Unatekelezaje uthibitishaji wa utambulisho (OAuth2/JWT)?

Question

Accepted Answer

FastAPI hutoa zana zilizojengwa ndani (`OAuth2PasswordBearer`, zana za usalama) za kutekeleza uthibitishaji wa utambulisho, kawaida ukitumia **OAuth2 password flow na JWT tokens**. Mfumo huchanganya utoaji wa token (kuingia) na dependency inayothibitisha token kwenye routes zilizolindwa.

## Kuhashisha nywila na kutoa JWT wakati wa kuingia

```python
from passlib.context import CryptContext
from jose import jwt
from datetime import datetime, timedelta

pwd = CryptContext(schemes=["bcrypt"])    # secure password hashing

@app.post("/login")
def login(form: OAuth2PasswordRequestForm = Depends()):
    user = get_user(form.username)
    if not user or not pwd.verify(form.password, user.hashed_password):  # constant-time check
        raise HTTPException(401, "Invalid credentials")
    # issue a signed JWT containing the user identity + expiry
    token = jwt.encode(
        {"sub": user.username, "exp": datetime.utcnow() + timedelta(minutes=30)},
        SECRET_KEY, algorithm="HS256",
    )
    return {"access_token": token, "token_type": "bearer"}
```

Nywila **hu-hashishwa** (bcrypt) — kamwe hazihifadhiwi kama maandishi wazi. Wakati wa kuingia kwa usahihi, **JWT** hutolewa: token iliyotiwa saini ikibeba utambulisho wa mtumiaji na muda wa kuisha.

## Kuthibitisha token kwenye routes zilizolindwa (dependency)

```python
from fastapi.security import OAuth2PasswordBearer

oauth2_scheme = OAuth2PasswordBearer(tokenUrl="login")   # extracts the Bearer token

def get_current_user(token: str = Depends(oauth2_scheme)):
    try:
        payload = jwt.decode(token, SECRET_KEY, algorithms=["HS256"])   # verify signature + expiry
        username = payload.get("sub")
    except JWTError:
        raise HTTPException(401, "Invalid token")
    user = get_user(username)
    if not user:
        raise HTTPException(401, "User not found")
    return user

@app.get("/me")
def read_me(user: User = Depends(get_current_user)):     # PROTECTED — requires a valid token
    return user
```

Dependency ya `get_current_user` hutoa na **kuthibitisha** JWT (saini + muda wa kuisha), hupakia mtumiaji, na huingizwa kwenye endpoints zilizolindwa — route yoyote inayotegemea hiyo huhitaji uthibitishaji.

## Uidhinishaji (roles/scopes)

```python
def require_admin(user: User = Depends(get_current_user)):
    if not user.is_admin:
        raise HTTPException(403, "Forbidden")     # authorization check
    return user
# OAuth2 SCOPES provide fine-grained permission control
```

## Kwa nini ni muhimu

Uthibitishaji wa utambulisho ni wa lazima na **muhimu kwa usalama** — karibu kila API halisi inahitaji kulinda routes, na kufanya uthibitishaji vibaya huleta udhaifu mkubwa.

Kuelewa mbinu ya FastAPI ni muhimu: hutoa vipande vya kujenga (`OAuth2PasswordBearer`, zana za usalama) kwa mfumo wa kawaida wa **OAuth2-password-flow-na-JWT**, ambao kwa ustadi hutumia nguvu za FastAPI — endpoint ya kuingia hutoa token iliyotiwa saini, na **dependency ya `get_current_user`** huithibitisha, ikilinda kwa usafi route yoyote inayoitegemea (mfumo wa kawaida wa auth wa FastAPI).

Vipengele kadhaa ni muhimu kuvifanya sawa: **kuhashisha nywila** (bcrypt, kamwe si maandishi wazi, na uthibitisho wa muda-thabiti), **kutia saini na kuthibitisha JWTs** kwa usahihi (uthibitishaji wa saini + muda wa kuisha), kutofautisha **uthibitishaji wa utambulisho** (wewe ni nani) na **uidhinishaji** (unaweza kufanya nini, kupitia ukaguzi wa role/scope), na kuweka secret key salama.

Kujua jinsi ya kutekeleza mfumo huu kwa usalama — utoaji wa token, dependency ya uthibitishaji, na uidhinishaji — ni maarifa ya msingi ya kiwango cha senior kwa kujenga programu salama za FastAPI, kwa kuwa auth ni jambo lililoenea na chanzo cha mara kwa mara cha makosa hatari yanapotekelezwa vibaya.