feat: add auth api

[manoelhc]

General Setup and Security Enhancements

• [X] Ensure HTTPS is enforced for all API communications to secure data in transit. https://github.com/manoelhc/test-actions/pull/61
• [ ] #62
• [ ] #63

User/Password Authentication

• [ ] #64
• [ ] #65
• [ ] Create authentication endpoints:
  • [ ] #66
  • [ ] #67
• [ ] Implement JWT (JSON Web Tokens) for session management:
  • [ ] #68
  • [ ] #69
• [ ] #70

TOTP (Google Authenticator)

• [ ] Add endpoint for enabling TOTP for an account:
  • [ ] #71
• [ ] Add endpoint for TOTP-based login:
  • [ ] #72
• [ ] Integrate a TOTP library to generate secrets and validate codes.

SSO with OAuth2 (Google, Facebook, GitHub)

• [ ] #73
• [ ] Implement OAuth2 flow for each provider:
  • [ ] #74
  • [ ] #75
• [ ] #76

Password Reset/Change

• [ ] Implement password reset functionality:
  • [ ] #77
  • [ ] #78
• [ ] Implement password change for logged-in users:
  • [ ] #79

Testing and Documentation

• [ ] Write unit and integration tests for all new endpoints and logic to ensure reliability and security.
• [ ] Document all new endpoints, including parameters, request/response formats, and error codes.
• [ ] Ensure API documentation is updated and accessible to developers.

Compliance and Security Review

• [ ] Perform a security audit to identify potential vulnerabilities in the authentication flow.
• [ ] Review compliance with relevant data protection regulations (e.g., GDPR, CCPA) concerning user data handling and privacy.

Update API Endpoints with JWT Authentication and RBAC

JWT Authentication Integration

• [ ] Install and Configure JWT Library:

  • [ ] Choose a JWT library compatible with FastAPI and install it.
  • [ ] Configure secret key, algorithm, and token expiration settings for JWT.

• [ ] Modify Authentication Endpoints:

  • [ ] Update /auth/login to issue JWT tokens upon successful authentication.
  • [ ] Implement token refresh mechanism, if necessary, at /auth/token/refresh.

• [ ] Secure API Endpoints:

  • [ ] Add JWT token verification to all existing endpoints. Ensure that requests to protected endpoints include a valid JWT.
  • [ ] Implement dependency injections in FastAPI routes to extract and verify JWT tokens.

Role-Based Access Control (RBAC) Implementation

• [ ] Define Roles and Permissions:

  • [ ] Identify different roles within your application (e.g., Admin, User, Guest).
  • [ ] Define permissions associated with each role (e.g., create user, view user, update user, delete user).

• [ ] Update Database Schema:

  • [ ] Add a roles table to store role definitions.
  • [ ] Add a user_roles join table to associate users with roles.
  • [ ] Modify existing user table or create a new table for storing permissions, if necessary.

• [ ] Update User Management Endpoints:

  • [ ] Modify user creation and update endpoints to handle role assignments.
  • [ ] Ensure role changes are properly authenticated and authorized.

• [ ] Enforce RBAC in API Endpoints:

  • [ ] Implement middleware or dependency functions to check user roles and permissions for each API endpoint.
  • [ ] Secure endpoints based on role permissions (e.g., only Admins can delete users).

Testing and Validation

• [ ] Unit Tests:

  • [ ] Write unit tests for new authentication logic, role management, and permission checks.
  • [ ] Ensure tests cover various scenarios including unauthorized access attempts and role permission enforcement.

• [ ] Integration Tests:

  • [ ] Create integration tests that simulate user flows through the authentication process and accessing protected endpoints with various roles.

Documentation and Deployment

• [ ] Update API Documentation:

  • [ ] Document the new authentication process, including how to obtain and use JWT tokens.
  • [ ] Update endpoint documentation to reflect role-based access control, specifying which roles can access or perform actions on each endpoint.

• [ ] Deploy Changes:

  • [ ] Perform a final security review of the changes.
  • [ ] Deploy the updated API to the staging environment for testing.
  • [ ] After thorough testing, deploy the changes to the production environment.