DEV Community: Rohan The latest articles on DEV Community by Rohan (@rohanshiva). https://dev.to/rohanshiva https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F613210%2F5534b8cb-5eb9-4ac0-b3a3-e477744a177f.png DEV Community: Rohan https://dev.to/rohanshiva en Get started with FastAPI JWT authentication – Part 2 Rohan Thu, 22 Apr 2021 14:52:59 +0000 https://dev.to/deta/get-started-with-fastapi-jwt-authentication-part-2-18ok https://dev.to/deta/get-started-with-fastapi-jwt-authentication-part-2-18ok <p>This is the second of a <a href="https://dev.to/deta/deta-fastapi-jwt-auth-part-1-4c82">two part</a> series on implementing authorization in a FastAPI application using Deta. In the previous article, we learned a bit about JWT, set up the project, and finished the building blocks of authorization logic. In this article, let's implement the logic, and deploy our app on Deta micros! <a href="https://github.com/rohanshiva/Deta-FastAPI-JWT-Auth-Blog">The full code is available here.</a> </p> <h2> Implementing the auth logic </h2> <p>Before we implement the auth logic, let's create a data model for login and signup details. </p> <p>In <code>user_model.py</code> :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="nn">pydantic</span> <span class="kn">import</span> <span class="n">BaseModel</span> <span class="k">class</span> <span class="nc">AuthModel</span><span class="p">(</span><span class="n">BaseModel</span><span class="p">):</span> <span class="n">username</span><span class="p">:</span> <span class="nb">str</span> <span class="n">password</span><span class="p">:</span> <span class="nb">str</span> </code></pre> </div> <p>This model represents the data that we can expect from the client when they hit <code>/login</code> or <code>/signup</code> endpoints.</p> <p>Update the <code>main.py</code> , with the following import statements<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="nn">auth</span> <span class="kn">import</span> <span class="n">Auth</span> <span class="kn">from</span> <span class="nn">user_model</span> <span class="kn">import</span> <span class="n">AuthModel</span> <span class="kn">from</span> <span class="nn">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">HTTPException</span><span class="p">,</span> <span class="n">Security</span> <span class="kn">from</span> <span class="nn">fastapi.security</span> <span class="kn">import</span> <span class="n">HTTPAuthorizationCredentials</span><span class="p">,</span> <span class="n">HTTPBearer</span> </code></pre> </div> <p>Also, we will create an <code>auth_handler</code> to access the logic from the <code>Auth</code> class. We will use <code>security</code> in our protected endpoints to access the token from the request header.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">security</span> <span class="o">=</span> <span class="n">HTTPBearer</span><span class="p">()</span> <span class="n">auth_handler</span> <span class="o">=</span> <span class="n">Auth</span><span class="p">()</span> </code></pre> </div> <p>Here is the code for <code>/signup</code> endpoint.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="o">@</span><span class="n">app</span><span class="p">.</span><span class="n">post</span><span class="p">(</span><span class="s">'/signup'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">signup</span><span class="p">(</span><span class="n">user_details</span><span class="p">:</span> <span class="n">AuthModel</span><span class="p">):</span> <span class="k">if</span> <span class="n">users_db</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="n">user_details</span><span class="p">.</span><span class="n">username</span><span class="p">)</span> <span class="o">!=</span> <span class="bp">None</span><span class="p">:</span> <span class="k">return</span> <span class="s">'Account already exists'</span> <span class="k">try</span><span class="p">:</span> <span class="n">hashed_password</span> <span class="o">=</span> <span class="n">auth_handler</span><span class="p">.</span><span class="n">encode_password</span><span class="p">(</span><span class="n">user_details</span><span class="p">.</span><span class="n">password</span><span class="p">)</span> <span class="n">user</span> <span class="o">=</span> <span class="p">{</span><span class="s">'key'</span><span class="p">:</span> <span class="n">user_details</span><span class="p">.</span><span class="n">username</span><span class="p">,</span> <span class="s">'password'</span><span class="p">:</span> <span class="n">hashed_password</span><span class="p">}</span> <span class="k">return</span> <span class="n">users_db</span><span class="p">.</span><span class="n">put</span><span class="p">(</span><span class="n">user</span><span class="p">)</span> <span class="k">except</span><span class="p">:</span> <span class="n">error_msg</span> <span class="o">=</span> <span class="s">'Failed to signup user'</span> <span class="k">return</span> <span class="n">error_msg</span> </code></pre> </div> <p>In this function we are checking if a user with the username already exists in our <code>users_db</code>. If so, we can simply return a message indicating that the account already exists. If the user doesn't already exists we can hash the password using the <code>encode_password</code> function from <code>auth.py</code> and store the user in <code>users_db</code>. In case of any errors while adding the user to the base, we can return a failure message. </p> <p><code>/login</code> endpoint is pretty simple. This also takes in the argument <code>user_details</code> , which has the username and password.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="o">@</span><span class="n">app</span><span class="p">.</span><span class="n">post</span><span class="p">(</span><span class="s">'/login'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">login</span><span class="p">(</span><span class="n">user_details</span><span class="p">:</span> <span class="n">AuthModel</span><span class="p">):</span> <span class="n">user</span> <span class="o">=</span> <span class="n">users_db</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="n">user_details</span><span class="p">.</span><span class="n">username</span><span class="p">)</span> <span class="k">if</span> <span class="p">(</span><span class="n">user</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">):</span> <span class="k">return</span> <span class="n">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="s">'Invalid username'</span><span class="p">)</span> <span class="k">if</span> <span class="p">(</span><span class="ow">not</span> <span class="n">auth_handler</span><span class="p">.</span><span class="n">verify_password</span><span class="p">(</span><span class="n">user_details</span><span class="p">.</span><span class="n">password</span><span class="p">,</span> <span class="n">user</span><span class="p">[</span><span class="s">'password'</span><span class="p">])):</span> <span class="k">return</span> <span class="n">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="s">'Invalid password'</span><span class="p">)</span> <span class="n">access_token</span> <span class="o">=</span> <span class="n">auth_handler</span><span class="p">.</span><span class="n">encode_token</span><span class="p">(</span><span class="n">user</span><span class="p">[</span><span class="s">'key'</span><span class="p">])</span> <span class="n">refresh_token</span> <span class="o">=</span> <span class="n">auth_handler</span><span class="p">.</span><span class="n">encode_refresh_token</span><span class="p">(</span><span class="n">user</span><span class="p">[</span><span class="s">'key'</span><span class="p">])</span> <span class="k">return</span> <span class="p">{</span><span class="s">'access_token'</span><span class="p">:</span> <span class="n">access_token</span><span class="p">,</span> <span class="s">'refresh_token'</span><span class="p">:</span> <span class="n">refresh_token</span><span class="p">}</span> </code></pre> </div> <p>If the account with the username doesn't exist, or if the hashed password in the <code>users_db</code> doesn't match the input password we can simply raise an <code>HTTPException</code>. Otherwise, we can return <code>access_token</code> and <code>refresh_token</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="o">@</span><span class="n">app</span><span class="p">.</span><span class="n">post</span><span class="p">(</span><span class="s">'/secret'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">secret_data</span><span class="p">(</span><span class="n">credentials</span><span class="p">:</span> <span class="n">HTTPAuthorizationCredentials</span> <span class="o">=</span> <span class="n">Security</span><span class="p">(</span><span class="n">security</span><span class="p">)):</span> <span class="n">token</span> <span class="o">=</span> <span class="n">credentials</span><span class="p">.</span><span class="n">credentials</span> <span class="k">if</span><span class="p">(</span><span class="n">auth_handler</span><span class="p">.</span><span class="n">decode_token</span><span class="p">(</span><span class="n">token</span><span class="p">)):</span> <span class="k">return</span> <span class="s">'Top Secret data only authorized users can access this info'</span> <span class="o">@</span><span class="n">app</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="s">'/notsecret'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">not_secret_data</span><span class="p">():</span> <span class="k">return</span> <span class="s">'Not secret data'</span> </code></pre> </div> <p>The <code>/secret</code> endpoint only returns the "Secret Data" if the token argument is valid. However, if the token is invalid or an expired token, then <code>decode_token</code> raises a <code>HTTPException</code>. The token is usually passed in the request header as <code>Authorization: Bearer &lt;token&gt;</code>. Therefore, to get the token we can wrap the input <code>credentials</code> around <code>HTTPAuthorizationCredentials</code> tag. Now we can access the token from the request header in <code>credentials.credentials</code>. </p> <p>The <code>/not_secret</code> endpoint is an example of an unprotected endpoint, which doesn't require any authentication.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="o">@</span><span class="n">app</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="s">'/refresh_token'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">refresh_token</span><span class="p">(</span><span class="n">credentials</span><span class="p">:</span> <span class="n">HTTPAuthorizationCredentials</span> <span class="o">=</span> <span class="n">Security</span><span class="p">(</span><span class="n">security</span><span class="p">)):</span> <span class="n">refresh_token</span> <span class="o">=</span> <span class="n">credentials</span><span class="p">.</span><span class="n">credentials</span> <span class="n">new_token</span> <span class="o">=</span> <span class="n">auth_handler</span><span class="p">.</span><span class="n">refresh_token</span><span class="p">(</span><span class="n">refresh_token</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="s">'access_token'</span><span class="p">:</span> <span class="n">new_token</span><span class="p">}</span> </code></pre> </div> <p><code>/refresh_token</code> endpoint is also pretty simple, it receives a refresh token which is then passed onto the the function from auth logic to get a new token. </p> <p>Here is a look at <code>main.py</code> at the end:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="nn">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">HTTPException</span><span class="p">,</span> <span class="n">Security</span> <span class="kn">from</span> <span class="nn">fastapi.security</span> <span class="kn">import</span> <span class="n">HTTPAuthorizationCredentials</span><span class="p">,</span> <span class="n">HTTPBearer</span> <span class="kn">from</span> <span class="nn">auth</span> <span class="kn">import</span> <span class="n">Auth</span> <span class="kn">from</span> <span class="nn">deta</span> <span class="kn">import</span> <span class="n">Deta</span> <span class="kn">from</span> <span class="nn">user_model</span> <span class="kn">import</span> <span class="n">AuthModel</span> <span class="n">deta</span> <span class="o">=</span> <span class="n">Deta</span><span class="p">()</span> <span class="n">users_db</span> <span class="o">=</span> <span class="n">deta</span><span class="p">.</span><span class="n">Base</span><span class="p">(</span><span class="s">'users'</span><span class="p">)</span> <span class="n">app</span> <span class="o">=</span> <span class="n">FastAPI</span><span class="p">()</span> <span class="n">security</span> <span class="o">=</span> <span class="n">HTTPBearer</span><span class="p">()</span> <span class="n">auth_handler</span> <span class="o">=</span> <span class="n">Auth</span><span class="p">()</span> <span class="o">@</span><span class="n">app</span><span class="p">.</span><span class="n">post</span><span class="p">(</span><span class="s">'/signup'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">signup</span><span class="p">(</span><span class="n">user_details</span><span class="p">:</span> <span class="n">AuthModel</span><span class="p">):</span> <span class="k">if</span> <span class="n">users_db</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="n">user_details</span><span class="p">.</span><span class="n">username</span><span class="p">)</span> <span class="o">!=</span> <span class="bp">None</span><span class="p">:</span> <span class="k">return</span> <span class="s">'Account already exists'</span> <span class="k">try</span><span class="p">:</span> <span class="n">hashed_password</span> <span class="o">=</span> <span class="n">auth_handler</span><span class="p">.</span><span class="n">encode_password</span><span class="p">(</span><span class="n">user_details</span><span class="p">.</span><span class="n">password</span><span class="p">)</span> <span class="n">user</span> <span class="o">=</span> <span class="p">{</span><span class="s">'key'</span><span class="p">:</span> <span class="n">user_details</span><span class="p">.</span><span class="n">username</span><span class="p">,</span> <span class="s">'password'</span><span class="p">:</span> <span class="n">hashed_password</span><span class="p">}</span> <span class="k">return</span> <span class="n">users_db</span><span class="p">.</span><span class="n">put</span><span class="p">(</span><span class="n">user</span><span class="p">)</span> <span class="k">except</span><span class="p">:</span> <span class="n">error_msg</span> <span class="o">=</span> <span class="s">'Failed to signup user'</span> <span class="k">return</span> <span class="n">error_msg</span> <span class="o">@</span><span class="n">app</span><span class="p">.</span><span class="n">post</span><span class="p">(</span><span class="s">'/login'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">login</span><span class="p">(</span><span class="n">user_details</span><span class="p">:</span> <span class="n">AuthModel</span><span class="p">):</span> <span class="n">user</span> <span class="o">=</span> <span class="n">users_db</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="n">user_details</span><span class="p">.</span><span class="n">username</span><span class="p">)</span> <span class="k">if</span> <span class="p">(</span><span class="n">user</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">):</span> <span class="k">return</span> <span class="n">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="s">'Invalid username'</span><span class="p">)</span> <span class="k">if</span> <span class="p">(</span><span class="ow">not</span> <span class="n">auth_handler</span><span class="p">.</span><span class="n">verify_password</span><span class="p">(</span><span class="n">user_details</span><span class="p">.</span><span class="n">password</span><span class="p">,</span> <span class="n">user</span><span class="p">[</span><span class="s">'password'</span><span class="p">])):</span> <span class="k">return</span> <span class="n">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="s">'Invalid password'</span><span class="p">)</span> <span class="n">access_token</span> <span class="o">=</span> <span class="n">auth_handler</span><span class="p">.</span><span class="n">encode_token</span><span class="p">(</span><span class="n">user</span><span class="p">[</span><span class="s">'key'</span><span class="p">])</span> <span class="n">refresh_token</span> <span class="o">=</span> <span class="n">auth_handler</span><span class="p">.</span><span class="n">encode_refresh_token</span><span class="p">(</span><span class="n">user</span><span class="p">[</span><span class="s">'key'</span><span class="p">])</span> <span class="k">return</span> <span class="p">{</span><span class="s">'access_token'</span><span class="p">:</span> <span class="n">access_token</span><span class="p">,</span> <span class="s">'refresh_token'</span><span class="p">:</span> <span class="n">refresh_token</span><span class="p">}</span> <span class="o">@</span><span class="n">app</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="s">'/refresh_token'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">refresh_token</span><span class="p">(</span><span class="n">credentials</span><span class="p">:</span> <span class="n">HTTPAuthorizationCredentials</span> <span class="o">=</span> <span class="n">Security</span><span class="p">(</span><span class="n">security</span><span class="p">)):</span> <span class="n">refresh_token</span> <span class="o">=</span> <span class="n">credentials</span><span class="p">.</span><span class="n">credentials</span> <span class="n">new_token</span> <span class="o">=</span> <span class="n">auth_handler</span><span class="p">.</span><span class="n">refresh_token</span><span class="p">(</span><span class="n">refresh_token</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="s">'access_token'</span><span class="p">:</span> <span class="n">new_token</span><span class="p">}</span> <span class="o">@</span><span class="n">app</span><span class="p">.</span><span class="n">post</span><span class="p">(</span><span class="s">'/secret'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">secret_data</span><span class="p">(</span><span class="n">credentials</span><span class="p">:</span> <span class="n">HTTPAuthorizationCredentials</span> <span class="o">=</span> <span class="n">Security</span><span class="p">(</span><span class="n">security</span><span class="p">)):</span> <span class="n">token</span> <span class="o">=</span> <span class="n">credentials</span><span class="p">.</span><span class="n">credentials</span> <span class="k">if</span><span class="p">(</span><span class="n">auth_handler</span><span class="p">.</span><span class="n">decode_token</span><span class="p">(</span><span class="n">token</span><span class="p">)):</span> <span class="k">return</span> <span class="s">'Top Secret data only authorized users can access this info'</span> <span class="o">@</span><span class="n">app</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="s">'/notsecret'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">not_secret_data</span><span class="p">():</span> <span class="k">return</span> <span class="s">'Not secret data'</span> </code></pre> </div> <p>To test the app, go to the terminal in the same directory and run <code>uvicorn main:app</code>, you can then go <code>/docs</code> on the local endpoint (for me it was <a href="http://127.0.0.1:8000/docs"><code>http://127.0.0.1:8000/docs</code></a>) to test the application.</p> <p><code>/signup</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">curl</span><span class="w"> </span><span class="err">-X</span><span class="w"> </span><span class="err">'POST'</span><span class="w"> </span><span class="err">\</span><span class="w"> </span><span class="err">'http://</span><span class="mf">127.0</span><span class="err">.</span><span class="mf">0.1</span><span class="err">:</span><span class="mi">8000</span><span class="err">/signup'</span><span class="w"> </span><span class="err">\</span><span class="w"> </span><span class="err">-H</span><span class="w"> </span><span class="err">'accept:</span><span class="w"> </span><span class="err">application/json'</span><span class="w"> </span><span class="err">\</span><span class="w"> </span><span class="err">-H</span><span class="w"> </span><span class="err">'Content-Type:</span><span class="w"> </span><span class="err">application/json'</span><span class="w"> </span><span class="err">\</span><span class="w"> </span><span class="err">-d</span><span class="w"> </span><span class="err">'</span><span class="p">{</span><span class="w"> </span><span class="nl">"username"</span><span class="p">:</span><span class="w"> </span><span class="s2">"flyingsponge"</span><span class="p">,</span><span class="w"> </span><span class="nl">"password"</span><span class="p">:</span><span class="w"> </span><span class="s2">"SpongePassword"</span><span class="w"> </span><span class="p">}</span><span class="err">'</span><span class="w"> </span><span class="err">Response</span><span class="w"> </span><span class="err">Body</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"flyingsponge"</span><span class="p">,</span><span class="w"> </span><span class="nl">"password"</span><span class="p">:</span><span class="w"> </span><span class="s2">"$2b$12$Ml66gTN0j4sAOkoDJ1aKnOmP0ye1FBNNk1QzEt0/6LgemgOUj469e"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><code>/login</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">curl</span><span class="w"> </span><span class="err">-X</span><span class="w"> </span><span class="err">'POST'</span><span class="w"> </span><span class="err">\</span><span class="w"> </span><span class="err">'http://</span><span class="mf">127.0</span><span class="err">.</span><span class="mf">0.1</span><span class="err">:</span><span class="mi">8000</span><span class="err">/login'</span><span class="w"> </span><span class="err">\</span><span class="w"> </span><span class="err">-H</span><span class="w"> </span><span class="err">'accept:</span><span class="w"> </span><span class="err">application/json'</span><span class="w"> </span><span class="err">\</span><span class="w"> </span><span class="err">-H</span><span class="w"> </span><span class="err">'Content-Type:</span><span class="w"> </span><span class="err">application/json'</span><span class="w"> </span><span class="err">\</span><span class="w"> </span><span class="err">-d</span><span class="w"> </span><span class="err">'</span><span class="p">{</span><span class="w"> </span><span class="nl">"username"</span><span class="p">:</span><span class="w"> </span><span class="s2">"flyingsponge"</span><span class="p">,</span><span class="w"> </span><span class="nl">"password"</span><span class="p">:</span><span class="w"> </span><span class="s2">"SpongePassword"</span><span class="w"> </span><span class="p">}</span><span class="err">'</span><span class="w"> </span><span class="err">Response</span><span class="w"> </span><span class="err">Body</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"access_token"</span><span class="p">:</span><span class="w"> </span><span class="s2">"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2MTkwMTY4MzgsImlhdCI6MTYxOTAxNTAzOCwic3ViIjoiZmx5aW5nc3BvbmdlIn0.XnPaDwmj30M3vMOaPUOrqESIBNx0mctbjNW5jY8hIjQ"</span><span class="p">,</span><span class="w"> </span><span class="nl">"refresh_token"</span><span class="p">:</span><span class="w"> </span><span class="s2">"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2MTkwNTEwMzgsImlhdCI6MTYxOTAxNTAzOCwic3ViIjoiZmx5aW5nc3BvbmdlIn0.Pm68HQFM6NwUxnEjFUxxTiOYT3KBqchD_e2g0LfP5Co"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><code>/secret</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">curl</span> <span class="o">-</span><span class="n">X</span> <span class="s">'POST'</span> \ <span class="s">'http://127.0.0.1:8000/secret'</span> \ <span class="o">-</span><span class="n">H</span> <span class="s">'accept: application/json'</span> \ <span class="o">-</span><span class="n">H</span> <span class="s">'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2MTkwMTY2MTIsImlhdCI6MTYxOTAxNDgxMiwic3ViIjoicmFta2kifQ.U8fUN1x1Gz18f7oA_y7Z9DE-1FIH9Ps0sDilwORvmI8'</span> \ <span class="o">-</span><span class="n">d</span> <span class="s">''</span> <span class="n">Response</span> <span class="n">body</span> <span class="s">"Top Secret data only authorized users can access this info"</span> </code></pre> </div> <p><code>/notsecret</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">curl</span><span class="w"> </span><span class="err">-X</span><span class="w"> </span><span class="err">'GET'</span><span class="w"> </span><span class="err">\</span><span class="w"> </span><span class="err">'http://</span><span class="mf">127.0</span><span class="err">.</span><span class="mf">0.1</span><span class="err">:</span><span class="mi">8000</span><span class="err">/notsecret'</span><span class="w"> </span><span class="err">\</span><span class="w"> </span><span class="err">-H</span><span class="w"> </span><span class="err">'accept:</span><span class="w"> </span><span class="err">application/json'</span><span class="w"> </span><span class="err">Response</span><span class="w"> </span><span class="err">Body</span><span class="w"> </span><span class="s2">"Not secret data"</span><span class="w"> </span></code></pre> </div> <p><code>/secret</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">curl</span><span class="w"> </span><span class="err">-X</span><span class="w"> </span><span class="err">'POST'</span><span class="w"> </span><span class="err">\</span><span class="w"> </span><span class="err">'http://</span><span class="mf">127.0</span><span class="err">.</span><span class="mf">0.1</span><span class="err">:</span><span class="mi">8000</span><span class="err">/secret'</span><span class="w"> </span><span class="err">\</span><span class="w"> </span><span class="err">-H</span><span class="w"> </span><span class="err">'accept:</span><span class="w"> </span><span class="err">application/json'</span><span class="w"> </span><span class="err">\</span><span class="w"> </span><span class="err">-H</span><span class="w"> </span><span class="err">'Authorization:</span><span class="w"> </span><span class="err">Bearer</span><span class="w"> </span><span class="err">eyJ</span><span class="mi">0</span><span class="err">eXAiOiJKV</span><span class="mi">1</span><span class="err">QiLCJhbGciOiJIUzI</span><span class="mi">1</span><span class="err">NiJ</span><span class="mi">9</span><span class="err">.eyJleHAiOjE</span><span class="mi">2</span><span class="err">MTg</span><span class="mi">5</span><span class="err">MzU</span><span class="mi">3</span><span class="err">MzcsImlhdCI</span><span class="mi">6</span><span class="err">MTYxODkzNTY</span><span class="mi">3</span><span class="err">Nywic</span><span class="mi">3</span><span class="err">ViIjoicm</span><span class="mi">9</span><span class="err">oYW</span><span class="mi">4</span><span class="err">ifQ.dja</span><span class="mi">0E6</span><span class="err">SUaZfEvYVKySjLE</span><span class="mi">9</span><span class="err">OLXOtob</span><span class="mi">5</span><span class="err">pjpy</span><span class="mi">3</span><span class="err">R_rlCD</span><span class="mi">7</span><span class="err">c'</span><span class="w"> </span><span class="err">\</span><span class="w"> </span><span class="err">-d</span><span class="w"> </span><span class="err">''</span><span class="w"> </span><span class="err">Response</span><span class="w"> </span><span class="err">Body</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"detail"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Token expired"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Now that the token is expired, let's get a new one</p> <p><code>/refresh_token</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">curl</span><span class="w"> </span><span class="err">-X</span><span class="w"> </span><span class="err">'GET'</span><span class="w"> </span><span class="err">\</span><span class="w"> </span><span class="err">'http://</span><span class="mf">127.0</span><span class="err">.</span><span class="mf">0.1</span><span class="err">:</span><span class="mi">8000</span><span class="err">/refresh_token'</span><span class="w"> </span><span class="err">\</span><span class="w"> </span><span class="err">-H</span><span class="w"> </span><span class="err">'accept:</span><span class="w"> </span><span class="err">application/json'</span><span class="w"> </span><span class="err">\</span><span class="w"> </span><span class="err">-H</span><span class="w"> </span><span class="err">'Authorization:</span><span class="w"> </span><span class="err">Bearer</span><span class="w"> </span><span class="err">eyJ</span><span class="mi">0</span><span class="err">eXAiOiJKV</span><span class="mi">1</span><span class="err">QiLCJhbGciOiJIUzI</span><span class="mi">1</span><span class="err">NiJ</span><span class="mi">9</span><span class="err">.eyJleHAiOjE</span><span class="mi">2</span><span class="err">MTkwNTA</span><span class="mi">3</span><span class="err">NzYsImlhdCI</span><span class="mi">6</span><span class="err">MTYxOTAxNDc</span><span class="mi">3</span><span class="err">Niwic</span><span class="mi">3</span><span class="err">ViIjoicmFta</span><span class="mi">2</span><span class="err">kifQ.</span><span class="mi">2</span><span class="err">J</span><span class="mi">0</span><span class="err">O</span><span class="mi">4</span><span class="err">RKwEcABxe</span><span class="mi">6</span><span class="err">hEX</span><span class="mi">7</span><span class="err">ZshMo</span><span class="mi">66</span><span class="err">J</span><span class="mi">6</span><span class="err">D</span><span class="mi">0</span><span class="err">dD</span><span class="mi">6</span><span class="err">-hYeFLBFGg'</span><span class="w"> </span><span class="err">Response</span><span class="w"> </span><span class="err">Body</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"access_token"</span><span class="p">:</span><span class="w"> </span><span class="s2">"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2MTkwMTY2MTIsImlhdCI6MTYxOTAxNDgxMiwic3ViIjoicmFta2kifQ.U8fUN1x1Gz18f7oA_y7Z9DE-1FIH9Ps0sDilwORvmI8"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Deploy on Deta micros </h2> <p>Before we begin, make sure to <a href="https://docs.deta.sh/docs/cli/install">install the Deta CLI.</a> After installing, run the following commands in the same directory to deploy our app on Deta micros.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">deta</span><span class="w"> </span><span class="err">login</span><span class="w"> </span></code></pre> </div> <p>We also need to add a <code>.env</code> file with the secret.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>APP_SECRET_STRING=SECRET_STRING </code></pre> </div> <p>Now we need to update our micro by doing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">deta</span> <span class="n">new</span> <span class="n">deta</span> <span class="n">update</span> <span class="o">-</span><span class="n">e</span> <span class="p">.</span><span class="n">env</span> <span class="n">deta</span> <span class="n">deploy</span> <span class="n">deta</span> <span class="n">visor</span> <span class="n">disable</span> </code></pre> </div> <h2> Summary </h2> <p>Our simple FastAPI application with JWT auth is now ready! As you can probably tell, we are not doing anything "secret" with our authorization. This article is just a template for implementing authorization. You can build on this template to build a fullstack application that relies on authorization. <a href="https://github.com/rohanshiva/Deta-FastAPI-JWT-Auth-Blog">The full code is available here.</a> </p> <p><a href="https://dev.to/deta/deta-fastapi-jwt-auth-part-1-4c82">Link to the first article!</a></p> python fastapi deta jwt Get started with FastAPI JWT authentication – Part 1 Rohan Mon, 12 Apr 2021 23:26:56 +0000 https://dev.to/deta/deta-fastapi-jwt-auth-part-1-4c82 https://dev.to/deta/deta-fastapi-jwt-auth-part-1-4c82 <p>This is the first of a <a href="https://dev.to/deta/get-started-with-fastapi-jwt-authentication-part-2-18ok">two part</a> series on implementing authorization in a FastAPI application using Deta. In this article, we will learn about JWT tokens, set up the project, and build the auth logic. In the next article, we will implement the auth logic in a FastAPI application. <a href="https://github.com/rohanshiva/Deta-FastAPI-JWT-Auth-Blog" rel="noopener noreferrer">The full code is available here.</a> </p> <h2> Introduction </h2> <p>Implementing authorization can be useful, as it provides the client access to a specific set of functions, actions, data, etc. Consider an e-commerce website, you would want to make sure users are authorized before they can look at items in the cart. Another example is a chat application where only the owner has the right to add/remove people. </p> <p>JWT (or JSON web tokens) are simply base64 strings that encode some information about the client. These tokens are signed using a secret key or a public/private key. We will implement the former method. Essentially, when the client is logged in, the server sends back a response with a signed token. Subsequently, the client can send requests to the server with the token as a header to access authorized routes, data, functions etc. </p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F20916697%2F114433979-15e32f80-9b88-11eb-8bd9-a4bfb5f3b56c.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F20916697%2F114433979-15e32f80-9b88-11eb-8bd9-a4bfb5f3b56c.png" alt="image"></a></p> <p><strong>Let's get started</strong></p> <h2> Agenda </h2> <ul> <li>Setup</li> <li>FastAPI app skeleton + Auth logic</li> </ul> <h2> Setup </h2> <h3> Tools </h3> <ul> <li> <a href="https://fastapi.tiangolo.com/" rel="noopener noreferrer">FastAPI</a>: we are using FastAPI to build the application</li> <li>Deta Base (Base) : database for our application</li> <li>Deta Micro: host our application</li> <li> <code>pyjwt</code>: library for encoding and decoding JWT tokens</li> <li> <code>passlib[bcrypt]</code>: password hashing library</li> </ul> <h3> Install </h3> <p>To get started, create a folder for this project <code>fastapi-jwt</code> , and create a <code>requirements.txt</code> file with the following lines:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">deta</span> <span class="n">fastapi</span> <span class="n">uvicorn</span> <span class="n">pyjwt</span> <span class="n">passlib</span><span class="p">[</span><span class="n">bcrypt</span><span class="p">]</span> </code></pre> </div> <p>Run the following command to install the libraries </p> <p><code>pip install -r requirements.txt</code></p> <p>Before we begin with the project we also need to get a Deta project key to use with Deta Base. We are using Base to store user account information such as username and hashed password. </p> <p>To do that, navigate to the <a href="https://web.deta.sh/" rel="noopener noreferrer">Deta Console </a>then click on the arrow on the top left.<br> If you don't already have a Deta account, <a href="https://web.deta.sh/" rel="noopener noreferrer">create one for free</a>. Once you confirm your email, Deta will automatically generate a Project Key, this is the one we need, copy it and store it securely.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F20916697%2F114434048-2dbab380-9b88-11eb-8839-22bebae709ed.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F20916697%2F114434048-2dbab380-9b88-11eb-8839-22bebae709ed.png" alt="image"></a></p> <p>Create a new project and make sure to save the key in a secure place!</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F20916697%2F114434122-40cd8380-9b88-11eb-8ddc-7045ce5756ba.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F20916697%2F114434122-40cd8380-9b88-11eb-8ddc-7045ce5756ba.png" alt="image"></a></p> <p>Add the key to your environment variables like this <code>DETA_PROJECT_KEY=YOUR_COPIED_PROJECT_KEY</code></p> <p>That's it for the setup, we have everything we need to get rolling. Let's go!</p> <h2> FastAPI app skeleton and Auth logic </h2> <p>Here is how our folder structure will look like at the end:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="err">fastapi-jwt/</span><span class="w"> </span><span class="err">├──</span><span class="w"> </span><span class="err">main.py</span><span class="w"> </span><span class="err">├──</span><span class="w"> </span><span class="err">auth.py</span><span class="w"> </span><span class="err">├──</span><span class="w"> </span><span class="err">user_model.py</span><span class="w"> </span><span class="err">└──</span><span class="w"> </span><span class="err">requirements.txt</span><span class="w"> </span></code></pre> </div> <p>In <code>main.py</code> , let's set up our FastAPI application, Deta Base, and skeletons for all the endpoints.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">HTTPException</span> <span class="kn">from</span> <span class="n">deta</span> <span class="kn">import</span> <span class="n">Deta</span> <span class="n">deta</span> <span class="o">=</span> <span class="nc">Deta</span><span class="p">()</span> <span class="n">users_db</span> <span class="o">=</span> <span class="n">deta</span><span class="p">.</span><span class="nc">Base</span><span class="p">(</span><span class="sh">'</span><span class="s">users</span><span class="sh">'</span><span class="p">)</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="nd">@app.post</span><span class="p">(</span><span class="sh">'</span><span class="s">/signup</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">signup</span><span class="p">():</span> <span class="k">return</span> <span class="sh">'</span><span class="s">Sign up endpoint</span><span class="sh">'</span> <span class="nd">@app.post</span><span class="p">(</span><span class="sh">'</span><span class="s">/login</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">login</span><span class="p">():</span> <span class="k">return</span> <span class="sh">'</span><span class="s">Login user endpoint</span><span class="sh">'</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">'</span><span class="s">/refresh_token</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">refresh_token</span><span class="p">():</span> <span class="k">return</span> <span class="sh">'</span><span class="s">New token</span><span class="sh">'</span> <span class="nd">@app.post</span><span class="p">(</span><span class="sh">'</span><span class="s">/secret</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">secret_data</span><span class="p">():</span> <span class="k">return</span> <span class="sh">'</span><span class="s">Secret data</span><span class="sh">'</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">'</span><span class="s">/notsecret</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">not_secret_data</span><span class="p">():</span> <span class="k">return</span> <span class="sh">'</span><span class="s">Not secret data</span><span class="sh">'</span> </code></pre> </div> <p><code>users_db</code> is our base where we store the account's hashed password. The schema for <code>users</code> will look like the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="p">{</span> <span class="n">key</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="c1"># username </span> <span class="n">encoded_password</span><span class="p">:</span> <span class="nb">str</span> <span class="p">}</span> </code></pre> </div> <p>Now let's head over to <code>auth.py</code>, to handle the authentication logic:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">jwt</span> <span class="c1"># used for encoding and decoding jwt tokens </span><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">HTTPException</span> <span class="c1"># used to handle error handling </span><span class="kn">from</span> <span class="n">passlib.context</span> <span class="kn">import</span> <span class="n">CryptContext</span> <span class="c1"># used for hashing the password </span><span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span><span class="p">,</span> <span class="n">timedelta</span> <span class="c1"># used to handle expiry time for tokens </span> <span class="k">class</span> <span class="nc">Auth</span><span class="p">():</span> <span class="n">hasher</span><span class="o">=</span> <span class="nc">CryptContext</span><span class="p">(</span><span class="n">schemes</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">bcrypt</span><span class="sh">'</span><span class="p">])</span> <span class="n">secret</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">"</span><span class="s">APP_SECRET_STRING</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">encode_password</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">password</span><span class="p">):</span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="n">hasher</span><span class="p">.</span><span class="nf">hash</span><span class="p">(</span><span class="n">password</span><span class="p">)</span> <span class="k">def</span> <span class="nf">verify_password</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">password</span><span class="p">,</span> <span class="n">encoded_password</span><span class="p">):</span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="n">hasher</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="n">password</span><span class="p">,</span> <span class="n">encoded_password</span><span class="p">)</span> </code></pre> </div> <p>So far, we just imported all the tools from the libraries, and we created the <code>Auth</code> class with two functions. We don't want to store the plain text password in our <code>users</code> Base. Therefore, we can use the <code>encode_password</code> function to encode the password using the <code>passlib['bcrypt']</code> library. We can store this encoded password in our <code>users_db</code> base when the user makes an account. </p> <p>We also have another function <code>verify_password</code> which checks if the plain password and the encoded password from <code>users_db</code> match. This can be useful to verify user in the <code>/login</code> endpoint. </p> <p>Notice that we get the variable <code>secret</code> from our environment, make sure to generate a long secure string and store it in your environment variables under the name <code>APP_SECRET_STRING</code>.</p> <p>Now that we have a way to verify passwords, and hash passwords, it is time to handle the logic for encoding and decoding JSON web tokens. The tokens are the essence of auth logic. </p> <p>Inside the <code>Auth</code> class, add the following functions.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="k">def</span> <span class="nf">encode_token</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">username</span><span class="p">):</span> <span class="n">payload</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">exp</span><span class="sh">'</span> <span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">utcnow</span><span class="p">()</span> <span class="o">+</span> <span class="nf">timedelta</span><span class="p">(</span><span class="n">days</span><span class="o">=</span><span class="mi">0</span><span class="p">,</span> <span class="n">minutes</span><span class="o">=</span><span class="mi">30</span><span class="p">),</span> <span class="sh">'</span><span class="s">iat</span><span class="sh">'</span> <span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">utcnow</span><span class="p">(),</span> <span class="sh">'</span><span class="s">scope</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">access_token</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">sub</span><span class="sh">'</span> <span class="p">:</span> <span class="n">username</span> <span class="p">}</span> <span class="k">return</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span> <span class="n">payload</span><span class="p">,</span> <span class="n">self</span><span class="p">.</span><span class="n">secret</span><span class="p">,</span> <span class="n">algorithm</span><span class="o">=</span><span class="sh">'</span><span class="s">HS256</span><span class="sh">'</span> <span class="p">)</span> <span class="k">def</span> <span class="nf">decode_token</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">token</span><span class="p">):</span> <span class="k">try</span><span class="p">:</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span><span class="n">token</span><span class="p">,</span> <span class="n">self</span><span class="p">.</span><span class="n">secret</span><span class="p">,</span> <span class="n">algorithms</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">HS256</span><span class="sh">'</span><span class="p">])</span> <span class="nf">if </span><span class="p">(</span><span class="n">payload</span><span class="p">[</span><span class="sh">'</span><span class="s">scope</span><span class="sh">'</span><span class="p">]</span> <span class="o">==</span> <span class="sh">'</span><span class="s">access_token</span><span class="sh">'</span><span class="p">):</span> <span class="k">return</span> <span class="n">payload</span><span class="p">[</span><span class="sh">'</span><span class="s">sub</span><span class="sh">'</span><span class="p">]</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">'</span><span class="s">Scope for the token is invalid</span><span class="sh">'</span><span class="p">)</span> <span class="k">except</span> <span class="n">jwt</span><span class="p">.</span><span class="n">ExpiredSignatureError</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">'</span><span class="s">Token expired</span><span class="sh">'</span><span class="p">)</span> <span class="k">except</span> <span class="n">jwt</span><span class="p">.</span><span class="n">InvalidTokenError</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">'</span><span class="s">Invalid token</span><span class="sh">'</span><span class="p">)</span> </code></pre> </div> <p>The <code>encode_token</code> function takes a username as a parameter and uses <code>pyjwt</code> to create an <code>access_token</code>. We are using <code>timedelta</code> to set the expiry of the token for 30 mins. The scope parameter can be used to verify that the client uses an <code>access_token</code>. We can use this function inside the <code>/login</code> endpoint, and return a token to the client.</p> <p><code>decode_token</code> takes a token as a parameter, and attempts to decode it using the <code>secret</code>. If there are any errors like expired token or an invalid token, we can simply raise an <code>HTTPException</code>. Otherwise, we can return the username. This will be helpful to us when the client interacts with protected data, functions, etc. We can use this function to simply verify if they have access to the response. </p> <p>When the token expires, the application forces the user to login. To avoid this, we can create two tokens <code>access_token</code> and <code>refresh_token</code> when the user logins. The refresh token usually has a longer expiry time than the <code>access_token</code>, and will only be used to create a new token. Everytime the <code>access_token</code> expires, the client sends a request to the server to create a new <code>access_token</code> using the <code>refresh_token</code>. If the <code>refresh_token</code> expires then the client will be forced to login. </p> <p>We need two more function to handle the <code>refresh_token</code> logic.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="k">def</span> <span class="nf">encode_refresh_token</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">username</span><span class="p">):</span> <span class="n">payload</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">exp</span><span class="sh">'</span> <span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">utcnow</span><span class="p">()</span> <span class="o">+</span> <span class="nf">timedelta</span><span class="p">(</span><span class="n">days</span><span class="o">=</span><span class="mi">0</span><span class="p">,</span> <span class="n">hours</span><span class="o">=</span><span class="mi">10</span><span class="p">),</span> <span class="sh">'</span><span class="s">iat</span><span class="sh">'</span> <span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">utcnow</span><span class="p">(),</span> <span class="sh">'</span><span class="s">scope</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">refresh_token</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">sub</span><span class="sh">'</span> <span class="p">:</span> <span class="n">username</span> <span class="p">}</span> <span class="k">return</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span> <span class="n">payload</span><span class="p">,</span> <span class="n">self</span><span class="p">.</span><span class="n">secret</span><span class="p">,</span> <span class="n">algorithm</span><span class="o">=</span><span class="sh">'</span><span class="s">HS256</span><span class="sh">'</span> <span class="p">)</span> <span class="k">def</span> <span class="nf">refresh_token</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">refresh_token</span><span class="p">):</span> <span class="k">try</span><span class="p">:</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span><span class="n">refresh_token</span><span class="p">,</span> <span class="n">self</span><span class="p">.</span><span class="n">secret</span><span class="p">,</span> <span class="n">algorithms</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">HS256</span><span class="sh">'</span><span class="p">])</span> <span class="nf">if </span><span class="p">(</span><span class="n">payload</span><span class="p">[</span><span class="sh">'</span><span class="s">scope</span><span class="sh">'</span><span class="p">]</span> <span class="o">==</span> <span class="sh">'</span><span class="s">refresh_token</span><span class="sh">'</span><span class="p">):</span> <span class="n">username</span> <span class="o">=</span> <span class="n">payload</span><span class="p">[</span><span class="sh">'</span><span class="s">sub</span><span class="sh">'</span><span class="p">]</span> <span class="n">new_token</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">encode_token</span><span class="p">(</span><span class="n">username</span><span class="p">)</span> <span class="k">return</span> <span class="n">new_token</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">'</span><span class="s">Invalid scope for token</span><span class="sh">'</span><span class="p">)</span> <span class="k">except</span> <span class="n">jwt</span><span class="p">.</span><span class="n">ExpiredSignatureError</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">'</span><span class="s">Refresh token expired</span><span class="sh">'</span><span class="p">)</span> <span class="k">except</span> <span class="n">jwt</span><span class="p">.</span><span class="n">InvalidTokenError</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">'</span><span class="s">Invalid refresh token</span><span class="sh">'</span><span class="p">)</span> </code></pre> </div> <p>As you can tell, we are setting the expiry time of the <code>refresh_token</code> to be 10 hours which is more than the <code>access_token</code>. Plus, we are simply using <code>refresh_token</code> to create a new <code>access_token</code>. The <code>scope</code> parameter from JWT token ensures that the <code>refresh_token</code> is used only for creating new tokens, and <code>access_token</code> is used only for interacting with protected endpoints. </p> <p>That is all we need for the auth logic! Here is what the file looks like at the end:</p> <p><code>auth.py</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">jwt</span> <span class="c1"># used for encoding and decoding jwt tokens </span><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">HTTPException</span> <span class="c1"># used to handle error handling </span><span class="kn">from</span> <span class="n">passlib.context</span> <span class="kn">import</span> <span class="n">CryptContext</span> <span class="c1"># used for hashing the password </span><span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span><span class="p">,</span> <span class="n">timedelta</span> <span class="c1"># used to handle expiry time for tokens </span> <span class="k">class</span> <span class="nc">Auth</span><span class="p">():</span> <span class="n">hasher</span><span class="o">=</span> <span class="nc">CryptContext</span><span class="p">(</span><span class="n">schemes</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">bcrypt</span><span class="sh">'</span><span class="p">])</span> <span class="n">secret</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">"</span><span class="s">APP_SECRET_STRING</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">encode_password</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">password</span><span class="p">):</span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="n">hasher</span><span class="p">.</span><span class="nf">hash</span><span class="p">(</span><span class="n">password</span><span class="p">)</span> <span class="k">def</span> <span class="nf">verify_password</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">password</span><span class="p">,</span> <span class="n">encoded_password</span><span class="p">):</span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="n">hasher</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="n">password</span><span class="p">,</span> <span class="n">encoded_password</span><span class="p">)</span> <span class="k">def</span> <span class="nf">encode_token</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">username</span><span class="p">):</span> <span class="n">payload</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">exp</span><span class="sh">'</span> <span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">utcnow</span><span class="p">()</span> <span class="o">+</span> <span class="nf">timedelta</span><span class="p">(</span><span class="n">days</span><span class="o">=</span><span class="mi">0</span><span class="p">,</span> <span class="n">minutes</span><span class="o">=</span><span class="mi">30</span><span class="p">),</span> <span class="sh">'</span><span class="s">iat</span><span class="sh">'</span> <span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">utcnow</span><span class="p">(),</span> <span class="sh">'</span><span class="s">scope</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">access_token</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">sub</span><span class="sh">'</span> <span class="p">:</span> <span class="n">username</span> <span class="p">}</span> <span class="k">return</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span> <span class="n">payload</span><span class="p">,</span> <span class="n">self</span><span class="p">.</span><span class="n">secret</span><span class="p">,</span> <span class="n">algorithm</span><span class="o">=</span><span class="sh">'</span><span class="s">HS256</span><span class="sh">'</span> <span class="p">)</span> <span class="k">def</span> <span class="nf">decode_token</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">token</span><span class="p">):</span> <span class="k">try</span><span class="p">:</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span><span class="n">token</span><span class="p">,</span> <span class="n">self</span><span class="p">.</span><span class="n">secret</span><span class="p">,</span> <span class="n">algorithms</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">HS256</span><span class="sh">'</span><span class="p">])</span> <span class="nf">if </span><span class="p">(</span><span class="n">payload</span><span class="p">[</span><span class="sh">'</span><span class="s">scope</span><span class="sh">'</span><span class="p">]</span> <span class="o">==</span> <span class="sh">'</span><span class="s">access_token</span><span class="sh">'</span><span class="p">):</span> <span class="k">return</span> <span class="n">payload</span><span class="p">[</span><span class="sh">'</span><span class="s">sub</span><span class="sh">'</span><span class="p">]</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">'</span><span class="s">Scope for the token is invalid</span><span class="sh">'</span><span class="p">)</span> <span class="k">except</span> <span class="n">jwt</span><span class="p">.</span><span class="n">ExpiredSignatureError</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">'</span><span class="s">Token expired</span><span class="sh">'</span><span class="p">)</span> <span class="k">except</span> <span class="n">jwt</span><span class="p">.</span><span class="n">InvalidTokenError</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">'</span><span class="s">Invalid token</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">encode_refresh_token</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">username</span><span class="p">):</span> <span class="n">payload</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">exp</span><span class="sh">'</span> <span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">utcnow</span><span class="p">()</span> <span class="o">+</span> <span class="nf">timedelta</span><span class="p">(</span><span class="n">days</span><span class="o">=</span><span class="mi">0</span><span class="p">,</span> <span class="n">hours</span><span class="o">=</span><span class="mi">10</span><span class="p">),</span> <span class="sh">'</span><span class="s">iat</span><span class="sh">'</span> <span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">utcnow</span><span class="p">(),</span> <span class="sh">'</span><span class="s">scope</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">refresh_token</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">sub</span><span class="sh">'</span> <span class="p">:</span> <span class="n">username</span> <span class="p">}</span> <span class="k">return</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span> <span class="n">payload</span><span class="p">,</span> <span class="n">self</span><span class="p">.</span><span class="n">secret</span><span class="p">,</span> <span class="n">algorithm</span><span class="o">=</span><span class="sh">'</span><span class="s">HS256</span><span class="sh">'</span> <span class="p">)</span> <span class="k">def</span> <span class="nf">refresh_token</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">refresh_token</span><span class="p">):</span> <span class="k">try</span><span class="p">:</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span><span class="n">refresh_token</span><span class="p">,</span> <span class="n">self</span><span class="p">.</span><span class="n">secret</span><span class="p">,</span> <span class="n">algorithms</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">HS256</span><span class="sh">'</span><span class="p">])</span> <span class="nf">if </span><span class="p">(</span><span class="n">payload</span><span class="p">[</span><span class="sh">'</span><span class="s">scope</span><span class="sh">'</span><span class="p">]</span> <span class="o">==</span> <span class="sh">'</span><span class="s">refresh_token</span><span class="sh">'</span><span class="p">):</span> <span class="n">username</span> <span class="o">=</span> <span class="n">payload</span><span class="p">[</span><span class="sh">'</span><span class="s">sub</span><span class="sh">'</span><span class="p">]</span> <span class="n">new_token</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">encode_token</span><span class="p">(</span><span class="n">username</span><span class="p">)</span> <span class="k">return</span> <span class="n">new_token</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">'</span><span class="s">Invalid scope for token</span><span class="sh">'</span><span class="p">)</span> <span class="k">except</span> <span class="n">jwt</span><span class="p">.</span><span class="n">ExpiredSignatureError</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">'</span><span class="s">Refresh token expired</span><span class="sh">'</span><span class="p">)</span> <span class="k">except</span> <span class="n">jwt</span><span class="p">.</span><span class="n">InvalidTokenError</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">'</span><span class="s">Invalid refresh token</span><span class="sh">'</span><span class="p">)</span> </code></pre> </div> <p><a href="https://dev.to/deta/get-started-with-fastapi-jwt-authentication-part-2-18ok">In the next article</a>, we will implement the logic in a FastAPI application and deploy our app on Deta micros! <a href="https://github.com/rohanshiva/Deta-FastAPI-JWT-Auth-Blog" rel="noopener noreferrer">The full code is available here.</a></p>