feat(server): allow standard FastAPI Security in routes

[ianchi]

Description

Current FastAPI app does not allow to use standard FastAPI Security mechanism to authenticate distinct routes. You could add as middleware but it would apply to all routes, even the agent card.
Add a dependency parameter, to allow to pass dependency that will only be added to main endpoint and the extended agent card, but not the general one.

Thank you for opening a Pull Request!
Before submitting your PR, there are a few things you can do to make sure it goes smoothly:

• Follow the CONTRIBUTING Guide.
• Make your Pull Request title in the https://www.conventionalcommits.org/ specification.
  • Important Prefixes for release-please:
    • fix: which represents bug fixes, and correlates to a SemVer patch.
    • feat: represents a new feature, and correlates to a SemVer minor.
    • feat!:, or fix!:, refactor!:, etc., which represent a breaking change (indicated by the !) and will result in a SemVer major.
• Ensure the tests and linter pass (Run bash scripts/format.sh from the repository root to format)
• Appropriate docs were updated (if necessary)

Fixes #<issue_number_goes_here> 🦕

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly improves the flexibility of security configurations within the FastAPI application. By introducing a dedicated dependencies parameter, it allows developers to apply FastAPI's standard security features to individual routes, such as the RPC endpoint and the authenticated extended agent card, without affecting public-facing endpoints. This change moves away from a global middleware approach, offering more precise control over authentication and authorization for different API paths.

Highlights

• Enhanced FastAPI Security: Introduced a new dependencies parameter to the add_routes_to_app and build methods, allowing for the application of standard FastAPI security mechanisms to specific routes.
• Granular Route Protection: Enabled the application of security dependencies specifically to the A2A JSON-RPC endpoint and the authenticated extended agent card endpoint, providing more granular control over API access.
• Unprotected Public Endpoint: Ensured that the public agent card endpoint remains unprotected, maintaining its accessibility while securing other sensitive routes.

Changelog

• src/a2a/server/apps/jsonrpc/fastapi_app.py
  • Imported Sequence for type hinting.
  • Added a dependencies parameter to the add_routes_to_app and build methods.
  • Modified add_routes_to_app to conditionally apply the provided dependencies to the RPC endpoint and the authenticated extended agent card endpoint.
  • Updated the docstrings for add_routes_to_app and build to describe the new dependencies parameter and its usage.

Activity

• No specific activity (comments, reviews, progress) has been recorded for this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a valuable feature by allowing FastAPI dependencies to be passed to secure specific routes, specifically applying them to the RPC and extended agent card endpoints. The implementation is clean, and a thorough security audit confirmed that this addition is a security improvement for authentication and authorization, introducing no new vulnerabilities. I have a couple of minor suggestions to improve type hinting for the new dependencies parameter and to enhance consistency in the documentation examples.

[ianchi]

updated with suggestions