|
| 1 | +# FastAPI Day 11: Production-Ready Auth with JWT |
| 2 | + |
| 3 | +Welcome to **Day 11** of the FastAPI tutorial series! Today, we're building a production-ready authentication system using JSON Web Tokens (JWT). You'll learn how to structure a FastAPI application with a clean separation of concerns, manage configurations, and implement secure password handling and token-based authentication. |
| 4 | + |
| 5 | +--- |
| 6 | + |
| 7 | +## What You'll Learn |
| 8 | + |
| 9 | +- **Project Structure**: Organize your code into a scalable and maintainable structure with `src`, `core`, `database`, `models`, `routers`, `schemas`, and `services`. |
| 10 | +- **Configuration Management**: Use `pydantic-settings` to manage application settings from environment variables. |
| 11 | +- **Database Integration**: Connect to a database using SQLAlchemy and create tables based on your models. |
| 12 | +- **Password Hashing**: Securely hash and verify passwords with `passlib`. |
| 13 | +- **JWT Authentication**: Implement access and refresh tokens for secure authentication. |
| 14 | +- **Dependency Injection**: Use FastAPI's dependency injection system to manage database sessions and user authentication. |
| 15 | +- **Testing**: Write comprehensive tests for your authentication system using `pytest`. |
| 16 | + |
| 17 | +--- |
| 18 | + |
| 19 | +## Key Concepts |
| 20 | + |
| 21 | +For this tutorial, we've structured the application to be more modular and scalable. |
| 22 | + |
| 23 | +- `src/main.py`: The application's entry point. It initializes the FastAPI app and includes the routers. |
| 24 | +- `src/core/config.py`: Defines the application's configuration using `pydantic-settings`. |
| 25 | +- `src/core/security.py`: Contains all the logic for password hashing and JWT creation and verification. |
| 26 | +- `src/database/connection.py`: Manages the database connection and session. |
| 27 | +- `src/database/crud.py`: Contains functions for creating, reading, and updating data in the database. |
| 28 | +- `src/models/user.py`: Defines the SQLAlchemy user model. |
| 29 | +- `src/routers/auth.py`: Defines the authentication-related endpoints (`/register`, `/login`, `/refresh`). |
| 30 | +- `src/routers/users.py`: Defines user-related endpoints (`/me`). |
| 31 | +- `src/routers/dependencies.py`: Defines dependencies for getting the current authenticated user. |
| 32 | +- `src/schemas/user.py`: Defines the Pydantic models for user-related data. |
| 33 | +- `src/schemas/token.py`: Defines the Pydantic models for token-related data. |
| 34 | +- `src/services/auth_service.py`: Contains the business logic for authentication. |
| 35 | +- `src/services/user_service.py`: Contains the business logic for user-related operations. |
| 36 | +- `tests/`: Contains all the tests for the application. |
| 37 | + |
| 38 | +### 1. Configuration with `pydantic-settings` |
| 39 | + |
| 40 | +We use `pydantic-settings` to manage our application's configuration. This allows us to define our settings in a Pydantic model and automatically load them from environment variables or a `.env` file. |
| 41 | + |
| 42 | +```python-beginner/workspace/7_framework/fastapi/day11/src/core/config.py#L1-L18 |
| 43 | +from pydantic_settings import BaseSettings |
| 44 | +
|
| 45 | +class Settings(BaseSettings): |
| 46 | + # JWT Settings |
| 47 | + SECRET_KEY: str = "your-secret-key-change-in-production" |
| 48 | + ALGORITHM: str = "HS256" |
| 49 | + ACCESS_TOKEN_EXPIRE_MINUTES: int = 30 |
| 50 | + REFRESH_TOKEN_EXPIRE_DAYS: int = 7 |
| 51 | +
|
| 52 | + # Database |
| 53 | + DATABASE_URL: str = "sqlite:///./app.db" |
| 54 | +
|
| 55 | + # API Settings |
| 56 | + API_V1_STR: str = "/api/v1" |
| 57 | + PROJECT_NAME: str = "FastAPI Auth Tutorial" |
| 58 | +
|
| 59 | + class Config: |
| 60 | + env_file = ".env" |
| 61 | +
|
| 62 | +settings = Settings() |
| 63 | +``` |
| 64 | + |
| 65 | +### 2. Password Hashing and JWTs with `passlib` and `python-jose` |
| 66 | + |
| 67 | +We use `passlib` to hash passwords and `python-jose` to create and verify JWTs. |
| 68 | + |
| 69 | +- **Password Hashing**: We use `passlib`'s `CryptContext` to hash and verify passwords securely. |
| 70 | + |
| 71 | + ```python-beginner/workspace/7_framework/fastapi/day11/src/core/security.py#L6-L7 |
| 72 | + # Password hashing |
| 73 | + pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto") |
| 74 | + ``` |
| 75 | +
|
| 76 | +- **JWT Creation**: We have functions to create both access and refresh tokens, which encapsulate user identity and expiration data. |
| 77 | +
|
| 78 | + ```python-beginner/workspace/7_framework/fastapi/day11/src/core/security.py#L9-L22 |
| 79 | + def create_access_token(subject: Union[str, Any], expires_delta: Optional[timedelta] = None) -> str: |
| 80 | + """Create JWT access token""" |
| 81 | + if expires_delta: |
| 82 | + expire = datetime.now() + expires_delta |
| 83 | + else: |
| 84 | + expire = datetime.now() + timedelta(minutes=settings.ACCESS_TOKEN_EXPIRE_MINUTES) |
| 85 | + |
| 86 | + to_encode = {"exp": expire, "sub": str(subject), "type": "access"} |
| 87 | + encoded_jwt = jwt.encode(to_encode, settings.SECRET_KEY, algorithm=settings.ALGORITHM) |
| 88 | + return encoded_jwt |
| 89 | + ``` |
| 90 | +
|
| 91 | +### 3. Dependency Injection for Security |
| 92 | +
|
| 93 | +We use FastAPI's powerful dependency injection system to protect endpoints and retrieve the current authenticated user. This keeps the authentication logic clean and reusable. |
| 94 | +
|
| 95 | +```python-beginner/workspace/7_framework/fastapi/day11/src/routers/dependencies.py#L8-L34 |
| 96 | +async def get_current_user( |
| 97 | + credentials: HTTPAuthorizationCredentials = Depends(security), |
| 98 | + db: Session = Depends(get_db) |
| 99 | +) -> User: |
| 100 | + """Get current authenticated user""" |
| 101 | + credentials_exception = HTTPException( |
| 102 | + status_code=status.HTTP_401_UNAUTHORIZED, |
| 103 | + detail="Could not validate credentials", |
| 104 | + headers={"WWW-Authenticate": "Bearer"}, |
| 105 | + ) |
| 106 | +
|
| 107 | + if not credentials: |
| 108 | + raise credentials_exception |
| 109 | +
|
| 110 | + user_id = verify_token(credentials.credentials) |
| 111 | + if user_id is None: |
| 112 | + raise credentials_exception |
| 113 | +
|
| 114 | + user = get_user_by_id(db, int(user_id)) |
| 115 | + if user is None: |
| 116 | + raise credentials_exception |
| 117 | +
|
| 118 | + if not user.is_active: |
| 119 | + raise HTTPException( |
| 120 | + status_code=status.HTTP_400_BAD_REQUEST, |
| 121 | + detail="Inactive user" |
| 122 | + ) |
| 123 | +
|
| 124 | + return user |
| 125 | +``` |
| 126 | + |
| 127 | +--- |
| 128 | + |
| 129 | +## Next Steps |
| 130 | + |
| 131 | +- Install the dependencies: `pip install -r requirements.txt`. |
| 132 | +- Create a `.env` file from the `.env.example` and set your `SECRET_KEY`. |
| 133 | +- Run the application with `uvicorn src.main:app --reload`. |
| 134 | +- Use an API client like `curl` or Postman to test the endpoints: |
| 135 | + - `POST /api/v1/auth/register` to create a new user. |
| 136 | + - `POST /api/v1/auth/login` to get an access and refresh token. |
| 137 | + - `GET /api/v1/users/me` with the access token in the `Authorization` header to get your user profile. |
| 138 | + - `POST /api/v1/auth/refresh` with the refresh token to get a new set of tokens. |
| 139 | +- Run the automated tests with `python -m pytest`. |
| 140 | + |
| 141 | +--- |
0 commit comments