The latest articles on DEV Community by Ravi Gupta (@ravigupta97). https://dev.to/ravigupta97 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3784807%2F6af58333-fc08-430f-9df5-a19e579fcea9.jpg https://dev.to/ravigupta97 en Ravi Gupta Mon, 06 Apr 2026 03:15:00 +0000 https://dev.to/ravigupta97/i-thought-jwts-were-stateless-turns-out-logout-made-me-build-a-stateful-layer-anyway-48nd https://dev.to/ravigupta97/i-thought-jwts-were-stateless-turns-out-logout-made-me-build-a-stateful-layer-anyway-48nd <p><em>This is Part 3 of a 4-part series on building AuthShield - a production-ready standalone authentication microservice. This post covers JWT design, the logout problem, Redis blacklisting, the two-token strategy, and refresh token rotation with reuse detection.<br> Part 1 is here: <a href="https://dev.to/ravigupta97/why-i-stopped-writing-auth-code-for-every-project-and-built-authshield-21cj">Why I Stopped Writing Auth Code for Every Project and Built AuthShield</a><br> Part 2 is here: <a href="https://dev.to/ravigupta97/i-thought-oauth-was-just-adding-a-google-button-turns-out-its-a-csrf-problem-disguised-as-a-5gek">I Thought OAuth Was Just Adding a Google Button. Turns Out It's a CSRF Problem Disguised as a Feature</a></em></p> <p>The selling point of JWTs is that they are stateless.</p> <p>The server issues a token, signs it, and forgets about it. Every subsequent request includes the token. The server verifies the signature, reads the claims, and knows everything it needs - who the user is, what roles they have, when the token expires. No database lookup. No session store. No shared state between instances.</p> <p>For an auth microservice like AuthShield that needs to work across multiple downstream services, this is exactly the right foundation. Any service with the same signing secret can verify any token independently.</p> <p>Then I implemented logout.</p> <h2> The Logout Problem </h2> <p>When a user logs out, what actually happens to their JWT?</p> <p>Nothing. It keeps working until it expires.</p> <p>A JWT is a signed string. It is not stored anywhere on the server. There is nothing to delete. If a user logs out and someone else - an attacker, a browser tab left open on a shared computer, anyone - has that token, it is still valid for the remainder of its lifetime.</p> <p>That is not logout. That is the appearance of logout.</p> <p>The solution is a blacklist. When a user logs out, you store the token's unique identifier in a fast lookup store and check every incoming token against it. If the token is on the blacklist, reject it regardless of the signature being valid.</p> <p>AuthShield uses Redis for this, and the specific identifier used is the <code>jti</code> claim - JWT ID - a unique value embedded in every token at creation time.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">jwt</span> <span class="kn">import</span> <span class="n">uuid</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span><span class="p">,</span> <span class="n">timedelta</span><span class="p">,</span> <span class="n">timezone</span> <span class="kn">from</span> <span class="n">redis.asyncio</span> <span class="kn">import</span> <span class="n">Redis</span> <span class="k">def</span> <span class="nf">create_access_token</span><span class="p">(</span><span class="n">user_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">email</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">roles</span><span class="p">:</span> <span class="nb">list</span><span class="p">[</span><span class="nb">str</span><span class="p">])</span> <span class="o">-&gt;</span> <span class="nb">tuple</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="nb">str</span><span class="p">]:</span> <span class="n">jti</span> <span class="o">=</span> <span class="nf">str</span><span class="p">(</span><span class="n">uuid</span><span class="p">.</span><span class="nf">uuid4</span><span class="p">())</span> <span class="c1"># Unique token ID - used for blacklisting </span> <span class="n">now</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">(</span><span class="n">timezone</span><span class="p">.</span><span class="n">utc</span><span class="p">)</span> <span class="n">expires_at</span> <span class="o">=</span> <span class="n">now</span> <span class="o">+</span> <span class="nf">timedelta</span><span class="p">(</span><span class="n">minutes</span><span class="o">=</span><span class="mi">15</span><span class="p">)</span> <span class="n">payload</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">sub</span><span class="sh">"</span><span class="p">:</span> <span class="n">user_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">email</span><span class="sh">"</span><span class="p">:</span> <span class="n">email</span><span class="p">,</span> <span class="sh">"</span><span class="s">roles</span><span class="sh">"</span><span class="p">:</span> <span class="n">roles</span><span class="p">,</span> <span class="sh">"</span><span class="s">jti</span><span class="sh">"</span><span class="p">:</span> <span class="n">jti</span><span class="p">,</span> <span class="c1"># The blacklist key </span> <span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">access</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">iat</span><span class="sh">"</span><span class="p">:</span> <span class="n">now</span><span class="p">,</span> <span class="sh">"</span><span class="s">exp</span><span class="sh">"</span><span class="p">:</span> <span class="n">expires_at</span><span class="p">,</span> <span class="p">}</span> <span class="n">token</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span><span class="n">payload</span><span class="p">,</span> <span class="n">settings</span><span class="p">.</span><span class="n">SECRET_KEY</span><span class="p">,</span> <span class="n">algorithm</span><span class="o">=</span><span class="sh">"</span><span class="s">HS256</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">token</span><span class="p">,</span> <span class="n">jti</span> <span class="c1"># Return both - jti needed for blacklisting on logout </span> <span class="k">async</span> <span class="k">def</span> <span class="nf">blacklist_token</span><span class="p">(</span><span class="n">redis</span><span class="p">:</span> <span class="n">Redis</span><span class="p">,</span> <span class="n">jti</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">expires_at</span><span class="p">:</span> <span class="n">datetime</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="c1"># Calculate remaining lifetime of the token </span> <span class="n">now</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">(</span><span class="n">timezone</span><span class="p">.</span><span class="n">utc</span><span class="p">)</span> <span class="n">remaining_seconds</span> <span class="o">=</span> <span class="nf">int</span><span class="p">((</span><span class="n">expires_at</span> <span class="o">-</span> <span class="n">now</span><span class="p">).</span><span class="nf">total_seconds</span><span class="p">())</span> <span class="k">if</span> <span class="n">remaining_seconds</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">:</span> <span class="c1"># Store in Redis with TTL matching token's remaining life </span> <span class="c1"># When the token would have expired naturally, Redis removes it automatically </span> <span class="c1"># No cleanup job needed — it is self-managing </span> <span class="k">await</span> <span class="n">redis</span><span class="p">.</span><span class="nf">setex</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">blacklist:</span><span class="si">{</span><span class="n">jti</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">remaining_seconds</span><span class="p">,</span> <span class="sh">"</span><span class="s">1</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">is_token_blacklisted</span><span class="p">(</span><span class="n">redis</span><span class="p">:</span> <span class="n">Redis</span><span class="p">,</span> <span class="n">jti</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="k">return</span> <span class="k">await</span> <span class="n">redis</span><span class="p">.</span><span class="nf">exists</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">blacklist:</span><span class="si">{</span><span class="n">jti</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mi">0</span> </code></pre> </div> <p>The TTL on the Redis key is important. There is no point keeping a blacklisted token in Redis after it would have expired naturally - it is already invalid. Setting the TTL to match the remaining token lifetime means the blacklist is self-cleaning. Old entries disappear automatically without any maintenance.</p> <p>Every protected request checks the blacklist before doing anything else:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">get_current_user</span><span class="p">(</span> <span class="n">credentials</span><span class="p">:</span> <span class="n">HTTPAuthorizationCredentials</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">security</span><span class="p">),</span> <span class="n">redis</span><span class="p">:</span> <span class="n">Redis</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">get_redis</span><span class="p">),</span> <span class="n">db</span><span class="p">:</span> <span class="n">AsyncSession</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">get_db</span><span class="p">)</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="n">User</span><span class="p">:</span> <span class="n">token</span> <span class="o">=</span> <span class="n">credentials</span><span class="p">.</span><span class="n">credentials</span> <span class="k">try</span><span class="p">:</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span> <span class="n">token</span><span class="p">,</span> <span class="n">settings</span><span class="p">.</span><span class="n">SECRET_KEY</span><span class="p">,</span> <span class="n">algorithms</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">HS256</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># Always specify explicitly — never trust the token's own alg header </span> <span class="p">)</span> <span class="k">except</span> <span class="n">jwt</span><span class="p">.</span><span class="n">ExpiredSignatureError</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Token expired</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="n">jwt</span><span class="p">.</span><span class="n">InvalidTokenError</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Invalid token</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Check blacklist before anything else </span> <span class="n">jti</span> <span class="o">=</span> <span class="n">payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">jti</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="k">await</span> <span class="nf">is_token_blacklisted</span><span class="p">(</span><span class="n">redis</span><span class="p">,</span> <span class="n">jti</span><span class="p">):</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Token has been revoked</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Token is valid and not blacklisted — proceed </span> <span class="n">user_id</span> <span class="o">=</span> <span class="n">payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">sub</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="k">await</span> <span class="n">user_repo</span><span class="p">.</span><span class="nf">get_by_id</span><span class="p">(</span><span class="n">db</span><span class="p">,</span> <span class="n">user_id</span><span class="p">)</span> </code></pre> </div> <p>One detail worth calling out: <code>algorithms=["HS256"]</code> is explicit and non-negotiable. Early JWT libraries had a vulnerability where if the token header specified <code>"alg": "none"</code>, some libraries would skip signature verification entirely. An attacker could forge any payload they wanted. Always specify exactly which algorithms you accept and reject everything else.</p> <p>Now logout works. But solving logout uncovered the next problem.</p> <h2> The Two-Token Problem </h2> <p>If the logout blacklist works, why not just use a single long-lived token? Issue it on login, blacklist it on logout, done.</p> <p>Because if that token is stolen, the attacker has access for the entire duration of its lifetime. A 7-day token stolen on day one gives an attacker 7 days of undetected access. A 30-day token is worse. The longer the lifetime, the larger the window of damage from theft.</p> <p>So make it short-lived. 15 minutes. Now a stolen token is only useful for 15 minutes.</p> <p>But now the user has to log in every 15 minutes. That is not a user experience - that is punishment.</p> <p>The solution is two tokens with different purposes and different lifetimes.</p> <p>An access token is short-lived - 15 minutes in AuthShield. It is sent with every API request. If it is stolen, the damage window is 15 minutes maximum.</p> <p>A refresh token is long-lived - 7 days. It is used for exactly one purpose: getting a new access token when the old one expires. It is never sent to API endpoints. It never touches the application layer. It only ever goes to the <code>/auth/refresh</code> endpoint.</p> <p>The user experience is seamless. The access token expires silently, the client uses the refresh token to get a new one, and the user never knows it happened. Security and UX are no longer in conflict.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">secrets</span> <span class="kn">import</span> <span class="n">hashlib</span> <span class="k">def</span> <span class="nf">generate_refresh_token</span><span class="p">()</span> <span class="o">-&gt;</span> <span class="nb">tuple</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="nb">str</span><span class="p">]:</span> <span class="c1"># Generate a cryptographically random token </span> <span class="n">raw_token</span> <span class="o">=</span> <span class="n">secrets</span><span class="p">.</span><span class="nf">token_urlsafe</span><span class="p">(</span><span class="mi">64</span><span class="p">)</span> <span class="c1"># Hash it before storing — same reason we hash passwords </span> <span class="c1"># If the database is breached, raw tokens are not exposed </span> <span class="n">token_hash</span> <span class="o">=</span> <span class="n">hashlib</span><span class="p">.</span><span class="nf">sha256</span><span class="p">(</span><span class="n">raw_token</span><span class="p">.</span><span class="nf">encode</span><span class="p">()).</span><span class="nf">hexdigest</span><span class="p">()</span> <span class="k">return</span> <span class="n">raw_token</span><span class="p">,</span> <span class="n">token_hash</span> <span class="c1"># Return raw to client, store hash in DB </span> <span class="k">async</span> <span class="k">def</span> <span class="nf">store_refresh_token</span><span class="p">(</span> <span class="n">db</span><span class="p">:</span> <span class="n">AsyncSession</span><span class="p">,</span> <span class="n">user_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">session_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">token_hash</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">family_id</span><span class="p">:</span> <span class="nb">str</span> <span class="c1"># More on this shortly </span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">RefreshToken</span><span class="p">:</span> <span class="n">refresh_token</span> <span class="o">=</span> <span class="nc">RefreshToken</span><span class="p">(</span> <span class="n">user_id</span><span class="o">=</span><span class="n">user_id</span><span class="p">,</span> <span class="n">session_id</span><span class="o">=</span><span class="n">session_id</span><span class="p">,</span> <span class="n">token_hash</span><span class="o">=</span><span class="n">token_hash</span><span class="p">,</span> <span class="n">family_id</span><span class="o">=</span><span class="n">family_id</span><span class="p">,</span> <span class="n">is_used</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="n">is_revoked</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="n">expires_at</span><span class="o">=</span><span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">(</span><span class="n">timezone</span><span class="p">.</span><span class="n">utc</span><span class="p">)</span> <span class="o">+</span> <span class="nf">timedelta</span><span class="p">(</span><span class="n">days</span><span class="o">=</span><span class="mi">7</span><span class="p">),</span> <span class="p">)</span> <span class="n">db</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="n">refresh_token</span><span class="p">)</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="k">return</span> <span class="n">refresh_token</span> </code></pre> </div> <p>Refresh tokens are not JWTs. They are opaque random strings, stored hashed in PostgreSQL. There is no benefit to making them JWTs because they are always verified against the database anyway - a database lookup is required regardless, so the self-contained nature of JWTs adds nothing here.</p> <p>Storing them hashed mirrors the same principle as password hashing. If the database is compromised, an attacker gets hashes, not usable tokens.</p> <p>Two tokens solved the UX problem. But it introduced another one: what happens if the refresh token is stolen?</p> <h2> Refresh Token Rotation and Reuse Detection </h2> <p>A 7-day refresh token is a valuable target. If an attacker gets hold of one, they can keep generating new access tokens for 7 days without the user's password. The user might log out, the access token gets blacklisted, but the attacker still has the refresh token and can get a new access token immediately.</p> <p>The first defence is rotation. Every time a refresh token is used, it is immediately invalidated and a new one is issued. The client must always use the latest token. Old tokens stop working the moment they are used.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">rotate_refresh_token</span><span class="p">(</span> <span class="n">db</span><span class="p">:</span> <span class="n">AsyncSession</span><span class="p">,</span> <span class="n">old_token_hash</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">user_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">session_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">family_id</span><span class="p">:</span> <span class="nb">str</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">tuple</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="nb">str</span><span class="p">]:</span> <span class="c1"># Mark the old token as used </span> <span class="n">old_token</span> <span class="o">=</span> <span class="k">await</span> <span class="n">token_repo</span><span class="p">.</span><span class="nf">get_by_hash</span><span class="p">(</span><span class="n">db</span><span class="p">,</span> <span class="n">old_token_hash</span><span class="p">)</span> <span class="n">old_token</span><span class="p">.</span><span class="n">is_used</span> <span class="o">=</span> <span class="bp">True</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="nf">flush</span><span class="p">()</span> <span class="c1"># Issue a new token in the same family </span> <span class="n">new_raw_token</span><span class="p">,</span> <span class="n">new_token_hash</span> <span class="o">=</span> <span class="nf">generate_refresh_token</span><span class="p">()</span> <span class="k">await</span> <span class="nf">store_refresh_token</span><span class="p">(</span> <span class="n">db</span><span class="p">,</span> <span class="n">user_id</span><span class="o">=</span><span class="n">user_id</span><span class="p">,</span> <span class="n">session_id</span><span class="o">=</span><span class="n">session_id</span><span class="p">,</span> <span class="n">token_hash</span><span class="o">=</span><span class="n">new_token_hash</span><span class="p">,</span> <span class="n">family_id</span><span class="o">=</span><span class="n">family_id</span> <span class="c1"># Same family as the old token </span> <span class="p">)</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="k">return</span> <span class="n">new_raw_token</span><span class="p">,</span> <span class="n">new_token_hash</span> </code></pre> </div> <p>Rotation limits the damage window. But it does not fully solve the theft problem. If an attacker steals the refresh token and uses it before the real user does, the attacker gets a new valid token and the real user's next refresh attempt fails - their token was already rotated.</p> <p>The real user gets a confusing error. The attacker continues undetected.</p> <p>This is where token families solve the problem completely.</p> <p>Every refresh token belongs to a family - a UUID assigned at login time and shared by all tokens in a rotation chain. When a token is rotated, the new token carries the same family ID. The chain is trackable.</p> <p>The key insight: if a token that has already been marked as used is presented again, it means one of two things. Either there is a bug in the client — unlikely. Or the token was stolen and used by a second party - the real user rotated it, then the attacker tried to use the original.</p> <p>When reuse is detected, the correct response is not just to reject the request. It is to revoke the entire family - every token descended from that login. Both the attacker's current token and the real user's current token become invalid simultaneously.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">handle_refresh_token</span><span class="p">(</span> <span class="n">db</span><span class="p">:</span> <span class="n">AsyncSession</span><span class="p">,</span> <span class="n">redis</span><span class="p">:</span> <span class="n">Redis</span><span class="p">,</span> <span class="n">raw_token</span><span class="p">:</span> <span class="nb">str</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">tuple</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="nb">str</span><span class="p">]:</span> <span class="c1"># Hash the incoming token to look it up </span> <span class="n">token_hash</span> <span class="o">=</span> <span class="n">hashlib</span><span class="p">.</span><span class="nf">sha256</span><span class="p">(</span><span class="n">raw_token</span><span class="p">.</span><span class="nf">encode</span><span class="p">()).</span><span class="nf">hexdigest</span><span class="p">()</span> <span class="n">token_record</span> <span class="o">=</span> <span class="k">await</span> <span class="n">token_repo</span><span class="p">.</span><span class="nf">get_by_hash</span><span class="p">(</span><span class="n">db</span><span class="p">,</span> <span class="n">token_hash</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">token_record</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Invalid refresh token</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">token_record</span><span class="p">.</span><span class="n">is_revoked</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Refresh token has been revoked</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># REUSE DETECTION — this is the critical check </span> <span class="k">if</span> <span class="n">token_record</span><span class="p">.</span><span class="n">is_used</span><span class="p">:</span> <span class="c1"># This token was already rotated — someone is using an old token </span> <span class="c1"># Could be an attacker who stole it before the real user rotated it </span> <span class="c1"># Revoke the entire family — both attacker and real user are logged out </span> <span class="k">await</span> <span class="n">token_repo</span><span class="p">.</span><span class="nf">revoke_family</span><span class="p">(</span><span class="n">db</span><span class="p">,</span> <span class="n">token_record</span><span class="p">.</span><span class="n">family_id</span><span class="p">)</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span> <span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Token reuse detected. All sessions have been revoked.</span><span class="sh">"</span> <span class="p">)</span> <span class="c1"># Token is valid — rotate it </span> <span class="k">if</span> <span class="n">token_record</span><span class="p">.</span><span class="n">expires_at</span> <span class="o">&lt;</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">(</span><span class="n">timezone</span><span class="p">.</span><span class="n">utc</span><span class="p">):</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Refresh token expired</span><span class="sh">"</span><span class="p">)</span> <span class="n">new_raw_token</span><span class="p">,</span> <span class="n">_</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">rotate_refresh_token</span><span class="p">(</span> <span class="n">db</span><span class="p">,</span> <span class="n">old_token_hash</span><span class="o">=</span><span class="n">token_hash</span><span class="p">,</span> <span class="n">user_id</span><span class="o">=</span><span class="n">token_record</span><span class="p">.</span><span class="n">user_id</span><span class="p">,</span> <span class="n">session_id</span><span class="o">=</span><span class="n">token_record</span><span class="p">.</span><span class="n">session_id</span><span class="p">,</span> <span class="n">family_id</span><span class="o">=</span><span class="n">token_record</span><span class="p">.</span><span class="n">family_id</span> <span class="p">)</span> <span class="c1"># Issue a new access token </span> <span class="n">user</span> <span class="o">=</span> <span class="k">await</span> <span class="n">user_repo</span><span class="p">.</span><span class="nf">get_by_id</span><span class="p">(</span><span class="n">db</span><span class="p">,</span> <span class="n">token_record</span><span class="p">.</span><span class="n">user_id</span><span class="p">)</span> <span class="n">new_access_token</span><span class="p">,</span> <span class="n">_</span> <span class="o">=</span> <span class="nf">create_access_token</span><span class="p">(</span> <span class="n">user_id</span><span class="o">=</span><span class="nf">str</span><span class="p">(</span><span class="n">user</span><span class="p">.</span><span class="nb">id</span><span class="p">),</span> <span class="n">email</span><span class="o">=</span><span class="n">user</span><span class="p">.</span><span class="n">email</span><span class="p">,</span> <span class="n">roles</span><span class="o">=</span><span class="p">[</span><span class="n">role</span><span class="p">.</span><span class="n">name</span> <span class="k">for</span> <span class="n">role</span> <span class="ow">in</span> <span class="n">user</span><span class="p">.</span><span class="n">roles</span><span class="p">]</span> <span class="p">)</span> <span class="k">return</span> <span class="n">new_access_token</span><span class="p">,</span> <span class="n">new_raw_token</span> </code></pre> </div> <p>The outcome of reuse detection is uncomfortable for the real user - they get logged out and have to re-authenticate. But that is the correct response. Something is wrong. Either the token was stolen, or the client has a bug. Either way, forcing re-authentication is the right call. The real user is inconvenienced for 30 seconds. The attacker loses access entirely.</p> <h2> What Lives Where and Why </h2> <p>After working through all of this, the storage decisions become clear.</p> <p>Access tokens live in client memory - never in localStorage, which is accessible to any JavaScript on the page including third-party scripts. Memory is cleared when the tab closes, which is acceptable given the 15-minute TTL.</p> <p>Refresh tokens live in PostgreSQL, stored as SHA-256 hashes. The raw token is given to the client once and never stored on the server. If the database is breached, the hashes are useless without the raw tokens.</p> <p>The blacklist lives in Redis, keyed by JTI with TTLs matching each token's remaining lifetime. Self-cleaning, fast, and adds under 1 millisecond to every protected request.</p> <h2> What JWT Security Actually Is </h2> <p>Working through all four of these problems changed how I think about token security.</p> <p>The stateless property of JWTs is real and valuable - it is what makes AuthShield's tokens verifiable by any downstream service without calling back to AuthShield. But statelessness and revocability are fundamentally in conflict. The solution is not to pick one. It is to understand which layer handles which concern.</p> <p>JWTs handle identity and authorization - who the user is and what they can do. Redis handles revocation - making logout immediate. PostgreSQL handles refresh token lifecycle - rotation, family tracking, and theft detection. Each layer does one thing.</p> <p>Understanding that separation is what made the implementation make sense.</p> <h2> What Is Next </h2> <p>Next week: rate limiting, integration testing against real infrastructure, Docker, and what I found out about the gap between working locally and running in production.</p> <p>I thought finishing the code meant I was done. It did not.</p> <p><em>AuthShield on GitHub: <a href="https://github.com/ravigupta97/authshield" rel="noopener noreferrer">AuthShield-Repository</a></em></p> <p><em>Always learning, always observing.</em></p> python security backend authentication Ravi Gupta Mon, 30 Mar 2026 03:15:00 +0000 https://dev.to/ravigupta97/i-thought-oauth-was-just-adding-a-google-button-turns-out-its-a-csrf-problem-disguised-as-a-5gek https://dev.to/ravigupta97/i-thought-oauth-was-just-adding-a-google-button-turns-out-its-a-csrf-problem-disguised-as-a-5gek <p><em>This is Part 2 of a 4-part series on building AuthShield - a production-ready standalone authentication microservice. This post covers the OAuth 2.0 implementation: Authorization Code Flow, PKCE, CSRF protection, and account linking.<br> Part 1 is here: <a href="https://dev.to/ravigupta97/why-i-stopped-writing-auth-code-for-every-project-and-built-authshield-21cj">Why I Stopped Writing Auth Code for Every Project and Built AuthShield</a></em></p> <p>When I started implementing OAuth 2.0 in AuthShield, I thought it was going to be one of the easier parts.</p> <p>Add a Google button. Redirect the user. Get their email back. Done.</p> <p>I was wrong - not because OAuth is complicated, but because I did not understand what it actually is. I thought it was a login mechanism. It is not. OAuth 2.0 is an authorization framework, and almost every step in the flow exists to defend against a specific attack.</p> <p>Once I understood that, everything clicked. But getting there took more time than I expected.</p> <h2> What OAuth 2.0 Actually Is </h2> <p>Most engineers encounter OAuth for the first time through social login. Click "Sign in with Google," get redirected, come back logged in. The experience is smooth and the implementation feels like it should match that smoothness.</p> <p>But OAuth 2.0 was not designed for authentication. It was designed for authorization - specifically, for allowing a third-party application to access resources on a user's behalf without ever seeing the user's password.</p> <p>The "Sign in with Google" use case is built on top of OAuth 2.0 using OpenID Connect, which adds an identity layer. When you implement Google login, you are using both, whether you realise it or not.</p> <p>This distinction matters because it changes how you think about the flow. You are not just "getting the user." You are asking Google to vouch for the user's identity and hand you a verified email address. Every step in the flow is about ensuring that handoff cannot be tampered with.</p> <h2> The Authorization Code Flow </h2> <p>AuthShield uses the Authorization Code Flow, which is the most secure OAuth flow for server-side applications. Here is how it works:</p> <ol> <li>The user clicks "Sign in with Google"</li> <li>AuthShield redirects the user to Google's authorization server with a set of parameters — client ID, requested scopes, redirect URI, and two security parameters we will come back to</li> <li>The user logs into Google and grants permission</li> <li>Google redirects the user back to AuthShield's callback URL with a short-lived authorization code</li> <li>AuthShield exchanges that code for an access token by making a server-to-server request to Google — this is the key step, because the exchange happens on the backend, never in the browser</li> <li>AuthShield uses the access token to fetch the user's profile from Google</li> <li>AuthShield creates or finds the user in its own database and issues its own JWT</li> </ol> <p>Step 5 is what makes this flow secure. The authorization code is short-lived and single-use. Even if someone intercepts the redirect in step 4, they cannot exchange the code - they do not have the client secret required for the server-to-server exchange.</p> <p>The implicit flow, which used to be recommended for single-page applications, skipped step 5 and returned tokens directly in the URL fragment. That meant tokens were exposed in browser history, server logs, and referrer headers. It is deprecated now. Do not use it.</p> <h2> The State Parameter: The CSRF Problem I Almost Skipped </h2> <p>The first security parameter in the authorization request is the state parameter, and I almost did not implement it properly because it looked optional in the documentation.</p> <p>It is not optional.</p> <p>Here is the attack it prevents. Without a state parameter, an attacker can initiate an OAuth flow on your site and craft a malicious link to the callback URL. If they trick a victim into clicking that link — through a phishing email, a malicious website, anything - the victim's browser completes the OAuth callback and their account gets linked to the attacker's identity. The attacker now has access to the victim's account.</p> <p>This is a Cross-Site Request Forgery attack applied to an OAuth flow. The state parameter prevents it by creating a binding between the authorization request and the callback.</p> <p>Here is how AuthShield implements it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">secrets</span> <span class="kn">import</span> <span class="n">json</span> <span class="kn">from</span> <span class="n">redis.asyncio</span> <span class="kn">import</span> <span class="n">Redis</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">generate_oauth_state</span><span class="p">(</span><span class="n">redis</span><span class="p">:</span> <span class="n">Redis</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="c1"># Generate a cryptographically random state token </span> <span class="n">state</span> <span class="o">=</span> <span class="n">secrets</span><span class="p">.</span><span class="nf">token_urlsafe</span><span class="p">(</span><span class="mi">32</span><span class="p">)</span> <span class="c1"># Store in Redis with a short TTL — 10 minutes is enough </span> <span class="c1"># After that, the state is invalid and the flow must restart </span> <span class="k">await</span> <span class="n">redis</span><span class="p">.</span><span class="nf">setex</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">oauth_state:</span><span class="si">{</span><span class="n">state</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="mi">600</span><span class="p">,</span> <span class="c1"># 10 minutes in seconds </span> <span class="sh">"</span><span class="s">1</span><span class="sh">"</span> <span class="p">)</span> <span class="k">return</span> <span class="n">state</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">verify_oauth_state</span><span class="p">(</span><span class="n">redis</span><span class="p">:</span> <span class="n">Redis</span><span class="p">,</span> <span class="n">state</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="c1"># Check if the state exists in Redis </span> <span class="n">key</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">oauth_state:</span><span class="si">{</span><span class="n">state</span><span class="si">}</span><span class="sh">"</span> <span class="n">exists</span> <span class="o">=</span> <span class="k">await</span> <span class="n">redis</span><span class="p">.</span><span class="nf">exists</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">exists</span><span class="p">:</span> <span class="k">return</span> <span class="bp">False</span> <span class="c1"># Delete immediately — state tokens are single-use </span> <span class="c1"># A replayed callback with the same state will fail </span> <span class="k">await</span> <span class="n">redis</span><span class="p">.</span><span class="nf">delete</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="k">return</span> <span class="bp">True</span> </code></pre> </div> <p>A few things worth noting here. The state is stored in Redis, not the database. It is short-lived and single-use - once it is verified in the callback, it is deleted immediately. If an attacker somehow captures the state and tries to replay the callback, the token is already gone.</p> <p>The callback handler verifies the state before doing anything else:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">google_callback</span><span class="p">(</span> <span class="n">code</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">state</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">redis</span><span class="p">:</span> <span class="n">Redis</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">get_redis</span><span class="p">),</span> <span class="n">db</span><span class="p">:</span> <span class="n">AsyncSession</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">get_db</span><span class="p">)</span> <span class="p">):</span> <span class="c1"># First thing — verify the state </span> <span class="c1"># If this fails, reject the request entirely </span> <span class="n">is_valid</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">verify_oauth_state</span><span class="p">(</span><span class="n">redis</span><span class="p">,</span> <span class="n">state</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">is_valid</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span> <span class="n">status_code</span><span class="o">=</span><span class="mi">400</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Invalid or expired state parameter</span><span class="sh">"</span> <span class="p">)</span> <span class="c1"># Only proceed if state is valid </span> <span class="c1"># Exchange code for token, fetch user info, etc. </span> <span class="bp">...</span> </code></pre> </div> <h2> PKCE: The Part That Took Me the Longest </h2> <p>The second security parameter is PKCE - Proof Key for Code Exchange, pronounced "pixie." This is the part of the OAuth implementation that surprised me the most and took the longest to understand properly.</p> <p>PKCE was originally designed for mobile and single-page applications that cannot securely store a client secret. But it is now recommended for all OAuth flows regardless of application type.</p> <p>Here is the problem it solves. In the Authorization Code Flow, the authorization code is passed through the browser in a redirect. If an attacker can intercept that redirect - through a malicious app on the same device, a compromised browser extension, or a misconfigured redirect URI - they have the code. And if they also have the client secret, they can exchange it for tokens.</p> <p>PKCE removes the client secret from the equation for the code exchange. Instead, the client proves it initiated the original request by solving a cryptographic challenge.</p> <p>Here is how it works:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">hashlib</span> <span class="kn">import</span> <span class="n">base64</span> <span class="kn">import</span> <span class="n">secrets</span> <span class="k">def</span> <span class="nf">generate_pkce_pair</span><span class="p">()</span> <span class="o">-&gt;</span> <span class="nb">tuple</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="nb">str</span><span class="p">]:</span> <span class="c1"># Step 1: Generate a random code verifier </span> <span class="c1"># This is a long random string that only the client knows </span> <span class="n">code_verifier</span> <span class="o">=</span> <span class="n">secrets</span><span class="p">.</span><span class="nf">token_urlsafe</span><span class="p">(</span><span class="mi">64</span><span class="p">)</span> <span class="c1"># Step 2: Hash the verifier to create the code challenge </span> <span class="c1"># SHA-256 hash, then base64url encode it </span> <span class="n">digest</span> <span class="o">=</span> <span class="n">hashlib</span><span class="p">.</span><span class="nf">sha256</span><span class="p">(</span><span class="n">code_verifier</span><span class="p">.</span><span class="nf">encode</span><span class="p">()).</span><span class="nf">digest</span><span class="p">()</span> <span class="n">code_challenge</span> <span class="o">=</span> <span class="n">base64</span><span class="p">.</span><span class="nf">urlsafe_b64encode</span><span class="p">(</span><span class="n">digest</span><span class="p">).</span><span class="nf">rstrip</span><span class="p">(</span><span class="sa">b</span><span class="sh">'</span><span class="s">=</span><span class="sh">'</span><span class="p">).</span><span class="nf">decode</span><span class="p">()</span> <span class="k">return</span> <span class="n">code_verifier</span><span class="p">,</span> <span class="n">code_challenge</span> </code></pre> </div> <p>The flow with PKCE works like this:</p> <ol> <li>AuthShield generates the code verifier and code challenge before redirecting to Google</li> <li>The code challenge is sent to Google in the authorization request</li> <li>The code verifier is stored temporarily - in AuthShield's case, in Redis alongside the state token</li> <li>When Google redirects back with the authorization code, AuthShield sends both the code and the original code verifier to exchange for tokens</li> <li>Google hashes the verifier, compares it to the challenge it stored from step 2, and only issues tokens if they match</li> </ol> <p>An attacker who intercepts the authorization code cannot exchange it because they do not have the code verifier. It never left the server.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">initiate_google_oauth</span><span class="p">(</span><span class="n">redis</span><span class="p">:</span> <span class="n">Redis</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="c1"># Generate state and PKCE pair </span> <span class="n">state</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">generate_oauth_state</span><span class="p">(</span><span class="n">redis</span><span class="p">)</span> <span class="n">code_verifier</span><span class="p">,</span> <span class="n">code_challenge</span> <span class="o">=</span> <span class="nf">generate_pkce_pair</span><span class="p">()</span> <span class="c1"># Store the code verifier in Redis linked to the state </span> <span class="c1"># So we can retrieve it in the callback </span> <span class="k">await</span> <span class="n">redis</span><span class="p">.</span><span class="nf">setex</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">pkce_verifier:</span><span class="si">{</span><span class="n">state</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="mi">600</span><span class="p">,</span> <span class="n">code_verifier</span> <span class="p">)</span> <span class="c1"># Build the Google authorization URL </span> <span class="n">params</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">client_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">settings</span><span class="p">.</span><span class="n">GOOGLE_CLIENT_ID</span><span class="p">,</span> <span class="sh">"</span><span class="s">redirect_uri</span><span class="sh">"</span><span class="p">:</span> <span class="n">settings</span><span class="p">.</span><span class="n">GOOGLE_REDIRECT_URI</span><span class="p">,</span> <span class="sh">"</span><span class="s">response_type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">code</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">scope</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">openid email profile</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">state</span><span class="sh">"</span><span class="p">:</span> <span class="n">state</span><span class="p">,</span> <span class="sh">"</span><span class="s">code_challenge</span><span class="sh">"</span><span class="p">:</span> <span class="n">code_challenge</span><span class="p">,</span> <span class="sh">"</span><span class="s">code_challenge_method</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">S256</span><span class="sh">"</span><span class="p">,</span> <span class="p">}</span> <span class="n">base_url</span> <span class="o">=</span> <span class="sh">"</span><span class="s">https://accounts.google.com/o/oauth2/v2/auth</span><span class="sh">"</span> <span class="k">return</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">base_url</span><span class="si">}</span><span class="s">?</span><span class="si">{</span><span class="sh">'</span><span class="s">&amp;</span><span class="sh">'</span><span class="p">.</span><span class="n">join</span><span class="p">(</span><span class="sa">f</span><span class="sh">'</span><span class="si">{</span><span class="n">k</span><span class="si">}</span><span class="o">=</span><span class="si">{</span><span class="n">v</span><span class="si">}</span><span class="sh">'</span><span class="s"> for k, v in params.items())</span><span class="si">}</span><span class="sh">"</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">exchange_code_for_token</span><span class="p">(</span> <span class="n">code</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">state</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">redis</span><span class="p">:</span> <span class="n">Redis</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="c1"># Retrieve the code verifier stored during initiation </span> <span class="n">code_verifier</span> <span class="o">=</span> <span class="k">await</span> <span class="n">redis</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">pkce_verifier:</span><span class="si">{</span><span class="n">state</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">code_verifier</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">400</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">PKCE verifier not found</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Clean up </span> <span class="k">await</span> <span class="n">redis</span><span class="p">.</span><span class="nf">delete</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">pkce_verifier:</span><span class="si">{</span><span class="n">state</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Exchange code for token — include the verifier, not the challenge </span> <span class="k">async</span> <span class="k">with</span> <span class="n">httpx</span><span class="p">.</span><span class="nc">AsyncClient</span><span class="p">()</span> <span class="k">as</span> <span class="n">client</span><span class="p">:</span> <span class="n">response</span> <span class="o">=</span> <span class="k">await</span> <span class="n">client</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span> <span class="sh">"</span><span class="s">https://oauth2.googleapis.com/token</span><span class="sh">"</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">client_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">settings</span><span class="p">.</span><span class="n">GOOGLE_CLIENT_ID</span><span class="p">,</span> <span class="sh">"</span><span class="s">client_secret</span><span class="sh">"</span><span class="p">:</span> <span class="n">settings</span><span class="p">.</span><span class="n">GOOGLE_CLIENT_SECRET</span><span class="p">,</span> <span class="sh">"</span><span class="s">code</span><span class="sh">"</span><span class="p">:</span> <span class="n">code</span><span class="p">,</span> <span class="sh">"</span><span class="s">redirect_uri</span><span class="sh">"</span><span class="p">:</span> <span class="n">settings</span><span class="p">.</span><span class="n">GOOGLE_REDIRECT_URI</span><span class="p">,</span> <span class="sh">"</span><span class="s">grant_type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">authorization_code</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">code_verifier</span><span class="sh">"</span><span class="p">:</span> <span class="n">code_verifier</span><span class="p">,</span> <span class="c1"># This is what proves we initiated the request </span> <span class="p">}</span> <span class="p">)</span> <span class="k">return</span> <span class="n">response</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> </code></pre> </div> <p>The reason this took me time to understand was not the code itself - it is not complicated once you see it. It was understanding <em>why</em> each step exists and what happens if you skip it. The docs describe PKCE as an enhancement. In practice, for any public-facing OAuth flow, it is a requirement.</p> <h2> Account Linking: The Edge Case Nobody Thinks About </h2> <p>Once the OAuth flow works, there is an edge case that is easy to miss: what happens when a user who already has an email and password account tries to sign in with Google using the same email?</p> <p>There are two options. Reject them with an error - "this email is already registered, please log in with your password." Or link the accounts - recognise that it is the same person and give them access.</p> <p>Rejecting them is the wrong call. It creates a confusing user experience and forces the user to remember which method they used to sign up. Linking them is the right call, but it requires careful handling.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">find_or_create_oauth_user</span><span class="p">(</span> <span class="n">email</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">full_name</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">oauth_provider</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">oauth_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">avatar_url</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">db</span><span class="p">:</span> <span class="n">AsyncSession</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="n">User</span><span class="p">:</span> <span class="c1"># First, check if a user with this OAuth provider ID already exists </span> <span class="c1"># This handles returning OAuth users </span> <span class="n">existing_oauth_user</span> <span class="o">=</span> <span class="k">await</span> <span class="n">user_repo</span><span class="p">.</span><span class="nf">get_by_oauth</span><span class="p">(</span> <span class="n">db</span><span class="p">,</span> <span class="n">provider</span><span class="o">=</span><span class="n">oauth_provider</span><span class="p">,</span> <span class="n">oauth_id</span><span class="o">=</span><span class="n">oauth_id</span> <span class="p">)</span> <span class="k">if</span> <span class="n">existing_oauth_user</span><span class="p">:</span> <span class="k">return</span> <span class="n">existing_oauth_user</span> <span class="c1"># Check if a user with this email exists (registered with password) </span> <span class="n">existing_email_user</span> <span class="o">=</span> <span class="k">await</span> <span class="n">user_repo</span><span class="p">.</span><span class="nf">get_by_email</span><span class="p">(</span><span class="n">db</span><span class="p">,</span> <span class="n">email</span><span class="o">=</span><span class="n">email</span><span class="p">)</span> <span class="k">if</span> <span class="n">existing_email_user</span><span class="p">:</span> <span class="c1"># Link the OAuth account to the existing user </span> <span class="c1"># They can now sign in with either method </span> <span class="n">existing_email_user</span><span class="p">.</span><span class="n">oauth_provider</span> <span class="o">=</span> <span class="n">oauth_provider</span> <span class="n">existing_email_user</span><span class="p">.</span><span class="n">oauth_id</span> <span class="o">=</span> <span class="n">oauth_id</span> <span class="n">existing_email_user</span><span class="p">.</span><span class="n">avatar_url</span> <span class="o">=</span> <span class="n">avatar_url</span> <span class="c1"># Mark as verified — the OAuth provider already verified the email </span> <span class="n">existing_email_user</span><span class="p">.</span><span class="n">is_verified</span> <span class="o">=</span> <span class="bp">True</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="k">return</span> <span class="n">existing_email_user</span> <span class="c1"># New user — create them </span> <span class="c1"># No password hash needed — they authenticate via OAuth </span> <span class="c1"># Mark as verified immediately — OAuth provider verified the email </span> <span class="n">new_user</span> <span class="o">=</span> <span class="nc">User</span><span class="p">(</span> <span class="n">email</span><span class="o">=</span><span class="n">email</span><span class="p">,</span> <span class="n">full_name</span><span class="o">=</span><span class="n">full_name</span><span class="p">,</span> <span class="n">password_hash</span><span class="o">=</span><span class="bp">None</span><span class="p">,</span> <span class="c1"># Nullable — OAuth users have no password </span> <span class="n">oauth_provider</span><span class="o">=</span><span class="n">oauth_provider</span><span class="p">,</span> <span class="n">oauth_id</span><span class="o">=</span><span class="n">oauth_id</span><span class="p">,</span> <span class="n">avatar_url</span><span class="o">=</span><span class="n">avatar_url</span><span class="p">,</span> <span class="n">is_verified</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="c1"># Google already verified it </span> <span class="n">is_active</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">)</span> <span class="n">db</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="n">new_user</span><span class="p">)</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="k">return</span> <span class="n">new_user</span> </code></pre> </div> <p>Two things worth noting in this implementation.</p> <p>First, the lookup order matters. We check by OAuth provider ID first, then by email. This handles the case where a user has already linked their OAuth account - we find them immediately without touching the email lookup.</p> <p>Second, OAuth users are marked as verified immediately. Google has already verified the email address. Requiring them to go through email verification again would be both redundant and confusing. The <code>password_hash</code> field in the database is nullable specifically to accommodate users who authenticate only through OAuth and have no password.</p> <h2> What OAuth Actually Is </h2> <p>After implementing all of this, my understanding of OAuth shifted.</p> <p>It is not a login feature. It is a set of security boundaries, each one defending against a specific attack. The state parameter defends against CSRF. PKCE defends against authorization code interception. The server-side code exchange defends against token exposure in the browser. Account linking defends against a fragmented user experience that pushes users toward insecure workarounds.</p> <p>When I thought of it as "adding a Google button," I was looking at the 1% of the implementation that is visible. The other 99% is the security reasoning underneath it.</p> <p>Understanding that reasoning is the difference between OAuth that works and OAuth that holds up.</p> <h2> What Is Next </h2> <p>Next week: JWTs, logout, and the conflict between stateless tokens and immediate revocation.</p> <p>I thought JWTs were stateless and that was their whole point. Then I tried to implement logout. The solution - Redis blacklisting, token families, and reuse detection - turned out to be the most interesting engineering problem in the entire project.</p> <p><em>AuthShield on GitHub: <a href="https://github.com/ravigupta97/authshield" rel="noopener noreferrer">AuthShield-Repository</a></em></p> <p><em>Always learning, always observing.</em></p> python oauth security backend Ravi Gupta Mon, 23 Mar 2026 03:27:46 +0000 https://dev.to/ravigupta97/why-i-stopped-writing-auth-code-for-every-project-and-built-authshield-21cj https://dev.to/ravigupta97/why-i-stopped-writing-auth-code-for-every-project-and-built-authshield-21cj <p><em>This is Part 1 of a 4-part series on building AuthShield - a production-ready standalone authentication microservice. This post is the origin story. No code, just the thinking.</em></p> <p>Every backend project I have built starts the same way.</p> <p>New repo. Fresh database. And then before writing a single line of product code, auth.</p> <p>Registration. Email verification. Login. JWT tokens. Password reset. OAuth. Roles. Sessions.</p> <p>The first time I built it, I learned a lot. I understood JWTs, token expiry, password hashing, OAuth flows. It was genuinely valuable.</p> <p>Then I started the next project. And built it again.</p> <p>Then the next one. And built it again.</p> <p>At some point I stopped and looked at what I was doing. Every project needs authentication. The requirements are almost identical across all of them. The security concerns are exactly the same. Yet I was treating it as a fresh problem every single time.</p> <p>That is not engineering. That is repetition.</p> <p>So I asked myself a simple question: why am I solving the same problem again?</p> <h2> The Real Problem With Copying Auth Code </h2> <p>The obvious solution is to copy it from the previous project. Most engineers do this. I did it too.</p> <p>But copying auth code carries a problem that only shows up later. Auth logic gets tangled with the application it was written for. It references that project's database models, that project's config structure, that project's way of handling errors. You copy it, spend a day untangling it, make adjustments to fit the new project, and ship it.</p> <p>Two months later you find a security issue in the original. You patch it there. The copy still has the old version. You forget. It happens.</p> <p>The deeper issue is that every time you touch auth code to make it fit a new project, you introduce risk. Security code is not the place for casual modifications. A small change in how tokens are validated, how refresh tokens are stored, or how OAuth state is handled can create a vulnerability that looks completely normal in a code review.</p> <p>Copying is not reusing. It is duplicating - and duplicating security-critical code is one of the quieter ways things go wrong in backend engineering.</p> <h2> The Idea: A Microservice Built Once, Used Everywhere </h2> <p>The question was not how to write better auth code. The question was how to write it once and never write it again.</p> <p>Authentication is infrastructure. It is not a feature of any specific application — it is the layer that makes features possible. And like any infrastructure, it should live in one place, be maintained in one place, and be consumed by everything that needs it.</p> <p>That is what microservices are for. We separate payment processing into its own service. We separate email sending into its own service. Auth deserves the same treatment, arguably more so, because the consequences of getting it wrong are more severe than a failed payment webhook.</p> <p>The vision was straightforward: build a standalone auth microservice that any backend project can plug into. Not import as a library. Not copy code from. Actually plug into - send it an HTTP request, get back a JWT, validate that JWT locally, done. The application never touches passwords, tokens, or OAuth flows directly.</p> <p>One service. Any number of consumers. One place to maintain security. One place to patch vulnerabilities.</p> <p>That is AuthShield.</p> <h2> What AuthShield Actually Handles </h2> <p>AuthShield is a deployable FastAPI service backed by PostgreSQL and Redis. Here is what it covers out of the box:</p> <p><strong>Authentication</strong> - Email and password registration with email verification, login returning JWT access and refresh tokens, Google and GitHub OAuth 2.0 via Authorization Code Flow, and TOTP-based two-factor authentication compatible with Google Authenticator and Authy.</p> <p><strong>Authorisation</strong> - Role-based access control with three built-in roles: user, moderator, and admin. Roles are embedded in the JWT so downstream services check permissions without a single database call.</p> <p><strong>Token security</strong> - 15-minute access tokens, 7-day refresh tokens with rotation on every use, Redis-based blacklisting so logout takes effect on the very next request, and refresh token reuse detection that revokes an entire token family the moment theft is suspected.</p> <p><strong>Session management</strong> - Every login creates a tracked session recording IP address and device info. Users can list all active sessions and revoke any of them individually.</p> <p><strong>Rate limiting</strong> - Redis sliding-window rate limits on every sensitive endpoint. Not fixed-window — sliding-window, which means there is no clock boundary reset to exploit.</p> <p><strong>Production infrastructure</strong> - Dockerised with a multi-stage build, Nginx for TLS termination and security headers on every response, structured JSON logging, and 48 integration tests running against real PostgreSQL and Redis.</p> <p>The integration pattern is the part that makes this actually useful as a reusable service. Any downstream project needs exactly one file and one shared environment variable. The file is 40 lines of Python. It validates the JWT locally - no runtime call to AuthShield on every request - extracts the user ID and roles from the token, and makes them available to every protected route. That is it. The application never thinks about auth again.</p> <h2> Why Not Auth0, Clerk, or Any Existing Solution </h2> <p>This is the question worth answering honestly.</p> <p>Managed auth services are good products. Auth0, Clerk, Supabase Auth - they are mature, well-documented, and genuinely save time. For many teams and many products, they are the right call.</p> <p>But I had two specific reasons for not going that route.</p> <p><strong>The first is understanding.</strong> When you use a managed auth service, you are trusting a black box with the most security-critical layer of your application. That is a reasonable tradeoff for speed. But it means that when something goes wrong - and in auth, something eventually always goes wrong — you are dependent on someone else's documentation, someone else's support, and someone else's timeline to fix it.</p> <p>I wanted to understand every decision in my auth layer. Why the token TTL is what it is. Why refresh tokens are stored hashed rather than plain. Why the OAuth state parameter exists and what happens if it is missing. Why sliding-window rate limiting behaves differently from fixed-window at the boundary. Not because I enjoy complexity, but because understanding your security layer is the difference between debugging a problem and being surprised by one.</p> <p><strong>The second is control.</strong> Security decisions should belong to the engineer shipping the system. What hashing algorithm, what token strategy, what revocation mechanism, what rate limit thresholds - these are decisions that have real consequences. Delegating them entirely to a third-party service means accepting their defaults without always knowing what those defaults are or why they were chosen.</p> <p>AuthShield gives full control over every one of those decisions. Every choice is visible, documented, and mine to change.</p> <p>Neither of these reasons means managed auth services are wrong. They mean they were wrong for what I was trying to build.</p> <h2> What This Series Covers </h2> <p>This post is the origin story. The next three go into the parts that actually made me think.</p> <p><strong>Next week -</strong> OAuth and why it is more than just adding a Google button</p> <p><strong>Week after -</strong> JWTs, logout, and why stateless tokens create a stateful problem.</p> <p><strong>Final week -</strong> Rate limiting, testing, and the gap between working locally and running in production.</p> <p>The GitHub repo is linked below. The README has a full integration guide — how to plug AuthShield into any backend project in under 30 minutes. Contributions and feedback are welcome.</p> <h2> One Last Thought </h2> <p>I built AuthShield because I saw a problem I kept solving repeatedly and decided to solve it once properly.</p> <p>But there is something else that came out of building it that I did not expect. The process of designing a security-focused microservice from scratch - making every decision deliberately, documenting every tradeoff, writing tests that actually run against real infrastructure - changed how I think about backend engineering in general.</p> <p>Not every project needs a custom auth microservice. But every engineer who has built one has a different relationship with the auth layer in every project they touch after that.</p> <p>That, more than anything, is why I would recommend the experience.</p> <p><em>AuthShield on GitHub: <a href="https://github.com/ravigupta97/authshield" rel="noopener noreferrer">https://github.com/ravigupta97/authshield</a></em></p> <p><em>Always learning, always observing.</em></p> python backend security webdev Ravi Gupta Mon, 16 Mar 2026 03:15:00 +0000 https://dev.to/ravigupta97/the-faster-we-build-with-ai-the-more-dangerous-bad-auth-becomes-and-the-rarer-good-auth-becomes-1oeg https://dev.to/ravigupta97/the-faster-we-build-with-ai-the-more-dangerous-bad-auth-becomes-and-the-rarer-good-auth-becomes-1oeg <h2> The Faster We Build with AI, the More Dangerous Bad Auth Becomes - And the Rarer Good Auth Becomes </h2> <p><em>While everyone races to ship with AI, understanding authentication and authorization is quietly becoming the most valuable skill in backend engineering.</em></p> <p>Let me set a scene that probably sounds familiar.</p> <p>You're building a new backend service. You open Cursor, type a prompt - <em>"implement OAuth 2.0 login with JWT tokens"</em> - and in about 8 seconds you have 150 lines of clean, readable, production-looking code. You skim it. It looks right. You move on.</p> <p>I've done this. Most engineers I know have done this.</p> <p>And here's what nobody talks about: that code is often <em>almost</em> correct. Not obviously broken - just subtly, silently wrong in ways that don't surface until something goes wrong in production. A token that should expire doesn't. A user who should lose access still has it. An endpoint that should be protected isn't.</p> <p>The AI didn't fail you. You just didn't know what to check.</p> <p>That's what this post is about.</p> <h2> First, Let's Get the Basics Right - Because Most People Still Conflate These </h2> <p>Before we go deeper, one thing I need to address: <strong>Authentication and Authorization are not the same thing</strong>, and confusing them is the root cause of more bugs than I can count.</p> <p><strong>Authentication</strong> answers: <em>Who are you?</em><br> It's the process of verifying identity. When you log in with a username and password, or sign in with Google - that's authentication.</p> <p><strong>Authorization</strong> answers: <em>What are you allowed to do?</em><br> It's the process of determining permissions. After the system knows who you are, authorization decides what resources you can access and what actions you can take.</p> <p>Here's a simple way to remember it:</p> <blockquote> <p>Authentication is the bouncer checking your ID at the door.<br> Authorization is the VIP list that decides which rooms you can enter.</p> </blockquote> <p>You need both. In that order. Always.</p> <p>Most AI-generated auth code handles authentication passably. Authorization is where things quietly go wrong — missing scope checks, over-permissioned tokens, endpoints that assume "logged in" means "allowed."</p> <p>Keep this distinction in your head for the rest of this post.</p> <h2> Why This Matters More Right Now Than It Ever Has </h2> <p>A few years ago, building a backend with proper auth took meaningful effort. You had to understand the flow, write the code, debug it, test it. That friction was annoying - but it also meant you spent <em>time</em> with the code. You understood it.</p> <p>Today, that friction is largely gone.</p> <p>Copilot, ChatGPT, Claude, Cursor - these tools can scaffold an entire authentication system in minutes. That's genuinely incredible. It's also genuinely risky when the engineer shipping that code doesn't understand what's under the hood.</p> <p>Think about what's happening at scale:</p> <ul> <li>Thousands of developers are shipping AI-generated auth code every day</li> <li>Many of them are newer engineers who haven't been burned by auth bugs yet</li> <li>The code <em>looks</em> correct - it has the right function names, the right libraries, the right structure</li> <li>But subtle mistakes - wrong grant type, missing token validation, no refresh rotation - slip through</li> </ul> <p><strong>The attack surface of the internet is growing faster than collective security knowledge.</strong> That's the uncomfortable reality.</p> <p>And here's the flip side - the opportunity: engineers who genuinely understand auth, who can look at AI-generated OAuth code and immediately spot what's missing or wrong, are increasingly rare and increasingly valuable.</p> <p>Let's make sure you're one of them.</p> <h2> OAuth 2.0: What It Actually Is (And What People Get Wrong About It) </h2> <p>OAuth 2.0 is an <strong>authorization framework</strong> - not an authentication protocol. This trips people up constantly. OAuth 2.0 on its own does not tell you who the user is. It tells you what a client application is allowed to do on behalf of a user.</p> <p>Authentication on top of OAuth 2.0 is what OpenID Connect (OIDC) adds. If you're using OAuth to log users in, you're almost certainly using OIDC on top — whether you know it or not.</p> <p>OAuth 2.0 works through <strong>flows</strong>, also called grant types. Different situations call for different flows. This is where I see AI-generated code go wrong most often - it picks a flow, but not necessarily the right one for the context.</p> <h3> The Four Flows You Need to Know </h3> <p><strong>1. Authorization Code Flow + PKCE</strong><br> <em>Use this for: web apps, mobile apps, SPAs - anything where a user is present</em></p> <p>This is the most common and most secure flow for user-facing applications. Here's how it works:</p> <ol> <li>Your app redirects the user to the authorization server (e.g., Google, Auth0)</li> <li>The user logs in and grants permission</li> <li>The authorization server redirects back to your app with a short-lived <strong>authorization code</strong> </li> <li>Your app exchanges that code for an <strong>access token</strong> (and optionally a refresh token)</li> </ol> <p>The code is single-use and expires quickly. Even if someone intercepts the redirect, they can't do much with just the code.</p> <p><strong>PKCE</strong> (Proof Key for Code Exchange - pronounced "pixie") is the security enhancement that makes this flow safe for public clients like SPAs and mobile apps that can't securely store a client secret.</p> <p>How PKCE works:</p> <ol> <li>Your app generates a random <strong>code verifier</strong> (a long random string)</li> <li>It hashes that verifier to create a <strong>code challenge</strong> </li> <li>It sends the code challenge with the authorization request</li> <li>When exchanging the code for tokens, it sends the original code verifier</li> <li>The authorization server verifies the verifier matches the challenge</li> </ol> <p>This means even if an attacker intercepts the authorization code, they can't exchange it - they don't have the code verifier.</p> <p><strong>AI-generated code mistake I see here:</strong> Omitting PKCE entirely for SPAs, or implementing the Authorization Code flow without PKCE for mobile apps. It looks fine. It isn't.</p> <p><strong>2. Client Credentials Flow</strong><br> <em>Use this for: machine-to-machine (M2M), service-to-service, backend APIs</em></p> <p>No user involved here. This is for when one service needs to talk to another service. Your backend requests a token directly from the authorization server using its client ID and client secret.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Backend Service → Authorization Server: "Here's my client ID and secret" Authorization Server → Backend Service: "Here's your access token" Backend Service → Resource API: "Here's my access token" </code></pre> </div> <p>Simple. But the mistakes here are costly:</p> <ul> <li> <strong>Storing the client secret in version control</strong> (it happens more than you think — and AI-generated setup instructions sometimes put secrets in example config files that get committed)</li> <li> <strong>Not rotating secrets</strong> - a secret that never changes is a liability</li> <li> <strong>Over-scoping the token</strong> - requesting all scopes "just in case" instead of the minimum required</li> <li> <strong>Not handling token expiry</strong> - the service breaks at 2am because nobody implemented token refresh logic</li> </ul> <p><strong>3. Implicit Flow</strong><br> <em>Status: Deprecated. Do not use.</em></p> <p>I'm mentioning this because AI tools sometimes still generate it - especially if trained on older code. The Implicit Flow was designed for SPAs before PKCE existed. It returned access tokens directly in the URL fragment, which is a significant security issue. PKCE-enhanced Authorization Code Flow replaced it entirely.</p> <p>If you see Implicit Flow in AI-generated code, replace it.</p> <p><strong>4. Resource Owner Password Credentials (ROPC)</strong><br> <em>Status: Highly discouraged. Almost never appropriate.</em></p> <p>This flow has the user send their username and password directly to your application, which then exchanges them for tokens. It defeats the entire point of OAuth - the user should never give their credentials to a third-party app.</p> <p>The only time this might be acceptable is for highly trusted first-party applications, and even then, there are usually better alternatives. AI tools sometimes generate this for "simplicity." It isn't worth it.</p> <h2> Token Security: Where Most Bugs Live </h2> <p>Let's talk about the actual tokens - because this is where subtle mistakes cause the most damage.</p> <h3> JWT: The Good, The Bad, and The Dangerous </h3> <p>JSON Web Tokens (JWTs) are everywhere. An access token in most OAuth implementations is a JWT. Here's what one looks like under the hood:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>header.payload.signature </code></pre> </div> <ul> <li> <strong>Header</strong>: algorithm used to sign the token (<code>RS256</code>, <code>HS256</code>, etc.)</li> <li> <strong>Payload</strong>: the claims - user ID, scopes, expiry, issuer</li> <li> <strong>Signature</strong>: cryptographic proof the token hasn't been tampered with</li> </ul> <p><strong>The most dangerous JWT mistake: accepting <code>alg: none</code></strong></p> <p>Early JWT libraries had a flaw - if the header said <code>"alg": "none"</code>, some libraries would skip signature verification entirely. An attacker could forge any token they wanted.</p> <p>The fix: always explicitly specify which algorithms your server accepts. Reject anything else.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">jwt</span> <span class="c1"># Bad - trusting the token's own algorithm header # Some libraries will skip verification if alg is "none" </span><span class="n">payload</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span><span class="n">token</span><span class="p">,</span> <span class="n">secret</span><span class="p">)</span> <span class="c1"># Better - explicitly specify accepted algorithms </span><span class="n">payload</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span> <span class="n">token</span><span class="p">,</span> <span class="n">secret</span><span class="p">,</span> <span class="n">algorithms</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">RS256</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># reject anything else </span><span class="p">)</span> </code></pre> </div> <p><strong>Other JWT mistakes I've observed:</strong></p> <ul> <li> <strong>No expiry (<code>exp</code> claim missing)</strong>: A token that never expires is a permanent backdoor. Always set short expiry - 15 minutes for access tokens is common.</li> <li> <strong>Sensitive data in the payload</strong>: The payload is base64-encoded, not encrypted. Anyone can decode it. Don't put passwords, PII, or sensitive business logic in JWT claims.</li> <li> <strong>Not validating the issuer (<code>iss</code>) and audience (<code>aud</code>)</strong>: A token issued for Service A should not be accepted by Service B. Always validate these claims.</li> <li> <strong>Weak signing secrets</strong>: If you're using HMAC (HS256), your secret needs to be long and random. <code>secret123</code> is not a secret.</li> </ul> <h3> Refresh Tokens: The Part Everyone Forgets to Secure </h3> <p>Access tokens are short-lived. Refresh tokens are long-lived - they're used to get new access tokens without the user re-authenticating. That makes them valuable targets.</p> <p><strong>Refresh Token Rotation</strong> is the security practice you should be using:</p> <p>Every time a refresh token is used, the authorization server issues a <em>new</em> refresh token and <strong>invalidates the old one</strong>. If an attacker steals a refresh token and tries to use it after the legitimate user already has, the server detects the reuse and can invalidate the entire session.</p> <p>AI-generated code often implements refresh token logic without rotation. It works - it just doesn't protect against token theft.</p> <p><strong>Refresh token storage matters too:</strong></p> <ul> <li>In web apps: <code>HttpOnly</code>, <code>Secure</code>, <code>SameSite=Strict</code> cookies - not localStorage (XSS can read localStorage)</li> <li>In mobile apps: the device's secure keychain/keystore</li> <li>In backend services: encrypted at rest</li> </ul> <h3> Token Revocation: The Feature Nobody Implements Until They Need It </h3> <p>What happens when a user reports their account was compromised? Or when an employee leaves the company? Or when you detect suspicious activity?</p> <p>You need to <strong>revoke tokens</strong> - immediately invalidate them before they expire naturally.</p> <p>JWTs are stateless by design, which means the server doesn't track them. A revoked JWT is still cryptographically valid until it expires. There are two practical approaches:</p> <ol> <li><p><strong>Token blocklist</strong>: Maintain a fast store (Redis works well) of revoked token IDs (<code>jti</code> claim). Check every incoming token against this list. Overhead is low if done right.</p></li> <li><p><strong>Short expiry + refresh rotation</strong>: Keep access tokens extremely short-lived (5-15 minutes). Revoke the refresh token at the authorization server. The user's access naturally expires within minutes.</p></li> </ol> <p>Most AI-generated code implements neither. It's not a bug that shows up in testing — only in an incident.</p> <h2> Common Vulnerabilities: A Quick-Reference List </h2> <p>These are the ones I check for when reviewing auth code — AI-generated or otherwise:</p> <p><strong>Scope Creep</strong>: Requesting more OAuth scopes than needed. Always use minimum required scopes. If your app only needs to read a user's email, don't request write access to their entire account.</p> <p><strong>Open Redirect</strong>: OAuth flows use redirect URIs. If your server doesn't strictly validate the redirect URI against a whitelist, an attacker can redirect tokens to their own server. Always validate exact URI matches — not just domain matches.</p> <p><strong>State Parameter Missing</strong>: The <code>state</code> parameter in OAuth flows is CSRF protection. It's a random value your app sends with the authorization request and expects back in the callback. Without it, an attacker can trick a user into completing an OAuth flow the attacker initiated. AI-generated code frequently omits this.</p> <p><strong>Logging Tokens</strong>: Access tokens and refresh tokens should never appear in logs. One misconfigured logger that records request headers or bodies, and your tokens are in your logging system - accessible to anyone with log access. Scrub tokens from logs explicitly.</p> <p><strong>Trusting Client-Provided User IDs</strong>: If your API accepts a <code>user_id</code> in the request body and acts on it without verifying it matches the authenticated token's subject claim - that's a broken authorization vulnerability. Always derive the user identity from the validated token, never from user-provided input.</p> <h2> What This Means for Your Career </h2> <p>Here's what I've been observing and thinking about.</p> <p>AI tools are genuinely compressing the time it takes to build things. That's not going away. More backends will be built, by more people, faster than ever before.</p> <p>But auth is not a problem that's been solved by AI generation. It's a domain where:</p> <ul> <li>Mistakes are invisible until they're exploited</li> <li>"Looks correct" and "is correct" are dangerously different things</li> <li>The consequences of getting it wrong fall on real users</li> </ul> <p>Engineers who can look at AI-generated auth code and immediately know <em>what to look for</em>, <em>why certain patterns are dangerous</em>, and <em>what questions to ask</em> - those engineers are not being replaced by AI tools. They're the ones who can actually use those tools responsibly.</p> <p>That's a real differentiator. Not just technically, but professionally.</p> <h2> The Practical Checklist: What to Review in Every Auth Implementation </h2> <p>Whether the code is AI-generated or hand-written, here's what I run through:</p> <ul> <li>[ ] Are we using the right OAuth flow for this use case?</li> <li>[ ] Is PKCE implemented for public clients?</li> <li>[ ] Are JWTs validated with explicit algorithm specification?</li> <li>[ ] Do access tokens have short expiry (<code>exp</code> claim set)?</li> <li>[ ] Is the <code>iss</code> (issuer) and <code>aud</code> (audience) being validated?</li> <li>[ ] Is refresh token rotation implemented?</li> <li>[ ] Are refresh tokens stored securely (not in localStorage)?</li> <li>[ ] Is there a token revocation strategy?</li> <li>[ ] Are redirect URIs strictly validated against a whitelist?</li> <li>[ ] Is the <code>state</code> parameter used to prevent CSRF?</li> <li>[ ] Are tokens being excluded from logs?</li> <li>[ ] Does each OAuth scope request follow the principle of least privilege?</li> <li>[ ] Is user identity derived from the token, not from request input?</li> </ul> <p>Print it. Bookmark it. Run through it before every auth PR you review.</p> <h2> Final Thought </h2> <p>AI didn't make auth easier to get right. It made it easier to get <em>almost</em> right - which in security, is the most dangerous place to be.</p> <p>The engineers who will stand out in the next few years aren't the ones who can prompt the fastest. They're the ones who understand what the prompt produced deeply enough to know when to trust it, when to question it, and when to rewrite it.</p> <p>Auth is one of those areas where that judgment is everything.</p> <p>Go build - but build like you know what's under the hood.</p> <p><em>Found this useful? A backend engineer - always learning, always observing, and writing about what I pick up along the way. If this resonated, <br> let's connect on <a href="https://www.linkedin.com/in/ravigupta97/" rel="noopener noreferrer">LinkedIn</a> | <a href="https://github.com/ravigupta97" rel="noopener noreferrer">GitHub</a>.</em></p> <p><strong>#Authentication #Authorization #OAuth #Security #BackendDevelopment #SoftwareEngineering</strong></p> security oauth backend webdev Ravi Gupta Mon, 09 Mar 2026 03:19:27 +0000 https://dev.to/ravigupta97/building-a-production-ready-task-management-api-with-fastapi-testing-deployment-production-1j1c https://dev.to/ravigupta97/building-a-production-ready-task-management-api-with-fastapi-testing-deployment-production-1j1c <h2> Building a Production-Ready Task Management API with FastAPI: Testing, Deployment &amp; Production (Part 3) </h2> <blockquote> <p><strong>Part 3 of 3:</strong> After the architecture and development phases, I thought deployment would be straightforward. I was wrong. This is the final chapter of my journey from local code to live production system.</p> </blockquote> <p>The API worked perfectly on my laptop.</p> <p>50+ endpoints responding.<br> Authentication solid.<br> Clean architecture.<br> All tests passing locally.</p> <p>I was ready to deploy.</p> <p>Then I clicked "Deploy."</p> <p><strong>That's when everything broke.</strong></p> <p>CORS errors I'd never seen.<br> Environment variables mysteriously missing.<br> Database migrations failing for no reason.<br> Rate limiting crashing the entire app.<br> Cold starts taking 30 seconds.</p> <p>This article covers <strong>Phase 3: Testing, Deployment &amp; Production</strong> - where theory meets reality, and "working" becomes "production-ready."</p> <p>Not just what worked.<br> What broke, what surprised me, and what I learned debugging a live system at midnight.</p> <p><strong>Quick Links:</strong></p> <ul> <li>📖 <a href="https://dev.to/ravigupta97/building-a-production-ready-task-management-api-with-fastapi-complete-architecture-guide-25a">Part 1: Architecture &amp; Design</a> </li> <li>📖 <a href="https://dev.to/ravigupta97/building-a-production-ready-task-management-api-with-fastapi-development-implementation-part-2-2h14">Part 2: Development &amp; Implementation</a> </li> <li>🔗 <a href="https://github.com/ravigupta97/task_management_api" rel="noopener noreferrer">GitHub Repository</a> </li> <li>🚀 <a href="https://task-management-api-a775.onrender.com/docs" rel="noopener noreferrer">Live API Docs</a> </li> </ul> <h2> 📚 What You'll Learn </h2> <ul> <li>Testing async FastAPI with pytest (the setup that actually works)</li> <li>Docker optimization strategies (1.2GB → 380MB)</li> <li>Free-tier deployment with Render + Neon PostgreSQL</li> <li>5 production bugs that only happen after deployment</li> <li>Real metrics from 30 days of uptime</li> <li>What I'd do differently if I started over</li> <li>Cost breakdown of running production API ($0!)</li> </ul> <p><strong>Reading time:</strong> ~15 minutes</p> <p><strong>GitHub Repository:</strong> <a href="https://github.com/ravigupta97/task_management_api" rel="noopener noreferrer">https://github.com/ravigupta97/task_management_api</a></p> <p><strong>Live API:</strong> <a href="https://task-management-api-a775.onrender.com/docs" rel="noopener noreferrer">https://task-management-api-a775.onrender.com/docs</a></p> <h2> 🎯 The Journey So Far </h2> <p><strong>Phase 1:</strong> Spent days designing the perfect architecture.<br> <strong>Phase 2:</strong> Built features, fought async bugs, implemented JWT from scratch.<br> <strong>Phase 3:</strong> Time to deploy. How hard could it be?</p> <p><em>Spoiler: Very hard.</em></p> <p>In <a href="https://dev.to/ravigupta97/building-a-production-ready-task-management-api-with-fastapi-complete-architecture-guide-25a">Part 1</a>, I designed a clean architecture:</p> <ul> <li>FastAPI + PostgreSQL</li> <li>Repository pattern</li> <li>Service layer separation</li> <li>Clean project structure</li> </ul> <p>In <a href="https://dev.to/ravigupta97/building-a-production-ready-task-management-api-with-fastapi-development-implementation-part-2-2h14">Part 2</a>, I built the actual system:</p> <ul> <li>JWT authentication</li> <li>50+ endpoints</li> <li>Rate limiting</li> <li>Advanced features</li> </ul> <p>On paper, everything looked solid.</p> <p>In development, everything worked.</p> <p>But there's a gap between "works on my machine" and "works in production."</p> <p><strong>A massive gap.</strong></p> <p>This phase was about:</p> <ul> <li>Writing tests that catch real bugs (not just make CI green)</li> <li>Containerizing with Docker (and learning why 1.2GB is unacceptable)</li> <li>Deploying to actual infrastructure (free tier!)</li> <li>Debugging production issues at midnight</li> <li>Measuring real performance (not synthetic benchmarks)</li> </ul> <p><strong>The honest truth:</strong> This phase took almost as long as building the features.</p> <p>Because deployment isn't just "push to Render."</p> <p>It's environment variables you forgot. CORS configurations that work locally but fail remotely. Database connection pools that exhaust mysteriously. Cold starts that make your API feel broken. Migrations that succeed locally but fail in production.</p> <p>Every bug taught me something tutorials never mentioned.</p> <p>This is where you stop being a tutorial follower and start being an engineer.</p> <h2> 🧪 Testing Strategy </h2> <h3> The Wake-Up Call </h3> <p>I thought I could skip comprehensive testing.</p> <p>"I manually tested everything. It works."</p> <p>Then I added a new feature.</p> <p><strong>Broke 3 existing endpoints.</strong></p> <p>Didn't notice until I tried to create a task and got a 500 error.</p> <p>That's when I learned: Manual testing doesn't scale.</p> <p>You need automated tests. Not because they're trendy.</p> <p>Because your memory isn't perfect.</p> <h3> The Goal: 85%+ Coverage </h3> <p>Target: <strong>85%+ test coverage</strong></p> <p>Not arbitrary.</p> <p>85% forces you to test:</p> <ul> <li>Happy paths (obviously)</li> <li>Error cases (what happens when things fail)</li> <li>Edge cases (empty strings, null values, boundary conditions)</li> <li>Integration points (do layers work together?)</li> </ul> <p>Below 85%? You're probably skipping important scenarios.</p> <p>Above 90%? Diminishing returns (testing getters/setters, framework code).</p> <p><strong>My target:</strong> 85-87%. Test what matters.</p> <h3> The Challenge: Async Testing </h3> <p>Coming from Spring Boot, testing was familiar:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Test</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">testGetTasks</span><span class="o">()</span> <span class="o">{</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">Task</span><span class="o">&gt;</span> <span class="n">tasks</span> <span class="o">=</span> <span class="n">taskService</span><span class="o">.</span><span class="na">getTasks</span><span class="o">();</span> <span class="n">assertEquals</span><span class="o">(</span><span class="mi">5</span><span class="o">,</span> <span class="n">tasks</span><span class="o">.</span><span class="na">size</span><span class="o">());</span> <span class="o">}</span> </code></pre> </div> <p>Synchronous. Simple. Works.</p> <p><strong>In FastAPI with async?</strong></p> <p>Nothing worked initially.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># This failed </span><span class="k">def</span> <span class="nf">test_get_tasks</span><span class="p">():</span> <span class="n">response</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">/tasks</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Error: can't await </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># This also failed </span><span class="k">async</span> <span class="k">def</span> <span class="nf">test_get_tasks</span><span class="p">():</span> <span class="n">response</span> <span class="o">=</span> <span class="k">await</span> <span class="n">client</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">/tasks</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Error: client not async </span></code></pre> </div> <p>Async testing requires:</p> <ul> <li>Async test client (not regular <code>TestClient</code>)</li> <li>Async fixtures</li> <li>Event loop management</li> <li>Database session handling</li> </ul> <p><strong>It's not intuitive.</strong></p> <p>But once you understand it, it's powerful.</p> <h3> The Setup That Finally Worked </h3> <p>After hours of trial and error, here's the pytest configuration that actually works:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># conftest.py </span><span class="kn">import</span> <span class="n">pytest</span> <span class="kn">import</span> <span class="n">asyncio</span> <span class="kn">from</span> <span class="n">httpx</span> <span class="kn">import</span> <span class="n">AsyncClient</span> <span class="kn">from</span> <span class="n">sqlalchemy.ext.asyncio</span> <span class="kn">import</span> <span class="n">create_async_engine</span><span class="p">,</span> <span class="n">AsyncSession</span> <span class="kn">from</span> <span class="n">sqlalchemy.orm</span> <span class="kn">import</span> <span class="n">sessionmaker</span> <span class="kn">from</span> <span class="n">app.main</span> <span class="kn">import</span> <span class="n">app</span> <span class="kn">from</span> <span class="n">app.database</span> <span class="kn">import</span> <span class="n">get_db</span><span class="p">,</span> <span class="n">Base</span> <span class="c1"># Test database URL </span><span class="n">TEST_DATABASE_URL</span> <span class="o">=</span> <span class="sh">"</span><span class="s">postgresql+asyncpg://test_user:test_pass@localhost/test_db</span><span class="sh">"</span> <span class="c1"># Create test engine </span><span class="n">test_engine</span> <span class="o">=</span> <span class="nf">create_async_engine</span><span class="p">(</span><span class="n">TEST_DATABASE_URL</span><span class="p">,</span> <span class="n">echo</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="c1"># Create test session factory </span><span class="n">TestingSessionLocal</span> <span class="o">=</span> <span class="nf">sessionmaker</span><span class="p">(</span> <span class="n">test_engine</span><span class="p">,</span> <span class="n">class_</span><span class="o">=</span><span class="n">AsyncSession</span><span class="p">,</span> <span class="n">expire_on_commit</span><span class="o">=</span><span class="bp">False</span> <span class="p">)</span> <span class="nd">@pytest.fixture</span><span class="p">(</span><span class="n">scope</span><span class="o">=</span><span class="sh">"</span><span class="s">session</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">event_loop</span><span class="p">():</span> <span class="sh">"""</span><span class="s">Create event loop for async tests.</span><span class="sh">"""</span> <span class="n">loop</span> <span class="o">=</span> <span class="n">asyncio</span><span class="p">.</span><span class="nf">get_event_loop_policy</span><span class="p">().</span><span class="nf">new_event_loop</span><span class="p">()</span> <span class="k">yield</span> <span class="n">loop</span> <span class="n">loop</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="nd">@pytest.fixture</span><span class="p">(</span><span class="n">scope</span><span class="o">=</span><span class="sh">"</span><span class="s">function</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">db_session</span><span class="p">():</span> <span class="sh">"""</span><span class="s">Create fresh test database for each test.</span><span class="sh">"""</span> <span class="k">async</span> <span class="k">with</span> <span class="n">test_engine</span><span class="p">.</span><span class="nf">begin</span><span class="p">()</span> <span class="k">as</span> <span class="n">conn</span><span class="p">:</span> <span class="k">await</span> <span class="n">conn</span><span class="p">.</span><span class="nf">run_sync</span><span class="p">(</span><span class="n">Base</span><span class="p">.</span><span class="n">metadata</span><span class="p">.</span><span class="n">create_all</span><span class="p">)</span> <span class="k">async</span> <span class="k">with</span> <span class="nc">TestingSessionLocal</span><span class="p">()</span> <span class="k">as</span> <span class="n">session</span><span class="p">:</span> <span class="k">yield</span> <span class="n">session</span> <span class="k">async</span> <span class="k">with</span> <span class="n">test_engine</span><span class="p">.</span><span class="nf">begin</span><span class="p">()</span> <span class="k">as</span> <span class="n">conn</span><span class="p">:</span> <span class="k">await</span> <span class="n">conn</span><span class="p">.</span><span class="nf">run_sync</span><span class="p">(</span><span class="n">Base</span><span class="p">.</span><span class="n">metadata</span><span class="p">.</span><span class="n">drop_all</span><span class="p">)</span> <span class="nd">@pytest.fixture</span><span class="p">(</span><span class="n">scope</span><span class="o">=</span><span class="sh">"</span><span class="s">function</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">client</span><span class="p">(</span><span class="n">db_session</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Create test client with database override.</span><span class="sh">"""</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">override_get_db</span><span class="p">():</span> <span class="k">yield</span> <span class="n">db_session</span> <span class="n">app</span><span class="p">.</span><span class="n">dependency_overrides</span><span class="p">[</span><span class="n">get_db</span><span class="p">]</span> <span class="o">=</span> <span class="n">override_get_db</span> <span class="k">async</span> <span class="k">with</span> <span class="nc">AsyncClient</span><span class="p">(</span><span class="n">app</span><span class="o">=</span><span class="n">app</span><span class="p">,</span> <span class="n">base_url</span><span class="o">=</span><span class="sh">"</span><span class="s">http://test</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">ac</span><span class="p">:</span> <span class="k">yield</span> <span class="n">ac</span> <span class="n">app</span><span class="p">.</span><span class="n">dependency_overrides</span><span class="p">.</span><span class="nf">clear</span><span class="p">()</span> </code></pre> </div> <p><strong>Why this setup works:</strong></p> <ol> <li> <strong>Separate test database</strong> - Never pollute your dev database</li> <li> <strong>Fresh database per test</strong> - Isolation prevents flaky tests</li> <li> <strong>Async fixtures</strong> - Match your application's async nature</li> <li> <strong>Dependency override</strong> - FastAPI's killer feature for testing</li> </ol> <p><strong>Time to figure this out:</strong> 4 hours of Stack Overflow and trial and error.</p> <p><strong>Worth it?</strong> Absolutely. Tests are now fast, isolated, and reliable.</p> <h3> Testing Authentication: The Fixture Pattern </h3> <p><strong>Challenge:</strong> How do you test protected endpoints without logging in every time?</p> <p><strong>Solution:</strong> Create authenticated test client fixture.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># conftest.py </span><span class="kn">import</span> <span class="n">pytest</span> <span class="kn">from</span> <span class="n">app.core.security</span> <span class="kn">import</span> <span class="n">create_access_token</span> <span class="kn">from</span> <span class="n">app.models.user</span> <span class="kn">import</span> <span class="n">User</span> <span class="nd">@pytest.fixture</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">test_user</span><span class="p">(</span><span class="n">db_session</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Create a test user.</span><span class="sh">"""</span> <span class="n">user</span> <span class="o">=</span> <span class="nc">User</span><span class="p">(</span> <span class="n">email</span><span class="o">=</span><span class="sh">"</span><span class="s">test@example.com</span><span class="sh">"</span><span class="p">,</span> <span class="n">username</span><span class="o">=</span><span class="sh">"</span><span class="s">testuser</span><span class="sh">"</span><span class="p">,</span> <span class="n">hashed_password</span><span class="o">=</span><span class="sh">"</span><span class="s">$2b$12$...</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># hashed "testpassword" </span> <span class="n">is_active</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">is_verified</span><span class="o">=</span><span class="bp">True</span> <span class="p">)</span> <span class="n">db_session</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="n">user</span><span class="p">)</span> <span class="k">await</span> <span class="n">db_session</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="k">await</span> <span class="n">db_session</span><span class="p">.</span><span class="nf">refresh</span><span class="p">(</span><span class="n">user</span><span class="p">)</span> <span class="k">return</span> <span class="n">user</span> <span class="nd">@pytest.fixture</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">authenticated_client</span><span class="p">(</span><span class="n">client</span><span class="p">,</span> <span class="n">test_user</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Create authenticated test client.</span><span class="sh">"""</span> <span class="n">access_token</span> <span class="o">=</span> <span class="nf">create_access_token</span><span class="p">(</span><span class="n">data</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">sub</span><span class="sh">"</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="n">test_user</span><span class="p">.</span><span class="nb">id</span><span class="p">)})</span> <span class="n">client</span><span class="p">.</span><span class="n">headers</span> <span class="o">=</span> <span class="p">{</span> <span class="o">**</span><span class="n">client</span><span class="p">.</span><span class="n">headers</span><span class="p">,</span> <span class="sh">"</span><span class="s">Authorization</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Bearer </span><span class="si">{</span><span class="n">access_token</span><span class="si">}</span><span class="sh">"</span> <span class="p">}</span> <span class="k">return</span> <span class="n">client</span> </code></pre> </div> <p><strong>Now testing is clean:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@pytest.mark.asyncio</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">test_create_task</span><span class="p">(</span><span class="n">authenticated_client</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Test creating a task.</span><span class="sh">"""</span> <span class="n">response</span> <span class="o">=</span> <span class="k">await</span> <span class="n">authenticated_client</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span> <span class="sh">"</span><span class="s">/api/v1/tasks/</span><span class="sh">"</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">title</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Test Task</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">description</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Test Description</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">TODO</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">priority</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">HIGH</span><span class="sh">"</span> <span class="p">}</span> <span class="p">)</span> <span class="k">assert</span> <span class="n">response</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">201</span> <span class="n">data</span> <span class="o">=</span> <span class="n">response</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="k">assert</span> <span class="n">data</span><span class="p">[</span><span class="sh">"</span><span class="s">title</span><span class="sh">"</span><span class="p">]</span> <span class="o">==</span> <span class="sh">"</span><span class="s">Test Task</span><span class="sh">"</span> <span class="k">assert</span> <span class="n">data</span><span class="p">[</span><span class="sh">"</span><span class="s">priority</span><span class="sh">"</span><span class="p">]</span> <span class="o">==</span> <span class="sh">"</span><span class="s">HIGH</span><span class="sh">"</span> </code></pre> </div> <p><strong>No manual login. No token management. Just test the business logic.</strong></p> <p>This pattern saved me hundreds of lines of repetitive setup code.</p> <h3> Integration Tests: The Full Journey </h3> <p>Integration tests verify the entire flow works together.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@pytest.mark.asyncio</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">test_complete_task_lifecycle</span><span class="p">(</span><span class="n">authenticated_client</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Test full CRUD flow for tasks.</span><span class="sh">"""</span> <span class="c1"># Create </span> <span class="n">create_response</span> <span class="o">=</span> <span class="k">await</span> <span class="n">authenticated_client</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span> <span class="sh">"</span><span class="s">/api/v1/tasks/</span><span class="sh">"</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">title</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Integration Test</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">TODO</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">priority</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">LOW</span><span class="sh">"</span><span class="p">}</span> <span class="p">)</span> <span class="k">assert</span> <span class="n">create_response</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">201</span> <span class="n">task_id</span> <span class="o">=</span> <span class="n">create_response</span><span class="p">.</span><span class="nf">json</span><span class="p">()[</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># Read </span> <span class="n">get_response</span> <span class="o">=</span> <span class="k">await</span> <span class="n">authenticated_client</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">/api/v1/tasks/</span><span class="si">{</span><span class="n">task_id</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">assert</span> <span class="n">get_response</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">200</span> <span class="k">assert</span> <span class="n">get_response</span><span class="p">.</span><span class="nf">json</span><span class="p">()[</span><span class="sh">"</span><span class="s">title</span><span class="sh">"</span><span class="p">]</span> <span class="o">==</span> <span class="sh">"</span><span class="s">Integration Test</span><span class="sh">"</span> <span class="c1"># Update </span> <span class="n">update_response</span> <span class="o">=</span> <span class="k">await</span> <span class="n">authenticated_client</span><span class="p">.</span><span class="nf">put</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">/api/v1/tasks/</span><span class="si">{</span><span class="n">task_id</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">COMPLETED</span><span class="sh">"</span><span class="p">}</span> <span class="p">)</span> <span class="k">assert</span> <span class="n">update_response</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">200</span> <span class="k">assert</span> <span class="n">update_response</span><span class="p">.</span><span class="nf">json</span><span class="p">()[</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">]</span> <span class="o">==</span> <span class="sh">"</span><span class="s">COMPLETED</span><span class="sh">"</span> <span class="c1"># Delete </span> <span class="n">delete_response</span> <span class="o">=</span> <span class="k">await</span> <span class="n">authenticated_client</span><span class="p">.</span><span class="nf">delete</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">/api/v1/tasks/</span><span class="si">{</span><span class="n">task_id</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">assert</span> <span class="n">delete_response</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">204</span> <span class="c1"># Verify deletion </span> <span class="n">verify_response</span> <span class="o">=</span> <span class="k">await</span> <span class="n">authenticated_client</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">/api/v1/tasks/</span><span class="si">{</span><span class="n">task_id</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">assert</span> <span class="n">verify_response</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">404</span> </code></pre> </div> <p><strong>What this caught:</strong></p> <ul> <li>Forgot to add CASCADE DELETE (got constraint violation errors)</li> <li>Token expiry during long test runs</li> <li>Session closure issues in UPDATE operations</li> </ul> <p><strong>Integration tests = real-world scenarios = real bugs found.</strong></p> <h3> Test Coverage: The Results </h3> <p>After writing tests for all critical paths:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>pytest <span class="nt">--cov</span><span class="o">=</span>app tests/ <span class="nt">----------</span> coverage: platform linux, python 3.11.16 <span class="nt">-----------</span> Name Stmts Miss Cover <span class="nt">-----------------------------------------------------</span> app/main.py 45 2 96% app/api/v1/auth.py 89 8 91% app/api/v1/tasks.py 102 10 90% app/services/task_service.py 124 15 88% app/core/security.py 52 3 94% <span class="nt">-----------------------------------------------------</span> TOTAL 1247 158 87% </code></pre> </div> <p><strong>87% coverage achieved.</strong></p> <p><strong>What I didn't test (the remaining 13%):</strong></p> <ul> <li>Some error handling edge cases</li> <li>Specific database constraint failures</li> <li>Rate limiter timing dependencies</li> </ul> <p><strong>Why that's okay:</strong> 87% covers all critical paths. The remaining 13% is mostly defensive code and edge cases that are hard to reliably test.</p> <p><strong>Time invested in testing:</strong> 1 week</p> <p><strong>Bugs caught before production:</strong> 15+</p> <p><strong>Worth it?</strong> Absolutely.</p> <h2> 🐳 Docker: From 1.2GB to 380MB </h2> <h3> My First Docker Image Was Embarrassing </h3> <p>1.2GB.</p> <p>For a Python API.</p> <p>I pushed it to Docker Hub, proud of myself.</p> <p>Then I tried to deploy it to Render.</p> <p>"Build timeout: Image too large"</p> <p><strong>Panic.</strong></p> <p>That's when I learned: Docker image size matters.</p> <p>Not just for build time.<br> For deployment speed.<br> For resource usage.<br> For everything.</p> <p>Time to optimize.</p> <h3> The Naive Approach </h3> <p>My first Dockerfile was... simple:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> python:3.11</span> <span class="k">COPY</span><span class="s"> . /app</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">RUN </span>pip <span class="nb">install</span> <span class="nt">-r</span> requirements.txt <span class="k">CMD</span><span class="s"> ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000"]</span> </code></pre> </div> <p><strong>Image size:</strong> 1.2GB</p> <p><strong>Problems:</strong></p> <ul> <li>Includes full Python image (300MB+ of unnecessary tools)</li> <li>Build dependencies stay in final image</li> <li>pip cache included</li> <li>Unnecessary files copied</li> </ul> <p><strong>Build time:</strong> 8 minutes</p> <p><strong>Deployment:</strong> Timed out on Render's free tier</p> <p>Not acceptable.</p> <h3> Multi-Stage Builds: The Solution </h3> <p>After researching Docker best practices, I discovered multi-stage builds.</p> <p><strong>The concept:</strong> Build in one image, run in another.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Stage 1: Builder - Install dependencies</span> <span class="k">FROM</span><span class="w"> </span><span class="s">python:3.11-slim</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="s">builder</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="c"># Install build dependencies</span> <span class="k">RUN </span>apt-get update <span class="o">&amp;&amp;</span> apt-get <span class="nb">install</span> <span class="nt">-y</span> <span class="nt">--no-install-recommends</span> <span class="se">\ </span> gcc <span class="se">\ </span> postgresql-client <span class="se">\ </span> <span class="o">&amp;&amp;</span> <span class="nb">rm</span> <span class="nt">-rf</span> /var/lib/apt/lists/<span class="k">*</span> <span class="c"># Copy and install Python dependencies</span> <span class="k">COPY</span><span class="s"> requirements.txt .</span> <span class="k">RUN </span>pip <span class="nb">install</span> <span class="nt">--no-cache-dir</span> <span class="nt">--user</span> <span class="nt">-r</span> requirements.txt <span class="c"># Stage 2: Runtime - Small, clean image</span> <span class="k">FROM</span><span class="s"> python:3.11-slim</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="c"># Install only runtime dependencies</span> <span class="k">RUN </span>apt-get update <span class="o">&amp;&amp;</span> apt-get <span class="nb">install</span> <span class="nt">-y</span> <span class="nt">--no-install-recommends</span> <span class="se">\ </span> libpq5 <span class="se">\ </span> <span class="o">&amp;&amp;</span> <span class="nb">rm</span> <span class="nt">-rf</span> /var/lib/apt/lists/<span class="k">*</span> <span class="c"># Copy installed packages from builder</span> <span class="k">COPY</span><span class="s"> --from=builder /root/.local /root/.local</span> <span class="c"># Copy application code</span> <span class="k">COPY</span><span class="s"> ./app ./app</span> <span class="k">COPY</span><span class="s"> alembic.ini .</span> <span class="k">COPY</span><span class="s"> ./alembic ./alembic</span> <span class="c"># Ensure pip packages are in PATH</span> <span class="k">ENV</span><span class="s"> PATH=/root/.local/bin:$PATH</span> <span class="k">EXPOSE</span><span class="s"> 8000</span> <span class="c"># Run migrations and start server</span> <span class="k">CMD</span><span class="s"> alembic upgrade head &amp;&amp; uvicorn app.main:app --host 0.0.0.0 --port 8000</span> </code></pre> </div> <p><strong>Final image size:</strong> 380MB</p> <p><strong>Reduction:</strong> 68% smaller!</p> <p><strong>Key optimizations:</strong></p> <ol> <li> <strong>Multi-stage build</strong> - Builder stage separate from runtime</li> <li> <strong>Slim base image</strong> - <code>python:3.11-slim</code> instead of full <code>python:3.11</code> </li> <li> <strong>No cache in pip</strong> - <code>--no-cache-dir</code> flag</li> <li> <strong>Clean apt lists</strong> - <code>rm -rf /var/lib/apt/lists/*</code> after installs</li> <li> <strong>Only runtime dependencies</strong> - gcc and build tools left in builder stage</li> </ol> <p><strong>Build time:</strong> 3 minutes (down from 8!)</p> <p><strong>Deployment:</strong> Successful on Render free tier</p> <p><strong>That felt good.</strong></p> <h3> Local Development: docker-compose </h3> <p>For local development, I needed:</p> <ul> <li>PostgreSQL database</li> <li>API server</li> <li>Hot reload</li> <li>Easy setup</li> </ul> <p>docker-compose made it simple:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">3.8'</span> <span class="na">services</span><span class="pi">:</span> <span class="na">db</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">postgres:16</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">POSTGRES_USER</span><span class="pi">:</span> <span class="s">taskapi</span> <span class="na">POSTGRES_PASSWORD</span><span class="pi">:</span> <span class="s">taskapi</span> <span class="na">POSTGRES_DB</span><span class="pi">:</span> <span class="s">taskapi_dev</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">5432:5432"</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">postgres_data:/var/lib/postgresql/data</span> <span class="na">api</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="s">.</span> <span class="na">command</span><span class="pi">:</span> <span class="s">uvicorn app.main:app --host 0.0.0.0 --port 8000 --reload</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./app:/app/app</span> <span class="c1"># Hot reload</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">8000:8000"</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">DATABASE_URL</span><span class="pi">:</span> <span class="s">postgresql+asyncpg://taskapi:taskapi@db:5432/taskapi_dev</span> <span class="na">SECRET_KEY</span><span class="pi">:</span> <span class="s">dev-secret-key</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">db</span> <span class="na">volumes</span><span class="pi">:</span> <span class="na">postgres_data</span><span class="pi">:</span> </code></pre> </div> <p><strong>One command to start everything:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker-compose up </code></pre> </div> <p><strong>Benefits:</strong></p> <ul> <li>Consistent environment across team</li> <li>No "works on my machine" issues</li> <li>Easy onboarding for new developers</li> <li>Matches production setup</li> </ul> <p><strong>This decision saved hours of environment debugging.</strong></p> <h2> 🚀 Deployment: Free Tier Reality </h2> <h3> Platform Choice: The $0 Constraint </h3> <p>I had a strict budget for infrastructure.</p> <p>$0.</p> <p>Not "limited." Zero dollars.</p> <p>This eliminated most options immediately.</p> <p><strong>The Contenders:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Platform</th> <th>Free Tier</th> <th>PostgreSQL</th> <th>Catches</th> </tr> </thead> <tbody> <tr> <td><strong>Render</strong></td> <td>✅ Yes</td> <td>✅ Neon integration</td> <td>Sleeps after 15min</td> </tr> <tr> <td>Heroku</td> <td>❌ No longer free</td> <td>✅ Yes</td> <td>Killed free tier</td> </tr> <tr> <td>AWS</td> <td>⚠️ 12 months only</td> <td>✅ Yes</td> <td>Complex setup</td> </tr> <tr> <td>Railway</td> <td>✅ Limited hours</td> <td>✅ Yes</td> <td>$5 credit/month</td> </tr> <tr> <td>Fly.io</td> <td>✅ Yes</td> <td>✅ Yes</td> <td>Credit system</td> </tr> </tbody> </table></div> <p><strong>Decision: Render</strong></p> <p>Why?</p> <ul> <li>Truly free forever (not trial)</li> <li>Docker support</li> <li>Auto-deploy from GitHub</li> <li>Simple configuration</li> <li>Good documentation</li> </ul> <p><strong>Trade-off:</strong> Cold starts after 15 minutes of inactivity.</p> <p>Acceptable for a learning project.</p> <h3> Database: Neon PostgreSQL </h3> <p><strong>The Problem:</strong> Most free PostgreSQL offerings have catches.</p> <ul> <li> <strong>Heroku:</strong> Limited to 10K rows (not enough)</li> <li> <strong>Supabase:</strong> Pauses after 7 days inactivity (annoying)</li> <li> <strong>AWS RDS:</strong> Only 12 months free (not sustainable)</li> </ul> <p><strong>Neon's free tier:</strong></p> <ul> <li>✅ Actually free forever</li> <li>✅ 3GB storage</li> <li>✅ Serverless (auto-scales)</li> <li>✅ Branch-based development (like git!)</li> <li>✅ No sleep/pause</li> </ul> <p><strong>Setup time:</strong> 5 minutes</p> <ol> <li>Create Neon account</li> <li>Create database</li> <li>Copy connection string</li> <li>Add to Render environment variables</li> </ol> <p>Done.</p> <p><strong>This was the easiest part of deployment.</strong></p> <p>The rest? Not so much.</p> <h3> First Deployment: Everything Broke </h3> <p>I pushed to GitHub.</p> <p>Render detected the Dockerfile.</p> <p>Build started.</p> <p><strong>Then:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Error: Environment variable DATABASE_URL not found Error: SECRET_KEY is None Error: Application failed to start </code></pre> </div> <p><strong>What I forgot:</strong></p> <p>Environment variables don't automatically transfer from <code>.env</code> file to Render.</p> <p>You have to set them manually in Render's dashboard.</p> <p><strong>Lesson learned:</strong> Environment configuration is separate from code.</p> <p>Never assume.</p> <h3> The Health Check Endpoint </h3> <p><strong>Critical for free tier deployments.</strong></p> <p>Render's free tier sleeps after 15 minutes of inactivity.</p> <p>Health checks can:</p> <ul> <li>Wake it up automatically</li> <li>Verify it's actually running</li> <li>Test database connectivity </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app/main.py </span><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">status</span> <span class="kn">from</span> <span class="n">sqlalchemy</span> <span class="kn">import</span> <span class="n">text</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/health</span><span class="sh">"</span><span class="p">,</span> <span class="n">status_code</span><span class="o">=</span><span class="n">status</span><span class="p">.</span><span class="n">HTTP_200_OK</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">health_check</span><span class="p">(</span><span class="n">db</span><span class="p">:</span> <span class="n">AsyncSession</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">get_db</span><span class="p">)):</span> <span class="sh">"""</span><span class="s"> Health check endpoint. Tests database connectivity. </span><span class="sh">"""</span> <span class="k">try</span><span class="p">:</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="nf">text</span><span class="p">(</span><span class="sh">"</span><span class="s">SELECT 1</span><span class="sh">"</span><span class="p">))</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">healthy</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">database</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">connected</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">environment</span><span class="sh">"</span><span class="p">:</span> <span class="n">settings</span><span class="p">.</span><span class="n">ENVIRONMENT</span> <span class="p">}</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">unhealthy</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">database</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">disconnected</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p><strong>Benefits:</strong></p> <ul> <li>Confirms app is running</li> <li>Tests database connection</li> <li>Used by monitoring services</li> <li>Simple debugging tool</li> </ul> <p><strong>This endpoint became my best friend during deployment debugging.</strong></p> <h2> 🚧 Production Bugs: The 2 AM Stories </h2> <h3> Bug #1: The 30-Second Cold Start </h3> <p><strong>The Problem:</strong></p> <p>I sent the API link to a friend.</p> <p>"Check out my live project!"</p> <p>I waited.</p> <p>30 seconds passed.</p> <p>Still loading.</p> <p>I refreshed. 30 more seconds.</p> <p><strong>Internal panic.</strong></p> <p>"Is it down? Did I break something??"</p> <p>Checked Render logs: "Spinning up service from sleep..."</p> <p>Oh.</p> <p>Free tier sleeps after 15 minutes.</p> <p><strong>Every. Single. Time.</strong></p> <p><strong>The Solution:</strong></p> <p>Can't eliminate cold starts on free tier.</p> <p>But I could handle the UX:</p> <ol> <li> <strong>Health check endpoint</strong> - Wake it up faster</li> <li> <strong>Frontend loading state</strong> - "Server waking up, please wait..."</li> <li> <strong>Set expectations</strong> - Document it's free tier</li> </ol> <p><strong>Better solution:</strong> Upgrade to paid tier ($7/month for always-on).</p> <p>But this is a learning project. Free tier it is.</p> <p><strong>Lesson learned:</strong> Constraints force creative solutions. Or at least, creative messaging.</p> <h3> Bug #2: The Case-Sensitive Environment Variable </h3> <p><strong>The Problem:</strong></p> <p>API deployed successfully.</p> <p>Opened the docs page.</p> <p>Everything loaded.</p> <p>Tried to login.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"detail"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Internal Server Error"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Checked logs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>AttributeError: 'NoneType' object has no attribute 'decode' </code></pre> </div> <p><strong>What?</strong></p> <p>Spent an hour debugging.</p> <p>Checked JWT code. Looked fine.<br> Checked database connection. Working.<br> Checked everything. Nothing made sense.</p> <p>Then I saw it.</p> <p>Environment variable in Render dashboard:</p> <p><code>SECRECT_KEY</code> instead of <code>SECRET_KEY</code></p> <p><strong>I misspelled "SECRET" as "SECRECT".</strong></p> <p>JWT library tried to decode with <code>None</code> as the key.</p> <p>Crashed.</p> <p><strong>The Fix:</strong></p> <ol> <li>Fixed the typo</li> <li>Added startup validation: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app/main.py </span><span class="nd">@app.on_event</span><span class="p">(</span><span class="sh">"</span><span class="s">startup</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">validate_config</span><span class="p">():</span> <span class="sh">"""</span><span class="s">Validate required configuration on startup.</span><span class="sh">"""</span> <span class="n">required</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">SECRET_KEY</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">REFRESH_SECRET_KEY</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">DATABASE_URL</span><span class="sh">"</span><span class="p">]</span> <span class="n">missing</span> <span class="o">=</span> <span class="p">[</span><span class="n">key</span> <span class="k">for</span> <span class="n">key</span> <span class="ow">in</span> <span class="n">required</span> <span class="k">if</span> <span class="ow">not</span> <span class="nf">getattr</span><span class="p">(</span><span class="n">settings</span><span class="p">,</span> <span class="n">key</span><span class="p">,</span> <span class="bp">None</span><span class="p">)]</span> <span class="k">if</span> <span class="n">missing</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Missing required config: </span><span class="si">{</span><span class="n">missing</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sh">"</span><span class="s">✅ Configuration validated</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p><strong>Now if a required variable is missing, the app fails immediately on startup.</strong></p> <p>Not after the first request.</p> <p><strong>Lesson learned:</strong> Fail fast. Validate early. Save yourself hours of debugging.</p> <h3> Bug #3: Database Connection Pool Exhaustion </h3> <p><strong>The Problem:</strong></p> <p>API ran fine for a few hours.</p> <p>Then started throwing errors:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>asyncpg.exceptions.TooManyConnectionsError: too many connections </code></pre> </div> <p><strong>What?</strong></p> <p>I wasn't doing anything different.</p> <p>No traffic spike.</p> <p>Just... ran out of connections.</p> <p><strong>The Root Cause:</strong></p> <p>Some error paths weren't closing database sessions.</p> <p>Session leaked.<br> Connection leaked.<br> Pool exhausted.</p> <p><strong>The Fix:</strong></p> <ol> <li> <strong>Ensure session cleanup in dependency:</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app/database.py </span><span class="k">async</span> <span class="k">def</span> <span class="nf">get_db</span><span class="p">()</span> <span class="o">-&gt;</span> <span class="n">AsyncSession</span><span class="p">:</span> <span class="k">async</span> <span class="k">with</span> <span class="nc">AsyncSessionLocal</span><span class="p">()</span> <span class="k">as</span> <span class="n">session</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="k">yield</span> <span class="n">session</span> <span class="k">finally</span><span class="p">:</span> <span class="k">await</span> <span class="n">session</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="c1"># Always close, even on error </span></code></pre> </div> <ol> <li> <strong>Configure connection pool limits:</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app/database.py </span><span class="n">engine</span> <span class="o">=</span> <span class="nf">create_async_engine</span><span class="p">(</span> <span class="n">settings</span><span class="p">.</span><span class="n">DATABASE_URL</span><span class="p">,</span> <span class="n">pool_size</span><span class="o">=</span><span class="mi">5</span><span class="p">,</span> <span class="c1"># Max connections </span> <span class="n">max_overflow</span><span class="o">=</span><span class="mi">10</span><span class="p">,</span> <span class="c1"># Overflow allowed </span> <span class="n">pool_pre_ping</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="c1"># Verify before use </span> <span class="n">pool_recycle</span><span class="o">=</span><span class="mi">3600</span> <span class="c1"># Recycle after 1 hour </span><span class="p">)</span> </code></pre> </div> <p><strong>After the fix:</strong> No more connection errors.</p> <p><strong>Lesson learned:</strong> Connection pools are finite resources. Manage them carefully.</p> <h3> Bug #4: Alembic Migration Conflicts </h3> <p><strong>The Problem:</strong></p> <p>Deployed new code with database migration.</p> <p>Render build failed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>alembic.util.exc.CommandError: Can't locate revision identified by 'abc123' </code></pre> </div> <p><strong>Why?</strong></p> <p>I created migrations locally.<br> Pushed code.<br> But Render's database didn't have the previous migrations.</p> <p><strong>The Fix:</strong></p> <p>Run migrations as part of deployment:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># In Dockerfile CMD</span> <span class="k">CMD</span><span class="s"> alembic upgrade head &amp;&amp; uvicorn app.main:app --host 0.0.0.0 --port 8000</span> </code></pre> </div> <p><strong>This ensures:</strong></p> <ul> <li>Migrations run before app starts</li> <li>Database is always up to date</li> <li>No manual migration steps</li> </ul> <p><strong>Also added:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Before creating new migration locally</span> alembic current <span class="c"># Check current state</span> alembic upgrade <span class="nb">head</span> <span class="c"># Apply all pending</span> </code></pre> </div> <p><strong>Lesson learned:</strong> Migrations are sequential. Treat them like git commits. Linear history matters.</p> <h2> 📊 Performance: 30 Days of Real Data </h2> <h3> The Numbers </h3> <p>After 30 days of production traffic, here's how it actually performed:</p> <p><strong>Response Times:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Endpoint</th> <th>Average</th> <th>P95</th> <th>P99</th> </tr> </thead> <tbody> <tr> <td>Health check</td> <td>45ms</td> <td>89ms</td> <td>142ms</td> </tr> <tr> <td>Login</td> <td>156ms</td> <td>278ms</td> <td>421ms</td> </tr> <tr> <td>Get tasks</td> <td>87ms</td> <td>156ms</td> <td>289ms</td> </tr> <tr> <td>Create task</td> <td>112ms</td> <td>198ms</td> <td>334ms</td> </tr> </tbody> </table></div> <p><strong>Overall average:</strong> ~190ms</p> <p><strong>My initial target:</strong> 100ms</p> <p><strong>Reality:</strong> Almost 2x slower.</p> <p><strong>Why?</strong></p> <ul> <li>Neon serverless adds latency (~20ms)</li> <li>Free tier CPU is shared</li> <li>No caching layer</li> <li>Some queries not optimized</li> </ul> <p><strong>Is 190ms acceptable?</strong></p> <p>For a free-tier learning project? Yes.</p> <p>For a production SaaS? No. I'd need caching and optimization.</p> <h3> Uptime Tracking </h3> <p><strong>Tool:</strong> UptimeRobot (free tier)</p> <p><strong>30-day results:</strong></p> <ul> <li>✅ <strong>99.2% uptime</strong> </li> <li>❌ <strong>3 outages</strong> (total: 5 hours 47 minutes)</li> <li>⏱️ <strong>Average response:</strong> 180ms</li> <li>📈 <strong>Checks performed:</strong> 43,200</li> </ul> <p><strong>Outage breakdown:</strong></p> <ol> <li>Render platform maintenance (2 hours)</li> <li>Neon database scaling issue (30 minutes)</li> <li>My deployment bug (15 minutes - the ENV variable typo)</li> </ol> <p><strong>99.2% uptime on $0 infrastructure?</strong></p> <p>Honestly better than I expected.</p> <p>For comparison, AWS promises 99.99% (that's 4 minutes downtime per month).</p> <p>I had ~5 hours downtime in 30 days.</p> <p><strong>Not bad for free.</strong></p> <h3> Database Query Performance </h3> <p><strong>Biggest optimization:</strong> Fixing N+1 queries.</p> <p><strong>Before:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Get tasks - N+1 problem </span><span class="n">tasks</span> <span class="o">=</span> <span class="k">await</span> <span class="n">task_repository</span><span class="p">.</span><span class="nf">get_by_user</span><span class="p">(</span><span class="n">user_id</span><span class="p">)</span> <span class="k">for</span> <span class="n">task</span> <span class="ow">in</span> <span class="n">tasks</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="n">task</span><span class="p">.</span><span class="n">category</span><span class="p">.</span><span class="n">name</span><span class="p">)</span> <span class="c1"># Separate query for each! </span></code></pre> </div> <p><strong>After:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Eager load relationships </span><span class="kn">from</span> <span class="n">sqlalchemy.orm</span> <span class="kn">import</span> <span class="n">selectinload</span> <span class="n">tasks</span> <span class="o">=</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="nf">select</span><span class="p">(</span><span class="n">Task</span><span class="p">)</span> <span class="p">.</span><span class="nf">options</span><span class="p">(</span><span class="nf">selectinload</span><span class="p">(</span><span class="n">Task</span><span class="p">.</span><span class="n">category</span><span class="p">))</span> <span class="p">.</span><span class="nf">where</span><span class="p">(</span><span class="n">Task</span><span class="p">.</span><span class="n">user_id</span> <span class="o">==</span> <span class="n">user_id</span><span class="p">)</span> <span class="p">)</span> </code></pre> </div> <p><strong>Performance improvement:</strong> 3x faster for lists with categories.</p> <p><strong>Lesson learned:</strong> Async doesn't make bad queries good. Optimize your database access.</p> <h2> 💰 Cost Analysis: The $0 Stack </h2> <h3> Monthly Infrastructure Costs </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Service</th> <th>Plan</th> <th>Cost</th> </tr> </thead> <tbody> <tr> <td><strong>Render</strong></td> <td>Free tier</td> <td>$0</td> </tr> <tr> <td><strong>Neon PostgreSQL</strong></td> <td>Free tier</td> <td>$0</td> </tr> <tr> <td> <strong>Domain</strong> (optional)</td> <td>Namecheap</td> <td>~$1/month</td> </tr> <tr> <td><strong>Monitoring</strong></td> <td>UptimeRobot free</td> <td>$0</td> </tr> <tr> <td><strong>Total</strong></td> <td></td> <td><strong>$0/month</strong></td> </tr> </tbody> </table></div> <p><strong>Yearly cost:</strong> $0 (or $12 if you buy a domain)</p> <h3> Free Tier Constraints </h3> <p><strong>Render Free Tier:</strong></p> <ul> <li>✅ 750 hours/month (enough for one service)</li> <li>✅ Auto-deploy from Git</li> <li>✅ SSL certificate included</li> <li>❌ Sleeps after 15 min inactivity</li> <li>❌ Limited to 512MB RAM</li> <li>❌ Shared CPU</li> </ul> <p><strong>Neon Free Tier:</strong></p> <ul> <li>✅ 3GB storage</li> <li>✅ Unlimited databases</li> <li>✅ Serverless auto-scaling</li> <li>❌ Limited compute units</li> <li>❌ Shared resources</li> </ul> <h3> When to Upgrade? </h3> <p><strong>Stay on free tier if:</strong></p> <ul> <li>Learning project</li> <li>Portfolio piece</li> <li>Low traffic (&lt;1000 requests/day)</li> <li>Can tolerate cold starts</li> <li>No SLA requirements</li> </ul> <p><strong>Upgrade to paid ($7-10/month) if:</strong></p> <ul> <li>Real users depending on it</li> <li>Need consistent performance</li> <li>Can't afford downtime</li> <li>Traffic grows</li> <li>Professional project</li> </ul> <p><strong>For this project:</strong> Free tier is perfect.</p> <p>It does everything I need for a portfolio piece.</p> <h2> 💡 Lessons Learned </h2> <h3> 1. Tests Save More Time Than They Take </h3> <p><strong>My initial thought:</strong> "Tests slow me down. I'll skip them."</p> <p><strong>Reality:</strong> Tests caught 15+ bugs before production.</p> <p><strong>Time spent writing tests:</strong> 1 week<br> <strong>Time saved debugging production:</strong> Probably 2+ weeks</p> <p><strong>ROI:</strong> Massively positive.</p> <p>Tests aren't overhead. They're insurance.</p> <h3> 2. Docker Isn't Optional </h3> <p><strong>Why Docker matters:</strong></p> <p><strong>Reason 1:</strong> "Works on my machine" becomes "works everywhere"<br> <strong>Reason 2:</strong> Deployment is just "push image"<br> <strong>Reason 3:</strong> Forces you to think about dependencies</p> <p><strong>Time invested learning Docker:</strong> 2 days<br> <strong>Time saved in deployment issues:</strong> Countless hours</p> <p>Every modern backend project should use Docker.</p> <p>Not optional.</p> <h3> 3. Monitoring Isn't Optional Either </h3> <p>Without monitoring, you're blind.</p> <p><strong>Questions you can't answer:</strong></p> <ul> <li>Is the API down?</li> <li>Why is it slow?</li> <li>Where are errors happening?</li> <li>What's the actual performance?</li> </ul> <p><strong>With basic monitoring:</strong></p> <ul> <li>Health check endpoint</li> <li>Logging to stdout</li> <li>UptimeRobot for uptime</li> <li>Manual log review</li> </ul> <p><strong>Cost:</strong> $0<br> <strong>Value:</strong> Priceless</p> <p>You can't fix what you can't measure.</p> <h3> 4. Free Tier Forces Better Decisions </h3> <p><strong>Constraints I faced:</strong></p> <ul> <li>No Redis → In-memory rate limiting</li> <li>Cold starts → UX handling + health checks</li> <li>Limited resources → Query optimization</li> </ul> <p><strong>Result:</strong> Better architecture.</p> <p>Paid tiers let you throw money at problems.</p> <p>Free tiers force you to solve them properly.</p> <p><strong>The best learning happens under constraints.</strong></p> <h3> 5. Production Is the Real Teacher </h3> <p><strong>Local development teaches:</strong></p> <ul> <li>How to write code</li> <li>How to structure projects</li> <li>How to use frameworks</li> </ul> <p><strong>Production teaches:</strong></p> <ul> <li>How systems fail</li> <li>How to debug without IDE</li> <li>How to handle real constraints</li> <li>How to think about users</li> </ul> <p>The gap between these two is where engineers are made.</p> <h2> 🔄 What I'd Do Differently </h2> <h3> 1. Write Tests Earlier (TDD) </h3> <p><strong>What I did:</strong> Built features, then wrote tests.</p> <p><strong>Problem:</strong> Had to refactor code to make it testable.</p> <p><strong>Better approach:</strong> Test-Driven Development</p> <ul> <li>Write test first</li> <li>Implement feature</li> <li>Refactor</li> </ul> <p><strong>Why:</strong> Forces good design from the start.</p> <h3> 2. Set Up CI/CD Immediately </h3> <p><strong>What I did:</strong> Manually ran tests before deploying.</p> <p><strong>Problem:</strong> Forgot twice. Deployed broken code.</p> <p><strong>Better approach:</strong> GitHub Actions<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Simple workflow</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Tests</span> <span class="na">on</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">push</span><span class="pi">,</span> <span class="nv">pull_request</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v2</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-python@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">python-version</span><span class="pi">:</span> <span class="m">3.11</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">pip install -r requirements.txt</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">pytest --cov=app tests/</span> </code></pre> </div> <p><strong>Benefit:</strong> Tests run automatically. Can't merge broken code.</p> <h3> 3. Add Caching Earlier </h3> <p><strong>What I did:</strong> Direct database queries for everything.</p> <p><strong>Problem:</strong> Repeated queries for same data.</p> <p><strong>Better approach:</strong> Redis caching for:</p> <ul> <li>User sessions</li> <li>Frequently accessed data</li> <li>API rate limit counters</li> </ul> <p><strong>Why I didn't:</strong> Free tier doesn't include Redis.</p> <p><strong>Workaround:</strong> <code>functools.lru_cache</code> for config/static data.</p> <h3> 4. Implement Database Backups </h3> <p><strong>What I did:</strong> Relied on Neon's automatic backups.</p> <p><strong>Problem:</strong> No control over backup schedule or retention.</p> <p><strong>Better approach:</strong></p> <ul> <li>Scheduled <code>pg_dump</code> to S3</li> <li>Version-controlled schema</li> <li>Tested restore process</li> </ul> <p><strong>Why it matters:</strong> Data loss is unacceptable. Even for learning projects.</p> <h3> 5. Use Feature Flags </h3> <p><strong>What I did:</strong> Deploy features directly to production.</p> <p><strong>Problem:</strong> Can't disable buggy features without rollback.</p> <p><strong>Better approach:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Simple feature flags </span><span class="k">class</span> <span class="nc">FeatureFlags</span><span class="p">:</span> <span class="n">ENABLE_EMAIL_VERIFICATION</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">"</span><span class="s">FEATURE_EMAIL</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">true</span><span class="sh">"</span><span class="p">)</span> <span class="o">==</span> <span class="sh">"</span><span class="s">true</span><span class="sh">"</span> <span class="n">ENABLE_ADVANCED_SEARCH</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">"</span><span class="s">FEATURE_SEARCH</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">false</span><span class="sh">"</span><span class="p">)</span> <span class="o">==</span> <span class="sh">"</span><span class="s">true</span><span class="sh">"</span> <span class="c1"># Usage </span><span class="k">if</span> <span class="n">FeatureFlags</span><span class="p">.</span><span class="n">ENABLE_ADVANCED_SEARCH</span><span class="p">:</span> <span class="c1"># New feature logic </span><span class="k">else</span><span class="p">:</span> <span class="c1"># Old feature logic </span></code></pre> </div> <p><strong>Benefit:</strong> Enable/disable features without deploying.</p> <h2> 🎯 Final Thoughts </h2> <h3> What This Project Taught Me </h3> <p><strong>1. Architecture matters</strong> — but implementation teaches you why</p> <p><strong>2. Tests aren't optional</strong> — they're the difference between hobby and professional</p> <p><strong>3. Production is different</strong> — cold starts, CORS, connection pools, migrations... none of this shows up in tutorials</p> <p><strong>4. Free tier is enough</strong> — to learn, to build portfolio, to prove you can ship</p> <p><strong>5. Building in public works</strong> — documenting this journey kept me accountable</p> <h3> The Numbers </h3> <p><strong>What I built:</strong></p> <ul> <li>✅ 50+ API endpoints</li> <li>✅ JWT authentication</li> <li>✅ 87% test coverage</li> <li>✅ Clean architecture</li> <li>✅ Dockerized</li> <li>✅ Deployed (99.2% uptime)</li> <li>✅ $0 infrastructure cost</li> </ul> <p><strong>What I learned:</strong></p> <ul> <li>Way more than any tutorial could teach</li> <li>The gap between "working" and "production-ready"</li> <li>How to debug systems you can't see</li> <li>How to make architectural decisions under constraints</li> <li>How to ship something real</li> </ul> <h3> Was It Worth It? </h3> <p><strong>Absolutely.</strong></p> <p>Not just for the portfolio.</p> <p>Not just for the resume.</p> <p>For the learning.</p> <p>There's a massive difference between:</p> <ul> <li>Following a tutorial</li> <li>Building from scratch</li> <li>Deploying to production</li> </ul> <p>This project forced me through all three.</p> <p>Every bug taught me something.<br> Every constraint forced creativity.<br> Every deployment taught me production.</p> <p><strong>That's the real value.</strong></p> <h2> 🚀 Try It Yourself </h2> <p><strong>Live API:</strong> <a href="https://task-management-api-a775.onrender.com/docs" rel="noopener noreferrer">https://task-management-api-a775.onrender.com/docs</a></p> <p>(First request might take 30 seconds if it's sleeping - free tier!)</p> <p><strong>GitHub:</strong> <a href="https://github.com/ravigupta97/task_management_api" rel="noopener noreferrer">https://github.com/ravigupta97/task_management_api</a></p> <p><strong>Clone and run:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/ravigupta97/task_management_api <span class="nb">cd </span>task_management_api docker-compose up </code></pre> </div> <p>Open <a href="http://localhost:8000/docs" rel="noopener noreferrer">http://localhost:8000/docs</a></p> <p><strong>Everything you need is in the README.</strong></p> <h2> 💬 Discussion </h2> <p><strong>Questions for you:</strong></p> <ol> <li>What's your testing strategy for async APIs?</li> <li>How do you handle cold starts on free tiers?</li> <li>What was your biggest production surprise?</li> <li>What free tier tools do you use?</li> </ol> <p>Let's learn together - comment below! 👇</p> <p><em>This completes the 3-part series on building a production-ready FastAPI application.</em></p> <ul> <li><em><a href="https://dev.to/ravigupta97/building-a-production-ready-task-management-api-with-fastapi-complete-architecture-guide-25a">Part 1: Architecture &amp; Design</a></em></li> <li><em><a href="https://dev.to/ravigupta97/building-a-production-ready-task-management-api-with-fastapi-development-implementation-part-2-2h14">Part 2: Development &amp; Implementation</a></em></li> <li><em>Part 3: Testing, Deployment &amp; Production (you just read it)</em></li> </ul> <p><strong>What's next for me?</strong></p> <p><strong>Follow along:</strong> <a href="https://www.linkedin.com/in/ravigupta97/" rel="noopener noreferrer">LinkedIn</a> | <a href="https://github.com/ravigupta97" rel="noopener noreferrer">GitHub</a></p> <p><strong>#FastAPI #Python #Testing #Docker #Deployment #DevOps #BackendDevelopment #BuildInPublic #SoftwareEngineering</strong></p> fastapi python docker devops Ravi Gupta Mon, 02 Mar 2026 03:10:00 +0000 https://dev.to/ravigupta97/building-a-production-ready-task-management-api-with-fastapi-development-implementation-part-2-2h14 https://dev.to/ravigupta97/building-a-production-ready-task-management-api-with-fastapi-development-implementation-part-2-2h14 <h2> Building a Production-Ready Task Management API with FastAPI: Development &amp; Implementation (Part 2) </h2> <blockquote> <p><strong>Part 2 of 3:</strong> Architecture is comfortable. Implementation is humbling.</p> </blockquote> <p>In Part 1, everything looked clean.</p> <p>The layers were well separated.<br><br> The database schema made sense.<br><br> The architecture diagram looked impressive.</p> <p>And then I started writing code.<br> That’s when things stopped being theoretical.<br> Not just what worked — but what broke, what surprised me, and that forced me to level up.<br> This article covers JWT authentication, CRUD operations, advanced features, and the real challenges of building production-ready APIs.</p> <p><strong>Quick Links:</strong></p> <ul> <li>📖 <a href="https://dev.to/ravigupta97/building-a-production-ready-task-management-api-with-fastapi-complete-architecture-guide-25a">Part 1: Architecture &amp; Design</a> </li> <li>🔗 <a href="https://github.com/ravigupta97/task_management_api" rel="noopener noreferrer">GitHub Repository</a> </li> <li>🚀 <a href="https://task-management-api-a775.onrender.com/docs" rel="noopener noreferrer">Live API Docs</a> </li> </ul> <h2> 📋 Table of Contents </h2> <ol> <li>Introduction &amp; Recap</li> <li>JWT Authentication Implementation</li> <li>Repository Pattern in Practice</li> <li>Service Layer Development</li> <li>CRUD Operations</li> <li>Advanced Features</li> <li>Real Challenges &amp; Solutions</li> <li>Code Examples &amp; Patterns</li> <li>Lessons Learned</li> <li>What's Next</li> </ol> <p><strong>Reading time:</strong> ~12 minutes</p> <h2> 🎯 Introduction &amp; Recap </h2> <p>In <a href="https://dev.to/ravigupta97/building-a-production-ready-task-management-api-with-fastapi-complete-architecture-guide-25a">Part 1</a>, I designed the architecture for a production-ready Task Management API using FastAPI and PostgreSQL.</p> <p><strong>What we covered:</strong></p> <ul> <li>Technology stack selection (FastAPI, PostgreSQL, SQLAlchemy 2.0)</li> <li>Database schema design (Users, Tasks, Categories)</li> <li>Clean architecture layers (API → Service → Repository → Database)</li> <li>Project structure organization</li> </ul> <p><strong>Phase 1 Result:</strong> A solid foundation ready for implementation.<br> On paper, it was solid.</p> <p>But architecture doesn’t test your assumptions, Implementation does.</p> <p><strong>Phase 2 Goal:</strong> Build the actual features while maintaining architectural integrity.<br> And discovering that “working” is not the same as “production-ready.”</p> <p>This article covers the development journey - the features I built, patterns I implemented, and challenges I faced turning architecture diagrams into working code.</p> <h2> 🔐 JWT Authentication Implementation </h2> <h3> The Challenge </h3> <p>Coming from Spring Boot, I was used to this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Configuration</span> <span class="nd">@EnableWebSecurity</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">SecurityConfig</span> <span class="o">{</span> <span class="c1">// Spring Security handles everything</span> <span class="o">}</span> </code></pre> </div> <p>In FastAPI, there's no magic <code>@EnableWebSecurity</code>.</p> <p>You build authentication from the ground up.</p> <h3> What I Built </h3> <p><strong>Complete authentication system with:</strong></p> <ol> <li> <p><strong>User Registration</strong></p> <ul> <li>Email validation</li> <li>Password strength requirements</li> <li>Duplicate email/username checking</li> <li>Automatic password hashing</li> </ul> </li> <li> <p><strong>Login Flow</strong></p> <ul> <li>Credential verification</li> <li>Access token generation (15 min expiry)</li> <li>Refresh token generation (7 days expiry)</li> <li>Token storage strategy</li> </ul> </li> <li> <p><strong>Token Management</strong></p> <ul> <li>Token validation middleware</li> <li>Token refresh endpoint</li> <li>Automatic token expiry handling</li> <li>Logout mechanism</li> </ul> </li> <li> <p><strong>Security Features</strong></p> <ul> <li>Email verification flow</li> <li>Password reset mechanism</li> <li>Account activation</li> <li>Rate limiting on auth endpoints</li> </ul> </li> </ol> <h3> Implementation Deep Dive </h3> <h4> <strong>1. Password Hashing with bcrypt</strong> </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app/core/security.py </span><span class="kn">from</span> <span class="n">passlib.context</span> <span class="kn">import</span> <span class="n">CryptContext</span> <span class="n">pwd_context</span> <span class="o">=</span> <span class="nc">CryptContext</span><span class="p">(</span><span class="n">schemes</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">bcrypt</span><span class="sh">"</span><span class="p">],</span> <span class="n">deprecated</span><span class="o">=</span><span class="sh">"</span><span class="s">auto</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">hash_password</span><span class="p">(</span><span class="n">password</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Hash a password using bcrypt.</span><span class="sh">"""</span> <span class="k">return</span> <span class="n">pwd_context</span><span class="p">.</span><span class="nf">hash</span><span class="p">(</span><span class="n">password</span><span class="p">)</span> <span class="k">def</span> <span class="nf">verify_password</span><span class="p">(</span><span class="n">plain_password</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">hashed_password</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Verify a password against a hashed password.</span><span class="sh">"""</span> <span class="k">return</span> <span class="n">pwd_context</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="n">plain_password</span><span class="p">,</span> <span class="n">hashed_password</span><span class="p">)</span> </code></pre> </div> <p><strong>Why bcrypt?</strong></p> <ul> <li>Industry standard for password hashing</li> <li>Built-in salt generation</li> <li>Adaptive cost factor (future-proof against hardware improvements)</li> <li>Slow by design (prevents brute force)</li> </ul> <p>This was my first mindset shift:</p> <p>FastAPI gives flexibility.<br> Security becomes your responsibility.</p> <p><strong>Spring Boot comparison:</strong> Similar to <code>BCryptPasswordEncoder</code>, but more explicit configuration.</p> <h4> <strong>2. JWT Token Generation</strong> </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app/core/security.py </span><span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span><span class="p">,</span> <span class="n">timedelta</span> <span class="kn">from</span> <span class="n">jose</span> <span class="kn">import</span> <span class="n">jwt</span> <span class="kn">from</span> <span class="n">app.config</span> <span class="kn">import</span> <span class="n">settings</span> <span class="k">def</span> <span class="nf">create_access_token</span><span class="p">(</span><span class="n">data</span><span class="p">:</span> <span class="nb">dict</span><span class="p">,</span> <span class="n">expires_delta</span><span class="p">:</span> <span class="n">timedelta</span> <span class="o">=</span> <span class="bp">None</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Create JWT access token.</span><span class="sh">"""</span> <span class="n">to_encode</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">copy</span><span class="p">()</span> <span class="k">if</span> <span class="n">expires_delta</span><span class="p">:</span> <span class="n">expire</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">utcnow</span><span class="p">()</span> <span class="o">+</span> <span class="n">expires_delta</span> <span class="k">else</span><span class="p">:</span> <span class="n">expire</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">utcnow</span><span class="p">()</span> <span class="o">+</span> <span class="nf">timedelta</span><span class="p">(</span><span class="n">minutes</span><span class="o">=</span><span class="mi">15</span><span class="p">)</span> <span class="n">to_encode</span><span class="p">.</span><span class="nf">update</span><span class="p">({</span><span class="sh">"</span><span class="s">exp</span><span class="sh">"</span><span class="p">:</span> <span class="n">expire</span><span class="p">,</span> <span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">access</span><span class="sh">"</span><span class="p">})</span> <span class="n">encoded_jwt</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span> <span class="n">to_encode</span><span class="p">,</span> <span class="n">settings</span><span class="p">.</span><span class="n">SECRET_KEY</span><span class="p">,</span> <span class="n">algorithm</span><span class="o">=</span><span class="n">settings</span><span class="p">.</span><span class="n">ALGORITHM</span> <span class="p">)</span> <span class="k">return</span> <span class="n">encoded_jwt</span> <span class="k">def</span> <span class="nf">create_refresh_token</span><span class="p">(</span><span class="n">data</span><span class="p">:</span> <span class="nb">dict</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Create JWT refresh token.</span><span class="sh">"""</span> <span class="n">to_encode</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">copy</span><span class="p">()</span> <span class="n">expire</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">utcnow</span><span class="p">()</span> <span class="o">+</span> <span class="nf">timedelta</span><span class="p">(</span><span class="n">days</span><span class="o">=</span><span class="mi">7</span><span class="p">)</span> <span class="n">to_encode</span><span class="p">.</span><span class="nf">update</span><span class="p">({</span><span class="sh">"</span><span class="s">exp</span><span class="sh">"</span><span class="p">:</span> <span class="n">expire</span><span class="p">,</span> <span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">refresh</span><span class="sh">"</span><span class="p">})</span> <span class="n">encoded_jwt</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span> <span class="n">to_encode</span><span class="p">,</span> <span class="n">settings</span><span class="p">.</span><span class="n">REFRESH_SECRET_KEY</span><span class="p">,</span> <span class="n">algorithm</span><span class="o">=</span><span class="n">settings</span><span class="p">.</span><span class="n">ALGORITHM</span> <span class="p">)</span> <span class="k">return</span> <span class="n">encoded_jwt</span> </code></pre> </div> <p>Design decisions here matter.</p> <p>JWT is just a token format.</p> <p>Security comes from validation.</p> <p><strong>Key decisions:</strong></p> <ol> <li> <p><strong>Two token types:</strong></p> <ul> <li>Access tokens (short-lived, 15 min)</li> <li>Refresh tokens (long-lived, 7 days)</li> </ul> </li> <li> <p><strong>Separate secrets:</strong></p> <ul> <li>Different keys for access vs refresh tokens</li> <li>Compromised access token ≠ compromised refresh token</li> </ul> </li> <li><p><strong>Token payload:</strong><br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"user_id"</span><span class="p">,</span><span class="w"> </span><span class="nl">"exp"</span><span class="p">:</span><span class="w"> </span><span class="mi">1234567890</span><span class="p">,</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"access"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h4> <strong>3. Token Validation Dependency</strong> </h4> <p><strong>How it works:</strong></p> <ol> <li>Extract JWT from <code>Authorization: Bearer &lt;token&gt;</code> header</li> <li>Decode and validate token signature</li> <li>Check token type (must be "access")</li> <li>Fetch user from database</li> <li>Verify user is active</li> <li>Return user object</li> </ol> <p><strong>Usage in routes:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@router.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/me</span><span class="sh">"</span><span class="p">,</span> <span class="n">response_model</span><span class="o">=</span><span class="n">UserResponse</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_current_user_profile</span><span class="p">(</span> <span class="n">current_user</span><span class="p">:</span> <span class="n">User</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">get_current_user</span><span class="p">)</span> <span class="p">):</span> <span class="sh">"""</span><span class="s">Get current user</span><span class="sh">'</span><span class="s">s profile.</span><span class="sh">"""</span> <span class="k">return</span> <span class="n">current_user</span> </code></pre> </div> <p>Clean. Type-safe. Reusable.</p> <h4> <strong>4. Login Endpoint Implementation</strong> </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app/api/v1/auth.py </span><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">APIRouter</span><span class="p">,</span> <span class="n">Depends</span><span class="p">,</span> <span class="n">HTTPException</span><span class="p">,</span> <span class="n">status</span> <span class="kn">from</span> <span class="n">app.schemas.token</span> <span class="kn">import</span> <span class="n">TokenResponse</span> <span class="kn">from</span> <span class="n">app.schemas.user</span> <span class="kn">import</span> <span class="n">UserLogin</span> <span class="n">router</span> <span class="o">=</span> <span class="nc">APIRouter</span><span class="p">(</span><span class="n">prefix</span><span class="o">=</span><span class="sh">"</span><span class="s">/auth</span><span class="sh">"</span><span class="p">,</span> <span class="n">tags</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">Authentication</span><span class="sh">"</span><span class="p">])</span> <span class="nd">@router.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/login</span><span class="sh">"</span><span class="p">,</span> <span class="n">response_model</span><span class="o">=</span><span class="n">TokenResponse</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">login</span><span class="p">(</span> <span class="n">credentials</span><span class="p">:</span> <span class="n">UserLogin</span><span class="p">,</span> <span class="n">db</span><span class="p">:</span> <span class="n">AsyncSession</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">get_db</span><span class="p">)</span> <span class="p">):</span> <span class="sh">"""</span><span class="s"> Authenticate user and return access + refresh tokens. </span><span class="sh">"""</span> <span class="c1"># Get user by email </span> <span class="n">user</span> <span class="o">=</span> <span class="k">await</span> <span class="n">user_repository</span><span class="p">.</span><span class="nf">get_by_email</span><span class="p">(</span><span class="n">db</span><span class="p">,</span> <span class="n">credentials</span><span class="p">.</span><span class="n">email</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">user</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span> <span class="n">status_code</span><span class="o">=</span><span class="n">status</span><span class="p">.</span><span class="n">HTTP_401_UNAUTHORIZED</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Incorrect email or password</span><span class="sh">"</span> <span class="p">)</span> <span class="c1"># Verify password </span> <span class="k">if</span> <span class="ow">not</span> <span class="nf">verify_password</span><span class="p">(</span><span class="n">credentials</span><span class="p">.</span><span class="n">password</span><span class="p">,</span> <span class="n">user</span><span class="p">.</span><span class="n">hashed_password</span><span class="p">):</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span> <span class="n">status_code</span><span class="o">=</span><span class="n">status</span><span class="p">.</span><span class="n">HTTP_401_UNAUTHORIZED</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Incorrect email or password</span><span class="sh">"</span> <span class="p">)</span> <span class="c1"># Check if user is active </span> <span class="k">if</span> <span class="ow">not</span> <span class="n">user</span><span class="p">.</span><span class="n">is_active</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span> <span class="n">status_code</span><span class="o">=</span><span class="n">status</span><span class="p">.</span><span class="n">HTTP_403_FORBIDDEN</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">User account is inactive</span><span class="sh">"</span> <span class="p">)</span> <span class="c1"># Generate tokens </span> <span class="n">access_token</span> <span class="o">=</span> <span class="nf">create_access_token</span><span class="p">(</span><span class="n">data</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">sub</span><span class="sh">"</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="n">user</span><span class="p">.</span><span class="nb">id</span><span class="p">)})</span> <span class="n">refresh_token</span> <span class="o">=</span> <span class="nf">create_refresh_token</span><span class="p">(</span><span class="n">data</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">sub</span><span class="sh">"</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="n">user</span><span class="p">.</span><span class="nb">id</span><span class="p">)})</span> <span class="k">return</span> <span class="nc">TokenResponse</span><span class="p">(</span> <span class="n">access_token</span><span class="o">=</span><span class="n">access_token</span><span class="p">,</span> <span class="n">refresh_token</span><span class="o">=</span><span class="n">refresh_token</span><span class="p">,</span> <span class="n">token_type</span><span class="o">=</span><span class="sh">"</span><span class="s">bearer</span><span class="sh">"</span> <span class="p">)</span> </code></pre> </div> <p><strong>Security considerations:</strong></p> <ol> <li>✅ Generic error messages (don't reveal if email exists)</li> <li>✅ Password verification before any other checks</li> <li>✅ Account status validation</li> <li>✅ Proper HTTP status codes</li> </ol> <h4> <strong>5. Token Refresh Flow</strong> </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@router.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/refresh</span><span class="sh">"</span><span class="p">,</span> <span class="n">response_model</span><span class="o">=</span><span class="n">TokenResponse</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">refresh_access_token</span><span class="p">(</span> <span class="n">refresh_token</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">db</span><span class="p">:</span> <span class="n">AsyncSession</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">get_db</span><span class="p">)</span> <span class="p">):</span> <span class="sh">"""</span><span class="s"> Generate new access token using refresh token. </span><span class="sh">"""</span> <span class="n">credentials_exception</span> <span class="o">=</span> <span class="nc">HTTPException</span><span class="p">(</span> <span class="n">status_code</span><span class="o">=</span><span class="n">status</span><span class="p">.</span><span class="n">HTTP_401_UNAUTHORIZED</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Could not validate refresh token</span><span class="sh">"</span> <span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="c1"># Decode refresh token </span> <span class="n">payload</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span> <span class="n">refresh_token</span><span class="p">,</span> <span class="n">settings</span><span class="p">.</span><span class="n">REFRESH_SECRET_KEY</span><span class="p">,</span> <span class="n">algorithms</span><span class="o">=</span><span class="p">[</span><span class="n">settings</span><span class="p">.</span><span class="n">ALGORITHM</span><span class="p">]</span> <span class="p">)</span> <span class="n">user_id</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="n">payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">sub</span><span class="sh">"</span><span class="p">)</span> <span class="n">token_type</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="n">payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">user_id</span> <span class="ow">is</span> <span class="bp">None</span> <span class="ow">or</span> <span class="n">token_type</span> <span class="o">!=</span> <span class="sh">"</span><span class="s">refresh</span><span class="sh">"</span><span class="p">:</span> <span class="k">raise</span> <span class="n">credentials_exception</span> <span class="k">except</span> <span class="n">JWTError</span><span class="p">:</span> <span class="k">raise</span> <span class="n">credentials_exception</span> <span class="c1"># Verify user still exists and is active </span> <span class="n">user</span> <span class="o">=</span> <span class="k">await</span> <span class="n">user_repository</span><span class="p">.</span><span class="nf">get_by_id</span><span class="p">(</span><span class="n">db</span><span class="p">,</span> <span class="nc">UUID</span><span class="p">(</span><span class="n">user_id</span><span class="p">))</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">user</span> <span class="ow">or</span> <span class="ow">not</span> <span class="n">user</span><span class="p">.</span><span class="n">is_active</span><span class="p">:</span> <span class="k">raise</span> <span class="n">credentials_exception</span> <span class="c1"># Generate new access token </span> <span class="n">new_access_token</span> <span class="o">=</span> <span class="nf">create_access_token</span><span class="p">(</span><span class="n">data</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">sub</span><span class="sh">"</span><span class="p">:</span> <span class="n">user_id</span><span class="p">})</span> <span class="k">return</span> <span class="nc">TokenResponse</span><span class="p">(</span> <span class="n">access_token</span><span class="o">=</span><span class="n">new_access_token</span><span class="p">,</span> <span class="n">refresh_token</span><span class="o">=</span><span class="n">refresh_token</span><span class="p">,</span> <span class="c1"># Reuse refresh token </span> <span class="n">token_type</span><span class="o">=</span><span class="sh">"</span><span class="s">bearer</span><span class="sh">"</span> <span class="p">)</span> </code></pre> </div> <p><strong>Why this approach?</strong></p> <ul> <li>Access tokens expire quickly (security)</li> <li>Refresh tokens last longer (user experience)</li> <li>User doesn't need to re-login every 15 minutes</li> <li>Compromised access token has limited damage window</li> </ul> <h3> Real Challenge: Token Storage Strategy </h3> <p><strong>The Question:</strong> Where do clients store JWT tokens?</p> <p><strong>Options I considered:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Storage Method</th> <th>Pros</th> <th>Cons</th> <th>My Choice</th> </tr> </thead> <tbody> <tr> <td><strong>localStorage</strong></td> <td>Simple, persists across tabs</td> <td>XSS vulnerable</td> <td>✅ Used (with CSP headers)</td> </tr> <tr> <td><strong>httpOnly Cookies</strong></td> <td>XSS safe</td> <td>Needs CSRF protection, CORS complexity</td> <td>Future improvement</td> </tr> <tr> <td><strong>Memory (state)</strong></td> <td>Most secure</td> <td>Lost on refresh, UX issues</td> <td>Not practical</td> </tr> </tbody> </table></div> <p><strong>For this project:</strong></p> <ul> <li>Documented the trade-offs in code comments</li> <li>Implemented localStorage for simplicity</li> <li>Added Content Security Policy headers</li> <li>Noted httpOnly cookies as production improvement</li> </ul> <p><strong>Lesson learned:</strong> Perfect security doesn't exist. Understand trade-offs, document decisions, implement appropriate for context.</p> <h3> The Bug That Taught Me the Most </h3> <p>My first refresh token implementation worked.</p> <p>It decoded the token.<br> It generated a new access token.<br> It returned 200 OK.</p> <p>It was also insecure.</p> <p>I forgot to check:</p> <ul> <li>If the user still existed</li> <li>If the user was still active</li> </ul> <p>Meaning a banned user could still refresh tokens.</p> <p>The fix:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">user</span> <span class="o">=</span> <span class="k">await</span> <span class="n">user_repository</span><span class="p">.</span><span class="nf">get_by_id</span><span class="p">(</span><span class="n">db</span><span class="p">,</span> <span class="nc">UUID</span><span class="p">(</span><span class="n">user_id</span><span class="p">))</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">user</span> <span class="ow">or</span> <span class="ow">not</span> <span class="n">user</span><span class="p">.</span><span class="n">is_active</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Invalid user</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>That bug changed how I think about "working code."</p> <p>Working ≠ Secure<br> Passing tests ≠ Safe</p> <h2> 📦 Repository Pattern in Practice </h2> <p>In Spring Boot, repositories are generated for you.</p> <p>In FastAPI, you write them.</p> <p>Explicitly.</p> <p>I implemented a generic base repository:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">BaseRepository</span><span class="p">(</span><span class="n">Generic</span><span class="p">[</span><span class="n">ModelType</span><span class="p">]):</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_by_id</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">db</span><span class="p">:</span> <span class="n">AsyncSession</span><span class="p">,</span> <span class="nb">id</span><span class="p">:</span> <span class="n">UUID</span><span class="p">):</span> <span class="n">result</span> <span class="o">=</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="nf">select</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">model</span><span class="p">).</span><span class="nf">where</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">model</span><span class="p">.</span><span class="nb">id</span> <span class="o">==</span> <span class="nb">id</span><span class="p">)</span> <span class="p">)</span> <span class="k">return</span> <span class="n">result</span><span class="p">.</span><span class="nf">scalar_one_or_none</span><span class="p">()</span> </code></pre> </div> <p>Then extended it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">TaskRepository</span><span class="p">(</span><span class="n">BaseRepository</span><span class="p">[</span><span class="n">Task</span><span class="p">]):</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_by_user</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">db</span><span class="p">:</span> <span class="n">AsyncSession</span><span class="p">,</span> <span class="n">user_id</span><span class="p">:</span> <span class="n">UUID</span><span class="p">):</span> <span class="n">result</span> <span class="o">=</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="nf">select</span><span class="p">(</span><span class="n">Task</span><span class="p">)</span> <span class="p">.</span><span class="nf">where</span><span class="p">(</span><span class="n">Task</span><span class="p">.</span><span class="n">user_id</span> <span class="o">==</span> <span class="n">user_id</span><span class="p">)</span> <span class="p">.</span><span class="nf">order_by</span><span class="p">(</span><span class="n">Task</span><span class="p">.</span><span class="n">created_at</span><span class="p">.</span><span class="nf">desc</span><span class="p">())</span> <span class="p">)</span> <span class="k">return</span> <span class="n">result</span><span class="p">.</span><span class="nf">scalars</span><span class="p">().</span><span class="nf">all</span><span class="p">()</span> </code></pre> </div> <p>Benefits:</p> <ul> <li>Centralized query logic</li> <li>Cleaner services</li> <li>Easier unit testing</li> <li>Reusable across features</li> </ul> <p>At first, it felt verbose.</p> <p>Later, it felt disciplined.</p> <h3> Real Challenge: Async Session Management </h3> <p><strong>The Problem I Hit:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># WRONG - This caused session closure errors </span><span class="k">async</span> <span class="k">def</span> <span class="nf">get_tasks</span><span class="p">(</span><span class="n">db</span><span class="p">:</span> <span class="n">AsyncSession</span><span class="p">,</span> <span class="n">user_id</span><span class="p">:</span> <span class="n">UUID</span><span class="p">):</span> <span class="n">tasks</span> <span class="o">=</span> <span class="k">await</span> <span class="n">task_repository</span><span class="p">.</span><span class="nf">get_by_user</span><span class="p">(</span><span class="n">db</span><span class="p">,</span> <span class="n">user_id</span><span class="p">)</span> <span class="c1"># Session closes here </span> <span class="k">for</span> <span class="n">task</span> <span class="ow">in</span> <span class="n">tasks</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="n">task</span><span class="p">.</span><span class="n">category</span><span class="p">.</span><span class="n">name</span><span class="p">)</span> <span class="c1"># ERROR: Session closed! </span></code></pre> </div> <p><strong>Why?</strong> SQLAlchemy's async sessions close after the query completes. Accessing related objects (like <code>task.category</code>) requires the session to still be open.</p> <p><strong>The Solution:</strong></p> <ol> <li> <strong>Eager loading with <code>selectinload</code>:</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">sqlalchemy.orm</span> <span class="kn">import</span> <span class="n">selectinload</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_by_user_with_category</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="n">db</span><span class="p">:</span> <span class="n">AsyncSession</span><span class="p">,</span> <span class="n">user_id</span><span class="p">:</span> <span class="n">UUID</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="n">List</span><span class="p">[</span><span class="n">Task</span><span class="p">]:</span> <span class="sh">"""</span><span class="s">Get tasks with categories eagerly loaded.</span><span class="sh">"""</span> <span class="n">result</span> <span class="o">=</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="nf">select</span><span class="p">(</span><span class="n">Task</span><span class="p">)</span> <span class="p">.</span><span class="nf">options</span><span class="p">(</span><span class="nf">selectinload</span><span class="p">(</span><span class="n">Task</span><span class="p">.</span><span class="n">category</span><span class="p">))</span> <span class="p">.</span><span class="nf">where</span><span class="p">(</span><span class="n">Task</span><span class="p">.</span><span class="n">user_id</span> <span class="o">==</span> <span class="n">user_id</span><span class="p">)</span> <span class="p">)</span> <span class="k">return</span> <span class="n">result</span><span class="p">.</span><span class="nf">scalars</span><span class="p">().</span><span class="nf">all</span><span class="p">()</span> </code></pre> </div> <ol> <li> <strong>Access relationships within session scope:</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">get_task_with_details</span><span class="p">(</span> <span class="n">db</span><span class="p">:</span> <span class="n">AsyncSession</span><span class="p">,</span> <span class="n">task_id</span><span class="p">:</span> <span class="n">UUID</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">dict</span><span class="p">]:</span> <span class="sh">"""</span><span class="s">Get task with all related data.</span><span class="sh">"""</span> <span class="n">task</span> <span class="o">=</span> <span class="k">await</span> <span class="n">task_repository</span><span class="p">.</span><span class="nf">get_by_id</span><span class="p">(</span><span class="n">db</span><span class="p">,</span> <span class="n">task_id</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">task</span><span class="p">:</span> <span class="k">return</span> <span class="bp">None</span> <span class="c1"># Access relationships while session is active </span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">:</span> <span class="n">task</span><span class="p">.</span><span class="nb">id</span><span class="p">,</span> <span class="sh">"</span><span class="s">title</span><span class="sh">"</span><span class="p">:</span> <span class="n">task</span><span class="p">.</span><span class="n">title</span><span class="p">,</span> <span class="sh">"</span><span class="s">category</span><span class="sh">"</span><span class="p">:</span> <span class="n">task</span><span class="p">.</span><span class="n">category</span><span class="p">.</span><span class="n">name</span> <span class="k">if</span> <span class="n">task</span><span class="p">.</span><span class="n">category</span> <span class="k">else</span> <span class="bp">None</span><span class="p">,</span> <span class="sh">"</span><span class="s">user</span><span class="sh">"</span><span class="p">:</span> <span class="n">task</span><span class="p">.</span><span class="n">owner</span><span class="p">.</span><span class="n">username</span> <span class="p">}</span> </code></pre> </div> <p><strong>Lesson learned:</strong> Async requires explicit relationship loading. Plan your queries based on what data you'll need.</p> <h2> ⚙️ Service Layer Development </h2> <h3> Purpose of Service Layer </h3> <p><strong>Why not put business logic in routes?</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># BAD - Business logic in routes </span><span class="nd">@router.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/tasks</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">create_task</span><span class="p">(</span><span class="n">task_in</span><span class="p">:</span> <span class="n">TaskCreate</span><span class="p">,</span> <span class="n">db</span><span class="p">:</span> <span class="n">AsyncSession</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">get_db</span><span class="p">)):</span> <span class="c1"># Validation logic here </span> <span class="c1"># Database operations here </span> <span class="c1"># Error handling here </span> <span class="c1"># All mixed together! </span></code></pre> </div> <p><strong>Better - Service layer:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># GOOD - Clean separation </span><span class="nd">@router.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/tasks</span><span class="sh">"</span><span class="p">,</span> <span class="n">response_model</span><span class="o">=</span><span class="n">TaskResponse</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">create_task</span><span class="p">(</span> <span class="n">task_in</span><span class="p">:</span> <span class="n">TaskCreate</span><span class="p">,</span> <span class="n">current_user</span><span class="p">:</span> <span class="n">User</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">get_current_user</span><span class="p">),</span> <span class="n">db</span><span class="p">:</span> <span class="n">AsyncSession</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">get_db</span><span class="p">)</span> <span class="p">):</span> <span class="k">return</span> <span class="k">await</span> <span class="n">task_service</span><span class="p">.</span><span class="nf">create_task</span><span class="p">(</span><span class="n">db</span><span class="p">,</span> <span class="n">task_in</span><span class="p">,</span> <span class="n">current_user</span><span class="p">.</span><span class="nb">id</span><span class="p">)</span> </code></pre> </div> <p><strong>Benefits:</strong></p> <ul> <li>Routes handle HTTP concerns only</li> <li>Services contain business logic</li> <li>Easier to test services independently</li> <li>Reusable business logic</li> </ul> <p>Business logic doesn't belong in routes.</p> <p>So I moved rules into services:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">create_task</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="n">db</span><span class="p">:</span> <span class="n">AsyncSession</span><span class="p">,</span> <span class="n">task_in</span><span class="p">:</span> <span class="n">TaskCreate</span><span class="p">,</span> <span class="n">user_id</span><span class="p">:</span> <span class="n">UUID</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="n">Task</span><span class="p">:</span> <span class="k">if</span> <span class="n">task_in</span><span class="p">.</span><span class="n">due_date</span> <span class="ow">and</span> <span class="n">task_in</span><span class="p">.</span><span class="n">due_date</span> <span class="o">&lt;</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">utcnow</span><span class="p">():</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span> <span class="n">status_code</span><span class="o">=</span><span class="mi">400</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Due date must be in the future</span><span class="sh">"</span> <span class="p">)</span> <span class="n">task_data</span> <span class="o">=</span> <span class="n">task_in</span><span class="p">.</span><span class="nf">dict</span><span class="p">()</span> <span class="n">task_data</span><span class="p">[</span><span class="sh">"</span><span class="s">user_id</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="n">user_id</span> <span class="k">return</span> <span class="k">await</span> <span class="n">task_repository</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span><span class="n">db</span><span class="p">,</span> <span class="n">task_data</span><span class="p">)</span> </code></pre> </div> <p>Now:</p> <ul> <li>Routes handle HTTP</li> <li>Services enforce rules</li> <li>Repositories manage data</li> </ul> <p>The architecture from Part 1 finally paid off here.</p> <h2> 🔧 CRUD Operations </h2> <p><strong>Routes → Services → Repositories pattern in action.</strong></p> <p><strong>What makes this production-ready?</strong></p> <ol> <li>✅ <strong>Clear documentation</strong> (auto-generated in Swagger)</li> <li>✅ <strong>Input validation</strong> (Pydantic schemas)</li> <li>✅ <strong>Authorization</strong> (user can only access their tasks)</li> <li>✅ <strong>Proper HTTP status codes</strong> </li> <li>✅ <strong>Type hints</strong> (IDE autocomplete, catch errors)</li> <li>✅ <strong>Pagination</strong> (prevent large response payloads)</li> <li>✅ <strong>Filtering &amp; search</strong> (flexible queries)</li> </ol> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@router.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">,</span> <span class="n">response_model</span><span class="o">=</span><span class="n">List</span><span class="p">[</span><span class="n">TaskResponse</span><span class="p">])</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_tasks</span><span class="p">(</span> <span class="n">status</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="n">TaskStatus</span><span class="p">]</span> <span class="o">=</span> <span class="nc">Query</span><span class="p">(</span><span class="bp">None</span><span class="p">),</span> <span class="n">search</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="o">=</span> <span class="nc">Query</span><span class="p">(</span><span class="bp">None</span><span class="p">),</span> <span class="n">current_user</span><span class="p">:</span> <span class="n">User</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">get_current_user</span><span class="p">),</span> <span class="n">db</span><span class="p">:</span> <span class="n">AsyncSession</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">get_db</span><span class="p">)</span> <span class="p">):</span> <span class="k">return</span> <span class="k">await</span> <span class="n">task_service</span><span class="p">.</span><span class="nf">get_user_tasks</span><span class="p">(</span> <span class="n">db</span><span class="p">,</span> <span class="n">current_user</span><span class="p">.</span><span class="nb">id</span><span class="p">,</span> <span class="n">status</span><span class="o">=</span><span class="n">status</span><span class="p">,</span> <span class="n">search</span><span class="o">=</span><span class="n">search</span> <span class="p">)</span> </code></pre> </div> <p>Underneath that simple endpoint is:</p> <ul> <li>Query composition</li> <li>Security enforcement</li> <li>Async session handling</li> </ul> <p>"Simple" rarely stays simple at scale.</p> <h2> 🚀 Advanced Features </h2> <h3> 1. Rate Limiting with SlowAPI </h3> <p><strong>Why rate limiting?</strong></p> <ul> <li>Prevent brute force attacks on auth endpoints</li> <li>Protect against API abuse</li> <li>Ensure fair resource usage</li> </ul> <p><strong>Configuration by endpoint type:</strong></p> <ul> <li>Auth endpoints: 5 requests/minute</li> <li>Regular endpoints: 100 requests/minute</li> <li>Global limit: Configurable per environment</li> </ul> <p><strong>Real challenge:</strong> SlowAPI needed custom middleware configuration on Render. Spent time debugging connection pooling and Redis integration options.</p> <h3> 2. Advanced Filtering &amp; Pagination </h3> <p><strong>Requirements:</strong></p> <ul> <li>Filter by status, priority, category</li> <li>Search in title/description</li> <li>Date range queries</li> <li>Pagination with metadata</li> </ul> <p><strong>Benefits:</strong></p> <ul> <li>Flexible filtering combinations</li> <li>Consistent pagination structure</li> <li>Metadata for building UI pagination</li> <li>Type-safe responses</li> </ul> <h3> 3. Full-Text Search </h3> <p><strong>Simple but effective search implementation:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">search_tasks</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="n">db</span><span class="p">:</span> <span class="n">AsyncSession</span><span class="p">,</span> <span class="n">user_id</span><span class="p">:</span> <span class="n">UUID</span><span class="p">,</span> <span class="n">search_query</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">skip</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="mi">0</span><span class="p">,</span> <span class="n">limit</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="mi">100</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="n">List</span><span class="p">[</span><span class="n">Task</span><span class="p">]:</span> <span class="sh">"""</span><span class="s"> Search tasks by title or description. Case-insensitive partial match. </span><span class="sh">"""</span> <span class="n">search_pattern</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">%</span><span class="si">{</span><span class="n">search_query</span><span class="si">}</span><span class="s">%</span><span class="sh">"</span> <span class="n">result</span> <span class="o">=</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="nf">select</span><span class="p">(</span><span class="n">Task</span><span class="p">)</span> <span class="p">.</span><span class="nf">where</span><span class="p">(</span> <span class="nf">and_</span><span class="p">(</span> <span class="n">Task</span><span class="p">.</span><span class="n">user_id</span> <span class="o">==</span> <span class="n">user_id</span><span class="p">,</span> <span class="nf">or_</span><span class="p">(</span> <span class="n">Task</span><span class="p">.</span><span class="n">title</span><span class="p">.</span><span class="nf">ilike</span><span class="p">(</span><span class="n">search_pattern</span><span class="p">),</span> <span class="n">Task</span><span class="p">.</span><span class="n">description</span><span class="p">.</span><span class="nf">ilike</span><span class="p">(</span><span class="n">search_pattern</span><span class="p">)</span> <span class="p">)</span> <span class="p">)</span> <span class="p">)</span> <span class="p">.</span><span class="nf">offset</span><span class="p">(</span><span class="n">skip</span><span class="p">)</span> <span class="p">.</span><span class="nf">limit</span><span class="p">(</span><span class="n">limit</span><span class="p">)</span> <span class="p">)</span> <span class="k">return</span> <span class="n">result</span><span class="p">.</span><span class="nf">scalars</span><span class="p">().</span><span class="nf">all</span><span class="p">()</span> </code></pre> </div> <p><strong>For future improvement:</strong></p> <ul> <li>PostgreSQL full-text search with <code>tsvector</code> </li> <li>Search ranking/relevance scoring</li> <li>Elasticsearch integration for large datasets</li> </ul> <h3> 4. Error Handling &amp; Logging </h3> <p><strong>Centralized exception handling:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app/core/exceptions.py </span><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">HTTPException</span> <span class="k">class</span> <span class="nc">TaskNotFoundError</span><span class="p">(</span><span class="n">HTTPException</span><span class="p">):</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="nf">super</span><span class="p">().</span><span class="nf">__init__</span><span class="p">(</span> <span class="n">status_code</span><span class="o">=</span><span class="mi">404</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Task not found</span><span class="sh">"</span> <span class="p">)</span> <span class="k">class</span> <span class="nc">UnauthorizedTaskAccessError</span><span class="p">(</span><span class="n">HTTPException</span><span class="p">):</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="nf">super</span><span class="p">().</span><span class="nf">__init__</span><span class="p">(</span> <span class="n">status_code</span><span class="o">=</span><span class="mi">403</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Not authorized to access this task</span><span class="sh">"</span> <span class="p">)</span> <span class="c1"># app/main.py </span><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">Request</span> <span class="kn">from</span> <span class="n">fastapi.responses</span> <span class="kn">import</span> <span class="n">JSONResponse</span> <span class="nd">@app.exception_handler</span><span class="p">(</span><span class="nb">Exception</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">global_exception_handler</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">,</span> <span class="n">exc</span><span class="p">:</span> <span class="nb">Exception</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Global exception handler for unexpected errors.</span><span class="sh">"""</span> <span class="n">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Unhandled exception: </span><span class="si">{</span><span class="n">exc</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">exc_info</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">return</span> <span class="nc">JSONResponse</span><span class="p">(</span> <span class="n">status_code</span><span class="o">=</span><span class="mi">500</span><span class="p">,</span> <span class="n">content</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">detail</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Internal server error</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">path</span><span class="sh">"</span><span class="p">:</span> <span class="n">request</span><span class="p">.</span><span class="n">url</span><span class="p">.</span><span class="n">path</span> <span class="p">}</span> <span class="p">)</span> </code></pre> </div> <p><strong>Request/Response logging:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app/core/monitoring.py </span><span class="kn">import</span> <span class="n">time</span> <span class="kn">import</span> <span class="n">logging</span> <span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">Request</span> <span class="n">logger</span> <span class="o">=</span> <span class="n">logging</span><span class="p">.</span><span class="nf">getLogger</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="nd">@app.middleware</span><span class="p">(</span><span class="sh">"</span><span class="s">http</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">log_requests</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">,</span> <span class="n">call_next</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Log all HTTP requests with timing.</span><span class="sh">"""</span> <span class="n">start_time</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="c1"># Log request </span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">request</span><span class="p">.</span><span class="n">method</span><span class="si">}</span><span class="s"> </span><span class="si">{</span><span class="n">request</span><span class="p">.</span><span class="n">url</span><span class="p">.</span><span class="n">path</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Process request </span> <span class="n">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">call_next</span><span class="p">(</span><span class="n">request</span><span class="p">)</span> <span class="c1"># Calculate duration </span> <span class="n">duration</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">-</span> <span class="n">start_time</span> <span class="c1"># Log response </span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">request</span><span class="p">.</span><span class="n">method</span><span class="si">}</span><span class="s"> </span><span class="si">{</span><span class="n">request</span><span class="p">.</span><span class="n">url</span><span class="p">.</span><span class="n">path</span><span class="si">}</span><span class="s"> </span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">- </span><span class="si">{</span><span class="n">response</span><span class="p">.</span><span class="n">status_code</span><span class="si">}</span><span class="s"> - </span><span class="si">{</span><span class="n">duration</span><span class="si">:</span><span class="p">.</span><span class="mi">3</span><span class="n">f</span><span class="si">}</span><span class="s">s</span><span class="sh">"</span> <span class="p">)</span> <span class="k">return</span> <span class="n">response</span> </code></pre> </div> <p><strong>Benefits:</strong></p> <ul> <li>Consistent error responses</li> <li>Request tracing for debugging</li> <li>Performance monitoring</li> <li>Production-ready logging</li> </ul> <h2> 🚧 Real Challenges &amp; Solutions </h2> <h3> Challenge 1: Async Session Closure </h3> <p><strong>The Problem:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># This caused "Session is already closed" errors </span><span class="k">async</span> <span class="k">def</span> <span class="nf">get_task_with_category</span><span class="p">(</span><span class="n">db</span><span class="p">:</span> <span class="n">AsyncSession</span><span class="p">,</span> <span class="n">task_id</span><span class="p">:</span> <span class="n">UUID</span><span class="p">):</span> <span class="n">task</span> <span class="o">=</span> <span class="k">await</span> <span class="n">task_repository</span><span class="p">.</span><span class="nf">get_by_id</span><span class="p">(</span><span class="n">db</span><span class="p">,</span> <span class="n">task_id</span><span class="p">)</span> <span class="c1"># Session closes after repository call </span> <span class="n">category_name</span> <span class="o">=</span> <span class="n">task</span><span class="p">.</span><span class="n">category</span><span class="p">.</span><span class="n">name</span> <span class="c1"># ERROR! </span></code></pre> </div> <p><strong>Why it happened:</strong></p> <ul> <li>SQLAlchemy async sessions have shorter lifecycle</li> <li>Relationships not loaded by default</li> <li>Accessing unloaded relationships after session closes → error</li> </ul> <p><strong>The Solution:</strong></p> <ol> <li> <strong>Eager loading:</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">sqlalchemy.orm</span> <span class="kn">import</span> <span class="n">selectinload</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_by_id_with_relations</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="n">db</span><span class="p">:</span> <span class="n">AsyncSession</span><span class="p">,</span> <span class="n">task_id</span><span class="p">:</span> <span class="n">UUID</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="n">Optional</span><span class="p">[</span><span class="n">Task</span><span class="p">]:</span> <span class="n">result</span> <span class="o">=</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="nf">select</span><span class="p">(</span><span class="n">Task</span><span class="p">)</span> <span class="p">.</span><span class="nf">options</span><span class="p">(</span> <span class="nf">selectinload</span><span class="p">(</span><span class="n">Task</span><span class="p">.</span><span class="n">category</span><span class="p">),</span> <span class="nf">selectinload</span><span class="p">(</span><span class="n">Task</span><span class="p">.</span><span class="n">owner</span><span class="p">)</span> <span class="p">)</span> <span class="p">.</span><span class="nf">where</span><span class="p">(</span><span class="n">Task</span><span class="p">.</span><span class="nb">id</span> <span class="o">==</span> <span class="n">task_id</span><span class="p">)</span> <span class="p">)</span> <span class="k">return</span> <span class="n">result</span><span class="p">.</span><span class="nf">scalar_one_or_none</span><span class="p">()</span> </code></pre> </div> <ol> <li> <strong>Access within session scope:</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">get_task_details</span><span class="p">(</span><span class="n">db</span><span class="p">:</span> <span class="n">AsyncSession</span><span class="p">,</span> <span class="n">task_id</span><span class="p">:</span> <span class="n">UUID</span><span class="p">):</span> <span class="n">task</span> <span class="o">=</span> <span class="k">await</span> <span class="n">task_repository</span><span class="p">.</span><span class="nf">get_by_id</span><span class="p">(</span><span class="n">db</span><span class="p">,</span> <span class="n">task_id</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">task</span><span class="p">:</span> <span class="k">return</span> <span class="bp">None</span> <span class="c1"># Access all relationships while session is active </span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">:</span> <span class="n">task</span><span class="p">.</span><span class="nb">id</span><span class="p">,</span> <span class="sh">"</span><span class="s">title</span><span class="sh">"</span><span class="p">:</span> <span class="n">task</span><span class="p">.</span><span class="n">title</span><span class="p">,</span> <span class="sh">"</span><span class="s">category</span><span class="sh">"</span><span class="p">:</span> <span class="n">task</span><span class="p">.</span><span class="n">category</span><span class="p">.</span><span class="n">name</span> <span class="k">if</span> <span class="n">task</span><span class="p">.</span><span class="n">category</span> <span class="k">else</span> <span class="bp">None</span> <span class="p">}</span> </code></pre> </div> <p><strong>Time lost:</strong> ~3 hours debugging various "session closed" errors</p> <p><strong>Lesson learned:</strong> With async SQLAlchemy, plan your data access patterns. Decide upfront what relationships you'll need.</p> <h3> Challenge 2: Repository Pattern Adaptation </h3> <p><strong>The Struggle:</strong></p> <p>Coming from Spring Boot's <code>JpaRepository</code>, I initially wrote this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># WRONG - Trying to replicate Spring Boot directly </span><span class="k">class</span> <span class="nc">TaskRepository</span><span class="p">:</span> <span class="k">def</span> <span class="nf">find_by_user_id</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">user_id</span><span class="p">:</span> <span class="n">UUID</span><span class="p">):</span> <span class="c1"># Sync! </span> <span class="c1"># How do I make this async? </span></code></pre> </div> <p>Spring Boot's repository interfaces work because of proxy magic at runtime.</p> <p>FastAPI doesn't have that.</p> <p><strong>The Solution:</strong></p> <p>Accept that Python is explicit, not magic:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># RIGHT - Explicit async </span><span class="k">class</span> <span class="nc">TaskRepository</span><span class="p">:</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_by_user</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="n">db</span><span class="p">:</span> <span class="n">AsyncSession</span><span class="p">,</span> <span class="c1"># Explicit session </span> <span class="n">user_id</span><span class="p">:</span> <span class="n">UUID</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="n">List</span><span class="p">[</span><span class="n">Task</span><span class="p">]:</span> <span class="n">result</span> <span class="o">=</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="nf">select</span><span class="p">(</span><span class="n">Task</span><span class="p">).</span><span class="nf">where</span><span class="p">(</span><span class="n">Task</span><span class="p">.</span><span class="n">user_id</span> <span class="o">==</span> <span class="n">user_id</span><span class="p">)</span> <span class="p">)</span> <span class="k">return</span> <span class="n">result</span><span class="p">.</span><span class="nf">scalars</span><span class="p">().</span><span class="nf">all</span><span class="p">()</span> </code></pre> </div> <p><strong>Lesson learned:</strong> Don't fight the language. FastAPI's explicitness is a feature, not a bug. It makes dependencies clear and testable.</p> <h3> Challenge 3: Token Refresh Logic </h3> <p><strong>The Problem:</strong></p> <p>First implementation of token refresh had a security flaw:</p> <p><strong>What's wrong?</strong></p> <ul> <li>Doesn't check if user still exists</li> <li>Doesn't check if user is still active</li> <li>Could issue tokens for deleted/banned users</li> </ul> <p><strong>Time to discover:</strong> 2 days (caught during security review)</p> <p><strong>Lesson learned:</strong> JWT tokens are stateless, but security checks shouldn't be. Always validate against source of truth (database).</p> <h3> Challenge 4: Rate Limiting on Render </h3> <p><strong>The Problem:</strong></p> <p>SlowAPI worked perfectly locally, but failed on Render:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>SlowAPI: Failed to connect to Redis Rate limiting disabled </code></pre> </div> <p><strong>Why?</strong></p> <p>Render's free tier doesn't include Redis.<br> SlowAPI uses Redis for distributed rate limiting.</p> <p><strong>The Solution:</strong></p> <p>Switch to in-memory rate limiting for free tier:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app/core/rate_limiter.py </span><span class="kn">from</span> <span class="n">slowapi</span> <span class="kn">import</span> <span class="n">Limiter</span> <span class="kn">from</span> <span class="n">slowapi.util</span> <span class="kn">import</span> <span class="n">get_remote_address</span> <span class="kn">from</span> <span class="n">slowapi.middleware</span> <span class="kn">import</span> <span class="n">SlowAPIMiddleware</span> <span class="c1"># Use in-memory storage (single instance) </span><span class="n">limiter</span> <span class="o">=</span> <span class="nc">Limiter</span><span class="p">(</span> <span class="n">key_func</span><span class="o">=</span><span class="n">get_remote_address</span><span class="p">,</span> <span class="n">storage_uri</span><span class="o">=</span><span class="sh">"</span><span class="s">memory://</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># In-memory instead of Redis </span> <span class="n">enabled</span><span class="o">=</span><span class="bp">True</span> <span class="p">)</span> <span class="c1"># In main.py </span><span class="n">app</span><span class="p">.</span><span class="n">state</span><span class="p">.</span><span class="n">limiter</span> <span class="o">=</span> <span class="n">limiter</span> <span class="n">app</span><span class="p">.</span><span class="nf">add_middleware</span><span class="p">(</span><span class="n">SlowAPIMiddleware</span><span class="p">)</span> </code></pre> </div> <p><strong>Trade-offs:</strong></p> <ul> <li>✅ Works on free tier</li> <li>✅ No external dependencies</li> <li>❌ Not distributed (single instance only)</li> <li>❌ Resets on deployment</li> </ul> <p><strong>For production:</strong> Upgrade to Redis for distributed rate limiting across multiple instances.</p> <p><strong>Lesson learned:</strong> Free tiers have constraints. Design for your deployment environment, not just local development.</p> <h3> Challenge 5: Alembic Migration Conflicts </h3> <p><strong>The Problem:</strong></p> <p>After developing features in parallel (tasks + categories), Alembic migrations conflicted:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>alembic revision --autogenerate Error: Multiple head revisions present </code></pre> </div> <p><strong>Why?</strong></p> <p>Created migrations from different branches without syncing.</p> <p><strong>The Solution:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Merge heads</span> alembic merge heads <span class="nt">-m</span> <span class="s2">"merge task and category features"</span> <span class="c"># Apply merged migration</span> alembic upgrade <span class="nb">head</span> </code></pre> </div> <p><strong>Prevention strategy:</strong></p> <ol> <li>Always pull latest migrations before creating new ones</li> <li>Run <code>alembic upgrade head</code> before creating new migration</li> <li>Use linear migration history (avoid parallel migrations)</li> </ol> <p><strong>Time lost:</strong> 1 hour debugging + fixing migration history</p> <p><strong>Lesson learned:</strong> Database migrations are sequential, not parallel. Coordinate with team (or yourself across branches).</p> <h2> 💡 Lessons Learned </h2> <h3> 1. Async Requires Discipline </h3> <p><strong>Spring Boot (blocking):</strong> Forgiving. Mix sync/async, it'll work (maybe slower).</p> <p><strong>FastAPI (async):</strong> Strict. One blocking call blocks the entire event loop.</p> <p><strong>Key rules:</strong></p> <ul> <li>Always <code>await</code> database calls</li> <li>Use <code>AsyncSession</code>, not <code>Session</code> </li> <li>Don't mix sync and async carelessly</li> <li>Plan async from the start</li> </ul> <h3> 2. Explicit is Better Than Magic </h3> <p><strong>Spring Boot:</strong> Annotations do magic (<code>@Autowired</code>, <code>@Transactional</code>)</p> <p><strong>FastAPI:</strong> Dependency injection is explicit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">get_tasks</span><span class="p">(</span> <span class="n">db</span><span class="p">:</span> <span class="n">AsyncSession</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">get_db</span><span class="p">),</span> <span class="n">current_user</span><span class="p">:</span> <span class="n">User</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">get_current_user</span><span class="p">)</span> <span class="p">):</span> <span class="c1"># Dependencies explicit in function signature </span></code></pre> </div> <p><strong>Initially:</strong> Felt verbose<br> <strong>After building:</strong> Appreciate the clarity</p> <p><strong>Benefit:</strong> Testability. Mock dependencies easily.</p> <h3> 3. Repository Pattern Pays Off </h3> <p>Centralizing database logic in repositories:</p> <ul> <li>✅ Made service layer cleaner</li> <li>✅ Enabled easy testing (mock repositories)</li> <li>✅ Reused queries across services</li> <li>✅ Single source of truth for data access</li> </ul> <p><strong>Worth the upfront effort.</strong></p> <h3> 4. Security is a Process </h3> <p>Built authentication in iterations:</p> <ol> <li>Basic password check</li> <li>Added JWT tokens</li> <li>Added token refresh</li> <li>Added rate limiting</li> <li>Added email verification</li> <li>Added password reset</li> </ol> <p><strong>Each iteration revealed new attack vectors to defend against.</strong></p> <p>Security isn't a feature you add once. It's continuous hardening.</p> <h3> 5. Documentation Writes Itself </h3> <p>FastAPI's auto-generated docs are incredible:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@router.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/tasks</span><span class="sh">"</span><span class="p">,</span> <span class="n">response_model</span><span class="o">=</span><span class="n">TaskResponse</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">create_task</span><span class="p">(</span> <span class="n">task_in</span><span class="p">:</span> <span class="n">TaskCreate</span><span class="p">,</span> <span class="n">current_user</span><span class="p">:</span> <span class="n">User</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">get_current_user</span><span class="p">)</span> <span class="p">):</span> <span class="sh">"""</span><span class="s"> Create a new task. - **title**: Required, 1-200 characters - **priority**: LOW, MEDIUM, HIGH, URGENT </span><span class="sh">"""</span> <span class="k">pass</span> </code></pre> </div> <p><strong>Result:</strong> Interactive Swagger UI with:</p> <ul> <li>All endpoints documented</li> <li>Request/response schemas</li> <li>Try-it-out functionality</li> <li>Type information</li> </ul> <p><strong>No separate documentation tool needed.</strong></p> <h2> 🔮 What's Next: Phase 3 </h2> <p><strong>Coming in Part 3:</strong></p> <h3> Testing </h3> <ul> <li>pytest setup with async support</li> <li>Unit tests for services</li> <li>Integration tests for API endpoints</li> <li>Test coverage &gt; 85%</li> <li>Testing async code patterns</li> </ul> <h3> Deployment </h3> <ul> <li>Docker multi-stage builds</li> <li>Render.com deployment</li> <li>Neon PostgreSQL setup</li> <li>Environment variable management</li> <li>Health checks &amp; monitoring</li> </ul> <h3> Production Features </h3> <ul> <li>Performance metrics</li> <li>Uptime tracking</li> <li>Cost analysis ($0 free tier!)</li> <li>CI/CD pipeline</li> <li>Production best practices</li> </ul> <p><strong>Follow me to get notified when Part 3 drops!</strong></p> <h2> 📝 Complete Code &amp; Resources </h2> <p><strong>GitHub Repository:</strong></p> <ul> <li>🔗 <a href="https://github.com/ravigupta97/task_management_api" rel="noopener noreferrer">https://github.com/ravigupta97/task_management_api</a> </li> <li>Fully documented code</li> <li>Clean commit history</li> <li>README with setup instructions</li> </ul> <p><strong>Live API Documentation:</strong></p> <ul> <li>🚀 <a href="https://task-management-api-a775.onrender.com/docs" rel="noopener noreferrer">https://task-management-api-a775.onrender.com/docs</a> </li> <li>Interactive Swagger UI</li> <li>Try all endpoints</li> <li>See request/response schemas</li> </ul> <p><strong>Key Files to Explore:</strong></p> <ul> <li> <code>app/core/security.py</code> - JWT implementation</li> <li> <code>app/repositories/</code> - Repository pattern</li> <li> <code>app/services/</code> - Business logic layer</li> <li> <code>app/api/v1/</code> - Route handlers</li> </ul> <h2> 🙏 Acknowledgments </h2> <p><strong>Tools &amp; Resources:</strong></p> <ul> <li>FastAPI documentation (exceptional quality)</li> <li>SQLAlchemy 2.0 docs (comprehensive)</li> <li>AI assistants (concept clarification)</li> <li>Open-source community</li> </ul> <p><strong>What helped most:</strong></p> <ul> <li>Reading production FastAPI codebases on GitHub</li> <li>AI tools for understanding complex concepts</li> <li>Trial and error (every bug taught something)</li> </ul> <h2> 💬 Discussion </h2> <p><strong>Questions for you:</strong></p> <ol> <li><strong>How do you handle async session management?</strong></li> <li><strong>What's your approach to API authentication?</strong></li> <li><strong>Repository pattern: overkill or essential?</strong></li> <li><strong>Biggest challenge you've faced with FastAPI?</strong></li> </ol> <p>Let's learn together - comment below! 👇</p> <p><em>This is Part 2 of 3 in my FastAPI journey.</em></p> <ul> <li><em><a href="https://dev.to/ravigupta97/building-a-production-ready-task-management-api-with-fastapi-complete-architecture-guide-25a">Part 1: Architecture &amp; Design</a></em></li> <li><em><a href="https://dev.to/ravigupta97/building-a-production-ready-task-management-api-with-fastapi-testing-deployment-production-1j1c">Part 3: Testing &amp; Deployment</a></em></li> </ul> <p><em>Connect with me:</em></p> <ul> <li><em>LinkedIn: [<a href="https://www.linkedin.com/in/ravigupta97/" rel="noopener noreferrer">https://www.linkedin.com/in/ravigupta97/</a>]</em></li> <li><em>GitHub: [<a href="https://github.com/ravigupta97" rel="noopener noreferrer">https://github.com/ravigupta97</a>]</em></li> </ul> <p><strong>#FastAPI #Python #Backend #JWT #Authentication #API #CleanArchitecture #WebDevelopment #SoftwareEngineering</strong></p> fastapi python api backend Ravi Gupta Mon, 23 Feb 2026 03:31:21 +0000 https://dev.to/ravigupta97/building-a-production-ready-task-management-api-with-fastapi-complete-architecture-guide-25a https://dev.to/ravigupta97/building-a-production-ready-task-management-api-with-fastapi-complete-architecture-guide-25a <h2> Building a Production-Ready Task Management API with FastAPI: Complete Architecture Guide </h2> <blockquote> <p><strong>Context:</strong> After 3 years building backend services with Spring Boot, I decided to explore Python's modern web framework ecosystem. This is Part 1 of a 3-part series documenting my journey building a production-grade REST API with FastAPI.</p> </blockquote> <p>Three weeks ago, I started a new learning project: build a production-ready Task Management API using FastAPI.</p> <p>Not a tutorial-level "TODO app in 100 lines."</p> <p>A real, production-grade application with authentication, proper architecture, database migrations, and deployment-ready code.</p> <p><strong>The goal:</strong> Learn modern Python web development while applying enterprise patterns I knew from Spring Boot.</p> <p><strong>The result:</strong> A fully functional API with 50+ endpoints, JWT authentication, and clean architecture - deployed on free tier infrastructure.</p> <p>This article covers <strong>Phase 1: Architecture &amp; Design</strong> - the foundation that made everything else possible.</p> <h2> 📚 What You'll Learn </h2> <ul> <li>Why FastAPI over Flask/Django (from a Spring Boot developer's perspective)</li> <li>Designing a clean, scalable project architecture</li> <li>Database schema design with PostgreSQL</li> <li>Key technology decisions and trade-offs</li> <li>Mistakes I made and how I fixed them</li> <li>Resources that accelerated my learning</li> </ul> <p><strong>Reading time:</strong> ~12 minutes</p> <p><strong>GitHub Repository:</strong> <a href="https://github.com/ravigupta97/task_management_api" rel="noopener noreferrer">GitHub Repo</a></p> <p><strong>Live API Docs:</strong> <a href="https://task-management-api-a775.onrender.com/docs" rel="noopener noreferrer">API</a></p> <h2> 🎯 The Challenge: From Tutorials to Production </h2> <p>Most FastAPI tutorials teach you this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># main.py - Everything in one file </span><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">read_root</span><span class="p">():</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">Hello</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">World</span><span class="sh">"</span><span class="p">}</span> </code></pre> </div> <p><strong>150 lines. No auth. SQLite. Single file.</strong></p> <p>But production applications need:</p> <p>✅ 50+ endpoints organized logically<br> ✅ User authentication &amp; authorization<br> ✅ Database migrations<br> ✅ Proper error handling<br> ✅ Rate limiting<br> ✅ Clean, testable architecture<br> ✅ Docker deployment<br> ✅ API documentation</p> <p><strong>The gap between tutorials and production is massive.</strong></p> <p>This article bridges that gap.</p> <h2> 🚀 My Background &amp; Motivation </h2> <p><strong>Experience:</strong> Around 3 years backend development with Spring Boot (Java)</p> <p><strong>Why FastAPI?</strong></p> <p>Coming from Spring Boot, I was curious about Python's modern web frameworks:</p> <ul> <li>Django: Too heavy for an API-first project</li> <li>Flask: Popular but felt dated (no native async)</li> <li>FastAPI: Modern, async-first, great docs</li> </ul> <p><strong>The learning goal:</strong> Not just "learn FastAPI" but understand:</p> <ul> <li>How to structure large Python projects</li> <li>Modern async patterns in Python</li> <li>Production-ready API design</li> </ul> <p><strong>Coming from Spring Boot</strong>, I wanted to see:</p> <ul> <li>How Python's simplicity compares to Java's verbosity</li> <li>Whether FastAPI's async is easier than Spring WebFlux</li> <li>If I could apply enterprise patterns (service layer, repositories) in Python</li> </ul> <p><em>Note: This isn't about "which is better" - both Spring Boot and FastAPI are excellent. This was about expanding my toolkit.</em></p> <h2> 🔍 Phase 1 Research: FastAPI vs Flask vs Django </h2> <p><strong>Time spent:</strong> A few days researching frameworks, reading docs, watching talks</p> <h3> Decision Matrix </h3> <p>I created this framework for choosing technologies:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Criteria</th> <th>FastAPI</th> <th>Flask</th> <th>Django</th> </tr> </thead> <tbody> <tr> <td><strong>Async Support</strong></td> <td>✅ Native</td> <td>⚠️ Via extensions</td> <td>⚠️ Limited</td> </tr> <tr> <td><strong>Performance</strong></td> <td>✅ Very fast</td> <td>🟡 Moderate</td> <td>🟡 Moderate</td> </tr> <tr> <td><strong>Auto Docs</strong></td> <td>✅ Swagger/ReDoc</td> <td>❌ Manual</td> <td>❌ DRF only</td> </tr> <tr> <td><strong>Data Validation</strong></td> <td>✅ Pydantic built-in</td> <td>🟡 Libraries needed</td> <td>🟡 DRF serializers</td> </tr> <tr> <td><strong>Learning Curve</strong></td> <td>🟡 Moderate</td> <td>✅ Easy</td> <td>🔴 Steep</td> </tr> <tr> <td><strong>Type Hints</strong></td> <td>✅ Required</td> <td>🟡 Optional</td> <td>🟡 Optional</td> </tr> <tr> <td><strong>API-First</strong></td> <td>✅ Yes</td> <td>🟡 Flexible</td> <td>❌ Full-stack focus</td> </tr> </tbody> </table></div> <h3> Why FastAPI Won </h3> <p><strong>1. Native Async/Await</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># FastAPI - async is first-class </span><span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/tasks</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_tasks</span><span class="p">(</span><span class="n">db</span><span class="p">:</span> <span class="n">AsyncSession</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">get_db</span><span class="p">)):</span> <span class="n">result</span> <span class="o">=</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="nf">select</span><span class="p">(</span><span class="n">Task</span><span class="p">))</span> <span class="k">return</span> <span class="n">result</span><span class="p">.</span><span class="nf">scalars</span><span class="p">().</span><span class="nf">all</span><span class="p">()</span> </code></pre> </div> <p>Clean, intuitive async. No additional configuration needed.</p> <p><strong>2. Auto-Generated API Documentation</strong></p> <p>FastAPI generates interactive Swagger UI automatically:</p> <ul> <li> <code>/docs</code> - Swagger UI</li> <li> <code>/redoc</code> - ReDoc</li> <li> <code>/openapi.json</code> - OpenAPI schema</li> </ul> <p>Zero configuration. Just write your code.</p> <p><strong>3. Built-in Data Validation with Pydantic</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">TaskCreate</span><span class="p">(</span><span class="n">BaseModel</span><span class="p">):</span> <span class="n">title</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="nc">Field</span><span class="p">(</span><span class="n">min_length</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span> <span class="n">max_length</span><span class="o">=</span><span class="mi">200</span><span class="p">)</span> <span class="n">priority</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="nc">Field</span><span class="p">(</span><span class="n">pattern</span><span class="o">=</span><span class="sh">"</span><span class="s">^(LOW|MEDIUM|HIGH)$</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Validation happens automatically </span><span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/tasks</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">create_task</span><span class="p">(</span><span class="n">task</span><span class="p">:</span> <span class="n">TaskCreate</span><span class="p">):</span> <span class="c1"># task is validated, type-safe </span> <span class="k">return</span> <span class="n">task</span> </code></pre> </div> <p>Reminded me of Bean Validation in Spring Boot, but more Pythonic.</p> <h3> Final Decision </h3> <p>✅ <strong>FastAPI</strong> for this project because:</p> <ul> <li>API-first design (perfect for backend learning)</li> <li>Modern Python features (async, type hints)</li> <li>Great documentation</li> <li>Growing ecosystem and job market demand</li> </ul> <h2> 🏗️ Designing Clean Architecture </h2> <p><strong>Challenge:</strong> How do you structure a FastAPI project for scale?</p> <h3> Coming from Spring Boot </h3> <p>In Spring Boot, I was used to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@RestController</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">TaskController</span> <span class="o">{</span> <span class="nd">@Autowired</span> <span class="kd">private</span> <span class="nc">TaskService</span> <span class="n">taskService</span><span class="o">;</span> <span class="nd">@GetMapping</span><span class="o">(</span><span class="s">"/tasks"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">Task</span><span class="o">&gt;</span> <span class="nf">getTasks</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="n">taskService</span><span class="o">.</span><span class="na">findAll</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Clear separation: Controller → Service → Repository → Entity</p> <p><strong>Could I apply the same pattern in FastAPI?</strong></p> <h3> The Architecture I Designed </h3> <p>After researching production FastAPI projects, I landed on this structure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>task_management_api/ ├── app/ │ ├── models/ # SQLAlchemy models (like @Entity) │ ├── schemas/ # Pydantic schemas (DTOs) │ ├── repositories/ # Data access layer │ ├── services/ # Business logic │ ├── api/ # Route handlers │ │ └── v1/ # API versioning │ ├── core/ # Security, config │ └── main.py # App initialization ├── tests/ ├── alembic/ # Database migrations └── requirements.txt </code></pre> </div> <p><strong>Why this structure?</strong></p> <ol> <li> <p><strong>Separation of Concerns</strong></p> <ul> <li>Routes handle HTTP</li> <li>Services contain business logic</li> <li>Repositories handle database</li> </ul> </li> <li> <p><strong>Testability</strong></p> <ul> <li>Each layer can be tested independently</li> <li>Mock repositories in service tests</li> <li>Mock services in route tests</li> </ul> </li> <li> <p><strong>Scalability</strong></p> <ul> <li>Easy to add new features</li> <li>Clear place for everything</li> <li>Team can work on different layers</li> </ul> </li> </ol> <h3> Layer-by-Layer Breakdown </h3> <p><strong>📁 Models (app/models/)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># SQLAlchemy ORM models (database tables) </span><span class="k">class</span> <span class="nc">Task</span><span class="p">(</span><span class="n">Base</span><span class="p">):</span> <span class="n">__tablename__</span> <span class="o">=</span> <span class="sh">"</span><span class="s">tasks</span><span class="sh">"</span> <span class="nb">id</span> <span class="o">=</span> <span class="nc">Column</span><span class="p">(</span><span class="n">UUID</span><span class="p">,</span> <span class="n">primary_key</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">title</span> <span class="o">=</span> <span class="nc">Column</span><span class="p">(</span><span class="nc">String</span><span class="p">(</span><span class="mi">200</span><span class="p">),</span> <span class="n">nullable</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="n">user_id</span> <span class="o">=</span> <span class="nc">Column</span><span class="p">(</span><span class="n">UUID</span><span class="p">,</span> <span class="nc">ForeignKey</span><span class="p">(</span><span class="sh">"</span><span class="s">users.id</span><span class="sh">"</span><span class="p">))</span> </code></pre> </div> <p>Like Spring's <code>@Entity</code> classes.</p> <p><strong>📁 Schemas (app/schemas/)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Pydantic models (request/response validation) </span><span class="k">class</span> <span class="nc">TaskCreate</span><span class="p">(</span><span class="n">BaseModel</span><span class="p">):</span> <span class="n">title</span><span class="p">:</span> <span class="nb">str</span> <span class="n">priority</span><span class="p">:</span> <span class="n">TaskPriority</span> <span class="k">class</span> <span class="nc">TaskResponse</span><span class="p">(</span><span class="n">BaseModel</span><span class="p">):</span> <span class="nb">id</span><span class="p">:</span> <span class="n">UUID</span> <span class="n">title</span><span class="p">:</span> <span class="nb">str</span> <span class="n">created_at</span><span class="p">:</span> <span class="n">datetime</span> </code></pre> </div> <p>Like Spring's DTOs, but with automatic validation.</p> <p><strong>📁 Repositories (app/repositories/)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Data access layer </span><span class="k">class</span> <span class="nc">TaskRepository</span><span class="p">:</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_by_id</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">db</span><span class="p">:</span> <span class="n">AsyncSession</span><span class="p">,</span> <span class="n">task_id</span><span class="p">:</span> <span class="n">UUID</span><span class="p">):</span> <span class="n">result</span> <span class="o">=</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="nf">select</span><span class="p">(</span><span class="n">Task</span><span class="p">).</span><span class="nf">where</span><span class="p">(</span><span class="n">Task</span><span class="p">.</span><span class="nb">id</span> <span class="o">==</span> <span class="n">task_id</span><span class="p">)</span> <span class="p">)</span> <span class="k">return</span> <span class="n">result</span><span class="p">.</span><span class="nf">scalar_one_or_none</span><span class="p">()</span> </code></pre> </div> <p>Like Spring's <code>@Repository</code> classes.</p> <p><strong>📁 Services (app/services/)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Business logic </span><span class="k">class</span> <span class="nc">TaskService</span><span class="p">:</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">create_task</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">db</span><span class="p">:</span> <span class="n">AsyncSession</span><span class="p">,</span> <span class="n">task_data</span><span class="p">:</span> <span class="n">TaskCreate</span><span class="p">):</span> <span class="c1"># Validation logic </span> <span class="c1"># Business rules </span> <span class="n">task</span> <span class="o">=</span> <span class="k">await</span> <span class="n">task_repository</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span><span class="n">db</span><span class="p">,</span> <span class="n">task_data</span><span class="p">)</span> <span class="k">return</span> <span class="n">task</span> </code></pre> </div> <p>Like Spring's <code>@Service</code> classes.</p> <p><strong>📁 API Routes (app/api/v1/)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># HTTP handlers </span><span class="nd">@router.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/tasks</span><span class="sh">"</span><span class="p">,</span> <span class="n">response_model</span><span class="o">=</span><span class="n">TaskResponse</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">create_task</span><span class="p">(</span> <span class="n">task_in</span><span class="p">:</span> <span class="n">TaskCreate</span><span class="p">,</span> <span class="n">current_user</span><span class="p">:</span> <span class="n">User</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">get_current_user</span><span class="p">),</span> <span class="n">db</span><span class="p">:</span> <span class="n">AsyncSession</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">get_db</span><span class="p">)</span> <span class="p">):</span> <span class="k">return</span> <span class="k">await</span> <span class="n">task_service</span><span class="p">.</span><span class="nf">create_task</span><span class="p">(</span><span class="n">db</span><span class="p">,</span> <span class="n">task_in</span><span class="p">)</span> </code></pre> </div> <p>Like Spring's <code>@RestController</code> classes.</p> <h3> Architecture Diagram </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyrj6tdqprmcfdhtqnwok.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyrj6tdqprmcfdhtqnwok.png" alt="Architecture Diagram" width="800" height="1071"></a></p> <p><strong>Detailed Architecture Diagram:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────┐ │ Client Request │ └──────────────────────┬──────────────────────────────┘ │ ┌──────────────────────▼──────────────────────────────┐ │ API Layer (Routes) │ │ • Route handlers │ │ • Request validation (Pydantic) │ │ • Response serialization │ │ • Dependency injection │ └──────────────────────┬──────────────────────────────┘ │ ┌──────────────────────▼──────────────────────────────┐ │ Service Layer (Business Logic) │ │ • Business rules │ │ • Data transformation │ │ • Error handling │ │ • Transaction management │ └──────────────────────┬──────────────────────────────┘ │ ┌──────────────────────▼──────────────────────────────┐ │ Repository Layer (Data Access) │ │ • Database queries │ │ • ORM operations │ │ • Data mapping │ └──────────────────────┬──────────────────────────────┘ │ ┌──────────────────────▼──────────────────────────────┐ │ Database (PostgreSQL) │ │ • Tables: Users, Tasks, Categories │ │ • Relationships &amp; constraints │ └─────────────────────────────────────────────────────┘ </code></pre> </div> <p><strong>Benefits of this architecture:</strong><br> ✅ Clear separation of concerns<br> ✅ Easy to test each layer<br> ✅ Scales with team size<br> ✅ Familiar to developers from other frameworks</p> <h2> 🗄️ Database Schema Design </h2> <h3> Requirements Analysis </h3> <p>Before designing the schema, I listed what the API needed:</p> <p><strong>User Management:</strong></p> <ul> <li>Users can register and login</li> <li>Email verification</li> <li>Password reset functionality</li> </ul> <p><strong>Task Management:</strong></p> <ul> <li>Users create tasks</li> <li>Tasks have status (TODO, IN_PROGRESS, COMPLETED)</li> <li>Tasks have priority levels</li> <li>Optional due dates</li> <li>Tasks belong to users</li> </ul> <p><strong>Organization:</strong></p> <ul> <li>Users can create categories</li> <li>Tasks can be assigned to categories</li> <li>Categories have colors for UI</li> </ul> <h3> Entity-Relationship Design </h3> <p>After a few iterations, here's the final schema:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foa8u5izwdsxz4lc4n8k4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foa8u5izwdsxz4lc4n8k4.png" alt="Entity-Relationship Diagram" width="800" height="568"></a></p> <p><strong>Entity-Relationship Diagram:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌──────────────────────────────────────┐ │ USERS │ ├──────────────────────────────────────┤ │ 🔑 id (UUID, PK) │ │ 📧 email (UNIQUE, NOT NULL) │ │ 👤 username (UNIQUE, NOT NULL) │ │ 🔒 hashed_password (NOT NULL) │ │ ✅ is_active (BOOLEAN,DEFAULT TRUE) │ │ ✉️ is_verified(BOOLEAN,DEFAULT FALSE)│ │ 📝 full_name (TEXT, NULLABLE) │ │ 📅 created_at (TIMESTAMP) │ │ 📅 updated_at (TIMESTAMP) │ └──────────────┬───────────────────────┘ │ 1 │ │ N ┌──────────────▼───────────────────────┐ │ TASKS │ ├──────────────────────────────────────┤ │ 🔑 id (UUID, PK) │ │ 📝 title (VARCHAR(200), NOT NULL) │ │ 📄 description (TEXT, NULLABLE) │ │ 📊 status (ENUM, NOT NULL) │ │ └─ TODO, IN_PROGRESS, COMPLETED │ │ ⭐ priority (ENUM, NOT NULL) │ │ └─ LOW, MEDIUM, HIGH, URGENT │ │ 📆 due_date (TIMESTAMP, NULLABLE) │ │ 🔗 user_id (UUID, FK → users.id) │ │ 🏷️ category_id (UUID, FK→categories)│ │ 📅 created_at (TIMESTAMP) │ │ 📅 updated_at (TIMESTAMP) │ └──────────────┬───────────────────────┘ │ N │ │ 1 ┌──────────────▼───────────────────────┐ │ CATEGORIES │ ├──────────────────────────────────────┤ │ 🔑 id (UUID, PK) │ │ 🏷️ name (VARCHAR(50), NOT NULL) │ │ 🎨 color (VARCHAR(7),DEFAULT '#...')│ │ 🔗 user_id (UUID, FK → users.id) │ │ 📅 created_at (TIMESTAMP) │ │ 📅 updated_at (TIMESTAMP) │ │ │ │ UNIQUE CONSTRAINT (user_id, name) │ └───────────────────────────────────────┘ </code></pre> </div> <h3> Key Design Decisions </h3> <p><strong>1. UUID Primary Keys</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nb">id</span> <span class="o">=</span> <span class="nc">Column</span><span class="p">(</span><span class="nc">UUID</span><span class="p">(</span><span class="n">as_uuid</span><span class="o">=</span><span class="bp">True</span><span class="p">),</span> <span class="n">primary_key</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">default</span><span class="o">=</span><span class="n">uuid</span><span class="p">.</span><span class="n">uuid4</span><span class="p">)</span> </code></pre> </div> <p><strong>Why UUID over auto-increment integers?</strong><br> ✅ Better security (can't enumerate resources)<br> ✅ Globally unique (helpful for distributed systems)<br> ✅ Can generate client-side<br> ❌ Slightly larger storage footprint</p> <p><strong>Trade-off accepted:</strong> Security and flexibility &gt; minor storage increase</p> <p><strong>2. Enum Types for Status &amp; Priority</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">TaskStatus</span><span class="p">(</span><span class="nb">str</span><span class="p">,</span> <span class="n">Enum</span><span class="p">):</span> <span class="n">TODO</span> <span class="o">=</span> <span class="sh">"</span><span class="s">TODO</span><span class="sh">"</span> <span class="n">IN_PROGRESS</span> <span class="o">=</span> <span class="sh">"</span><span class="s">IN_PROGRESS</span><span class="sh">"</span> <span class="n">COMPLETED</span> <span class="o">=</span> <span class="sh">"</span><span class="s">COMPLETED</span><span class="sh">"</span> <span class="n">ARCHIVED</span> <span class="o">=</span> <span class="sh">"</span><span class="s">ARCHIVED</span><span class="sh">"</span> </code></pre> </div> <p><strong>Benefits:</strong></p> <ul> <li>Database-level constraint validation</li> <li>Type safety in Python code</li> <li>Clear API documentation</li> </ul> <p><strong>3. Soft Timestamps</strong></p> <p>Every table has:</p> <ul> <li> <code>created_at</code> - Automatically set on insert</li> <li> <code>updated_at</code> - Automatically updated on modification</li> </ul> <p><strong>Implementation:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">created_at</span> <span class="o">=</span> <span class="nc">Column</span><span class="p">(</span><span class="n">DateTime</span><span class="p">,</span> <span class="n">default</span><span class="o">=</span><span class="n">datetime</span><span class="p">.</span><span class="n">utcnow</span><span class="p">,</span> <span class="n">nullable</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="n">updated_at</span> <span class="o">=</span> <span class="nc">Column</span><span class="p">(</span><span class="n">DateTime</span><span class="p">,</span> <span class="n">default</span><span class="o">=</span><span class="n">datetime</span><span class="p">.</span><span class="n">utcnow</span><span class="p">,</span> <span class="n">onupdate</span><span class="o">=</span><span class="n">datetime</span><span class="p">.</span><span class="n">utcnow</span><span class="p">)</span> </code></pre> </div> <p><strong>4. Cascade Behaviors</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># If user is deleted, delete their tasks </span><span class="n">tasks</span> <span class="o">=</span> <span class="nf">relationship</span><span class="p">(</span><span class="sh">"</span><span class="s">Task</span><span class="sh">"</span><span class="p">,</span> <span class="n">back_populates</span><span class="o">=</span><span class="sh">"</span><span class="s">owner</span><span class="sh">"</span><span class="p">,</span> <span class="n">cascade</span><span class="o">=</span><span class="sh">"</span><span class="s">all, delete-orphan</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># If category is deleted, set task category_id to NULL </span><span class="n">category_id</span> <span class="o">=</span> <span class="nc">Column</span><span class="p">(</span><span class="n">UUID</span><span class="p">,</span> <span class="nc">ForeignKey</span><span class="p">(</span><span class="sh">"</span><span class="s">categories.id</span><span class="sh">"</span><span class="p">,</span> <span class="n">ondelete</span><span class="o">=</span><span class="sh">"</span><span class="s">SET NULL</span><span class="sh">"</span><span class="p">))</span> </code></pre> </div> <p><strong>Why?</strong> Data integrity while preserving user intent.</p> <h3> SQLAlchemy Model Example </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">sqlalchemy</span> <span class="kn">import</span> <span class="n">Column</span><span class="p">,</span> <span class="n">String</span><span class="p">,</span> <span class="n">Boolean</span><span class="p">,</span> <span class="n">ForeignKey</span> <span class="kn">from</span> <span class="n">sqlalchemy.dialects.postgresql</span> <span class="kn">import</span> <span class="n">UUID</span> <span class="kn">from</span> <span class="n">sqlalchemy.orm</span> <span class="kn">import</span> <span class="n">relationship</span> <span class="k">class</span> <span class="nc">User</span><span class="p">(</span><span class="n">Base</span><span class="p">):</span> <span class="n">__tablename__</span> <span class="o">=</span> <span class="sh">"</span><span class="s">users</span><span class="sh">"</span> <span class="nb">id</span> <span class="o">=</span> <span class="nc">Column</span><span class="p">(</span><span class="nc">UUID</span><span class="p">(</span><span class="n">as_uuid</span><span class="o">=</span><span class="bp">True</span><span class="p">),</span> <span class="n">primary_key</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">default</span><span class="o">=</span><span class="n">uuid</span><span class="p">.</span><span class="n">uuid4</span><span class="p">)</span> <span class="n">email</span> <span class="o">=</span> <span class="nc">Column</span><span class="p">(</span><span class="nc">String</span><span class="p">(</span><span class="mi">255</span><span class="p">),</span> <span class="n">unique</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">index</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">nullable</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="n">username</span> <span class="o">=</span> <span class="nc">Column</span><span class="p">(</span><span class="nc">String</span><span class="p">(</span><span class="mi">50</span><span class="p">),</span> <span class="n">unique</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">index</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">nullable</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="n">hashed_password</span> <span class="o">=</span> <span class="nc">Column</span><span class="p">(</span><span class="nc">String</span><span class="p">(</span><span class="mi">255</span><span class="p">),</span> <span class="n">nullable</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="n">is_active</span> <span class="o">=</span> <span class="nc">Column</span><span class="p">(</span><span class="n">Boolean</span><span class="p">,</span> <span class="n">default</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">nullable</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="n">is_verified</span> <span class="o">=</span> <span class="nc">Column</span><span class="p">(</span><span class="n">Boolean</span><span class="p">,</span> <span class="n">default</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="n">nullable</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="n">full_name</span> <span class="o">=</span> <span class="nc">Column</span><span class="p">(</span><span class="nc">String</span><span class="p">(</span><span class="mi">100</span><span class="p">),</span> <span class="n">nullable</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="c1"># Timestamps </span> <span class="n">created_at</span> <span class="o">=</span> <span class="nc">Column</span><span class="p">(</span><span class="n">DateTime</span><span class="p">,</span> <span class="n">default</span><span class="o">=</span><span class="n">datetime</span><span class="p">.</span><span class="n">utcnow</span><span class="p">,</span> <span class="n">nullable</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="n">updated_at</span> <span class="o">=</span> <span class="nc">Column</span><span class="p">(</span><span class="n">DateTime</span><span class="p">,</span> <span class="n">default</span><span class="o">=</span><span class="n">datetime</span><span class="p">.</span><span class="n">utcnow</span><span class="p">,</span> <span class="n">onupdate</span><span class="o">=</span><span class="n">datetime</span><span class="p">.</span><span class="n">utcnow</span><span class="p">)</span> <span class="c1"># Relationships </span> <span class="n">tasks</span> <span class="o">=</span> <span class="nf">relationship</span><span class="p">(</span><span class="sh">"</span><span class="s">Task</span><span class="sh">"</span><span class="p">,</span> <span class="n">back_populates</span><span class="o">=</span><span class="sh">"</span><span class="s">owner</span><span class="sh">"</span><span class="p">,</span> <span class="n">cascade</span><span class="o">=</span><span class="sh">"</span><span class="s">all, delete-orphan</span><span class="sh">"</span><span class="p">)</span> <span class="n">categories</span> <span class="o">=</span> <span class="nf">relationship</span><span class="p">(</span><span class="sh">"</span><span class="s">Category</span><span class="sh">"</span><span class="p">,</span> <span class="n">back_populates</span><span class="o">=</span><span class="sh">"</span><span class="s">owner</span><span class="sh">"</span><span class="p">,</span> <span class="n">cascade</span><span class="o">=</span><span class="sh">"</span><span class="s">all, delete-orphan</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>Clean, readable, type-safe.</p> <h2> 🛠️ Complete Tech Stack &amp; Justification </h2> <h3> Final Stack </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>Technology</th> <th>Why?</th> </tr> </thead> <tbody> <tr> <td><strong>Framework</strong></td> <td>FastAPI</td> <td>Async-first, auto docs, Pydantic</td> </tr> <tr> <td><strong>Language</strong></td> <td>Python 3.11</td> <td>Latest stable, performance improvements</td> </tr> <tr> <td><strong>Database</strong></td> <td>PostgreSQL 16</td> <td>Advanced features, JSON support</td> </tr> <tr> <td><strong>ORM</strong></td> <td>SQLAlchemy 2.0</td> <td>Async support, mature ecosystem</td> </tr> <tr> <td><strong>Migrations</strong></td> <td>Alembic</td> <td>Industry standard for SQLAlchemy</td> </tr> <tr> <td><strong>Auth</strong></td> <td>JWT (python-jose)</td> <td>Stateless, scalable</td> </tr> <tr> <td><strong>Validation</strong></td> <td>Pydantic v2</td> <td>Built into FastAPI</td> </tr> <tr> <td><strong>Container</strong></td> <td>Docker</td> <td>Consistent environments</td> </tr> <tr> <td><strong>Server</strong></td> <td>Uvicorn</td> <td>ASGI server optimized for FastAPI</td> </tr> <tr> <td><strong>DB Hosting</strong></td> <td>Neon (Serverless PostgreSQL)</td> <td>Free tier, excellent for learning</td> </tr> <tr> <td><strong>App Hosting</strong></td> <td>Render</td> <td>Free tier, easy deployment</td> </tr> </tbody> </table></div> <h3> Decision Process for Each </h3> <p><strong>PostgreSQL vs MySQL vs MongoDB</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Criteria</th> <th>PostgreSQL</th> <th>MySQL</th> <th>MongoDB</th> </tr> </thead> <tbody> <tr> <td>JSON Support</td> <td>✅ Excellent (JSONB)</td> <td>🟡 Basic</td> <td>✅ Native</td> </tr> <tr> <td>Transactions</td> <td>✅ Full ACID</td> <td>✅ Full ACID</td> <td>🟡 Limited</td> </tr> <tr> <td>Advanced Features</td> <td>✅ Rich</td> <td>🟡 Good</td> <td>❌ Different paradigm</td> </tr> <tr> <td>Free Hosting</td> <td>✅ Neon, Supabase</td> <td>✅ PlanetScale</td> <td>✅ Atlas</td> </tr> </tbody> </table></div> <p><strong>Winner: PostgreSQL</strong></p> <ul> <li>Better for structured data (tasks, users)</li> <li>JSONB for future flexibility</li> <li>Excellent free tier options</li> </ul> <p><strong>SQLAlchemy vs Raw SQL vs other ORMs</strong></p> <p><strong>SQLAlchemy 2.0 won because:</strong></p> <ul> <li>Native async support</li> <li>Type hints and IDE autocomplete</li> <li>Migration management (Alembic)</li> <li>Mature, battle-tested</li> </ul> <p><strong>The learning curve</strong> was worth it for long-term maintainability.</p> <p><strong>Docker: Day 1 Decision</strong></p> <p>Why containerize from the start?<br> ✅ Consistent dev/prod environments<br> ✅ Easy onboarding for collaborators<br> ✅ Deployment simplicity<br> ✅ Learning industry standard practice</p> <p><strong>No regrets on this decision.</strong></p> <h3> Decision Matrix Template </h3> <p>For each technology choice, I asked:</p> <ol> <li> <strong>Does it solve my problem?</strong> (must-have features)</li> <li> <strong>Is it actively maintained?</strong> (community, updates)</li> <li> <strong>Can I learn it reasonably?</strong> (documentation, resources)</li> <li> <strong>Does it scale?</strong> (production-ready)</li> <li> <strong>Is it resume-worthy?</strong> (job market demand)</li> </ol> <p>This framework helped avoid analysis paralysis.</p> <h2> 📚 Resources That Helped Me </h2> <h3> Official Documentation </h3> <p><strong>1. FastAPI Docs</strong></p> <ul> <li>Link: <a href="https://fastapi.tiangolo.com/" rel="noopener noreferrer">https://fastapi.tiangolo.com/</a> </li> <li>⭐⭐⭐⭐⭐ (Exceptional quality)</li> <li>Start here. Seriously. Best framework docs I've seen.</li> </ul> <p><strong>2. SQLAlchemy 2.0 Docs</strong></p> <ul> <li>Link: <a href="https://docs.sqlalchemy.org/" rel="noopener noreferrer">https://docs.sqlalchemy.org/</a> </li> <li>⭐⭐⭐⭐ (Comprehensive but dense)</li> <li>The async section took multiple readings to understand</li> </ul> <p><strong>3. Pydantic Docs</strong></p> <ul> <li>Link: <a href="https://docs.pydantic.dev/" rel="noopener noreferrer">https://docs.pydantic.dev/</a> </li> <li>⭐⭐⭐⭐⭐ (Clear examples)</li> <li>Great migration guide from v1 to v2</li> </ul> <h3> Video Courses / Tutorials </h3> <p><strong>1. FastAPI - The Complete Course (YouTube)</strong></p> <ul> <li>Covers basics to advanced patterns</li> <li>Helped visualize concepts</li> </ul> <p><strong>2. SQLAlchemy 2.0 Tutorial (Official)</strong></p> <ul> <li>Essential for understanding async patterns</li> </ul> <h3> Tools I Used Daily </h3> <p><strong>Development:</strong></p> <ul> <li> <strong>VS Code</strong> + Python extension</li> <li> <strong>Postman</strong> for API testing</li> <li> <strong>pgAdmin</strong> for database management</li> </ul> <p><strong>Design:</strong></p> <ul> <li> <strong>dbdiagram.io</strong> - Database schema design</li> <li> <strong>Excalidraw</strong> - Architecture diagrams</li> <li> <strong>Markdown editors</strong> - Documentation</li> </ul> <p><strong>Learning:</strong></p> <ul> <li> <strong>ChatGPT / Claude</strong> - Explaining complex concepts <ul> <li>"Explain SQLAlchemy async sessions like I'm coming from Spring Boot"</li> <li>"What's the Python equivalent of @Autowired dependency injection?"</li> </ul> </li> <li> <strong>GitHub</strong> - Studying production FastAPI projects <ul> <li>fastapi/full-stack-fastapi-postgresql (official template)</li> <li>tiangolo's examples</li> </ul> </li> </ul> <h3> Learning Strategy </h3> <p><strong>What worked:</strong><br> ✅ Read docs first, code second<br> ✅ Study production codebases<br> ✅ Use AI for concept clarification (not copy-paste)<br> ✅ Build incrementally, test often</p> <p><strong>What didn't work:</strong><br> ❌ Jumping straight to coding without planning<br> ❌ Following outdated tutorials (SQLAlchemy 1.x vs 2.0)<br> ❌ Trying to learn everything at once</p> <h2> 🚧 Real Challenges I Faced </h2> <h3> Challenge 1: Environment Setup </h3> <p><strong>The Problem:</strong></p> <p>Setting up Python, PostgreSQL, virtual environments, and managing dependencies was more complex than expected.</p> <p><strong>What went wrong:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># This shouldn't have taken 2 hours, but it did</span> pip <span class="nb">install </span>asyncpg <span class="c"># Error: pg_config not found</span> </code></pre> </div> <p><strong>The Solution:</strong></p> <p>Documented every step for reproducibility:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. Python 3.11 installation</span> <span class="c"># 2. Virtual environment</span> python <span class="nt">-m</span> venv venv <span class="nb">source </span>venv/bin/activate <span class="c"># or .\venv\Scripts\activate on Windows</span> <span class="c"># 3. PostgreSQL installation</span> brew <span class="nb">install </span>postgresql@16 <span class="c"># macOS</span> <span class="c"># Or use Neon for cloud PostgreSQL (easier)</span> <span class="c"># 4. Dependencies</span> pip <span class="nb">install</span> <span class="nt">-r</span> requirements.txt </code></pre> </div> <p><strong>Lesson learned:</strong> Good documentation saves hours of debugging later.</p> <h3> Challenge 2: Async/Await Debugging </h3> <p><strong>The Problem:</strong></p> <p>Spent 4 hours debugging this error:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>RuntimeError: Task &lt;Task pending&gt; attached to a different loop </code></pre> </div> <p><strong>What went wrong:</strong></p> <p>Mixed synchronous and asynchronous session calls:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># WRONG - mixing sync and async </span><span class="k">def</span> <span class="nf">create_task</span><span class="p">(</span><span class="n">db</span><span class="p">:</span> <span class="n">Session</span><span class="p">,</span> <span class="n">task_data</span><span class="p">):</span> <span class="c1"># Sync session </span> <span class="n">result</span> <span class="o">=</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="nf">execute</span><span class="p">(...)</span> <span class="c1"># Async call </span></code></pre> </div> <p><strong>The Solution:</strong></p> <p>Consistency is key:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># CORRECT - all async </span><span class="k">async</span> <span class="k">def</span> <span class="nf">create_task</span><span class="p">(</span><span class="n">db</span><span class="p">:</span> <span class="n">AsyncSession</span><span class="p">,</span> <span class="n">task_data</span><span class="p">):</span> <span class="n">result</span> <span class="o">=</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="nf">select</span><span class="p">(</span><span class="n">Task</span><span class="p">))</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> </code></pre> </div> <p><strong>How AI helped:</strong><br> I asked Claude: "Why am I getting 'attached to a different loop' error in SQLAlchemy async?"</p> <p>Got a clear explanation and code examples that saved me hours.</p> <p><strong>Lesson learned:</strong> Async is all-or-nothing. Mix carefully.</p> <h3> Challenge 3: SQLAlchemy 2.0 Documentation Overwhelm </h3> <p><strong>The Problem:</strong></p> <p>SQLAlchemy docs are comprehensive but overwhelming for beginners.</p> <p>The async section felt like reading a PhD thesis.</p> <p><strong>What helped:</strong></p> <ol> <li> <p><strong>Used AI as a tutor</strong></p> <ul> <li>"Explain SQLAlchemy AsyncSession vs Session"</li> <li>"Show me a complete example of async CRUD operations"</li> </ul> </li> <li> <p><strong>Studied working examples</strong></p> <ul> <li>Found production codebases on GitHub</li> <li>Copied patterns, then understood them</li> </ul> </li> <li><p><strong>Started simple</strong><br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="c1"># Simple async query - master this first </span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_user</span><span class="p">(</span><span class="n">db</span><span class="p">:</span> <span class="n">AsyncSession</span><span class="p">,</span> <span class="n">user_id</span><span class="p">:</span> <span class="n">UUID</span><span class="p">):</span> <span class="n">result</span> <span class="o">=</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="nf">select</span><span class="p">(</span><span class="n">User</span><span class="p">).</span><span class="nf">where</span><span class="p">(</span><span class="n">User</span><span class="p">.</span><span class="nb">id</span> <span class="o">==</span> <span class="n">user_id</span><span class="p">)</span> <span class="p">)</span> <span class="k">return</span> <span class="n">result</span><span class="p">.</span><span class="nf">scalar_one_or_none</span><span class="p">()</span> </code></pre> </div> <p>Then built complexity gradually.</p> <p><strong>Lesson learned:</strong> Don't try to understand everything. Master the basics, build on them.</p> <h3> Challenge 4: JWT Token Security </h3> <p><strong>The Problem:</strong></p> <p>Confused about where to store JWT tokens:</p> <ul> <li>localStorage? (XSS vulnerable)</li> <li>Cookies? (CSRF vulnerable)</li> <li>Memory only? (lost on refresh)</li> </ul> <p><strong>The Solution:</strong></p> <p>Researched trade-offs:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Storage</th> <th>Pros</th> <th>Cons</th> </tr> </thead> <tbody> <tr> <td>localStorage</td> <td>Simple, survives refresh</td> <td>XSS vulnerable</td> </tr> <tr> <td>httpOnly Cookie</td> <td>XSS safe</td> <td>Needs CSRF protection</td> </tr> <tr> <td>Memory only</td> <td>Most secure</td> <td>Lost on refresh</td> </tr> </tbody> </table></div> <p><strong>My choice:</strong> httpOnly cookies + CSRF tokens</p> <p>But for this learning project: Documented the trade-offs, implemented localStorage (simpler frontend), added strong CSP headers.</p> <p><strong>Lesson learned:</strong> Perfect security doesn't exist. Understand trade-offs, document decisions.</p> <h3> What I'd Do Differently </h3> <p>If I started over:</p> <ol> <li>✅ Plan architecture BEFORE writing code</li> <li>✅ Set up Docker from Day 1 (not Day 5)</li> <li>✅ Write tests alongside features (not after)</li> <li>✅ Study one production codebase deeply</li> <li>✅ Ask for help sooner (AI, communities, docs)</li> </ol> <p><strong>Real talk:</strong> Every "mistake" taught me something. The frustration was part of learning.</p> <h2> ✅ Phase 1 Results </h2> <p>After this planning phase, I had:</p> <p><strong>Documentation:</strong><br> ✅ Database schema designed and documented<br> ✅ Architecture patterns decided<br> ✅ Technology stack finalized<br> ✅ Project structure defined</p> <p><strong>Technical Foundation:</strong><br> ✅ Docker environment configured<br> ✅ PostgreSQL database set up<br> ✅ SQLAlchemy models defined<br> ✅ Alembic migrations initialized<br> ✅ Project structure created</p> <p><strong>Learning Outcomes:</strong><br> ✅ Deep understanding of FastAPI vs other frameworks<br> ✅ SQLAlchemy 2.0 async patterns<br> ✅ Clean architecture principles in Python<br> ✅ Production-ready project organization</p> <p><strong>Time invested:</strong> A few days of focused learning and planning</p> <p><strong>Was it worth it?</strong></p> <p>Absolutely. This foundation made Phase 2 (development) much smoother.</p> <p>The hours spent planning saved days of refactoring later.</p> <h2> 🚀 What's Next: Phase 2 </h2> <p><strong>Coming in Part 2:</strong></p> <p>⏳ JWT Authentication Implementation</p> <ul> <li>Access + refresh token flow</li> <li>Password hashing with bcrypt</li> <li>Token validation middleware</li> </ul> <p>⏳ Repository Pattern in Practice</p> <ul> <li>Generic CRUD operations</li> <li>User-specific queries</li> <li>Transaction management</li> </ul> <p>⏳ Service Layer Development</p> <ul> <li>Business logic separation</li> <li>Error handling strategies</li> <li>Dependency injection</li> </ul> <p>⏳ Real Development Challenges</p> <ul> <li>Bugs I encountered</li> <li>Performance optimizations</li> <li>Testing strategies</li> </ul> <p><strong>Follow me</strong> to get notified when Part 2 drops!</p> <h2> 📝 Complete Code &amp; Resources </h2> <p><strong>GitHub Repository:</strong></p> <ul> <li>🔗 <a href="https://github.com/ravigupta97/task_management_api" rel="noopener noreferrer">https://github.com/ravigupta97/task_management_api</a> </li> <li>Fully documented code</li> <li>Clean commit history</li> <li>Setup instructions</li> </ul> <p><strong>Additional Resources:</strong></p> <ul> <li>Architecture diagrams (in this article)</li> <li>Database schema (ER diagram above)</li> <li>Technology decision matrix</li> <li>Learning resources list</li> </ul> <p><strong>Have questions?</strong> Drop them in the comments below!</p> <h2> 🙏 Acknowledgments </h2> <p><strong>Resources that helped:</strong></p> <ul> <li>FastAPI documentation (exceptional quality)</li> <li>SQLAlchemy docs (comprehensive)</li> <li>AI tools (ChatGPT, Claude) for concept clarification</li> <li>FastAPI community on Discord</li> </ul> <p><strong>Special thanks to:</strong></p> <ul> <li>Anyone reading this and learning alongside me</li> <li>The open-source community making these tools free</li> </ul> <h2> 💬 Discussion </h2> <p><strong>Questions for you:</strong></p> <ol> <li>Are you considering FastAPI for your next project?</li> <li>What's your biggest challenge with async Python?</li> <li>Any architectural patterns you'd recommend?</li> </ol> <p>Let's learn together - comment below! 👇</p> <p><em>This is Part 1 of 3 in my FastAPI journey. Follow for:</em></p> <ul> <li><em>Part 2: Development &amp; Implementation</em></li> <li><em>Part 3: Testing, Deployment &amp; Results</em></li> </ul> <p><em>Find me on:</em></p> <ul> <li><em>LinkedIn: [<a href="https://www.linkedin.com/in/ravigupta97/" rel="noopener noreferrer">https://www.linkedin.com/in/ravigupta97/</a>]</em></li> <li><em>GitHub: [<a href="https://github.com/ravigupta97" rel="noopener noreferrer">https://github.com/ravigupta97</a>]</em></li> </ul> <p><strong>#FastAPI #Python #Backend #WebDevelopment #Learning #API #SoftwareEngineering</strong></p> fastapi python backend api