## **Flask-RESTX Authentication**

This lesson provides examples of implementing  
1. **Basic Authentication**
2.  **Token-Based Authentication**
3.  **JWT   Authentication**  


It incorporates  **Role-Based Authorization** to restrict access to endpoints based on user roles. Finally, it demonstrates how to  combine these methods, complete with Swagger documentation for each endpoint.  

---

In [None]:
%pip install flask --break-system-packages
%pip install flask-restx  --break-system-packages
%pip install flask flask-sqlalchemy   --break-system-packages
%pip install  mysql-connector-python --break-system-packages


## **1. Basic Authentication with Role-Based Access**

Basic authentication involves sending the username and password with each request (encoded in Base64). Role-based access control ensures only users with the appropriate role can access specific endpoints.


Basic Authentication is a simple method for enforcing access control. The client sends the username and password in the `Authorization` header of each HTTP request. These credentials are encoded using Base64 but are not encrypted. Therefore, it is recommended to use Basic Authentication only over HTTPS.

**How it works:**
- The client includes an `Authorization` header in the format `Basic <Base64(username:password)>`.
- The server decodes and verifies the credentials.
- If valid, the server processes the request; otherwise, it rejects it with a `401 Unauthorized` status.

- The client includes an `Authorization` header in the format `Basic <Base64(username:password)>`.
- The server decodes and verifies the credentials.
- If valid, the server processes the request; otherwise, it rejects it with a `401 Unauthorized` status.

---
## **Illustration of Request and Response:**
### Request  
    ```http
        GET /basic-user HTTP/1.1
        Host: example.com
        HEADER:
            Authorization: Basic dXNlcjpwYXNzd29yZA==
    ```
### Response (Success)    
    ```http
        HTTP/1.1 200 OK
        {
        "message": "Welcome, User!"
        }
    ```

### Response (Unauthorized)  
    ```http
        HTTP/1.1 401 Unauthorized
        {
        "message": "Invalid credentials"
        }
    ```

---

**Advantages:**
- Simple to implement.
- No need for additional infrastructure.

**Disadvantages:**
- Credentials are sent with every request, increasing the risk of exposure.
- Base64 encoding is not secure.
- No support for token revocation.
 

In [None]:
import base64
from http import HTTPStatus # encryption schema
from flask import Flask, request, g  # Import Flask, request, and g object 
from flask_sqlalchemy import SQLAlchemy  # Import SQLAlchemy for database management
from flask_restx import Api, Resource, Namespace, fields  # Import Flask-RESTx components
from werkzeug.security import generate_password_hash, check_password_hash  # Import password hashing utilities
from functools import wraps  # Import wraps for decorators
from enum import Enum  # Import Enum for user roles
import nest_asyncio  # Import nest_asyncio for Jupyter Notebook compatibility
from werkzeug.serving import run_simple  # Import run_simple to run the Flask app

# Apply nest_asyncio for Jupyter Notebook compatibility
nest_asyncio.apply()

# Initialize Flask application
app = Flask(__name__)
# Configure SQLAlchemy with MySQL database URI
app.config['SQLALCHEMY_DATABASE_URI'] = "mysql+mysqlconnector://root:top!secret@localhost:3307/test_51"
# Disable SQLAlchemy track modifications to save resources
app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False

api = Api(
    app,
    title="Basic Auth API",
    version="1.0",
    description="Basic Authentication Example with Role-Based Access",
    authorizations={
        'basic': {
            'type': 'basic',
            'description': "Basic Authentication - Provide `username:password` in Base64."
        }
    }
)

# Initialize SQLAlchemy with Flask app
db = SQLAlchemy(app)

# Enum for User roles
class UserRole(Enum):
    ADMIN = 'admin'
    USER = 'user'
    GUEST = 'guest'
    
# Database Model for User
class User(db.Model):
    __tablename__ = 'users'

    id = db.Column(db.Integer, primary_key=True)  # Primary key
    username = db.Column(db.String(50), unique=True, nullable=False)  # Unique username
    password_hash = db.Column(db.String(255), nullable=False)  # Password hash
    role = db.Column(db.String(20), default=UserRole.USER.value, nullable=False)  # User role
    
    # Method to set the password hash
    def set_password(self, password):
        self.password_hash = generate_password_hash(password)
        
    # Method to check password
    def check_password(self, password) -> bool:
        return check_password_hash(self.password_hash, password)
    
# Create all database tables
with app.app_context():
    db.create_all()

    with app.app_context():
        if not User.query.filter_by(username='kahse').first():
            admin_user = User(username='kahse', role= UserRole.ADMIN.value) # username= 'kahse', role='kahse', password = None
            admin_user.set_password('kahsepassword') # username= 'kahse', role='adnub', password = 'xxxxxxxxxx'
            db.session.add(admin_user)
            
        if not User.query.filter_by(username='adam').first():
            regular_user = User(username='adam', role= UserRole.USER.value) # username= 'adam', role='user', password = None
            regular_user.set_password('adampassword') # username= 'user', role='user', password = 'xxxxxxxxxx'
            db.session.add(regular_user)
            
        if not User.query.filter_by(username='haile').first():
            guest_user = User(username='haile', role= UserRole.GUEST.value) # username= 'haile', role='guest', password = None
            guest_user.set_password('hailepassword') # username= 'user', role='guest', password = 'xxxxxxxxxx'
            db.session.add(guest_user)
            
        db.session.commit()
        
# Namespace for authentication endpoints
auth_ns = Namespace('auth', description="Authentication Endpoints")

# Add namespace to API
api.add_namespace(auth_ns)

# Swagger Model for Basic Authentication
basic_auth_model = auth_ns.model('BasicAuth', {
    'username': fields.String(required=True, description="User's username"),
    'password': fields.String(required=True, description="User's password")
})


# Decorator for Basic Authentication with role-based access
def basic_auth_required(allowed_roles: list[UserRole]):
    # Outer decorator function
    def decorator(func):
        @wraps(func)  # Preserve the original function's metadata
        # Inner decorator function
        def wrapper(*args, **kwargs):
            auth_header = request.headers.get('Authorization') #   `Basic dXNlcjpwYXNzd29yZA==` or None
            
            if not auth_header: # If no authorization header is present
                response_data = {"message": "Authorization header is missing"}
                response_status_code = HTTPStatus.UNAUTHORIZED
                
                return response_data, response_status_code
            
            if auth_header.startswith('Basic '): # Check if the header starts with 'Basic ' meaning if the authentication typ is basic 
                try:
                        
                    """  
                    base64_credentials_meta = `Basic dXNlcjpwYXNzd29yZA==`.split(' ')
                    base64_credentials_meta = [
                        'Basic',
                        'dXNlcjpwYXNzd29yZA=='
                    ]
                    base64_credentials = base64_credentials_meta[1] # 'dXNlcjpwYXNzd29yZA=='
                    """
                    base64_credentials_meta = auth_header.split(' ') # `Basic dXNlcjpwYXNzd29yZA==` => [ 'Basic', 'dXNlcjpwYXNzd29yZA==']
                    base64_credentials = base64_credentials_meta[1]  # base64_credentials = dXNlcjpwYXNzd29yZA==` 
                    credentials = base64.b64decode(base64_credentials).decode('utf-8') # 'dXNlcjpwYXNzd29yZA==' => `'some username':'some hashed password'`
                    provided_username, provided_password = credentials.split(":") # ['some username', 'some hashed password']
                    user = User.query.filter_by(username=provided_username).first() # User(username='some username', password='some hashed password', role='some role') or None
                    
                    if not user or not user.check_password(provided_password): # If user does not exist or password is incorrect
                        response_data = {"message": "Invalid credentials"}
                        response_status_code = HTTPStatus.UNAUTHORIZED
                        
                        return response_data, response_status_code
                    """ 
                    allowed_roles = [
                        UserRole.ADMIN,
                        UserRole.User,
                        UserRole.Guest,
                    ] # list of enum
                    UserRole.ADMIN.value
                    allowed_roles_str = [role.value for role in allowed_roles]
                    
                    user.role = 'admin' | 'user' | 'guest'
                    
                    allowed_roles_str= []
                    1st loop
                    role = UserRole.ADMIN
                    str_val = role.value = 'admin'
                    allowed_roles_str.append(str_val) = ['admin']
                    
                    2nd loop
                    role = UserRole.User
                    str_val = role.value = 'user'
                    allowed_roles_str.append(str_val) = ['admin', 'user']
                    
                    3rd loop
                    role = UserRole.GUEST
                    str_val = role.value = 'guest'
                    allowed_roles_str.append(str_val) = ['admin', 'user', 'guest']
                    
                    allowed_roles_str = [
                        'admin',
                        'user',
                        'guest',
                    ]
                    """
                    if user.role not in [role.value for role in allowed_roles]:
                        response_data = {"message": "Access forbidden: Insufficient permissions"}
                        response_status_code = HTTPStatus.FORBIDDEN
                        
                        return response_data, response_status_code
                    g.current_user = {'username': user.username, "role": user.role}
                    
                    return func(*args, **kwargs)
                except Exception as e:
                    response_data = {"message": f"Basic Authentication error: {str(e)}"}
                    response_status_code = HTTPStatus.UNAUTHORIZED
                    
                    return response_data, response_status_code
 
        return wrapper
    return decorator

# Endpoint for user registration
@auth_ns.route('/register')
class Register(Resource):
    @auth_ns.expect(basic_auth_model, validate=True)
    @auth_ns.response(HTTPStatus.CREATED, 'User Registered Successfully')
    @auth_ns.response(HTTPStatus.CONFLICT, 'Username already exists')
    def post(self)-> tuple[dict, int]:
        # data = request.json  # Get the JSON data from the request
        # data = request.get_json()  # Get the JSON data from the request
        data = api.payload  # Get the JSON data from the request or 
        username = data['username']
        password = data['password']

        # Check if the username already exists
        if User.query.filter_by(username=username).first():
            response_data = {"message": "Username already exists"}
            response_status_code = HTTPStatus.CONFLICT
            
            return response_data, response_status_code

        
        # Create a new user
        user = User(username=username, role=UserRole.USER.value) # User(username=username, role=UserRole.USER.value, password=None) 
        user.set_password(password)  # Set the user's password User(username=username, role=UserRole.USER.value, password='****') 
        db.session.add(user)  # Add the user to the session
        db.session.commit()  # Commit the session
        
        response_data = {"message": "User registered successfully"}
        response_status_code = HTTPStatus.CONFLICT
            
        return response_data, response_status_code


# Endpoint for admin access with Basic Authentication
@auth_ns.route('/basic-admin')
class BasicAdmin(Resource):
    
    @auth_ns.doc(security='basic')
    @auth_ns.response(HTTPStatus.OK, 'Access Granted')
    @auth_ns.response(HTTPStatus.UNAUTHORIZED, 'Unauthorized')
    @auth_ns.response(HTTPStatus.FORBIDDEN, "Forbidden")
    @basic_auth_required([UserRole.ADMIN])
    def get(self)-> tuple[dict, int]:
        response_data =  {"message": f"Welcome, {g.current_user['username']}!"}
        response_status_code = HTTPStatus.OK
        
        return response_data, response_status_code

# Endpoint for user access with Basic Authentication
@auth_ns.route('/basic-user')
class BasicUser(Resource):
    
    @auth_ns.doc(security='basic')
    @auth_ns.response(HTTPStatus.OK, 'Access Granted')
    @auth_ns.response(HTTPStatus.UNAUTHORIZED, 'Unauthorized')
    @auth_ns.response(HTTPStatus.FORBIDDEN, "Forbidden")
    @basic_auth_required([UserRole.ADMIN, UserRole.USER])
    def get(self)-> tuple[dict, int]:
        response_data =  {"message": f"Welcome, {g.current_user['username']}!"}
        response_status_code = HTTPStatus.OK
        
        return response_data, response_status_code
# Endpoint for guest access with Basic Authentication
@auth_ns.route('/basic-guest')
class BasicGuest(Resource):
    
    @auth_ns.doc(security='basic')
    @auth_ns.response(HTTPStatus.OK, 'Access Granted')
    @auth_ns.response(HTTPStatus.UNAUTHORIZED, 'Unauthorized')
    @auth_ns.response(HTTPStatus.FORBIDDEN, "Forbidden")
    @basic_auth_required([UserRole.ADMIN, UserRole.GUEST])
    def get(self)-> tuple[dict, int]:
        response_data =  {"message": f"Welcome, {g.current_user['username']}!"}
        response_status_code = HTTPStatus.OK
        
        return response_data, response_status_code

# Run the Flask application
run_simple("localhost", 5000, app)

In [None]:
credentials_string = "some_user:some_password"
credentials =  credentials_string.split(":") 

display(credentials)
username, password = credentials
display(username)

### **2. Token-Based Authentication**

Token-Based Authentication involves issuing a token to the client upon successful login. The client must include this token in the `Authorization` header of subsequent requests. The token acts as a unique identifier for the client.

**How it works:**
- The client sends login credentials to a dedicated endpoint (e.g., `/login`).
- The server verifies the credentials and generates a token.
- The client includes the token in the `Authorization` header in the format `Token <your_token>` for each request.
- The server verifies the token to authenticate the client.

**Advantages:**
- Tokens are independent of credentials, so passwords are not sent repeatedly.
- Tokens can have a short lifespan, improving security.
- Easy integration with APIs.

**Disadvantages:**
- Tokens must be securely stored on the client side.
- Revoking tokens can be complex without a centralized store.

---
## **Illustration of Request and Response:**

### Login Request
    ```http
        POST /login HTTP/1.1
        Host: example.com
        Content-Type: application/json

        {
        "username": "user",
        "password": "password"
        }
    ```
### Login Response
    ```http
        HTTP/1.1 200 OK
        {
        "access_token": "abc123xyz"
        }
    ```
### Accessing a Protected Route
    ```http
        GET /token-user HTTP/1.1
        Host: example.com
        Authorization: Token abc123xyz
    ```
### Response (Success)
    ```http
        HTTP/1.1 200 OK
        {
        "message": "Welcome, User!"
        }
    ```
### Response (Invalid Token)
    ```http
        HTTP/1.1 401 Unauthorized
        {
        "message": "Invalid or expired token"
        }
    ```

---

In [None]:
import base64
from http import HTTPStatus # encryption schema
from flask import Flask, request, g  # Import Flask, request, and g object 
from flask_sqlalchemy import SQLAlchemy  # Import SQLAlchemy for database management
from flask_restx import Api, Resource, Namespace, fields  # Import Flask-RESTx components
from werkzeug.security import generate_password_hash, check_password_hash  # Import password hashing utilities
from functools import wraps  # Import wraps for decorators
import secrets  # Import secrets for generating secure tokens
from datetime import datetime, timedelta, timezone  # Import datetime and timedelta for token expiration
from enum import Enum  # Import Enum for user roles
import nest_asyncio  # Import nest_asyncio for Jupyter Notebook compatibility
from werkzeug.serving import run_simple  # Import run_simple to run the Flask app

# Apply nest_asyncio for Jupyter Notebook compatibility
nest_asyncio.apply()

# Initialize Flask application
app = Flask(__name__)
# Configure SQLAlchemy with MySQL database URI
app.config['SQLALCHEMY_DATABASE_URI'] = "mysql+mysqlconnector://root:top!secret@localhost:3307/test_52"
# Disable SQLAlchemy track modifications to save resources
app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False

api = Api(
    app,
    title="Basic Auth API",
    version="1.0",
    description="Basic Authentication Example with Role-Based Access",
    authorizations={
        'basic': {
            'type': 'basic',
            'description': "Basic Authentication - Provide `username:password` in Base64."
        }, 
        'apiKey': {
            'type': 'apiKey',
            'in': 'header',
            'name': 'Authorization',
            'description': "Token Authentication - Provide `Token <your_token>` in the header."
        }
    }
)

# Initialize SQLAlchemy with Flask app
db = SQLAlchemy(app)

# Enum for User roles
class UserRole(Enum):
    ADMIN = 'admin'
    USER = 'user'
    GUEST = 'guest'
    
# Database Model for User
class User(db.Model):
    __tablename__ = 'users'

    id = db.Column(db.Integer, primary_key=True)  # Primary key
    username = db.Column(db.String(50), unique=True, nullable=False)  # Unique username
    password_hash = db.Column(db.String(255), nullable=False)  # Password hash
    role = db.Column(db.String(20), default=UserRole.USER.value, nullable=False)  # User role
    
    # Method to set the password hash
    def set_password(self, password):
        self.password_hash = generate_password_hash(password)
        
    # Method to check password
    def check_password(self, password) -> bool:
        return check_password_hash(self.password_hash, password)
    
# Database Model for Token
class Token(db.Model):
    __tablename__ = 'tokens'
    
    id = db.Column(db.Integer, primary_key=True)  # Primary key
    token = db.Column(db.String(512), unique=True, nullable=False)  # Unique token
    expires_at = db.Column(db.DateTime, nullable=False)  # Token expiration time
    user_id = db.Column(db.Integer, db.ForeignKey('users.id'), nullable=False)  # Foreign key to User model
    user = db.relationship('User', backref=db.backref('tokens', lazy=True))  # Relationship to User model | eager do in parallel, lazy do in sequence

    
# Create all database tables
with app.app_context():
    db.create_all()

    with app.app_context():
        if not User.query.filter_by(username='kahse').first():
            admin_user = User(username='kahse', role= UserRole.ADMIN.value) # username= 'kahse', role='admin', password = None
            admin_user.set_password('kahsepassword') # username= 'kahse', role='admin', password = 'xxxxxxxxxx'
            
            db.session.add(admin_user)
            db.session.commit()
            
            # Create token for admin user
            admin_token = secrets.token_hex(32) # Generate a 64-character hexadecimal token "0-9A-F"
            token_entry = Token(token=admin_token, expires_at=datetime.now(timezone.utc) + timedelta(days=1), user_id=admin_user.id) # 10:00pm tomorrow timedelta(days=1) = 10:00pm | utc = universal time ...c
            
            db.session.add(token_entry)
            db.session.commit()
            
        if not User.query.filter_by(username='adam').first():
            regular_user = User(username='adam', role= UserRole.USER.value) # username= 'adam', role='user', password = None
            regular_user.set_password('adampassword') # username= 'user', role='user', password = 'xxxxxxxxxx'
            
            db.session.add(regular_user)
            db.session.commit()
            
            # Create token for admin user
            user_token = secrets.token_hex(32) # Generate a 64-character hexadecimal token "0-9A-F"
            token_entry = Token(token=user_token, expires_at=datetime.now(timezone.utc) + timedelta(days=1), user_id=regular_user.id) # 10:00pm tomorrow timedelta(days=1) = 10:00pm | utc = universal time ...c
            
            db.session.add(token_entry)
            db.session.commit()
            
        if not User.query.filter_by(username='haile').first():
            guest_user = User(username='haile', role= UserRole.GUEST.value) # username= 'haile', role='guest', password = None
            guest_user.set_password('hailepassword') # username= 'user', role='guest', password = 'xxxxxxxxxx'
            
            db.session.add(guest_user)
            db.session.commit()
            
            # Create token for admin user
            guest_token = secrets.token_hex(32) # Generate a 64-character hexadecimal token "0-9A-F"
            token_entry = Token(token=guest_token, expires_at=datetime.now(timezone.utc) + timedelta(days=1), user_id=guest_user.id) # 10:00pm tomorrow timedelta(days=1) = 10:00pm | utc = universal time ...c
            
            db.session.add(token_entry)
            db.session.commit()
        
# Namespace for authentication endpoints
auth_ns = Namespace('auth', description="Authentication Endpoints")

# Add namespace to API
api.add_namespace(auth_ns)

# Swagger Model for Basic Authentication
basic_auth_model = auth_ns.model('BasicAuth', {
    'username': fields.String(required=True, description="User's username"),
    'password': fields.String(required=True, description="User's password")
})


# Decorator for Basic Authentication with role-based access
def basic_auth_required(allowed_roles: list[UserRole]):
    # Outer decorator function
    def decorator(func):
        @wraps(func)  # Preserve the original function's metadata
        # Inner decorator function
        def wrapper(*args, **kwargs):
            auth_header = request.headers.get('Authorization') #   `Basic dXNlcjpwYXNzd29yZA==` or None
            
            if not auth_header: # If no authorization header is present
                response_data = {"message": "Authorization header is missing"}
                response_status_code = HTTPStatus.UNAUTHORIZED
                
                return response_data, response_status_code
            
            
            # Handle Basic Authentication
            if auth_header.startswith('Basic '): # Check if the header starts with 'Basic ' meaning if the authentication typ is basic 
                try:
                        
                    """  
                    base64_credentials_meta = `Basic dXNlcjpwYXNzd29yZA==`.split(' ')
                    base64_credentials_meta = [
                        'Basic',
                        'dXNlcjpwYXNzd29yZA=='
                    ]
                    base64_credentials = base64_credentials_meta[1] # 'dXNlcjpwYXNzd29yZA=='
                    """
                    base64_credentials_meta = auth_header.split(' ') # `Basic dXNlcjpwYXNzd29yZA==` => [ 'Basic', 'dXNlcjpwYXNzd29yZA==']
                    base64_credentials = base64_credentials_meta[1]  # base64_credentials = dXNlcjpwYXNzd29yZA==` 
                    credentials = base64.b64decode(base64_credentials).decode('utf-8') # 'dXNlcjpwYXNzd29yZA==' => `'some username':'some hashed password'`
                    provided_username, provided_password = credentials.split(":") # ['some username', 'some hashed password']
                    user = User.query.filter_by(username=provided_username).first() # User(username='some username', password='some hashed password', role='some role') or None
                    
                    if not user or not user.check_password(provided_password): # If user does not exist or password is incorrect
                        response_data = {"message": "Invalid credentials"}
                        response_status_code = HTTPStatus.UNAUTHORIZED
                        
                        return response_data, response_status_code
                    """ 
                    allowed_roles = [
                        UserRole.ADMIN,
                        UserRole.User,
                        UserRole.Guest,
                    ] # list of enum
                    UserRole.ADMIN.value
                    allowed_roles_str = [role.value for role in allowed_roles]
                    
                    user.role = 'admin' | 'user' | 'guest'
                    
                    allowed_roles_str= []
                    1st loop
                    role = UserRole.ADMIN
                    str_val = role.value = 'admin'
                    allowed_roles_str.append(str_val) = ['admin']
                    
                    2nd loop
                    role = UserRole.User
                    str_val = role.value = 'user'
                    allowed_roles_str.append(str_val) = ['admin', 'user']
                    
                    3rd loop
                    role = UserRole.GUEST
                    str_val = role.value = 'guest'
                    allowed_roles_str.append(str_val) = ['admin', 'user', 'guest']
                    
                    allowed_roles_str = [
                        'admin',
                        'user',
                        'guest',
                    ]
                    """
                    if user.role not in [role.value for role in allowed_roles]:
                        response_data = {"message": "Access forbidden: Insufficient permissions"}
                        response_status_code = HTTPStatus.FORBIDDEN
                        
                        return response_data, response_status_code
                    g.current_user = {'username': user.username, "role": user.role}
                    
                    return func(*args, **kwargs)
                except Exception as e:
                    response_data = {"message": f"Basic Authentication error: {str(e)}"}
                    response_status_code = HTTPStatus.UNAUTHORIZED
                    
                    return response_data, response_status_code
            
            # Handle Token Authentication
            elif auth_header.startswith('Token '): # Check if the header starts with 'Token '
                # Token ...asdfasf.. 
                token_meta = auth_header.split(' ') # ["Token", "some token"]
                user_token = token_meta[1]  # Extract the token from the header token = "some token"
                try: 
                    # Query the token from the database
                    token_entry = Token.query.filter_by(token=user_token).first() # result Token(....) or None
                    
                    if not token_entry: # if token_entry is None | if token_entry == None
                        response_data = {"message": "Invalid or expired token"}
                        response_status_code = HTTPStatus.UNAUTHORIZED
                    
                        return response_data, response_status_code
                    
                    # Ensure both datetimes are timezone-aware for comparison
                    current_time = datetime.now(timezone.utc)
                    expires_at = token_entry.expires_at
                    
                    if expires_at.tzinfo is None: # If expires_at is naive, assume it is in UTC | tzinfo = TIMEZONE INFORMATION
                        expires_at = expires_at.replace(tzinfo=timezone.utc)
                    
                    if expires_at < current_time: # Check if token is expired
                        response_data = {"message": "User associated with token not found"}
                        response_status_code = HTTPStatus.NOT_FOUND
                    
                        return response_data, response_status_code
                    
                    # Query the user associated with the token
                    user = User.query.filter_by(id=token_entry.user_id).first() # result User(....) or None
                    
                    if not user: # if user is None | if user == None
                        response_data =  {"message": "User associated with token not found"}
                        response_status_code = HTTPStatus.NOT_FOUND
                    
                        return response_data, response_status_code
                    
                    # Check if the user's role is allowed
                    if user.role not in [role.value for role in allowed_roles]: # Compare user.role (string) with allowed_roles (list of strings)
                        response_data = {"message": "Access forbidden: Insufficient permissions"}
                        response_status_code = HTTPStatus.FORBIDDEN
                    
                        return response_data, response_status_code
                    
                    # Attach user information to the request context
                    g.current_user = {"username": user.username, "role": user.role}
                    
                    return func(*args, **kwargs)  # Call the original function
                        
                except Exception as e:
                    response_data = {"message": f"Token Authentication error: {str(e)}"}
                    response_status_code = HTTPStatus.UNAUTHORIZED
                    
                    return response_data, response_status_code
                    
        return wrapper
    return decorator

# Endpoint for user login
@auth_ns.route('/get_token')
class LoginToken(Resource):
    @auth_ns.expect(basic_auth_model, validate=True)
    @auth_ns.response(200, "Login Successful")
    @auth_ns.response(401, "Invalid Credentials")
    def post(self)-> tuple[dict, int]:
        data = api.payload 
        u_username = data["username"]
        u_password = data["password"]

        # Verify user credentials
        user = User.query.filter_by(username=u_username).first() # User(...) or None
        
        if not user or not user.check_password(password=u_password): # If user does not exist or password is incorrect
            response_data = {"message": "Invalid username or password"}
            response_status_code = HTTPStatus.UNAUTHORIZED
            
            return response_data, response_status_code

    
        # Retrieve token for the user
        token_entry = Token.query.filter_by(user_id=user.id).first()
        
        print("token_entry")
        # Ensure both datetimes are timezone-aware for comparison
        current_time = datetime.now(timezone.utc)
        expires_at = token_entry.expires_at
        
        if expires_at.tzinfo is None:  # If expires_at is naive, assume it is in UTC
            expires_at = expires_at.replace(tzinfo=timezone.utc)
        
        if expires_at < current_time:  # Check if token is expired
            response_data = {"message": "User associated with token not found"}
            response_status_code = HTTPStatus.UNAUTHORIZED
        
            return response_data, response_status_code
            
        response_data = {"token": f"Token {token_entry.token}"}
        response_status_code = HTTPStatus.OK
        
        return response_data, response_status_code
    
# Endpoint for user registration
@auth_ns.route('/register')
class Register(Resource):
    @auth_ns.expect(basic_auth_model, validate=True)
    @auth_ns.response(HTTPStatus.CREATED, 'User Registered Successfully')
    @auth_ns.response(HTTPStatus.CONFLICT, 'Username already exists')
    def post(self)-> tuple[dict, int]:
        # data = request.json  # Get the JSON data from the request
        # data = request.get_json()  # Get the JSON data from the request
        data = api.payload  # Get the JSON data from the request or 
        username = data['username']
        password = data['password']

        # Check if the username already exists
        if User.query.filter_by(username=username).first():
            response_data = {"message": "Username already exists"}
            response_status_code = HTTPStatus.CONFLICT
            
            return response_data, response_status_code

        
        # Create a new user
        user = User(username=username, role=UserRole.USER.value) # User(username=username, role=UserRole.USER.value, password=None) 
        user.set_password(password)  # Set the user's password User(username=username, role=UserRole.USER.value, password='****') 
        db.session.add(user)  # Add the user to the session
        db.session.commit()  # Commit the session
        
        response_data = {"message": "User registered successfully"}
        response_status_code = HTTPStatus.CONFLICT
            
        return response_data, response_status_code


# Endpoint for admin access with Basic Authentication
@auth_ns.route('/admin')
class BasicAdmin(Resource):
    
    @auth_ns.doc(security=['basic', 'apiKey'])
    @auth_ns.response(HTTPStatus.OK, 'Access Granted')
    @auth_ns.response(HTTPStatus.UNAUTHORIZED, 'Unauthorized')
    @auth_ns.response(HTTPStatus.FORBIDDEN, "Forbidden")
    @basic_auth_required([UserRole.ADMIN])
    def get(self)-> tuple[dict, int]:
        response_data =  {"message": f"Welcome, {g.current_user['username']}!"}
        response_status_code = HTTPStatus.OK
        
        return response_data, response_status_code

# Endpoint for user access with Basic Authentication
@auth_ns.route('/user')
class BasicUser(Resource):
    
    @auth_ns.doc(security=['basic', 'apiKey'])
    @auth_ns.response(HTTPStatus.OK, 'Access Granted')
    @auth_ns.response(HTTPStatus.UNAUTHORIZED, 'Unauthorized')
    @auth_ns.response(HTTPStatus.FORBIDDEN, "Forbidden")
    @basic_auth_required([UserRole.ADMIN, UserRole.USER])
    def get(self)-> tuple[dict, int]:
        response_data =  {"message": f"Welcome, {g.current_user['username']}!"}
        response_status_code = HTTPStatus.OK
        
        return response_data, response_status_code
# Endpoint for guest access with Basic Authentication
@auth_ns.route('/guest')
class BasicGuest(Resource):
    
    @auth_ns.doc(security=['basic', 'apiKey'])
    @auth_ns.response(HTTPStatus.OK, 'Access Granted')
    @auth_ns.response(HTTPStatus.UNAUTHORIZED, 'Unauthorized')
    @auth_ns.response(HTTPStatus.FORBIDDEN, "Forbidden")
    @basic_auth_required([UserRole.ADMIN, UserRole.GUEST])
    def get(self)-> tuple[dict, int]:
        response_data =  {"message": f"Welcome, {g.current_user['username']}!"}
        response_status_code = HTTPStatus.OK
        
        return response_data, response_status_code

# Run the Flask application
run_simple("localhost", 5000, app)

### **3. JWT Authentication**

JSON Web Tokens (JWTs) are a compact and self-contained way to securely transmit information between parties. A JWT is a string consisting of three parts: Header, Payload, and Signature. The token is signed using a secret key or a public/private key pair.

**How it works:**
- The client sends login credentials to a `/login` endpoint.
- The server verifies the credentials and generates a JWT, which includes claims (e.g., user identity and roles).
- The client includes the token in the `Authorization` header in the format `Bearer <JWT>` for each request.
- The server verifies the token and extracts the claims to authenticate the client.

**Advantages:**
- Tokens are self-contained, meaning the server does not need to store session information.
- JWTs can include additional metadata (e.g., roles, permissions).
- Works well for distributed systems.

**Disadvantages:**
- Revoking or invalidating JWTs before their expiration is challenging.
- The payload is Base64-encoded and not encrypted, so sensitive information should not be included.

---
## **Illustration of Request and Response:**

### Login Request  
    ```http
        POST /login HTTP/1.1
        Host: example.com
        Content-Type: application/json

        {
        "username": "user",
        "password": "password"
        }

    ```
### Login Response  
    ```http
        HTTP/1.1 200 OK
        {
        "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InVzZXIiLCJyb2xlIjoidXNlciJ9.qwerty123"
        }

    ```
### Accessing a Protected Route  
    ```http
        GET /jwt-user HTTP/1.1
        Host: example.com
        Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InVzZXIiLCJyb2xlIjoidXNlciJ9.qwerty123

    ```
### Response (Success)
    ```http
        HTTP/1.1 200 OK
        {
        "message": "Welcome, User!"
        }
    ```

### Response (Invalid Token)
    ```http
        HTTP/1.1 401 Unauthorized
        {
        "message": "Invalid token"
        }
    ```

---

In [None]:
import base64
from http import HTTPStatus
import json # encryption schema
from flask import Flask, request, g  # Import Flask, request, and g object 
from flask_sqlalchemy import SQLAlchemy  # Import SQLAlchemy for database management
from flask_restx import Api, Resource, Namespace, fields  # Import Flask-RESTx components
from werkzeug.security import generate_password_hash, check_password_hash  # Import password hashing utilities
from flask_jwt_extended import JWTManager, create_access_token, jwt_required, get_jwt_identity, verify_jwt_in_request  # Import JWT utilities
from functools import wraps  # Import wraps for decorators
import secrets  # Import secrets for generating secure tokens
from datetime import datetime, timedelta, timezone  # Import datetime and timedelta for token expiration
from enum import Enum  # Import Enum for user roles
import nest_asyncio  # Import nest_asyncio for Jupyter Notebook compatibility
from werkzeug.serving import run_simple  # Import run_simple to run the Flask app

# Apply nest_asyncio for Jupyter Notebook compatibility
nest_asyncio.apply()

# Initialize Flask application
app = Flask(__name__)
# Configure SQLAlchemy with MySQL database URI
app.config['SQLALCHEMY_DATABASE_URI'] = "mysql+mysqlconnector://root:top!secret@localhost:3307/test_52"
# Disable SQLAlchemy track modifications to save resources
app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
# Set the secret key for JWT
app.config['JWT_SECRET_KEY'] = 'your_secret_key'

api = Api(
    app,
    title="Basic Auth API",
    version="1.0",
    description="Basic Authentication Example with Role-Based Access",
    authorizations={
        'basic': {
            'type': 'basic',
            'description': "Basic Authentication - Provide `username:password` in Base64."
        }, 
        'apiKey': {
            'type': 'apiKey',
            'in': 'header',
            'name': 'Authorization',
            'description': "Token Authentication - Provide `Token <your_token>` in the header."
        },
        'jwt': {
            'type': 'apiKey',
            'in': 'header',
            'name': 'Authorization',
            'description': "JWT Authentication - Use `Bearer <JWT>` in the header."
            
        }
    }
)

# Initialize SQLAlchemy with Flask app
db = SQLAlchemy(app)

# Initialize JWTManager with Flask app
jwt = JWTManager(app)

# Enum for User roles
class UserRole(Enum):
    ADMIN = 'admin'
    USER = 'user'
    GUEST = 'guest'
    
# Database Model for User
class User(db.Model):
    __tablename__ = 'users'

    id = db.Column(db.Integer, primary_key=True)  # Primary key
    username = db.Column(db.String(50), unique=True, nullable=False)  # Unique username
    password_hash = db.Column(db.String(255), nullable=False)  # Password hash
    role = db.Column(db.String(20), default=UserRole.USER.value, nullable=False)  # User role
    
    # Method to set the password hash
    def set_password(self, password):
        self.password_hash = generate_password_hash(password)
        
    # Method to check password
    def check_password(self, password) -> bool:
        return check_password_hash(self.password_hash, password)
    
# Database Model for Token
class Token(db.Model):
    __tablename__ = 'tokens'
    
    id = db.Column(db.Integer, primary_key=True)  # Primary key
    token = db.Column(db.String(512), unique=True, nullable=False)  # Unique token
    expires_at = db.Column(db.DateTime, nullable=False)  # Token expiration time
    user_id = db.Column(db.Integer, db.ForeignKey('users.id'), nullable=False)  # Foreign key to User model
    user = db.relationship('User', backref=db.backref('tokens', lazy=True))  # Relationship to User model | eager do in parallel, lazy do in sequence

    
# Create all database tables
with app.app_context():
    db.create_all()

    with app.app_context():
        if not User.query.filter_by(username='kahse').first():
            admin_user = User(username='kahse', role= UserRole.ADMIN.value) # username= 'kahse', role='kahse', password = None
            admin_user.set_password('kahsepassword') # username= 'kahse', role='kahse', password = 'xxxxxxxxxx'
            
            db.session.add(admin_user)
            db.session.commit()
            
            # Create token for admin user
            admin_token = secrets.token_hex(32) # Generate a 64-character hexadecimal token "0-9A-F"
            token_entry = Token(token=admin_token, expires_at=datetime.now(timezone.utc) + timedelta(days=1), user_id=admin_user.id) # 10:00pm tomorrow timedelta(days=1) = 10:00pm | utc = universal time ...c
            
            db.session.add(token_entry)
            db.session.commit()
            
        if not User.query.filter_by(username='adam').first():
            regular_user = User(username='adam', role= UserRole.USER.value) # username= 'adam', role='adam', password = None
            regular_user.set_password('adampassword') # username= 'user', role='adam', password = 'xxxxxxxxxx'
            
            db.session.add(regular_user)
            db.session.commit()
            
            # Create token for admin user
            user_token = secrets.token_hex(32) # Generate a 64-character hexadecimal token "0-9A-F"
            token_entry = Token(token=user_token, expires_at=datetime.now(timezone.utc) + timedelta(days=1), user_id=regular_user.id) # 10:00pm tomorrow timedelta(days=1) = 10:00pm | utc = universal time ...c
            
            db.session.add(token_entry)
            db.session.commit()
            
        if not User.query.filter_by(username='haile').first():
            guest_user = User(username='haile', role= UserRole.GUEST.value) # username= 'haile', role='haile', password = None
            guest_user.set_password('hailepassword') # username= 'user', role='adam', password = 'xxxxxxxxxx'
            
            db.session.add(guest_user)
            db.session.commit()
            
            # Create token for admin user
            guest_token = secrets.token_hex(32) # Generate a 64-character hexadecimal token "0-9A-F"
            token_entry = Token(token=guest_token, expires_at=datetime.now(timezone.utc) + timedelta(days=1), user_id=guest_user.id) # 10:00pm tomorrow timedelta(days=1) = 10:00pm | utc = universal time ...c
            
            db.session.add(token_entry)
            db.session.commit()
        
# Namespace for authentication endpoints
auth_ns = Namespace('auth', description="Authentication Endpoints")

# Add namespace to API
api.add_namespace(auth_ns)

# Swagger Model for Basic Authentication
basic_auth_model = auth_ns.model('BasicAuth', {
    'username': fields.String(required=True, description="User's username"),
    'password': fields.String(required=True, description="User's password")
})


# Decorator for Basic Authentication with role-based access
def basic_auth_required(allowed_roles: list[UserRole]):
    # Outer decorator function
    def decorator(func):
        @wraps(func)  # Preserve the original function's metadata
        # Inner decorator function
        def wrapper(*args, **kwargs):
            auth_header = request.headers.get('Authorization') #   `Basic dXNlcjpwYXNzd29yZA==` or None
            
            if not auth_header: # If no authorization header is present
                response_data = {"message": "Authorization header is missing"}
                response_status_code = HTTPStatus.UNAUTHORIZED
                
                return response_data, response_status_code
            
            
            # Handle Basic Authentication
            if auth_header.startswith('Basic '): # Check if the header starts with 'Basic ' meaning if the authentication typ is basic 
                try:
                        
                    """  
                    base64_credentials_meta = `Basic dXNlcjpwYXNzd29yZA==`.split(' ')
                    base64_credentials_meta = [
                        'Basic',
                        'dXNlcjpwYXNzd29yZA=='
                    ]
                    base64_credentials = base64_credentials_meta[1] # 'dXNlcjpwYXNzd29yZA=='
                    """
                    base64_credentials_meta = auth_header.split(' ') # `Basic dXNlcjpwYXNzd29yZA==` => [ 'Basic', 'dXNlcjpwYXNzd29yZA==']
                    base64_credentials = base64_credentials_meta[1]  # base64_credentials = dXNlcjpwYXNzd29yZA==` 
                    credentials = base64.b64decode(base64_credentials).decode('utf-8') # 'dXNlcjpwYXNzd29yZA==' => `'some username':'some hashed password'`
                    provided_username, provided_password = credentials.split(":") # ['some username', 'some hashed password']
                    user = User.query.filter_by(username=provided_username).first() # User(username='some username', password='some hashed password', role='some role') or None
                    
                    if not user or not user.check_password(provided_password): # If user does not exist or password is incorrect
                        response_data = {"message": "Invalid credentials"}
                        response_status_code = HTTPStatus.UNAUTHORIZED
                        
                        return response_data, response_status_code
                    """ 
                    allowed_roles = [
                        UserRole.ADMIN,
                        UserRole.User,
                        UserRole.Guest,
                    ] # list of enum
                    UserRole.ADMIN.value
                    allowed_roles_str = [role.value for role in allowed_roles]
                    
                    user.role = 'admin' | 'user' | 'guest'
                    
                    allowed_roles_str= []
                    1st loop
                    role = UserRole.ADMIN
                    str_val = role.value = 'admin'
                    allowed_roles_str.append(str_val) = ['admin']
                    
                    2nd loop
                    role = UserRole.User
                    str_val = role.value = 'user'
                    allowed_roles_str.append(str_val) = ['admin', 'user']
                    
                    3rd loop
                    role = UserRole.GUEST
                    str_val = role.value = 'guest'
                    allowed_roles_str.append(str_val) = ['admin', 'user', 'guest']
                    
                    allowed_roles_str = [
                        'admin',
                        'user',
                        'guest',
                    ]
                    """
                    if user.role not in [role.value for role in allowed_roles]:
                        response_data = {"message": "Access forbidden: Insufficient permissions"}
                        response_status_code = HTTPStatus.FORBIDDEN
                        
                        return response_data, response_status_code
                    g.current_user = {'username': user.username, "role": user.role}
                    
                    return func(*args, **kwargs)
                except Exception as e:
                    response_data = {"message": f"Basic Authentication error: {str(e)}"}
                    response_status_code = HTTPStatus.UNAUTHORIZED
                    
                    return response_data, response_status_code
            
            # Handle Token Authentication
            elif auth_header.startswith('Token '): # Check if the header starts with 'Token '
                # Token ...asdfasf.. 
                token_meta = auth_header.split(' ') # ["Token", "some token"]
                user_token = token_meta[1]  # Extract the token from the header token = "some token"
                try: 
                    # Query the token from the database
                    token_entry = Token.query.filter_by(token=user_token).first() # result Token(....) or None
                    
                    if not token_entry: # if token_entry is None | if token_entry == None
                        response_data = {"message": "Invalid or expired token"}
                        response_status_code = HTTPStatus.UNAUTHORIZED
                    
                        return response_data, response_status_code
                    
                    # Ensure both datetimes are timezone-aware for comparison
                    current_time = datetime.now(timezone.utc)
                    expires_at = token_entry.expires_at
                    
                    if expires_at.tzinfo is None: # If expires_at is naive, assume it is in UTC | tzinfo = TIMEZONE INFORMATION
                        expires_at = expires_at.replace(tzinfo=timezone.utc)
                    
                    if expires_at < current_time: # Check if token is expired
                        response_data = {"message": "User associated with token not found"}
                        response_status_code = HTTPStatus.NOT_FOUND
                    
                        return response_data, response_status_code
                    
                    # Query the user associated with the token
                    user = User.query.filter_by(id=token_entry.user_id).first() # result User(....) or None
                    
                    if not user: # if user is None | if user == None
                        response_data =  {"message": "User associated with token not found"}
                        response_status_code = HTTPStatus.NOT_FOUND
                    
                        return response_data, response_status_code
                    
                    # Check if the user's role is allowed
                    if user.role not in [role.value for role in allowed_roles]: # Compare user.role (string) with allowed_roles (list of strings)
                        response_data = {"message": "Access forbidden: Insufficient permissions"}
                        response_status_code = HTTPStatus.FORBIDDEN
                    
                        return response_data, response_status_code
                    
                    # Attach user information to the request context
                    g.current_user = {"username": user.username, "role": user.role}
                    
                    return func(*args, **kwargs)  # Call the original function
                        
                except Exception as e:
                    response_data = {"message": f"Token Authentication error: {str(e)}"}
                    response_status_code = HTTPStatus.UNAUTHORIZED
                    
                    return response_data, response_status_code
                
            # Handle JWT/Bearer Token Authentication
            elif auth_header.startswith('Bearer '): # Check if the header starts with 'Bearer '
                try:
                    token = auth_header.split(' ')[1]  # Extract the token from the header
                    if len(token.split('.')) != 3:  # Check if the token has the correct format
                        response_data = {"message": "JWT Authentication error: Not enough segments"}
                        response_status_code = HTTPStatus.UNAUTHORIZED
                        
                        return response_data, response_status_code
                    
                    verify_jwt_in_request()  # Verify the JWT in the request  # Authorization Bearer ........ if not there it will throw exception
                    """ 
                    get_jwt_identity retrieves the decrypted stored user info from the jwt_identity store
                    """
                    user = json.loads(get_jwt_identity())  # Parse JSON string user_identity: {'username': 'admin', 'role': 'admin' .... except password} => encrypted asfdasfdasfas2234sdfaasdfas
                    user_name = user.get('username') # Extract the username from the token | username or None
                    user_role = user.get('role') # Extract the role from the token | role or None
                    
                    print(f"user_name {user_name}")
                    print(f"user_role {user_role}")
                    
                    if user_role not in [role.value for role in allowed_roles]:  # Check if the user's role is allowed
                        response_data = {"message": "Access forbidden: Insufficient permissions"}
                        response_status_code = HTTPStatus.FORBIDDEN
                        
                        return response_data, response_status_code
                    
                    # Attach user information to the request context
                    g.current_user = {"username": user_name, "role": user_role}
                    
                    return func(*args, **kwargs)  # Call the original function
                except Exception as e:
                    response_data = {"message": f"JWT Authentication error: {str(e)}"}
                    print(response_data)
                    response_status_code = HTTPStatus.UNAUTHORIZED
                    
                    return response_data, response_status_code  # Return 401 Unauthorized if the method is not supported
            else:
                response_data = {"message": "Unsupported authentication method"}
                response_status_code = HTTPStatus.UNAUTHORIZED
                     
        return wrapper
    return decorator


# Endpoint for user jwt login
@auth_ns.route('/get_jwt_token')
class JWTLogin(Resource):
    @auth_ns.expect(basic_auth_model, validate=True)
    @auth_ns.response(200, "Login Successful")
    @auth_ns.response(401, "Invalid Credentials")
    def post(self) -> tuple[dict, int]:
        data = api.payload 
        u_username = data["username"]
        u_password = data["password"]

        # Verify user credentials
        user = User.query.filter_by(username=u_username).first() # User(...) or None
        
        if not user or not user.check_password(password=u_password): # If user does not exist or password is incorrect
            response_data = {"message": "Invalid username or password"}
            response_status_code = HTTPStatus.UNAUTHORIZED
            
            return response_data, response_status_code
        
        # Create a JWT token
        user_data = json.dumps({"username": user.username, "role": user.role}) # '{\"username\": user.username, \"role\': user.role}'
        """ 
        user_data = json.dumps({"username": user.username, "role": user.role}) => '{\"username\": user.username, \"role\': user.role}'
        
        jwt_identity_store => is in memory token stor of jwt
        when  create_access_token(identity=user_data)   is executed two thing happen
        1. user_data is encrypted to some token  which can be decrypted to '{\"username\": user.username, \"role\': user.role}' e.g. asfd alsfdj;sdafw24234asdff
        2. the token is stored in jwt_identity_store eg. jwt_identity_store["asfd alsfdj;sdafw24234asdff"]
        
        if some one supplied the token for login
        "asfd alsfdj;sdafw24234asdff" will be decrypted '{\"username\": user.username, \"role\': user.role}'
        """
        expires = timedelta(days=1)

        token  = create_access_token(identity=user_data, expires_delta=expires)   # '{\"username\": user.username, \"role\': user.role}'
        
        response_data = {"access_token": f"Bearer {token}"}
        response_status_code = HTTPStatus.OK
        
        return response_data, response_status_code
        

# Endpoint for user token login
@auth_ns.route('/get_token')
class LoginToken(Resource):
    @auth_ns.expect(basic_auth_model, validate=True)
    @auth_ns.response(200, "Login Successful")
    @auth_ns.response(401, "Invalid Credentials")
    def post(self)-> tuple[dict, int]:
        data = api.payload 
        u_username = data["username"]
        u_password = data["password"]

        # Verify user credentials
        user = User.query.filter_by(username=u_username).first() # User(...) or None
        
        if not user or not user.check_password(password=u_password): # If user does not exist or password is incorrect
            response_data = {"message": "Invalid username or password"}
            response_status_code = HTTPStatus.UNAUTHORIZED
            
            return response_data, response_status_code

    
        # Retrieve token for the user
        token_entry = Token.query.filter_by(user_id=user.id).first()
        
        print("token_entry")
        # Ensure both datetimes are timezone-aware for comparison
        current_time = datetime.now(timezone.utc)
        expires_at = token_entry.expires_at
        
        if expires_at.tzinfo is None:  # If expires_at is naive, assume it is in UTC
            expires_at = expires_at.replace(tzinfo=timezone.utc)
        
        if expires_at < current_time:  # Check if token is expired
            response_data = {"message": "User associated with token not found"}
            response_status_code = HTTPStatus.UNAUTHORIZED
        
            return response_data, response_status_code
            
        response_data = {"token": f"Token {token_entry.token}"}
        response_status_code = HTTPStatus.OK
        
        return response_data, response_status_code
    
# Endpoint for user registration
@auth_ns.route('/register')
class Register(Resource):
    @auth_ns.expect(basic_auth_model, validate=True)
    @auth_ns.response(HTTPStatus.CREATED, 'User Registered Successfully')
    @auth_ns.response(HTTPStatus.CONFLICT, 'Username already exists')
    def post(self)-> tuple[dict, int]:
        # data = request.json  # Get the JSON data from the request
        # data = request.get_json()  # Get the JSON data from the request
        data = api.payload  # Get the JSON data from the request or 
        username = data['username']
        password = data['password']

        # Check if the username already exists
        if User.query.filter_by(username=username).first():
            response_data = {"message": "Username already exists"}
            response_status_code = HTTPStatus.CONFLICT
            
            return response_data, response_status_code

        
        # Create a new user
        user = User(username=username, role=UserRole.USER.value) # User(username=username, role=UserRole.USER.value, password=None) 
        user.set_password(password)  # Set the user's password User(username=username, role=UserRole.USER.value, password='****') 
        db.session.add(user)  # Add the user to the session
        db.session.commit()  # Commit the session
        
        response_data = {"message": "User registered successfully"}
        response_status_code = HTTPStatus.CONFLICT
            
        return response_data, response_status_code


# Endpoint for admin access with Basic Authentication
@auth_ns.route('/admin')
class BasicAdmin(Resource):
    
    @auth_ns.doc(security=['basic', 'apiKey', 'jwt'])
    @auth_ns.response(HTTPStatus.OK, 'Access Granted')
    @auth_ns.response(HTTPStatus.UNAUTHORIZED, 'Unauthorized')
    @auth_ns.response(HTTPStatus.FORBIDDEN, "Forbidden")
    @basic_auth_required([UserRole.ADMIN])
    def get(self)-> tuple[dict, int]:
        response_data =  {"message": f"Welcome, {g.current_user['username']}!"}
        response_status_code = HTTPStatus.OK
        
        return response_data, response_status_code

# Endpoint for user access with Basic Authentication
@auth_ns.route('/user')
class BasicUser(Resource):
    
    @auth_ns.doc(security=['basic', 'apiKey', 'jwt'])
    @auth_ns.response(HTTPStatus.OK, 'Access Granted')
    @auth_ns.response(HTTPStatus.UNAUTHORIZED, 'Unauthorized')
    @auth_ns.response(HTTPStatus.FORBIDDEN, "Forbidden")
    @basic_auth_required([UserRole.ADMIN, UserRole.USER])
    def get(self)-> tuple[dict, int]:
        response_data =  {"message": f"Welcome, {g.current_user['username']}!"}
        response_status_code = HTTPStatus.OK
        
        return response_data, response_status_code
# Endpoint for guest access with Basic Authentication
@auth_ns.route('/guest')
class BasicGuest(Resource):
    
    @auth_ns.doc(security=['basic', 'apiKey', 'jwt'])
    @auth_ns.response(HTTPStatus.OK, 'Access Granted')
    @auth_ns.response(HTTPStatus.UNAUTHORIZED, 'Unauthorized')
    @auth_ns.response(HTTPStatus.FORBIDDEN, "Forbidden")
    @basic_auth_required([UserRole.ADMIN, UserRole.GUEST])
    def get(self)-> tuple[dict, int]:
        response_data =  {"message": f"Welcome, {g.current_user['username']}!"}
        response_status_code = HTTPStatus.OK
        
        return response_data, response_status_code

# Run the Flask application
run_simple("localhost", 5000, app)