# Core Authentication Utilities

> Simple, transparent authentication utilities for FastHTML applications

In [None]:
#| default_exp auth

In [None]:
#| hide
from nbdev.showdoc import *

In [None]:
#| export
import bcrypt
import secrets
from typing import Optional, Dict, Any
from functools import wraps

### Important Note on bcrypt

bcrypt has a maximum password length of 72 bytes. Passwords longer than this are silently truncated. If you need to support longer passwords, consider hashing the password with SHA-256 first, then passing the hash to bcrypt.

## Password Hashing

Launch Kit provides simple utilities for secure password hashing using bcrypt. These functions are transparent and composable - you can see exactly what they do and use them however you need.

In [None]:
#| export
def hash_password(password: str) -> str:
    """Hash a password using bcrypt with a cost factor of 12.
    
    Args:
        password: Plain text password to hash
        
    Returns:
        Hashed password as a string for database storage
    """
    # Cost factor of 12 is recommended for 2024
    # This takes ~250ms on modern hardware
    salt = bcrypt.gensalt(rounds=12)
    hashed = bcrypt.hashpw(password.encode('utf-8'), salt)
    return hashed.decode('utf-8')

In [None]:
#| export
def verify_password(password: str, hashed: str) -> bool:
    """Verify a password against a bcrypt hash.
    
    Uses timing-safe comparison to prevent timing attacks.
    
    Args:
        password: Plain text password to verify
        hashed: Bcrypt hash from the database
        
    Returns:
        True if password matches, False otherwise
    """
    try:
        return bcrypt.checkpw(
            password.encode('utf-8'), 
            hashed.encode('utf-8')
        )
    except (ValueError, TypeError):
        # Invalid hash format
        return False

### Example Usage

Here's how you use these password utilities in your FastHTML application:

In [None]:
# Hash a password when user signs up
password = "secure_password123"
hashed = hash_password(password)
print(f"Hashed password: {hashed}")

# Verify password when user logs in
is_valid = verify_password(password, hashed)
print(f"Password valid: {is_valid}")

# Test with wrong password
wrong_password = "wrong_password"
is_valid = verify_password(wrong_password, hashed)
print(f"Wrong password valid: {is_valid}")

## Session Management

These utilities work with FastHTML's session system to manage user authentication state.

In [None]:
#| export
def user_auth_before(req, sess):
    """Beforeware function to check authentication status.
    
    Checks if user is authenticated by looking for 'auth' key in session.
    If authenticated, loads user data into the session.
    
    Args:
        req: FastHTML request object
        sess: FastHTML session object
        
    Usage:
        beforeware = Beforeware(
            user_auth_before,
            skip=['/auth/login', '/auth/signup', '/static/.*']
        )
    """
    # Check if user is authenticated
    if 'auth' in sess and sess.get('auth'):
        # User is authenticated, ensure user data is in session
        if 'user' not in sess:
            # In a real app, you'd fetch from database here
            # For now, we'll just ensure the structure exists
            user_id = sess.get('user_id')
            if user_id:
                # This is where you'd load user from database
                # sess['user'] = get_user_by_id(user_id)
                pass
    else:
        # Clear any stale user data if not authenticated
        sess.pop('user', None)
        sess.pop('user_id', None)

In [None]:
#| export
def get_user_from_session(sess) -> Optional[Dict[str, Any]]:
    """Extract user data from session.
    
    Args:
        sess: FastHTML session object
        
    Returns:
        User dictionary if authenticated, None otherwise
    """
    if sess.get('auth') and 'user' in sess:
        return sess['user']
    return None

## Authentication Tokens

For remember-me functionality and API authentication, we provide simple token utilities.

In [None]:
#| export
def create_auth_token(user_id: int) -> str:
    """Create a secure authentication token for a user.
    
    Args:
        user_id: ID of the user to create token for
        
    Returns:
        Secure random token string
        
    Note:
        In production, you'd store this token in your database
        with an expiration date and associate it with the user.
    """
    # Generate a secure random token
    token = secrets.token_urlsafe(32)
    # In a real app, you'd store: token -> user_id mapping in database
    return f"{user_id}:{token}"

In [None]:
#| export
def verify_auth_token(token: str) -> Optional[int]:
    """Verify an authentication token and return the user ID.
    
    Args:
        token: Authentication token to verify
        
    Returns:
        User ID if token is valid, None otherwise
        
    Note:
        In production, you'd look up this token in your database
        and check expiration.
    """
    try:
        # Simple parsing for demo - in production, look up in database
        parts = token.split(':', 1)
        if len(parts) == 2:
            user_id = int(parts[0])
            # In real app: verify token exists in DB and not expired
            return user_id
    except (ValueError, TypeError):
        pass
    return None

### Token Example

In [None]:
# Create a token for user ID 123
token = create_auth_token(123)
print(f"Auth token: {token}")

# Verify the token
user_id = verify_auth_token(token)
print(f"Verified user ID: {user_id}")

# Test with invalid token
invalid_token = "invalid_token"
user_id = verify_auth_token(invalid_token)
print(f"Invalid token result: {user_id}")

## Best Practices and Security Guidelines

### Password Security
- **Minimum Requirements**: Enforce at least 8 characters, ideally 12+
- **Complexity**: Require a mix of uppercase, lowercase, numbers, and special characters
- **Common Passwords**: Check against common password lists
- **Password History**: Prevent reuse of recent passwords
- **Account Lockout**: Implement after multiple failed attempts

### Session Security
- **Secure Cookies**: Always use `secure=True` and `httponly=True` in production
- **Session Timeout**: Implement idle and absolute timeouts
- **Session Rotation**: Regenerate session ID after login
- **CSRF Protection**: Use the CSRF middleware (coming in Phase 1)

### Token Security
- **Storage**: Never store tokens in plain text
- **Expiration**: Always set and enforce expiration times
- **Rotation**: Implement token rotation for long-lived sessions
- **Revocation**: Provide ability to revoke tokens

### General Security
- **HTTPS**: Always use HTTPS in production
- **Rate Limiting**: Implement on authentication endpoints
- **Logging**: Log authentication events (success/failure)
- **2FA**: Consider implementing two-factor authentication

## Security Considerations

When using these authentication utilities:

1. **Password Requirements**: Implement minimum password requirements in your application
2. **Rate Limiting**: Use the rate limiting middleware to prevent brute force attacks
3. **Session Security**: Configure secure session cookies in production
4. **Token Storage**: Store auth tokens in a database with expiration times
5. **HTTPS Only**: Always use HTTPS in production to protect credentials in transit

## Integration with FastHTML

Here's a complete example of how to use these utilities in a FastHTML app:

```python
from fasthtml.common import *
from launch_kit.auth import hash_password, verify_password, user_auth_before

app, rt = fast_app()

# Set up authentication beforeware
beforeware = Beforeware(
    user_auth_before,
    skip=['/auth/login', '/auth/signup', '/static/.*']
)

@rt('/auth/signup')
def post(email: str, password: str, sess):
    # Hash the password
    hashed = hash_password(password)
    
    # Save user to database (pseudo-code)
    # user = create_user(email=email, password=hashed)
    
    # Set session
    sess['auth'] = True
    sess['user_id'] = user.id
    sess['user'] = {'id': user.id, 'email': email}
    
    return RedirectResponse('/')

@rt('/auth/login')
def post(email: str, password: str, sess):
    # Get user from database (pseudo-code)
    # user = get_user_by_email(email)
    
    if user and verify_password(password, user.password):
        # Login successful
        sess['auth'] = True
        sess['user_id'] = user.id
        sess['user'] = {'id': user.id, 'email': email}
        return RedirectResponse('/')
    else:
        # Login failed
        return "Invalid credentials", 401
```

These utilities are designed to be simple and transparent. You can see exactly what they do and modify them to fit your needs.

## Testing

In [None]:
#| hide
# Test password hashing
test_password = "test_password_123!"
hashed = hash_password(test_password)

# Ensure hash is different from password
assert hashed != test_password
assert len(hashed) == 60  # bcrypt hashes are always 60 chars
assert hashed.startswith('$2b$')  # bcrypt prefix

# Test password verification
assert verify_password(test_password, hashed) == True
assert verify_password("wrong_password", hashed) == False

# Test with empty password
empty_hash = hash_password("")
assert verify_password("", empty_hash) == True
assert verify_password("not_empty", empty_hash) == False

# Test invalid hash handling
assert verify_password("any_password", "invalid_hash") == False
assert verify_password("any_password", "") == False

print("✓ Password hashing tests passed")

In [None]:
#| hide
# Test token creation and verification
user_id = 42
token = create_auth_token(user_id)

# Token should contain user ID and random part
assert ':' in token
assert token.startswith(f"{user_id}:")

# Verify token returns correct user ID
verified_id = verify_auth_token(token)
assert verified_id == user_id

# Test invalid tokens
assert verify_auth_token("invalid") is None
assert verify_auth_token("") is None
assert verify_auth_token("no_colon") is None
assert verify_auth_token("not_a_number:token") is None

print("✓ Token tests passed")

In [None]:
#| hide
# Test session utilities
mock_sess = {}

# Test get_user_from_session with no auth
assert get_user_from_session(mock_sess) is None

# Test with auth but no user
mock_sess['auth'] = True
assert get_user_from_session(mock_sess) is None

# Test with auth and user
mock_sess['user'] = {'id': 1, 'email': 'test@example.com'}
user = get_user_from_session(mock_sess)
assert user is not None
assert user['id'] == 1
assert user['email'] == 'test@example.com'

# Test user_auth_before
mock_req = None  # Not used in our implementation
test_sess = {'auth': True, 'user_id': 123}
user_auth_before(mock_req, test_sess)
# Should preserve auth and user_id
assert test_sess.get('auth') == True
assert test_sess.get('user_id') == 123

# Test cleanup when not authenticated
test_sess = {'user': 'stale_data', 'user_id': 999}
user_auth_before(mock_req, test_sess)
# Should clean up stale data
assert 'user' not in test_sess
assert 'user_id' not in test_sess

print("✓ Session management tests passed")

In [ ]:
#| hide
# Test concurrent access patterns (simulated)
print("Testing thread safety simulation...")

# Test multiple password operations
passwords = ["pass1", "pass2", "pass3", "pass4", "pass5"]
hashes = [hash_password(p) for p in passwords]

# Verify all hashes are unique
assert len(set(hashes)) == len(hashes), "Hashes should be unique"

# Verify all passwords match their respective hashes
for pwd, hsh in zip(passwords, hashes):
    assert verify_password(pwd, hsh) == True
    # And don't match others
    for other_hash in hashes:
        if other_hash != hsh:
            assert verify_password(pwd, other_hash) == False

print("✓ Concurrent access simulation passed")

In [ ]:
#| hide
# Test edge cases for password hashing
print("Testing edge cases...")

# Test with very long password (bcrypt truncates at 72 bytes)
long_password = "a" * 100  # Changed from 1000 to avoid bcrypt truncation
long_hash = hash_password(long_password)
assert verify_password(long_password, long_hash) == True
# Test that a different password doesn't match
assert verify_password("b" * 100, long_hash) == False

# Test with special characters
special_password = "!@#$%^&*()_+-=[]{}|;':\",./<>?`~"
special_hash = hash_password(special_password)
assert verify_password(special_password, special_hash) == True

# Test with unicode characters
unicode_password = "пароль密码パスワード🔐"
unicode_hash = hash_password(unicode_password)
assert verify_password(unicode_password, unicode_hash) == True

# Test with None/null handling (should raise AttributeError)
try:
    hash_password(None)
    assert False, "Should have raised AttributeError"
except AttributeError:
    pass

# Test corrupted hash
assert verify_password("test", "$2b$12$corrupted") == False
assert verify_password("test", "not_a_bcrypt_hash") == False

print("✓ Edge case tests passed")

In [None]:
#| hide
import nbdev; nbdev.nbdev_export()

## Performance Benchmarks

Understanding the performance characteristics of authentication operations is crucial for capacity planning.

In [ ]:
#| hide
# Comprehensive performance benchmarks
import time
import statistics

print("Running performance benchmarks...")

# Benchmark password hashing with different cost factors
def benchmark_cost_factor(cost):
    times = []
    for _ in range(3):
        start = time.time()
        salt = bcrypt.gensalt(rounds=cost)
        bcrypt.hashpw(b"benchmark_password", salt)
        times.append(time.time() - start)
    return statistics.mean(times)

print("\nPassword hashing performance by cost factor:")
for cost in [10, 11, 12, 13, 14]:
    avg_time = benchmark_cost_factor(cost)
    print(f"  Cost {cost}: {avg_time:.3f}s (recommended: {'Yes' if 0.1 <= avg_time <= 0.5 else 'No'})")

# Benchmark verification
print("\nPassword verification performance:")
test_hash = hash_password("benchmark_password")
verify_times = []
for _ in range(10):
    start = time.time()
    verify_password("benchmark_password", test_hash)
    verify_times.append(time.time() - start)

avg_verify = statistics.mean(verify_times)
print(f"  Average verification time: {avg_verify:.3f}s")
print(f"  Verifications per second: {1/avg_verify:.0f}")

# Token operations benchmark
print("\nToken operations performance:")
token_create_times = []
token_verify_times = []

for i in range(100):
    start = time.time()
    token = create_auth_token(i)
    token_create_times.append(time.time() - start)
    
    start = time.time()
    verify_auth_token(token)
    token_verify_times.append(time.time() - start)

print(f"  Token creation: {statistics.mean(token_create_times)*1000:.3f}ms")
print(f"  Token verification: {statistics.mean(token_verify_times)*1000:.3f}ms")
print(f"  Operations per second: {1/statistics.mean(token_create_times):.0f}")

print("\n✓ Performance benchmarks completed")