User management authentiation
Project description
Basic User Management Project
This package is a ready to use user authentication and autorization managment system, Using FastAPI, PostgreSQL, and AWS Cognito JWT based authentication.
Install Package
pip install ofry-fasatpi-auth-cognito
pip install "git+https://github.com/tech1919/fastapi-auth-cognito.git"
Configure Environment
Configure .env
file:
USERS_DATABASE_URL=postgres://username:password@host:port/database_name
COGNITO_REGION=
COGNITO_POOL_ID=
Add the auth router to the FastAPI app
import:
from auth.router import auth_router
from fastapi import FastAPI
define the app:
app = FastAPI(
title = "API's name"
)
include the auth router:
app.include_router(router = auth_router , prefix="/auth")
This router comes with a built in auth configuration for every route.
Add authentication dependency
import:
from auth.permission import PermissionCheck
add authentication and permission check to a route:
@router.get("/secure",
description="this route is an example for a secure route",
dependencies=[Depends(PermissionCheck(statements=["resource:action"]))],)
async def secure() -> bool:
return { "message" : "You have access" }
another way of adding authentication and permission dependency to a group of routes:
# example
app.include_router(router=users.router , prefix="/users" , dependencies=[Depends(PermissionCheck(statements=["resource:action"]))])
# by adding this dependency, now every route
# expect a JWT that can be authenticaded with the JWKS from AWS Cognito
if a request that was sent to this route, contain in the headers:
{
"Authorization" : "Bearer some.json.webtoken"
}
than, the route will check first if this is an authenticated one comes from the AWS Cognito UserPool, as specified in the relevant environment variable COGNITO_POOL_ID
. in this specific example , the route will also return the jwt cresentials as decoded from the JWT. this variable has this structure:
{
"jwt_token": "the original JWT string",
"header": {
"kid": "NkMpoZmqv4UBEWkN/yCvN/W2rSFnHRswDa6PjiyAUuc=",
"alg": "RS256"
},
"claims": {
"sub": "ec108666-34f7-4224-9ba7-89afe5aa6202",
"cognito:groups": [
"DEVELOPER"
],
"iss": "https://cognito-idp.us-east-2.amazonaws.com/us-east-2_JA8KShbIm",
"version": 2,
"client_id": "7hn1v7k92bq9thva39l0floorm",
"token_use": "access",
"scope": "aws.cognito.signin.user.admin openid profile",
"auth_time": 1671202410,
"exp": 1671206010,
"iat": 1671202410,
"jti": "7e97bdaf-b074-4bc4-931b-cb50d72482ea",
"username": "username string"
},
"signature": "the jwt signature string",
"message": "some string"
}
So there is a lot of information here about the user who sent the request and with which you can later decide what is displayed in the client
Handle Resources
For checking a user's permissions there is a class called PermissionCheck
. This class depend on the authentication method so by adding this as a dependency to a certain route, it automaticly check the JWT authentication and user's permissions.
Every route in the API that depends on this class will be obliged to perform authentication with the JWT sent to it, and then search the database according to the groups that appear in the JWT's payload under cognito:groups
for all the roles associated with this group.
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for ofry-fasatpi-auth-cognito-0.0.4.tar.gz
Algorithm | Hash digest | |
---|---|---|
SHA256 | 5c6d193e078e5ab51c2faa7d2d5b837f45a06dc5146e76fb809977e02abffa23 |
|
MD5 | 9eb9cf945d36a6d5c316d595aa334b72 |
|
BLAKE2b-256 | 0d972bb898b59b77960eade4f83f65663d88ee4ea45dc59b8f885019723abe99 |
Hashes for ofry_fasatpi_auth_cognito-0.0.4-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | e4a78ae193d6652e1adea59afb2ba5cabe3d35f6466176d32e2a6b95de2f4545 |
|
MD5 | d4d99e57b37082d0d7724b0e8c29464c |
|
BLAKE2b-256 | 17910e2620b7499714e963bf42a8e87e6b9e4f641a8a7025a3bac8fd397ebf53 |