How to avoid creating multiple sessions when using Dependencies with Security? #6024

DurandA · 2023-02-20T22:56:37Z

DurandA
Feb 20, 2023

First Check

I added a very descriptive title here.
I used the GitHub search to find a similar question and didn't find it.
I searched the FastAPI documentation, with the integrated search.
I already searched in Google "How to X in FastAPI" and didn't find any information.
I already read and followed all the tutorial in the docs and didn't find an answer.
I already checked if it is not related to FastAPI but to Pydantic.
I already checked if it is not related to FastAPI but to Swagger UI.
I already checked if it is not related to FastAPI but to ReDoc.

Commit to Help

I commit to help with one of those options 👆

Example Code (full working example)

from fastapi import Depends, Security
from fastapi.security import SecurityScopes
from sqlmodel import Session, create_engine, select


def get_session():
    with Session(engine) as session:
        yield session


async def get_current_user(
    security_scopes: SecurityScopes,
    token: str = Depends(oauth2_scheme),
    session: Session = Depends(get_session)
):
    # Token read omitted 👈
    user = session.get(User, token_data.user_uuid)
    if user is None:
        raise credentials_exception
    return user


async def get_current_app_user(
    current_user: User = Security(get_current_user, scopes=["app"])
):
    return current_user


@app.patch("/me", response_model=UserRead)
def update_current_user(
    user: UserUpdate,
    current_user: User = Depends(get_current_app_user),
    session: Session = Depends(get_session),
):
    user_data = user.dict(exclude_unset=True)
    for key, value in user_data.items():
        setattr(current_user, key, value)
    # Session and session from current_user are different ⚠️
    session.add(current_user) 
    session.commit()
    session.refresh(current_user)
    return current_user

Description

I am using a synchronous (SQLite) session in a FastAPI Dependency as shown in the SQLModel Tutorial.

When a route "depends" on a Dependency and a Security that use get_session, the session is created twice resulting in errors such as:

sqlalchemy.exc.InvalidRequestError: Object '<User at 0x7f218cbf6a00>' is already attached to session '1' (this is '2')

How can this be prevented? I would expect a Security to reuse Dependencies as long as use_cache=True.

Operating System

Linux

Operating System Details

Ubuntu 20.04

FastAPI Version

0.89.1

Python Version

Python 3.8.10

Additional Context

The question was originally asked in SQLModel discussion. However, I think this is unrelated to SQLModel and maybe bug with FastAPI Security object. I also created a StackOverflow question with a bounty if you have a nice solution on how to handle this.

yinziyan1206 · 2023-02-21T03:30:13Z

yinziyan1206
Feb 21, 2023

The cache_key of Security is different with that of Depends. it has to be two sessions if you use di. You can return the session in get_current_user or create session in middleware.

1 reply

YuriiMotov Feb 27, 2024
Collaborator

I think none of these options is a good solution.
get_current_user should return user, not session. And when you create session in middleware you can't override it easily.

Could you take a look at this post and give your opinion?

DurandA · 2023-02-21T20:00:50Z

DurandA
Feb 21, 2023
Author

This issue appears only if scopes of Security is a non empty list. This is because scopes are part of the cache_key:

self.cache_key = (self.call, tuple(sorted(set(self.security_scopes or []))))

I believe the intended behavior is to isolate Depends with different securit_scopes. I am however not sure why it should change the scope of parent Dependencies and not only their children. Also it would be nice to mark a Dependency with something like ignore_scopes parameter.

0 replies

DurandA · 2023-06-27T18:54:14Z

DurandA
Jun 27, 2023
Author

See #2945 about why the isolation of cache key with scopes was introduced.

0 replies

YuriiMotov · 2024-02-21T10:45:19Z

YuriiMotov
Feb 21, 2024
Collaborator

I would like to resume the discussion on dependency caching.

I apologize in advance for the long text..

The documentation says that

If one of your dependencies is declared multiple times for the same path operation, for example, multiple dependencies have a common sub-dependency, FastAPI will know to call that sub-dependency only once per request.

But this is not true. In the current implementation, FastAPI caches dependencies according to the dependency name and scopes. Thus, one dependency that is used twice with different scopes will be called twice (and cached twice).

This is not entirely intuitive behavior and it is undesirable in some cases.
For example, this leads to the opening of two database sessions in the following example:

In the example above, get_db_session will be called twice because scopes are different ([] and ["me"]).

There are a few discussions on this topic:

This one
Discussion in the comments of PR 🐛 Fix cached dependencies when using a dependency in Security() and other places (e.g. Depends()) with different OAuth2 scopes #2945
Dependency is not being cached; dependency called multiple times #9513

And @DurandA has created a PR to fix this problem #9790.
That PR fixes that particular problem, and get_db_session will be called only once:

Even though this PR doesn't brake any other tests, I think it brakes the logic of scopes propagation.
Let's take a look at the following example:

Let's assume that get_current_user uses security_scopes.
In current implementation (FastAPI 0.109.2) FastAPI will call get_current_user twice with different scopes ([] and ["me"]).
And after merging of this PR (#9790) FastAPI will call it only once (with scopes = []).
I think that's incorrect.

Before summarizing, let`s take a look at one more example:

Let`s assume that:

get_db_session doesn't use security_scopes in any way and it's subdependencies also doesn`t use it
get_current_user uses security_scopes
get_something doesn't use security_scopes itself, but it uses subdependency get_current_user that uses security_scopes
get_something_2 doesn't use security_scopes itself, but it uses subdependency get_something that uses subdependency get_current_user that uses security_scopes

From my point of view it would be logical to call get_db_session once and cache it using key={function_name} (without scopes).
But both of get_current_user and get_something must be called twice and cached with the keys that include scopes.
Do you agree? ** Is this how it was supposed to work?**

I think it's important to take a deeper look and figure it out before making changes to avoid new mistakes.
I suggest discussing this issue and implementing this logic as it was intended. And we need to fix the documentation (describe dependency caching rules) along the way.

7 replies

YuriiMotov Feb 27, 2024
Collaborator

No, not yet.
I think it's better to discuss how it should work before proceeding with the implementation.
Let's try to get more people involved in this discussion

rishabhc32 May 31, 2024

@YuriiMotov I think first we should include this caveat in the documentation so users are aware of it in advance.

Also I agree with @DurandA that adding an optional ignore_scopes parameter can help, where scopes are propagated but not used for cache keys.

rishabhc32 May 31, 2024

Does @tiangolo have any views on it?

thibautd Oct 9, 2024

Thank you for summarizing all this, I've spent hours trying to figure out what is happening. That behavior doesn't match the documentation, especially regarding SecurityScopes which never includes all the scopes in the path, but instead the security dependency is called multiple time for each scope. We won't use the "scopes" feature of FastAPI as it looks unreliable at moment, and fallback to classic dependencies per expected scopes. Thanks again for this very nice summary.

qmorek Feb 13, 2025

@YuriiMotov / @tiangolo is anything happening with that topic?

Uh oh!

How to avoid creating multiple sessions when using Dependencies with Security? #6024

Uh oh!

Uh oh!

DurandA Feb 20, 2023

First Check

Commit to Help

Example Code (full working example)

Description

Operating System

Operating System Details

FastAPI Version

Python Version

Additional Context

Replies: 4 comments · 8 replies

Uh oh!

yinziyan1206 Feb 21, 2023

Uh oh!

YuriiMotov Feb 27, 2024 Collaborator

Uh oh!

DurandA Feb 21, 2023 Author

Uh oh!

DurandA Jun 27, 2023 Author

Uh oh!

YuriiMotov Feb 21, 2024 Collaborator

Uh oh!

YuriiMotov Feb 27, 2024 Collaborator

Uh oh!

Uh oh!

rishabhc32 May 31, 2024

Uh oh!

rishabhc32 May 31, 2024

Uh oh!

thibautd Oct 9, 2024

Uh oh!

qmorek Feb 13, 2025

DurandA
Feb 20, 2023

Replies: 4 comments 8 replies

yinziyan1206
Feb 21, 2023

YuriiMotov Feb 27, 2024
Collaborator

DurandA
Feb 21, 2023
Author

DurandA
Jun 27, 2023
Author

YuriiMotov
Feb 21, 2024
Collaborator

YuriiMotov Feb 27, 2024
Collaborator