|
1 | 1 | # FastAPI User Authentication |
2 | | -<h2 align="center"> |
3 | | - FastAPI User Authentication |
4 | | -</h2><p align="center"><em>Focuses on security and standardize code for the user authentication part.<em></p> |
5 | | -<p align="center"> |
6 | | - <a href="https://github.com/microsoftarchive/redis/releases" target="_blank">Redis</a> |
7 | | -</p> |
| 2 | +<p><em>Python and FastAPI for User Authentication module focuses on security and standard.</em></p> |
| 3 | + |
| 4 | +An open-source user authentication module for applications built with Python and FastAPI, designed to handle user registration, email verification, authentication, reset password, device detection, rate limiting, account lockout, IP blacklisting, and refresh token rotation. |
| 5 | + |
| 6 | +## Features |
| 7 | +- **User Registration**: Allows new users to create an account and verify with 6-digit code via email verification. |
| 8 | +- **User Authentication**: Enables users to log in securely using their credentials. |
| 9 | +- **Password Reset**: Facilitates password recovery and verify with 6-digit code via email verification. |
| 10 | +- **Device Limitation**: Allows users to log in on up to 5 devices per account, removing the oldest device upon exceeding the limit. |
| 11 | +- **Rate Limiting**: Restricts repeated requests within a defined period to prevent abuse. |
| 12 | +- **Account Lockout**: Temporarily locks user accounts after multiple failed login attempts. |
| 13 | +- **IP Blacklisting**: Blocks requests from specific IPs to enhance security. |
| 14 | +- **Refresh Token Rotation**: Provides secure, rotating access and refresh tokens for session management. |
| 15 | + |
| 16 | + |
| 17 | + |
| 18 | +## Table of Contents |
| 19 | +1. [Installation](#installation) |
| 20 | +2. [Configuration](#configuration) |
| 21 | +3. [Usage](#usage) |
| 22 | +4. [Project Structure](#project-structure) |
| 23 | +5. [Testing](#testing) |
| 24 | +6. [Contributing](#contributing) |
| 25 | +7. [License](#license) |
| 26 | + |
| 27 | +## Installation |
| 28 | +1. **Clone the Repository**: |
| 29 | + ```bash |
| 30 | + git clone https://github.com/VannySothea/fastapi-user-authentication.git |
| 31 | + cd fastapi-user-authentication |
| 32 | + ``` |
| 33 | +2. **Install Dependencies**: Make sure you have Python installed, then install required packages: |
| 34 | + ```bash |
| 35 | + pip install -r requirements.txt |
| 36 | + ``` |
| 37 | +3. **Setup Database**: Configure a database (e.g., PostgreSQL) for user authentication data storage. Update your .env file with the database URI. |
| 38 | + |
| 39 | +### Redis Setup |
| 40 | +This authentication module requires Redis for rate limiting, account lockout, and IP blacklisting features. Redis acts as a fast, in-memory database to manage these features efficiently. |
| 41 | + |
| 42 | +#### Installation Instructions |
| 43 | +To install Redis, follow the instructions for your operating system: |
| 44 | + |
| 45 | +- **macOS**: |
| 46 | + ```bash |
| 47 | + brew install redis |
| 48 | + ``` |
| 49 | + Then start Redis: |
| 50 | + ```bash |
| 51 | + brew services start redis |
| 52 | + ``` |
| 53 | + |
| 54 | +- **Linux** (Ubuntu/Debian): |
| 55 | + ```bash |
| 56 | + sudo apt update |
| 57 | + sudo apt install redis-server |
| 58 | + ``` |
| 59 | + To start the Redis service: |
| 60 | + ```bash |
| 61 | + sudo systemctl start redis |
| 62 | + sudo systemctl enable redis |
| 63 | + ``` |
| 64 | + |
| 65 | +- **Windows**: |
| 66 | + 1. Download the latest <a href="https://github.com/microsoftarchive/redis/releases" target="_blank">Redis release for Windows</a>. |
| 67 | + 2. Extract the downloaded file, then open the extracted folder in Command Prompt. |
| 68 | + 3. Run Redis with the following command: |
| 69 | + ```bash |
| 70 | + redis-server.exe |
| 71 | + ``` |
| 72 | + Or |
| 73 | + ```bash |
| 74 | + ./redis-server.exe |
| 75 | + ``` |
| 76 | + |
| 77 | +## Configuration |
| 78 | +You can configure database, email, rate limits, lockout settings, token secret, and other settings via environment variables or by modifying the `.env` file format. |
| 79 | + |
| 80 | +**Sample `.env` File**: |
| 81 | +```ini |
| 82 | +APP_NAME=APP_NAME |
| 83 | +COMPANY_NAME=COMPANY_NAME |
| 84 | +
|
| 85 | +FRONTEND_HOST=http://localhost:3000 #local host for frontend |
| 86 | +
|
| 87 | +JWT_ALGORITHM=HS256 |
| 88 | +ACCESS_TOKEN_EXPIRE_MINUTES=3 |
| 89 | +REFRESH_TOKEN_EXPIRE_MINUTES=25920 #18 days = 25920 minutes |
| 90 | +``` |
| 91 | + |
| 92 | +**Sample `.env.mail` File**: |
| 93 | +```ini |
| 94 | + |
| 95 | +MAIL_PASSWORD=REPLACE_THIS_WITH_YOUR_EMAIL_PASSWORD |
| 96 | +MAIL_PORT=EMAIL_PORT |
| 97 | +MAIL_SERVER=YOUR_EMAIL_SERVER |
| 98 | +MAIL_STARTTLS=True |
| 99 | +MAIL_SSL_TLS=False |
| 100 | +MAIL_DEBUG=True |
| 101 | + |
| 102 | +MAIL_FROM_NAME=APP_NAME |
| 103 | +USE_CREDENTIALS=True |
| 104 | +``` |
| 105 | + |
| 106 | +**Sample `.env.settings` File**: |
| 107 | +```ini |
| 108 | +DATABASE_HOSTNAME=localhost |
| 109 | +DATABASE_PORT=5432 |
| 110 | +DATABASE_USERNAME=postgres |
| 111 | +DATABASE_PASSWORD=YOUR_DATABASE_PASSWORD |
| 112 | +DATABASE_NAME=YOUR_DATABASE_NAME |
| 113 | +
|
| 114 | +# JWT Secret Key |
| 115 | +JWT_SECRET=355fa9f6f9c491417c53b701b26dd97df5825d4abd02957ce3bb1b9658593d9a |
| 116 | +
|
| 117 | +# App Secret Key |
| 118 | +SECRET_KEY=9a35f82513e1cdf2748afbd4681ff2eda8fc29a46df52cc8c4cdd561c0632400 |
| 119 | +``` |
| 120 | + |
| 121 | +**Sample `.env.lockout` File**: |
| 122 | +By using the value below, lockout will apply after the operation reach |
| 123 | +- Device: 5 failed in 3 minutes will lockout for 30 minutes |
| 124 | +- IP Address: 15 failed in 3 minutes will lockout for 3 hours |
| 125 | +```ini |
| 126 | +OPERATION_COOLDOWN_PERIOD=180 |
| 127 | +OPERATION_DEVICE_FAIL_LIMIT=5 |
| 128 | +OPERATION_DEVICE_LOCKOUT_PERIOD=1800 |
| 129 | +OPERATION_IP_FAIL_LIMIT=15 |
| 130 | +OPERATION_IP_LOCKOUT_PERIOD=10800 |
| 131 | +``` |
| 132 | + |
| 133 | +**Sample `.env.ratelimiting` File**: |
| 134 | +By using the value below, rate limit will apply after the operation reach |
| 135 | +- Device: 4 requests in 30 seconds will cooldown for 5 minutes |
| 136 | +- IP Address: 10 requests in 30 seconds will cooldown for 10 minutes |
| 137 | +```ini |
| 138 | +OPERATION_PERIOD=30 |
| 139 | +OPERATION_DEVICE_RATE_LIMIT=4 |
| 140 | +OPERATION_DEVICE_COOLDOWN=300 |
| 141 | +OPERATION_IP_RATE_LIMIT=10 |
| 142 | +OPERATION_IP_COOLDOWN=600 |
| 143 | +``` |
| 144 | + |
| 145 | +## Usage |
| 146 | +This module can be tested and used via Postman. Below is example of how to interact with the user authentication API using Postman. |
| 147 | + |
| 148 | +### Register a User |
| 149 | +**Endpoint**: `POST /user` |
| 150 | + |
| 151 | +- **URL**: `http://localhost:8000/user` |
| 152 | +- **Headers**: |
| 153 | + - Content-Type: application/json |
| 154 | + - device-id: `your_device_id_here` |
| 155 | +- **Body** (JSON): |
| 156 | + ```json |
| 157 | + { |
| 158 | + "user_name": "User Name", |
| 159 | + |
| 160 | + "password": "password", |
| 161 | + } |
| 162 | + ``` |
| 163 | + |
| 164 | + |
| 165 | + |
| 166 | +### Check Rate Limit and Account Lockout |
| 167 | +For routes that implement rate limiting and lockout, you can make requests to that endpoint multiple times to test the functionality. |
| 168 | + |
| 169 | +1. **Successful Login**: Make repeated requests with valid credentials to trigger rate limiting. |
| 170 | +2. **Failed Login Attempts**: Make repeated requests with invalid credentials to trigger lockout and rate limiting. |
0 commit comments