Focuses on security, performance, and standard.
FastAPI User Authentication: An open-source Python and FastAPI project for user authentication, designed to handle user authentication system with role-based access control (RBAC), scheduled jobs, device and IP address detection, rate limiting, account lockout, IP blacklisting, refresh token rotation, uses Alembic for database migrations to ensure smooth schema updates and more. It leverages Async SQLAlchemy for asynchronous database operations, allowing for improved performance and scalability in handling multiple concurrent requests.
- User Registration: Allows new users to create an account and verify with 6-digit code via email verification.
- User Authentication: Enables users to log in securely using their credentials.
- Password Reset: Facilitates password recovery and verify with 6-digit code via email verification.
- Device Limitation: Allows users to log in on up to specific number of devices per account (e.g., 5 devices log in on 1 account), removing the oldest device upon exceeding the limit.
- Refresh Token Rotation: Provides secure, rotating access and refresh tokens for session management.
- Role Base Access Control (RBAC): Permissions and access levels within the application
- Rate Limiting: Restricts repeated requests within a defined period to prevent abuse.
- Account Lockout: Temporarily locks user accounts after multiple failed login attempts.
- IP Blacklisting: Blocks requests from specific IPs to enhance security.
- Periodic Cleanup: Schedule background jobs for tasks like cleanup. This keeps the database clean and prevents it from growing uncontrollably.
- Temporary Storage: Store registration data in a temporary location (e.g., a separate database table) until the user verifies their email. Once verified, move the data to the main user table. This keeps the primary user table free from unverified accounts.
- Async SQLAlchemy: for asynchronous database operations, allowing for improved performance and scalability in handling multiple concurrent requests.
-
Clone the Repository:
git clone https://github.com/VannySothea/fastapi-user-authentication.git cd fastapi-user-authentication
-
Install Dependencies: Make sure you have Python installed, then install the required packages:
pip install -r requirements.txt
-
Setup Database: Configure a database (e.g., PostgreSQL) for user authentication data storage. Update your .env file with the database URI.
This authentication module requires Redis for rate limiting, account lockout, and IP blacklisting features. Redis acts as a fast, in-memory database to manage these features efficiently.
To install Redis, follow the instructions for your operating system:
-
macOS:
brew install redis
Then start Redis:
brew services start Redis
-
Linux (Ubuntu/Debian):
sudo apt update sudo apt install redis-server
To start the Redis service:
sudo systemctl start redis sudo systemctl enable redis
-
Windows:
-
Download the latest Redis release for Windows.
-
Extract the downloaded file, then open the extracted folder in Command Prompt.
-
Run Redis with the following command:
redis-server.exe
Or
./redis-server.exe
-
In app/config/role.py
def initialize_roles(session: Session):
print("Generating role")
roles = ["normal_user", "education_user", "business_user", "admin"]
for role_name in roles:
role = session.query(Role).filter_by(role_name=role_name).first()
if not role:
new_role = Role(role_name=role_name)
session.add(new_role)
session.commit()
In app/routes/user.py
auth_router = APIRouter(
prefix="/users",
tags=["Users"],
responses={404: {"description": "Not found"}},
dependencies=[Depends(oauth2_scheme), Depends(get_current_user)]
)
business_router = APIRouter(
prefix="/business",
tags=["Business"],
responses={404: {"description": "Not found"}},
dependencies=[Depends(oauth2_scheme), Depends(get_role_dependency(required_role="business_user"))]
)
admin_router = APIRouter(
prefix="/admin",
tags=["Admin"],
responses={404: {"description": "Not found"}},
dependencies=[Depends(oauth2_scheme), Depends(get_role_dependency(required_role="admin"))]
)
Start the background jobs scheduler
In app/main.py
from app.jobs.scheduler import start_scheduler, shutdown_scheduler
start_scheduler()
@app.on_event("shutdown")
def shutdown_event():
shutdown_scheduler()
You can configure database, email, rate limits, lockout settings, token secret, and other settings via environment variables or by modifying the .env
file format.
Sample .env
File:
APP_NAME=APP_NAME
COMPANY_NAME=COMPANY_NAME
FRONTEND_HOST=http://localhost:3000 #local host for frontend
JWT_ALGORITHM=HS256
ACCESS_TOKEN_EXPIRE_MINUTES=3
REFRESH_TOKEN_EXPIRE_MINUTES=25920 #18 days = 25920 minutes
Note: Change base on your credentials
Sample .env.settings
File:
DATABASE_HOSTNAME=localhost
DATABASE_PORT=5432
DATABASE_USERNAME=postgres
DATABASE_PASSWORD=user
DATABASE_NAME=fastapi_user_authentication
# JWT Secret Key
JWT_SECRET=355fa9f6f9c491417c53b701b26dd97df5825d4abd02957ce3bb1b9658593d9a
# App Secret Key
SECRET_KEY=9a35f82513e1cdf2748afbd4681ff2eda8fc29a46df52cc8c4cdd561c0632400
Note: We highly encourage to use your own customized email address.
Sample .env.mail
File:
MAIL_USERNAME[email protected]
MAIL_PASSWORD=avvx yapu kbko nbzg
MAIL_PORT=587
MAIL_SERVER=smtp.gmail.com
MAIL_STARTTLS=True
MAIL_SSL_TLS=False
MAIL_DEBUG=True
MAIL_FROM[email protected]
MAIL_FROM_NAME=APP_NAME
USE_CREDENTIALS=True
Sample .env.ratelimiting
File:
By using the value below, the cooldown will apply after the operation exceed the limit
- Device: 4 requests in 30 seconds will cooldown for 5 minutes
- IP Address: 10 requests in 30 seconds will cooldown for 10 minutes
OPERATION_PERIOD=30
OPERATION_DEVICE_RATE_LIMIT=4
OPERATION_DEVICE_COOLDOWN=300
OPERATION_IP_RATE_LIMIT=10
OPERATION_IP_COOLDOWN=600
Sample .env.lockout
File:
By using the value below, lockout will apply after the operation exceed the limit
- Device: 5 failed in 3 minutes will lockout for 30 minutes
- IP Address: 15 failed in 3 minutes will lockout for 3 hours
OPERATION_COOLDOWN_PERIOD=180
OPERATION_DEVICE_FAIL_LIMIT=5
OPERATION_DEVICE_LOCKOUT_PERIOD=1800
OPERATION_IP_FAIL_LIMIT=15
OPERATION_IP_LOCKOUT_PERIOD=10800
To manage database schema changes, this project utilizes Alembic. Ensure you have Alembic installed and configured. You can run migrations with the following command:
alembic upgrade head
or
alembic revision --autogenerate -m "Your message here"
This module can be tested and used via Postman. Below is example of how to interact with the user authentication API using Postman.
Endpoint: POST /user
-
URL:
http://localhost:8000/user
-
Headers:
- Content-Type: application/json
- device-id:
your_device_id_here
-
Body (JSON):
{ "user_name": "User Name", "email": "[email protected]" "password": "password", }
To make it easier, you can use the provided Postman collection that includes all the requests for this user authentication module.
-
Download the Postman collection file from the link below:
-
Open Postman and click on "Import" in the top left corner.
-
Choose the downloaded collection file and click "Open."
-
The collection will appear in your Postman app, ready to use.
This application is configured to send emails from a dedicated account: [email protected]
. This account is specifically created for application use and utilizes an app password for secure authentication.
Note: It is perfectly fine to use your own customized email address.
If you use the provided account, you may want to read Email Usage.
For routes that implement rate limiting and lockout, you can make requests to that endpoint multiple times to test the functionality.
- Successful Login: Make repeated requests with valid credentials to trigger rate limiting.
- Failed Login Attempts: Make repeated requests with invalid credentials to trigger lockout and rate limiting.
When using the AsyncIOScheduler in a FastAPI application, special care is needed to avoid duplicate task execution in multi-worker environments. This issue arises because each worker process initializes its own instance of the scheduler, leading to multiple instances running simultaneously.
If you are deploying this project in a multi-worker environment (e.g., using Gunicorn or Uvicorn with multiple workers), be aware that the scheduler may cause duplicate execution of tasks. To address this, consider one of the following approaches:
-
Run the Scheduler as a Dedicated Process: Create a standalone script for the scheduler and run it separately from the main application.
-
Use a Distributed Lock: Implement a distributed lock mechanism (e.g., Redis-based locking) to ensure that only one instance of the scheduler executes tasks.
-
Configure the Scheduler for a Single Worker: Use process management tools to restrict the scheduler to a single-worker process.
Here’s an overview of the project directory structure:
fastapi-user-authentication/
├── .github/ # GitHub templates and settings
├── alembic/ # Database migrations
├── app/ # Main application code
│ ├── config/ # Configuration files (database, email, roles, security)
│ ├── jobs/ # Background tasks and schedulers
│ ├── models/ # Database models
│ ├── responses/ # API response schemas
│ ├── routes/ # API route handlers
│ ├── schemas/ # Pydantic schemas for validation
│ ├── services/ # Service logic (e.g., email, security)
│ ├── templates/ # Email templates
│ ├── utils/ # Utility functions
│ └── main.py # Entry point for starting the FastAPI application
├── env/ # Environment variables
├── .gitignore # Files and directories to be ignored by Git
├── CODE_OF_CONDUCT.md # Project Code of conduct documentation
├── CONTRUBUTING.md # Project contribution information
├── LICENSE # Project license
├── README.md # Project documentation
├── RELEASE_NOTES.md # Project Release notes
├── SECURITY.md # Project security vulnerabilities
├── alembic.ini # Alembic configuration
├── requirements.txt # Python dependencies
└── user_authentication_VannySothea.postman_collection # Postman API collection
Testing is planned for future updates. Contributions are welcome to help us implement a comprehensive testing suite for this project!
If you're interested in contributing, here are some ways you can help:
- Write Unit Tests: Help us create unit tests for existing features.
- Integration Tests: Consider writing integration tests to ensure components work together seamlessly.
- Test Documentation: Assist in documenting the testing process and how to run tests.
Feel free to open an issue or submit a pull request to discuss your contributions!
VannySothea/fastapi-user-authentication
is open source and free to use based on MIT License
and can be used for commercial purposes for free, but please clearly display the copyright information about VannySothea/fastapi-user-authentication in the display interface.
- This project is licensed under the MIT License. See the LICENSE file for details.
Please see SECURITY.md for details on reporting security vulnerabilities.
Please review the CODE_OF_CONDUCT.md file for community guidelines and best practices when contributing.
See RELEASE_NOTES.md for a detailed changelog of the project's versions.
Contributions are welcome! Please read CONTRIBUTING.md for details on how to contribute to this project.
Thanks to the following developers for their contributions to fastapi-user-authentication: