# Part V: Security and Authentication

## Chapter 11: Security Fundamentals

Security is not a feature you add at the end of development—it is a foundational requirement that must be integrated from the very beginning. FastAPI provides robust, standards-based security tools that leverage OpenAPI specifications, making it straightforward to implement authentication and authorization while maintaining clear, interactive documentation. This chapter covers the essential security schemes available in OpenAPI, implements HTTP Basic authentication, and establishes secure password handling practices that form the bedrock of any production API.

---

### 11.1 Security Schemes in OpenAPI: API Keys, HTTP Basic, OAuth2

OpenAPI (formerly Swagger) defines standard ways to describe security mechanisms for your API. FastAPI integrates these schemes directly into your application, automatically generating the interactive documentation UI with lock icons and authorization forms.

#### Understanding Security Schemes

Security schemes define **how** clients authenticate with your API. OpenAPI supports four main types:

```
┌─────────────────────────────────────────────────────────────────┐
│                    OpenAPI Security Schemes                      │
├─────────────────────────────────────────────────────────────────┤
│                                                                  │
│  1. HTTP Authentication Schemes                                │
│     ├── Basic (username:password in Base64)                     │
│     └── Bearer (token in Authorization header)                  │
│                                                                  │
│  2. API Keys                                                     │
│     ├── Header (X-API-Key: secret123)                         │
│     ├── Query Parameter (?api_key=secret123)                    │
│     └── Cookie (Cookie: api_key=secret123)                      │
│                                                                  │
│  3. OAuth2                                                       │
│     ├── Password (Resource Owner Password Credentials)          │
│     ├── Implicit (Legacy - not recommended)                     │
│     ├── Client Credentials (Machine-to-machine)                  │
│     └── Authorization Code (Most secure for users)               │
│                                                                  │
│  4. OpenID Connect Discovery                                    │
│     └── Discovery URL for OIDC providers                        │
│                                                                  │
└─────────────────────────────────────────────────────────────────┘
```

#### API Key Authentication

API keys are simple tokens passed in headers, query strings, or cookies. They are suitable for service-to-service communication or simple client authentication.

```python
# api_key_security.py
from fastapi import FastAPI, Security, HTTPException, status, Depends
from fastapi.security import APIKeyHeader, APIKeyQuery, APIKeyCookie
from typing import Optional

app = FastAPI(
    title="API Key Authentication Demo",
    description="Demonstrates API key security schemes",
)

# Define security schemes
api_key_header = APIKeyHeader(
    name="X-API-Key",
    auto_error=False,  # Don't auto-error so we can check multiple sources
    description="API key passed in header",
)

api_key_query = APIKeyQuery(
    name="api_key",
    auto_error=False,
    description="API key passed as query parameter",
)

api_key_cookie = APIKeyCookie(
    name="api_key",
    auto_error=False,
    description="API key passed in cookie",
)

# In production, use environment variables or secrets manager
API_KEYS = {
    "prod-key-12345": "service_account",
    "dev-key-67890": "developer",
}


async def verify_api_key(
    header_key: Optional[str] = Security(api_key_header),
    query_key: Optional[str] = Security(api_key_query),
    cookie_key: Optional[str] = Security(api_key_cookie),
) -> str:
    """
    Verify API key from any source (header, query, or cookie).
    
    Priority: Header > Query > Cookie
    
    Returns:
        str: The API key if valid
        
    Raises:
        HTTPException: 403 if key is missing or invalid
    """
    # Check sources in priority order
    api_key = header_key or query_key or cookie_key
    
    if not api_key:
        raise HTTPException(
            status_code=status.HTTP_403_FORBIDDEN,
            detail="API key required. Pass via X-API-Key header, "
                   "api_key query parameter, or api_key cookie.",
        )
    
    if api_key not in API_KEYS:
        raise HTTPException(
            status_code=status.HTTP_403_FORBIDDEN,
            detail="Invalid API key",
        )
    
    return api_key


@app.get("/protected", dependencies=[Depends(verify_api_key)])
async def protected_endpoint():
    """
    Endpoint protected by API key.
    
    Try it:
    - Header: curl -H "X-API-Key: prod-key-12345" http://localhost:8000/protected
    - Query: curl "http://localhost:8000/protected?api_key=prod-key-12345"
    """
    return {"message": "You have access!", "tier": API_KEYS.get("prod-key-12345")}


@app.get("/public")
async def public_endpoint():
    """Public endpoint requiring no authentication."""
    return {"message": "Public data"}


# Advanced: API key with role checking
async def verify_admin_key(api_key: str = Security(verify_api_key)) -> str:
    """
    Verify API key and check if it has admin privileges.
    """
    role = API_KEYS.get(api_key)
    if role != "admin":
        raise HTTPException(
            status_code=status.HTTP_403_FORBIDDEN,
            detail="Admin access required",
        )
    return api_key


@app.get("/admin-only", dependencies=[Depends(verify_admin_key)])
async def admin_endpoint():
    """Endpoint requiring admin API key."""
    return {"message": "Admin access granted", "sensitive_data": "..."}
```

**Industry Standard:** API keys should be passed in headers (not query strings) for production use. Query parameters may appear in server logs and browser history, creating security vulnerabilities.

#### HTTP Bearer Token Scheme

Bearer tokens are the standard for modern token-based authentication (including JWT):

```python
# bearer_scheme.py
from fastapi import FastAPI, Depends, HTTPException, status
from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials

app = FastAPI()

# HTTPBearer expects: Authorization: Bearer <token>
security_bearer = HTTPBearer(
    scheme_name="JWT",
    description="Enter JWT token",
    auto_error=True,
)

async def verify_token(
    credentials: HTTPAuthorizationCredentials = Depends(security_bearer)
) -> str:
    """
    Verify Bearer token from Authorization header.
    
    Expected format:
    Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
    """
    token = credentials.credentials
    
    # In real app: verify JWT signature, check expiration, etc.
    if not token.startswith("valid_"):  # Simplified check
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Invalid or expired token",
            headers={"WWW-Authenticate": "Bearer"},
        )
    
    return token


@app.get("/secure")
async def secure_endpoint(token: str = Depends(verify_token)):
    """Endpoint requiring valid Bearer token."""
    return {"message": "Secure data", "token_prefix": token[:10]}


# Optional authentication (public endpoint with optional login)
async def optional_token(
    credentials: Optional[HTTPAuthorizationCredentials] = Depends(
        HTTPBearer(auto_error=False)
    )
) -> Optional[str]:
    """Allow access with or without token."""
    if credentials:
        return credentials.credentials
    return None


@app.get("/optional")
async def optional_endpoint(token: Optional[str] = Depends(optional_token)):
    """Works with or without authentication."""
    if token:
        return {"message": "Authenticated data", "user": "user123"}
    return {"message": "Public data", "user": None}
```

#### OAuth2 Schemes Overview

OAuth2 is the industry standard for authorization. FastAPI provides utilities for the most common flows:

```python
# oauth2_schemes.py
from fastapi import FastAPI, Depends, HTTPException, status
from fastapi.security import (
    OAuth2PasswordBearer,
    OAuth2AuthorizationCodeBearer,
    OAuth2ClientCredentials,
)
from typing import Optional

app = FastAPI()

# OAuth2 Password Flow (for first-party apps)
# Token URL is where clients POST username/password to get token
oauth2_scheme = OAuth2PasswordBearer(
    tokenUrl="token",
    scheme_name="OAuth2Password",
    description="OAuth2 Password flow. Use /token endpoint to get JWT.",
)

# OAuth2 Authorization Code Flow (for third-party apps)
oauth2_authorization_code = OAuth2AuthorizationCodeBearer(
    authorizationUrl="https://auth.example.com/authorize",
    tokenUrl="https://auth.example.com/token",
    refreshUrl="https://auth.example.com/refresh",
    scheme_name="OAuth2AuthorizationCode",
)

# OAuth2 Client Credentials (for machine-to-machine)
oauth2_client_credentials = OAuth2ClientCredentials(
    tokenUrl="token",
    scheme_name="OAuth2ClientCredentials",
)


async def get_current_user(token: str = Depends(oauth2_scheme)) -> dict:
    """
    Validate OAuth2 token and return user info.
    
    In production:
    1. Verify JWT signature
    2. Check expiration
    3. Query database for user
    4. Check if token is revoked
    """
    # Mock validation
    if token != "valid_access_token":
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Invalid authentication credentials",
            headers={"WWW-Authenticate": "Bearer"},
        )
    
    return {"username": "alice", "id": "user123", "scopes": ["read", "write"]}


@app.get("/users/me", response_model=dict)
async def read_users_me(current_user: dict = Depends(get_current_user)):
    """Get current authenticated user."""
    return current_user


@app.get("/items/")
async def read_items(current_user: dict = Depends(get_current_user)):
    """Read items (requires authentication)."""
    return [{"item_id": "123", "owner": current_user["username"]}]
```

**OpenAPI Integration:** When you use these security schemes, FastAPI automatically adds a "Authorize" button to `/docs`. Users can enter credentials there, and FastAPI will include them in subsequent requests.

---

### 11.2 HTTPBasic: Implementing Simple Authentication

HTTP Basic Authentication is the simplest form of authentication, defined in RFC 7617. While not suitable for production user-facing applications (OAuth2 is preferred), it is useful for internal tools, admin panels, and service-to-service communication in trusted networks.

#### How HTTP Basic Works

```
┌─────────────────────────────────────────────────────────────────┐
│                  HTTP Basic Authentication Flow                  │
├─────────────────────────────────────────────────────────────────┤
│                                                                  │
│  Client                                                          │
│    │                                                             │
│    │  1. Request without credentials                             │
│    │──────────────────────────────────────────▶│                │
│    │                                             │                │
│    │  2. 401 Unauthorized                       │                │
│    │     WWW-Authenticate: Basic realm="Secure"   │                │
│    │◀─────────────────────────────────────────────│                │
│    │                                             │                │
│    │  3. Request with Authorization header        │                │
│    │     Authorization: Basic base64(user:pass)   │                │
│    │──────────────────────────────────────────▶│                │
│    │                                             │                │
│    │  4. 200 OK with protected resource          │                │
│    │◀─────────────────────────────────────────────│                │
│    │                                             │                │
│                                                                  │
│  Note: Credentials are Base64 encoded (not encrypted).          │
│        HTTPS is MANDATORY for Basic Auth.                       │
│                                                                  │
└─────────────────────────────────────────────────────────────────┘
```

#### Implementing HTTP Basic in FastAPI

```python
# http_basic_auth.py
from fastapi import FastAPI, Depends, HTTPException, status
from fastapi.security import HTTPBasic, HTTPBasicCredentials
import secrets  # For secure string comparison

app = FastAPI(
    title="HTTP Basic Auth Demo",
    description="Simple username/password authentication",
)

# Create security scheme
security = HTTPBasic(
    scheme_name="BasicAuth",
    description="Enter username and password",
    auto_error=True,  # Automatically return 401 if credentials missing
)

# In-memory user database (use real database in production)
# Passwords should be hashed (shown in next section)
USERS_DB = {
    "alice": "wonderland123",
    "bob": "builder456",
    "admin": "supersecret",  # Never store plaintext in production!
}


def verify_credentials(credentials: HTTPBasicCredentials) -> str:
    """
    Verify username and password against database.
    
    Args:
        credentials: HTTPBasicCredentials with username and password
        
    Returns:
        str: Username if valid
        
    Raises:
        HTTPException: 401 if invalid
    """
    username = credentials.username
    password = credentials.password
    
    # Check if user exists
    if username not in USERS_DB:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Invalid credentials",
            headers={"WWW-Authenticate": "Basic"},
        )
    
    # Secure password comparison (timing attack resistant)
    # secrets.compare_digest compares strings in constant time
    stored_password = USERS_DB[username]
    if not secrets.compare_digest(password, stored_password):
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Invalid credentials",
            headers={"WWW-Authenticate": "Basic"},
        )
    
    return username


@app.get("/protected")
async def protected_route(
    credentials: HTTPBasicCredentials = Depends(security)
):
    """
    Protected endpoint using HTTP Basic Auth.
    
    In Swagger UI (/docs):
    1. Click "Authorize" button
    2. Enter username and password
    3. All subsequent requests include Authorization header
    
    Headers sent:
    Authorization: Basic YWxpY2U6d29uZGVybGFuZDEyMw==
    (Base64 encoded "alice:wonderland123")
    """
    username = verify_credentials(credentials)
    
    return {
        "message": f"Hello, {username}!",
        "authenticated": True,
        "scheme": "HTTP Basic",
    }


@app.get("/admin")
async def admin_only(
    credentials: HTTPBasicCredentials = Depends(security)
):
    """Admin-only endpoint with additional role check."""
    username = verify_credentials(credentials)
    
    if username != "admin":
        raise HTTPException(
            status_code=status.HTTP_403_FORBIDDEN,
            detail="Admin access required",
        )
    
    return {
        "message": "Welcome to admin panel",
        "user": username,
        "level": "administrator",
    }


# Dependency for reusable auth
async def get_current_user_basic(
    credentials: HTTPBasicCredentials = Depends(security)
) -> str:
    """Reusable dependency for HTTP Basic auth."""
    return verify_credentials(credentials)


@app.get("/profile")
async def user_profile(username: str = Depends(get_current_user_basic)):
    """Get user profile using reusable auth dependency."""
    return {
        "username": username,
        "email": f"{username}@example.com",
        "role": "user" if username != "admin" else "administrator",
    }
```

#### HTTP Basic with Database Integration

```python
# http_basic_with_db.py
from fastapi import FastAPI, Depends, HTTPException, status
from fastapi.security import HTTPBasic, HTTPBasicCredentials
from sqlalchemy.ext.asyncio import AsyncSession
from sqlalchemy import select
from passlib.context import CryptContext  # For password hashing
import secrets

from app.database import get_db  # Your database dependency
from app.models import User  # Your SQLAlchemy model

app = FastAPI()
security =HTTPBasic(auto_error=True)

# Password hashing context (explained in detail in next section)
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")


async def verify_credentials_db(
    credentials: HTTPBasicCredentials,
    db: AsyncSession = Depends(get_db)
) -> User:
    """
    Verify credentials against database with proper password hashing.
    
    This is the production-ready approach:
    1. Query user from database
    2. Verify password using secure hashing
    3. Return user object for use in endpoint
    """
    # Query user from database
    result = await db.execute(
        select(User).where(User.username == credentials.username)
    )
    user = result.scalar_one_or_none()
    
    # Verify user exists
    if not user:
        # Use constant-time comparison to prevent timing attacks
        # Even if user doesn't exist, we still hash to prevent timing leaks
        pwd_context.verify(credentials.password, "dummy_hash_for_timing")
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Invalid credentials",
            headers={"WWW-Authenticate": "Basic"},
        )
    
    # Verify password using secure comparison
    if not pwd_context.verify(credentials.password, user.hashed_password):
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Invalid credentials",
            headers={"WWW-Authenticate": "Basic"},
        )
    
    # Check if user is active
    if not user.is_active:
        raise HTTPException(
            status_code=status.HTTP_403_FORBIDDEN,
            detail="User account is disabled",
        )
    
    return user


@app.get("/secure-data")
async def get_secure_data(
    current_user: User = Depends(verify_credentials_db)
):
    """
    Endpoint that returns user-specific data from database.
    
    The current_user is the full database model, so we have
    access to all user properties (id, email, roles, etc.)
    """
    return {
        "message": f"Hello {current_user.username}",
        "user_id": str(current_user.id),
        "email": current_user.email,
        "created_at": user.created_at.isoformat(),
    }
```

**Key Security Considerations for HTTP Basic:**

1. **HTTPS is Mandatory**: Credentials are Base64 encoded (easily decoded), not encrypted. Without HTTPS, credentials are sent in plaintext.
2. **Timing Attack Prevention**: Use `secrets.compare_digest()` or `pwd_context.verify()` instead of `==` for string comparison.
3. **Constant-Time Database Queries**: Even when user doesn't exist, perform a dummy hash to prevent attackers from determining valid usernames via timing analysis.
4. **Realm Attribute**: The `WWW-Authenticate: Basic realm="..."` header helps browsers cache credentials per realm.

---

### 11.3 Password Hashing: Using `passlib` or `bcrypt` Securely

Storing passwords in plaintext is a critical security vulnerability. Industry standards require hashing passwords using slow, salted, one-way hash functions designed specifically for passwords.

#### Understanding Password Hashing

```
┌─────────────────────────────────────────────────────────────────┐
│              Why Plaintext Passwords Are Dangerous               │
├─────────────────────────────────────────────────────────────────┤
│                                                                  │
│  Scenario: Database Breach                                     │
│                                                                  │
│  Plaintext Storage:                                              │
│  ┌──────────┬──────────┐                                        │
│  │ Username │ Password │  Attacker sees actual passwords         │
│  ├──────────┼──────────┤  Users often reuse passwords           │
│  │ alice    │ wonder123│  → Attacker can access other sites     │
│  │ bob      │ builder1 │                                        │
│  └──────────┴──────────┘                                        │
│                                                                  │
│  Hashed Storage (bcrypt):                                        │
│  ┌──────────┬──────────────────────────────────────────────┐    │
│  │ Username │ Hashed Password                               │    │
│  ├──────────┼──────────────────────────────────────────────┤    │
│  │ alice    │ $2b$12$LQv3c1yqBWVHxkd0LHAkCOYz6TtxMQJqhN8/  │    │
│  │          │ XWJ2efFPxNDN8BeCGo7uG                         │    │
│  ├──────────┼──────────────────────────────────────────────┤    │
│  │ bob      │ $2b$12$5rOJ7pPqXUvLwBj8KHNQ9uI3vFzE6dR...    │    │
│  └──────────┴──────────────────────────────────────────────┘    │
│                                                                  │
│  bcrypt properties:                                              │
│  - One-way: Cannot reverse to get original password            │
│  - Salted: Same password produces different hashes               │
│  - Slow: Intentionally computationally expensive                 │
│  - Adaptive: Can increase cost factor as computers get faster    │
│                                                                  │
└─────────────────────────────────────────────────────────────────┘
```

#### Implementing Password Hashing with Passlib

```python
# password_hashing.py
from passlib.context import CryptContext
from fastapi import FastAPI, HTTPException, status
import time

app = FastAPI(title="Password Hashing Demo")

# Configure password hashing context
# bcrypt is the recommended algorithm for new applications
pwd_context = CryptContext(
    schemes=["bcrypt"],
    deprecated="auto",
    
    # bcrypt-specific options
    bcrypt__rounds=12,  # Cost factor (4-31). Higher = slower but more secure
                        # 12 is good default (takes ~250ms on modern hardware)
    
    # Optional: Add additional schemes for backwards compatibility
    # schemes=["bcrypt", "argon2", "scrypt"],
)

# Example: Hashing and verifying passwords
@app.post("/auth/hash-example")
async def demonstrate_hashing(password: str):
    """
    Demonstrate password hashing and verification.
    
    NEVER expose this in production - for educational purposes only.
    """
    # Hash the password
    start_time = time.time()
    hashed = pwd_context.hash(password)
    hash_time = time.time() - start_time
    
    # Verify the password
    start_time = time.time()
    is_valid = pwd_context.verify(password, hashed)
    verify_time = time.time() - start_time
    
    # Try wrong password
    is_invalid = pwd_context.verify("wrong_password", hashed)
    
    return {
        "original_password": password,
        "hashed_password": hashed,
        "hash_time_ms": round(hash_time * 1000, 2),
        "verify_time_ms": round(verify_time * 1000, 2),
        "correct_password_valid": is_valid,
        "wrong_password_valid": is_invalid,
        "hash_length": len(hashed),
    }
```

#### Complete Authentication System with Hashing

```python
# secure_auth_system.py
from fastapi import FastAPI, Depends, HTTPException, status
from fastapi.security import HTTPBasic, HTTPBasicCredentials
from passlib.context import CryptContext
from pydantic import BaseModel, Field, field_validator
from datetime import datetime
from typing import Optional
import secrets
import re

app = FastAPI(title="Secure Authentication System")

# Password hashing configuration
pwd_context = CryptContext(
    schemes=["bcrypt"],
    deprecated="auto",
    bcrypt__rounds=12,
)

# Security scheme
security = HTTPBasic(auto_error=True)


# === DATA MODELS ===

class UserCreate(BaseModel):
    """Model for creating new users with password validation."""
    username: str = Field(..., min_length=3, max_length=50, pattern=r"^[a-zA-Z0-9_]+$")
    email: str = Field(..., pattern=r"^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$")
    password: str = Field(..., min_length=8)
    
    @field_validator("password")
    @classmethod
    def validate_password_strength(cls, v: str) -> str:
        """
        Validate password meets security requirements.
        
        Requirements:
        - At least 8 characters
        - At least one uppercase letter
        - At least one lowercase letter
        - At least one digit
        - At least one special character
        """
        if len(v) < 8:
            raise ValueError("Password must be at least 8 characters")
        
        if not re.search(r"[A-Z]", v):
            raise ValueError("Password must contain at least one uppercase letter")
        
        if not re.search(r"[a-z]", v):
            raise ValueError("Password must contain at least one lowercase letter")
        
        if not re.search(r"\d", v):
            raise ValueError("Password must contain at least one digit")
        
        if not re.search(r"[!@#$%^&*(),.?\":{}|<>]", v):
            raise ValueError("Password must contain at least one special character")
        
        return v


class UserResponse(BaseModel):
    """Safe user response model (excludes password)."""
    username: str
    email: str
    created_at: datetime
    is_active: bool


class UserInDB(BaseModel):
    """Internal user representation with hashed password."""
    username: str
    email: str
    hashed_password: str
    created_at: datetime
    is_active: bool = True


# === IN-MEMORY DATABASE (use real database in production) ===

fake_users_db: dict[str, UserInDB] = {}


# === UTILITY FUNCTIONS ===

def hash_password(password: str) -> str:
    """
    Hash a plaintext password using bcrypt.
    
    Args:
        password: Plaintext password to hash
        
    Returns:
        str: bcrypt hash string
    """
    return pwd_context.hash(password)


def verify_password(plain_password: str, hashed_password: str) -> bool:
    """
    Verify a plaintext password against a hash.
    
    Uses constant-time comparison to prevent timing attacks.
    
    Args:
        plain_password: Password from user input
        hashed_password: Stored hash from database
        
    Returns:
        bool: True if password matches, False otherwise
    """
    return pwd_context.verify(plain_password, hashed_password)


def authenticate_user(username: str, password: str) -> Optional[UserInDB]:
    """
    Authenticate user by username and password.
    
    Args:
        username: Username to look up
        password: Plaintext password to verify
        
    Returns:
        UserInDB if authentication succeeds, None otherwise
    """
    user = fake_users_db.get(username)
    if not user:
        return None
    if not verify_password(password, user.hashed_password):
        return None
    return user


# === API ENDPOINTS ===

@app.post("/auth/register", response_model=UserResponse, status_code=status.HTTP_201_CREATED)
async def register_user(user_data: UserCreate):
    """
    Register a new user with secure password hashing.
    
    Steps:
    1. Validate username uniqueness
    2. Hash password with bcrypt
    3. Store user (with hash, never plaintext password)
    """
    # Check if user exists
    if user_data.username in fake_users_db:
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail="Username already registered",
        )
    
    # Check if email exists (in real app, query by email)
    for user in fake_users_db.values():
        if user.email == user_data.email:
            raise HTTPException(
                status_code=status.HTTP_400_BAD_REQUEST,
                detail="Email already registered",
            )
    
    # Hash the password (NEVER store plaintext)
    hashed_password = hash_password(user_data.password)
    
    # Create user
    new_user = UserInDB(
        username=user_data.username,
        email=user_data.email,
        hashed_password=hashed_password,
        created_at=datetime.utcnow(),
    )
    
    # Save to database
    fake_users_db[user_data.username] = new_user
    
    # Return user data (without password)
    return UserResponse(
        username=new_user.username,
        email=new_user.email,
        created_at=new_user.created_at,
        is_active=new_user.is_active,
    )


@app.get("/auth/login")
async def login(credentials: HTTPBasicCredentials = Depends(security)):
    """
    Authenticate user with HTTP Basic and return success message.
    
    In production, this would return a JWT token (covered in next chapter).
    """
    user = authenticate_user(credentials.username, credentials.password)
    
    if not user:
        # Generic error message to prevent username enumeration
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Invalid authentication credentials",
            headers={"WWW-Authenticate": "Basic"},
        )
    
    if not user.is_active:
        raise HTTPException(
            status_code=status.HTTP_403_FORBIDDEN,
            detail="User account is disabled",
        )
    
    return {
        "message": "Authentication successful",
        "username": user.username,
        "email": user.email,
        "note": "In production, return JWT token here",
    }


@app.get("/auth/me", response_model=UserResponse)
async def get_current_user(credentials: HTTPBasicCredentials = Depends(security)):
    """Get current authenticated user's information."""
    user = authenticate_user(credentials.username, credentials.password)
    
    if not user:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Invalid authentication credentials",
            headers={"WWW-Authenticate": "Basic"},
        )
    
    return UserResponse(
        username=user.username,
        email=user.email,
        created_at=user.created_at,
        is_active=user.is_active,
    )


@app.post("/auth/change-password")
async def change_password(
    old_password: str,
    new_password: str,
    credentials: HTTPBasicCredentials = Depends(security),
):
    """
    Change user password with verification of old password.
    
    Security considerations:
    1. Verify old password first
    2. Validate new password strength
    3. Hash new password immediately
    4. Invalidate existing sessions/tokens
    """
    user = authenticate_user(credentials.username, credentials.password)
    
    if not user:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Invalid credentials",
        )
    
    # Verify old password matches
    if not verify_password(old_password, user.hashed_password):
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail="Old password is incorrect",
        )
    
    # Validate new password (reuse validation logic)
    try:
        UserCreate.validate_password_strength(new_password)
    except ValueError as e:
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail=str(e),
        )
    
    # Hash and update
    user.hashed_password = hash_password(new_password)
    
    # In production: Invalidate all existing tokens/sessions here
    
    return {"message": "Password updated successfully"}


# Security endpoint to demonstrate timing attack prevention
@app.post("/auth/timing-demo")
async def timing_attack_demo(username: str, password: str):
    """
    Educational endpoint to demonstrate why timing matters.
    
    If we used '==' for comparison, attackers could measure
    response times to determine valid usernames.
    """
    # Secure approach (constant time)
    user = fake_users_db.get(username)
    if user:
        # This takes constant time regardless of password correctness
        pwd_context.verify(password, user.hashed_password)
    else:
        # Still perform hash to prevent timing leaks
        pwd_context.verify(password, "$2b$12$dummy.hash.for.timing.prevention")
    
    # Always return same error to prevent enumeration
    raise HTTPException(
        status_code=status.HTTP_401_UNAUTHORIZED,
        detail="Invalid credentials",
    )
```

#### Password Security Best Practices

```python
# password_security_checklist.py
"""
Password Security Checklist for Production Applications

1. HASHING REQUIREMENTS
   ✓ Use bcrypt, Argon2, or scrypt (NOT MD5, SHA1, SHA256)
   ✓ Cost factor minimum 10-12 for bcrypt (adjust as hardware improves)
   ✓ Unique salt per password (handled automatically by modern libraries)
   
2. PASSWORD COMPLEXITY
   ✓ Minimum 8 characters (12+ recommended)
   ✓ Require mixed case, digits, and symbols
   ✓ Check against common password lists (haveibeenpwned API)
   ✓ Prevent password reuse (check against previous hashes)
   
3. STORAGE SECURITY
   ✓ Never log passwords (even in error logs)
   ✓ Never store in session data
   ✓ Encrypt database at rest
   ✓ Separate auth database from application database if possible
   
4. OPERATIONAL SECURITY
   ✓ Rate limit authentication attempts (prevent brute force)
   ✓ Implement account lockout after failed attempts
   ✓ Monitor for unusual login patterns
   ✓ Force password rotation after suspected breach
   
5. USER EXPERIENCE
   ✓ Provide clear password requirements upfront
   ✓ Use strength indicators during registration
   ✓ Allow password managers (don't disable paste)
   ✓ Implement secure password reset flows
"""

from fastapi import Request
from slowapi import Limiter
from slowapi.util import get_remote_address

# Rate limiting to prevent brute force
limiter = Limiter(key_func=get_remote_address)

@app.post("/auth/login")
@limiter.limit("5/minute")  # Max 5 attempts per minute per IP
async def login_rate_limited(request: Request, credentials: HTTPBasicCredentials = Depends(security)):
    """Login endpoint with brute force protection."""
    # ... authentication logic
    pass
```

---

### Summary

In this chapter, you learned the foundational security concepts for FastAPI applications:

1. **Security Schemes**: Understanding OpenAPI security schemes including API Keys (header, query, cookie), HTTP Bearer tokens, and OAuth2 flows. FastAPI automatically integrates these into interactive documentation.

2. **HTTP Basic Authentication**: Implementing simple username/password authentication using `HTTPBasic`, with proper error handling, timing attack prevention using `secrets.compare_digest()`, and integration with databases.

3. **Password Hashing**: Using `passlib` with `bcrypt` for secure password storage, including password strength validation, secure verification, and protection against timing attacks.

**Key Takeaways:**
- Never store plaintext passwords—always hash with bcrypt or Argon2
- Use HTTPS for all authentication endpoints
- Implement rate limiting to prevent brute force attacks
- Use constant-time comparison functions to prevent timing attacks
- Return generic error messages to prevent user enumeration

---

### What's Next?

**Chapter 12: OAuth2 and JWT** will cover:
- **OAuth2 Password Flow**: Implementing token-based authentication using FastAPI's built-in OAuth2 utilities
- **JSON Web Tokens (JWT)**: Generating and validating stateless authentication tokens with expiration and refresh mechanisms
- **Dependency-Based Auth**: Creating reusable `Depends()` patterns for protecting routes
- **Current User Pattern**: Extracting and validating the authenticated user in endpoint dependencies
- **Role-Based Access Control (RBAC)**: Implementing scopes and permissions for fine-grained authorization

This next chapter builds on the hashing fundamentals you've learned here to implement modern, scalable authentication suitable for production APIs and single-page applications.