DEV Community: Nikita Rybalchenko The latest articles on DEV Community by Nikita Rybalchenko (@neko1313). https://dev.to/neko1313 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3821999%2Ff5029f55-abd0-45da-8ffc-5171666d32f6.png DEV Community: Nikita Rybalchenko https://dev.to/neko1313 en FastAPI Authorization Without Middleware: Decorator-Based Casbin Integration Nikita Rybalchenko Fri, 13 Mar 2026 09:58:36 +0000 https://dev.to/neko1313/fastapi-authorization-without-middleware-decorator-based-casbin-integration-4n3o https://dev.to/neko1313/fastapi-authorization-without-middleware-decorator-based-casbin-integration-4n3o <p>Authorization in FastAPI tends to start clean and quietly become a mess. One <code>Depends(require_admin)</code>, then <code>Depends(require_editor)</code>, then <code>Depends(require_editor_or_admin_but_only_on_weekdays)</code>... and three months later nobody wants to touch the permissions file.</p> <p>I've been there. So I wrote <strong>casbin-fastapi-decorator</strong> — a library that brings <a href="https://casbin.org/" rel="noopener noreferrer">Casbin</a> into FastAPI with zero middleware, using a decorator factory pattern. One decorator above each route. No boilerplate in function signatures.</p> <ul> <li>📦 PyPI: <a href="https://pypi.org/project/casbin-fastapi-decorator" rel="noopener noreferrer">pypi.org/project/casbin-fastapi-decorator</a> </li> <li>🐙 GitHub: <a href="https://github.com/Neko1313/casbin-fastapi-decorator" rel="noopener noreferrer">github.com/Neko1313/casbin-fastapi-decorator</a> </li> <li>📖 Docs: <a href="https://neko1313.github.io/casbin-fastapi-decorator-docs/" rel="noopener noreferrer">neko1313.github.io/casbin-fastapi-decorator-docs</a> </li> </ul> <h2> The Problem </h2> <p>Standard FastAPI authorization ends up looking like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">require_admin</span><span class="p">(</span><span class="n">user</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">get_current_user</span><span class="p">)):</span> <span class="k">if</span> <span class="n">user</span><span class="p">.</span><span class="n">role</span> <span class="o">!=</span> <span class="sh">"</span><span class="s">admin</span><span class="sh">"</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="mi">403</span><span class="p">,</span> <span class="sh">"</span><span class="s">Forbidden</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">user</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">require_editor</span><span class="p">(</span><span class="n">user</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">get_current_user</span><span class="p">)):</span> <span class="k">if</span> <span class="n">user</span><span class="p">.</span><span class="n">role</span> <span class="ow">not</span> <span class="ow">in</span> <span class="p">(</span><span class="sh">"</span><span class="s">admin</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">editor</span><span class="sh">"</span><span class="p">):</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="mi">403</span><span class="p">,</span> <span class="sh">"</span><span class="s">Forbidden</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">user</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/articles</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">list_articles</span><span class="p">(</span><span class="n">user</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">require_editor</span><span class="p">)):</span> <span class="bp">...</span> <span class="nd">@app.delete</span><span class="p">(</span><span class="sh">"</span><span class="s">/articles/{id}</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">delete_article</span><span class="p">(</span><span class="nb">id</span><span class="p">:</span> <span class="nb">int</span><span class="p">,</span> <span class="n">user</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">require_admin</span><span class="p">)):</span> <span class="bp">...</span> </code></pre> </div> <p>It works — until it doesn't. Adding a new role means hunting through every dependency function. Want to change what editors can do? Same hunt. No single place that says "here is who can do what."</p> <h2> The Solution </h2> <p><code>casbin-fastapi-decorator</code> uses <a href="https://pypi.org/project/fastapi-decorators/" rel="noopener noreferrer">fastapi-decorators</a> under the hood — no middleware required. You configure a <code>PermissionGuard</code> once and use it as a decorator factory:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">casbin</span> <span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">HTTPException</span> <span class="kn">from</span> <span class="n">casbin_fastapi_decorator</span> <span class="kn">import</span> <span class="n">PermissionGuard</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_current_user</span><span class="p">()</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">sub</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">alice</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">role</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">admin</span><span class="sh">"</span><span class="p">}</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_enforcer</span><span class="p">()</span> <span class="o">-&gt;</span> <span class="n">casbin</span><span class="p">.</span><span class="n">Enforcer</span><span class="p">:</span> <span class="k">return</span> <span class="n">casbin</span><span class="p">.</span><span class="nc">Enforcer</span><span class="p">(</span><span class="sh">"</span><span class="s">model.conf</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">policy.csv</span><span class="sh">"</span><span class="p">)</span> <span class="n">guard</span> <span class="o">=</span> <span class="nc">PermissionGuard</span><span class="p">(</span> <span class="n">user_provider</span><span class="o">=</span><span class="n">get_current_user</span><span class="p">,</span> <span class="n">enforcer_provider</span><span class="o">=</span><span class="n">get_enforcer</span><span class="p">,</span> <span class="n">error_factory</span><span class="o">=</span><span class="k">lambda</span> <span class="n">user</span><span class="p">,</span> <span class="o">*</span><span class="n">rv</span><span class="p">:</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="mi">403</span><span class="p">,</span> <span class="sh">"</span><span class="s">Forbidden</span><span class="sh">"</span><span class="p">),</span> <span class="p">)</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/me</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@guard.auth_required</span><span class="p">()</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">me</span><span class="p">():</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">ok</span><span class="sh">"</span><span class="p">:</span> <span class="bp">True</span><span class="p">}</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/articles</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@guard.require_permission</span><span class="p">(</span><span class="sh">"</span><span class="s">post</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">read</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">list_articles</span><span class="p">():</span> <span class="k">return</span> <span class="p">[]</span> <span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/articles</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@guard.require_permission</span><span class="p">(</span><span class="sh">"</span><span class="s">post</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">write</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">create_article</span><span class="p">(</span><span class="n">data</span><span class="p">:</span> <span class="n">ArticleIn</span><span class="p">):</span> <span class="bp">...</span> <span class="nd">@app.delete</span><span class="p">(</span><span class="sh">"</span><span class="s">/articles/{id}</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@guard.require_permission</span><span class="p">(</span><span class="sh">"</span><span class="s">post</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">delete</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">delete_article</span><span class="p">(</span><span class="nb">id</span><span class="p">:</span> <span class="nb">int</span><span class="p">):</span> <span class="bp">...</span> </code></pre> </div> <p>Arguments to <code>require_permission</code> are passed directly to <code>enforcer.enforce(user, *args)</code>. The Casbin model decides what "user" and <code>("post", "read")</code> mean — your route handlers know nothing about it.</p> <h2> Installation </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>casbin-fastapi-decorator <span class="c"># Optional extras</span> pip <span class="nb">install</span> <span class="s2">"casbin-fastapi-decorator[jwt]"</span> <span class="c"># JWT token support</span> pip <span class="nb">install</span> <span class="s2">"casbin-fastapi-decorator[db]"</span> <span class="c"># DB-backed policies (SQLAlchemy async)</span> pip <span class="nb">install</span> <span class="s2">"casbin-fastapi-decorator[casdoor]"</span> <span class="c"># Casdoor OAuth2/SSO</span> </code></pre> </div> <p>Python 3.10+ required.</p> <h2> Deep Dive: JWT Authentication </h2> <p>The <code>[jwt]</code> extra provides <code>JWTUserProvider</code> — a FastAPI dependency that reads and validates a JWT from the <code>Authorization: Bearer</code> header (and optionally a cookie):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">pydantic</span> <span class="kn">import</span> <span class="n">BaseModel</span> <span class="kn">from</span> <span class="n">casbin_fastapi_decorator_jwt</span> <span class="kn">import</span> <span class="n">JWTUserProvider</span> <span class="k">class</span> <span class="nc">UserSchema</span><span class="p">(</span><span class="n">BaseModel</span><span class="p">):</span> <span class="n">role</span><span class="p">:</span> <span class="nb">str</span> <span class="c1"># JWT claim </span> <span class="n">user_provider</span> <span class="o">=</span> <span class="nc">JWTUserProvider</span><span class="p">(</span> <span class="n">secret_key</span><span class="o">=</span><span class="sh">"</span><span class="s">your-secret-key</span><span class="sh">"</span><span class="p">,</span> <span class="n">algorithm</span><span class="o">=</span><span class="sh">"</span><span class="s">HS256</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># default </span> <span class="n">cookie_name</span><span class="o">=</span><span class="sh">"</span><span class="s">access_token</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># optional: also read from cookie </span> <span class="n">user_model</span><span class="o">=</span><span class="n">UserSchema</span><span class="p">,</span> <span class="c1"># optional: validate payload with Pydantic </span><span class="p">)</span> </code></pre> </div> <p>Pass it to <code>PermissionGuard</code> as the <code>user_provider</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">casbin</span> <span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">HTTPException</span> <span class="kn">from</span> <span class="n">casbin_fastapi_decorator</span> <span class="kn">import</span> <span class="n">PermissionGuard</span> <span class="kn">from</span> <span class="n">auth</span> <span class="kn">import</span> <span class="n">user_provider</span> <span class="c1"># the JWTUserProvider instance above </span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_enforcer</span><span class="p">()</span> <span class="o">-&gt;</span> <span class="n">casbin</span><span class="p">.</span><span class="n">Enforcer</span><span class="p">:</span> <span class="k">return</span> <span class="n">casbin</span><span class="p">.</span><span class="nc">Enforcer</span><span class="p">(</span><span class="sh">"</span><span class="s">model.conf</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">policy.csv</span><span class="sh">"</span><span class="p">)</span> <span class="n">guard</span> <span class="o">=</span> <span class="nc">PermissionGuard</span><span class="p">(</span> <span class="n">user_provider</span><span class="o">=</span><span class="n">user_provider</span><span class="p">,</span> <span class="n">enforcer_provider</span><span class="o">=</span><span class="n">get_enforcer</span><span class="p">,</span> <span class="n">error_factory</span><span class="o">=</span><span class="k">lambda</span> <span class="o">*</span><span class="n">_</span><span class="p">:</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="mi">403</span><span class="p">,</span> <span class="sh">"</span><span class="s">Forbidden</span><span class="sh">"</span><span class="p">),</span> <span class="p">)</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/login</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">login</span><span class="p">(</span><span class="n">role</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="kn">import</span> <span class="n">jwt</span> <span class="k">return</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">encode</span><span class="p">({</span><span class="sh">"</span><span class="s">role</span><span class="sh">"</span><span class="p">:</span> <span class="n">role</span><span class="p">},</span> <span class="sh">"</span><span class="s">your-secret-key</span><span class="sh">"</span><span class="p">,</span> <span class="n">algorithm</span><span class="o">=</span><span class="sh">"</span><span class="s">HS256</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/articles</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@guard.require_permission</span><span class="p">(</span><span class="sh">"</span><span class="s">post</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">read</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">list_articles</span><span class="p">():</span> <span class="k">return</span> <span class="p">[]</span> </code></pre> </div> <p>When <code>user_model</code> is provided, <code>JWTUserProvider</code> validates the decoded payload via <code>UserSchema.model_validate()</code>. This means your <code>user_provider</code> returns a typed Pydantic model — not a raw dict.</p> <p>The Casbin model matcher accesses it as an attribute: <code>r.sub.role == p.sub</code>.</p> <h2> Deep Dive: DB-Backed Policies </h2> <p>CSV files work fine for development. Production needs database-backed policies so you can change them without redeploying. Define an ORM model for your policy table:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">sqlalchemy.orm</span> <span class="kn">import</span> <span class="n">DeclarativeBase</span><span class="p">,</span> <span class="n">Mapped</span><span class="p">,</span> <span class="n">mapped_column</span> <span class="kn">from</span> <span class="n">sqlalchemy.ext.asyncio</span> <span class="kn">import</span> <span class="n">AsyncSession</span><span class="p">,</span> <span class="n">async_sessionmaker</span><span class="p">,</span> <span class="n">create_async_engine</span> <span class="k">class</span> <span class="nc">Base</span><span class="p">(</span><span class="n">DeclarativeBase</span><span class="p">):</span> <span class="k">pass</span> <span class="k">class</span> <span class="nc">Policy</span><span class="p">(</span><span class="n">Base</span><span class="p">):</span> <span class="n">__tablename__</span> <span class="o">=</span> <span class="sh">"</span><span class="s">policies</span><span class="sh">"</span> <span class="nb">id</span><span class="p">:</span> <span class="n">Mapped</span><span class="p">[</span><span class="nb">int</span><span class="p">]</span> <span class="o">=</span> <span class="nf">mapped_column</span><span class="p">(</span><span class="n">primary_key</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">autoincrement</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">sub</span><span class="p">:</span> <span class="n">Mapped</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="n">obj</span><span class="p">:</span> <span class="n">Mapped</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="n">act</span><span class="p">:</span> <span class="n">Mapped</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="n">engine</span> <span class="o">=</span> <span class="nf">create_async_engine</span><span class="p">(</span><span class="sh">"</span><span class="s">sqlite+aiosqlite:///./app.db</span><span class="sh">"</span><span class="p">)</span> <span class="n">async_session</span> <span class="o">=</span> <span class="nf">async_sessionmaker</span><span class="p">(</span><span class="n">engine</span><span class="p">,</span> <span class="n">class_</span><span class="o">=</span><span class="n">AsyncSession</span><span class="p">,</span> <span class="n">expire_on_commit</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> </code></pre> </div> <p>Wire it up with <code>DatabaseEnforcerProvider</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">casbin_fastapi_decorator</span> <span class="kn">import</span> <span class="n">PermissionGuard</span> <span class="kn">from</span> <span class="n">casbin_fastapi_decorator_db</span> <span class="kn">import</span> <span class="n">DatabaseEnforcerProvider</span> <span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">HTTPException</span> <span class="n">enforcer_provider</span> <span class="o">=</span> <span class="nc">DatabaseEnforcerProvider</span><span class="p">(</span> <span class="n">model_path</span><span class="o">=</span><span class="sh">"</span><span class="s">casbin/model.conf</span><span class="sh">"</span><span class="p">,</span> <span class="n">session_factory</span><span class="o">=</span><span class="n">async_session</span><span class="p">,</span> <span class="n">policy_model</span><span class="o">=</span><span class="n">Policy</span><span class="p">,</span> <span class="n">policy_mapper</span><span class="o">=</span><span class="k">lambda</span> <span class="n">p</span><span class="p">:</span> <span class="p">(</span><span class="n">p</span><span class="p">.</span><span class="n">sub</span><span class="p">,</span> <span class="n">p</span><span class="p">.</span><span class="n">obj</span><span class="p">,</span> <span class="n">p</span><span class="p">.</span><span class="n">act</span><span class="p">),</span> <span class="n">default_policies</span><span class="o">=</span><span class="p">[(</span><span class="sh">"</span><span class="s">admin</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">)],</span> <span class="c1"># optional static rules on top </span><span class="p">)</span> <span class="n">guard</span> <span class="o">=</span> <span class="nc">PermissionGuard</span><span class="p">(</span> <span class="n">user_provider</span><span class="o">=</span><span class="n">get_current_user</span><span class="p">,</span> <span class="n">enforcer_provider</span><span class="o">=</span><span class="n">enforcer_provider</span><span class="p">,</span> <span class="n">error_factory</span><span class="o">=</span><span class="k">lambda</span> <span class="o">*</span><span class="n">_</span><span class="p">:</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="mi">403</span><span class="p">,</span> <span class="sh">"</span><span class="s">Forbidden</span><span class="sh">"</span><span class="p">),</span> <span class="p">)</span> </code></pre> </div> <p>On every request, the provider opens a session, loads all rows, maps them via <code>policy_mapper</code>, merges with <code>default_policies</code>, and returns a fresh <code>casbin.Enforcer</code>. No restart needed — update rows in the DB and the next request sees new policies.</p> <p>Seed the database on startup with FastAPI's lifespan:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">contextlib</span> <span class="kn">import</span> <span class="n">asynccontextmanager</span> <span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span> <span class="nd">@asynccontextmanager</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">lifespan</span><span class="p">(</span><span class="n">app</span><span class="p">:</span> <span class="n">FastAPI</span><span class="p">):</span> <span class="k">async</span> <span class="k">with</span> <span class="n">engine</span><span class="p">.</span><span class="nf">begin</span><span class="p">()</span> <span class="k">as</span> <span class="n">conn</span><span class="p">:</span> <span class="k">await</span> <span class="n">conn</span><span class="p">.</span><span class="nf">run_sync</span><span class="p">(</span><span class="n">Base</span><span class="p">.</span><span class="n">metadata</span><span class="p">.</span><span class="n">create_all</span><span class="p">)</span> <span class="k">async</span> <span class="k">with</span> <span class="nf">async_session</span><span class="p">()</span> <span class="k">as</span> <span class="n">session</span><span class="p">:</span> <span class="n">session</span><span class="p">.</span><span class="nf">add_all</span><span class="p">([</span> <span class="nc">Policy</span><span class="p">(</span><span class="n">sub</span><span class="o">=</span><span class="sh">"</span><span class="s">admin</span><span class="sh">"</span><span class="p">,</span> <span class="n">obj</span><span class="o">=</span><span class="sh">"</span><span class="s">post</span><span class="sh">"</span><span class="p">,</span> <span class="n">act</span><span class="o">=</span><span class="sh">"</span><span class="s">read</span><span class="sh">"</span><span class="p">),</span> <span class="nc">Policy</span><span class="p">(</span><span class="n">sub</span><span class="o">=</span><span class="sh">"</span><span class="s">admin</span><span class="sh">"</span><span class="p">,</span> <span class="n">obj</span><span class="o">=</span><span class="sh">"</span><span class="s">post</span><span class="sh">"</span><span class="p">,</span> <span class="n">act</span><span class="o">=</span><span class="sh">"</span><span class="s">write</span><span class="sh">"</span><span class="p">),</span> <span class="nc">Policy</span><span class="p">(</span><span class="n">sub</span><span class="o">=</span><span class="sh">"</span><span class="s">admin</span><span class="sh">"</span><span class="p">,</span> <span class="n">obj</span><span class="o">=</span><span class="sh">"</span><span class="s">post</span><span class="sh">"</span><span class="p">,</span> <span class="n">act</span><span class="o">=</span><span class="sh">"</span><span class="s">delete</span><span class="sh">"</span><span class="p">),</span> <span class="nc">Policy</span><span class="p">(</span><span class="n">sub</span><span class="o">=</span><span class="sh">"</span><span class="s">editor</span><span class="sh">"</span><span class="p">,</span> <span class="n">obj</span><span class="o">=</span><span class="sh">"</span><span class="s">post</span><span class="sh">"</span><span class="p">,</span> <span class="n">act</span><span class="o">=</span><span class="sh">"</span><span class="s">read</span><span class="sh">"</span><span class="p">),</span> <span class="nc">Policy</span><span class="p">(</span><span class="n">sub</span><span class="o">=</span><span class="sh">"</span><span class="s">editor</span><span class="sh">"</span><span class="p">,</span> <span class="n">obj</span><span class="o">=</span><span class="sh">"</span><span class="s">post</span><span class="sh">"</span><span class="p">,</span> <span class="n">act</span><span class="o">=</span><span class="sh">"</span><span class="s">write</span><span class="sh">"</span><span class="p">),</span> <span class="nc">Policy</span><span class="p">(</span><span class="n">sub</span><span class="o">=</span><span class="sh">"</span><span class="s">viewer</span><span class="sh">"</span><span class="p">,</span> <span class="n">obj</span><span class="o">=</span><span class="sh">"</span><span class="s">post</span><span class="sh">"</span><span class="p">,</span> <span class="n">act</span><span class="o">=</span><span class="sh">"</span><span class="s">read</span><span class="sh">"</span><span class="p">),</span> <span class="p">])</span> <span class="k">await</span> <span class="n">session</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="k">yield</span> <span class="k">await</span> <span class="n">engine</span><span class="p">.</span><span class="nf">dispose</span><span class="p">()</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">(</span><span class="n">lifespan</span><span class="o">=</span><span class="n">lifespan</span><span class="p">)</span> </code></pre> </div> <h2> Dynamic Arguments: AccessSubject </h2> <p>Sometimes the arguments for <code>enforce()</code> need to come from the request itself — from the database, path params, or request body. That's what <code>AccessSubject</code> is for:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">casbin_fastapi_decorator</span> <span class="kn">import</span> <span class="n">AccessSubject</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_article</span><span class="p">(</span><span class="n">article_id</span><span class="p">:</span> <span class="nb">int</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="c1"># Could be a DB query — it's a regular FastAPI dependency </span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">:</span> <span class="n">article_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">owner</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">alice</span><span class="sh">"</span><span class="p">}</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/articles/{article_id}</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@guard.require_permission</span><span class="p">(</span> <span class="nc">AccessSubject</span><span class="p">(</span><span class="n">val</span><span class="o">=</span><span class="n">get_article</span><span class="p">,</span> <span class="n">selector</span><span class="o">=</span><span class="k">lambda</span> <span class="n">a</span><span class="p">:</span> <span class="n">a</span><span class="p">[</span><span class="sh">"</span><span class="s">owner</span><span class="sh">"</span><span class="p">]),</span> <span class="sh">"</span><span class="s">read</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">read_article</span><span class="p">(</span><span class="n">article_id</span><span class="p">:</span> <span class="nb">int</span><span class="p">):</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">article_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">article_id</span><span class="p">}</span> </code></pre> </div> <p><code>AccessSubject</code> is resolved through FastAPI DI, then the <code>selector</code> extracts the value before it's passed to <code>enforcer.enforce(user, owner, "read")</code>. The default <code>selector</code> is identity (<code>lambda x: x</code>). This unlocks ownership-based authorization and fine-grained ABAC patterns.</p> <h2> Casdoor Extra: Centralized OAuth2/SSO </h2> <p>Running multiple services? <a href="https://casdoor.org/" rel="noopener noreferrer">Casdoor</a> is a lightweight open-source IAM that pairs naturally with Casbin. The <code>[casdoor]</code> extra provides a high-level facade:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span> <span class="kn">from</span> <span class="n">casbin_fastapi_decorator_casdoor</span> <span class="kn">import</span> <span class="n">CasdoorEnforceTarget</span><span class="p">,</span> <span class="n">CasdoorIntegration</span> <span class="n">casdoor</span> <span class="o">=</span> <span class="nc">CasdoorIntegration</span><span class="p">(</span> <span class="n">endpoint</span><span class="o">=</span><span class="sh">"</span><span class="s">http://localhost:8000</span><span class="sh">"</span><span class="p">,</span> <span class="n">client_id</span><span class="o">=</span><span class="sh">"</span><span class="s">your-client-id</span><span class="sh">"</span><span class="p">,</span> <span class="n">client_secret</span><span class="o">=</span><span class="sh">"</span><span class="s">your-client-secret</span><span class="sh">"</span><span class="p">,</span> <span class="n">certificate</span><span class="o">=</span><span class="n">cert_pem</span><span class="p">,</span> <span class="c1"># PEM string from Casdoor → Application → Cert </span> <span class="n">org_name</span><span class="o">=</span><span class="sh">"</span><span class="s">my-org</span><span class="sh">"</span><span class="p">,</span> <span class="n">application_name</span><span class="o">=</span><span class="sh">"</span><span class="s">my-app</span><span class="sh">"</span><span class="p">,</span> <span class="n">target</span><span class="o">=</span><span class="nc">CasdoorEnforceTarget</span><span class="p">(</span><span class="n">enforce_id</span><span class="o">=</span><span class="sh">"</span><span class="s">my-org/my-enforcer</span><span class="sh">"</span><span class="p">),</span> <span class="n">redirect_after_login</span><span class="o">=</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">,</span> <span class="n">cookie_secure</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="c1"># False for local HTTP dev </span> <span class="n">cookie_samesite</span><span class="o">=</span><span class="sh">"</span><span class="s">lax</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="n">app</span><span class="p">.</span><span class="nf">include_router</span><span class="p">(</span><span class="n">casdoor</span><span class="p">.</span><span class="n">router</span><span class="p">)</span> <span class="c1"># GET /login, GET /callback, POST /logout </span><span class="n">guard</span> <span class="o">=</span> <span class="n">casdoor</span><span class="p">.</span><span class="nf">create_guard</span><span class="p">()</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/articles</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@guard.require_permission</span><span class="p">(</span><span class="sh">"</span><span class="s">articles</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">read</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">list_articles</span><span class="p">():</span> <span class="k">return</span> <span class="n">MOCK_DB</span> </code></pre> </div> <p><code>CasdoorEnforceTarget</code> decides which Casbin enforcer to call in Casdoor's <code>/api/enforce</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Static enforcer ID </span><span class="nc">CasdoorEnforceTarget</span><span class="p">(</span><span class="n">enforce_id</span><span class="o">=</span><span class="sh">"</span><span class="s">my-org/my-enforcer</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Dynamic — org from user's JWT </span><span class="nc">CasdoorEnforceTarget</span><span class="p">(</span><span class="n">enforce_id</span><span class="o">=</span><span class="k">lambda</span> <span class="n">parsed</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">parsed</span><span class="p">[</span><span class="sh">'</span><span class="s">owner</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">/my-enforcer</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># By permission object </span><span class="nc">CasdoorEnforceTarget</span><span class="p">(</span><span class="n">permission_id</span><span class="o">=</span><span class="sh">"</span><span class="s">my-org/can_edit_posts</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h2> How the Casbin Model Connects </h2> <p>For reference, here's the model used in the examples above. The matcher uses <code>r.sub.role</code> because the user object is a Pydantic model with a <code>role</code> field:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[request_definition]</span> <span class="py">r</span> <span class="p">=</span> <span class="s">sub, obj, act</span> <span class="nn">[policy_definition]</span> <span class="py">p</span> <span class="p">=</span> <span class="s">sub, obj, act</span> <span class="nn">[policy_effect]</span> <span class="py">e</span> <span class="p">=</span> <span class="s">some(where (p.eft == allow))</span> <span class="nn">[matchers]</span> <span class="py">m</span> <span class="p">=</span> <span class="s">r.obj == p.obj &amp;&amp; r.sub.role == p.sub &amp;&amp; r.act == p.act</span> </code></pre> </div> <p>And the policy file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>p, admin, post, read p, admin, post, write p, admin, post, delete p, editor, post, read p, editor, post, write p, viewer, post, read </code></pre> </div> <p>When you switch to user-ID based policies instead of role-based, update the matcher to <code>r.sub.sub == p.sub</code> and adjust your policy rows accordingly — no changes to route handlers.</p> <h2> Comparison </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th></th> <th><strong>casbin-fastapi-decorator</strong></th> <th><strong>fastapi-authz</strong></th> <th><strong>Manual Depends</strong></th> </tr> </thead> <tbody> <tr> <td>API style</td> <td><code>@guard.require_permission(...)</code></td> <td>Starlette middleware</td> <td><code>Depends(func)</code></td> </tr> <tr> <td>Middleware required</td> <td>❌</td> <td>✅</td> <td>❌</td> </tr> <tr> <td>Authorization logic</td> <td>Centralized (Casbin model)</td> <td>Centralized (Casbin model)</td> <td>In code</td> </tr> <tr> <td>Dynamic enforce args</td> <td>✅ <code>AccessSubject</code> </td> <td>❌</td> <td>⚠️ Manual</td> </tr> <tr> <td>DB-backed policies</td> <td>✅ <code>[db]</code> extra</td> <td>✅ Casbin adapters</td> <td>❌</td> </tr> <tr> <td>JWT integration</td> <td>✅ <code>[jwt]</code> extra</td> <td>❌ built-in</td> <td>❌</td> </tr> <tr> <td>SSO / Casdoor</td> <td>✅ <code>[casdoor]</code> extra</td> <td>❌</td> <td>❌</td> </tr> <tr> <td>Python</td> <td>3.10+</td> <td>3.6+</td> <td>any</td> </tr> </tbody> </table></div> <h2> When to Use It </h2> <p><strong>Good fit:</strong></p> <ul> <li>More than a handful of roles and resources</li> <li>Policies need to change without code deployments</li> <li>You want ABAC or ownership-based checks (<code>AccessSubject</code>)</li> <li>Multi-tenancy or SSO across multiple services</li> </ul> <p><strong>Overkill:</strong></p> <ul> <li>Two roles (admin/user), no plans to grow</li> <li>Team has zero Casbin experience and no time to ramp up</li> </ul> <h2> Wrapping Up </h2> <p><code>casbin-fastapi-decorator</code> moves authorization out of route handlers and into declarative policies. The <code>@guard.require_permission(resource, action)</code> decorator is explicit, readable, and keeps function signatures clean. Changing who can delete articles means editing a CSV or a database row — not hunting through FastAPI dependencies.</p> <p>The library is MIT-licensed and actively maintained. Feedback welcome via GitHub issues!</p> <p><em>Have you used Casbin with FastAPI before? What approach did you go with? Happy to chat in the comments.</em></p> python fastapi security tutorial