101591 Views
79842 Views
45596 Views
44332 Views
40991 Views
33419 Views
Raspberry Pi Time machine
Now Ad-Free
Guiding Light
Sync Files on your Pis, with Syncthing
NextCloud
Buddy Jr.
Introduction to FreeCAD for Beginners
Building a Robot Arm with Raspberry Pi and PCA9685
Building User Authentication for Static Sites with FastAPI
Mastering Pydantic for Robust Data Validation
Mastering Markdown for Documentation with Jekyll
Introduction to Rust
KevsRobots Learning Platform
77% Percent Complete
By Kevin McAleer, 3 Minutes
After implementing registration and login functionalities, the next step is to secure your API endpoints. By requiring a valid JWT token for access, you can ensure that only authenticated users can perform certain actions.
JWT tokens are a secure way to transmit information between parties as a JSON object. In the context of authentication, they are used to verify that the person making a request to your API is indeed who they claim to be.
To secure an endpoint, we’ll use FastAPI’s dependency injection system to create a dependency that extracts and verifies the JWT token from the request headers.
First, we need a function that will extract the token from the request, decode it, and verify its validity.
from fastapi import HTTPException, Depends, Security from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials from jose import jwt, JWTError from sqlalchemy.orm import Session from .database import get_db from . import models security = HTTPBearer() def get_current_user(token: HTTPAuthorizationCredentials = Security(security), db: Session = Depends(get_db)): try: payload = jwt.decode(token.credentials, SECRET_KEY, algorithms=[ALGORITHM]) email: str = payload.get("sub") if email is None: raise HTTPException(status_code=401, detail="Invalid authentication credentials") user = db.query(models.User).filter(models.User.email == email).first() if user is None: raise HTTPException(status_code=401, detail="User not found") return user except JWTError: raise HTTPException(status_code=401, detail="Invalid token")
Now, let’s use our get_current_user dependency to secure an endpoint. This example shows how to create an endpoint that returns user profile information only if the user is authenticated.
get_current_user
@app.get("/users/me/") def read_user_me(current_user: models.User = Depends(get_current_user)): return current_user
It’s important to note that JWT tokens cannot be “revoked” like traditional session tokens since they are stateless. However, you can implement token expiry or use a server-side blacklist for tokens that should no longer be valid.
You’ve learned how to secure API endpoints using JWT tokens, an essential aspect of building secure web applications. This method allows you to control access to your API, ensuring that only authenticated users can access sensitive information or perform certain actions.
Experiment with securing another endpoint in your application, perhaps one that modifies data. Reflect on how the security requirements might differ between read and write operations, and how you can use JWT tokens to enforce these requirements.
< Previous Next >