FastAPI Authentication with JWT (JSON Web Tokens)
Вставка
- Опубліковано 19 сер 2024
- This tutorial will teach you how to create authentication in a FastAPI application using JSON Web Tokens.
Enjoy.
✨ FastAPI Website:
fastapi.tiango...
✨ JWT Website:
jwt.io
✨ Source Code:
github.com/Bek...
🔗 Social Media
--------------------------
Facebook : / bekbrace
Twitter : / bekbrace
Instagram : / bek_brace
DEV profile : ttps://dev.to/bekbrace
GitHub profile : github.com/Bek...
Website : bekbrace.com
Wooo, what a great great Video !!!!!, Excellent I do appreciate it !!!, I've been developing softWare for 40 years ( since I was 14 ), few videos like this one !!, and I've watched lots !!!
Thank you very much for such kind words 🙏🙂
Great tutorial man, no animation or crazy graphics, just intelligent man explaining programming! Hats off to you brother
Thank you very much
you are the FASTAPI king of youtube , man !!
hehe - Thanks for the compliment :)
@@BekBrace the truth ma man
Thanks Bek Brace for great tutorial, it was difficult for me as beginner, but I learned a few things too and will continue to learn fastapi because it's the best
Glad to hear that - thanks for watching
Friday night tutorial! Thank you Bek, great work
Thank you
@@BekBrace please can you make tutorial on FastAPI and machine learning?
@@marcus7387 sure, it’s doable 🙂
Amazing , thanks a lot I was waiting FastAPI, thank you for answering the request, you really deserve more views
Thank you
Wow, you already have an awesome tutorial on FastAPI Authentication. I am waiting for a tutorial on integrating it with Next Js [possible with Next Auth].
There will be :)
@@BekBrace Great! That tutorial will begin my renewed webdev journey with FastAPI and Next Js. Thanks for the efforts 😊
Это отличное видео! Всё чётко и подробно!
Огромное тебе спасибо, друг 🙏
Just subscribed. This helped me a lot. I can't thank you enough.
Love from Bangladesh.
Tha k you my friend, I appreciate your support to the channel
Awesome quality content as always, keep it up Bek ✨
Thanks so much Pawel 🙂 🙏
Amazing Tutorial. Crisp and Clear. Thank you !.
Thank you so much Mohamed - Happy Ramadan to you
@@BekBrace i just tried the same now. No hiccups, very easy to follow. Thanks again mate.
Happy Ramadan to you too.
Hey, Bek have just subscribed your channel for developing & learning software skiils,
I like your teaching skills that there is silent background music with your slowly teaching techniques & explanation + hands-on.
your videos on Django is on of the great Tutorial for me ...!
Thanks man...
Thank you! Stay sharp and good luck to your programming journey, man
Great video on FAST API. Loving it
Thank you so much, David
Thank you man,it was a nice one,really learnt and understood what i was working on
Thank you very much, my friend
great video Bek. Super clear to follow all the steps
Thank you very much, Chris 🙏
thanks! ur explanation is crystal clear!
Thank you very much 🙂
Great course, thank you Bek Brace
Thank You
Hello sir, thank you for great tutorial
can you please show in other video how to show this with a frontend framework instead of showing in postman or fastapi swagger ?
very good explanation, i believe you deserve more views. Regards from Pune, India
Thank you so much Avinash , your words mean a lot really. It’s an awesome idea, I can make a FastAPI Vue tutorial with JWT authentication - just added this to the three months plan for channels vids. Thanks 😊
@@BekBrace Thank you sir for responding. God bless you
keep going ! this was a really clean video !!
Thank you so much Yura !
Really great tutorial man! It helped me a lot. Thanks for the content
Good to hear my friend
Excellent, I enjoyed this video very much!
Thank you very much 🙏☺️ Always glad to receive such feedback 🙏
great video! as mentioned before by other people, the only issue with this, is the authorization at the end... you can simply type any key instead of the generated token, even a single character and it will grant you access to the Post method. How can we make sure the entered token is the same one we generated?
Yes that's the problem the route are not authenticated anyone can access it
Thanks for the tutorial. Sadly all tutorial about JWT and Authorization in general for FastAPI, leave out the part where you use the user-information in later calls.
Like adding the author of the blog-post in this example.
Great turtorial bro , keep it up ❤️❤️
Thank you 🙏
You have Done a Great Job
respect from Pakistan ❤
Thank you very much 🙏😊
Thank you so much for this, you gained a sub
Thank you so much my friend
just one word! Perfect!
Thank you very much
Easy clear and concise
Thank you very much
This is friggin AWESOME
Thank you so much 🙂🙏
Thank you!
You are very welcome 🙂
Thanks man!
Welcome :)
@@BekBrace can fastapi be integrated with another language ?
Thanks man, very helpful
You're very welcome
it is important to mention that on that category the fastest frameworks are around 6x faster than fastapi. But it is indeed fast enough and very fast for python. I have been working in companies migrating their services for fastapi from django and flask mainly
Oh 6x faster 😯 ? Thanks for the information, Johnnie.
interesting
Hi Johnnie, so you mean fastest framework in Java and Go etc. ?
@@erjiaxiao6577 yes... java, go, rust, c++ and even node frameworks are faster. But we are usually bounded by other factors when dealing with rest api backend servers. So that does not really become a decision factor. At least.
@@johnniefujita I see.. I check some benchmark and find that python nowadays could has its position with these contestants. good news for those who like python. thank you for the info!
hey i don't understand the use of Config class in Schemas, can you please explain the benefit of adding Config class in a Schema?
After finishing this video my login route doesnt work. But the signup works and I can POST new blog posts and get all and get one post works. I have a import error "Import jwt could not be resolved". I know this video is one year old but maybe you can assist with that.
I will do my best finding the solution 🙂
great course my friend
Thank you very much my friend
I enjoyed a lot. Thanks
Thank you, Ricardo!
This is super cool, thanks.
Thanks my friend
In the last step, does it give an error if I slightly change the token pasted? Also how can I read data from the token once inside a function?
Thank you so much!!!!
You're welcome 🤗
Great!
Thank you
JWTs have built-in expiration times. Why did you make a custom field? pyJWT will throw an exception for expired token.
I think I was trying to add more logic, but you’re right it would’ve been better to keep it simple and leave it to pyjwt to handle it 😁
Nice tutorial. There's one thing I didn't get: on def user_signup(user: UserSchema = Body(default=None)): - I tried it without the Boy default value, and it worked just the same. What's the use of the Body default value there?
Thanks in advance
Hey Yair thanks for your comment.
You can delete the default if you want to keep it simple with no extra arguments, that’s why you’ll have the same result; however if the userschema body is set to be a different default value, it will behave differently. I just put it to be visually clear if anyone wants to change the default value.
@@BekBrace so this helps me to set the default behavior, if no json is sent. Got it.
It’s doesn't work. It's getting access to post with random symbols instead token.
It should work, this is odd. Do you have an error message ?
Even if i post the wrong acces token in authorize , it still allows me to post.. what's wrong?
I had same issue and turns out we forgot to add verify_jwt in jwt_bearer file. Simply add an if statement below if not credentials statement.
Just check if not self.verify_jwt with credentials.credentials.
what is the differences between JWT, JOT and access token ?
I will wait for the answers pls. Thanks!
Hello my friend.
Sure.
JWT (JSON Web Token) and JOT (JSON Object Token) are both types of access tokens used for authorization and authentication, while access token is a more general term used for any token that grants access to a protected resource.
Great video! Thanks
I'm glad 🙂
Thanks. I have the 403 error at the last stage to test the JWT bearer. Can I see the source code somewhere?
Hi Kirby, thanks for commenting
Yes, I've added it in the description.
Here's the link: github.com/BekBrace/FASTAPI-and-JWT-Authentication
why you need to add Body(default = None) line 66 in 39:55 ? whats the purpose of that ?
Really nothing more than showing how a standard template. You can omit it and it will still work.
can you kindly cover refresh token and token blacklisting in another video?
Sure 😊
I found how to verify the correct token within this code
Thanks a lot! very helpfull, BUT, if I try this on postman, no matter what string I put on Authorization it will bypass security and let me post... I also added the retraint to be a token bearer to even list the penguins, tigers and stuff and it let me through
I am aware of the issue, once i have the time i will check out deeper and write the solution in the description - thanks for the heads-up though
thank you , follower
thank you for watching
how would u get user_id from the jwt in the controller?
Can you make video on different authentication for both user and admin, Where user authorized can only use [GET] method, while admin authorized can use all the method [crud] ?
Sure
Hi Bek, thanks fr ur lesson. very interesting and a very good speak! But i have an problem and can't find it. If i tried to enter the post with Dependencies, i get alwyas an Error: jwt_bearer.py", line 17, in __call__
raise credentials.credentials
TypeError: exceptions must derive from BaseException
What dependencies are you trying to post with ?
You miss this code in jwtBearer Class :
async def __call__(self, request: Request):
[...]
if credentials:
[....]
if not self.verify_jwt(credentials.credentials):
raise HTTPException(status_code=403, detail="Message here !")
return credentials.credentials
else:
raise HTTPException(status_code=403,detail="Message here !")
Cheers
Great video!
Say, why do you set Schema = Body() in some functions, what's that for?
For standardization purposes nothing more
How does the server tell client side that a user is logged in?
I have yet to see any tutorials about actual atheoriaztion and permissions in fastapi
You're welcome
How do You placed sample data "Tiger, Koala, etc. " , Is this a special addon for that functionality ?
But it's clear how i did it in the tutorial
Hello Sir, I got this error can u provide solution for this ----->JWT_SECRET = config("secret"), raise UndefinedValueError('{} not found. Declare it as envvar or define a default value.'.format(option))
decouple.UndefinedValueError: secret not found. Declare it as envvar or define a default value.
Ok, maybe you can download the source code and check out what went wrong? This way you will teach yourself while taking notes ☺️
I followed the tutorial but whenever I try to post data I get an error that token is invalid has anyone faced the same issue??
Very nice 👍 thanks for the good job
Thanks 🙏
What about authorization, please? Also how do you propagate the authentication and authorization to backend microservices?
How does fastAPI know to call the verify_jwt function on the handler? Is that some special baked in logic?
Exactly that
Thanks
Thank you!
Can anyone help me out.
I have one doubt suppose you have 2 users (student and admin)how to use the generated token during login, only for the student specified tag user I logged in and it's methods and that token should not be able to be used by the admin methods,
To perform operations on admin again we need to create token for that.
Hey!
You can try to implement role-based access control (RBAC) in your authentication and authorization system for the student and the admin, each of which will have separate tokens and permissions.
HI Bek Brace, this is an excellent tutorial. I am very new in using JWT authentication. Just want to know if there are any token refresh mechanism in pyjwt package? Or any other recommendation on the token refresh ? Thanks in advance!
Hey 😊👋 thanks for your comment
I'm pretty sure there are, I'm gonna check that and be back to you with an answer to your question
Thank you for your help! I will also study for it.
Hi Bek!
I am looking for "API KEYS"
You know, a key I can provide to customers to they communicate to the backend.
I need API keys to deduct credits from their account.
Is that the same API KEYS I am looking for? Where I just have to remove the Expiration?
I watch a video that API keys can be sniffed.. so I wonder if this is the same API key i am looking to implement
I'll look into this and get back to you
Tried multiple times but finally got the error: { "detail": "Invalid token or expired token." }
Oh sorry to hear that, but I can advise you to make sure that your JWT token you are using for authentication is valid and has not expired, make sure to generate a new token if the existing one has expired.
Thanks for the video. Is the code available anywhere? I could not get the token on user signup and not sure why. Would like to compare my code. Thanks!
Hey Jasen, thanks for commenting.
Yes, I've added the source code in the description.
Here's the link: github.com/BekBrace/FASTAPI-and-JWT-Authentication
Man can you give me your keyborad's name and great video
Thank you my friend.
Keyboard's name is Genesis Thor 300
hi bek,if i want to update user information using PUT method of a specific user,how can i use the token that was generated in login and user the same token in PUT method to represent that same user and update only the details of that specific user
Hey, thank you for this question :)
Actually, you can update user information using the PUT method for a specific user by the following:
1- Token-Based Authentication: Set up token-based authentication in your FastAPI application. When a user logs in successfully, generate a JWT token and return it to the client. The client should store this token securely.
2- Protect Routes: Protect the routes or endpoints that require authentication and user information updates. Only authenticated users with valid JWT tokens should be able to access these routes.
3- Client-Side: When making a PUT request to update user information, include the JWT token in the request header as an "Authorization" header with the "Bearer" prefix:
Authorization: Bearer
As far as thee Server-Side (FastAPI), you need to:
1- Authenticate the user: Verify that the provided JWT token is valid and decode it to extract the user's identity (usually the user's ID).
2- Authorize the update: Ensure that the user making the request has the necessary permissions to update the user information. Typically, users can only update their own information, so you should check if the user ID extracted from the token matches the user being updated.
3- Update the user information: If authentication and authorization checks pass, proceed to update the user's information in your database based on the data provided in the PUT request.
The api works even though it is not an issued token. I do not know the reason. why...??
It should work for reading [Get] verb, but not for writing [POST] - is that the case ?
@@BekBrace Both [post] and [get] are the same case.
It's a great tutorial, but... HOUSTON WE HAVE A PROBLEM =(( : when I added dependencies=[Depends(jwtBearer())]...
In my console I can read this error: TypeError: HTTPBearer.__init__() got an unexpected keyword argument 'auto_Error'... Could you help me please? Thanks a lot
Hey Gomez 👋 I’ll check it out and will be back to you with an answer to this issue
@@BekBrace thanks a lot my dear friend, you're the Best!!!
@@BekBrace write is small, auto_error = auto_Error
Sir How To Add Current User With Post as well like post : 1, title: snakes, text: they are cool, author: current_user
thanks alot 🌹🌹
You're welcome 😊
Thank you for the tutorial it was very good. What about put and delete requests ? Thank you
Thanks Jean
The same as we post, follow the same rules , and as for creating the routes you can check out my FastAPI course, you’ll find your answer there
@21.24 how come you are getting I'd 4 and 5 if you are posting Id 0?
Great question. The id 0 in the curl link doesn't necessarily mean the actual id number of the item added, it starts at 0 and increments based on previously added items, in this case as explained I've added cats twice, that's why the GET request showed it twice at I'd 4 and 5.
Can you help integrate this into a frontend framework like Svelte?
Don't have much experience with Svelte, sorry
How will I implement the register with a confirm password?
With a very simple conditional to check if the pass entered 2nd time == 1st time, then continue; else raiseerror (not identical password ) - that’s the main idea, I’m sure you can search for the syntax
@@BekBrace Ohhhhh I thought you're gonna have to create like a new schema/model with the confirmationPassword as its field. Thank youuuuu!
Can you do a video on the FastAPI Users package with Google Auth? I think having OAuth2 authentication is something people are really after because of its ease of use.
Yes, i will do that with oauth2 soon
@@BekBrace Awesome! Will be looking out for it.
Hello sir, thanks for great tutorial. I would like to ask you about jwtBearer Process. I applied your code in another project but the problem is which value I entered to jwtBearer is not important to authorize the endpoint. I would like to secure my public endpoint with verify_token. Also I created /login endpoint and after a username and password process for authenticate I can get access_token. As I mentioned in above, I would like to use this access_token to authorize in different public endpoints. Would you help me about it?
Sure i can help. you can use this access_token for auth in different public endpoints. How do you want to start?
I would like asking about I can secure with token the endpoints ok but the problem is instead of access_token with any value which I enter the authentication point I can authorize the endpoint. Normally I think I have to give an acces_token which I get from the login endpoint, after that I can be authorised the post method which is secured with token. So I confused about that how I could secure with only access_token not any value. Also I looked into source code of you shared, when I apply it to my project. I cannot authorize with access_token and any value
@@dogaada6619 simply add new field key value like role: admin, and a condition if its admin then allow.
Hi @BekBrace, I use this tutorial, but I can enter any string in the authorize window in FastAPI docs and it will accept it as a valid authentication. there must be an error somewhere in the video, could you please verify it
Ok
@@BekBrace Thank you, I copied it excatly, but I can enter any string, into the authorization window, even if it is not a JWT token, and I have access to all the protected routes
Pls how do we identify the authenticated user??
what do you mean by "identify" ?
@@BekBrace Like how do you get the authenticated users credenttials from the secured routes.
👏 👏 👏 👏 👏 👏
Thank you :)
can you help me doc about authen with social media
What’s happening ?
Link to github doesn't work
It is working fine
Strange. Now it works
37:46
?
Ok .. what ?
@@BekBrace sorry i should have added a ignore message.. these are just timestamps for my use
i wish it was more deep
It's as deep as it gets 😉
I just have two questions like why are we putting
1) why are we doing this decoded_token["expiry"] >= time.time()
2)Why are we returning the tokens via signJWT() method two times one time via signup and the other time via signup, can you explain that to me
Thanks for your questions, my friend.
Answering your questions:
1- The decodeJWT function takes the token and decodes it with the aid of the jwt module and then stores it in a decoded_token variable. So what we want is to return decoded_token if the expiry time is valid which is exactly the answer to your question, otherwise, we return None.
2- In signup, I returned signJWT only once not twice :
@app.post("/user/signup", tags=["user"])
async def create_user(user: UserSchema = Body(...)):
users.append(user)
return signJWT(user.email)
Thanks
Thank You