🔖 Release version 0.120.4

📝 Update release notes
[skip ci]
2025-12-30 09:39:20 -05:00 · 2025-10-31 19:35:33 +01:00 · 2025-10-31 18:35:03 +00:00 · 2025-10-31 19:34:30 +01:00
4 changed files with 75 additions and 11 deletions
--- a/docs/en/docs/release-notes.md
+++ b/docs/en/docs/release-notes.md
@@ -7,6 +7,12 @@ hide:

 ## Latest Changes

+## 0.120.4
+
+### Fixes
+
+* 🐛 Fix security schemes in OpenAPI when added at the top level app. PR [#14266](https://github.com/fastapi/fastapi/pull/14266) by [@YuriiMotov](https://github.com/YuriiMotov).
+
 ## 0.120.3

 ### Refactors
--- a/fastapi/init.py
+++ b/fastapi/init.py
@@ -1,6 +1,6 @@
 """FastAPI framework, high performance, easy to learn, fast to code, ready for production"""

-__version__ = "0.120.3"
+__version__ = "0.120.4"

 from starlette import status as status

--- a/fastapi/dependencies/utils.py
+++ b/fastapi/dependencies/utils.py
@@ -248,6 +248,14 @@ def get_dependant(
    path_param_names = get_path_param_names(path)
    endpoint_signature = get_typed_signature(call)
    signature_params = endpoint_signature.parameters
+    if isinstance(call, SecurityBase):
+        use_scopes: List[str] = []
+        if isinstance(call, (OAuth2, OpenIdConnect)):
+            use_scopes = security_scopes
+        security_requirement = SecurityRequirement(
+            security_scheme=call, scopes=use_scopes
+        )
+        dependant.security_requirements.append(security_requirement)
    for param_name, param in signature_params.items():
        is_path_param = param_name in path_param_names
        param_details = analyze_param(
@@ -269,16 +277,6 @@ def get_dependant(
                security_scopes=use_security_scopes,
                use_cache=param_details.depends.use_cache,
            )
-            if isinstance(param_details.depends.dependency, SecurityBase):
-                use_scopes: List[str] = []
-                if isinstance(
-                    param_details.depends.dependency, (OAuth2, OpenIdConnect)
-                ):
-                    use_scopes = use_security_scopes
-                security_requirement = SecurityRequirement(
-                    security_scheme=param_details.depends.dependency, scopes=use_scopes
-                )
-                sub_dependant.security_requirements.append(security_requirement)
            dependant.dependencies.append(sub_dependant)
            continue
        if add_non_field_param_to_dependency(
--- a/tests/test_top_level_security_scheme_in_openapi.py
+++ b/tests/test_top_level_security_scheme_in_openapi.py
@@ -0,0 +1,60 @@
+# Test security scheme at the top level, including OpenAPI
+# Ref: https://github.com/fastapi/fastapi/discussions/14263
+# Ref: https://github.com/fastapi/fastapi/issues/14271
+from fastapi import Depends, FastAPI
+from fastapi.security import HTTPBearer
+from fastapi.testclient import TestClient
+from inline_snapshot import snapshot
+
+app = FastAPI()
+
+bearer_scheme = HTTPBearer()
+
+
+@app.get("/", dependencies=[Depends(bearer_scheme)])
+async def get_root():
+    return {"message": "Hello, World!"}
+
+
+client = TestClient(app)
+
+
+def test_get_root():
+    response = client.get("/", headers={"Authorization": "Bearer token"})
+    assert response.status_code == 200, response.text
+    assert response.json() == {"message": "Hello, World!"}
+
+
+def test_get_root_no_token():
+    response = client.get("/")
+    assert response.status_code == 403, response.text
+    assert response.json() == {"detail": "Not authenticated"}
+
+
+def test_openapi_schema():
+    response = client.get("/openapi.json")
+    assert response.status_code == 200, response.text
+    assert response.json() == snapshot(
+        {
+            "openapi": "3.1.0",
+            "info": {"title": "FastAPI", "version": "0.1.0"},
+            "paths": {
+                "/": {
+                    "get": {
+                        "summary": "Get Root",
+                        "operationId": "get_root__get",
+                        "responses": {
+                            "200": {
+                                "description": "Successful Response",
+                                "content": {"application/json": {"schema": {}}},
+                            }
+                        },
+                        "security": [{"HTTPBearer": []}],
+                    }
+                }
+            },
+            "components": {
+                "securitySchemes": {"HTTPBearer": {"type": "http", "scheme": "bearer"}}
+            },
+        }
+    )
Author	SHA1	Message	Date
Sebastián Ramírez	fad35ef43f	🔖 Release version 0.120.4	2025-10-31 19:35:33 +01:00
github-actions[bot]	4d57c13055	📝 Update release notes [skip ci]	2025-10-31 18:35:03 +00:00
Motov Yurii	496de1816a	🐛 Fix security schemes in OpenAPI when added at the top level app (#14266 ) Co-authored-by: Sebastián Ramírez <tiangolo@gmail.com>	2025-10-31 19:34:30 +01:00