How to Implement JWT-Based Authentication in FastAPI

Alright, folks, let’s dive into the wonders of securing your FastAPI application using JWT-based authentication. Trust me, understanding and implementing these steps will give your API the robust shield it needs to keep unauthorized users at bay. So, let’s get rolling!

What’s the Deal With JWT Authentication?

Before jumping into the nitty-gritty, let’s get a grip on what JWT - JSON Web Tokens - is all about. Think of JWTs as compact, URL-safe bundles of claims (like a tiny treasure chest), signed digitally to ensure they’re trustworthy. When working with FastAPI, JWTs are your go-to for identifying users. They do this by verifying the token that’s sent along in the Authorization header of every request. Pretty cool, right?

Setting Up Your FastAPI Project

First off, you need a basic FastAPI setup. It’s like laying the foundation before building your house.

from fastapi import FastAPI

app = FastAPI()

Boom! You’ve got yourself a FastAPI application. Now, let’s add some layers to that foundation.

User Model and Authentication Service

We need a user model to keep track of our app’s users. Think of it as a digital profile card that stores usernames and (hashed) passwords. Here’s a quick and simple model using Pydantic for data validation.

from pydantic import BaseModel

class User(BaseModel):
    username: str
    password: str

Now, let’s set up the authentication service. This is where the magic happens - passwords get hashed and JWT tokens get generated. You’ll need pyjwt for token encoding and passlib for hashing passwords.

pip install pyjwt passlib

Check out how we define the authentication functions:

from fastapi.security import OAuth2PasswordBearer
import jwt
from passlib.context import CryptContext

SECRET_KEY = "your-secret-key"
ALGORITHM = "HS256"
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token")

# This is just a fake user database for illustration
fake_users_db = {
    "user1": {
        "username": "user1",
        "password": "$2b$12$AQyHPwd7p1s.GQvax/A3ve5wMey6NZuDXW1/FVhDpi8s/MV/Fo1LC", # hashed password: 'password1'
        "disabled": False,
    },
}

def authenticate_user(username: str, password: str):
    user = fake_users_db.get(username)
    if not user or not pwd_context.verify(password, user["password"]):
        return False
    return user

def create_access_token(data: dict):
    encoded_jwt = jwt.encode(data, SECRET_KEY, algorithm=ALGORITHM)
    return encoded_jwt

def get_current_user(token: str = Depends(oauth2_scheme)):
    try:
        payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
        username: str = payload.get("sub")
        if username is None:
            raise HTTPException(status_code=401, detail="Invalid authentication credentials")
        token_data = {"username": username}
    except jwt.JWTError:
        raise HTTPException(status_code=401, detail="Invalid authentication credentials")
    return token_data

Securing Routes with JWT Bearer Authentication

Now, let’s create a custom HTTPBearer class to ensure that JWT tokens are properly checked in the Authorization header.

from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
from fastapi import Request, HTTPException

class JWTBearer(HTTPBearer):
    def __init__(self, auto_error: bool = True):
        super(JWTBearer, self).__init__(auto_error=auto_error)

    async def __call__(self, request: Request):
        credentials: HTTPAuthorizationCredentials = await super(JWTBearer, self).__call__(request)
        if credentials:
            if not credentials.scheme == "Bearer":
                raise HTTPException(status_code=403, detail="Invalid authentication scheme.")
            if not self.verify_jwt(credentials.credentials):
                raise HTTPException(status_code=403, detail="Invalid token or expired token.")
            return credentials.credentials
        else:
            raise HTTPException(status_code=403, detail="Invalid authorization code.")

    def verify_jwt(self, jwtoken: str) -> bool:
        isTokenValid: bool = False
        try:
            payload = jwt.decode(jwtoken, SECRET_KEY, algorithms=[ALGORITHM])
        except:
            payload = None
        if payload:
            isTokenValid = True
        return isTokenValid

Guarding Your Routes

Let’s use the JWTBearer class to secure our API routes with ease. It’s like hiring a bouncer to check everyone’s credentials before they enter the club.

from fastapi import Depends

jwt_bearer = JWTBearer()

@app.get("/protected", dependencies=[Depends(jwt_bearer)])
async def protected_route():
    return {"message": "Hello, authenticated user!"}

Token Generation and User Authentication Endpoints

Here’s the heart of our system – the endpoint where users provide their credentials and receive a shiny new JWT token in return.

from fastapi.security import OAuth2PasswordRequestForm

@app.post("/token")
async def login(form_data: OAuth2PasswordRequestForm = Depends()):
    user = authenticate_user(form_data.username, form_data.password)
    if not user:
        raise HTTPException(status_code=401, detail="Incorrect username or password")
    access_token = create_access_token(data={"sub": user["username"]})
    return {"access_token": access_token, "token_type": "bearer"}

Try It Out!

To ensure everything is working smoothly, let’s test the secure API.

1. Get a Token using a POST request:

   curl -X 'POST' \
   'http://localhost:8000/token' \
   -H 'accept: application/json' \
   -H 'Content-Type: application/x-www-form-urlencoded' \
   -d 'grant_type=password&username=user1&password=password1'
   

2. Access the Protected Route using the obtained token:

   curl -X 'GET' \
   'http://localhost:8000/protected' \
   -H 'accept: application/json' \
   -H 'Authorization: Bearer your-obtained-token'
   

Best Practices for Security

Alright, you’re almost a security pro! But here are a few tips to take your API security to the next level:

• Keep Your Secret Key Safe: The secret key is like your application’s lifeline. Store it securely and consider rotating it periodically.
• Hash Passwords Smartly: Always hash passwords before storing them. Algorithms like bcrypt are your best friends here.
• Implement Rate Limiting: Protect your authentication endpoints from brute-force attacks by implementing rate limiting.
• Regular Security Audits: Regularly check for security vulnerabilities and stay up-to-date with the latest security trends.

Implementing these steps ensures your FastAPI application is not just cool but also super secure. JWT-based authentication is the key to making sure your API endpoints only allow access to those who truly belong. Happy coding and stay secure!