Is Your FastAPI Secure Enough to Handle Modern Authentication?

python

Is Your FastAPI Secure Enough to Handle Modern Authentication?

Layering Multiple Authentication Methods for FastAPI's Security Superiority

Nov 7, 2023

Is Your FastAPI Secure Enough to Handle Modern Authentication?

When diving into the world of APIs, one thing you can’t skimp on is security. FastAPI, famous for its speed and ease of use, also comes loaded with tools to handle API security. From OAuth and API keys to JWT (JSON Web Tokens), FastAPI can manage them all. Let’s get into how you can make your FastAPI application secure with these various authentication methods.

Starting off with API keys, they’re a tried-and-true method for authenticating requests. In FastAPI, you can use API keys in a pretty simple way—whether it’s passing them through headers, query parameters, or even cookies. Here’s a quick run-through on using them in headers.

from fastapi import FastAPI, HTTPException, Security
from fastapi.security.api_key import APIKeyHeader

app = FastAPI()

api_key_header = APIKeyHeader(name="Authorization", auto_error=False)

async def get_api_key(api_key_header: str = Security(api_key_header)):
    if api_key_header == "your_secret_api_key":
        return True
    else:
        raise HTTPException(status_code=403, detail="Could not validate credentials")

@app.get("/protected")
async def protected_route(api_key: bool = Depends(get_api_key)):
    return {"message": "Hello, authenticated user!"}

In this snippet, a function called get_api_key checks if the given API key matches the one you’re looking for. If it does, it lets the request go through; if not, an HTTP exception gets thrown.

Then there’s JWT, another hot method for authentication. JWT tokens come with a payload that you can verify and trust. FastAPI makes it easy to work with JWTs, providing the capabilities to authenticate users with these tokens.

from fastapi import FastAPI, HTTPException, Depends
from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
from jose import jwt, JWTError
from pydantic import BaseModel

app = FastAPI()

class JWTBearer(HTTPBearer):
    def __init__(self, auto_error: bool = True):
        super(JWTBearer, self).__init__(auto_error=auto_error)

    async def __call__(self, request: Request):
        credentials: HTTPAuthorizationCredentials = await super(JWTBearer, self).__call__(request)
        if credentials:
            if not credentials.scheme == "Bearer":
                raise HTTPException(status_code=403, detail="Invalid authentication scheme.")
            if not self.verify_jwt(credentials.credentials):
                raise HTTPException(status_code=403, detail="Invalid token or expired token.")
            return credentials.credentials
        else:
            raise HTTPException(status_code=403, detail="Invalid authorization code.")

    def verify_jwt(self, jwtoken: str) -> bool:
        try:
            payload = jwt.decode(jwtoken, "your_secret_key", algorithms=["HS256"])
        except JWTError:
            payload = None
        return payload is not None

jwt_bearer = JWTBearer()

@app.get("/protected")
async def protected_route(token: str = Depends(jwt_bearer)):
    return {"message": "Hello, authenticated user!"}

This code extends FastAPI’s HTTPBearer class to verify JWT tokens. The verify_jwt function decodes the token and validates it.

There might be times when you need to support multiple types of authentication for the same endpoint—for instance, checking for an API key first, and if that fails, then checking a JWT token. Here’s how you can do it:

from fastapi import FastAPI, HTTPException, Depends, Security
from fastapi.security.api_key import APIKeyHeader
from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
from jose import jwt, JWTError

app = FastAPI()

api_key_header = APIKeyHeader(name="Authorization", auto_error=False)

class JWTBearer(HTTPBearer):
    def __init__(self, auto_error: bool = True):
        super(JWTBearer, self).__init__(auto_error=auto_error)

    async def __call__(self, request: Request):
        credentials: HTTPAuthorizationCredentials = await super(JWTBearer, self).__call__(request)
        if credentials:
            if not credentials.scheme == "Bearer":
                raise HTTPException(status_code=403, detail="Invalid authentication scheme.")
            if not self.verify_jwt(credentials.credentials):
                raise HTTPException(status_code=403, detail="Invalid token or expired token.")
            return credentials.credentials
        else:
            raise HTTPException(status_code=403, detail="Invalid authorization code.")

    def verify_jwt(self, jwtoken: str) -> bool:
        try:
            payload = jwt.decode(jwtoken, "your_secret_key", algorithms=["HS256"])
        except JWTError:
            payload = None
        return payload is not None

jwt_bearer = JWTBearer()

async def get_api_key(api_key_header: str = Security(api_key_header)):
    if api_key_header == "your_secret_api_key":
        return True
    else:
        return False

async def authenticate_request(request: Request):
    api_key_present = await get_api_key(api_key_header=request.headers.get("Authorization"))
    if api_key_present:
        return True
    else:
        credentials: HTTPAuthorizationCredentials = await jwt_bearer.__call__(request)
        if credentials:
            return True
        else:
            raise HTTPException(status_code=403, detail="Could not validate credentials")

@app.get("/protected")
async def protected_route(authenticated: bool = Depends(authenticate_request)):
    return {"message": "Hello, authenticated user!"}

In this example, authenticate_request first tries to find an API key. If it doesn’t, it checks for a JWT token. If either is valid, access is granted.

For an even more powerful option, there’s OAuth2. This method allows third-party apps limited access to user resources without sharing credentials. Here’s a basic example of how to set it up in FastAPI:

from fastapi import FastAPI, Depends, HTTPException
from fastapi.security import OAuth2PasswordBearer, OAuth2

app = FastAPI()

oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token")

@app.get("/protected")
async def protected_route(token: str = Depends(oauth2_scheme)):
    return {"message": "Hello, authenticated user!"}

@app.post("/token")
async def login(username: str, password: str):
    # Here you would typically check the username and password against a database
    # For simplicity, we'll just return a token
    return {"access_token": "your_token", "token_type": "bearer"}

Using the OAuth2PasswordBearer class, users can authenticate with tokens. The login endpoint generates an access token that can be used to access protected routes.

FastAPI also shines by automatically integrating your security measures into OpenAPI documentation. This makes it possible for users to see and interact with the security schemes right in the docs UI.

from fastapi import FastAPI, Depends, HTTPException
from fastapi.security.api_key import APIKeyHeader
from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials, OAuth2

app = FastAPI()

api_key_header = APIKeyHeader(name="Authorization", auto_error=False)

class JWTBearer(HTTPBearer):
    def __init__(self, auto_error: bool = True):
        super(JWTBearer, self).__init__(auto_error=auto_error)

    async def __call__(self, request: Request):
        # Implementation as before

jwt_bearer = JWTBearer()

oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token")

@app.get("/protected")
async def protected_route(
    api_key: bool = Depends(get_api_key),
    token: str = Depends(jwt_bearer),
    oauth_token: str = Depends(oauth2_scheme)
):
    return {"message": "Hello, authenticated user!"}

app.security = [
    {"api_key": []},
    {"jwt": []},
    {"oauth2": []}
]

By specifying different security schemes, you make them visible and usable in OpenAPI documentation tools like Swagger UI or Redoc.

When it’s all said and done, handling multiple authentication methods in FastAPI is both powerful and straightforward. The framework’s built-in security tools and dependency injection system allow you to implement and mix various methods like API keys, JWT, and OAuth2 easily. This flexibility ensures that your API can serve different use cases and user preferences without compromising on security or documentation. Whether building a straightforward API or a massive enterprise application, FastAPI’s security features have got you covered.