feat(api): login and authentication routes

- Remove fastapi-limiter, we will rate limit at load balancer level as
it is too hard to get fastapi-limiter to play nice with pytest.
- Wrote technical writeups on how the login flow and check for user
authentication status work

2024-03-23 14:53:33 -04:00

1.7 KiB

Raw Blame History

Backend Technical Write Up

Setup

Install pdm
Install dependencies with pdm sync
Run development backend with pdm run dev
Run tests with pdm run test

Setup for Development

run eval $(pdm venv activate in-project) to activate the virtual env.

Structure

Use FastAPI's router to organize different API routes
- member route for getting the current member/user
- todo route to create/read/update/delete todos
- token route for authentication (login/logout)
Separate folder for PostgreSQL migrations: Might need a better migration tool. Right now, alembic only works with SQLalchemy.
Use Pydantic data validation always

TODO list

Setup Docker image and k8s for the API: 3 containers: API, Redis and PostgreSQL.

Authentication notes

This API uses OAuth2 (an authorization framework) with JWTs as the format for access token.

When a user logs in and is granted an access token by an OAuth 2.0 server, the token is often a JWT. This token can then be sent with requests to access protected resources, and the server can verify the token's authenticity and permissions based on the JWT's contents.

The flow used was: Password flow but instead of username, we use the user's email instead
In the Oauth2 spec, the scope part is a string of permission(s)

Send a POST request to API route /token
If username and password are correct, create JWT for user
User logged in

Check authentication status

Send a GET request to API route /members/meo
If status code is 401: they are not authenticated
If status code is 200: they are authenticated and we can get the email and email_verified status

1.7 KiB Raw Blame History