neo-neo-todo/backend/README.md

# Backend Technical Write Up

## Setup

- Install `pdm`
- Install dependencies with `pdm sync`
- Run development backend with `pdm run dev`
- Run tests with `pdm run test`

### Setup for Development

- run `eval $(pdm venv activate in-project)` to activate the virtual env.

## Structure

- Use FastAPI's `router` to organize different API routes
  - `member` route for getting the current member/user
  - `todo` route to create/read/update/delete todos
  - `token` route for authentication (login/logout)
- Separate folder for PostgreSQL migrations: Might need a better migration tool. Right now, `alembic` only works with SQLalchemy.
- Use Pydantic data validation always

## TODO list

- [ ] Setup Docker image and k8s for the API: 3 containers: API, Redis and PostgreSQL.

## Authentication notes

This API uses OAuth2 (an authorization framework) with JWTs as the format for access token.

When a user logs in and is granted an access token by an OAuth 2.0 server, the token is often a JWT. This token can then be sent with requests to access protected resources, and the server can verify the token's authenticity and permissions based on the JWT's contents.

- The flow used was: Password flow but instead of username, we use the user's email instead
- In the Oauth2 spec, the `scope` part is a string of permission(s)

### Sign up flow TODO

### Login flow

- Send a POST request to API route /token
- If username and password are correct, create JWT for user
- User logged in

### Check authentication status

- Send a GET request to API route /members/meo
- If status code is 401: they are not authenticated
- If status code is 200: they are authenticated and we can get the email and email_verified status