Quick no BS FastAPI template, with Google signin that can be used with any frontend (App, Website etc).
Project Structure:
Database
(Everthing is going to be in db folder) Install sqlalchemy for database operations. We will use sqllite. create a file db/database.py and paste below code:
from sqlalchemy import create_engine
from sqlalchemy.orm import sessionmaker
from sqlalchemy.ext.declarative import declarative_base
import logging
logging.basicConfig()
logging.getLogger('sqlalchemy.engine').setLevel(logging.INFO)
URL_DATABASE = "sqlite:///./test.db"
engine = create_engine(URL_DATABASE)
SessionLocal = sessionmaker(autoflush=False, bind=engine)
Base = declarative_base()
# Dependency to get DB session
def get_db():
db = SessionLocal()
try:
yield db
finally:
db.close()
Create db/models.py (for all the tables)
import uuid
from sqlalchemy import Boolean, Column, DateTime, ForeignKey, Integer, String
from sqlalchemy.orm import relationship
from datetime import datetime
from db.database import Base
# User Model
class User(Base):
__tablename__ = "users"
id = Column(String, primary_key=True, default=lambda: str(uuid.uuid4()))
display_name = Column(String, nullable=False)
profile_pic = Column(String, nullable=True)
email = Column(String, unique=True, nullable=False, index=True)
created_at = Column(DateTime, default=datetime.utcnow)
active = Column(Boolean, default=True)
Create db/dto.py (For data transfer objects)
from pydantic import BaseModel
from typing import List, Optional
from datetime import datetime
# Base Models
class UserBase(BaseModel):
display_name: str
profile_pic: Optional[str] = None
email: str
active: bool
# Models for creating resources (input validation)
class UserCreate(UserBase):
pass
class UserRead(UserBase):
id: str
created_at: datetime
class Config:
orm_mode = True # enabling automatic serialization of database objects.
from_attributes=True
Create db/repositories/user_repository.py
from sqlalchemy.orm import Session
from db.model import User
def find_user_by_email(db: Session, email: str) -> User | None:
return db.query(User).filter(User.email == email).first()
def create_user(db: Session, email: str, display_name: str, profile_pic: str = None, active: bool = True) -> User:
new_user = User(email=email, display_name=display_name, active=active, profile_pic=profile_pic)
db.add(new_user)
db.commit()
db.refresh(new_user)
return new_user
Business Logics:
Create services/user_service.py
from db.repositories import user_repository
from sqlalchemy.orm import Session
from db.dto import UserCreate
from db.model import User
from fastapi import Depends
from db.database import get_db
def create_new_user_from_googleauth(user: UserCreate, db: Session) -> User:
existing_user = user_repository.find_user_by_email(db, user.email)
#return the user if already exists
if existing_user is not None:
print("user already exists")
return existing_user
# create new user if does not exists and return it
new_user = user_repository.create_user(db, email=user.email, display_name=user.display_name, active=user.active, profile_pic=user.profile_pic)
return new_user
Create routes/user_router.py
from fastapi import APIRouter, Request, Depends
from db.repositories import user_repository
from sqlalchemy.orm import Session
from db.database import get_db
router = APIRouter()
@router.get("/")
async def hello():
return {"msg": "Hello from User router"}
@router.get("/protected")
async def protected(req: Request):
return {"msg": "Protected route", "user": req.state.user}
@router.get("/me")
async def me(req: Request, db: Session = Depends(get_db)):
user = user_repository.find_user_by_email(db=db, email=req.state.user['email'])
return {"msg": "Success", "data": user}
Authentication
Go to Google Cloud console and get the OAuth client credentials for Web App, add http://localhost:8000/auth/callback/google in redirect URIs and paste them in the .env file as follows along with some other environment variables that we will use:
GOOGLE_CLIENT_ID=<....>
GOOGLE_CLIENT_SECRET=<....>
GOOGLE_REDIRECT_URI=http://localhost:8000/auth/callback/google
ACCESS_TOKEN_EXPIRE_MINUTES=60
JWT_SECRET=my_secret_key_for_whatthepov
ALGORITHM=HS256
In production you have to change the GOOGLE_REDIRECT_URI accordingly.
Create routes/auth_router.py
from fastapi import APIRouter, Depends
from sqlalchemy.orm import Session
from fastapi.security import OAuth2PasswordBearer
import requests
from jose import jwt
from db.database import get_db
from db.repositories import user_repository
from services import user_service
from db.dto import UserCreate
import datetime
from datetime import timedelta
from dotenv import load_dotenv
import os
load_dotenv()
router = APIRouter()
GOOGLE_CLIENT_ID = os.getenv('GOOGLE_CLIENT_ID')
GOOGLE_CLIENT_SECRET = os.getenv('GOOGLE_CLIENT_SECRET')
GOOGLE_REDIRECT_URI = "http://localhost:8000/auth/callback/google"
ACCESS_TOKEN_EXPIRE_MINUTES = 60 * 24 * 30 # 1 month
JWT_SECRET = os.getenv('JWT_SECRET')
@router.get("/login/google")
async def login_google():
return {
"url": f"https://accounts.google.com/o/oauth2/auth?response_type=code&client_id={GOOGLE_CLIENT_ID}&redirect_uri={GOOGLE_REDIRECT_URI}&scope=openid%20profile%20email&access_type=offline"
}
@router.get("/callback/google")
async def auth_google(code: str, db: Session = Depends(get_db)):
print("here")
code = code.split(" ")[1].strip()
print("code", code)
token_url = "https://accounts.google.com/o/oauth2/token"
data = {
"code": code,
"client_id": GOOGLE_CLIENT_ID,
"client_secret": GOOGLE_CLIENT_SECRET,
"redirect_uri": GOOGLE_REDIRECT_URI,
"grant_type": "authorization_code",
}
response = requests.post(token_url, data=data)
access_token = response.json().get("access_token")
user_info = requests.get("https://www.googleapis.com/oauth2/v1/userinfo", headers={"Authorization": f"Bearer {access_token}"})
user_info = dict(user_info.json())
print(user_info)
user = UserCreate(display_name=user_info['name'], active=True, email=user_info['email'], profile_pic=user_info['picture'])
db_user = user_service.create_new_user_from_googleauth(user=user, db=db)
print("user created")
access_token_expiry = datetime.datetime.utcnow() + timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES)
jwt_token = jwt.encode({"sub": db_user.email, "exp": access_token_expiry}, JWT_SECRET, algorithm="HS256")
return {
"success": True,
"token": jwt_token
}
Create middlewares/auth_middleware.py
from fastapi import Depends, HTTPException, status, Request, Response
from jose import JWTError, jwt
from dotenv import load_dotenv
import os
load_dotenv()
JWT_SECRET = os.getenv('JWT_SECRET')
ALGORITHM = os.getenv('ALGORITHM')
async def get_current_user(token: str):
credentials_exception = HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Could not validate credentials",
headers={"WWW-Authenticate": "Bearer"},
)
try:
payload = jwt.decode(token, JWT_SECRET, algorithms=[ALGORITHM])
email: str = payload.get("sub")
if email is None:
raise credentials_exception
token_data = {"email": email}
except JWTError:
raise credentials_exception
return token_data
async def authenticate(request: Request, call_next):
try:
token = request.headers.get("Authorization", None)
if not token:
raise HTTPException(status_code=401, detail="Authorization header is missing")
current_user = await get_current_user(token.split(" ")[-1].strip())
request.state.user = current_user
except HTTPException as e:
return Response(status_code=401)
response = await call_next(request)
return response
Now in main.py
from fastapi import FastAPI, Request
from db.database import engine, Base
from routes import user_router, auth_router
from middlewares.auth_middleware import authenticate
import re
# create tables in database
Base.metadata.create_all(bind=engine)
app = FastAPI()
PROTECTED_ROUTES = [
{'path': r'^/user/protected$', 'method': 'GET'},
{'path': r'^/user/me$', 'method': 'GET'},
]
@app.middleware("http")
async def authenticate_request(request: Request, call_next):
for route in PROTECTED_ROUTES:
if re.match(route['path'], request.url.path) and route['method'] == request.method:
return await authenticate(request, call_next)
return await call_next(request)
# routers
app.include_router(auth_router.router, prefix="/auth", tags=["Auth"])
app.include_router(user_router.router, prefix="/user", tags=['Users'])
@app.get("/")
async def hello():
return {"msg": "Hello From Whatthepov API"}
To make any route protected, use the PROTECTED_ROUTES list.
Flow: User first logs in using the link provided by the route (if logging in from website)
auth/login/google
After successfull login, the authorization token is sent to
auth/callback/google
where it creates a new user if does not exist and then creates a jwt token with the users email and sends it back to frontend to access protected routes. For App frontends, we can login inside the app, get the token and send it to the above route directly (skipping the auth/login/google part).
Every request is intercepted by authenticate_request function in main.py and it checks whether it is protected or not and sends it to auth_middleware.authenticate function where the token is validated and the user email is added to the request object in
request.state.user = { 'email':"...."}
so that all the protected routes knows who is the current user trying to access the route using request.state.user
That's it, similarly you can impliment in Spring boot, django, nodejs etc. Hope it will give you a quick start in your upcoming project in FastAPI.
END