# Part IV: Structuring Large Applications

## Chapter 9: Project Architecture

As your FastAPI application grows beyond a few endpoints, maintaining everything in a single `main.py` file becomes unsustainable. A well-structured architecture improves code organization, maintainability, testability, and team collaboration. This chapter teaches you industry-standard patterns for structuring production-ready FastAPI applications.

---

### 9.1 Modularization: Breaking the App into Multiple Files

The first step in scaling your application is splitting it into logical modules. This improves organization, enables parallel development, and makes your codebase more maintainable.

#### The Problem with Single-File Applications

```python
# ❌ BAD: Everything in main.py (1000+ lines)
# main.py
from fastapi import FastAPI, Depends, HTTPException
from pydantic import BaseModel
from sqlalchemy import create_engine
from sqlalchemy.orm import sessionmaker
# ... hundreds of imports ...

app = FastAPI()

# Database setup (50+ lines)
engine = create_engine("postgresql://...")
SessionLocal = sessionmaker(...)

# Models (100+ lines)
class User(Base): ...
class Item(Base): ...

# Pydantic schemas (100+ lines)
class UserCreate(BaseModel): ...
class UserResponse(BaseModel): ...
class ItemCreate(BaseModel): ...
class ItemResponse(BaseModel): ...

# Dependencies (50+ lines)
def get_db(): ...

# Routes - Users (150+ lines)
@app.post("/users")
async def create_user(): ...
@app.get("/users/{user_id}")
async def get_user(): ...
# ... more user routes ...

# Routes - Items (150+ lines)
@app.post("/items")
async def create_item(): ...
@app.get("/items/{item_id}")
async def get_item(): ...
# ... more item routes ...

# Routes - Orders (150+ lines)
# ... more routes ...

# Authentication logic (100+ lines)
# Middleware (50+ lines)
# Utility functions (50+ lines)
```

#### Recommended Project Structure

```
fastapi-app/
├── app/
│   ├── __init__.py
│   ├── main.py              # Application entry point
│   ├── config.py            # Configuration settings
│   ├── dependencies.py      # Shared dependencies
│   │
│   ├── api/                 # API layer
│   │   ├── __init__.py
│   │   ├── v1/              # API version 1
│   │   │   ├── __init__.py
│   │   │   ├── router.py    # Aggregates all v1 routers
│   │   │   └── endpoints/   # Endpoint modules
│   │   │       ├── __init__.py
│   │   │       ├── users.py
│   │   │       ├── items.py
│   │   │       └── auth.py
│   │   └── deps.py          # API-specific dependencies
│   │
│   ├── core/                # Core functionality
│   │   ├── __init__.py
│   │   ├── config.py        # Settings and configuration
│   │   ├── security.py      # Authentication, JWT, hashing
│   │   └── exceptions.py    # Custom exceptions
│   │
│   ├── models/              # Database models (ORM)
│   │   ├── __init__.py
│   │   ├── base.py          # Base model class
│   │   ├── user.py
│   │   └── item.py
│   │
│   ├── schemas/             # Pydantic models
│   │   ├── __init__.py
│   │   ├── user.py
│   │   ├── item.py
│   │   └── common.py        # Shared schemas
│   │
│   ├── services/            # Business logic layer
│   │   ├── __init__.py
│   │   ├── user_service.py
│   │   └── item_service.py
│   │
│   ├── repositories/        # Data access layer
│   │   ├── __init__.py
│   │   ├── base.py          # Base repository
│   │   ├── user_repo.py
│   │   └── item_repo.py
│   │
│   ├── db/                  # Database configuration
│   │   ├── __init__.py
│   │   ├── session.py       # Database session management
│   │   └── init_db.py       # Database initialization
│   │
│   └── utils/               # Utility functions
│       ├── __init__.py
│       └── helpers.py
│
├── tests/                   # Test suite
│   ├── __init__.py
│   ├── conftest.py          # Pytest fixtures
│   ├── test_api/
│   │   ├── __init__.py
│   │   ├── test_users.py
│   │   └── test_items.py
│   └── test_services/
│       ├── __init__.py
│       └── test_user_service.py
│
├── alembic/                 # Database migrations
│   ├── versions/
│   └── env.py
│
├── .env                     # Environment variables
├── .env.example             # Example environment file
├── pyproject.toml           # Project configuration
├── alembic.ini              # Alembic configuration
├── docker-compose.yml       # Docker composition
├── Dockerfile               # Container definition
└── README.md                # Project documentation
```

#### Implementing the Structure

Let's build out each component:

**1. Configuration (`app/core/config.py`)**

```python
# app/core/config.py
from functools import lru_cache
from typing import Annotated

from pydantic import Field
from pydantic_settings import BaseSettings, SettingsConfigDict


class Settings(BaseSettings):
    """Application settings loaded from environment variables."""

    model_config = SettingsConfigDict(
        env_file=".env",
        env_file_encoding="utf-8",
        case_sensitive=False,
        extra="ignore",
    )

    # Application
    app_name: str = "FastAPI Application"
    app_version: str = "1.0.0"
    debug: bool = False
    environment: str = "development"

    # API
    api_v1_prefix: str = "/api/v1"

    # Database
    database_url: str = Field(
        default="postgresql+asyncpg://postgres:password@localhost:5432/app_db",
        description="Database connection URL",
    )
    database_pool_size: int = 5
    database_max_overflow: int = 10

    # Security
    secret_key: str = Field(
        default="change-me-in-production",
        min_length=32,
    )
    algorithm: str = "HS256"
    access_token_expire_minutes: int = 30

    # CORS
    allowed_origins: list[str] = Field(
        default_factory=lambda: ["http://localhost:3000"]
    )

    @field_validator("allowed_origins", mode="before")
    @classmethod
    def parse_cors_origins(cls, v: str | list[str]) -> list[str]:
        if isinstance(v, str):
            return [origin.strip() for origin in v.split(",")]
        return v


@lru_cache
def get_settings() -> Settings:
    """Get cached settings instance."""
    return Settings()


# Type alias for dependency injection
SettingsDep = Annotated[Settings, "depends"]
```

**2. Database Session (`app/db/session.py`)**

```python
# app/db/session.py
from typing import AsyncGenerator

from sqlalchemy.ext.asyncio import AsyncSession, create_async_engine, async_sessionmaker
from sqlalchemy.orm import declarative_base

from app.core.config import get_settings

settings = get_settings()

# Create async engine
engine = create_async_engine(
    settings.database_url,
    pool_size=settings.database_pool_size,
    max_overflow=settings.database_max_overflow,
    echo=settings.debug,  # Log SQL queries in debug mode
)

# Create async session factory
AsyncSessionLocal = async_sessionmaker(
    engine,
    class_=AsyncSession,
    expire_on_commit=False,
    autocommit=False,
    autoflush=False,
)

# Base class for models
Base = declarative_base()


async def get_db() -> AsyncGenerator[AsyncSession, None]:
    """
    Dependency that provides an async database session.
    Ensures proper cleanup after request completion.
    """
    async with AsyncSessionLocal() as session:
        try:
            yield session
            await session.commit()
        except Exception:
            await session.rollback()
            raise
        finally:
            await session.close()
```

**3. Base Models (`app/models/base.py`)**

```python
# app/models/base.py
from datetime import datetime
from sqlalchemy import Column, Integer, DateTime
from sqlalchemy.orm import as_declarative, declared_attr


@as_declarative()
class Base:
    """Base model class with common fields and methods."""

    id = Column(Integer, primary_key=True, index=True)
    created_at = Column(DateTime, default=datetime.utcnow, nullable=False)
    updated_at = Column(
        DateTime,
        default=datetime.utcnow,
        onupdate=datetime.utcnow,
        nullable=False,
    )

    # Generate table name from class name
    @declared_attr.directive
    def __tablename__(cls) -> str:
        return cls.__name__.lower() + "s"

    def to_dict(self) -> dict:
        """Convert model to dictionary."""
        return {
            column.name: getattr(self, column.name)
            for column in self.__table__.columns
        }
```

**4. User Model (`app/models/user.py`)**

```python
# app/models/user.py
from sqlalchemy import Column, String, Boolean
from sqlalchemy.orm import relationship

from app.models.base import Base


class User(Base):
    """User database model."""

    __tablename__ = "users"

    username = Column(String(50), unique=True, index=True, nullable=False)
    email = Column(String(255), unique=True, index=True, nullable=False)
    hashed_password = Column(String(255), nullable=False)
    is_active = Column(Boolean, default=True, nullable=False)
    is_superuser = Column(Boolean, default=False, nullable=False)
    full_name = Column(String(100), nullable=True)

    # Relationships
    items = relationship("Item", back_populates="owner", lazy="selectin")

    def __repr__(self) -> str:
        return f"<User(id={self.id}, username='{self.username}')>"
```

**5. Item Model (`app/models/item.py`)**

```python
# app/models/item.py
from sqlalchemy import Column, String, Float, Integer, ForeignKey, Boolean
from sqlalchemy.orm import relationship

from app.models.base import Base


class Item(Base):
    """Item database model."""

    __tablename__ = "items"

    name = Column(String(200), nullable=False, index=True)
    description = Column(String(1000), nullable=True)
    price = Column(Float, nullable=False)
    stock = Column(Integer, default=0, nullable=False)
    is_available = Column(Boolean, default=True, nullable=False)
    owner_id = Column(Integer, ForeignKey("users.id"), nullable=False)

    # Relationships
    owner = relationship("User", back_populates="items")

    def __repr__(self) -> str:
        return f"<Item(id={self.id}, name='{self.name}', price={self.price})>"
```

**6. Pydantic Schemas (`app/schemas/user.py`)**

```python
# app/schemas/user.py
from datetime import datetime
from typing import Annotated

from pydantic import BaseModel, EmailStr, Field, ConfigDict


class UserBase(BaseModel):
    """Base user schema with shared fields."""

    username: Annotated[str, Field(min_length=3, max_length=50)]
    email: EmailStr
    full_name: Annotated[str | None, Field(max_length=100)] = None


class UserCreate(UserBase):
    """Schema for creating a new user."""

    password: Annotated[str, Field(min_length=8, max_length=128)]


class UserUpdate(BaseModel):
    """Schema for updating a user."""

    email: EmailStr | None = None
    full_name: str | None = None
    password: str | None = None


class UserResponse(UserBase):
    """Schema for user responses."""

    model_config = ConfigDict(from_attributes=True)

    id: int
    is_active: bool
    is_superuser: bool
    created_at: datetime
    updated_at: datetime


class UserInDB(UserResponse):
    """Schema for user with database fields."""

    hashed_password: str


class UserList(BaseModel):
    """Schema for paginated user list."""

    users: list[UserResponse]
    total: int
    page: int
    page_size: int
```

**7. Item Schemas (`app/schemas/item.py`)**

```python
# app/schemas/item.py
from datetime import datetime
from typing import Annotated

from pydantic import BaseModel, Field, ConfigDict


class ItemBase(BaseModel):
    """Base item schema with shared fields."""

    name: Annotated[str, Field(min_length=1, max_length=200)]
    description: Annotated[str | None, Field(max_length=1000)] = None
    price: Annotated[float, Field(gt=0)]
    stock: Annotated[int, Field(ge=0)] = 0


class ItemCreate(ItemBase):
    """Schema for creating a new item."""

    pass


class ItemUpdate(BaseModel):
    """Schema for updating an item."""

    name: str | None = None
    description: str | None = None
    price: float | None = None
    stock: int | None = None
    is_available: bool | None = None


class ItemResponse(ItemBase):
    """Schema for item responses."""

    model_config = ConfigDict(from_attributes=True)

    id: int
    is_available: bool
    owner_id: int
    created_at: datetime
    updated_at: datetime


class ItemList(BaseModel):
    """Schema for paginated item list."""

    items: list[ItemResponse]
    total: int
    page: int
    page_size: int


class ItemWithOwner(ItemResponse):
    """Item response with owner information."""

    owner: "UserResponse"
```

---

### 9.2 `APIRouter`: Creating Mini-Applications and Mounting Them

FastAPI's `APIRouter` allows you to group related endpoints into reusable modules. Each router is like a mini-application that can be mounted into the main app.

#### Understanding APIRouter

```python
# app/api/v1/endpoints/users.py
from typing import Annotated

from fastapi import APIRouter, Depends, HTTPException, status
from sqlalchemy.ext.asyncio import AsyncSession

from app.db.session import get_db
from app.schemas.user import UserCreate, UserResponse, UserUpdate, UserList
from app.services.user_service import UserService

router = APIRouter(prefix="/users", tags=["users"])


@router.post(
    "/",
    response_model=UserResponse,
    status_code=status.HTTP_201_CREATED,
    summary="Create a new user",
)
async def create_user(
    user_data: UserCreate,
    db: AsyncSession = Depends(get_db),
):
    """
    Create a new user account.
    
    - **username**: Unique username (3-50 characters)
    - **email**: Valid email address
    - **password**: Minimum 8 characters
    """
    service = UserService(db)
    user = await service.create_user(user_data)
    return user


@router.get(
    "/{user_id}",
    response_model=UserResponse,
    summary="Get user by ID",
)
async def get_user(
    user_id: int,
    db: AsyncSession = Depends(get_db),
):
    """Retrieve a specific user by their ID."""
    service = UserService(db)
    user = await service.get_by_id(user_id)
    if not user:
        raise HTTPException(
            status_code=status.HTTP_404_NOT_FOUND,
            detail=f"User {user_id} not found",
        )
    return user


@router.get(
    "/",
    response_model=UserList,
    summary="List users",
)
async def list_users(
    skip: int = 0,
    limit: int = 10,
    db: AsyncSession = Depends(get_db),
):
    """List all users with pagination."""
    service = UserService(db)
    users = await service.get_all(skip=skip, limit=limit)
    total = await service.count()
    return UserList(
        users=users,
        total=total,
        page=skip // limit + 1,
        page_size=limit,
    )


@router.patch(
    "/{user_id}",
    response_model=UserResponse,
    summary="Update user",
)
async def update_user(
    user_id: int,
    user_data: UserUpdate,
    db: AsyncSession = Depends(get_db),
):
    """Update a user's information."""
    service = UserService(db)
    user = await service.update(user_id, user_data)
    if not user:
        raise HTTPException(
            status_code=status.HTTP_404_NOT_FOUND,
            detail=f"User {user_id} not found",
        )
    return user


@router.delete(
    "/{user_id}",
    status_code=status.HTTP_204_NO_CONTENT,
    summary="Delete user",
)
async def delete_user(
    user_id: int,
    db: AsyncSession = Depends(get_db),
):
    """Delete a user account."""
    service = UserService(db)
    deleted = await service.delete(user_id)
    if not deleted:
        raise HTTPException(
            status_code=status.HTTP_404_NOT_FOUND,
            detail=f"User {user_id} not found",
        )
```

#### Items Router

```python
# app/api/v1/endpoints/items.py
from typing import Annotated

from fastapi import APIRouter, Depends, HTTPException, status, Query
from sqlalchemy.ext.asyncio import AsyncSession

from app.db.session import get_db
from app.schemas.item import ItemCreate, ItemResponse, ItemUpdate, ItemList
from app.services.item_service import ItemService
from app.api.deps import get_current_user

router = APIRouter(prefix="/items", tags=["items"])


@router.post(
    "/",
    response_model=ItemResponse,
    status_code=status.HTTP_201_CREATED,
)
async def create_item(
    item_data: ItemCreate,
    db: AsyncSession = Depends(get_db),
    current_user = Depends(get_current_user),
):
    """Create a new item (requires authentication)."""
    service = ItemService(db)
    item = await service.create_item(item_data, owner_id=current_user.id)
    return item


@router.get("/", response_model=ItemList)
async def list_items(
    skip: int = Query(default=0, ge=0),
    limit: int = Query(default=10, ge=1, le=100),
    category: str | None = None,
    min_price: float | None = None,
    max_price: float | None = None,
    db: AsyncSession = Depends(get_db),
):
    """List items with optional filters."""
    service = ItemService(db)
    items, total = await service.search(
        skip=skip,
        limit=limit,
        category=category,
        min_price=min_price,
        max_price=max_price,
    )
    return ItemList(
        items=items,
        total=total,
        page=skip // limit + 1,
        page_size=limit,
    )


@router.get("/{item_id}", response_model=ItemResponse)
async def get_item(
    item_id: int,
    db: AsyncSession = Depends(get_db),
):
    """Get a specific item by ID."""
    service = ItemService(db)
    item = await service.get_by_id(item_id)
    if not item:
        raise HTTPException(
            status_code=status.HTTP_404_NOT_FOUND,
            detail=f"Item {item_id} not found",
        )
    return item


@router.put("/{item_id}", response_model=ItemResponse)
async def update_item(
    item_id: int,
    item_data: ItemUpdate,
    db: AsyncSession = Depends(get_db),
    current_user = Depends(get_current_user),
):
    """Update an item (owner only)."""
    service = ItemService(db)
    item = await service.get_by_id(item_id)
    
    if not item:
        raise HTTPException(
            status_code=status.HTTP_404_NOT_FOUND,
            detail=f"Item {item_id} not found",
        )
    
    if item.owner_id != current_user.id:
        raise HTTPException(
            status_code=status.HTTP_403_FORBIDDEN,
            detail="Not authorized to update this item",
        )
    
    updated_item = await service.update(item_id, item_data)
    return updated_item


@router.delete("/{item_id}", status_code=status.HTTP_204_NO_CONTENT)
async def delete_item(
    item_id: int,
    db: AsyncSession = Depends(get_db),
    current_user = Depends(get_current_user),
):
    """Delete an item (owner only)."""
    service = ItemService(db)
    item = await service.get_by_id(item_id)
    
    if not item:
        raise HTTPException(
            status_code=status.HTTP_404_NOT_FOUND,
            detail=f"Item {item_id} not found",
        )
    
    if item.owner_id != current_user.id and not current_user.is_superuser:
        raise HTTPException(
            status_code=status.HTTP_403_FORBIDDEN,
            detail="Not authorized to delete this item",
        )
    
    await service.delete(item_id)
```

#### Aggregating Routers

```python
# app/api/v1/router.py
from fastapi import APIRouter

from app.api.v1.endpoints import users, items, auth

api_router = APIRouter()

# Include all endpoint routers
api_router.include_router(users.router)
api_router.include_router(items.router)
api_router.include_router(auth.router, prefix="/auth", tags=["authentication"])
```

```python
# app/api/v1/endpoints/auth.py
from datetime import timedelta
from typing import Annotated

from fastapi import APIRouter, Depends, HTTPException, status
from fastapi.security import OAuth2PasswordRequestForm
from sqlalchemy.ext.asyncio import AsyncSession

from app.core.config import get_settings
from app.core.security import create_access_token, verify_password
from app.db.session import get_db
from app.schemas.user import UserResponse
from app.services.user_service import UserService
from app.api.deps import get_current_user

router = APIRouter()
settings = get_settings()


@router.post("/login")
async def login(
    form_data: OAuth2PasswordRequestForm = Depends(),
    db: AsyncSession = Depends(get_db),
):
    """
    OAuth2 compatible token login.
    Returns an access token for authentication.
    """
    service = UserService(db)
    user = await service.get_by_username(form_data.username)
    
    if not user or not verify_password(form_data.password, user.hashed_password):
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Incorrect username or password",
            headers={"WWW-Authenticate": "Bearer"},
        )
    
    if not user.is_active:
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail="Inactive user",
        )
    
    access_token = create_access_token(
        data={"sub": user.username},
        expires_delta=timedelta(minutes=settings.access_token_expire_minutes),
    )
    
    return {
        "access_token": access_token,
        "token_type": "bearer",
    }


@router.post("/register", response_model=UserResponse, status_code=status.HTTP_201_CREATED)
async def register(
    username: str,
    email: str,
    password: str,
    db: AsyncSession = Depends(get_db),
):
    """Register a new user account."""
    from app.schemas.user import UserCreate
    
    service = UserService(db)
    
    # Check if username exists
    if await service.get_by_username(username):
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail="Username already registered",
        )
    
    # Check if email exists
    if await service.get_by_email(email):
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail="Email already registered",
        )
    
    user_data = UserCreate(username=username, email=email, password=password)
    user = await service.create_user(user_data)
    return user


@router.get("/me", response_model=UserResponse)
async def get_current_user_info(current_user = Depends(get_current_user)):
    """Get current authenticated user information."""
    return current_user
```

#### API Dependencies (`app/api/deps.py`)

```python
# app/api/deps.py
from typing import Annotated

from fastapi import Depends, HTTPException, status
from fastapi.security import OAuth2PasswordBearer
from jose import JWTError, jwt
from sqlalchemy.ext.asyncio import AsyncSession

from app.core.config import get_settings
from app.core.security import ALGORITHM
from app.db.session import get_db
from app.services.user_service import UserService

settings = get_settings()

oauth2_scheme = OAuth2PasswordBearer(tokenUrl=f"{settings.api_v1_prefix}/auth/login")


async def get_current_user(
    token: Annotated[str, Depends(oauth2_scheme)],
    db: AsyncSession = Depends(get_db),
):
    """
    Dependency that extracts and validates the current user from JWT token.
    """
    credentials_exception = HTTPException(
        status_code=status.HTTP_401_UNAUTHORIZED,
        detail="Could not validate credentials",
        headers={"WWW-Authenticate": "Bearer"},
    )
    
    try:
        payload = jwt.decode(token, settings.secret_key, algorithms=[ALGORITHM])
        username: str = payload.get("sub")
        if username is None:
            raise credentials_exception
    except JWTError:
        raise credentials_exception
    
    service = UserService(db)
    user = await service.get_by_username(username)
    
    if user is None:
        raise credentials_exception
    
    return user


async def get_current_active_user(
    current_user = Depends(get_current_user),
):
    """Dependency that ensures the user is active."""
    if not current_user.is_active:
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail="Inactive user",
        )
    return current_user


async def get_current_superuser(
    current_user = Depends(get_current_active_user),
):
    """Dependency that ensures the user is a superuser."""
    if not current_user.is_superuser:
        raise HTTPException(
            status_code=status.HTTP_403_FORBIDDEN,
            detail="Not enough permissions",
        )
    return current_user


# Type aliases for clean function signatures
CurrentUser = Annotated["User", Depends(get_current_active_user)]
Superuser = Annotated["User", Depends(get_current_superuser)]
```

#### Main Application (`app/main.py`)

```python
# app/main.py
from contextlib import asynccontextmanager

from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware

from app.core.config import get_settings
from app.api.v1.router import api_router
from app.db.session import engine, Base

settings = get_settings()


@asynccontextmanager
async def lifespan(app: FastAPI):
    """
    Lifespan context manager for startup and shutdown events.
    """
    # Startup: Create database tables
    async with engine.begin() as conn:
        await conn.run_sync(Base.metadata.create_all)
    
    yield
    
    # Shutdown: Cleanup resources
    await engine.dispose()


def create_application() -> FastAPI:
    """Create and configure the FastAPI application."""
    app = FastAPI(
        title=settings.app_name,
        version=settings.app_version,
        description="A production-ready FastAPI application",
        openapi_url=f"{settings.api_v1_prefix}/openapi.json",
        docs_url=f"{settings.api_v1_prefix}/docs",
        redoc_url=f"{settings.api_v1_prefix}/redoc",
        lifespan=lifespan,
    )
    
    # CORS middleware
    app.add_middleware(
        CORSMiddleware,
        allow_origins=settings.allowed_origins,
        allow_credentials=True,
        allow_methods=["*"],
        allow_headers=["*"],
    )
    
    # Include API router
    app.include_router(api_router, prefix=settings.api_v1_prefix)
    
    return app


app = create_application()


@app.get("/health")
async def health_check():
    """Health check endpoint."""
    return {"status": "healthy", "version": settings.app_version}
```

---

### 9.3 The "Service-Repository" Pattern: Separating Business Logic from Route Logic

The **Service-Repository pattern** separates your application into distinct layers, each with a specific responsibility:

1. **API Layer (Routes)**: Handles HTTP requests/responses, validation, and authentication
2. **Service Layer**: Contains business logic and orchestrates operations
3. **Repository Layer**: Handles data access and database operations
4. **Model Layer**: Defines data structures (ORM models and Pydantic schemas)

```
┌─────────────────────────────────────────────────────────────┐
│                      Request Flow                            │
├─────────────────────────────────────────────────────────────┤
│                                                              │
│  ┌─────────────┐    ┌─────────────┐    ┌─────────────┐      │
│  │   Client    │───▶│  API Layer  │───▶│  Service    │      │
│  │  (Request)  │    │  (Router)   │    │  Layer      │      │
│  └─────────────┘    └─────────────┘    └──────┬──────┘      │
│                                                │              │
│                                                ▼              │
│                                         ┌─────────────┐      │
│                                         │ Repository  │      │
│                                         │  Layer      │      │
│                                         └──────┬──────┘      │
│                                                │              │
│                                                ▼              │
│                                         ┌─────────────┐      │
│                                         │  Database   │      │
│                                         │  (Data)     │      │
│                                         └─────────────┘      │
│                                                              │
└─────────────────────────────────────────────────────────────┘
```

#### Base Repository (`app/repositories/base.py`)

```python
# app/repositories/base.py
from typing import Generic, TypeVar, Type, Optional, List, Any

from sqlalchemy import select, func
from sqlalchemy.ext.asyncio import AsyncSession

from app.models.base import Base

ModelType = TypeVar("ModelType", bound=Base)


class BaseRepository(Generic[ModelType]):
    """
    Base repository providing common CRUD operations.
    All specific repositories inherit from this class.
    """

    def __init__(self, model: Type[ModelType], session: AsyncSession):
        self.model = model
        self.session = session

    async def create(self, obj_in: dict) -> ModelType:
        """Create a new record."""
        db_obj = self.model(**obj_in)
        self.session.add(db_obj)
        await self.session.flush()
        await self.session.refresh(db_obj)
        return db_obj

    async def get_by_id(self, id: int) -> Optional[ModelType]:
        """Get a record by ID."""
        result = await self.session.execute(
            select(self.model).where(self.model.id == id)
        )
        return result.scalar_one_or_none()

    async def get_all(
        self,
        skip: int = 0,
        limit: int = 100,
    ) -> List[ModelType]:
        """Get all records with pagination."""
        result = await self.session.execute(
            select(self.model).offset(skip).limit(limit)
        )
        return result.scalars().all()

    async def update(
        self,
        id: int,
        obj_in: dict,
    ) -> Optional[ModelType]:
        """Update a record."""
        db_obj = await self.get_by_id(id)
        if db_obj is None:
            return None

        for field, value in obj_in.items():
            if value is not None:
                setattr(db_obj, field, value)

        await self.session.flush()
        await self.session.refresh(db_obj)
        return db_obj

    async def delete(self, id: int) -> bool:
        """Delete a record."""
        db_obj = await self.get_by_id(id)
        if db_obj is None:
            return False

        await self.session.delete(db_obj)
        await self.session.flush()
        return True

    async def count(self) -> int:
        """Count all records."""
        result = await self.session.execute(
            select(func.count()).select_from(self.model)
        )
        return result.scalar_one()

    async def exists(self, id: int) -> bool:
        """Check if a record exists."""
        result = await self.session.execute(
            select(self.model.id).where(self.model.id == id)
        )
        return result.scalar_one_or_none() is not None
```

#### User Repository (`app/repositories/user_repo.py`)

```python
# app/repositories/user_repo.py
from typing import Optional

from sqlalchemy import select
from sqlalchemy.ext.asyncio import AsyncSession

from app.models.user import User
from app.repositories.base import BaseRepository


class UserRepository(BaseRepository[User]):
    """Repository for User model operations."""

    def __init__(self, session: AsyncSession):
        super().__init__(User, session)

    async def get_by_username(self, username: str) -> Optional[User]:
        """Get user by username."""
        result = await self.session.execute(
            select(User).where(User.username == username)
        )
        return result.scalar_one_or_none()

    async def get_by_email(self, email: str) -> Optional[User]:
        """Get user by email."""
        result = await self.session.execute(
            select(User).where(User.email == email)
        )
        return result.scalar_one_or_none()

    async def username_exists(self, username: str) -> bool:
        """Check if username already exists."""
        result = await self.session.execute(
            select(User.id).where(User.username == username)
        )
        return result.scalar_one_or_none() is not None

    async def email_exists(self, email: str) -> bool:
        """Check if email already exists."""
        result = await self.session.execute(
            select(User.id).where(User.email == email)
        )
        return result.scalar_one_or_none() is not None

    async def get_active_users(self, skip: int = 0, limit: int = 100) -> list[User]:
        """Get all active users."""
        result = await self.session.execute(
            select(User).where(User.is_active == True).offset(skip).limit(limit)
        )
        return result.scalars().all()
```

#### Item Repository (`app/repositories/item_repo.py`)

```python
# app/repositories/item_repo.py
from typing import Optional
from sqlalchemy import select, and_
from sqlalchemy.ext.asyncio import AsyncSession
from sqlalchemy.orm import selectinload

from app.models.item import Item
from app.repositories.base import BaseRepository


class ItemRepository(BaseRepository[Item]):
    """Repository for Item model operations."""

    def __init__(self, session: AsyncSession):
        super().__init__(Item, session)

    async def get_by_id_with_owner(self, item_id: int) -> Optional[Item]:
        """Get item by ID with owner relationship loaded."""
        result = await self.session.execute(
            select(Item)
            .options(selectinload(Item.owner))
            .where(Item.id == item_id)
        )
        return result.scalar_one_or_none()

    async def get_by_owner(
        self,
        owner_id: int,
        skip: int = 0,
        limit: int = 100,
    ) -> list[Item]:
        """Get all items belonging to a specific owner."""
        result = await self.session.execute(
            select(Item)
            .where(Item.owner_id == owner_id)
            .offset(skip)
            .limit(limit)
        )
        return result.scalars().all()

    async def search(
        self,
        skip: int = 0,
        limit: int = 100,
        name: str | None = None,
        category: str | None = None,
        min_price: float | None = None,
        max_price: float | None = None,
        in_stock_only: bool = False,
    ) -> tuple[list[Item], int]:
        """Search items with filters."""
        filters = []

        if name:
            filters.append(Item.name.ilike(f"%{name}%"))
        if category:
            filters.append(Item.category == category)
        if min_price is not None:
            filters.append(Item.price >= min_price)
        if max_price is not None:
            filters.append(Item.price <= max_price)
        if in_stock_only:
            filters.append(Item.stock > 0)

        # Build query
        query = select(Item)
        if filters:
            query = query.where(and_(*filters))

        # Get total count
        count_query = select(Item.id)
        if filters:
            count_query = count_query.where(and_(*filters))
        count_result = await self.session.execute(count_query)
        total = len(count_result.all())

        # Get paginated results
        result = await self.session.execute(
            query.offset(skip).limit(limit)
        )
        items = result.scalars().all()

        return items, total

    async def update_stock(self, item_id: int, quantity: int) -> Optional[Item]:
        """Update item stock (for purchases)."""
        item = await self.get_by_id(item_id)
        if item is None:
            return None

        item.stock = max(0, item.stock - quantity)
        item.is_available = item.stock > 0

        await self.session.flush()
        await self.session.refresh(item)
        return item
```

#### User Service (`app/services/user_service.py`)

```python
# app/services/user_service.py
from typing import Optional

from sqlalchemy.ext.asyncio import AsyncSession

from app.models.user import User
from app.repositories.user_repo import UserRepository
from app.schemas.user import UserCreate, UserUpdate
from app.core.security import get_password_hash


class UserService:
    """
    Service layer for user business logic.
    Orchestrates repository calls and applies business rules.
    """

    def __init__(self, session: AsyncSession):
        self.session = session
        self.repository = UserRepository(session)

    async def create_user(self, user_data: UserCreate) -> User:
        """
        Create a new user with hashed password.
        
        Business rules:
        - Username must be unique
        - Email must be unique
        - Password must be hashed
        """
        # Check for existing username
        if await self.repository.username_exists(user_data.username):
            raise ValueError(f"Username '{user_data.username}' already exists")

        # Check for existing email
        if await self.repository.email_exists(user_data.email):
            raise ValueError(f"Email '{user_data.email}' already registered")

        # Create user with hashed password
        user_dict = user_data.model_dump()
        user_dict["hashed_password"] = get_password_hash(user_dict.pop("password"))

        return await self.repository.create(user_dict)

    async def get_by_id(self, user_id: int) -> Optional[User]:
        """Get user by ID."""
        return await self.repository.get_by_id(user_id)

    async def get_by_username(self, username: str) -> Optional[User]:
        """Get user by username."""
        return await self.repository.get_by_username(username)

    async def get_by_email(self, email: str) -> Optional[User]:
        """Get user by email."""
        return await self.repository.get_by_email(email)

    async def get_all(self, skip: int = 0, limit: int = 100) -> list[User]:
        """Get all users with pagination."""
        return await self.repository.get_all(skip=skip, limit=limit)

    async def update(self, user_id: int, user_data: UserUpdate) -> Optional[User]:
        """
        Update user information.
        
        Business rules:
        - Cannot update to an existing email
        - Password must be hashed if provided
        """
        # Check if user exists
        user = await self.repository.get_by_id(user_id)
        if not user:
            return None

        update_dict = user_data.model_dump(exclude_unset=True)

        # Handle password update
        if "password" in update_dict and update_dict["password"]:
            update_dict["hashed_password"] = get_password_hash(update_dict.pop("password"))
        elif "password" in update_dict:
            del update_dict["password"]

        # Check email uniqueness if changing email
        if "email" in update_dict and update_dict["email"] != user.email:
            if await self.repository.email_exists(update_dict["email"]):
                raise ValueError(f"Email '{update_dict['email']}' already registered")

        return await self.repository.update(user_id, update_dict)

    async def delete(self, user_id: int) -> bool:
        """Delete a user."""
        return await self.repository.delete(user_id)

    async def count(self) -> int:
        """Count total users."""
        return await self.repository.count()

    async def activate(self, user_id: int) -> Optional[User]:
        """Activate a user account."""
        return await self.repository.update(user_id, {"is_active": True})

    async def deactivate(self, user_id: int) -> Optional[User]:
        """Deactivate a user account."""
        return await self.repository.update(user_id, {"is_active": False})
```

#### Item Service (`app/services/item_service.py`)

```python
# app/services/item_service.py
from typing import Optional

from sqlalchemy.ext.asyncio import AsyncSession

from app.models.item import Item
from app.repositories.item_repo import ItemRepository
from app.schemas.item import ItemCreate, ItemUpdate


class ItemService:
    """
    Service layer for item business logic.
    Handles item creation, updates, and complex queries.
    """

    def __init__(self, session: AsyncSession):
        self.session = session
        self.repository = ItemRepository(session)

    async def create_item(
        self,
        item_data: ItemCreate,
        owner_id: int,
    ) -> Item:
        """
        Create a new item.
        
        Business rules:
        - Set availability based on stock
        - Associate with owner
        """
        item_dict = item_data.model_dump()
        item_dict["owner_id"] = owner_id
        item_dict["is_available"] = item_data.stock > 0

        return await self.repository.create(item_dict)

    async def get_by_id(self, item_id: int) -> Optional[Item]:
        """Get item by ID."""
        return await self.repository.get_by_id(item_id)

    async def get_by_id_with_owner(self, item_id: int) -> Optional[Item]:
        """Get item with owner information loaded."""
        return await self.repository.get_by_id_with_owner(item_id)

    async def get_all(self, skip: int = 0, limit: int = 100) -> list[Item]:
        """Get all items with pagination."""
        return await self.repository.get_all(skip=skip, limit=limit)

    async def get_by_owner(
        self,
        owner_id: int,
        skip: int = 0,
        limit: int = 100,
    ) -> list[Item]:
        """Get items belonging to a specific owner."""
        return await self.repository.get_by_owner(owner_id, skip=skip, limit=limit)

    async def search(
        self,
        skip: int = 0,
        limit: int = 100,
        name: str | None = None,
        category: str | None = None,
        min_price: float | None = None,
        max_price: float | None = None,
    ) -> tuple[list[Item], int]:
        """Search items with filters."""
        return await self.repository.search(
            skip=skip,
            limit=limit,
            name=name,
            category=category,
            min_price=min_price,
            max_price=max_price,
        )

    async def update(
        self,
        item_id: int,
        item_data: ItemUpdate,
    ) -> Optional[Item]:
        """
        Update an item.
        
        Business rules:
        - Update availability based on stock
        """
        update_dict = item_data.model_dump(exclude_unset=True)

        # Update availability if stock changes
        if "stock" in update_dict:
            update_dict["is_available"] = update_dict["stock"] > 0

        return await self.repository.update(item_id, update_dict)

    async def delete(self, item_id: int) -> bool:
        """Delete an item."""
        return await self.repository.delete(item_id)

    async def update_stock(
        self,
        item_id: int,
        quantity: int,
    ) -> Optional[Item]:
        """
        Update item stock (e.g., after purchase).
        
        Business rules:
        - Stock cannot go below 0
        - Update availability if stock reaches 0
        """
        item = await self.repository.get_by_id(item_id)
        if not item:
            return None

        if item.stock < quantity:
            raise ValueError(f"Insufficient stock. Available: {item.stock}")

        return await self.repository.update_stock(item_id, quantity)

    async def check_availability(self, item_id: int, quantity: int) -> bool:
        """Check if an item has sufficient stock."""
        item = await self.repository.get_by_id(item_id)
        if not item:
            return False
        return item.stock >= quantity and item.is_available
```

---

### 9.4 Configuration Management: Centralizing Settings

Centralized configuration management is essential for maintaining different settings across environments (development, staging, production).

#### Core Security Module (`app/core/security.py`)

```python
# app/core/security.py
from datetime import datetime, timedelta
from typing import Any

from jose import jwt
from passlib.context import CryptContext

from app.core.config import get_settings

settings = get_settings()

# Password hashing context
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")

ALGORITHM = settings.algorithm


def verify_password(plain_password: str, hashed_password: str) -> bool:
    """Verify a plain password against a hashed password."""
    return pwd_context.verify(plain_password, hashed_password)


def get_password_hash(password: str) -> str:
    """Hash a password."""
    return pwd_context.hash(password)


def create_access_token(
    data: dict[str, Any],
    expires_delta: timedelta | None = None,
) -> str:
    """
    Create a JWT access token.
    
    Args:
        data: Payload data to encode in the token
        expires_delta: Optional custom expiration time
    
    Returns:
        Encoded JWT token string
    """
    to_encode = data.copy()
    
    if expires_delta:
        expire = datetime.utcnow() + expires_delta
    else:
        expire = datetime.utcnow() + timedelta(
            minutes=settings.access_token_expire_minutes
        )
    
    to_encode.update({"exp": expire})
    encoded_jwt = jwt.encode(
        to_encode,
        settings.secret_key,
        algorithm=ALGORITHM,
    )
    
    return encoded_jwt


def decode_access_token(token: str) -> dict[str, Any] | None:
    """
    Decode and validate a JWT access token.
    
    Args:
        token: JWT token string
    
    Returns:
        Decoded payload or None if invalid
    """
    try:
        payload = jwt.decode(
            token,
            settings.secret_key,
            algorithms=[ALGORITHM],
        )
        return payload
    except jwt.JWTError:
        return None
```

#### Custom Exceptions (`app/core/exceptions.py`)

```python
# app/core/exceptions.py
from fastapi import HTTPException, status


class AppException(Exception):
    """
    Base exception for application-specific errors.
    Can be caught and converted to HTTP responses.
    """

    def __init__(
        self,
        status_code: int,
        code: str,
        message: str,
        details: dict | None = None,
    ):
        self.status_code = status_code
        self.code = code
        self.message = message
        self.details = details
        super().__init__(self.message)


class NotFoundError(AppException):
    """Resource not found."""

    def __init__(self, resource: str, identifier: int | str):
        super().__init__(
            status_code=status.HTTP_404_NOT_FOUND,
            code="NOT_FOUND",
            message=f"{resource} with id '{identifier}' not found",
        )


class DuplicateError(AppException):
    """Duplicate resource error."""

    def __init__(self, field: str, value: str):
        super().__init__(
            status_code=status.HTTP_409_CONFLICT,
            code="DUPLICATE",
            message=f"{field} '{value}' already exists",
            details={"field": field, "value": value},
        )


class AuthenticationError(AppException):
    """Authentication failed."""

    def __init__(self, message: str = "Could not validate credentials"):
        super().__init__(
            status_code=status.HTTP_401_UNAUTHORIZED,
            code="AUTHENTICATION_ERROR",
            message=message,
        )


class AuthorizationError(AppException):
    """Authorization failed (insufficient permissions)."""

    def __init__(self, message: str = "Not enough permissions"):
        super().__init__(
            status_code=status.HTTP_403_FORBIDDEN,
            code="AUTHORIZATION_ERROR",
            message=message,
        )


class ValidationError(AppException):
    """Validation error."""

    def __init__(self, message: str, details: dict | None = None):
        super().__init__(
            status_code=status.HTTP_400_BAD_REQUEST,
            code="VALIDATION_ERROR",
            message=message,
            details=details,
        )
```

#### Environment-Specific Configuration

```.env.example
# Application
APP_NAME="FastAPI Application"
APP_VERSION="1.0.0"
DEBUG=false
ENVIRONMENT=development

# API
API_V1_PREFIX=/api/v1

# Database
DATABASE_URL=postgresql+asyncpg://postgres:password@localhost:5432/app_db
DATABASE_POOL_SIZE=5
DATABASE_MAX_OVERFLOW=10

# Security
SECRET_KEY=your-super-secret-key-change-in-production-at-least-32-chars
ALGORITHM=HS256
ACCESS_TOKEN_EXPIRE_MINUTES=30

# CORS
ALLOWED_ORIGINS=http://localhost:3000,http://localhost:8080
```

```.env.development
# Development environment
DEBUG=true
ENVIRONMENT=development
DATABASE_URL=postgresql+asyncpg://postgres:password@localhost:5432/app_dev
```

```.env.production
# Production environment
DEBUG=false
ENVIRONMENT=production
DATABASE_URL=postgresql+asyncpg://user:password@prod-db:5432/app_prod
SECRET_KEY=production-secret-key-from-aws-secrets-manager
ALLOWED_ORIGINS=https://example.com,https://api.example.com
```

#### Complete Application Entry Point

```python
# app/main.py (Complete version)
from contextlib import asynccontextmanager
from typing import AsyncGenerator

from fastapi import FastAPI, Request, status
from fastapi.middleware.cors import CORSMiddleware
from fastapi.responses import JSONResponse

from app.core.config import get_settings
from app.core.exceptions import AppException
from app.api.v1.router import api_router
from app.db.session import engine, Base

settings = get_settings()


@asynccontextmanager
async def lifespan(app: FastAPI) -> AsyncGenerator:
    """
    Application lifespan manager.
    Handles startup and shutdown events.
    """
    # Startup
    print(f"Starting {settings.app_name} v{settings.app_version}")
    print(f"Environment: {settings.environment}")
    
    # Create database tables (in development)
    if settings.environment == "development":
        async with engine.begin() as conn:
            await conn.run_sync(Base.metadata.create_all)
    
    yield
    
    # Shutdown
    print("Shutting down application...")
    await engine.dispose()


def create_application() -> FastAPI:
    """Create and configure the FastAPI application."""
    app = FastAPI(
        title=settings.app_name,
        version=settings.app_version,
        description="""
## FastAPI Production Application

A production-ready FastAPI application with:

* **Authentication**: JWT-based authentication
* **Authorization**: Role-based access control
* **Database**: PostgreSQL with SQLAlchemy async
* **Validation**: Pydantic models for all inputs
* **Documentation**: Auto-generated OpenAPI docs

### Getting Started

1. Register a user account via `/api/v1/auth/register`
2. Login to get an access token via `/api/v1/auth/login`
3. Use the token in the `Authorization: Bearer <token>` header
        """,
        openapi_url=f"{settings.api_v1_prefix}/openapi.json",
        docs_url=f"{settings.api_v1_prefix}/docs",
        redoc_url=f"{settings.api_v1_prefix}/redoc",
        lifespan=lifespan,
    )
    
    # CORS middleware
    app.add_middleware(
        CORSMiddleware,
        allow_origins=settings.allowed_origins,
        allow_credentials=True,
        allow_methods=["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
        allow_headers=["*"],
        expose_headers=["X-Total-Count", "X-Page", "X-Page-Size"],
    )
    
    # Include API router
    app.include_router(api_router, prefix=settings.api_v1_prefix)
    
    # Exception handlers
    @app.exception_handler(AppException)
    async def app_exception_handler(request: Request, exc: AppException):
        """Handle application-specific exceptions."""
        return JSONResponse(
            status_code=exc.status_code,
            content={
                "code": exc.code,
                "message": exc.message,
                "details": exc.details,
            },
        )
    
    # Health check endpoint
    @app.get("/health", tags=["health"])
    async def health_check():
        """Health check endpoint for monitoring."""
        return {
            "status": "healthy",
            "version": settings.app_version,
            "environment": settings.environment,
        }
    
    # Readiness check endpoint
    @app.get("/ready", tags=["health"])
    async def readiness_check():
        """Readiness check for Kubernetes/container orchestration."""
        try:
            # Test database connection
            async with engine.connect() as conn:
                await conn.execute("SELECT 1")
            return {"status": "ready", "database": "connected"}
        except Exception as e:
            return JSONResponse(
                status_code=status.HTTP_503_SERVICE_UNAVAILABLE,
                content={"status": "not ready", "error": str(e)},
            )
    
    return app


app = create_application()


if __name__ == "__main__":
    import uvicorn
    
    uvicorn.run(
        "app.main:app",
        host="0.0.0.0",
        port=8000,
        reload=settings.debug,
    )
```

---

### Summary

In this chapter, you've learned how to structure large FastAPI applications:

1. **Modularization**: Breaking the app into logical modules with a clear directory structure.

2. **APIRouter**: Creating reusable router modules and mounting them into the main application.

3. **Service-Repository Pattern**: Separating business logic (Services) from data access (Repositories) for clean, maintainable code.

4. **Configuration Management**: Centralizing settings with `pydantic-settings` and environment-specific configuration files.

---

### Exercises

1. **Modularize an Existing App**: Take a single-file FastAPI application and restructure it using the patterns from this chapter.

2. **Add a New Feature**: Implement a "Comments" feature with:
   - `Comment` model
   - `CommentRepository` and `CommentService`
   - `comments` router with CRUD endpoints
   - Proper relationship with `User` and `Item` models

3. **Environment Configuration**: Set up environment-specific configuration for:
   - Development (local SQLite database)
   - Testing (in-memory database)
   - Production (PostgreSQL with connection pooling)

4. **Error Handling**: Extend the exception handling to:
   - Log all exceptions
   - Send alerts for 5xx errors
   - Return consistent error responses

---

### What's Next?

**Chapter 10: Middleware and Events** will explore:
- Understanding middleware basics and request interception
- Built-in middleware: CORS, GZip, Trusted Host, HTTPS Redirect
- Creating custom middleware classes
- Lifespan events for startup and shutdown logic

