8. Authentication & Authorisation
8.1 Approach: No AWS — FastAPI-Native JWT
We use FastAPI’s built-in security utilities plus standard Python libraries so there is no dependency on AWS (e.g. no Cognito).
8.2 Recommended Stack
| Component | Library | Purpose |
|---|---|---|
| Password hashing | passlib with bcrypt | Hash passwords before storing; verify on login. |
| JWT creation/verification | python-jose[cryptography] or PyJWT | Issue access (and optionally refresh) tokens; verify on each request. |
| FastAPI integration | OAuth2PasswordBearer, Depends() | Token extraction and dependency for “current user”. |
8.3 Installation (Backend)
pip install "python-jose[cryptography]" passlib[bcrypt] python-multipart
# or: PyJWT instead of python-jose if preferred
8.4 Flow (Summary)
- Register: POST `/auth/register` with email, password, role → hash password → store user → return success (or + tokens).
- Login: POST `/auth/login` (or `/token`) with email + password → verify password → return access token (and optionally refresh token).
- Protected routes: client sends `Authorization: Bearer <access_token>`; FastAPI dependency validates JWT and loads user.
- Refresh (optional): POST `/auth/refresh` with refresh token → return new access token.
- Password reset: POST `/auth/forgot-password` → send email with signed link → GET/POST reset page → set new password.
8.5 Security Practices
- Store only hashed passwords (bcrypt).
- Access token: short-lived (e.g. 15–60 minutes).
- Refresh token: longer-lived (e.g. 7 days); store it (or its id) in the DB or an allowlist if you want revocation.
- Serve over HTTPS only in production.
- Keep JWT secret in environment variables; never in code.
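As an added example (not code from this design or from any library in 8.2), the token side of the flow in 8.4 and the lifetimes in 8.5 written against the standard library only, so it runs without python-jose or PyJWT: HS256 issue/verify with the algorithm fixed on the server side, a 15-minute access token, a 7-day refresh token tracked in an allowlist so it can be revoked, and the refresh step. `JWT_SECRET` is an assumed variable name; in the real service `decode` is what the FastAPI dependency behind `OAuth2PasswordBearer` would call, and with python-jose or PyJWT the same pinning is `jwt.decode(token, secret, algorithms=["HS256"])`.

```python
import base64, hashlib, hmac, json, os, time

SECRET = os.environ.get("JWT_SECRET", "dev-only-secret-change-me")  # assumed env var name; 8.5: never in code
ACCESS_TTL, REFRESH_TTL = 15 * 60, 7 * 24 * 3600  # 15 minutes / 7 days, the lifetimes suggested in 8.5
REFRESH_ALLOWLIST = set()  # jti of live refresh tokens; in-memory stand-in for the DB allowlist in 8.5

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode(claims, secret=SECRET):
    """HS256 JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256 of the first two)."""
    header = _b64(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def decode(token, expect_type, secret=SECRET, now=None):
    """Claims if signature (our key, our algorithm; header alg ignored), exp, type and allowlist check out, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):  # constant-time comparison
            return None
        claims = json.loads(_unb64(payload_b64))
    except (ValueError, TypeError):  # wrong segment count, bad base64 or JSON
        return None
    now = time.time() if now is None else now
    if claims.get("type") != expect_type or int(claims.get("exp", 0)) <= now:
        return None  # wrong token kind (refresh presented as access) or expired
    if expect_type == "refresh" and claims.get("jti") not in REFRESH_ALLOWLIST:
        return None  # revoked at logout, or never issued by this server
    return claims

def issue_tokens(user_id, role, now=None):  # login: short-lived access + allowlisted, longer-lived refresh
    now = time.time() if now is None else now
    jti = _b64(os.urandom(16))  # random id; the allowlist stores ids, not whole tokens
    REFRESH_ALLOWLIST.add(jti)
    access = encode({"sub": user_id, "role": role, "type": "access", "exp": int(now + ACCESS_TTL)})
    refresh = encode({"sub": user_id, "role": role, "type": "refresh", "jti": jti, "exp": int(now + REFRESH_TTL)})
    return access, refresh

def refresh_access(refresh_token, now=None):  # POST /auth/refresh: new access token, or None (route answers 401)
    claims = decode(refresh_token, "refresh", now=now)
    if claims is None:
        return None
    now = time.time() if now is None else now
    return encode({"sub": claims["sub"], "role": claims["role"], "type": "access", "exp": int(now + ACCESS_TTL)})
```

Logout (or a suspected leak) is `REFRESH_ALLOWLIST.discard(jti)`: the refresh token then fails `decode` and can no longer mint access tokens, while already-issued access tokens simply age out within 15 minutes.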