Thank you. I will try it and give you feedback afterwards – ivenoidea May 09 '23 at 09:05

I tried to implement a middleware in my application, but it got stuck when I tried to run it. After my research I found out that the structure of BaseHTTPMiddleware causes this problem. The only solution is to write your own middleware from scratch.

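The two answers point at the same fix from different sides: when a handler declares `file: UploadFile = File(...)`, FastAPI parses the whole multipart body before it resolves `Depends`, so the first answer's streaming advice and the second answer's "write the middleware from scratch" both mean "check the credential before anything reads the body". Below is an added example of that (my code, not from the question, the answers or FastAPI): a pure ASGI middleware that takes its decision from the request headers in the scope and never calls `receive()` for a rejected request, in front of a raw ASGI endpoint that streams the body in chunks with a size cap. The token value, the 1 KiB cap, the `/file` path and the hand-built scope/receive/send driver are all constructed for the demo; nothing here needs FastAPI or Starlette installed, which is also why it cannot hang the way `BaseHTTPMiddleware` did in the second answer.

```python
import asyncio
import hmac
from typing import Dict, List, Optional

# Assumed shared secret and size cap for this demo (constructed values, not from the question).
VALID_TOKEN = b"example-token-0123456789"
MAX_UPLOAD_BYTES = 1024  # deliberately small so the demo can hit the limit


def _headers(scope: dict) -> Dict[bytes, bytes]:
    """ASGI headers arrive as a list of (name, value) byte pairs with lowercase names."""
    return {name: value for name, value in scope.get("headers", [])}


async def _send_text(send, status: int, text: str) -> None:
    body = text.encode()
    await send({
        "type": "http.response.start",
        "status": status,
        "headers": [
            (b"content-type", b"text/plain; charset=utf-8"),
            (b"content-length", str(len(body)).encode()),
        ],
    })
    await send({"type": "http.response.body", "body": body})


class TokenGate:
    """Pure ASGI middleware (not BaseHTTPMiddleware): it decides from the headers in the
    scope alone, so a rejected request never has its body pulled through receive()."""

    def __init__(self, app, token: bytes = VALID_TOKEN):
        self.app = app
        self.token = token

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            await self.app(scope, receive, send)
            return
        auth = _headers(scope).get(b"authorization", b"")
        scheme, _, presented = auth.partition(b" ")
        # constant-time comparison so the check does not leak the token byte by byte
        if scheme.lower() != b"bearer" or not hmac.compare_digest(presented, self.token):
            await _send_text(send, 401, "unauthorized")
            return
        await self.app(scope, receive, send)


async def upload_app(scope, receive, send):
    """Raw ASGI endpoint that reads the body in chunks and stops at MAX_UPLOAD_BYTES.
    It parses no multipart and writes nothing to disk; the bytes stay inert data."""
    received = 0
    chunks: List[bytes] = []  # kept in memory only for the demo
    while True:
        message = await receive()
        if message["type"] == "http.disconnect":
            return
        chunk = message.get("body", b"")
        received += len(chunk)
        if received > MAX_UPLOAD_BYTES:
            await _send_text(send, 413, "payload too large")
            return
        chunks.append(chunk)
        if not message.get("more_body", False):
            break
    await _send_text(send, 200, f"stored {received} bytes")


app = TokenGate(upload_app)


def run_request(token: Optional[bytes], body_chunks: List[bytes]) -> dict:
    """Drive the app with a hand-built scope/receive/send instead of a real server (constructed).
    Returns the status, the response body, and whether the app ever asked for the request body."""
    headers = [] if token is None else [(b"authorization", b"Bearer " + token)]
    scope = {"type": "http", "method": "POST", "path": "/file", "headers": headers}
    pending = list(body_chunks)
    result = {"status": None, "body": b"", "body_pulled": False}

    async def receive():
        result["body_pulled"] = True
        chunk = pending.pop(0) if pending else b""
        return {"type": "http.request", "body": chunk, "more_body": bool(pending)}

    async def send(message):
        if message["type"] == "http.response.start":
            result["status"] = message["status"]
        elif message["type"] == "http.response.body":
            result["body"] += message.get("body", b"")

    asyncio.run(app(scope, receive, send))
    return result


if __name__ == "__main__":
    print(run_request(b"wrong-token", [b"x" * 10]))            # 401, body never pulled
    print(run_request(VALID_TOKEN, [b"x" * 10]))               # 200, stored 10 bytes
    print(run_request(VALID_TOKEN, [b"x" * 800, b"x" * 800]))  # 413 after the second chunk
```

To put the gate in front of a FastAPI application, wrap it as `TokenGate(FastAPI())` or register it with `add_middleware(TokenGate, token=...)`; both are my assumptions about how you would deploy it, not something the question's code does. The streaming handler can likewise be written as a FastAPI route that declares `request: Request` and the `Depends(...)` but no `File`/`Body` parameter, and then iterates `request.stream()`: with no body parameter to fill, FastAPI runs the dependency first and the body is only read inside the handler. Two caveats a practitioner would want: the bytes still arrive on the socket, so the middleware stops your process from buffering or parsing them rather than stopping the client from sending them, and a size limit at the reverse proxy (for nginx, `client_max_body_size`) belongs in front of this as well; and, for the question in the comments, received bytes cannot execute on their own, the risk appears only when something later opens them (an image library, an archive extractor, a path built from an attacker-chosen filename), so keep that stage as locked down as the upload itself.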