Bidda ka aiwatar da authentication (OAuth2/JWT)?

Question

Accepted Answer

FastAPI ya bayar da kayan aiki masu tsari (`OAuth2PasswordBearer`, security utilities) don aiwatar da authentication, wanda yawanci ake amfani da shi tare da **OAuth2 password flow tare da JWT tokens**. Tsarin ya haɗa tokenization (login) tare da dogaro wanda ya sallanta token a kan hanyoyi masu kariya.

## Sana'ar passwords da fitar JWT a lokacin login

```python
from passlib.context import CryptContext
from jose import jwt
from datetime import datetime, timedelta

pwd = CryptContext(schemes=["bcrypt"])    # secure password hashing

@app.post("/login")
def login(form: OAuth2PasswordRequestForm = Depends()):
    user = get_user(form.username)
    if not user or not pwd.verify(form.password, user.hashed_password):  # constant-time check
        raise HTTPException(401, "Invalid credentials")
    # issue a signed JWT containing the user identity + expiry
    token = jwt.encode(
        {"sub": user.username, "exp": datetime.utcnow() + timedelta(minutes=30)},
        SECRET_KEY, algorithm="HS256",
    )
    return {"access_token": token, "token_type": "bearer"}
```

Passwords suna **hashed** (bcrypt) — koda ba a ajiye su a sifili ba. Idan login ya zama daidai, an fitar da **JWT**: token da aka sassaura wanda yake daukar nuwancin ma'aikaci da jagora.

## Sallanta token a kan hanyoyi masu kariya (dogaro)

```python
from fastapi.security import OAuth2PasswordBearer

oauth2_scheme = OAuth2PasswordBearer(tokenUrl="login")   # extracts the Bearer token

def get_current_user(token: str = Depends(oauth2_scheme)):
    try:
        payload = jwt.decode(token, SECRET_KEY, algorithms=["HS256"])   # verify signature + expiry
        username = payload.get("sub")
    except JWTError:
        raise HTTPException(401, "Invalid token")
    user = get_user(username)
    if not user:
        raise HTTPException(401, "User not found")
    return user

@app.get("/me")
def read_me(user: User = Depends(get_current_user)):     # PROTECTED — requires a valid token
    return user
```

`get_current_user` dogaro ya cire kuma ya **sallanta** JWT (signature + jagora), ya loda ma'aikaci, kuma an jera shi cikin gadaka masu kariya — kowane hanya da ta dogara ga shi ba ta buƙatar authentication ba.

## Authorization (roles/scopes)

```python
def require_admin(user: User = Depends(get_current_user)):
    if not user.is_admin:
        raise HTTPException(403, "Forbidden")     # authorization check
    return user
# OAuth2 SCOPES provide fine-grained permission control
```

## Dalilin da ya sa ya maɓa

Authentication yana da mahimmanci kuma **tsaro-mahimmanci** — kusan kowane API na gaske yana buƙatar kariyar hanyoyi, kuma yin kuskure game da auth yana haifar da ƙaƙƙarancin sa'o'i.

Ganewa daridar FastAPI yana mahimmanci: yana bayar da kayan aiki (`OAuth2PasswordBearer`, security utilities) don daidaitaccen **OAuth2-password-flow-with-JWT** tsarin, wanda ke amfani da karfinnar FastAPI a saniyya — login endpoint ya fitar da token da aka sassaura, kuma **`get_current_user` dogaro** ya sallanta shi, a tsada ya karya kowane hanya da ta dogara ga shi (tsarin authentication na FastAPI da aka sani).

Ayyuka da yawa suna da mahimmanci don samun daidai: **sana'ar passwords** (bcrypt, ba plaintext ba, tare da sallantawa na lokaci-daidai), **sassaura kuma sallanta JWTs** a madaidaici (signature + jagora validation), bambanta **authentication** (nawa ne ka) daga **authorization** (abin da za ka iya yi, ta hanyar role/scope checks), kuma ajiye key na sirri a aman.

Sanin yadda ake aiwatar da wannan tsarin a aman — tokenization, dogaro na sallanta, kuma authorization — shine mahimmancin san'a-matashi na jiya don gina aikace-aikacen FastAPI na aman, saboda auth shine duka a cikin gida kuma ya zama tushe na kusan kuskure lokacin da aka aiwatar da shi cikin kuskure.