Authentication & Security
OAuth2 with Password Flow
Basic OAuth2 Setup
from fastapi import FastAPI, Depends, HTTPException, status
from fastapi.security import OAuth2PasswordBearer, OAuth2PasswordRequestForm
from pydantic import BaseModel
from typing import Optional
app = FastAPI()
oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token")
class User(BaseModel):
username: str
email: Optional[str] = None
full_name: Optional[str] = None
disabled: Optional[bool] = None
class UserInDB(User):
hashed_password: str
def get_user(db, username: str):
if username in db:
user_dict = db[username]
return UserInDB(**user_dict)
async def get_current_user(token: str = Depends(oauth2_scheme)):
user = get_user(fake_users_db, token)
if not user:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Invalid authentication credentials",
headers={"WWW-Authenticate": "Bearer"},
)
return user
JWT Token Authentication
from datetime import datetime, timedelta
from jose import JWTError, jwt
from passlib.context import CryptContext
SECRET_KEY = "your-secret-key"
ALGORITHM = "HS256"
ACCESS_TOKEN_EXPIRE_MINUTES = 30
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
class Token(BaseModel):
access_token: str
token_type: str
def verify_password(plain_password, hashed_password):
return pwd_context.verify(plain_password, hashed_password)
def get_password_hash(password):
return pwd_context.hash(password)
def create_access_token(data: dict, expires_delta: Optional[timedelta] = None):
to_encode = data.copy()
if expires_delta:
expire = datetime.utcnow() + expires_delta
else:
expire = datetime.utcnow() + timedelta(minutes=15)
to_encode.update({"exp": expire})
encoded_jwt = jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)
return encoded_jwt
async def get_current_user(token: str = Depends(oauth2_scheme)):
credentials_exception = HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Could not validate credentials",
headers={"WWW-Authenticate": "Bearer"},
)
try:
payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
username: str = payload.get("sub")
if username is None:
raise credentials_exception
except JWTError:
raise credentials_exception
user = get_user(fake_users_db, username=username)
if user is None:
raise credentials_exception
return user
@app.post("/token", response_model=Token)
async def login_for_access_token(form_data: OAuth2PasswordRequestForm = Depends()):
user = authenticate_user(fake_users_db, form_data.username, form_data.password)
if not user:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Incorrect username or password",
headers={"WWW-Authenticate": "Bearer"},
)
access_token_expires = timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES)
access_token = create_access_token(
data={"sub": user.username}, expires_delta=access_token_expires
)
return {"access_token": access_token, "token_type": "bearer"}
Protected Routes
@app.get("/users/me", response_model=User)
async def read_users_me(current_user: User = Depends(get_current_user)):
return current_user
@app.get("/users/me/items/")
async def read_own_items(current_user: User = Depends(get_current_user)):
return [{"item_id": "Foo", "owner": current_user.username}]
API Key Authentication
API Key in Header
from fastapi import HTTPException, Depends
from fastapi.security import APIKeyHeader
API_KEY = "your-api-key"
API_KEY_NAME = "X-API-Key"
api_key_header = APIKeyHeader(name=API_KEY_NAME, auto_error=False)
async def get_api_key(api_key: str = Depends(api_key_header)):
if api_key != API_KEY:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Invalid API Key"
)
return api_key
@app.get("/protected")
async def protected_route(api_key: str = Depends(get_api_key)):
return {"message": "This is a protected route"}
API Key in Query Parameter
from fastapi.security import APIKeyQuery
api_key_query = APIKeyQuery(name="api_key", auto_error=False)
async def get_api_key(api_key: str = Depends(api_key_query)):
if api_key != API_KEY:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Invalid API Key"
)
return api_key
API Key in Cookie
from fastapi.security import APIKeyCookie
api_key_cookie = APIKeyCookie(name="session", auto_error=False)
async def get_api_key(api_key: str = Depends(api_key_cookie)):
if api_key != API_KEY:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Invalid API Key"
)
return api_key
Role-Based Access Control
Role Models
from enum import Enum
class Role(str, Enum):
admin = "admin"
user = "user"
moderator = "moderator"
class User(BaseModel):
username: str
email: str
roles: List[Role] = []
is_active: bool = True
Permission Decorators
from functools import wraps
from typing import List
def require_roles(allowed_roles: List[Role]):
def decorator(func):
@wraps(func)
async def wrapper(*args, **kwargs):
current_user = kwargs.get('current_user')
if not current_user:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Authentication required"
)
if not any(role in current_user.roles for role in allowed_roles):
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail="Insufficient permissions"
)
return await func(*args, **kwargs)
return wrapper
return decorator
@app.get("/admin/users")
@require_roles([Role.admin])
async def get_all_users(current_user: User = Depends(get_current_user)):
return {"users": "all users"}
Permission Dependencies
def require_permission(permission: str):
async def permission_dependency(current_user: User = Depends(get_current_user)):
if not has_permission(current_user, permission):
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail="Insufficient permissions"
)
return current_user
return permission_dependency
@app.delete("/users/{user_id}")
async def delete_user(
user_id: int,
current_user: User = Depends(require_permission("delete_user"))
):
return {"message": f"User {user_id} deleted"}
CORS Configuration
Basic CORS Setup
from fastapi.middleware.cors import CORSMiddleware
app.add_middleware(
CORSMiddleware,
allow_origins=["http://localhost:3000"],
allow_credentials=True,
allow_methods=["*"],
allow_headers=["*"],
)
Advanced CORS Configuration
app.add_middleware(
CORSMiddleware,
allow_origins=["http://localhost:3000", "https://myapp.com"],
allow_credentials=True,
allow_methods=["GET", "POST", "PUT", "DELETE"],
allow_headers=["Content-Type", "Authorization", "X-API-Key"],
expose_headers=["X-Total-Count"],
max_age=3600,
)
Security Headers
Security Middleware
from fastapi import Request
@app.middleware("http")
async def add_security_headers(request: Request, call_next):
response = await call_next(request)
response.headers["X-Content-Type-Options"] = "nosniff"
response.headers["X-Frame-Options"] = "DENY"
response.headers["X-XSS-Protection"] = "1; mode=block"
response.headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains"
response.headers["Content-Security-Policy"] = "default-src 'self'"
return response
Rate Limiting
from slowapi import Limiter, _rate_limit_exceeded_handler
from slowapi.util import get_remote_address
from slowapi.errors import RateLimitExceeded
limiter = Limiter(key_func=get_remote_address)
app.state.limiter = limiter
app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler)
@app.get("/limited")
@limiter.limit("5/minute")
async def limited_endpoint(request: Request):
return {"message": "This endpoint is rate limited"}
Input Validation & Sanitization
SQL Injection Prevention
from sqlalchemy import text
from sqlalchemy.orm import Session
# Bad - vulnerable to SQL injection
def get_user_bad(db: Session, user_id: str):
query = f"SELECT * FROM users WHERE id = {user_id}"
return db.execute(text(query)).fetchone()
# Good - using parameters
def get_user_good(db: Session, user_id: int):
query = text("SELECT * FROM users WHERE id = :user_id")
return db.execute(query, {"user_id": user_id}).fetchone()
Input Sanitization
import html
import re
from pydantic import BaseModel, validator
class UserInput(BaseModel):
username: str
bio: str
@validator('username')
def sanitize_username(cls, v):
# Remove special characters
return re.sub(r'[^\w\s-]', '', v).strip()
@validator('bio')
def sanitize_bio(cls, v):
# HTML escape
return html.escape(v)
Session Management
Session-Based Authentication
from starlette.sessions import SessionMiddleware
from starlette.middleware.sessions import SessionMiddleware
app.add_middleware(SessionMiddleware, secret_key="your-secret-key")
@app.post("/login")
async def login(request: Request, form_data: OAuth2PasswordRequestForm = Depends()):
user = authenticate_user(form_data.username, form_data.password)
if user:
request.session["user_id"] = user.id
return {"message": "Login successful"}
raise HTTPException(status_code=401, detail="Invalid credentials")
@app.get("/logout")
async def logout(request: Request):
request.session.pop("user_id", None)
return {"message": "Logout successful"}
async def get_current_user_from_session(request: Request):
user_id = request.session.get("user_id")
if not user_id:
raise HTTPException(status_code=401, detail="Not authenticated")
return get_user_by_id(user_id)
OAuth2 Scopes
Scope-Based Permissions
from fastapi.security import OAuth2PasswordBearer, SecurityScopes
oauth2_scheme = OAuth2PasswordBearer(
tokenUrl="token",
scopes={"read": "Read access", "write": "Write access", "admin": "Admin access"}
)
async def get_current_user(
security_scopes: SecurityScopes,
token: str = Depends(oauth2_scheme)
):
if security_scopes.scopes:
authenticate_value = f'Bearer scope="{security_scopes.scope_str}"'
else:
authenticate_value = "Bearer"
credentials_exception = HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Could not validate credentials",
headers={"WWW-Authenticate": authenticate_value},
)
try:
payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
username: str = payload.get("sub")
if username is None:
raise credentials_exception
token_scopes = payload.get("scopes", [])
token_data = TokenData(scopes=token_scopes, username=username)
except (JWTError, ValidationError):
raise credentials_exception
user = get_user(fake_users_db, username=token_data.username)
if user is None:
raise credentials_exception
for scope in security_scopes.scopes:
if scope not in token_data.scopes:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Not enough permissions",
headers={"WWW-Authenticate": authenticate_value},
)
return user
@app.get("/users/me", response_model=User)
async def read_users_me(current_user: User = Depends(get_current_user)):
return current_user
@app.get("/users/me/items")
async def read_own_items(
current_user: User = Security(get_current_user, scopes=["read"])
):
return [{"item_id": "Foo", "owner": current_user.username}]