Lenient Firebase authentication for FastAPI with configurable grace periods for time-based JWT claims
Project description
fastapi-cloudauth-lenient
Lenient Firebase authentication for FastAPI with configurable grace periods for time-based JWT claims.
Overview
fastapi-cloudauth-lenient extends fastapi-cloudauth to address issues where Firebase (and other JWT providers) may issue tokens with iat (issued at) or auth_time claims slightly in the future, causing unexpected verification failures.
This library provides a drop-in replacement for FirebaseCurrentUser with configurable grace periods for time-based claim validation.
Related Issue: fastapi-cloudauth#65
Features
- Drop-in replacement for
fastapi-cloudauth.firebase.FirebaseCurrentUser - Configurable grace periods for
iatandauth_timeclaims - Maintains all standard JWT validation (signature, expiration, audience, etc.)
- Full compatibility with FastAPI dependency injection
- Support for custom claims via Pydantic models
Requirements
- Python 3.8+
- FastAPI
- fastapi-cloudauth >= 0.4.0
Installation
# pip
pip install fastapi-cloudauth-lenient
# uv
uv add fastapi-cloudauth-lenient
# Poetry
poetry add fastapi-cloudauth-lenient
Usage
Basic Authentication
The simplest usage mirrors fastapi-cloudauth:
from fastapi import FastAPI, Depends
from fastapi_cloudauth_lenient import FirebaseCurrentUserLenient, FirebaseClaims
app = FastAPI()
get_current_user = FirebaseCurrentUserLenient(
project_id="your-firebase-project-id"
)
@app.get("/protected/")
def protected_route(current_user: FirebaseClaims = Depends(get_current_user)):
"""Protected endpoint that requires valid Firebase authentication."""
return {
"user_id": current_user.user_id,
"email": current_user.email,
}
Custom Grace Periods
Configure grace periods for iat and auth_time validation (defaults to 5 seconds):
get_current_user = FirebaseCurrentUserLenient(
project_id="your-firebase-project-id",
iat_grace_period_seconds=10, # Allow iat up to 10 seconds in the future
auth_time_grace_period_seconds=10, # Allow auth_time up to 10 seconds in the future
)
Custom Claims
Extend FirebaseClaims to capture additional custom claims from your Firebase tokens:
from pydantic import Field
from fastapi_cloudauth.firebase import FirebaseClaims
from fastapi_cloudauth_lenient import FirebaseCurrentUserLenient
class CustomFirebaseClaims(FirebaseClaims):
"""Extended claims model with custom fields."""
name: str = Field(None, alias="name")
admin: bool = Field(None, alias="admin")
auth_time: int = Field(None, alias="auth_time")
# Initialize the authentication handler
get_current_user = FirebaseCurrentUserLenient(
project_id="your-firebase-project-id"
)
# Override the user info model
get_current_user.user_info = CustomFirebaseClaims
@app.get("/user/profile/")
def user_profile(current_user: CustomFirebaseClaims = Depends(get_current_user)):
return {
"user_id": current_user.user_id,
"email": current_user.email,
"name": current_user.name,
"is_admin": current_user.admin,
}
Alternatively, use the claim() method:
get_user_detail = get_current_user.claim(CustomFirebaseClaims)
@app.get("/detailed/")
def detailed_user(user: CustomFirebaseClaims = Depends(get_user_detail)):
return f"Hello, {user.name}"
How It Works
When Firebase issues a JWT token, the iat (issued at) and auth_time claims may occasionally be set to a timestamp slightly in the future (typically 1 second). This is due to clock skew between Firebase servers and validation servers.
Standard JWT libraries reject these tokens as invalid, causing authentication failures.
fastapi-cloudauth-lenient adds a configurable grace period:
- iat grace period: Allows the
iatclaim to be up to N seconds in the future - auth_time grace period: Allows the
auth_timeclaim to be up to N seconds in the future
All other JWT validations (signature, expiration, audience, issuer) remain unchanged.
API Reference
FirebaseCurrentUserLenient
class FirebaseCurrentUserLenient(FirebaseCurrentUser):
def __init__(
self,
project_id: str,
iat_grace_period_seconds: int = 5,
auth_time_grace_period_seconds: int = 5,
):
...
Parameters:
project_id(str): Firebase project IDiat_grace_period_seconds(int, optional): Grace period foriatclaim validation. Default: 5auth_time_grace_period_seconds(int, optional): Grace period forauth_timeclaim validation. Default: 5
Inherits all methods from: fastapi_cloudauth.firebase.FirebaseCurrentUser
License
MIT License - see LICENSE file for details.
Acknowledgments
- Built on top of fastapi-cloudauth
- Inspired by the community discussion in fastapi-cloudauth#65
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file fastapi_cloudauth_lenient-1.0.0.tar.gz.
File metadata
- Download URL: fastapi_cloudauth_lenient-1.0.0.tar.gz
- Upload date:
- Size: 30.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.6.14
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
c92c64309e88d3373305efc2947b2b0b23b5d5065c30f428295cfef927f5de52
|
|
| MD5 |
15e4fdebd859945c47612e3dca07a270
|
|
| BLAKE2b-256 |
8c67ac520403686fe93a0dcf51565a06a2ae73ab8b1378c23f28e829fcc3ffaa
|
File details
Details for the file fastapi_cloudauth_lenient-1.0.0-py3-none-any.whl.
File metadata
- Download URL: fastapi_cloudauth_lenient-1.0.0-py3-none-any.whl
- Upload date:
- Size: 6.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.6.14
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
27d1747f4a2509d649011202649bec1d3c555d5725bdecfe5bda85b15c311a6f
|
|
| MD5 |
e30905b8e03cdff98e97e9aa125136b2
|
|
| BLAKE2b-256 |
bf86bf2c0c5b228c0385f91ed56d2e9c55c50f93b8254b7926f83843cdf55ad0
|
