Prevent 401 error to be raised when token is expired and auth is optional in FastAPI and Flask integration

frankie567 · frankie567 · commit e2c275e35ad9 · 2023-02-20T10:51:37.000+01:00
diff --git a/fief_client/integrations/fastapi.py b/fief_client/integrations/fastapi.py
@@ -176,6 +176,8 @@ async def _authenticated(
                 else:
                     info = result
             except (FiefAccessTokenInvalid, FiefAccessTokenExpired):
+                if optional:
+                    return None
                 return await self.get_unauthorized_response(request, response)
             except (FiefAccessTokenMissingScope, FiefAccessTokenMissingPermission):
                 return await self.get_forbidden_response(request, response)
diff --git a/fief_client/integrations/flask.py b/fief_client/integrations/flask.py
@@ -206,6 +206,9 @@ def decorated_function(*args, **kwargs):
                         token, required_scope=scope, required_permissions=permissions
                     )
                 except (FiefAccessTokenInvalid, FiefAccessTokenExpired) as e:
+                    if optional:
+                        g.access_token_info = None
+                        return f(*args, **kwargs)
                     raise FiefAuthUnauthorized() from e
                 except (
                     FiefAccessTokenMissingScope,
diff --git a/tests/test_integrations_fastapi.py b/tests/test_integrations_fastapi.py
@@ -180,17 +180,24 @@ async def test_optional(
         self, test_client: httpx.AsyncClient, generate_access_token, user_id: str
     ):
         response = await test_client.get("/authenticated-optional")
+        assert response.status_code == status.HTTP_200_OK
+        assert response.json() is None
 
+        expired_access_token = generate_access_token(
+            encrypt=False, scope="openid", exp=0
+        )
+        response = await test_client.get(
+            "/authenticated-optional",
+            headers={"Authorization": f"Bearer {expired_access_token}"},
+        )
         assert response.status_code == status.HTTP_200_OK
         assert response.json() is None
 
         access_token = generate_access_token(encrypt=False, scope="openid")
-
         response = await test_client.get(
             "/authenticated-optional",
             headers={"Authorization": f"Bearer {access_token}"},
         )
-
         assert response.status_code == status.HTTP_200_OK
         assert response.json() == {
             "id": user_id,
@@ -334,17 +341,24 @@ async def test_optional(
         )
 
         response = await test_client.get("/current-user-optional")
+        assert response.status_code == status.HTTP_200_OK
+        assert response.json() is None
 
+        expired_access_token = generate_access_token(
+            encrypt=False, scope="openid", exp=0
+        )
+        response = await test_client.get(
+            "/current-user-optional",
+            headers={"Authorization": f"Bearer {expired_access_token}"},
+        )
         assert response.status_code == status.HTTP_200_OK
         assert response.json() is None
 
         access_token = generate_access_token(encrypt=False, scope="openid")
-
         response = await test_client.get(
             "/current-user-optional",
             headers={"Authorization": f"Bearer {access_token}"},
         )
-
         assert response.status_code == status.HTTP_200_OK
         assert response.json() == {"sub": user_id}
 
diff --git a/tests/test_integrations_flask.py b/tests/test_integrations_flask.py
@@ -147,15 +147,22 @@ def test_optional(
         assert response.status_code == 200
         assert response.json == {}
 
-        access_token = generate_access_token(encrypt=False, scope="openid")
+        expired_access_token = generate_access_token(
+            encrypt=False, scope="openid", exp=0
+        )
+        response = test_client.get(
+            "/authenticated-optional",
+            headers={"Authorization": f"Bearer {expired_access_token}"},
+        )
+        assert response.status_code == 200
+        assert response.json == {}
 
+        access_token = generate_access_token(encrypt=False, scope="openid")
         response = test_client.get(
             "/authenticated-optional",
             headers={"Authorization": f"Bearer {access_token}"},
         )
-
         assert response.status_code == 200
-
         assert response.json == {
             "id": user_id,
             "scope": ["openid"],
@@ -299,15 +306,22 @@ def test_optional(
         assert response.status_code == 200
         assert response.json == {}
 
-        access_token = generate_access_token(encrypt=False, scope="openid")
+        expired_access_token = generate_access_token(
+            encrypt=False, scope="openid", exp=0
+        )
+        response = test_client.get(
+            "/current-user-optional",
+            headers={"Authorization": f"Bearer {expired_access_token}"},
+        )
+        assert response.status_code == 200
+        assert response.json == {}
 
+        access_token = generate_access_token(encrypt=False, scope="openid")
         response = test_client.get(
             "/current-user-optional",
             headers={"Authorization": f"Bearer {access_token}"},
         )
-
         assert response.status_code == 200
-
         assert response.json == {"sub": user_id}
 
     def test_missing_scope(self, test_client: FlaskClient, generate_access_token):
