Authentication with FastAPI
For our project we need the following packages:
The FastAPI framework provides many security tools for implementing authentication and authorization flows, but in this article we will do it the regular way.
Let's construct the User model first:
We also provide a schema with the necessary fields using the pydantic package:
The POST API "/signup" is shown below:
I would like to create a UserService class to take the business logic out of the API function:
The utils file contains the functions for password hashing:
The generate_password_hash function is applied before the plain password is saved in the database. It generates a password hash; hashing is a one-way process that secures a plain-text password by turning it into a fixed-size bit string called a hash.
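As an added example (not the article's utils file or the linked project's code), here is what such a utils module can look like with only the standard library: PBKDF2-HMAC-SHA256 with a random per-user salt, a self-describing storage format, and a constant-time comparison for verification. The iteration count, salt size and the `pbkdf2_sha256$…` encoding are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not the article's utils file: PBKDF2-HMAC-SHA256 with a random per-user salt.
# The iteration count and the storage format below are assumptions, not the article's choices.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def generate_password_hash(password: str, salt: Optional[bytes] = None,
                           iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' for storage in the users table.

    The derivation is one-way: the stored string lets us re-check a password later, but the
    plain text cannot be recovered from it.
    """
    if salt is None:
        # Fresh random salt per password, so two users with the same password get different hashes.
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, stored_hash: str) -> bool:
    """Re-derive with the salt and iteration count stored next to the hash; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = stored_hash.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # not one of our hashes: wrong field count, bad hex or bad integer
    if algorithm != ALGORITHM or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # compare_digest does not short-circuit on the first differing byte
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    stored = generate_password_hash("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))
    print(verify_password("wrong password", stored))
```

The stored string carries its own algorithm, iteration count and salt, so the iteration count can be raised later for new passwords while old hashes still verify.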
Let's test the sign-up with a request:
So we got a response body with the hashed password that has been saved in the database table.
To exclude the password field from the response body we use the exclude option in the Field decorator:
The result without the password field:
The login API:
In this API function we check whether the user exists; if so, we raise an exception that the user already exists. If not, we verify the plain password against the hashed password stored in the database, and then we create both tokens: one is the access token and the other is the refresh token. We will discuss these tokens in a moment.
We also use some helper functions to encode and decode the token:
Let's test the functionality:
So we got a response with the access and refresh tokens in it, plus the id of the corresponding user and a success message.
Discussion about tokens
When we pass a request to the login endpoint from the frontend we get an access token and a refresh token.
The frontend saves the tokens on its side.
With each subsequent request it sends the token(s) in a request header or cookie.
If the access token has expired, a request for a refresh token (api/refreshToken) is sent to the backend. If the refresh token is still valid, new access and refresh tokens are generated; but if the refresh token has also expired, the request is rejected and the user has to authenticate again.
The main problem is how to pass the tokens between the frontend and the backend safely.
HEADER??? COOKIES??? BODY???
One of the popular ways is to pass the access token in the request header. The Authorization header is part of the HTTP request headers used in client-server communication. Its primary function is to authenticate a user agent with a server, typically by carrying credentials in the form of a token or a set of credentials such as a username and password. This header is fundamental in implementing security measures for web applications and APIs.
The Authorization header follows a specific structure:
Authorization: <type> <credentials>
In this example I tried to show how we can get the request header named "access_token" sent by the frontend, validate the token, and then fetch the existing user from the database.
Let's test it:
Cookies:
We added the refresh token to the cookies in the response with the set_cookie method and additional properties.
In the same way as we did with the header option, we can verify the refresh token, get the payload from the token and then find the user in the database.
The code is available on GitHub: Auth project: cookies and headers
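As an added example that is not the article's helper code or the linked project, the block below puts the pieces discussed above into one runnable module: the encode/decode helpers, the access/refresh pair created at login, the api/refreshToken step, the `Authorization: <type> <credentials>` header check, and the refresh-token-from-cookie check. It builds a compact HS256 JWT from the standard library so it runs offline; the secret key, the token lifetimes, the `Bearer` scheme (the article reads a custom `access_token` header instead) and the `refresh_token` cookie name are all assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Added example, not the article's helpers: a minimal HS256 JWT built from the standard
# library so it runs offline. Secret and lifetimes are assumptions; in a real service load
# the key from configuration and prefer a maintained library such as PyJWT.
SECRET_KEY = b"example-secret-change-me"
ACCESS_TTL = 15 * 60            # access token lives 15 minutes (assumed)
REFRESH_TTL = 7 * 24 * 3600     # refresh token lives 7 days (assumed)


class TokenError(Exception):
    """Raised for any token problem; the API layer maps it to HTTP 401."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_token(user_id: int, token_type: str, ttl: int, now: Optional[int] = None) -> str:
    """Build header.payload.signature; the 'type' claim stops a refresh token being used as an access token."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": str(user_id), "type": token_type, "iat": now, "exp": now + ttl}
    signing_input = ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, payload))
    signature = hmac.new(SECRET_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def decode_token(token: str, expected_type: str, now: Optional[int] = None) -> dict:
    """Verify the signature before trusting any claim, then check expiry and token type."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        signature = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count or bad base64 (binascii.Error is a ValueError)
        raise TokenError("malformed token")
    expected = hmac.new(SECRET_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("invalid signature")
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        raise TokenError("malformed token")
    if header.get("alg") != "HS256":
        raise TokenError("unexpected algorithm")
    now = int(time.time()) if now is None else now
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        raise TokenError("token expired")
    if payload.get("type") != expected_type:
        raise TokenError("wrong token type")
    return payload


def create_token_pair(user_id: int, now: Optional[int] = None) -> dict:
    """What the login API returns once the password has been verified."""
    return {"access_token": encode_token(user_id, "access", ACCESS_TTL, now),
            "refresh_token": encode_token(user_id, "refresh", REFRESH_TTL, now)}


def refresh_tokens(refresh_token: str, now: Optional[int] = None) -> dict:
    """The api/refreshToken step: a still-valid refresh token yields a new pair, an expired one is rejected."""
    payload = decode_token(refresh_token, "refresh", now)
    return create_token_pair(int(payload["sub"]), now)


def user_id_from_authorization_header(header_value: Optional[str], now: Optional[int] = None) -> int:
    """Parse 'Authorization: <type> <credentials>' with type Bearer and validate the access token."""
    if not header_value:
        raise TokenError("missing Authorization header")
    scheme, _, credentials = header_value.partition(" ")
    if scheme != "Bearer" or not credentials.strip():
        raise TokenError("expected 'Bearer <token>'")
    return int(decode_token(credentials.strip(), "access", now)["sub"])


def user_id_from_refresh_cookie(cookies: dict, now: Optional[int] = None) -> int:
    """The cookie path: read the refresh token set earlier with set_cookie and validate it as a refresh token."""
    token = cookies.get("refresh_token")  # cookie name is an assumption of this example
    if not token:
        raise TokenError("missing refresh_token cookie")
    return int(decode_token(token, "refresh", now)["sub"])
```

In a FastAPI route these functions sit behind a dependency that turns `TokenError` into a 401 response and then loads the user by the returned id. The `type` claim is what keeps the two paths apart: a refresh token presented in the Authorization header fails the `expected_type` check even though its signature is valid. When the refresh token is written with `set_cookie`, the `httponly`, `secure` and `samesite` properties are the ones worth setting so that scripts cannot read it and it is only sent over HTTPS.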