DEV Community: Akachi Anabanti The latest articles on DEV Community by Akachi Anabanti (@akachianabanti). https://dev.to/akachianabanti https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1195205%2Fbe4e30f7-3489-437a-a32e-877f6f95cd8f.jpeg DEV Community: Akachi Anabanti https://dev.to/akachianabanti en Building a Secure API with FastAPI, PostgreSQL, and Hanko Authentication Akachi Anabanti Mon, 30 Oct 2023 15:37:30 +0000 https://dev.to/akachianabanti/building-a-secure-api-with-fastapi-postgresql-and-hanko-authentication-3pei https://dev.to/akachianabanti/building-a-secure-api-with-fastapi-postgresql-and-hanko-authentication-3pei <p>In the continuous exponential growth of internet and web application users, building robust, secure and user-friendly API is a necessity. In this blog post, we'll explore the development of a fastapi application using a powerful tech stack consisting of <a href="https://fastapi.tiangolo.com/">FastAPI</a>, <a href="https://www.postgresql.org/">PostgreSQL</a>, and integrating <a href="https://docs.hanko.io/introduction">Hanko</a> authentication for enhanced security.</p> <p><strong>Introduction to the Tech Stack:</strong></p> <ul> <li><p><strong>FastAPI:</strong> Known for its high performance, simplicity, and ease of development, FastAPI is a modern Python web framework that enables the rapid creation of APIs with automatic interactive documentation.</p></li> <li><p><strong>PostgreSQL:</strong> A powerful open-source relational database known for its reliability and robustness, PostgreSQL is a popular choice for data storage in various applications.</p></li> <li><p><strong>Hanko Authentication:</strong> Hanko provides a secure, passwordless authentication solution that enhances user security and experience by utilizing biometric authentication methods, such as fingerprint, face or iris recognition.</p></li> </ul> <p><strong>Development Process</strong></p> <ol> <li> <strong>Project directory:</strong> Here is a brief overview of the project directory structure. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>|---- project-directory/ | |---- backend/ | | |---- app/ | | | |---- alembic/ | | | | |---- env.py | | | | |---- script.py.mako | | | |---- db/ | | | | |---- base.py | | | | |---- base_class.py | | | | |---- session.py | | | | |---- __init__.py | | | |---- models/ | | | | |---- item.py | | | | |---- __init__.py | | | |------routers/ | | | | |---item.py | | | |---- schemas/ | | | | |---- item.py | | | | |---- __init__.py | | | |---- alembic.ini | | | |---- config.py | | | |---- main.py | | | |---- utils.py | | | |---- __init__.py </code></pre> </div> <ol> <li> <strong>Setting up the Backend with FastAPI and PostgreSQL:</strong> <a href="https://python-poetry.org/">poetry</a> will be used to manage the backend project. Visit the official website of poetry to download and install poetry then initialize poetry dependency management in the backend project. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>backend poetry init </code></pre> </div> <p><br> follow the default options a pyproject.toml is created and poetry is setup for use. To install a package the command <code>poetry add [package-name]</code> is used a poetry.lock file is created, for subsequent package installations, the poetry.lock and pyproject.toml files are updated. You can open these files to inspect the contents.</p> <p><em>installing the packages</em></p> <p><code>poetry add fastapi[uvicorn] psycopg2-binary sqlalchemy pydantic-settings pyjwt alembic</code><br> uvicorn is the server that will be used to serve the fastapi application. pyscopg2-binary is a python-postgres interface that provides a means of connecting to postgresql. sqlalchemy is an orm mapper for relational databases. It is worth noting that pydantic is a core feature of the fastAPI framework.</p> <p>main.py<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span> <span class="kn">from</span> <span class="n">starlette.middleware.cors</span> <span class="kn">import</span> <span class="n">CORSMiddleware</span> <span class="kn">from</span> <span class="n">app.config</span> <span class="kn">import</span> <span class="n">settings</span> <span class="kn">from</span> <span class="n">app.routers</span> <span class="kn">import</span> <span class="n">item</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">(</span> <span class="n">title</span><span class="o">=</span><span class="n">settings</span><span class="p">.</span><span class="n">PROJECT_NAME</span><span class="p">,</span> <span class="n">openapi_url</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">settings</span><span class="p">.</span><span class="n">API_V1_STR</span><span class="si">}</span><span class="s">/openapi.json</span><span class="sh">"</span> <span class="p">)</span> <span class="n">app</span><span class="p">.</span><span class="nf">add_middleware</span><span class="p">(</span> <span class="n">CORSMiddleware</span><span class="p">,</span> <span class="n">allow_origins</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">],</span> <span class="n">allow_methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">],</span> <span class="n">allow_headers</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> <span class="n">app</span><span class="p">.</span><span class="nf">include_router</span><span class="p">(</span><span class="n">item</span><span class="p">.</span><span class="n">router</span><span class="p">,</span> <span class="n">prefix</span><span class="o">=</span><span class="n">settings</span><span class="p">.</span><span class="n">API_V1_STR</span><span class="p">)</span> </code></pre> </div> <p>The main.py file is the entry point into the application. It defines the middlewares that the application needs and the routes associated with the application.<br> The CORSMiddleware in FastAPI is necessary to handle Cross-Origin Resource Sharing (CORS) policies effectively. CORS is a security feature implemented by web browsers to protect against cross-origin requests .When a frontend web application running in one domain (origin) wants to make requests to a backend API server in another domain, the browser enforces CORS to prevent potential security risks.</p> <p>utils.py<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">ssl</span> <span class="kn">from</span> <span class="n">typing</span> <span class="kn">import</span> <span class="n">Generator</span> <span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">HTTPException</span><span class="p">,</span> <span class="n">Request</span><span class="p">,</span> <span class="n">status</span> <span class="kn">import</span> <span class="n">jwt</span> <span class="kn">from</span> <span class="n">pydantic</span> <span class="kn">import</span> <span class="n">ValidationError</span> <span class="kn">from</span> <span class="n">app.config</span> <span class="kn">import</span> <span class="n">settings</span> <span class="kn">from</span> <span class="n">app.db.session</span> <span class="kn">import</span> <span class="n">SessionLocal</span> <span class="k">def</span> <span class="nf">get_db</span><span class="p">()</span> <span class="o">-&gt;</span> <span class="n">Generator</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="n">db</span> <span class="o">=</span> <span class="nc">SessionLocal</span><span class="p">()</span> <span class="k">yield</span> <span class="n">db</span> <span class="k">finally</span><span class="p">:</span> <span class="n">db</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">def</span> <span class="nf">deny</span><span class="p">():</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span> <span class="n">status_code</span><span class="o">=</span><span class="n">status</span><span class="p">.</span><span class="n">HTTP_401_UNAUTHORIZED</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Unauthorized</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="k">def</span> <span class="nf">extract_token_from_header</span><span class="p">(</span><span class="n">header</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">parts</span> <span class="o">=</span> <span class="n">header</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">"</span><span class="s"> </span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">parts</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">parts</span><span class="p">)</span> <span class="o">==</span> <span class="mi">2</span> <span class="ow">and</span> <span class="n">parts</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nf">lower</span><span class="p">()</span> <span class="o">==</span> <span class="sh">"</span><span class="s">bearer</span><span class="sh">"</span> <span class="k">else</span> <span class="bp">None</span> <span class="k">def</span> <span class="nf">get_current_user</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="n">authorization</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">authorization</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="p">(</span><span class="n">authorization</span><span class="p">):</span> <span class="k">return</span> <span class="nf">deny</span><span class="p">()</span> <span class="n">token</span> <span class="o">=</span> <span class="nf">extract_token_from_header</span><span class="p">(</span><span class="n">authorization</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">token</span><span class="p">:</span> <span class="k">return</span> <span class="nf">deny</span><span class="p">()</span> <span class="k">try</span><span class="p">:</span> <span class="n">ssl_context</span> <span class="o">=</span> <span class="n">ssl</span><span class="p">.</span><span class="nf">create_default_context</span><span class="p">()</span> <span class="n">ssl_context</span><span class="p">.</span><span class="n">check_hostname</span> <span class="o">=</span> <span class="bp">False</span> <span class="n">ssl_context</span><span class="p">.</span><span class="n">verify_mode</span> <span class="o">=</span> <span class="n">ssl</span><span class="p">.</span><span class="n">CERT_NONE</span> <span class="n">jwks_client</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nc">PyJWKClient</span><span class="p">(</span> <span class="n">settings</span><span class="p">.</span><span class="n">HANKO_API_URL</span> <span class="o">+</span> <span class="sh">"</span><span class="s">/.well-known/jwks.json</span><span class="sh">"</span><span class="p">,</span> <span class="n">ssl_context</span><span class="o">=</span><span class="n">ssl_context</span> <span class="p">)</span> <span class="n">signing_key</span> <span class="o">=</span> <span class="n">jwks_client</span><span class="p">.</span><span class="nf">get_signing_key_from_jwt</span><span class="p">(</span><span class="n">token</span><span class="p">)</span> <span class="n">data</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span> <span class="n">token</span><span class="p">,</span> <span class="n">signing_key</span><span class="p">.</span><span class="n">key</span><span class="p">,</span> <span class="n">algorithms</span><span class="o">=</span><span class="p">[</span><span class="n">settings</span><span class="p">.</span><span class="n">ALGORITHM</span><span class="p">],</span> <span class="n">audience</span><span class="o">=</span><span class="sh">"</span><span class="s">localhost</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># str(settings.SERVER_HOST), </span> <span class="p">)</span> <span class="nf">except </span><span class="p">(</span><span class="n">jwt</span><span class="p">.</span><span class="n">PyJWTError</span><span class="p">,</span> <span class="n">ValidationError</span><span class="p">):</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span> <span class="n">status_code</span><span class="o">=</span><span class="n">status</span><span class="p">.</span><span class="n">HTTP_403_FORBIDDEN</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Could not validate credentials</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="n">user</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">sub</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">user</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">404</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">User not found</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">user</span> </code></pre> </div> <p>The <code>get_current_user</code> function is a critical part of the authentication process. It checks the request's authorization header from the client(frontend) application, extracts the token, attempts to retrieve the signing key from Hanko authorization API, validate and decode the JWT token. If successful, it returns the user id associated with the token; otherwise, it raises appropriate HTTP exceptions.</p> <p>routers/item.py<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">typing</span> <span class="kn">import</span> <span class="n">Any</span><span class="p">,</span> <span class="n">List</span> <span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">APIRouter</span><span class="p">,</span> <span class="n">Depends</span><span class="p">,</span> <span class="n">HTTPException</span> <span class="kn">from</span> <span class="n">sqlalchemy.orm</span> <span class="kn">import</span> <span class="n">Session</span> <span class="kn">from</span> <span class="n">app</span> <span class="kn">import</span> <span class="n">crud</span><span class="p">,</span> <span class="n">schemas</span> <span class="kn">from</span> <span class="n">app.utils</span> <span class="kn">import</span> <span class="n">get_current_user</span><span class="p">,</span> <span class="n">get_db</span> <span class="n">router</span> <span class="o">=</span> <span class="nc">APIRouter</span><span class="p">(</span><span class="n">prefix</span><span class="o">=</span><span class="sh">"</span><span class="s">/item</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@router.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">,</span> <span class="n">response_model</span><span class="o">=</span><span class="n">List</span><span class="p">[</span><span class="n">schemas</span><span class="p">.</span><span class="n">Item</span><span class="p">])</span> <span class="k">def</span> <span class="nf">read_items</span><span class="p">(</span> <span class="n">db</span><span class="p">:</span> <span class="n">Session</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">get_db</span><span class="p">),</span> <span class="n">skip</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="mi">0</span><span class="p">,</span> <span class="n">limit</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="mi">100</span><span class="p">,</span> <span class="n">current_user</span><span class="o">=</span><span class="nc">Depends</span><span class="p">(</span><span class="n">get_current_user</span><span class="p">),</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="n">Any</span><span class="p">:</span> <span class="sh">"""</span><span class="s"> Retrieve items. </span><span class="sh">"""</span> <span class="k">if</span> <span class="n">crud</span><span class="p">.</span><span class="n">user</span><span class="p">.</span><span class="nf">is_superuser</span><span class="p">(</span><span class="n">current_user</span><span class="p">):</span> <span class="n">items</span> <span class="o">=</span> <span class="n">crud</span><span class="p">.</span><span class="n">item</span><span class="p">.</span><span class="nf">get_multi</span><span class="p">(</span><span class="n">db</span><span class="p">,</span> <span class="n">skip</span><span class="o">=</span><span class="n">skip</span><span class="p">,</span> <span class="n">limit</span><span class="o">=</span><span class="n">limit</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="n">items</span> <span class="o">=</span> <span class="n">crud</span><span class="p">.</span><span class="n">item</span><span class="p">.</span><span class="nf">get_multi_by_owner</span><span class="p">(</span> <span class="n">db</span><span class="o">=</span><span class="n">db</span><span class="p">,</span> <span class="n">owner_id</span><span class="o">=</span><span class="n">current_user</span><span class="p">,</span> <span class="n">skip</span><span class="o">=</span><span class="n">skip</span><span class="p">,</span> <span class="n">limit</span><span class="o">=</span><span class="n">limit</span> <span class="p">)</span> <span class="k">return</span> <span class="n">items</span> <span class="nd">@router.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">,</span> <span class="n">response_model</span><span class="o">=</span><span class="n">schemas</span><span class="p">.</span><span class="n">Item</span><span class="p">)</span> <span class="k">def</span> <span class="nf">create_item</span><span class="p">(</span> <span class="o">*</span><span class="p">,</span> <span class="n">db</span><span class="p">:</span> <span class="n">Session</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">get_db</span><span class="p">),</span> <span class="n">item_in</span><span class="p">:</span> <span class="n">schemas</span><span class="p">.</span><span class="n">ItemCreate</span><span class="p">,</span> <span class="n">current_user</span><span class="o">=</span><span class="nc">Depends</span><span class="p">(</span><span class="n">get_current_user</span><span class="p">),</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="n">Any</span><span class="p">:</span> <span class="sh">"""</span><span class="s"> Create new item. </span><span class="sh">"""</span> <span class="n">item</span> <span class="o">=</span> <span class="n">crud</span><span class="p">.</span><span class="n">item</span><span class="p">.</span><span class="nf">create_with_owner</span><span class="p">(</span><span class="n">db</span><span class="o">=</span><span class="n">db</span><span class="p">,</span> <span class="n">obj_in</span><span class="o">=</span><span class="n">item_in</span><span class="p">,</span> <span class="n">owner_id</span><span class="o">=</span><span class="n">current_user</span><span class="p">)</span> <span class="k">return</span> <span class="n">item</span> <span class="nd">@router.put</span><span class="p">(</span><span class="sh">"</span><span class="s">/{id}</span><span class="sh">"</span><span class="p">,</span> <span class="n">response_model</span><span class="o">=</span><span class="n">schemas</span><span class="p">.</span><span class="n">Item</span><span class="p">)</span> <span class="k">def</span> <span class="nf">update_item</span><span class="p">(</span> <span class="o">*</span><span class="p">,</span> <span class="n">db</span><span class="p">:</span> <span class="n">Session</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">get_db</span><span class="p">),</span> <span class="nb">id</span><span class="p">:</span> <span class="nb">int</span><span class="p">,</span> <span class="n">item_in</span><span class="p">:</span> <span class="n">schemas</span><span class="p">.</span><span class="n">ItemUpdate</span><span class="p">,</span> <span class="n">current_user</span><span class="o">=</span><span class="nc">Depends</span><span class="p">(</span><span class="n">get_current_user</span><span class="p">),</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="n">Any</span><span class="p">:</span> <span class="sh">"""</span><span class="s"> Update an item. </span><span class="sh">"""</span> <span class="n">item</span> <span class="o">=</span> <span class="n">crud</span><span class="p">.</span><span class="n">item</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">db</span><span class="o">=</span><span class="n">db</span><span class="p">,</span> <span class="nb">id</span><span class="o">=</span><span class="nb">id</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">item</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">404</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Item not found</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">item</span><span class="p">.</span><span class="n">owner_id</span> <span class="o">!=</span> <span class="n">current_user</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">400</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Not enough permissions</span><span class="sh">"</span><span class="p">)</span> <span class="n">item</span> <span class="o">=</span> <span class="n">crud</span><span class="p">.</span><span class="n">item</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="n">db</span><span class="o">=</span><span class="n">db</span><span class="p">,</span> <span class="n">db_obj</span><span class="o">=</span><span class="n">item</span><span class="p">,</span> <span class="n">obj_in</span><span class="o">=</span><span class="n">item_in</span><span class="p">)</span> <span class="k">return</span> <span class="n">item</span> <span class="nd">@router.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/{id}</span><span class="sh">"</span><span class="p">,</span> <span class="n">response_model</span><span class="o">=</span><span class="n">schemas</span><span class="p">.</span><span class="n">Item</span><span class="p">)</span> <span class="k">def</span> <span class="nf">read_item</span><span class="p">(</span> <span class="o">*</span><span class="p">,</span> <span class="n">db</span><span class="p">:</span> <span class="n">Session</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">get_db</span><span class="p">),</span> <span class="nb">id</span><span class="p">:</span> <span class="nb">int</span><span class="p">,</span> <span class="n">current_user</span><span class="o">=</span><span class="nc">Depends</span><span class="p">(</span><span class="n">get_current_user</span><span class="p">),</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="n">Any</span><span class="p">:</span> <span class="sh">"""</span><span class="s"> Get item by ID. </span><span class="sh">"""</span> <span class="n">item</span> <span class="o">=</span> <span class="n">crud</span><span class="p">.</span><span class="n">item</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">db</span><span class="o">=</span><span class="n">db</span><span class="p">,</span> <span class="nb">id</span><span class="o">=</span><span class="nb">id</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">item</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">404</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Item not found</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">item</span><span class="p">.</span><span class="n">owner_id</span> <span class="o">!=</span> <span class="n">current_user</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">400</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Not enough permissions</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">item</span> <span class="nd">@router.delete</span><span class="p">(</span><span class="sh">"</span><span class="s">/{id}</span><span class="sh">"</span><span class="p">,</span> <span class="n">response_model</span><span class="o">=</span><span class="n">schemas</span><span class="p">.</span><span class="n">Item</span><span class="p">)</span> <span class="k">def</span> <span class="nf">delete_item</span><span class="p">(</span> <span class="o">*</span><span class="p">,</span> <span class="n">db</span><span class="p">:</span> <span class="n">Session</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">get_db</span><span class="p">),</span> <span class="nb">id</span><span class="p">:</span> <span class="nb">int</span><span class="p">,</span> <span class="n">current_user</span><span class="o">=</span><span class="nc">Depends</span><span class="p">(</span><span class="n">get_current_user</span><span class="p">),</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="n">Any</span><span class="p">:</span> <span class="sh">"""</span><span class="s"> Delete an item. </span><span class="sh">"""</span> <span class="n">item</span> <span class="o">=</span> <span class="n">crud</span><span class="p">.</span><span class="n">item</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">db</span><span class="o">=</span><span class="n">db</span><span class="p">,</span> <span class="nb">id</span><span class="o">=</span><span class="nb">id</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">item</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">404</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Item not found</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">item</span><span class="p">.</span><span class="n">owner_id</span> <span class="o">!=</span> <span class="n">current_user</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">400</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Not enough permissions</span><span class="sh">"</span><span class="p">)</span> <span class="n">item</span> <span class="o">=</span> <span class="n">crud</span><span class="p">.</span><span class="n">item</span><span class="p">.</span><span class="nf">remove</span><span class="p">(</span><span class="n">db</span><span class="o">=</span><span class="n">db</span><span class="p">,</span> <span class="nb">id</span><span class="o">=</span><span class="nb">id</span><span class="p">)</span> <span class="k">return</span> <span class="n">item</span> </code></pre> </div> <p>in the routers/item.py file, each route depends on the <code>get_current_user</code>, if the current user is not available the instructions in the route will not be executed and as such the route is protected.</p> <p>The complete Backend code is available on github <a href="https://www.github.com/AKachi-Anabanti/fastapi-hanko">fastapi-hanko</a> and the production ready fullstack application with Vue2.js is available at <a href="https://github.com/Akachi-Anabanti/authflowx">authflowx</a>. Also visit <a href="https://docs.hanko.io/introduction">Hanko</a> documentation on how you can integrate your favorite frontend framework.<br> <strong>Benefits and Use Cases:</strong></p> <ul> <li><p><strong>Enhanced Security:</strong> Leveraging Hanko's biometric authentication adds an extra layer of security, eliminating the need for traditional passwords and reducing the risk of unauthorized access.</p></li> <li><p><strong>Scalability and Performance:</strong> The combination of FastAPI and PostgreSQL ensures high performance and scalability, allowing the application to handle a growing user base and data load efficiently.</p></li> <li><p><strong>User-Friendly Experience:</strong> With any frontend framework and Hanko for authentication, users can enjoy a seamless and intuitive experience while ensuring their data remains secure.</p></li> </ul> <p>This project is a modification of the authentication flow of the awesome repository made by <a href="https://github.com/tiangolo">tiangolo</a> at <a href="https://github.com/tiangolo/full-stack-fastapi-postgresql">full-stack-fastapi-postgresql</a></p> hanko fastapi postgressql