diff --git a/README.md b/README.md index e8acfba..3aaf834 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,85 @@ -# FastAPI Application +# User Authentication Service -This is a FastAPI application bootstrapped by BackendIM, the AI-powered backend generation platform. +A FastAPI-based service for user authentication and management. + +## Features + +- User registration and account management +- Secure password handling with bcrypt hashing +- JWT-based authentication +- Protected API endpoints +- SQLite database with SQLAlchemy ORM +- Database migrations with Alembic + +## Project Structure + +``` +├── alembic/ # Database migration files +│ └── versions/ # Migration version files +├── app/ # Application code +│ ├── middleware/ # Middleware components +│ ├── models/ # SQLAlchemy models +│ ├── routers/ # API routes +│ ├── utils/ # Utility functions +│ ├── database.py # Database connection setup +│ ├── models.py # SQLAlchemy models +│ └── schemas.py # Pydantic schemas +├── alembic.ini # Alembic configuration +├── main.py # Application entry point +└── requirements.txt # Project dependencies +``` + +## API Endpoints + +### Authentication + +- `POST /auth/token` - OAuth2 token endpoint (form-based) +- `POST /auth/login` - Login endpoint (JSON-based) + +### Users + +- `POST /users/` - Register a new user +- `GET /users/me` - Get current user information +- `GET /users/` - Get list of users +- `GET /users/{user_id}` - Get a specific user by ID + +### Health Check + +- `GET /health` - Health check endpoint + +## Installation + +1. Clone the repository +2. Install dependencies: + ``` + pip install -r requirements.txt + ``` + +3. Run the application: + ``` + uvicorn main:app --reload + ``` + +4. Access the API documentation at `http://localhost:8000/docs` + +## Database + +The application uses SQLite as the database with SQLAlchemy ORM. Database migrations are managed with Alembic. + +### Creating a Migration + +```bash +alembic revision --autogenerate -m "description" +``` + +### Running Migrations + +```bash +alembic upgrade head +``` + +## Security + +- Passwords are hashed using bcrypt +- Authentication is handled using JWT tokens +- Protected routes require a valid JWT token \ No newline at end of file diff --git a/alembic.ini b/alembic.ini new file mode 100644 index 0000000..922bc72 --- /dev/null +++ b/alembic.ini @@ -0,0 +1,84 @@ +# A generic, single database configuration. + +[alembic] +# path to migration scripts +script_location = alembic + +# template used to generate migration files +# file_template = %%(rev)s_%%(slug)s + +# timezone to use when rendering the date +# within the migration file as well as the filename. +# string value is passed to dateutil.tz.gettz() +# leave blank for localtime +# timezone = + +# max length of characters to apply to the +# "slug" field +# truncate_slug_length = 40 + +# set to 'true' to run the environment during +# the 'revision' command, regardless of autogenerate +# revision_environment = false + +# set to 'true' to allow .pyc and .pyo files without +# a source .py file to be detected as revisions in the +# versions/ directory +# sourceless = false + +# version location specification; this defaults +# to alembic/versions. When using multiple version +# directories, initial revisions must be specified with --version-path +# version_locations = %(here)s/bar %(here)s/bat alembic/versions + +# the output encoding used when revision files +# are written from script.py.mako +# output_encoding = utf-8 + +sqlalchemy.url = sqlite:////app/storage/db/db.sqlite + +[post_write_hooks] +# post_write_hooks defines scripts or Python functions that are run +# on newly generated revision scripts. See the documentation for further +# detail and examples + +# format using "black" - use the console_scripts runner, against the "black" entrypoint +# hooks=black +# black.type=console_scripts +# black.entrypoint=black +# black.options=-l 79 + +# Logging configuration +[loggers] +keys = root,sqlalchemy,alembic + +[handlers] +keys = console + +[formatters] +keys = generic + +[logger_root] +level = INFO +handlers = console +qualname = + +[logger_sqlalchemy] +level = WARN +handlers = +qualname = sqlalchemy.engine + +[logger_alembic] +level = INFO +handlers = +qualname = alembic + +[handler_console] +class = StreamHandler +args = (sys.stderr,) +level = NOTSET +formatter = generic + +[formatter_generic] +format = %(levelname)-5.5s [%(name)s] %(message)s +datefmt = %H:%M:%S \ No newline at end of file diff --git a/alembic/README b/alembic/README new file mode 100644 index 0000000..81ed4a5 --- /dev/null +++ b/alembic/README @@ -0,0 +1 @@ +Generic single-database configuration with an async engine. \ No newline at end of file diff --git a/alembic/env.py b/alembic/env.py new file mode 100644 index 0000000..2b200f3 --- /dev/null +++ b/alembic/env.py @@ -0,0 +1,82 @@ +from logging.config import fileConfig + +from sqlalchemy import engine_from_config +from sqlalchemy import pool + +from alembic import context + +# this is the Alembic Config object, which provides +# access to the values within the .ini file in use. +config = context.config + +# Interpret the config file for Python logging. +# This line sets up loggers basically. +fileConfig(config.config_file_name) + +# add your model's MetaData object here +# for 'autogenerate' support +# from myapp import mymodel +# target_metadata = mymodel.Base.metadata +import sys +import os +sys.path.insert(0, os.path.dirname(os.path.dirname(__file__))) + +from app.models import Base +target_metadata = Base.metadata + +# other values from the config, defined by the needs of env.py, +# can be acquired: +# my_important_option = config.get_main_option("my_important_option") +# ... etc. + + +def run_migrations_offline(): + """Run migrations in 'offline' mode. + + This configures the context with just a URL + and not an Engine, though an Engine is acceptable + here as well. By skipping the Engine creation + we don't even need a DBAPI to be available. + + Calls to context.execute() here emit the given string to the + script output. + + """ + url = config.get_main_option("sqlalchemy.url") + context.configure( + url=url, + target_metadata=target_metadata, + literal_binds=True, + dialect_opts={"paramstyle": "named"}, + ) + + with context.begin_transaction(): + context.run_migrations() + + +def run_migrations_online(): + """Run migrations in 'online' mode. + + In this scenario we need to create an Engine + and associate a connection with the context. + + """ + connectable = engine_from_config( + config.get_section(config.config_ini_section), + prefix="sqlalchemy.", + poolclass=pool.NullPool, + ) + + with connectable.connect() as connection: + context.configure( + connection=connection, target_metadata=target_metadata + ) + + with context.begin_transaction(): + context.run_migrations() + + +if context.is_offline_mode(): + run_migrations_offline() +else: + run_migrations_online() \ No newline at end of file diff --git a/alembic/script.py.mako b/alembic/script.py.mako new file mode 100644 index 0000000..1e4564e --- /dev/null +++ b/alembic/script.py.mako @@ -0,0 +1,24 @@ +"""${message} + +Revision ID: ${up_revision} +Revises: ${down_revision | comma,n} +Create Date: ${create_date} + +""" +from alembic import op +import sqlalchemy as sa +${imports if imports else ""} + +# revision identifiers, used by Alembic. +revision = ${repr(up_revision)} +down_revision = ${repr(down_revision)} +branch_labels = ${repr(branch_labels)} +depends_on = ${repr(depends_on)} + + +def upgrade(): + ${upgrades if upgrades else "pass"} + + +def downgrade(): + ${downgrades if downgrades else "pass"} \ No newline at end of file diff --git a/alembic/versions/34cbb67a51c3_create_users_table.py b/alembic/versions/34cbb67a51c3_create_users_table.py new file mode 100644 index 0000000..028f186 --- /dev/null +++ b/alembic/versions/34cbb67a51c3_create_users_table.py @@ -0,0 +1,39 @@ +"""create users table + +Revision ID: 34cbb67a51c3 +Revises: +Create Date: 2025-05-13 00:00:00.000000 + +""" +from alembic import op +import sqlalchemy as sa + + +# revision identifiers, used by Alembic. +revision = '34cbb67a51c3' +down_revision = None +branch_labels = None +depends_on = None + + +def upgrade(): + op.create_table('users', + sa.Column('id', sa.Integer(), nullable=False), + sa.Column('email', sa.String(), nullable=True), + sa.Column('username', sa.String(), nullable=True), + sa.Column('hashed_password', sa.String(), nullable=True), + sa.Column('is_active', sa.Boolean(), nullable=True, default=True), + sa.Column('created_at', sa.DateTime(timezone=True), server_default=sa.text('(CURRENT_TIMESTAMP)'), nullable=True), + sa.Column('updated_at', sa.DateTime(timezone=True), nullable=True), + sa.PrimaryKeyConstraint('id') + ) + op.create_index(op.f('ix_users_email'), 'users', ['email'], unique=True) + op.create_index(op.f('ix_users_id'), 'users', ['id'], unique=False) + op.create_index(op.f('ix_users_username'), 'users', ['username'], unique=True) + + +def downgrade(): + op.drop_index(op.f('ix_users_username'), table_name='users') + op.drop_index(op.f('ix_users_id'), table_name='users') + op.drop_index(op.f('ix_users_email'), table_name='users') + op.drop_table('users') \ No newline at end of file diff --git a/app/__init__.py b/app/__init__.py new file mode 100644 index 0000000..f993ef0 --- /dev/null +++ b/app/__init__.py @@ -0,0 +1 @@ +# This file is intentionally left empty to mark the directory as a Python package \ No newline at end of file diff --git a/app/database.py b/app/database.py new file mode 100644 index 0000000..a2702c3 --- /dev/null +++ b/app/database.py @@ -0,0 +1,31 @@ +from sqlalchemy import create_engine +from sqlalchemy.ext.declarative import declarative_base +from sqlalchemy.orm import sessionmaker +from pathlib import Path + +# Create database directory +DB_DIR = Path("/app") / "storage" / "db" +DB_DIR.mkdir(parents=True, exist_ok=True) + +# Database URL +SQLALCHEMY_DATABASE_URL = f"sqlite:///{DB_DIR}/db.sqlite" + +# Create SQLAlchemy engine +engine = create_engine( + SQLALCHEMY_DATABASE_URL, + connect_args={"check_same_thread": False} +) + +# Create SessionLocal class +SessionLocal = sessionmaker(autocommit=False, autoflush=False, bind=engine) + +# Create Base class +Base = declarative_base() + +# Dependency +def get_db(): + db = SessionLocal() + try: + yield db + finally: + db.close() \ No newline at end of file diff --git a/app/middleware/__init__.py b/app/middleware/__init__.py new file mode 100644 index 0000000..f993ef0 --- /dev/null +++ b/app/middleware/__init__.py @@ -0,0 +1 @@ +# This file is intentionally left empty to mark the directory as a Python package \ No newline at end of file diff --git a/app/middleware/jwt_middleware.py b/app/middleware/jwt_middleware.py new file mode 100644 index 0000000..ceb15ad --- /dev/null +++ b/app/middleware/jwt_middleware.py @@ -0,0 +1,83 @@ +from fastapi import Request, HTTPException, status +from fastapi.responses import JSONResponse +from app.utils.auth import decode_token +from app.database import SessionLocal +from app.models import User +from starlette.datastructures import Headers +import re + + +PUBLIC_PATHS = [ + r'^/docs$', + r'^/redoc$', + r'^/openapi.json$', + r'^/auth/token$', + r'^/auth/login$', + r'^/users/$', + r'^/health$', +] + + +async def get_current_user(token: str): + """ + Get the current user from a JWT token + """ + payload = decode_token(token) + + db = SessionLocal() + try: + user = db.query(User).filter(User.username == payload["username"]).first() + if user is None: + raise HTTPException(status_code=404, detail="User not found") + return user + finally: + db.close() + + +async def verify_token(request: Request, call_next): + """ + Middleware to verify JWT tokens + """ + # Check if the path is public + path = request.url.path + for pattern in PUBLIC_PATHS: + if re.match(pattern, path): + return await call_next(request) + + # Get the Authorization header + auth_header = request.headers.get("Authorization") + if not auth_header: + return JSONResponse( + status_code=status.HTTP_401_UNAUTHORIZED, + content={"detail": "Not authenticated"}, + headers={"WWW-Authenticate": "Bearer"}, + ) + + # Extract the token + try: + scheme, token = auth_header.split() + if scheme.lower() != "bearer": + return JSONResponse( + status_code=status.HTTP_401_UNAUTHORIZED, + content={"detail": "Invalid authentication scheme"}, + headers={"WWW-Authenticate": "Bearer"}, + ) + except ValueError: + return JSONResponse( + status_code=status.HTTP_401_UNAUTHORIZED, + content={"detail": "Invalid token format"}, + headers={"WWW-Authenticate": "Bearer"}, + ) + + # Verify the token and get the current user + try: + user = await get_current_user(token) + # Add the user to the request state + request.state.user = user + return await call_next(request) + except HTTPException as e: + return JSONResponse( + status_code=e.status_code, + content={"detail": e.detail}, + headers=e.headers, + ) \ No newline at end of file diff --git a/app/models.py b/app/models.py new file mode 100644 index 0000000..93217ee --- /dev/null +++ b/app/models.py @@ -0,0 +1,15 @@ +from sqlalchemy import Boolean, Column, Integer, String, DateTime +from sqlalchemy.sql import func +from app.database import Base + + +class User(Base): + __tablename__ = "users" + + id = Column(Integer, primary_key=True, index=True) + email = Column(String, unique=True, index=True) + username = Column(String, unique=True, index=True) + hashed_password = Column(String) + is_active = Column(Boolean, default=True) + created_at = Column(DateTime(timezone=True), server_default=func.now()) + updated_at = Column(DateTime(timezone=True), onupdate=func.now()) \ No newline at end of file diff --git a/app/routers/__init__.py b/app/routers/__init__.py new file mode 100644 index 0000000..f993ef0 --- /dev/null +++ b/app/routers/__init__.py @@ -0,0 +1 @@ +# This file is intentionally left empty to mark the directory as a Python package \ No newline at end of file diff --git a/app/routers/auth.py b/app/routers/auth.py new file mode 100644 index 0000000..0027eb5 --- /dev/null +++ b/app/routers/auth.py @@ -0,0 +1,85 @@ +from fastapi import APIRouter, Depends, HTTPException, status +from fastapi.security import OAuth2PasswordBearer, OAuth2PasswordRequestForm +from sqlalchemy.orm import Session +from datetime import timedelta +from app import models, schemas +from app.database import get_db +from app.utils.auth import ( + verify_password, + create_access_token, + ACCESS_TOKEN_EXPIRE_MINUTES, +) + +router = APIRouter( + prefix="/auth", + tags=["authentication"], + responses={401: {"description": "Unauthorized"}}, +) + +oauth2_scheme = OAuth2PasswordBearer(tokenUrl="auth/token") + + +def authenticate_user(username: str, password: str, db: Session): + """ + Authenticate a user with username and password + """ + user = db.query(models.User).filter(models.User.username == username).first() + + if not user: + return False + + if not verify_password(password, user.hashed_password): + return False + + return user + + +@router.post("/token", response_model=schemas.Token) +async def login_for_access_token( + form_data: OAuth2PasswordRequestForm = Depends(), + db: Session = Depends(get_db) +): + """ + OAuth2 compatible token login, returns an access token + """ + user = authenticate_user(form_data.username, form_data.password, db) + + if not user: + raise HTTPException( + status_code=status.HTTP_401_UNAUTHORIZED, + detail="Incorrect username or password", + headers={"WWW-Authenticate": "Bearer"}, + ) + + access_token_expires = timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES) + access_token = create_access_token( + data={"sub": user.username, "user_id": user.id}, + expires_delta=access_token_expires, + ) + + return {"access_token": access_token, "token_type": "bearer"} + + +@router.post("/login", response_model=schemas.Token) +async def login( + login_data: schemas.LoginRequest, + db: Session = Depends(get_db) +): + """ + Regular login endpoint, returns an access token + """ + user = authenticate_user(login_data.username, login_data.password, db) + + if not user: + raise HTTPException( + status_code=status.HTTP_401_UNAUTHORIZED, + detail="Incorrect username or password", + ) + + access_token_expires = timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES) + access_token = create_access_token( + data={"sub": user.username, "user_id": user.id}, + expires_delta=access_token_expires, + ) + + return {"access_token": access_token, "token_type": "bearer"} \ No newline at end of file diff --git a/app/routers/users.py b/app/routers/users.py new file mode 100644 index 0000000..3d93253 --- /dev/null +++ b/app/routers/users.py @@ -0,0 +1,76 @@ +from fastapi import APIRouter, Depends, HTTPException, status, Request +from sqlalchemy.orm import Session +from app import models, schemas +from app.database import get_db +from app.utils.auth import get_password_hash +from typing import List + +router = APIRouter( + prefix="/users", + tags=["users"], + responses={404: {"description": "Not found"}}, +) + + +@router.post("/", response_model=schemas.UserResponse, status_code=status.HTTP_201_CREATED) +def create_user(user: schemas.UserCreate, db: Session = Depends(get_db)): + """ + Register a new user + """ + # Check if username exists + db_user_by_username = db.query(models.User).filter(models.User.username == user.username).first() + if db_user_by_username: + raise HTTPException( + status_code=status.HTTP_400_BAD_REQUEST, + detail="Username already registered" + ) + + # Check if email exists + db_user_by_email = db.query(models.User).filter(models.User.email == user.email).first() + if db_user_by_email: + raise HTTPException( + status_code=status.HTTP_400_BAD_REQUEST, + detail="Email already registered" + ) + + # Create new user + hashed_password = get_password_hash(user.password) + db_user = models.User( + email=user.email, + username=user.username, + hashed_password=hashed_password + ) + + db.add(db_user) + db.commit() + db.refresh(db_user) + + return db_user + + +@router.get("/me", response_model=schemas.UserResponse) +def read_users_me(request: Request): + """ + Get current user information + """ + return request.state.user + + +@router.get("/", response_model=List[schemas.UserResponse]) +def read_users(skip: int = 0, limit: int = 100, db: Session = Depends(get_db)): + """ + Get list of users + """ + users = db.query(models.User).offset(skip).limit(limit).all() + return users + + +@router.get("/{user_id}", response_model=schemas.UserResponse) +def read_user(user_id: int, db: Session = Depends(get_db)): + """ + Get a specific user by ID + """ + db_user = db.query(models.User).filter(models.User.id == user_id).first() + if db_user is None: + raise HTTPException(status_code=404, detail="User not found") + return db_user \ No newline at end of file diff --git a/app/schemas.py b/app/schemas.py new file mode 100644 index 0000000..efb566d --- /dev/null +++ b/app/schemas.py @@ -0,0 +1,37 @@ +from pydantic import BaseModel, EmailStr, Field +from typing import Optional +from datetime import datetime + + +class UserBase(BaseModel): + email: EmailStr + username: str + + +class UserCreate(UserBase): + password: str = Field(..., min_length=8) + + +class UserResponse(UserBase): + id: int + is_active: bool + created_at: datetime + updated_at: Optional[datetime] = None + + class Config: + from_attributes = True + + +class Token(BaseModel): + access_token: str + token_type: str + + +class TokenData(BaseModel): + username: Optional[str] = None + user_id: Optional[int] = None + + +class LoginRequest(BaseModel): + username: str + password: str \ No newline at end of file diff --git a/app/utils/__init__.py b/app/utils/__init__.py new file mode 100644 index 0000000..f993ef0 --- /dev/null +++ b/app/utils/__init__.py @@ -0,0 +1 @@ +# This file is intentionally left empty to mark the directory as a Python package \ No newline at end of file diff --git a/app/utils/auth.py b/app/utils/auth.py new file mode 100644 index 0000000..14c3541 --- /dev/null +++ b/app/utils/auth.py @@ -0,0 +1,62 @@ +from datetime import datetime, timedelta +from typing import Optional +from jose import JWTError, jwt +from passlib.context import CryptContext +from fastapi import HTTPException, status + +# JWT settings +SECRET_KEY = "YOUR_SECRET_KEY" # In production, use a secure environment variable +ALGORITHM = "HS256" +ACCESS_TOKEN_EXPIRE_MINUTES = 30 + +# Password context for hashing +pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto") + + +def verify_password(plain_password, hashed_password): + """Verify a password against a hash""" + return pwd_context.verify(plain_password, hashed_password) + + +def get_password_hash(password): + """Generate a hash from a password""" + return pwd_context.hash(password) + + +def create_access_token(data: dict, expires_delta: Optional[timedelta] = None): + """Create a JWT access token""" + to_encode = data.copy() + + if expires_delta: + expire = datetime.utcnow() + expires_delta + else: + expire = datetime.utcnow() + timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES) + + to_encode.update({"exp": expire}) + encoded_jwt = jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM) + + return encoded_jwt + + +def decode_token(token: str): + """Decode and validate a JWT token""" + try: + payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM]) + username = payload.get("sub") + user_id = payload.get("user_id") + + if username is None: + raise HTTPException( + status_code=status.HTTP_401_UNAUTHORIZED, + detail="Invalid authentication credentials", + headers={"WWW-Authenticate": "Bearer"}, + ) + + return {"username": username, "user_id": user_id} + + except JWTError: + raise HTTPException( + status_code=status.HTTP_401_UNAUTHORIZED, + detail="Invalid authentication credentials", + headers={"WWW-Authenticate": "Bearer"}, + ) \ No newline at end of file diff --git a/main.py b/main.py new file mode 100644 index 0000000..baedfe2 --- /dev/null +++ b/main.py @@ -0,0 +1,34 @@ +from fastapi import FastAPI +from app import models +from app.database import engine +from app.routers import auth, users +from app.middleware import jwt_middleware +from pathlib import Path + +# Create database tables +models.Base.metadata.create_all(bind=engine) + +app = FastAPI( + title="User Authentication Service", + description="A service for user authentication and management", + version="0.1.0", +) + +# Add middleware +app.middleware("http")(jwt_middleware.verify_token) + +# Include routers +app.include_router(auth.router) +app.include_router(users.router) + +@app.get("/health", tags=["Health"]) +async def health_check(): + """ + Health check endpoint that returns the service status + """ + return {"status": "healthy"} + + +if __name__ == "__main__": + import uvicorn + uvicorn.run("main:app", host="0.0.0.0", port=8000, reload=True) \ No newline at end of file diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 0000000..39a129f --- /dev/null +++ b/requirements.txt @@ -0,0 +1,9 @@ +fastapi==0.105.0 +uvicorn==0.24.0 +sqlalchemy==2.0.23 +alembic==1.12.1 +pydantic==2.5.2 +python-jose==3.3.0 +passlib==1.7.4 +python-multipart==0.0.6 +bcrypt==4.0.1 \ No newline at end of file