feat: add jwt authorization

Author: adiffpirate

Dockerfile

@@ -14,8 +14,11 @@ RUN pip install --upgrade pip && pip install -e '.[dev]'
 # Copy application code
 COPY . .
 
+# Required env vars
+ENV AUTH_JWT_SECRET_KEY=""
+
 # Expose port
 EXPOSE 8000
 
 # Run the application
-CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000"]
+CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000"]

Makefile

@@ -25,7 +25,7 @@ test:
 test-unit:
 	@echo "Running unit tests..."
 	docker build -t python-fastapi-example-oms-app:latest .
-	docker run --rm --tty python-fastapi-example-oms-app:latest python -m pytest tests/unit/ -v
+	docker run --rm --tty -e AUTH_JWT_SECRET_KEY=docker-unit-tests-key python-fastapi-example-oms-app:latest python -m pytest tests/unit/ -v
 
 test-integration:
 	$(MAKE) clean

app/core/auth.py

@@ -0,0 +1,81 @@
+import os
+
+import jwt
+from datetime import datetime, timedelta, timezone
+
+from fastapi import Header, HTTPException, status
+
+ALGORITHM = "HS256"
+ACCESS_TOKEN_EXPIRE_MINUTES = 30
+
+
+def _get_secret_key() -> str:
+    """Return the JWT secret key from the environment variable."""
+    return os.environ["AUTH_JWT_SECRET_KEY"]
+
+
+def create_access_token(username: str) -> str:
+    """Create a JWT access token for the given username.
+
+    The token includes a 'sub' claim set to the username and an 'exp' claim
+    set to now + ACCESS_TOKEN_EXPIRE_MINUTES.
+
+    Args:
+        username: The username to encode in the token's 'sub' claim.
+
+    Returns:
+        A signed JWT string using HS256.
+    """
+    expire = datetime.now(timezone.utc) + timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES)
+    payload = {"sub": username, "exp": expire}
+    return jwt.encode(payload, _get_secret_key(), algorithm=ALGORITHM)
+
+
+def decode_access_token(token: str) -> str:
+    """Decode and validate a JWT access token, returning the username.
+
+    Raises HTTPException(401) for expired or invalid tokens with appropriate
+    error messages and WWW-Authenticate headers.
+
+    Args:
+        token: The JWT string to decode.
+
+    Returns:
+        The username from the token's 'sub' claim.
+
+    Raises:
+        HTTPException: 401 if the token is expired or invalid.
+    """
+    try:
+        payload = jwt.decode(token, _get_secret_key(), algorithms=[ALGORITHM])
+        return payload.get("sub")
+    except jwt.ExpiredSignatureError:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Token has expired",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+    except jwt.InvalidTokenError:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid token",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+
+
+async def get_current_user(authorization: str | None = Header(default=None)):
+    """Extract and validate Bearer token. Returns username."""
+    if authorization is None:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Authorization header required",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+    prefix, _, token = authorization.partition(" ")
+    if prefix.lower() != "bearer" or not token:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid authorization header",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+    return decode_access_token(token)

app/core/config.py

@@ -1,7 +1,21 @@
 import os
 
+
 class Settings:
     app_name: str = "OMS API"
     debug: bool = True
 
+    def __init__(self) -> None:
+        self.auth_jwt_secret_key = self._load_auth_jwt_secret_key()
+
+    @staticmethod
+    def _load_auth_jwt_secret_key() -> str:
+        key = os.environ.get("AUTH_JWT_SECRET_KEY")
+        if not key:
+            raise ValueError(
+                "AUTH_JWT_SECRET_KEY environment variable is required and must not be empty"
+            )
+        return key
+
+
 settings = Settings()

app/main.py

@@ -1,6 +1,8 @@
 from fastapi import FastAPI
 from app.api.router import api_router
 
+from app.core.config import settings  # imported for startup validation
+
 app = FastAPI()
 
 app.include_router(api_router)

app/modules/orders/routes.py

@@ -3,6 +3,7 @@
 
 from app.db.session import get_db
 from . import service, schemas, repository
+from app.core.auth import get_current_user
 
 router = APIRouter()
 
@@ -12,25 +13,41 @@ def get_orders_repository(db: Session = Depends(get_db)):
 
 
 @router.post("/", response_model=schemas.OrderRead)
-def create_order(payload: schemas.OrderCreate, repo: repository.OrderRepository = Depends(get_orders_repository)):
+def create_order(
+    payload: schemas.OrderCreate,
+    repo: repository.OrderRepository = Depends(get_orders_repository),
+    _user: str = Depends(get_current_user),
+):
     return service.create_order(repo, payload.item)
 
 
 @router.get("/{order_id}", response_model=schemas.OrderRead)
-def get_order(order_id: int, repo: repository.OrderRepository = Depends(get_orders_repository)):
+def get_order(
+    order_id: int,
+    repo: repository.OrderRepository = Depends(get_orders_repository),
+    _user: str = Depends(get_current_user),
+):
     try:
         return service.get_order(repo, order_id)
     except ValueError:
         raise HTTPException(status_code=404, detail="Order not found")
 
 
 @router.get("/", response_model=list[schemas.OrderRead])
-def list_orders(repo: repository.OrderRepository = Depends(get_orders_repository)):
+def list_orders(
+    repo: repository.OrderRepository = Depends(get_orders_repository),
+    _user: str = Depends(get_current_user),
+):
     return service.list_orders(repo)
 
 
 @router.put("/{order_id}", response_model=schemas.OrderRead)
-def update_order(order_id: int, payload: schemas.OrderUpdate, repo: repository.OrderRepository = Depends(get_orders_repository)):
+def update_order(
+    order_id: int,
+    payload: schemas.OrderUpdate,
+    repo: repository.OrderRepository = Depends(get_orders_repository),
+    _user: str = Depends(get_current_user),
+):
     try:
         updates = {k: v for k, v in payload.model_dump(exclude_unset=True).items()}
         return service.update_order(repo, order_id, **updates)
@@ -39,7 +56,11 @@ def update_order(order_id: int, payload: schemas.OrderUpdate, repo: repository.O
 
 
 @router.delete("/{order_id}", status_code=204)
-def delete_order(order_id: int, repo: repository.OrderRepository = Depends(get_orders_repository)):
+def delete_order(
+    order_id: int,
+    repo: repository.OrderRepository = Depends(get_orders_repository),
+    _user: str = Depends(get_current_user),
+):
     try:
         service.delete_order(repo, order_id)
     except ValueError:

app/modules/users/routes.py

@@ -3,6 +3,7 @@
 
 from app.db.session import get_db
 from . import service, schemas, repository
+from app.core.auth import create_access_token
 
 router = APIRouter()
 
@@ -27,7 +28,8 @@ def register_user(payload: schemas.UserCreate, repo: repository.UserRepository =
 @router.post("/login", response_model=schemas.UserToken)
 def login_user(payload: schemas.UserAuthenticate, repo: repository.UserRepository = Depends(get_users_repository)):
     user = service.authenticate_user(repo, payload.username, payload.password)
+    token = create_access_token(user.username)
     return schemas.UserToken(
-        access_token=f"fake-jwt-token-for-{user.username}",
+        access_token=token,
         token_type="bearer"
     )

docker-compose.yml

@@ -21,12 +21,12 @@ services:
     build:
       context: .
       dockerfile: Dockerfile
-    environment:
-      DATABASE_URL: postgresql://postgres:postgres@postgres:5432/app
-      DEBUG: "true"
     depends_on:
       postgres:
         condition: service_healthy
+    environment:
+      DATABASE_URL: postgresql://postgres:postgres@postgres:5432/app
+      DEBUG: "true"
     command: alembic -c alembic.ini upgrade head
     networks:
       - app_network
@@ -35,14 +35,15 @@ services:
     build:
       context: .
       dockerfile: Dockerfile
+    depends_on:
+      postgres:
+        condition: service_healthy
     ports:
       - "8000:8000"
     environment:
       DATABASE_URL: postgresql://postgres:postgres@postgres:5432/app
       DEBUG: "true"
-    depends_on:
-      postgres:
-        condition: service_healthy
+      AUTH_JWT_SECRET_KEY: test-secret-key-for-local-dev-only
     volumes:
       - .:/app
     command: uvicorn app.main:app --host 0.0.0.0 --port 8000 --reload

pyproject.toml

@@ -9,11 +9,13 @@ dependencies = [
     "pydantic==2.13.3",
     "alembic==1.18.4",
     "bcrypt==4.0.1",
+    "PyJWT==2.10.1",
 ]
 
 [project.optional-dependencies]
 dev = [
     "pytest==9.0.3",
+    "pytest-asyncio==1.3.0",
     "httpx==0.28.1",
 ]
 
@@ -25,3 +27,4 @@ where = ["."]
 
 [tool.pytest.ini_options]
 pythonpath = ["."]
+asyncio_mode = "auto"