Kepiye carane nganakake autentikasi (OAuth2/JWT)?

Question

Accepted Answer

FastAPI nyedhiyakake alat bawaan (`OAuth2PasswordBearer`, security utilities) kanggo nganakake autentikasi, biasane nganggo **alur password OAuth2 karo token JWT**. Polane nggabungake penerbitan token (login) karo dependensi sing validasi token ing rute-rute sing ditangi.

## Hashing password lan penerbitan JWT nalika login

```python
from passlib.context import CryptContext
from jose import jwt
from datetime import datetime, timedelta

pwd = CryptContext(schemes=["bcrypt"])    # secure password hashing

@app.post("/login")
def login(form: OAuth2PasswordRequestForm = Depends()):
    user = get_user(form.username)
    if not user or not pwd.verify(form.password, user.hashed_password):  # constant-time check
        raise HTTPException(401, "Invalid credentials")
    # issue a signed JWT containing the user identity + expiry
    token = jwt.encode(
        {"sub": user.username, "exp": datetime.utcnow() + timedelta(minutes=30)},
        SECRET_KEY, algorithm="HS256",
    )
    return {"access_token": token, "token_type": "bearer"}
```

Password **di-hash** (bcrypt) — ora dijlentrehake ing plaintext. Nalika login sing sah, **JWT** diterbitake: token sing ditandatangani nawa identitas lan waluyen pangguna.

## Validasi token ing rute-rute sing ditangi (dependensi)

```python
from fastapi.security import OAuth2PasswordBearer

oauth2_scheme = OAuth2PasswordBearer(tokenUrl="login")   # extracts the Bearer token

def get_current_user(token: str = Depends(oauth2_scheme)):
    try:
        payload = jwt.decode(token, SECRET_KEY, algorithms=["HS256"])   # verify signature + expiry
        username = payload.get("sub")
    except JWTError:
        raise HTTPException(401, "Invalid token")
    user = get_user(username)
    if not user:
        raise HTTPException(401, "User not found")
    return user

@app.get("/me")
def read_me(user: User = Depends(get_current_user)):     # PROTECTED — requires a valid token
    return user
```

Dependensi `get_current_user` ngetrak lan **verifikasi** JWT (signature + waluyen), muatake pangguna, lan disuntikake ing endpoint-endpoint sing ditangi — rute apa wae sing gantung ing iki merlokake autentikasi.

## Otorisasi (role/scope)

```python
def require_admin(user: User = Depends(get_current_user)):
    if not user.is_admin:
        raise HTTPException(403, "Forbidden")     # authorization check
    return user
# OAuth2 SCOPES provide fine-grained permission control
```

## Saperlu apa iki

Autentikasi penting lan **kritikal kanggo keamanan** — meh kabeh API nyata kudu nglindhungi rute, lan kesalahan autentikasi nyebabake kerentanan serius.

Paham cara FastAPI nglakoni iki penting: nyedhiyakake blok-blok bangun (`OAuth2PasswordBearer`, security utilities) kanggo pola standar **OAuth2-password-flow-with-JWT**, sing nganggo kekuwatan FastAPI kanthi elegan — endpoint login nenerbitake token sing ditandatangani, lan **dependensi `get_current_user`** validasi iku, lindhingi kanthi resik rute apa wae sing gantung ing iku (pola autentikasi idiomatik FastAPI).

Saperangan aspek kritis kudu dianakake kanthi bener: **hashing password** (bcrypt, ora plaintext, karo verifikasi waktu konstan), **signing lan verifikasi JWT** kanthi bener (signature + validasi waluyen), beda-bedakake **autentikasi** (sapa sampeyan) karo **otorisasi** (apa sing bisa sampeyan gawe, liwat cek role/scope), lan njaga kunci rahasia tetep aman.

Ngerti carane nganakake pola iki kanthi aman — penerbitan token, dependensi validasi, lan otorisasi — kasunyatan pengetahuan tingkat senior kanggo nggawe aplikasi FastAPI sing aman, amarga autentikasi ana ing mana-mana lan sumber kesalahan berbahaya sing asring tadi nalika ditindakake ora bener.