From 35f78211830dc510d09b6072b0bb9a4c3943949b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?dni=20=E2=9A=A1?= <office@dnilabs.com>
Date: Thu, 27 Mar 2025 10:14:42 +0100
Subject: [PATCH] fix: make swagger understand the access token `HTTPBearer`
 (#3068)

---
 lnbits/decorators.py | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/lnbits/decorators.py b/lnbits/decorators.py
index 4a36ac5a..a3bbea8f 100644
--- a/lnbits/decorators.py
+++ b/lnbits/decorators.py
@@ -5,7 +5,7 @@ import jwt
 from fastapi import Cookie, Depends, Query, Request, Security
 from fastapi.exceptions import HTTPException
 from fastapi.openapi.models import APIKey, APIKeyIn, SecuritySchemeType
-from fastapi.security import APIKeyHeader, APIKeyQuery, OAuth2PasswordBearer
+from fastapi.security import APIKeyHeader, APIKeyQuery, HTTPBearer, OAuth2PasswordBearer
 from fastapi.security.base import SecurityBase
 from loguru import logger
 from pydantic.types import UUID4
@@ -31,8 +31,15 @@ from lnbits.db import Connection, Filter, Filters, TFilterModel
 from lnbits.helpers import path_segments
 from lnbits.settings import AuthMethods, settings
 
-oauth2_scheme = OAuth2PasswordBearer(tokenUrl="api/v1/auth", auto_error=False)
-
+oauth2_scheme = OAuth2PasswordBearer(
+    tokenUrl="api/v1/auth",
+    auto_error=False,
+    description="OAuth2 access token for authentication with username and password.",
+)
+http_bearer = HTTPBearer(
+    auto_error=False,
+    description="Bearer Token for custom ACL based access control",
+)
 api_key_header = APIKeyHeader(
     name="X-API-KEY",
     auto_error=False,
@@ -132,8 +139,9 @@ async def require_invoice_key(
 async def check_access_token(
     header_access_token: Annotated[Union[str, None], Depends(oauth2_scheme)],
     cookie_access_token: Annotated[Union[str, None], Cookie()] = None,
+    bearer_access_token: Annotated[Union[str, None], Depends(http_bearer)] = None,
 ) -> Optional[str]:
-    return header_access_token or cookie_access_token
+    return header_access_token or cookie_access_token or bearer_access_token
 
 
 async def check_user_exists(