Hey everyone! I'm 14 years old and I've just created my first authentication system using Python with FastAPI, SQLAlchemy, and PostgreSQL for the database. It's a basic auth system where users log in at the /login endpoint by entering their email and password. If the credentials match an entry in the database's User table, a random UUID is generated and stored along with the user's email in a sessions_store table. This UUID acts as a session token, and it's returned to the user with a success status. The session is set to expire after 24 hours. When the user attempts to access a protected API, they send the token in the request header as Authorization: Bearer {token}. I'd really appreciate any feedback or suggestions!
5 Answers
You're on the right track with stateful token auth! To enhance security, consider tracking the status of tokens to mark them as active or revoked when a user logs out. Instead of UUIDs, you could use a secure random string, and don't forget to hash any tokens before storing them to protect against potential leaks.
This is impressive for a 14-year-old! Nice work! One suggestion is to look into using JWT tokens for authorization. Also, be cautious with accounts whose email address is unverified, as it's easy for someone to create fake accounts without verification. It can be tricky, but implementing an email verification system would improve the security of your app.
Totally get you! Email verification is crucial to prevent spam accounts.
Make sure your HTTP communication is secure. Are you relying on HTTPS alone to protect against attacks? There’s a lot to consider when it comes to security for your system.
I’m not entirely sure about that. Can you give me some tips on how to make it more secure?
Awesome job on your tech choices! I recommend using JWT tokens for the session management between your client and API. And remember not to store sensitive information in the token. Consider using a decorator for your authenticated endpoints; it helps keep track of which endpoints require login.
Great tip! Using decorators would definitely simplify the code for checking authentication.
Just a quick note, please ensure you're hashing passwords before storing them in the database. I was worried when I read that. It's good to hear you already use bcrypt for that!
Absolutely! I’ve got that covered; I just save the password hash.

That makes sense! Hashing the tokens adds another layer of security.