d63fc9b68d
- Phone number authentication with OTP verification - Email/password authentication with secure bcrypt hashing - Third-party OAuth login support for Google and Apple - JWT token-based authentication system - Rate limiting for OTP requests (5/minute) - SQLite database with SQLAlchemy ORM - Comprehensive user model with multiple auth providers - Alembic database migrations setup - API documentation with Swagger/OpenAPI - Health check and system endpoints - Environment configuration with security best practices - Code quality with Ruff linting and formatting Features: - POST /auth/request-otp - Request OTP for phone authentication - POST /auth/verify-otp - Verify OTP and get access token - POST /auth/signup-email - Email signup with password - POST /auth/login-email - Email login authentication - POST /auth/login-google - Google OAuth integration - POST /auth/login-apple - Apple OAuth integration - GET /user/me - Get current authenticated user info - GET / - API information and documentation links - GET /health - Application health check
5.2 KiB
5.2 KiB
Enviodeck Authentication API
A FastAPI backend API for the Enviodeck mobile app with comprehensive user authentication features including phone number OTP, email/password, and third-party OAuth (Google/Apple) authentication.
Features
- Phone Number Authentication: OTP-based login via SMS
- Email/Password Authentication: Traditional signup and login
- Third-Party Authentication: Google and Apple OAuth integration
- JWT Token-based Authentication: Secure session management
- Rate Limiting: Protection against OTP abuse
- SQLite Database: Lightweight, embedded database
- API Documentation: Auto-generated Swagger/OpenAPI docs
Tech Stack
- Framework: FastAPI
- Database: SQLite with SQLAlchemy ORM
- Authentication: JWT tokens with python-jose
- Password Hashing: bcrypt via passlib
- Rate Limiting: slowapi
- Migrations: Alembic
- Code Quality: Ruff for linting
API Endpoints
Authentication
POST /auth/request-otp- Request OTP for phone numberPOST /auth/verify-otp- Verify OTP and get access tokenPOST /auth/signup-email- Sign up with email/passwordPOST /auth/login-email- Login with email/passwordPOST /auth/login-google- Login with Google OAuthPOST /auth/login-apple- Login with Apple OAuth
User Management
GET /user/me- Get current user information
System
GET /- API informationGET /health- Health check endpointGET /docs- Swagger UI documentationGET /redoc- ReDoc documentation
Installation & Setup
-
Install Dependencies
pip install -r requirements.txt -
Environment Configuration
cp .env.example .env # Edit .env with your configuration values -
Database Setup
# Run migrations to create database tables alembic upgrade head -
Start the Server
uvicorn main:app --reload --host 0.0.0.0 --port 8000
Environment Variables
The following environment variables need to be configured:
Required
JWT_SECRET_KEY: Secret key for JWT token generation (change in production!)
Optional (for full functionality)
REDIS_URL: Redis connection URL for OTP storage (defaults to mock implementation)GOOGLE_CLIENT_ID: Google OAuth client IDGOOGLE_CLIENT_SECRET: Google OAuth client secretAPPLE_CLIENT_ID: Apple OAuth client IDAPPLE_CLIENT_SECRET: Apple OAuth client secretTWILIO_ACCOUNT_SID: Twilio account SID for SMSTWILIO_AUTH_TOKEN: Twilio auth tokenTWILIO_PHONE_NUMBER: Twilio phone number for sending SMS
Database Schema
User Model
id: Primary keyphone_number: Unique phone number (nullable)email: Unique email address (nullable)name: User's name (optional)password_hash: Hashed password for email authauth_provider: Enum (PHONE, EMAIL, GOOGLE, APPLE)is_active: User account statusis_verified: Phone/email verification statuscreated_at: Account creation timestampupdated_at: Last update timestamp
API Usage Examples
Phone Authentication Flow
# 1. Request OTP
curl -X POST "http://localhost:8000/auth/request-otp" \
-H "Content-Type: application/json" \
-d '{"phone_number": "+1234567890"}'
# 2. Verify OTP
curl -X POST "http://localhost:8000/auth/verify-otp" \
-H "Content-Type: application/json" \
-d '{"phone_number": "+1234567890", "otp": "123456"}'
Email Authentication
# Sign up
curl -X POST "http://localhost:8000/auth/signup-email" \
-H "Content-Type: application/json" \
-d '{"email": "user@example.com", "password": "password123", "name": "John Doe"}'
# Login
curl -X POST "http://localhost:8000/auth/login-email" \
-H "Content-Type: application/json" \
-d '{"email": "user@example.com", "password": "password123"}'
Accessing Protected Endpoints
# Get current user info
curl -X GET "http://localhost:8000/user/me" \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN"
Security Features
- Password Hashing: Secure bcrypt hashing for email authentication
- JWT Tokens: Stateless authentication with configurable expiration
- Rate Limiting: OTP requests limited to 5 per minute per IP
- OTP Security: 6-digit codes with 5-minute expiration and attempt limits
- CORS: Configured for cross-origin requests
Development
Code Quality
# Run linting and auto-fix
ruff check . --fix
ruff format .
Database Migrations
# Create new migration
alembic revision --autogenerate -m "description"
# Apply migrations
alembic upgrade head
# Rollback migration
alembic downgrade -1
Production Deployment
- Security: Change the
JWT_SECRET_KEYto a strong, random value - Database: Consider migrating to PostgreSQL for production
- Redis: Set up Redis instance for OTP storage
- SMS Service: Configure Twilio or alternative SMS provider
- OAuth: Set up Google and Apple OAuth applications
- HTTPS: Enable SSL/TLS encryption
- Rate Limiting: Consider more sophisticated rate limiting strategies
Testing
Access the interactive API documentation at:
- Swagger UI: http://localhost:8000/docs
- ReDoc: http://localhost:8000/redoc
License
This project is licensed under the MIT License.