# **User Authentication & Authorization System**

**Description:**

A production-ready system for secure user management with **Python**, **Flask**, **SQLite**, and **JWT**.

This system handles user registration, login, role-based access control, and secure API endpoints. It’s lightweight, easy to set up, and comes with both automated and manual testing options.

**Contents:**

1: Install dependencies

2: Configuration

3: Database models

4: Authentication logic

5: Flask app & routes

6: Start server (GET PUBLIC URL HERE)

7: Automated tests

8: Manual testing helper



# **Install dependencies:**

In [None]:
!pip install flask pyngrok PyJWT werkzeug requests -q


# **Configuration:**

In [None]:
import os
from datetime import timedelta

class Config:
    """Application configuration"""
    SECRET_KEY = 'colab-secret-key-change-in-production-123'
    JWT_ALGORITHM = 'HS256'
    JWT_EXPIRATION = timedelta(hours=24)
    DATABASE_PATH = 'auth_system.db'
    BCRYPT_LOG_ROUNDS = 12

# **Database models:**


In [None]:
import sqlite3
from werkzeug.security import generate_password_hash, check_password_hash

class Database:
    """Database handler"""

    @staticmethod
    def get_connection():
        """Get database connection"""
        conn = sqlite3.connect(Config.DATABASE_PATH, check_same_thread=False)
        conn.row_factory = sqlite3.Row
        return conn

    @staticmethod
    def init_db():
        """Initialize database with tables"""
        conn = Database.get_connection()

        # Create roles table
        conn.execute('''
            CREATE TABLE IF NOT EXISTS roles (
                id INTEGER PRIMARY KEY AUTOINCREMENT,
                name TEXT UNIQUE NOT NULL,
                description TEXT
            )
        ''')

        # Create permissions table
        conn.execute('''
            CREATE TABLE IF NOT EXISTS permissions (
                id INTEGER PRIMARY KEY AUTOINCREMENT,
                name TEXT UNIQUE NOT NULL,
                description TEXT
            )
        ''')

        # Create users table
        conn.execute('''
            CREATE TABLE IF NOT EXISTS users (
                id INTEGER PRIMARY KEY AUTOINCREMENT,
                username TEXT UNIQUE NOT NULL,
                email TEXT UNIQUE NOT NULL,
                password_hash TEXT NOT NULL,
                role_id INTEGER NOT NULL,
                created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
                FOREIGN KEY (role_id) REFERENCES roles (id)
            )
        ''')

        # Create role_permissions junction table
        conn.execute('''
            CREATE TABLE IF NOT EXISTS role_permissions (
                role_id INTEGER,
                permission_id INTEGER,
                PRIMARY KEY (role_id, permission_id),
                FOREIGN KEY (role_id) REFERENCES roles (id),
                FOREIGN KEY (permission_id) REFERENCES permissions (id)
            )
        ''')

        # Insert default roles if they don't exist
        try:
            conn.execute("INSERT INTO roles (name, description) VALUES (?, ?)",
                       ('user', 'Regular user with basic permissions'))
            conn.execute("INSERT INTO roles (name, description) VALUES (?, ?)",
                       ('admin', 'Administrator with full permissions'))

            # Insert default permissions
            conn.execute("INSERT INTO permissions (name, description) VALUES (?, ?)",
                       ('read', 'Can read resources'))
            conn.execute("INSERT INTO permissions (name, description) VALUES (?, ?)",
                       ('write', 'Can create and update resources'))
            conn.execute("INSERT INTO permissions (name, description) VALUES (?, ?)",
                       ('delete', 'Can delete resources'))
            conn.execute("INSERT INTO permissions (name, description) VALUES (?, ?)",
                       ('admin', 'Full administrative access'))

            # Assign permissions to roles
            conn.execute("INSERT INTO role_permissions (role_id, permission_id) VALUES (1, 1)")
            conn.execute("INSERT INTO role_permissions (role_id, permission_id) VALUES (1, 2)")
            conn.execute("INSERT INTO role_permissions (role_id, permission_id) VALUES (2, 1)")
            conn.execute("INSERT INTO role_permissions (role_id, permission_id) VALUES (2, 2)")
            conn.execute("INSERT INTO role_permissions (role_id, permission_id) VALUES (2, 3)")
            conn.execute("INSERT INTO role_permissions (role_id, permission_id) VALUES (2, 4)")

            conn.commit()
        except sqlite3.IntegrityError:
            pass

        conn.close()

class User:
    """User model"""

    @staticmethod
    def create(username, email, password, role='user'):
        """Create a new user"""
        conn = Database.get_connection()

        role_row = conn.execute("SELECT id FROM roles WHERE name = ?", (role,)).fetchone()
        if not role_row:
            conn.close()
            raise ValueError(f"Role '{role}' does not exist")

        role_id = role_row['id']
        password_hash = generate_password_hash(password)

        try:
            cursor = conn.execute(
                "INSERT INTO users (username, email, password_hash, role_id) VALUES (?, ?, ?, ?)",
                (username, email, password_hash, role_id)
            )
            conn.commit()
            user_id = cursor.lastrowid
            user = User.get_by_id(user_id)
            conn.close()
            return user
        except sqlite3.IntegrityError:
            conn.close()
            raise ValueError("Username or email already exists")

    @staticmethod
    def get_by_email(email):
        """Get user by email"""
        conn = Database.get_connection()
        row = conn.execute(
            '''SELECT u.*, r.name as role_name
               FROM users u
               JOIN roles r ON u.role_id = r.id
               WHERE u.email = ?''',
            (email,)
        ).fetchone()
        conn.close()
        return dict(row) if row else None

    @staticmethod
    def get_by_id(user_id):
        """Get user by ID"""
        conn = Database.get_connection()
        row = conn.execute(
            '''SELECT u.*, r.name as role_name
               FROM users u
               JOIN roles r ON u.role_id = r.id
               WHERE u.id = ?''',
            (user_id,)
        ).fetchone()
        conn.close()
        return dict(row) if row else None

    @staticmethod
    def verify_password(user, password):
        """Verify user password"""
        return check_password_hash(user['password_hash'], password)

    @staticmethod
    def get_permissions(user_id):
        """Get user permissions"""
        conn = Database.get_connection()
        rows = conn.execute(
            '''SELECT p.name
               FROM permissions p
               JOIN role_permissions rp ON p.id = rp.permission_id
               JOIN users u ON u.role_id = rp.role_id
               WHERE u.id = ?''',
            (user_id,)
        ).fetchall()
        conn.close()
        return [row['name'] for row in rows]


# **Authentication Logic:**


In [None]:
import jwt
from datetime import datetime
from functools import wraps
from flask import request, jsonify

def generate_token(user):
    """Generate JWT token for user"""
    payload = {
        'user_id': user['id'],
        'email': user['email'],
        'role': user['role_name'],
        'exp': datetime.utcnow() + Config.JWT_EXPIRATION,
        'iat': datetime.utcnow()
    }

    token = jwt.encode(payload, Config.SECRET_KEY, algorithm=Config.JWT_ALGORITHM)
    return token

def decode_token(token):
    """Decode and validate JWT token"""
    try:
        payload = jwt.decode(token, Config.SECRET_KEY, algorithms=[Config.JWT_ALGORITHM])
        return payload
    except jwt.ExpiredSignatureError:
        return None
    except jwt.InvalidTokenError:
        return None

def get_token_from_header():
    """Extract token from Authorization header"""
    auth_header = request.headers.get('Authorization')
    if not auth_header:
        return None

    try:
        token = auth_header.split(' ')[1]
        return token
    except IndexError:
        return None

def login_required(f):
    """Decorator to protect routes requiring authentication"""
    @wraps(f)
    def decorated_function(*args, **kwargs):
        token = get_token_from_header()

        if not token:
            return jsonify({'error': 'Authentication required', 'message': 'No token provided'}), 401

        payload = decode_token(token)
        if not payload:
            return jsonify({'error': 'Authentication failed', 'message': 'Invalid or expired token'}), 401

        user = User.get_by_id(payload['user_id'])
        if not user:
            return jsonify({'error': 'User not found'}), 404

        request.current_user = user
        return f(*args, **kwargs)

    return decorated_function

def admin_required(f):
    """Decorator to protect routes requiring admin role"""
    @wraps(f)
    @login_required
    def decorated_function(*args, **kwargs):
        user = request.current_user

        if user['role_name'] != 'admin':
            return jsonify({
                'error': 'Access denied',
                'message': 'Admin privileges required'
            }), 403

        return f(*args, **kwargs)

    return decorated_function


# **Flask app & routes:**


In [None]:
from flask import Flask
import re

def validate_email(email):
    """Validate email format"""
    pattern = r'^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$'
    return re.match(pattern, email) is not None

def validate_password(password):
    """Validate password strength"""
    if len(password) < 8:
        return False, "Password must be at least 8 characters long"
    if not any(c.isupper() for c in password):
        return False, "Password must contain at least one uppercase letter"
    if not any(c.islower() for c in password):
        return False, "Password must contain at least one lowercase letter"
    if not any(c.isdigit() for c in password):
        return False, "Password must contain at least one digit"
    return True, ""

def create_app():
    """Create Flask application"""
    app = Flask(__name__)
    app.config.from_object(Config)

    # Initialize database
    Database.init_db()

    @app.route('/')
    def home():
        """Home endpoint"""
        return jsonify({
            'message': 'User Authentication & Authorization System',
            'version': '1.0.0 (Google Colab Edition)',
            'endpoints': {
                'POST /register': 'Register a new user',
                'POST /login': 'Login and get JWT token',
                'GET /users/me': 'Get current user info (requires authentication)',
                'GET /admin': 'Admin-only endpoint (requires admin role)'
            }
        })

    @app.route('/register', methods=['POST'])
    def register():
        """Register a new user"""
        data = request.get_json()

        if not data:
            return jsonify({'error': 'No data provided'}), 400

        username = data.get('username', '').strip()
        email = data.get('email', '').strip()
        password = data.get('password', '')
        role = data.get('role', 'user')

        if not username:
            return jsonify({'error': 'Username is required'}), 400
        if not email:
            return jsonify({'error': 'Email is required'}), 400
        if not password:
            return jsonify({'error': 'Password is required'}), 400

        if not validate_email(email):
            return jsonify({'error': 'Invalid email format'}), 400

        is_valid, message = validate_password(password)
        if not is_valid:
            return jsonify({'error': message}), 400

        if role not in ['user', 'admin']:
            return jsonify({'error': 'Invalid role. Must be "user" or "admin"'}), 400

        try:
            user = User.create(username, email, password, role)
            token = generate_token(user)

            return jsonify({
                'message': 'User registered successfully',
                'user': {
                    'id': user['id'],
                    'username': user['username'],
                    'email': user['email'],
                    'role': user['role_name']
                },
                'token': token
            }), 201
        except ValueError as e:
            return jsonify({'error': str(e)}), 400

    @app.route('/login', methods=['POST'])
    def login():
        """Login user"""
        data = request.get_json()

        if not data:
            return jsonify({'error': 'No data provided'}), 400

        email = data.get('email', '').strip()
        password = data.get('password', '')

        if not email or not password:
            return jsonify({'error': 'Email and password are required'}), 400

        user = User.get_by_email(email)
        if not user:
            return jsonify({'error': 'Invalid email or password'}), 401

        if not User.verify_password(user, password):
            return jsonify({'error': 'Invalid email or password'}), 401

        token = generate_token(user)

        return jsonify({
            'message': 'Login successful',
            'user': {
                'id': user['id'],
                'username': user['username'],
                'email': user['email'],
                'role': user['role_name']
            },
            'token': token
        }), 200

    @app.route('/users/me', methods=['GET'])
    @login_required
    def get_current_user():
        """Get current user info"""
        user = request.current_user
        permissions = User.get_permissions(user['id'])

        return jsonify({
            'user': {
                'id': user['id'],
                'username': user['username'],
                'email': user['email'],
                'role': user['role_name'],
                'permissions': permissions,
                'created_at': user['created_at']
            }
        }), 200

    @app.route('/admin', methods=['GET'])
    @admin_required
    def admin_endpoint():
        """Admin-only endpoint"""
        user = request.current_user

        return jsonify({
            'message': 'Welcome to the admin panel',
            'admin': {
                'id': user['id'],
                'username': user['username'],
                'email': user['email']
            },
            'access_level': 'full'
        }), 200

    return app


# **Start server (GET PUBLIC URL HERE):**

In [None]:
from pyngrok import ngrok
import threading

# Create Flask app
app = create_app()

# Set ngrok auth token
ngrok.set_auth_token("2ziogsZnboFUwEDalhfVoIXNHYg_2SqEcYMcg8dVSWVT8qoyM")

# Start ngrok tunnel
public_url = ngrok.connect(5000)
print('SERVER STARTED!')
print('=' * 60)
print(f'Public URL: {public_url}')
print('=' * 60)
print('\n Your API is now accessible at the URL above!')
print('Use this URL to test the endpoints\n')

# Run Flask in background thread
def run_flask():
    app.run(port=5000, use_reloader=False)

flask_thread = threading.Thread(target=run_flask)
flask_thread.daemon = True
flask_thread.start()

print('⏳ Server is running... Keep this cell running!\n')



SERVER STARTED!
Public URL: NgrokTunnel: "https://da093dd9b8d3.ngrok-free.app" -> "http://localhost:5000"

 Your API is now accessible at the URL above!
Use this URL to test the endpoints

⏳ Server is running... Keep this cell running!



# **Automated tests:**

In [None]:
import requests
import json

# Get the public URL (extract the actual URL string)
BASE_URL = public_url.public_url

print("TESTING AUTHENTICATION SYSTEM")
print("=" * 60)

# Test 1: Register a user
print("\n1️⃣ Registering a new user...")
register_data = {
    "username": "testuser",
    "email": "test@example.com",
    "password": "Test1234"
}
response = requests.post(f"{BASE_URL}/register", json=register_data)
print(f"Status: {response.status_code}")
print(f"Response: {json.dumps(response.json(), indent=2)}")

if response.status_code == 201:
    user_token = response.json()['token']
    print(f"\n✅ User registered! Token saved.")
else:
    print("❌ Registration failed!")
    user_token = None

# Test 2: Register an admin
print("\n2️⃣ Registering an admin user...")
admin_data = {
    "username": "admin",
    "email": "admin@example.com",
    "password": "Admin1234",
    "role": "admin"
}
response = requests.post(f"{BASE_URL}/register", json=admin_data)
print(f"Status: {response.status_code}")
print(f"Response: {json.dumps(response.json(), indent=2)}")

if response.status_code == 201:
    admin_token = response.json()['token']
    print(f"\n✅ Admin registered! Token saved.")
else:
    print("❌ Admin registration failed!")
    admin_token = None

# Test 3: Login
print("\n3️⃣ Testing login...")
login_data = {
    "email": "test@example.com",
    "password": "Test1234"
}
response = requests.post(f"{BASE_URL}/login", json=login_data)
print(f"Status: {response.status_code}")
print(f"Response: {json.dumps(response.json(), indent=2)}")

# Test 4: Get current user (protected route)
if user_token:
    print("\n4️⃣ Getting current user info (with auth)...")
    headers = {"Authorization": f"Bearer {user_token}"}
    response = requests.get(f"{BASE_URL}/users/me", headers=headers)
    print(f"Status: {response.status_code}")
    print(f"Response: {json.dumps(response.json(), indent=2)}")

# Test 5: Try accessing admin endpoint as regular user
if user_token:
    print("\n5️⃣ Trying to access admin endpoint as regular user...")
    headers = {"Authorization": f"Bearer {user_token}"}
    response = requests.get(f"{BASE_URL}/admin", headers=headers)
    print(f"Status: {response.status_code}")
    print(f"Response: {json.dumps(response.json(), indent=2)}")

# Test 6: Access admin endpoint as admin
if admin_token:
    print("\n6️⃣ Accessing admin endpoint as admin...")
    headers = {"Authorization": f"Bearer {admin_token}"}
    response = requests.get(f"{BASE_URL}/admin", headers=headers)
    print(f"Status: {response.status_code}")
    print(f"Response: {json.dumps(response.json(), indent=2)}")

print("\n" + "=" * 60)
print("✅ ALL TESTS COMPLETED!")
print("=" * 60)
print(f"\n You can now test manually using: {BASE_URL}")
print(" Save your tokens for authentication:")
if user_token:
    print(f"\n User Token:\n{user_token}")
if admin_token:
    print(f"\n Admin Token:\n{admin_token}")


TESTING AUTHENTICATION SYSTEM

1️⃣ Registering a new user...


  'exp': datetime.utcnow() + Config.JWT_EXPIRATION,
  'iat': datetime.utcnow()
INFO:werkzeug:127.0.0.1 - - [22/Oct/2025 19:42:34] "[35m[1mPOST /register HTTP/1.1[0m" 201 -


Status: 201
Response: {
  "message": "User registered successfully",
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoxLCJlbWFpbCI6InRlc3RAZXhhbXBsZS5jb20iLCJyb2xlIjoidXNlciIsImV4cCI6MTc2MTI0ODU1NCwiaWF0IjoxNzYxMTYyMTU0fQ.bAIyNjqmhzdEosCD9IKCjR1lJH8yIUBD9ejeGyE1gsI",
  "user": {
    "email": "test@example.com",
    "id": 1,
    "role": "user",
    "username": "testuser"
  }
}

✅ User registered! Token saved.

2️⃣ Registering an admin user...


INFO:werkzeug:127.0.0.1 - - [22/Oct/2025 19:42:35] "[35m[1mPOST /register HTTP/1.1[0m" 201 -


Status: 201
Response: {
  "message": "User registered successfully",
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoyLCJlbWFpbCI6ImFkbWluQGV4YW1wbGUuY29tIiwicm9sZSI6ImFkbWluIiwiZXhwIjoxNzYxMjQ4NTU1LCJpYXQiOjE3NjExNjIxNTV9.V6Fdeh4MsRzQWcjJbBh0UlnkcVASV6uadpS6o8RK0fg",
  "user": {
    "email": "admin@example.com",
    "id": 2,
    "role": "admin",
    "username": "admin"
  }
}

✅ Admin registered! Token saved.

3️⃣ Testing login...


INFO:werkzeug:127.0.0.1 - - [22/Oct/2025 19:42:35] "POST /login HTTP/1.1" 200 -


Status: 200
Response: {
  "message": "Login successful",
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoxLCJlbWFpbCI6InRlc3RAZXhhbXBsZS5jb20iLCJyb2xlIjoidXNlciIsImV4cCI6MTc2MTI0ODU1NSwiaWF0IjoxNzYxMTYyMTU1fQ.i6kFt50SnJHSS-gqHqZpt_-n6Gv7XxD5MeKlB14YlJU",
  "user": {
    "email": "test@example.com",
    "id": 1,
    "role": "user",
    "username": "testuser"
  }
}

4️⃣ Getting current user info (with auth)...


INFO:werkzeug:127.0.0.1 - - [22/Oct/2025 19:42:36] "GET /users/me HTTP/1.1" 200 -


Status: 200
Response: {
  "user": {
    "created_at": "2025-10-22 19:42:34",
    "email": "test@example.com",
    "id": 1,
    "permissions": [
      "read",
      "write"
    ],
    "role": "user",
    "username": "testuser"
  }
}

5️⃣ Trying to access admin endpoint as regular user...


INFO:werkzeug:127.0.0.1 - - [22/Oct/2025 19:42:36] "[31m[1mGET /admin HTTP/1.1[0m" 403 -


Status: 403
Response: {
  "error": "Access denied",
  "message": "Admin privileges required"
}

6️⃣ Accessing admin endpoint as admin...


INFO:werkzeug:127.0.0.1 - - [22/Oct/2025 19:42:36] "GET /admin HTTP/1.1" 200 -


Status: 200
Response: {
  "access_level": "full",
  "admin": {
    "email": "admin@example.com",
    "id": 2,
    "username": "admin"
  },
  "message": "Welcome to the admin panel"
}

✅ ALL TESTS COMPLETED!

 You can now test manually using: https://da093dd9b8d3.ngrok-free.app
 Save your tokens for authentication:

 User Token:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoxLCJlbWFpbCI6InRlc3RAZXhhbXBsZS5jb20iLCJyb2xlIjoidXNlciIsImV4cCI6MTc2MTI0ODU1NCwiaWF0IjoxNzYxMTYyMTU0fQ.bAIyNjqmhzdEosCD9IKCjR1lJH8yIUBD9ejeGyE1gsI

 Admin Token:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoyLCJlbWFpbCI6ImFkbWluQGV4YW1wbGUuY29tIiwicm9sZSI6ImFkbWluIiwiZXhwIjoxNzYxMjQ4NTU1LCJpYXQiOjE3NjExNjIxNTV9.V6Fdeh4MsRzQWcjJbBh0UlnkcVASV6uadpS6o8RK0fg


# **Manual testing helper:**

In [None]:
def test_endpoint(method, endpoint, token=None, data=None):
    """Helper function to test endpoints manually"""
    url = f"{BASE_URL}{endpoint}"
    headers = {}

    if token:
        headers["Authorization"] = f"Bearer {token}"

    if method == "GET":
        response = requests.get(url, headers=headers)
    elif method == "POST":
        response = requests.post(url, json=data, headers=headers)

    print(f"\n{method} {endpoint}")
    print(f"Status: {response.status_code}")
    print(f"Response:\n{json.dumps(response.json(), indent=2)}")

    return response

# Example usage:
# test_endpoint("GET", "/", None)
# test_endpoint("POST", "/register", None, {"username": "john", "email": "john@test.com", "password": "Pass1234"})
# test_endpoint("GET", "/users/me", your_token_here)

print("✅ Helper function 'test_endpoint()' is ready to use!")
print("\nExample:")
print('test_endpoint("POST", "/login", None, {"email": "test@example.com", "password": "Test1234"})')

✅ Helper function 'test_endpoint()' is ready to use!

Example:
test_endpoint("POST", "/login", None, {"email": "test@example.com", "password": "Test1234"})
