# Part VI: Database Integration

## Chapter 13: SQL Databases with SQLAlchemy

Modern APIs require persistent data storage, and SQL databases remain the backbone of production applications. FastAPI's async nature pairs perfectly with SQLAlchemy 2.0's async capabilities, allowing you to perform database operations without blocking the event loop. This chapter covers the complete integration of async SQLAlchemy with FastAPI, from connection pooling to complex relationships, while maintaining the authentication patterns established in previous chapters.

---

### 13.1 Async SQLAlchemy: Setting Up Async Engines and Sessions

SQLAlchemy 2.0 introduced first-class async support using `asyncio`. Unlike the synchronous version that blocks the event loop, async SQLAlchemy allows your API to handle other requests while waiting for database operations.

#### Understanding Async vs Sync Database Access

```
┌─────────────────────────────────────────────────────────────────┐
│           Synchronous vs Asynchronous Database Access             │
├─────────────────────────────────────────────────────────────────┤
│                                                                  │
│  Synchronous (Blocking):                                         │
│  ┌─────────┐    ┌──────────┐    ┌─────────┐                      │
│  │ Request │───▶│ DB Query │───▶│ Response│                      │
│  │   #1    │    │ (wait)   │    │         │                      │
│  └─────────┘    └──────────┘    └─────────┘                      │
│       │              │                 │                         │
│       │              │ (Blocked)       │                         │
│       │              ▼                 │                         │
│  ┌─────────┐    ┌──────────┐    ┌─────────┐                      │
│  │ Request │───▶│   Wait   │───▶│  Later  │                      │
│  │   #2    │    │ (blocked)│    │         │                      │
│  └─────────┘    └──────────┘    └─────────┘                      │
│                                                                  │
│  Asynchronous (Non-blocking):                                   │
│  ┌─────────┐    ┌──────────┐    ┌─────────┐                      │
│  │ Request │───▶│ DB Query │───▶│ Response│                      │
│  │   #1    │    │ (await)  │    │         │                      │
│  └─────────┘    └──────────┘    └─────────┘                      │
│       │              │                 │                         │
│       │              │ (Event Loop     │                         │
│       │              │  switches)      │                         │
│       ▼              ▼                 ▼                         │
│  ┌─────────┐    ┌──────────┐    ┌─────────┐                      │
│  │ Request │───▶│ Process  │───▶│ DB Query│                      │
│  │   #2    │    │ Logic    │    │ (await) │                      │
│  └─────────┘    └──────────┘    └─────────┘                      │
│                                                                  │
│  Benefits:                                                       │
│  - Handle 1000s of concurrent connections                        │
│  - No blocking during I/O waits                                  │
│  - Better resource utilization                                   │
│                                                                  │
└─────────────────────────────────────────────────────────────────┘
```

#### Complete Async SQLAlchemy Setup

```python
# database.py - Core database configuration
from sqlalchemy.ext.asyncio import (
    create_async_engine,
    AsyncSession,
    async_sessionmaker,
    AsyncAttrs,
)
from sqlalchemy.orm import DeclarativeBase, Mapped, mapped_column
from sqlalchemy import String, DateTime, ForeignKey, select, func
from datetime import datetime
from typing import AsyncGenerator, Optional
import logging

logger = logging.getLogger(__name__)

# Base class for all models
class Base(AsyncAttrs, DeclarativeBase):
    """
    Base class for all SQLAlchemy models.
    
    AsyncAttrs provides async attribute access for relationships.
    DeclarativeBase is the SQLAlchemy 2.0 base class.
    """
    pass


# Database URL for async PostgreSQL
# Format: postgresql+asyncpg://user:password@host:port/database
# For SQLite: sqlite+aiosqlite:///./app.db
DATABASE_URL = "postgresql+asyncpg://user:password@localhost:5432/fastapi_db"

# Create async engine
# The engine is the entry point to the database
engine = create_async_engine(
    DATABASE_URL,
    # Connection pool settings
    pool_size=5,              # Keep 5 connections ready
    max_overflow=10,          # Allow 10 additional temporary connections
    pool_timeout=30,          # Wait up to 30 seconds for available connection
    pool_recycle=1800,        # Recycle connections after 30 minutes
    
    # Echo SQL queries for debugging (disable in production)
    echo=False,
    
    # Use asyncio future mode for better performance
    future=True,
)

# Create session factory
# async_sessionmaker creates AsyncSession instances
AsyncSessionLocal = async_sessionmaker(
    engine,
    class_=AsyncSession,
    expire_on_commit=False,   # Don't expire objects after commit
    autoflush=False,          # Don't auto-flush before queries
)


# Dependency to get DB session
async def get_db() -> AsyncGenerator[AsyncSession, None]:
    """
    FastAPI dependency that provides a database session.
    
    Usage:
        @app.get("/items")
        async def get_items(db: AsyncSession = Depends(get_db)):
            ...
    
    Yields:
        AsyncSession: Database session with automatic cleanup
    
    Notes:
        - Session is automatically closed after request
        - Commits must be done explicitly in endpoint
        - Rollback on unhandled exceptions
    """
    async with AsyncSessionLocal() as session:
        try:
            yield session
            # Commit if no exceptions (optional - usually commit in endpoint)
            # await session.commit()
        except Exception:
            # Rollback on any exception
            await session.rollback()
            raise
        finally:
            # Always close session
            await session.close()


# Lifespan context for startup/shutdown
from contextlib import asynccontextmanager
from fastapi import FastAPI

@asynccontextmanager
async def lifespan(app: FastAPI):
    """
    Application lifespan handler for database.
    
    Creates tables on startup (for dev only - use Alembic in production).
    Disposes engine on shutdown.
    """
    # Startup: Create tables
    async with engine.begin() as conn:
        # await conn.run_sync(Base.metadata.create_all)
        pass  # Use Alembic migrations in production
    
    logger.info("Database engine initialized")
    
    yield  # Application runs here
    
    # Shutdown: Close connections
    await engine.dispose()
    logger.info("Database connections closed")
```

**Key Configuration Details:**

1. **`create_async_engine`**: Creates an async-aware connection pool. The `pool_size` and `max_overflow` control how many database connections are maintained. This is crucial for performance—too few connections cause bottlenecks, too many overwhelm the database.

2. **`async_sessionmaker`**: Factory for creating `AsyncSession` instances. `expire_on_commit=False` keeps objects usable after committing, which is essential for returning created objects in API responses.

3. **`get_db` dependency**: The `yield` pattern creates a context manager. FastAPI automatically handles the generator, ensuring cleanup happens even if exceptions occur.

#### SQLAlchemy 2.0 Model Definition

```python
# models.py - SQLAlchemy 2.0 style models
from sqlalchemy import String, DateTime, Text, Boolean, ForeignKey, Index
from sqlalchemy.orm import Mapped, mapped_column, relationship
from sqlalchemy.sql import func
from datetime import datetime
from typing import Optional, List
import uuid

from app.database import Base


class User(Base):
    """
    User model with SQLAlchemy 2.0 mapped_column syntax.
    
    SQLAlchemy 2.0 uses Python type hints with Mapped[] for explicit typing.
    """
    __tablename__ = "users"
    
    # Primary key with UUID
    id: Mapped[str] = mapped_column(
        String(36),
        primary_key=True,
        default=lambda: str(uuid.uuid4())
    )
    
    # Required fields
    username: Mapped[str] = mapped_column(
        String(50),
        unique=True,
        index=True,
        nullable=False,
        comment="Unique username for login"
    )
    
    email: Mapped[str] = mapped_column(
        String(255),
        unique=True,
        index=True,
        nullable=False
    )
    
    # Hashed password (never store plaintext)
    hashed_password: Mapped[str] = mapped_column(
        String(255),
        nullable=False
    )
    
    # Optional fields
    full_name: Mapped[Optional[str]] = mapped_column(
        String(100),
        nullable=True
    )
    
    # Boolean with default
    is_active: Mapped[bool] = mapped_column(
        Boolean,
        default=True,
        nullable=False
    )
    
    is_superuser: Mapped[bool] = mapped_column(
        Boolean,
        default=False,
        nullable=False
    )
    
    # Timestamps with database defaults
    created_at: Mapped[datetime] = mapped_column(
        DateTime(timezone=True),
        server_default=func.now(),
        nullable=False
    )
    
    updated_at: Mapped[datetime] = mapped_column(
        DateTime(timezone=True),
        server_default=func.now(),
        onupdate=func.now(),
        nullable=False
    )
    
    # Relationships
    # "items" refers to the Item model's user attribute
    items: Mapped[List["Item"]] = relationship(
        back_populates="owner",
        cascade="all, delete-orphan",  # Delete items when user deleted
        lazy="selectin",  # Load strategy
    )
    
    # String representation
    def __repr__(self) -> str:
        return f"<User(id={self.id}, username={self.username})>"


class Item(Base):
    """Item model belonging to a user."""
    __tablename__ = "items"
    
    id: Mapped[str] = mapped_column(
        String(36),
        primary_key=True,
        default=lambda: str(uuid.uuid4())
    )
    
    title: Mapped[str] = mapped_column(
        String(100),
        nullable=False,
        index=True
    )
    
    description: Mapped[Optional[str]] = mapped_column(
        Text,
        nullable=True
    )
    
    # Foreign key with cascade
    owner_id: Mapped[str] = mapped_column(
        ForeignKey("users.id", ondelete="CASCADE"),
        nullable=False,
        index=True
    )
    
    created_at: Mapped[datetime] = mapped_column(
        DateTime(timezone=True),
        server_default=func.now(),
        nullable=False
    )
    
    # Relationship back to user
    owner: Mapped["User"] = relationship(back_populates="items")
    
    # Table indexes for performance
    __table_args__ = (
        Index('ix_items_owner_title', 'owner_id', 'title'),
    )
    
    def __repr__(self) -> str:
        return f"<Item(id={self.id}, title={self.title})>"
```

**SQLAlchemy 2.0 Syntax Explained:**

- **`Mapped[type]`**: Explicit type annotation indicating this is a mapped column. This enables IDE autocomplete and type checking.
- **`mapped_column()`**: Configuration for the column (constraints, defaults, indexes).
- **`relationship()`**: Defines ORM relationships. `back_populates` creates bidirectional navigation (user.items and item.owner).
- **`lazy="selectin"`**: Loading strategy that uses a second SELECT to load relationships, efficient for async code.

---

### 13.2 Dependency Injection for DB Sessions: Managing Connections Per Request

Proper session management is critical for performance and data integrity. FastAPI's dependency injection makes it straightforward to provide database sessions to endpoints while ensuring proper cleanup.

#### The Session Lifecycle Pattern

```python
# dependencies.py - Database dependencies
from fastapi import Depends, HTTPException, status
from sqlalchemy.ext.asyncio import AsyncSession
from sqlalchemy import select
from typing import Annotated

from app.database import get_db, AsyncSessionLocal
from app.models import User

# Type alias for dependency injection
DBSession = Annotated[AsyncSession, Depends(get_db)]


async def get_db_strict() -> AsyncSession:
    """
    Alternative dependency that doesn't use generators.
    
    Useful when you need explicit control over session lifecycle.
    """
    session = AsyncSessionLocal()
    try:
        return session
    finally:
        # Note: Caller must close this session
        pass


# User retrieval dependency
async def get_user_by_id(
    user_id: str,
    db: AsyncSession
) -> User:
    """
    Retrieve user by ID with proper error handling.
    
    Args:
        user_id: UUID string of user
        db: Database session
    
    Returns:
        User: User model instance
    
    Raises:
        HTTPException: 404 if user not found
    """
    result = await db.execute(
        select(User).where(User.id == user_id)
    )
    user = result.scalar_one_or_none()
    
    if not user:
        raise HTTPException(
            status_code=status.HTTP_404_NOT_FOUND,
            detail=f"User with id {user_id} not found"
        )
    
    return user


# Current user with database (combining auth + DB)
from app.auth import get_current_user_token  # From Chapter 12

async def get_current_active_user_db(
    token: Annotated[str, Depends(get_current_user_token)],
    db: DBSession
) -> User:
    """
    Get current user from database using JWT token.
    
    This combines authentication from Chapter 12 with database access.
    """
    from jose import jwt
    from app.config import SECRET_KEY, ALGORITHM
    
    # Decode token to get user ID
    payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
    user_id: str = payload.get("sub")
    
    if not user_id:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Invalid token"
        )
    
    # Query database for fresh user data
    result = await db.execute(
        select(User).where(User.id == user_id)
    )
    user = result.scalar_one_or_none()
    
    if not user:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="User not found"
        )
    
    if not user.is_active:
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail="Inactive user"
        )
    
    return user


# Type alias for current user dependency
CurrentUser = Annotated[User, Depends(get_current_active_user_db)]
```

#### Transaction Management in Endpoints

```python
# transactions.py - Proper transaction handling
from fastapi import APIRouter, HTTPException, status
from sqlalchemy.exc import IntegrityError
from sqlalchemy import select

router = APIRouter()

@router.post("/users/", status_code=status.HTTP_201_CREATED)
async def create_user(
    user_data: UserCreate,
    db: DBSession
):
    """
    Create user with proper transaction handling.
    
    Explicit transaction control:
    1. Check if user exists (no transaction yet)
    2. Create user object
    3. Add to session
    4. Commit explicitly
    5. Refresh to get DB-generated values
    """
    # Check for existing user
    existing = await db.execute(
        select(User).where(
            (User.email == user_data.email) | 
            (User.username == user_data.username)
        )
    )
    if existing.scalar_one_or_none():
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail="User with this email or username already exists"
        )
    
    # Hash password (from Chapter 11)
    from passlib.context import CryptContext
    pwd_context = CryptContext(schemes=["bcrypt"])
    
    # Create user
    db_user = User(
        username=user_data.username,
        email=user_data.email,
        hashed_password=pwd_context.hash(user_data.password),
        full_name=user_data.full_name,
        is_active=True
    )
    
    # Add to session
    db.add(db_user)
    
    try:
        # Commit transaction
        await db.commit()
        
        # Refresh to get generated fields (created_at, id)
        await db.refresh(db_user)
        
    except IntegrityError as e:
        # Rollback on integrity error (race condition)
        await db.rollback()
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail=f"Database integrity error: {str(e)}"
        )
    
    return db_user


@router.post("/transfer")
async def transfer_ownership(
    item_id: str,
    new_owner_id: str,
    db: DBSession,
    current_user: CurrentUser
):
    """
    Complex transaction with multiple operations.
    
    All operations succeed or fail together (ACID).
    """
    # Start explicit transaction block (optional but clear)
    async with db.begin():
        # Get item with lock (FOR UPDATE prevents race conditions)
        result = await db.execute(
            select(Item)
            .where(Item.id == item_id)
            .with_for_update()  # Row-level lock
        )
        item = result.scalar_one_or_none()
        
        if not item:
            raise HTTPException(status_code=404, detail="Item not found")
        
        if item.owner_id != current_user.id and not current_user.is_superuser:
            raise HTTPException(status_code=403, detail="Not authorized")
        
        # Verify new owner exists
        new_owner = await db.execute(
            select(User).where(User.id == new_owner_id)
        )
        if not new_owner.scalar_one_or_none():
            raise HTTPException(status_code=404, detail="New owner not found")
        
        # Update owner
        item.owner_id = new_owner_id
        
        # Log the transfer (in same transaction)
        log = TransferLog(
            item_id=item_id,
            from_user_id=current_user.id,
            to_user_id=new_owner_id,
            transferred_at=datetime.utcnow()
        )
        db.add(log)
        
        # Transaction commits automatically at end of 'async with' block
        # Or rolls back if exception occurs
    
    return {"message": "Transfer successful", "item_id": item_id}
```

**Transaction Best Practices:**

1. **Explicit Commits**: Call `await db.commit()` explicitly in endpoints so you control when data is persisted.
2. **Rollback on Error**: The `get_db` dependency handles rollback on exceptions, but explicit rollback in `except` blocks is clearer.
3. **Row Locking**: Use `.with_for_update()` when reading data that will be immediately updated to prevent race conditions.
4. **Begin Blocks**: Use `async with db.begin():` for complex transactions that must be atomic.

---

### 13.3 CRUD Operations: Creating, Reading, Updating, and Deleting Data

CRUD (Create, Read, Update, Delete) operations form the core of API development. With async SQLAlchemy, these operations use the `select()`, `add()`, and `delete()` functions rather than the legacy `query()` interface.

#### Complete CRUD Implementation

```python
# crud_operations.py
from fastapi import APIRouter, HTTPException, status, Query
from sqlalchemy import select, update, delete, func
from sqlalchemy.orm import selectinload
from typing import List, Optional

router = APIRouter(prefix="/items", tags=["items"])

# CREATE
@router.post("/", response_model=ItemResponse, status_code=201)
async def create_item(
    item: ItemCreate,
    db: DBSession,
    current_user: CurrentUser
):
    """
    Create a new item for the current user.
    
    Demonstrates:
    - Creating ORM instance from Pydantic model
    - Adding to session
    - Committing and refreshing
    """
    # Create ORM instance
    db_item = Item(
        title=item.title,
        description=item.description,
        owner_id=current_user.id
    )
    
    # Add to session (pending insert)
    db.add(db_item)
    
    # Commit to database
    await db.commit()
    
    # Refresh to load relationships and defaults
    await db.refresh(db_item)
    
    return db_item


# READ (Single)
@router.get("/{item_id}", response_model=ItemWithOwner)
async def get_item(
    item_id: str,
    db: DBSession,
    current_user: CurrentUser
):
    """
    Get single item by ID with owner information.
    
    Demonstrates:
    - Select with join (eager loading)
    - Permission checking
    """
    # Eager load owner relationship to avoid N+1 query
    result = await db.execute(
        select(Item)
        .options(selectinload(Item.owner))  # Load owner in same query
        .where(Item.id == item_id)
    )
    item = result.scalar_one_or_none()
    
    if not item:
        raise HTTPException(status_code=404, detail="Item not found")
    
    # Check permissions (owner or superuser)
    if item.owner_id != current_user.id and not current_user.is_superuser:
        raise HTTPException(status_code=403, detail="Not authorized")
    
    return item


# READ (List with Pagination)
@router.get("/", response_model=PaginatedItems)
async def list_items(
    db: DBSession,
    current_user: CurrentUser,
    skip: int = Query(0, ge=0, description="Number of records to skip"),
    limit: int = Query(10, ge=1, le=100, description="Max records to return"),
    search: Optional[str] = Query(None, description="Search in title"),
    owner_only: bool = Query(False, description="Only show current user's items")
):
    """
    List items with pagination, search, and filtering.
    
    Demonstrates:
    - Complex query building
    - Count query for pagination
    - Conditional filters
    """
    # Base query
    query = select(Item).options(selectinload(Item.owner))
    
    # Apply filters
    if owner_only:
        query = query.where(Item.owner_id == current_user.id)
    elif not current_user.is_superuser:
        # Non-superusers see public items + their own
        query = query.where(
            (Item.owner_id == current_user.id) | (Item.is_public == True)
        )
    
    if search:
        query = query.where(Item.title.ilike(f"%{search}%"))
    
    # Get total count for pagination metadata
    count_query = select(func.count()).select_from(query.subquery())
    total_result = await db.execute(count_query)
    total = total_result.scalar()
    
    # Apply pagination
    query = query.offset(skip).limit(limit)
    
    # Order by creation date
    query = query.order_by(Item.created_at.desc())
    
    # Execute
    result = await db.execute(query)
    items = result.scalars().all()
    
    return {
        "items": items,
        "total": total,
        "skip": skip,
        "limit": limit
    }


# UPDATE (Partial)
@router.patch("/{item_id}", response_model=ItemResponse)
async def update_item(
    item_id: str,
    item_update: ItemUpdate,  # Pydantic model with optional fields
    db: DBSession,
    current_user: CurrentUser
):
    """
    Partial update of item (PATCH semantics).
    
    Demonstrates:
    - Selective field updates
    - Checking ownership before update
    - Optimistic concurrency (optional)
    """
    # Get item
    result = await db.execute(
        select(Item).where(Item.id == item_id)
    )
    db_item = result.scalar_one_or_none()
    
    if not db_item:
        raise HTTPException(status_code=404, detail="Item not found")
    
    # Check ownership
    if db_item.owner_id != current_user.id:
        raise HTTPException(status_code=403, detail="Not authorized to update")
    
    # Update only provided fields
    update_data = item_update.model_dump(exclude_unset=True)
    
    for field, value in update_data.items():
        setattr(db_item, field, value)
    
    # Update the updated_at timestamp
    db_item.updated_at = datetime.utcnow()
    
    # Commit
    await db.commit()
    await db.refresh(db_item)
    
    return db_item


# UPDATE (Full Replace)
@router.put("/{item_id}", response_model=ItemResponse)
async def replace_item(
    item_id: str,
    item_data: ItemCreate,  # All fields required
    db: DBSession,
    current_user: CurrentUser
):
    """
    Full replacement of item (PUT semantics).
    
    Replaces entire resource, resetting unspecified fields to defaults.
    """
    result = await db.execute(
        select(Item).where(Item.id == item_id)
    )
    db_item = result.scalar_one_or_none()
    
    if not db_item:
        raise HTTPException(status_code=404, detail="Item not found")
    
    if db_item.owner_id != current_user.id:
        raise HTTPException(status_code=403, detail="Not authorized")
    
    # Replace all fields
    db_item.title = item_data.title
    db_item.description = item_data.description
    # owner_id remains the same (transfer is separate operation)
    
    await db.commit()
    await db.refresh(db_item)
    
    return db_item


# DELETE
@router.delete("/{item_id}", status_code=status.HTTP_204_NO_CONTENT)
async def delete_item(
    item_id: str,
    db: DBSession,
    current_user: CurrentUser
):
    """
    Delete item by ID.
    
    Demonstrates:
    - Delete query execution
    - Checking ownership
    - Cascade behavior (defined in model)
    """
    # Check existence and ownership
    result = await db.execute(
        select(Item).where(Item.id == item_id)
    )
    item = result.scalar_one_or_none()
    
    if not item:
        raise HTTPException(status_code=404, detail="Item not found")
    
    if item.owner_id != current_user.id and not current_user.is_superuser:
        raise HTTPException(status_code=403, detail="Not authorized")
    
    # Delete
    await db.execute(
        delete(Item).where(Item.id == item_id)
    )
    await db.commit()
    
    return None  # 204 No Content


# BULK OPERATIONS
@router.post("/bulk", status_code=201)
async def create_items_bulk(
    items: List[ItemCreate],
    db: DBSession,
    current_user: CurrentUser
):
    """
    Bulk create items efficiently.
    
    Demonstrates:
    - Bulk insert optimization
    - Single commit for multiple records
    """
    db_items = [
        Item(
            title=item.title,
            description=item.description,
            owner_id=current_user.id
        )
        for item in items
    ]
    
    # Add all at once
    db.add_all(db_items)
    await db.commit()
    
    # Refresh all (optional, has performance cost)
    for item in db_items:
        await db.refresh(item)
    
    return {"created": len(db_items), "items": db_items}
```

---

### 13.4 Relationships: Handling Foreign Keys and Relationships in API Responses

SQLAlchemy relationships allow you to navigate between tables (e.g., user.items or item.owner). However, improper loading causes the "N+1 query problem" where one query becomes many.

#### Solving the N+1 Problem

```
┌─────────────────────────────────────────────────────────────────┐
│                    The N+1 Query Problem                         │
├─────────────────────────────────────────────────────────────────┤
│                                                                  │
│  Scenario: Fetch 100 items with their owners                   │
│                                                                  │
│  WITHOUT Eager Loading (N+1):                                  │
│  1. SELECT * FROM items LIMIT 100;        -- 1 query            │
│  2. SELECT * FROM users WHERE id=1;       -- +1                 │
│  3. SELECT * FROM users WHERE id=2;       -- +1                 │
│  ...                                                             │
│  101. SELECT * FROM users WHERE id=100;  -- Total: 101 queries  │
│                                                                  │
│  WITH Eager Loading (selectinload):                              │
│  1. SELECT * FROM items LIMIT 100;        -- 1 query            │
│  2. SELECT * FROM users WHERE id IN (1,2,3...100); -- 1 query    │
│                                                                  │
│  Total: 2 queries vs 101 queries                               │
│                                                                  │
│  Async SQLAlchemy 2.0 Loading Strategies:                        │
│  - selectinload(): Best for async, loads in separate query      │
│  - joinedload(): JOIN in single query (can duplicate rows)        │
│  - lazyload(): Loads on access (avoid in async)                  │
│                                                                  │
└─────────────────────────────────────────────────────────────────┘
```

#### Relationship Loading Strategies

```python
# relationships.py - Proper relationship handling
from sqlalchemy.orm import selectinload, joinedload
from sqlalchemy import select
from fastapi import APIRouter

router = APIRouter()

@router.get("/users/with-items")
async def get_users_with_items(
    db: DBSession,
    current_user: CurrentUser
):
    """
    Get users with their items using selectinload.
    
    selectinload is optimal for async because:
    - Doesn't interfere with LIMIT/OFFSET
    - Loads relationships in separate query
    - Works well with async sessions
    """
    result = await db.execute(
        select(User)
        .options(
            selectinload(User.items)  # Eager load items relationship
        )
        .where(User.is_active == True)
    )
    users = result.scalars().all()
    
    return users


@router.get("/items/with-owner")
async def get_items_with_owner(db: DBSession):
    """
    Get items with owner info using joinedload.
    
    joinedload uses JOIN - good for many-to-one relationships
    but can duplicate rows with one-to-many.
    """
    result = await db.execute(
        select(Item)
        .options(
            joinedload(Item.owner)  # JOIN users table
        )
        .limit(100)
    )
    items = result.scalars().unique().all()  # .unique() deduplicates
    
    return items


@router.get("/users/detailed")
async def get_users_detailed(db: DBSession):
    """
    Complex nested loading.
    
    Load users with items, and each item's tags.
    """
    from sqlalchemy.orm import subqueryload
    
    result = await db.execute(
        select(User)
        .options(
            selectinload(User.items)
            .selectinload(Item.tags)  # Nested relationship
        )
    )
    users = result.scalars().all()
    
    return users


# Handling circular references in Pydantic models
from pydantic import BaseModel, ConfigDict
from typing import List, Optional

class ItemBase(BaseModel):
    """Base Item schema."""
    title: str
    description: Optional[str]
    model_config = ConfigDict(from_attributes=True)

class ItemResponse(ItemBase):
    """Item with ID."""
    id: str
    owner_id: str
    
    class Config:
        from_attributes = True

class UserResponse(BaseModel):
    """User with items."""
    id: str
    username: str
    email: str
    items: List[ItemResponse] = []  # Nested relationship
    
    class Config:
        from_attributes = True


# Recursive relationships (e.g., comments with replies)
class Comment(Base):
    """Comment with self-referential relationship."""
    __tablename__ = "comments"
    
    id: Mapped[str] = mapped_column(primary_key=True)
    content: Mapped[str] = mapped_column(Text)
    parent_id: Mapped[Optional[str]] = mapped_column(
        ForeignKey("comments.id"),
        nullable=True
    )
    
    # Self-referential relationship
    replies: Mapped[List["Comment"]] = relationship(
        back_populates="parent",
        lazy="selectin"
    )
    parent: Mapped[Optional["Comment"]] = relationship(
        back_populates="replies",
        remote_side=[id]  # Points to same table
    )
```

---

### 13.5 Database Integration: Combining Authentication with Database

Integrating the JWT authentication from Chapter 12 with SQLAlchemy models creates a production-ready authentication system.

#### Complete Integration Example

```python
# auth_integration.py - Complete auth + database setup
from fastapi import APIRouter, Depends, HTTPException, status
from sqlalchemy import select
from sqlalchemy.ext.asyncio import AsyncSession
from datetime import timedelta
from jose import JWTError, jwt

from app.database import get_db
from app.models import User
from app.schemas import UserCreate, UserResponse, Token
from app.config import SECRET_KEY, ALGORITHM, ACCESS_TOKEN_EXPIRE_MINUTES
from app.auth import (
    verify_password,
    get_password_hash,
    create_access_token,
    oauth2_scheme
)

router = APIRouter(prefix="/auth", tags=["authentication"])

@router.post("/register", response_model=UserResponse, status_code=201)
async def register(
    user_data: UserCreate,
    db: AsyncSession = Depends(get_db)
):
    """
    Register new user with database storage.
    
    1. Check for existing user
    2. Hash password
    3. Create user in DB
    4. Return user (without password)
    """
    # Check existing
    result = await db.execute(
        select(User).where(
            (User.email == user_data.email) | 
            (User.username == user_data.username)
        )
    )
    if result.scalar_one_or_none():
        raise HTTPException(
            status_code=400,
            detail="User already exists"
        )
    
    # Create user
    db_user = User(
        username=user_data.username,
        email=user_data.email,
        hashed_password=get_password_hash(user_data.password),
        full_name=user_data.full_name,
        is_active=True
    )
    
    db.add(db_user)
    await db.commit()
    await db.refresh(db_user)
    
    return db_user


@router.post("/token", response_model=Token)
async def login(
    form_data: OAuth2PasswordRequestForm = Depends(),
    db: AsyncSession = Depends(get_db)
):
    """
    OAuth2 login endpoint with database validation.
    
    Validates credentials against database and returns JWT.
    """
    # Find user by username
    result = await db.execute(
        select(User).where(User.username == form_data.username)
    )
    user = result.scalar_one_or_none()
    
    # Verify credentials
    if not user or not verify_password(form_data.password, user.hashed_password):
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Incorrect username or password",
            headers={"WWW-Authenticate": "Bearer"},
        )
    
    if not user.is_active:
        raise HTTPException(
            status_code=400,
            detail="Inactive user"
        )
    
    # Create token
    access_token_expires = timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES)
    access_token = create_access_token(
        data={"sub": str(user.id)},  # Use user ID as subject
        expires_delta=access_token_expires
    )
    
    return {
        "access_token": access_token,
        "token_type": "bearer"
    }


async def get_current_user(
    token: str = Depends(oauth2_scheme),
    db: AsyncSession = Depends(get_db)
) -> User:
    """
    Dependency to get current user from JWT and database.
    
    Used to protect endpoints.
    """
    credentials_exception = HTTPException(
        status_code=status.HTTP_401_UNAUTHORIZED,
        detail="Could not validate credentials",
        headers={"WWW-Authenticate": "Bearer"},
    )
    
    try:
        payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
        user_id: str = payload.get("sub")
        if user_id is None:
            raise credentials_exception
    except JWTError:
        raise credentials_exception
    
    # Fetch fresh user data from database
    result = await db.execute(
        select(User).where(User.id == user_id)
    )
    user = result.scalar_one_or_none()
    
    if user is None:
        raise credentials_exception
    
    return user


async def get_current_active_user(
    current_user: User = Depends(get_current_user)
) -> User:
    """Verify user is active."""
    if not current_user.is_active:
        raise HTTPException(status_code=400, detail="Inactive user")
    return current_user


# Protected routes using database-backed auth
@router.get("/me", response_model=UserResponse)
async def read_users_me(
    current_user: User = Depends(get_current_active_user)
):
    """Get current authenticated user from database."""
    return current_user


@router.put("/me", response_model=UserResponse)
async def update_user_me(
    user_update: UserUpdate,
    current_user: User = Depends(get_current_active_user),
    db: AsyncSession = Depends(get_db)
):
    """Update current user in database."""
    for field, value in user_update.model_dump(exclude_unset=True).items():
        setattr(current_user, field, value)
    
    await db.commit()
    await db.refresh(current_user)
    return current_user
```

---

### Summary

In this chapter, you integrated SQL databases with FastAPI using async SQLAlchemy:

1. **Async SQLAlchemy Setup**: Configured `create_async_engine` with connection pooling, created `AsyncSession` factory, and established the `get_db` dependency for automatic session lifecycle management.

2. **Dependency Injection**: Implemented `Depends(get_db)` pattern providing database sessions to endpoints with automatic rollback on exceptions and proper connection cleanup.

3. **CRUD Operations**: Mastered SQLAlchemy 2.0 syntax using `select()`, `add()`, `commit()`, and `refresh()` for create/read/update/delete operations, including bulk operations and pagination.

4. **Relationships**: Solved the N+1 query problem using `selectinload()` and `joinedload()` for eager loading, handled self-referential relationships, and managed circular references in Pydantic schemas.

5. **Auth Integration**: Combined JWT authentication from Chapter 12 with database queries, creating dependencies that validate tokens and fetch fresh user data from PostgreSQL.

**Production Checklist:**
- Use Alembic for migrations (not `create_all`)
- Set `pool_size` based on expected load (typically 5-20)
- Always use eager loading (`selectinload`) for relationships
- Commit explicitly in endpoints
- Use `expire_on_commit=False` for returning created objects

---

### What's Next?

**Chapter 14: NoSQL and ORMs** will cover:
- **MongoDB with Motor/Beanie**: Async MongoDB integration using Beanie ODM for document-based storage
- **SQLModel**: Using Tiangolo's SQLModel that combines Pydantic and SQLAlchemy for less boilerplate
- **Migrations**: Using Alembic for database schema evolution and version control
- **Hybrid Architectures**: Combining SQL and NoSQL databases for different data needs (e.g., PostgreSQL for transactions, Redis for caching, MongoDB for logs)

This next chapter expands your database toolkit beyond relational SQL to handle diverse data requirements in modern applications.

<div style='width:100%; display:flex; justify-content:space-between; align-items:center; margin: 1em 0;'>
  <a href='../5. security_and_authentication/12. oauth2_and_jwt.ipynb' style='font-weight:bold; font-size:1.05em;'>&larr; Previous</a>
  <a href='../TOC.md' style='font-weight:bold; font-size:1.05em; text-align:center;'>Table of Contents</a>
  <a href='14. nosql_and_orms.ipynb' style='font-weight:bold; font-size:1.05em;'>Next &rarr;</a>
</div>
