Multiverse-of-Projects / NewsAI

A dynamic NewsAI dashboard that uses NLP to analyze news articles, visualize sentiment trends, and extract insights through interactive data visualizations.
https://news-ai-dashboard.streamlit.app/
GNU General Public License v3.0

Implement Authentication (Sign In/Sign Up) using Cookie-based JWTs #47

Open hem210 opened 2 weeks ago

hem210 commented 2 weeks ago

Description
We need to implement a simple cookie-based authentication system for the platform, allowing users to sign up and sign in. We will manage the access token using cookies to maintain session security. This will be done without OAuth or other third-party authentication providers.

Requirements:

  1. JWT Token Management:

    • Use a single JWT access token stored securely in an HTTP-only cookie.
    • The token should contain user information (e.g., user ID) and have an expiration time (e.g., 2-3 days).
  2. Authentication Flow:

    • Sign Up:
      • Endpoint to create a new user and securely hash the password before storing it.
      • Validate input to ensure email format and password strength.
    • Sign In:
      • Endpoint to authenticate users by validating their credentials (email and password).
      • Upon successful login, generate an access token and store it in an HTTP-only cookie.
    • Logout:
      • Endpoint to clear the authentication cookie, effectively logging the user out.
  3. Database Changes:

    • Create a User table in the database to store user information.
    • Ensure unique constraints on the email field to prevent duplicate accounts.
    • Optionally, add an index on the email field for efficient lookups during sign-in.
  4. Cookie Security:

    • Use HTTP-only and Secure flags to prevent client-side access to cookies.
    • Set the SameSite attribute to Lax or Strict to limit cross-site request usage.
    • Set the expiration of the cookie to match the JWT access token expiration.
  5. Security Considerations:

    • Passwords must be hashed securely using a library like bcrypt.
    • Ensure the JWT token is signed and validated correctly using a secret key.
    • Implement token expiration and invalidation.
  6. Error Handling & Logging:

    • Provide appropriate error responses for invalid credentials, expired tokens, and unauthorized access.
    • Log key authentication events like failed login attempts and token issues.

Files to create/change:


Folder Structure to Follow:

src/
├── api/
│   ├── main.py
│   ├── routes/
│   │   └── auth.py
│   ├── models/
│   │   └── user.py
│   ├── schemas/
│   │   └── auth.py
│   ├── dependencies/
│   │   └── auth.py
│   └── core/
│       ├── config.py
│       └── security.py
├── migrations/
│   └── create_users_table.sql

Checklist:


Considerations:

progGabo commented 2 weeks ago

Hi, is this issue still available? I would like to work on it.