day #48 fastapi #6 dependencies & dependency injection

Author: stackjay

workspace/7_framework/fastapi/README.md

@@ -85,6 +85,10 @@ uvicorn main:app --reload
   Learn how to use and return appropriate HTTP status codes, create custom exception classes, handle validation and business logic errors, and implement global exception handlers for consistent error responses.
   _Includes: custom error classes, exception handlers, validation and business logic error handling, logging, and test coverage._
 
+- [Day 06: Dependencies and Dependency Injection](day06/README.md)
+  Learn how to use FastAPI's powerful dependency injection system to manage dependencies, handle security, and create reusable components.
+  _Includes: function and class-based dependencies, authentication, authorization, sub-dependencies, and dependency caching._
+
 ---
 
 ## Recommended Project Structure

workspace/7_framework/fastapi/day06/README.md

@@ -0,0 +1,147 @@
+# FastAPI Day 06: Dependencies and Dependency Injection
+
+Welcome to **Day 06** of the FastAPI tutorial! Today you'll learn how to leverage FastAPI's powerful dependency injection system to write cleaner, more modular, and maintainable code.
+
+---
+
+## What You'll Learn
+
+- Understand the core principles of dependency injection in FastAPI.
+- Create simple, reusable function-based and class-based dependencies.
+- Implement robust authentication and authorization using dependencies.
+- Manage complex dependency chains with sub-dependencies.
+- Understand and utilize dependency caching for better performance.
+- Write effective tests for endpoints that rely on dependencies.
+
+---
+
+## Key Concepts
+
+### 1. Dependency Injection System
+
+**Dependency Injection (DI)** is a design pattern where a component's dependencies (i.e., services or objects it needs to function) are "injected" from an external source rather than created internally. In FastAPI, this is managed by the `Depends` function.
+
+This system allows you to:
+-   **Share Logic**: Reuse the same code across multiple endpoints.
+-   **Share Database Connections**: Manage the lifecycle of database connections.
+-   **Enforce Security**: Implement authentication, authorization, and role-based access control.
+-   **Improve Testability**: Easily mock or override dependencies during testing.
+
+### 2. Creating Dependencies
+
+Any function or class that returns a value can be a dependency. You simply define it and then pass it to `Depends` in your path operation function.
+
+**Function-based Dependency:** A simple Python function can serve as a dependency. This is useful for self-contained logic like managing a database session.
+
+Example dependency:
+```python
+# from dependencies.py
+
+class DatabaseConnection:
+    def __init__(self):
+        self.connection_id = f"conn_{datetime.now().timestamp()}"
+
+def get_database():
+    db = DatabaseConnection()
+    try:
+        yield db  # Provide the connection
+    finally:
+        # Code here runs after the request is finished
+        print(f"Closing DB connection {db.connection_id}")
+```
+
+**Class-based Dependency:** A class can be used to group related request parameters. FastAPI will treat the class itself as a dependency and instantiate it with parameters from the request.
+
+Example dependency for query parameters:
+```python
+# from dependencies.py
+
+class CommonQueryParams:
+    def __init__(
+        self,
+        q: Optional[str] = Query(None),
+        include_inactive: bool = Query(False)
+    ):
+        self.q = q
+        self.include_inactive = include_inactive
+```
+
+### 3. Authentication with Dependencies
+
+A common and powerful use case for dependencies is handling security. You can create a dependency that verifies a token and returns the current user.
+
+Example `get_current_user` dependency:
+```python
+# from dependencies.py
+
+def get_current_user(username: str = Depends(verify_token)) -> User:
+    user_data = users_db.get(username)
+    if user_data is None or not user_data["is_active"]:
+        raise HTTPException(status_code=401, detail="Could not validate credentials")
+    return User(**user_data)
+```
+
+You can then protect an endpoint by adding this dependency:
+```python
+# from main.py
+
+@app.get("/users/me")
+def read_users_me(current_user: User = Depends(get_current_user)):
+    return current_user
+```
+If the token is invalid or the user doesn't exist, the request will be stopped with a `401 Unauthorized` error before your endpoint code is even executed.
+
+### 4. Sub-dependencies and Authorization
+
+Dependencies can depend on other dependencies. FastAPI automatically handles resolving this chain. This is useful for building layers of functionality, like adding authorization on top of authentication.
+
+For example, `get_admin_user` first ensures the user is authenticated by depending on `get_current_user`, and then it performs an additional check to ensure the user has the "admin" role.
+
+Example admin check:
+```python
+# from dependencies.py
+
+def get_admin_user(current_user: User = Depends(get_current_user)) -> User:
+    if "admin" not in current_user.roles:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Not enough permissions"
+        )
+    return current_user
+```
+
+### 5. Dependency Caching
+
+Within a single request, FastAPI caches the return value of a dependency. If multiple parts of your code (e.g., your endpoint and another dependency) depend on the same dependency with the same parameters, FastAPI will only call it once and reuse the result.
+
+This is crucial for performance, especially for expensive operations or database connections.
+
+Example of a cached dependency:
+```python
+# from main.py
+
+# This function will only run once per request, even if multiple
+# endpoints or other dependencies require it.
+def expensive_operation():
+    time.sleep(0.1)  # Simulate delay
+    return {"computed_value": "expensive_result"}
+
+@app.get("/expensive")
+def get_expensive_data(result=Depends(expensive_operation)):
+    return {"expensive_data": result}
+```
+
+---
+
+## Next Steps
+
+- Explore `dependencies.py` to see how various dependencies are defined and structured.
+- Examine `main.py` and trace how dependencies like `get_current_user` and `get_admin_user` are used to protect different endpoints.
+- Run the application and use the interactive API docs at `/api/docs` to test the authenticated endpoints. Try getting a token and using it as a bearer token.
+- Review `tests/test_main.py` to understand how to test endpoints that have dependencies.
+
+---
+
+**Tip:** FastAPI’s automatic docs are available at `/api/docs` when you run your app. They will automatically include fields for authentication when you use security dependencies!
+
+---

workspace/7_framework/fastapi/day06/pytest.ini

@@ -0,0 +1,3 @@
+[pytest]
+asyncio_default_fixture_loop_scope = function
+pythonpath = . src

workspace/7_framework/fastapi/day06/requirements.txt

@@ -0,0 +1,10 @@
+fastapi>=0.115.0
+pydantic>=1.10.0
+pyjwt>=2.4.0
+uvicorn>=0.30.0
+python-multipart>=0.0.20
+pytest>=7.0.0
+pytest-asyncio>=0.20.0
+pytest-cov>=4.0.0
+httpx>=0.24.0
+flake8>=5.0.0

workspace/7_framework/fastapi/day06/src/dependencies.py

@@ -0,0 +1,216 @@
+"""
+Dependencies for FastAPI application
+
+How it works:
+    *Declare dependencies*
+    - Define regular functions, these functions can take parameters, including other dependencies
+
+    *Inject dependencies*
+    - Inject dependencies into routes using the `Depends` function (decorated with `@` like @app.get, @app.post)
+
+Benefits:
+    - Improved Code Organization: Separates concerns by allowing you to extract shared logic into reusable dependency functions.
+    - Enhanced Testability: Dependencies can be easily mocked or replaced during testing.
+    - Reusability: Dependencies can be used across multiple routes and endpoints.
+    - Reduced duplication of code: Dependencies can be used across multiple routes and endpoints.
+    - Better maintainability: Centralizes dependency creation and management, simplifying updates and changes.
+    - Automatic Handling: Dependencies can be automatically handled by FastAPI, such as dependency injection and error handling.
+
+"""
+from fastapi import Depends, HTTPException, status, Header, Query
+from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
+from typing import Optional, List
+import jwt
+from datetime import datetime, timedelta
+import hashlib
+
+# Security
+security = HTTPBearer()
+
+# Mock user database
+users_db = {
+    "admin": {
+        "id": 1,
+        "username": "admin",
+        "email": "admin@example.com",
+        "hashed_password": hashlib.sha256("admin123".encode()).hexdigest(),
+        "roles": ["admin", "user"],
+        "is_active": True
+    },
+    "user": {
+        "id": 2,
+        "username": "jay",
+        "email": "jay@example.com",
+        "hashed_password": hashlib.sha256("user123".encode()).hexdigest(),
+        "roles": ["user"],
+        "is_active": True
+    }
+}
+
+SECRET_KEY = "python-secret-key" # In real application, this should be a secret key stored securely
+ALGORITHM = "HS256"
+
+class User:
+    def __init__(self, id: int, username: str, email: str, roles: List[str], is_active: bool):
+        self.id = id
+        self.username = username
+        self.email = email
+        self.roles = roles
+        self.is_active = is_active
+
+# Database dependency
+class DatabaseConnection:
+    def __init__(self):
+        self.connected = True # Mocked for demonstration purposes, this should be replaced with actual database connection logic
+        self.connection_id = f"conn_{datetime.now().timestamp()}"
+
+    def close(self):
+        self.connected = False
+
+def get_database():
+    db = DatabaseConnection()
+    try:
+        yield db
+    finally:
+        db.close()
+
+# Authentication dependencies
+def create_access_token(data: dict, expires_delta: Optional[timedelta] = None):
+    to_encode = data.copy()
+    if expires_delta:
+        expire = datetime.now() + expires_delta
+    else:
+        expire = datetime.now() + timedelta(minutes=15)
+    to_encode.update({"exp": expire})
+    encoded_jwt = jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)
+    return encoded_jwt
+
+def verify_token(credentials: HTTPAuthorizationCredentials = Depends(security)):
+    try:
+        payload = jwt.decode(credentials.credentials, SECRET_KEY, algorithms=[ALGORITHM])
+        username: str = payload.get("sub")
+        print(f"Token decoded: username={username}, payload={payload}")  # Debug output
+        if username is None:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Could not validate credentials",
+                headers={"WWW-Authenticate": "Bearer"},
+            )
+        return username
+    except jwt.PyJWTError as e:
+        print(f"Token validation failed: {str(e)}")  # Debug output
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Could not validate credentials",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+
+"""
+In this get_current_user, verify_token is the dependency that verifies the token and returns the username.
+"""
+def get_current_user(username: str = Depends(verify_token)) -> User:
+    user_data = users_db.get(username)
+    if user_data is None:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="User not found"
+        )
+    if not user_data["is_active"]:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Inactive user"
+        )
+    user_data_without_password = {
+        "id": user_data["id"],
+        "username": user_data["username"],
+        "email": user_data["email"],
+        "roles": user_data["roles"],
+        "is_active": user_data["is_active"]
+    }
+    return User(**user_data_without_password)
+
+def get_admin_user(current_user: User = Depends(get_current_user)) -> User:
+    if "admin" not in current_user.roles:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Not enough permissions"
+        )
+    return current_user
+
+# Pagination dependency
+class PaginationParams:
+    def __init__(
+        self,
+        skip: int = Query(0, ge=0, description="Number of records to skip"),
+        limit: int = Query(10, ge=1, le=100, description="Number of records to return")
+    ):
+        self.skip = skip
+        self.limit = limit
+
+# Sorting dependency
+class SortingParams:
+    def __init__(
+        self,
+        sort_by: str = Query("id", description="Field to sort by"),
+        sort_order: str = Query("asc", patterns="^(asc|desc)$", description="Sort order")
+    ):
+        self.sort_by = sort_by
+        self.sort_order = sort_order
+
+# Rate limiting dependency
+class RateLimiter:
+    def __init__(self):
+        self.requests = {}
+
+    def is_allowed(self, client_ip: str, limit: int = 100, window: int = 3600) -> bool:
+        now = datetime.now()
+        if client_ip not in self.requests:
+            self.requests[client_ip] = []
+
+        # Clean old requests
+        self.requests[client_ip] = [
+            req_time for req_time in self.requests[client_ip]
+            if (now - req_time).seconds < window
+        ]
+
+        if len(self.requests[client_ip]) >= limit:
+            return False
+
+        self.requests[client_ip].append(now)
+        return True
+
+rate_limiter = RateLimiter()
+
+def check_rate_limit(
+    x_forwarded_for: Optional[str] = Header(None),
+    x_real_ip: Optional[str] = Header(None)
+):
+    client_ip = x_forwarded_for or x_real_ip or "127.0.0.1"
+    if not rate_limiter.is_allowed(client_ip):
+        raise HTTPException(
+            status_code=status.HTTP_429_TOO_MANY_REQUESTS,
+            detail="Rate limit exceeded"
+        )
+    return client_ip
+
+# Validation dependencies
+def validate_positive_int(value: int) -> int:
+    if value <= 0:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Value must be positive"
+        )
+    return value
+
+def get_item_id(item_id: int) -> int:
+    return validate_positive_int(item_id)
+
+# Common query parameters
+class CommonQueryParams:
+    def __init__(
+        self,
+        q: Optional[str] = Query(None, min_length=1, max_length=50, description="Search query"),
+        include_inactive: bool = Query(False, description="Include inactive items")
+    ):
+        self.q = q
+        self.include_inactive = include_inactive