# Auth Basics Lab

In this lab, you'll learn the fundamentals of API authentication and how to manage sensitive configuration using environment variables.

**What you'll learn:**
- Why authentication matters
- Using environment variables for secrets
- Implementing API key authentication
- Introduction to token-based authentication

**Prerequisites:**
- Completed the FastAPI CRUD lab
- Basic understanding of HTTP headers

**Time:** ~30 minutes

---

## Part 1: Why Authentication?

Without authentication, anyone can:
- Read all your data
- Create fake data
- Delete everything
- Impersonate users

Authentication answers: **"Who are you?"**

Authorization answers: **"What are you allowed to do?"**

### Common Authentication Methods

| Method | How it works | Best for |
|--------|--------------|----------|
| **API Key** | Secret key in header/query | Simple APIs, server-to-server |
| **Bearer Token** | Token in Authorization header | User authentication |
| **OAuth 2.0** | Token exchange protocol | Third-party integrations |
| **Session/Cookie** | Server-stored session | Traditional web apps |

In this lab, we'll implement API key authentication (simplest) and introduce bearer tokens.

---

## Part 2: Environment Variables

**Never put secrets directly in your code!**

```python
# ❌ BAD - Secret in code (will end up in Git)
API_KEY = "super-secret-key-123"

# ✅ GOOD - Secret from environment
API_KEY = os.getenv("API_KEY")
```

### Why Environment Variables?

1. **Security** — Secrets don't end up in Git
2. **Flexibility** — Different values for dev/staging/production
3. **Separation** — Code and configuration are separate

### Setting Environment Variables

**Option 1: Terminal (temporary)**

```bash
# Linux/Mac
export API_KEY="my-secret-key"

# Windows (PowerShell)
$env:API_KEY = "my-secret-key"

# Windows (CMD)
set API_KEY=my-secret-key
```

**Option 2: .env file (recommended for development)**

Create a `.env` file:
```
API_KEY=my-secret-key
DATABASE_URL=sqlite:///./app.db
DEBUG=true
```

**Important:** Add `.env` to your `.gitignore`!

---

## Part 3: Using python-dotenv

The `python-dotenv` library loads `.env` files automatically.

### Install it:

```bash
pip install python-dotenv
```

### Create `.env` file:

```
API_KEY=my-super-secret-api-key-12345
APP_NAME=Task API
DEBUG=true
```

### Create `.env.example` (for documentation):

```
API_KEY=your-api-key-here
APP_NAME=Task API
DEBUG=false
```

This file shows what variables are needed without revealing actual secrets.

### Load in Python:

```python
import os
from dotenv import load_dotenv

# Load .env file
load_dotenv()

# Access variables
API_KEY = os.getenv("API_KEY")
APP_NAME = os.getenv("APP_NAME", "Default App Name")  # With default
DEBUG = os.getenv("DEBUG", "false").lower() == "true"  # Convert to bool

print(f"App: {APP_NAME}")
print(f"Debug mode: {DEBUG}")
print(f"API Key loaded: {API_KEY is not None}")
```

---

## Part 4: API Key Authentication

Let's add API key authentication to our Task API.

### Update `main.py`:

```python
import os
from dotenv import load_dotenv
from fastapi import FastAPI, HTTPException, Depends, Header
from pydantic import BaseModel
from typing import Optional

# Load environment variables
load_dotenv()

API_KEY = os.getenv("API_KEY")
if not API_KEY:
    raise ValueError("API_KEY environment variable is required")

app = FastAPI(title="Task API with Auth")

# --- Authentication ---

def verify_api_key(x_api_key: str = Header(...)):
    """
    Dependency that verifies the API key from request header.
    
    Usage: Include X-API-Key header in requests
    """
    if x_api_key != API_KEY:
        raise HTTPException(
            status_code=401,
            detail="Invalid API key"
        )
    return x_api_key
```

### Apply to Endpoints:

```python
# Public endpoint - no auth required
@app.get("/")
def read_root():
    return {"message": "Welcome! Use /docs to see available endpoints."}

# Protected endpoint - requires API key
@app.get("/tasks", dependencies=[Depends(verify_api_key)])
def list_tasks():
    return list(tasks_db.values())

# Another protected endpoint
@app.post("/tasks", dependencies=[Depends(verify_api_key)])
def create_task(task: TaskCreate):
    # ... create task
    pass
```

### Test it:

```bash
# Without API key (should fail with 401)
curl http://localhost:8000/tasks

# With API key (should work)
curl http://localhost:8000/tasks \
  -H "X-API-Key: my-super-secret-api-key-12345"
```

---

## Part 5: FastAPI Dependencies

Dependencies are a powerful FastAPI feature. They let you:
- Share logic across endpoints
- Run code before the endpoint function
- Inject values into endpoints

### How Dependencies Work:

```python
from fastapi import Depends

def get_current_user(x_api_key: str = Header(...)):
    """Dependency that returns the current user"""
    # In a real app, you'd look up the user by their API key
    if x_api_key == API_KEY:
        return {"user_id": 1, "username": "admin"}
    raise HTTPException(status_code=401, detail="Invalid key")

@app.get("/me")
def read_current_user(user: dict = Depends(get_current_user)):
    """The dependency runs first, then the result is passed to 'user'"""
    return user
```

### Apply Auth to All Endpoints:

Instead of adding `dependencies=[Depends(...)]` to every endpoint, you can apply it globally:

```python
from fastapi import APIRouter

# Create a router with auth dependency
protected_router = APIRouter(
    prefix="/api",
    dependencies=[Depends(verify_api_key)]
)

@protected_router.get("/tasks")
def list_tasks():
    return list(tasks_db.values())

@protected_router.post("/tasks")
def create_task(task: TaskCreate):
    # ...
    pass

# Include the router in the app
app.include_router(protected_router)
```

---

## Part 6: Bearer Token Authentication

For user authentication, bearer tokens are more common than API keys.

### How Bearer Tokens Work:

1. User logs in with username/password
2. Server returns a token (like a temporary pass)
3. User includes token in subsequent requests
4. Server validates the token

```
POST /login
{"username": "jane", "password": "secret"}
         │
         ▼
{"access_token": "eyJhbGciOiJIUzI1NiIs..."}
         │
         ▼
GET /tasks
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
```

### Simple Bearer Token Example:

```python
from fastapi import Depends
from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials

security = HTTPBearer()

def verify_token(credentials: HTTPAuthorizationCredentials = Depends(security)):
    """
    Verify the bearer token.
    In a real app, you'd decode a JWT or look up the token in a database.
    """
    token = credentials.credentials
    
    # Simple example: just check if token exists
    # In reality, you'd validate a JWT or check a database
    if token != "valid-token-123":
        raise HTTPException(status_code=401, detail="Invalid token")
    
    return {"user_id": 1, "username": "jane"}

@app.get("/protected")
def protected_route(user: dict = Depends(verify_token)):
    return {"message": f"Hello, {user['username']}!"}
```

### Test it:

```bash
# With bearer token
curl http://localhost:8000/protected \
  -H "Authorization: Bearer valid-token-123"
```

---

## Part 7: Complete Example

Here's a complete example with API key authentication:

```python
import os
from dotenv import load_dotenv
from fastapi import FastAPI, HTTPException, Depends, Header
from pydantic import BaseModel
from typing import Optional

# Load environment variables
load_dotenv()

API_KEY = os.getenv("API_KEY", "dev-key-for-testing")

app = FastAPI(title="Task API with Auth")

# --- Models ---

class TaskCreate(BaseModel):
    title: str
    description: Optional[str] = None

class Task(BaseModel):
    id: int
    title: str
    description: Optional[str] = None
    completed: bool = False

# --- Database ---

tasks_db: dict[int, dict] = {}
next_id = 1

# --- Authentication ---

def verify_api_key(x_api_key: str = Header(..., description="API key for authentication")):
    if x_api_key != API_KEY:
        raise HTTPException(status_code=401, detail="Invalid API key")
    return x_api_key

# --- Endpoints ---

@app.get("/")
def read_root():
    """Public endpoint - no auth required"""
    return {"message": "Welcome to Task API", "docs": "/docs"}

@app.get("/tasks", response_model=list[Task])
def list_tasks(api_key: str = Depends(verify_api_key)):
    """List all tasks (requires API key)"""
    return list(tasks_db.values())

@app.post("/tasks", response_model=Task, status_code=201)
def create_task(task: TaskCreate, api_key: str = Depends(verify_api_key)):
    """Create a new task (requires API key)"""
    global next_id
    new_task = {
        "id": next_id,
        "title": task.title,
        "description": task.description,
        "completed": False
    }
    tasks_db[next_id] = new_task
    next_id += 1
    return new_task

@app.delete("/tasks/{task_id}", status_code=204)
def delete_task(task_id: int, api_key: str = Depends(verify_api_key)):
    """Delete a task (requires API key)"""
    if task_id not in tasks_db:
        raise HTTPException(status_code=404, detail="Task not found")
    del tasks_db[task_id]
    return None
```

---

## Part 8: Security Best Practices

### Do:

✅ Store secrets in environment variables  
✅ Add `.env` to `.gitignore`  
✅ Provide `.env.example` for documentation  
✅ Use HTTPS in production  
✅ Validate and sanitize all input  
✅ Return generic error messages (don't leak info)  

### Don't:

❌ Hardcode secrets in code  
❌ Commit `.env` files to Git  
❌ Put API keys in URLs (they get logged)  
❌ Return detailed error messages to users  
❌ Use weak or predictable keys  

### Example `.gitignore`:

```
# Environment variables
.env
.env.local
.env.*.local

# Python
__pycache__/
*.pyc
venv/

# IDE
.vscode/
.idea/
```

---

## Summary

| Concept | What it does |
|---------|-------------|
| **Environment variables** | Store configuration outside code |
| **python-dotenv** | Load `.env` files automatically |
| **API Key auth** | Simple authentication using a secret key |
| **Bearer Token auth** | Token-based authentication for users |
| **FastAPI Dependencies** | Share logic across endpoints |

### Key Files:

- `.env` — Your secrets (never commit!)
- `.env.example` — Template showing required variables
- `.gitignore` — Excludes `.env` from Git

---

## Exercises

1. **Add multiple API keys** — Support multiple valid API keys (e.g., different keys for different users)

2. **Rate limiting concept** — Think about how you'd limit requests per API key (don't implement, just plan)

3. **Login endpoint** — Create a `/login` endpoint that accepts username/password and returns a token

---

## Next Steps

Continue to the **[SQLite Lab](./sqlite_lab.ipynb)** to add database persistence to your API.