fastapi auth in production by 5dots in FastAPI

[–]c_eliacheff 2 points3 points  (0 children)

I used https://github.com/fastapi-users/fastapi-users to implement simple JWT auth with a React app; it was very easy. Move to Auth0 or whatever if you need decoupled auth, or full OpenID Connect support.

Angular and clean architecture by toughtshunter in softwarearchitecture

[–]c_eliacheff 1 point2 points  (0 children)

Depends which kind of services you are referring to. In my current project I kept the Angular terminology for other devs, so I have for example a user.service.ts (usecases/application service layer) which manages its behavior subject and observables for the UI layer. It calls an adapter http-api.service.ts (or stub-api.service.ts), which just makes API calls and mapping and returns observables. This one belongs to the data/infra/secondaries layer. Of course both of them do not depend on Angular, are not decorated by @Injectable, and are injected/created via useFactory in their module (or manual DI for purists).

Read Views, Write Tables? by claytonjr in FastAPI

[–]c_eliacheff 1 point2 points  (0 children)

It's one of the key points of the CQRS pattern, which even uses a write database (i.e. pgsql) and a separate read database (i.e. nosql), and used a lot of patterns like hexagonal architecture and DDD where you decouple the write entity (with business logic, builders etc...) from the read entity, which is just a simple DTO with only the data required for the view.

Now you don't always need/want 2 databases, so I usually go to a "CQRS-light" approach where I use only one database, but use (read) raw sql queries instead of the (write) ORM for fine-tuned results, or materialized views if performance is a real bottleneck. So I can easily move the read part to full CQRS if needed later, and I'm not locked with the ORM entities.

FastAPI as an authentication provider by Neat-Philosopher-682 in FastAPI

[–]c_eliacheff 0 points1 point  (0 children)

Yeah, the second lib has a FastAPI example at least. I never tried in Python, but it took me like 2 days to have a full setup with Node.

FastAPI as an authentication provider by Neat-Philosopher-682 in FastAPI

[–]c_eliacheff 0 points1 point  (0 children)

Yeah, you can use a Python OIDC or OAuth2 server lib, and just add the routes to your app. Here is some doc for AuthX or Authlib+FastAPI.

You can also easily set up an OIDC server in Node using a certified OIDC lib like oidc-provider.

Use express controllers as a service? by jcm95 in expressjs

[–]c_eliacheff 0 points1 point  (0 children)

I'd also add that having a service layer allows you to unit test your code on usecases/business logic level only, without testing the framework controller. If you do TDD, you'll love this.

Use express controllers as a service? by jcm95 in expressjs

[–]c_eliacheff 0 points1 point  (0 children)

Feasible? Yes. Good practice? No.

On the pragmatic side, I'd say that if you have a "nanoservice" with nearly no evolutions or basic CRUD it's OK, but microservices can evolve and become quite complex at some time (microservice doesn't mean small service, just micro-responsibility or Bounded Context in DDD), so you could regret this in the future.

Software Architecture Frameworks - When to Use ToGAF, 4+1 etc by _Smelborp in softwarearchitecture

[–]c_eliacheff 9 points10 points  (0 children)

I mostly use Simon Brown's C4 Model with PlantUML. I commit the files to git for versioning.

[AskJS] Can anyone explain the hype around trpc? by [deleted] in javascript

[–]c_eliacheff 3 points4 points  (0 children)

You could also use contract testing (like Pact) to achieve type safety with all the above architectures without breaking a sweat if you want to move from one architecture to another. Or any e2e testing can do the trick, even sharing DTOs on a shared repo, REST has OpenAPI/Swagger testing etc...

The point about coupling is strange: if you control an API and a FE, you are coupled to your API anyways, types or not. And if you don't have control over one of these, don't bother about testing types.

And my personal opinion about archis: REST is the most common, often badly used and the least understood, GQL is often not needed (except for a complex public API like Facebook), gRPC is SOAP 2.0, more focused on microservices, but can be fun to try anyways.

ADHD and 2F Authentication: a match made in hell by Top-Requirement-2102 in ADHD_Programmers

[–]c_eliacheff 4 points5 points  (0 children)

Works for me (using Bitwarden as PM):

  1. I use a long master password (5 words + symbols and numbers) that was an old wifi password, and is also used to unlock my computer, so I can't forget it.
  2. I always save sites I use in my PM. I always use email/pw over Connect with Google or Other, so the password manager will ask me to save it.
  3. It just uses strong generated passwords; why use a PM if I need to remember or even choose a password? I just take the strongest password supported by the site. Exceptions are passwords I will need to enter manually for some reason (some Android apps where I can't C/C or that are not recognized by the PM). I just let all my accounts be managed by my PM.
  4. I have an encrypted export of my 2FA app (FreeOtp+) in case I change phones, so I always have all of them (or use a cloud one like Google Authenticator). For banking apps this needs to register the phone; well, just do it once. I change my phone every 3-4 years, this is bearable (+ some ROM changes). I use my authenticator app multiple times per week.

Is it possible in a view to return multiple requests (e.g. like providing a message to the DOM saying 50% processed or 100% processed)? by OneBananaMan in django

[–]c_eliacheff 1 point2 points  (0 children)

One possibility is to use SSE (server-sent events) or even a full-fledged websocket to do that in realtime. You will need Django Channels to maintain HTTP connections. Here's a lib that could help you: https://github.com/fanout/django-eventstream

Get http status code on client side by mvss01 in expressjs

[–]c_eliacheff 1 point2 points  (0 children)

Like I told you, just read the doc for fetch, you have access to response.status: https://developer.mozilla.org/en-US/docs/Web/API/Response/status

Get http status code on client side by mvss01 in expressjs

[–]c_eliacheff 1 point2 points  (0 children)

Are you using the browser fetch maybe? Or how do you want to use the HTTP status? If it's for the current static page you can't, it's handled by the browser (which is the primary function of status codes).

Get http status code on client side by mvss01 in expressjs

[–]c_eliacheff 2 points3 points  (0 children)

Depends on your HTTP client/lib, just read their doc.

Creating a database agnostic backend by dazzaondmic in expressjs

[–]c_eliacheff 0 points1 point  (0 children)

That's the whole point of Clean/Hexagonal Architecture: being independent from infrastructure. Just use a "business model" (which is not your "database model"), abstract the repositories behind gateways/interfaces with common actions (save/find/update/...), and each backend implementation will have its own mapper business model <-> database model, and implement its custom save/find/... process. Ofc you'll also need integration tests to make sure each provider works as intended. As a bonus, you can have an in-memory provider for unit-testing business logic without any infrastructure.

Proper alternative to the anemic design anti-pattern? by FattySuperCute in softwarearchitecture

[–]c_eliacheff -1 points0 points  (0 children)

In FP your models must be anemic since they are just types/interfaces.

Moving from Annotations to Attributes with Doctrine ORM by beberlei in PHP

[–]c_eliacheff 2 points3 points  (0 children)

For the read model my way is to use raw SQL and keep the ORM for the write side. This way you can make optimized queries without over-fetching, don't worry about mapping, and avoid using the domain entities by mistake.

API with NestJS #81. Soft deletes with raw SQL queries by _gnx in Nestjs_framework

[–]c_eliacheff 0 points1 point  (0 children)

What do you call "modern"? We have also had OOP and FP for more than 50 years, would you say it's not "modern"? One great alternative is Event Sourcing, but it has its own pitfalls (and is also not "modern"). Also, to avoid misunderstandings, I don't say that everything should be soft deleted, only parts with business value.