## **Flask-RESTX Authentication**

This lesson provides examples of implementing  
1. **Basic Authentication**
2.  **Token-Based Authentication**
3.  **JWT   Authentication**  


It incorporates  **Role-Based Authorization** to restrict access to endpoints based on user roles. Finally, it demonstrates how to  combine these methods, complete with Swagger documentation for each endpoint.  

---

In [None]:
%pip install flask --break-system-packages
%pip install flask-restx  --break-system-packages
%pip install flask flask-sqlalchemy   --break-system-packages
%pip install  mysql-connector-python --break-system-packages


## **1. Basic Authentication with Role-Based Access**

Basic authentication involves sending the username and password with each request (encoded in Base64). Role-based access control ensures only users with the appropriate role can access specific endpoints.


Basic Authentication is a simple method for enforcing access control. The client sends the username and password in the `Authorization` header of each HTTP request. These credentials are encoded using Base64 but are not encrypted. Therefore, it is recommended to use Basic Authentication only over HTTPS.

**How it works:**
- The client includes an `Authorization` header in the format `Basic <Base64(username:password)>`.
- The server decodes and verifies the credentials.
- If valid, the server processes the request; otherwise, it rejects it with a `401 Unauthorized` status.

- The client includes an `Authorization` header in the format `Basic <Base64(username:password)>`.
- The server decodes and verifies the credentials.
- If valid, the server processes the request; otherwise, it rejects it with a `401 Unauthorized` status.

---
## **Illustration of Request and Response:**
### Request  
    ```http
        GET /basic-user HTTP/1.1
        Host: example.com
        Authorization: Basic dXNlcjpwYXNzd29yZA==
    ```
### Response (Success)    
    ```http
        HTTP/1.1 200 OK
        {
        "message": "Welcome, User!"
        }
    ```

### Response (Unauthorized)  
    ```http
        HTTP/1.1 401 Unauthorized
        {
        "message": "Invalid credentials"
        }
    ```

---

**Advantages:**
- Simple to implement.
- No need for additional infrastructure.

**Disadvantages:**
- Credentials are sent with every request, increasing the risk of exposure.
- Base64 encoding is not secure.
- No support for token revocation.
 

In [None]:
from flask import Flask, request, g  # Import Flask, request, and g object
from flask_sqlalchemy import SQLAlchemy  # Import SQLAlchemy for database management
from flask_restx import Api, Resource, Namespace, fields  # Import Flask-RESTx components
from werkzeug.security import generate_password_hash, check_password_hash  # Import password hashing utilities
from datetime import datetime, timedelta, timezone  # Import datetime and timedelta for token expiration
from enum import Enum  # Import Enum for user roles
import secrets  # Import secrets for generating secure tokens
import nest_asyncio  # Import nest_asyncio for Jupyter Notebook compatibility
from werkzeug.serving import run_simple  # Import run_simple to run the Flask app

# Apply nest_asyncio for Jupyter Notebook compatibility
nest_asyncio.apply()

# Initialize Flask application
app = Flask(__name__)
# Configure SQLAlchemy with MySQL database URI
app.config['SQLALCHEMY_DATABASE_URI'] = "mysql+mysqlconnector://root:top!secret@localhost:3307/test_42"
# Disable SQLAlchemy track modifications to save resources
app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
# Initialize Flask-RESTx API with metadata
api = Api(
    app,
    title="Token Auth API",
    version="1.0",
    description="Token-Based Authentication Example with Role-Based Access",
    authorizations={
        'apiKey': {
            'type': 'apiKey',
            'in': 'header',
            'name': 'Authorization',
            'description': "Token Authentication - Provide `Token <your_token>` in the header."
        }
    },
)
# Initialize SQLAlchemy with Flask app
db = SQLAlchemy(app)

# Enum for User Roles
class UserRole(Enum):
    ADMIN = "admin"
    USER = "user"
    GUEST = "guest"

# Database Model for User
class User(db.Model):
    id = db.Column(db.Integer, primary_key=True)  # Primary key
    username = db.Column(db.String(50), unique=True, nullable=False)  # Unique username
    password_hash = db.Column(db.String(255), nullable=False)  # Password hash
    role = db.Column(db.String(20), default=UserRole.USER.value, nullable=False)  # User role

    # Method to set password hash
    def set_password(self, password):
        self.password_hash = generate_password_hash(password)

    # Method to check password
    def check_password(self, password):
        return check_password_hash(self.password_hash, password)

# Database Model for Token
class Token(db.Model):
    id = db.Column(db.Integer, primary_key=True)  # Primary key
    token = db.Column(db.String(512), unique=True, nullable=False)  # Unique token
    expires_at = db.Column(db.DateTime, nullable=False)  # Token expiration time
    user_id = db.Column(db.Integer, db.ForeignKey('user.id'), nullable=False)  # Foreign key to User model
    user = db.relationship('User', backref=db.backref('tokens', lazy=True))  # Relationship to User model

# Create all database tables and add initial users with tokens
with app.app_context():
    db.create_all()

    # Check if users already exist to avoid duplication
    if not User.query.filter_by(username="admin").first():
        admin_user = User(username="admin", role=UserRole.ADMIN.value)
        admin_user.set_password("adminpassword")
        db.session.add(admin_user)
        db.session.commit()
        # Create token for admin user
        admin_token = secrets.token_hex(32)  # Generate a 64-character hexadecimal token
        token_entry = Token(token=admin_token, expires_at=datetime.now(timezone.utc) + timedelta(days=1), user_id=admin_user.id)
        db.session.add(token_entry)
        db.session.commit()
        print(f"Admin Token: {admin_token}")

    if not User.query.filter_by(username="user").first():
        regular_user = User(username="user", role=UserRole.USER.value)
        regular_user.set_password("userpassword")
        db.session.add(regular_user)
        db.session.commit()
        # Create token for regular user
        user_token = secrets.token_hex(32)  # Generate a 64-character hexadecimal token
        token_entry = Token(token=user_token, expires_at=datetime.now(timezone.utc) + timedelta(days=1), user_id=regular_user.id)
        db.session.add(token_entry)
        db.session.commit()
        print(f"User Token: {user_token}")

    if not User.query.filter_by(username="guest").first():
        guest_user = User(username="guest", role=UserRole.GUEST.value)
        guest_user.set_password("guestpassword")
        db.session.add(guest_user)
        db.session.commit()
        # Create token for guest user
        guest_token = secrets.token_hex(32)  # Generate a 64-character hexadecimal token
        token_entry = Token(token=guest_token, expires_at=datetime.now(timezone.utc) + timedelta(days=1), user_id=guest_user.id)
        db.session.add(token_entry)
        db.session.commit()
        print(f"Guest Token: {guest_token}")
 
 
# Decorator for Token Authentication with role-based access
def token_auth_required(allowed_roles):
    def decorator(f):
        @wraps(f)  # Preserve the original function's metadata
        def decorated(*args, **kwargs):
            # Retrieve Authorization header
            auth_header = request.headers.get('Authorization')
            if not auth_header:  # If no authorization header is present
                return {"message": "Authorization header is missing"}, 401  # Return 401 Unauthorized
            
            # Handle Token Authentication
            elif auth_header.startswith('Token '):  # Check if the header starts with 'Token '
                token = auth_header.split(' ')[1]  # Extract the token from the header
                try:
                    # Query the token from the database
                    token_entry = Token.query.filter_by(token=token).first()
                    if not token_entry:
                        return {"message": "Invalid or expired token"}, 401  # Token not found
                    
                    # Ensure both datetimes are timezone-aware for comparison
                    current_time = datetime.now(timezone.utc)
                    expires_at = token_entry.expires_at

                    if expires_at.tzinfo is None:  # If expires_at is naive, assume it is in UTC
                        expires_at = expires_at.replace(tzinfo=timezone.utc)

                    if expires_at < current_time:  # Check if token is expired
                        return {"message": "Invalid or expired token"}, 401

                    # Query the user associated with the token
                    user = User.query.filter_by(id=token_entry.user_id).first()
                    if not user:  # If user does not exist
                        return {"message": "User associated with token not found"}, 404  # Return 404 Not Found

                    # Check if the user's role is allowed
                    if user.role not in [role.value for role in allowed_roles]:  # Compare user.role (string) with allowed_roles (list of strings)
                        return {"message": "Access forbidden: Insufficient permissions"}, 403  # Return 403 Forbidden

                    # Attach user information to the request context
                    g.current_user = {"username": user.username, "role": user.role}
                    return f(*args, **kwargs)  # Call the original function
                except Exception as e:  # Handle any exceptions that occur
                    return {"message": f"Token Authentication error: {str(e)}"}, 401  # Return 401 Unauthorized with error message
            else:
                return {"message": "Unsupported authentication method"}, 401  # Return 401 Unauthorized if the method is not supported
        return decorated  # Return the decorated function
    return decorator  # Return the decorator function

# Namespace for authentication endpoints
auth_ns = Namespace('auth', description="Authentication Endpoints")
# Add namespace to API
api.add_namespace(auth_ns)

# Swagger Model for Token Authentication
token_auth_model = auth_ns.model('TokenAuth', {
    'username': fields.String(required=True, description="User's username"),
    'password': fields.String(required=True, description="User's password")
})

# Endpoint for user login
@auth_ns.route('/get_token')
class LoginToken(Resource):
    @auth_ns.expect(token_auth_model, validate=True)
    @auth_ns.response(200, "Login Successful")
    @auth_ns.response(401, "Invalid Credentials")
    def post(self):
        data = request.json  # Get the JSON data from the request
        username = data['username']
        password = data['password']

        # Verify user credentials
        user = User.query.filter_by(username=username).first()
        if not user or not user.check_password(password):  # If user does not exist or password is incorrect
            return {"message": "Invalid username or password"}, 401  # Return 401 Unauthorized

        # Retrieve token for the user
        token_entry = Token.query.filter_by(user_id=user.id).first()

        # Ensure both datetimes are timezone-aware for comparison
        current_time = datetime.now(timezone.utc)
        expires_at = token_entry.expires_at
        
        if expires_at.tzinfo is None:  # If expires_at is naive, assume it is in UTC
            expires_at = expires_at.replace(tzinfo=timezone.utc)
        if expires_at < current_time:  # Check if token is expired
            return {"message": "Invalid or expired token"}, 401

        return {"token": f"Token {token_entry.token}"}, 200  # Return the token


# Endpoint for user registration
@auth_ns.route('/register')
class Register(Resource):
    @auth_ns.expect(token_auth_model, validate=True)
    @auth_ns.response(201, "User Registered Successfully")
    @auth_ns.response(400, "Username Already Exists")
    def post(self):
        data = request.json  # Get the JSON data from the request
        username = data['username']
        password = data['password']

        # Check if the username already exists
        if User.query.filter_by(username=username).first():
            return {"message": "Username already exists"}, 400  # Return 400 Bad Request

        # Create a new user
        user = User(username=username, role=UserRole.USER.value)
        user.set_password(password)  # Set the user's password
        db.session.add(user)  # Add the user to the session
        db.session.commit()  # Commit the session

        return {"message": "User registered successfully"}, 201  # Return 201 Created

# Endpoint for admin access with Token Authentication
@auth_ns.route('/token-admin')
class TokenAdmin(Resource):
    @auth_ns.doc(security='apiKey')
    @auth_ns.response(200, "Access Granted")
    @auth_ns.response(401, "Unauthorized")
    @auth_ns.response(403, "Forbidden")
    @token_auth_required([UserRole.ADMIN])
    def get(self):
        return {"message": f"Welcome Admin, {g.current_user['username']}!"}

# Endpoint for user access with Token Authentication
@auth_ns.route('/token-user')
class TokenUser(Resource):
    @auth_ns.doc(security='apiKey')
    @auth_ns.response(200, "Access Granted")
    @auth_ns.response(401, "Unauthorized")
    @auth_ns.response(403, "Forbidden")
    @token_auth_required([UserRole.USER])
    def get(self):
        return {"message": f"Welcome User, {g.current_user['username']}!"}

# Endpoint for guest access with Token Authentication
@auth_ns.route('/token-guest')
class TokenGuest(Resource):
    @auth_ns.doc(security='apiKey')
    @auth_ns.response(200, "Access Granted")
    @auth_ns.response(401, "Unauthorized")
    @auth_ns.response(403, "Forbidden")
    @token_auth_required([UserRole.GUEST])
    def get(self):
        return {"message": f"Welcome Guest, {g.current_user['username']}!"}

# Run the Flask application
run_simple("localhost", 5000, app)

### **2. Token-Based Authentication**

Token-Based Authentication involves issuing a token to the client upon successful login. The client must include this token in the `Authorization` header of subsequent requests. The token acts as a unique identifier for the client.

**How it works:**
- The client sends login credentials to a dedicated endpoint (e.g., `/login`).
- The server verifies the credentials and generates a token.
- The client includes the token in the `Authorization` header in the format `Token <your_token>` for each request.
- The server verifies the token to authenticate the client.

**Advantages:**
- Tokens are independent of credentials, so passwords are not sent repeatedly.
- Tokens can have a short lifespan, improving security.
- Easy integration with APIs.

**Disadvantages:**
- Tokens must be securely stored on the client side.
- Revoking tokens can be complex without a centralized store.

---
## **Illustration of Request and Response:**

### Login Request
    ```http
        POST /login HTTP/1.1
        Host: example.com
        Content-Type: application/json

        {
        "username": "user",
        "password": "password"
        }
    ```
### Login Response
    ```http
        HTTP/1.1 200 OK
        {
        "access_token": "abc123xyz"
        }
    ```
### Accessing a Protected Route
    ```http
        GET /token-user HTTP/1.1
        Host: example.com
        Authorization: Token abc123xyz
    ```
### Response (Success)
    ```http
        HTTP/1.1 200 OK
        {
        "message": "Welcome, User!"
        }
    ```
### Response (Invalid Token)
    ```http
        HTTP/1.1 401 Unauthorized
        {
        "message": "Invalid or expired token"
        }
    ```

---

In [None]:
from flask import Flask, request, g  # Import Flask, request, and g object
from flask_sqlalchemy import SQLAlchemy  # Import SQLAlchemy for database management
from flask_restx import Api, Resource, Namespace, fields  # Import Flask-RESTx components
from werkzeug.security import generate_password_hash, check_password_hash  # Import password hashing utilities
from datetime import datetime, timedelta, timezone  # Import datetime and timedelta for token expiration
from enum import Enum  # Import Enum for user roles
import secrets  # Import secrets for generating secure tokens
import nest_asyncio  # Import nest_asyncio for Jupyter Notebook compatibility
from werkzeug.serving import run_simple  # Import run_simple to run the Flask app

# Apply nest_asyncio for Jupyter Notebook compatibility
nest_asyncio.apply()

# Initialize Flask application
app = Flask(__name__)
# Configure SQLAlchemy with MySQL database URI
app.config['SQLALCHEMY_DATABASE_URI'] = "mysql+mysqlconnector://root:top!secret@localhost:3307/test_42"
# Disable SQLAlchemy track modifications to save resources
app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
# Initialize Flask-RESTx API with metadata
api = Api(
    app,
    title="Token Auth API",
    version="1.0",
    description="Token-Based Authentication Example with Role-Based Access",
    authorizations={
        'apiKey': {
            'type': 'apiKey',
            'in': 'header',
            'name': 'Authorization',
            'description': "Token Authentication - Provide `Token <your_token>` in the header."
        }
    },
)
# Initialize SQLAlchemy with Flask app
db = SQLAlchemy(app)

# Enum for User Roles
class UserRole(Enum):
    ADMIN = "admin"
    USER = "user"
    GUEST = "guest"

# Database Model for User
class User(db.Model):
    id = db.Column(db.Integer, primary_key=True)  # Primary key
    username = db.Column(db.String(50), unique=True, nullable=False)  # Unique username
    password_hash = db.Column(db.String(255), nullable=False)  # Password hash
    role = db.Column(db.String(20), default=UserRole.USER.value, nullable=False)  # User role

    # Method to set password hash
    def set_password(self, password):
        self.password_hash = generate_password_hash(password)

    # Method to check password
    def check_password(self, password):
        return check_password_hash(self.password_hash, password)

# Database Model for Token
class Token(db.Model):
    id = db.Column(db.Integer, primary_key=True)  # Primary key
    token = db.Column(db.String(512), unique=True, nullable=False)  # Unique token
    expires_at = db.Column(db.DateTime, nullable=False)  # Token expiration time
    user_id = db.Column(db.Integer, db.ForeignKey('user.id'), nullable=False)  # Foreign key to User model
    user = db.relationship('User', backref=db.backref('tokens', lazy=True))  # Relationship to User model

# Create all database tables and add initial users with tokens
with app.app_context():
    db.create_all()

    # Check if users already exist to avoid duplication
    if not User.query.filter_by(username="admin").first():
        admin_user = User(username="admin", role=UserRole.ADMIN.value)
        admin_user.set_password("adminpassword")
        db.session.add(admin_user)
        db.session.commit()
        # Create token for admin user
        admin_token = secrets.token_hex(32)  # Generate a 64-character hexadecimal token
        token_entry = Token(token=admin_token, expires_at=datetime.now(timezone.utc) + timedelta(days=1), user_id=admin_user.id)
        db.session.add(token_entry)
        db.session.commit()
        print(f"Admin Token: {admin_token}")

    if not User.query.filter_by(username="user").first():
        regular_user = User(username="user", role=UserRole.USER.value)
        regular_user.set_password("userpassword")
        db.session.add(regular_user)
        db.session.commit()
        # Create token for regular user
        user_token = secrets.token_hex(32)  # Generate a 64-character hexadecimal token
        token_entry = Token(token=user_token, expires_at=datetime.now(timezone.utc) + timedelta(days=1), user_id=regular_user.id)
        db.session.add(token_entry)
        db.session.commit()
        print(f"User Token: {user_token}")

    if not User.query.filter_by(username="guest").first():
        guest_user = User(username="guest", role=UserRole.GUEST.value)
        guest_user.set_password("guestpassword")
        db.session.add(guest_user)
        db.session.commit()
        # Create token for guest user
        guest_token = secrets.token_hex(32)  # Generate a 64-character hexadecimal token
        token_entry = Token(token=guest_token, expires_at=datetime.now(timezone.utc) + timedelta(days=1), user_id=guest_user.id)
        db.session.add(token_entry)
        db.session.commit()
        print(f"Guest Token: {guest_token}")
 
 
# Decorator for Token Authentication with role-based access
def token_auth_required(allowed_roles):
    def decorator(f):
        @wraps(f)  # Preserve the original function's metadata
        def decorated(*args, **kwargs):
            # Retrieve Authorization header
            auth_header = request.headers.get('Authorization')
            if not auth_header:  # If no authorization header is present
                return {"message": "Authorization header is missing"}, 401  # Return 401 Unauthorized
            
            # Handle Token Authentication
            elif auth_header.startswith('Token '):  # Check if the header starts with 'Token '
                token = auth_header.split(' ')[1]  # Extract the token from the header
                try:
                    # Query the token from the database
                    token_entry = Token.query.filter_by(token=token).first()
                    if not token_entry:
                        return {"message": "Invalid or expired token"}, 401  # Token not found
                    
                    # Ensure both datetimes are timezone-aware for comparison
                    current_time = datetime.now(timezone.utc)
                    expires_at = token_entry.expires_at

                    if expires_at.tzinfo is None:  # If expires_at is naive, assume it is in UTC
                        expires_at = expires_at.replace(tzinfo=timezone.utc)

                    if expires_at < current_time:  # Check if token is expired
                        return {"message": "Invalid or expired token"}, 401

                    # Query the user associated with the token
                    user = User.query.filter_by(id=token_entry.user_id).first()
                    if not user:  # If user does not exist
                        return {"message": "User associated with token not found"}, 404  # Return 404 Not Found

                    # Check if the user's role is allowed
                    if user.role not in [role.value for role in allowed_roles]:  # Compare user.role (string) with allowed_roles (list of strings)
                        return {"message": "Access forbidden: Insufficient permissions"}, 403  # Return 403 Forbidden

                    # Attach user information to the request context
                    g.current_user = {"username": user.username, "role": user.role}
                    return f(*args, **kwargs)  # Call the original function
                except Exception as e:  # Handle any exceptions that occur
                    return {"message": f"Token Authentication error: {str(e)}"}, 401  # Return 401 Unauthorized with error message
            else:
                return {"message": "Unsupported authentication method"}, 401  # Return 401 Unauthorized if the method is not supported
        return decorated  # Return the decorated function
    return decorator  # Return the decorator function

# Namespace for authentication endpoints
auth_ns = Namespace('auth', description="Authentication Endpoints")
# Add namespace to API
api.add_namespace(auth_ns)

# Swagger Model for Token Authentication
token_auth_model = auth_ns.model('TokenAuth', {
    'username': fields.String(required=True, description="User's username"),
    'password': fields.String(required=True, description="User's password")
})

# Endpoint for user login
@auth_ns.route('/get_token')
class LoginToken(Resource):
    @auth_ns.expect(token_auth_model, validate=True)
    @auth_ns.response(200, "Login Successful")
    @auth_ns.response(401, "Invalid Credentials")
    def post(self):
        data = request.json  # Get the JSON data from the request
        username = data['username']
        password = data['password']

        # Verify user credentials
        user = User.query.filter_by(username=username).first()
        if not user or not user.check_password(password):  # If user does not exist or password is incorrect
            return {"message": "Invalid username or password"}, 401  # Return 401 Unauthorized

        # Retrieve token for the user
        token_entry = Token.query.filter_by(user_id=user.id).first()

        # Ensure both datetimes are timezone-aware for comparison
        current_time = datetime.now(timezone.utc)
        expires_at = token_entry.expires_at
        
        if expires_at.tzinfo is None:  # If expires_at is naive, assume it is in UTC
            expires_at = expires_at.replace(tzinfo=timezone.utc)
        if expires_at < current_time:  # Check if token is expired
            return {"message": "Invalid or expired token"}, 401

        return {"token": f"Token {token_entry.token}"}, 200  # Return the token


# Endpoint for user registration
@auth_ns.route('/register')
class Register(Resource):
    @auth_ns.expect(token_auth_model, validate=True)
    @auth_ns.response(201, "User Registered Successfully")
    @auth_ns.response(400, "Username Already Exists")
    def post(self):
        data = request.json  # Get the JSON data from the request
        username = data['username']
        password = data['password']

        # Check if the username already exists
        if User.query.filter_by(username=username).first():
            return {"message": "Username already exists"}, 400  # Return 400 Bad Request

        # Create a new user
        user = User(username=username, role=UserRole.USER.value)
        user.set_password(password)  # Set the user's password
        db.session.add(user)  # Add the user to the session
        db.session.commit()  # Commit the session

        return {"message": "User registered successfully"}, 201  # Return 201 Created

# Endpoint for admin access with Token Authentication
@auth_ns.route('/token-admin')
class TokenAdmin(Resource):
    @auth_ns.doc(security='apiKey')
    @auth_ns.response(200, "Access Granted")
    @auth_ns.response(401, "Unauthorized")
    @auth_ns.response(403, "Forbidden")
    @token_auth_required([UserRole.ADMIN])
    def get(self):
        return {"message": f"Welcome Admin, {g.current_user['username']}!"}

# Endpoint for user access with Token Authentication
@auth_ns.route('/token-user')
class TokenUser(Resource):
    @auth_ns.doc(security='apiKey')
    @auth_ns.response(200, "Access Granted")
    @auth_ns.response(401, "Unauthorized")
    @auth_ns.response(403, "Forbidden")
    @token_auth_required([UserRole.USER])
    def get(self):
        return {"message": f"Welcome User, {g.current_user['username']}!"}

# Endpoint for guest access with Token Authentication
@auth_ns.route('/token-guest')
class TokenGuest(Resource):
    @auth_ns.doc(security='apiKey')
    @auth_ns.response(200, "Access Granted")
    @auth_ns.response(401, "Unauthorized")
    @auth_ns.response(403, "Forbidden")
    @token_auth_required([UserRole.GUEST])
    def get(self):
        return {"message": f"Welcome Guest, {g.current_user['username']}!"}

# Run the Flask application
run_simple("localhost", 5000, app)

### **3. JWT Authentication**

JSON Web Tokens (JWTs) are a compact and self-contained way to securely transmit information between parties. A JWT is a string consisting of three parts: Header, Payload, and Signature. The token is signed using a secret key or a public/private key pair.

**How it works:**
- The client sends login credentials to a `/login` endpoint.
- The server verifies the credentials and generates a JWT, which includes claims (e.g., user identity and roles).
- The client includes the token in the `Authorization` header in the format `Bearer <JWT>` for each request.
- The server verifies the token and extracts the claims to authenticate the client.

**Advantages:**
- Tokens are self-contained, meaning the server does not need to store session information.
- JWTs can include additional metadata (e.g., roles, permissions).
- Works well for distributed systems.

**Disadvantages:**
- Revoking or invalidating JWTs before their expiration is challenging.
- The payload is Base64-encoded and not encrypted, so sensitive information should not be included.

---
## **Illustration of Request and Response:**

### Login Request  
    ```http
        POST /login HTTP/1.1
        Host: example.com
        Content-Type: application/json

        {
        "username": "user",
        "password": "password"
        }

    ```
### Login Response  
    ```http
        HTTP/1.1 200 OK
        {
        "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InVzZXIiLCJyb2xlIjoidXNlciJ9.qwerty123"
        }

    ```
### Accessing a Protected Route  
    ```http
        GET /jwt-user HTTP/1.1
        Host: example.com
        Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InVzZXIiLCJyb2xlIjoidXNlciJ9.qwerty123

    ```
### Response (Success)
    ```http
        HTTP/1.1 200 OK
        {
        "message": "Welcome, User!"
        }
    ```

### Response (Invalid Token)
    ```http
        HTTP/1.1 401 Unauthorized
        {
        "message": "Invalid token"
        }
    ```

---

In [None]:
from flask import Flask, request  # Import Flask and request object
from flask_jwt_extended import create_access_token  # Import create_access_token to generate JWT tokens
import json  # Import json to handle JSON data for encoding user information in the token
from flask_sqlalchemy import SQLAlchemy  # Import SQLAlchemy for database management
from flask_restx import Api, Resource, Namespace, fields  # Import Flask-RESTx components
from flask_jwt_extended import JWTManager, create_access_token, jwt_required, get_jwt_identity, verify_jwt_in_request  # Import JWT utilities
from werkzeug.security import generate_password_hash, check_password_hash  # Import password hashing utilities
from datetime import datetime, timedelta  # Import datetime and timedelta for token expiration
from enum import Enum  # Import Enum for user roles
import nest_asyncio  # Import nest_asyncio for Jupyter Notebook compatibility
from werkzeug.serving import run_simple  # Import run_simple to run the Flask app
import json  # Import json for handling JSON data

# Apply nest_asyncio for Jupyter Notebook compatibility
nest_asyncio.apply()

# Initialize Flask application
app = Flask(__name__)
# Configure SQLAlchemy with MySQL database URI
app.config['SQLALCHEMY_DATABASE_URI'] = "mysql+mysqlconnector://root:top!secret@localhost:3307/test_43"
# Disable SQLAlchemy track modifications to save resources
app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
# Set the secret key for JWT
app.config['JWT_SECRET_KEY'] = 'your_secret_key'
# Initialize Flask-RESTx API with metadata
api = Api(
    app,
    title="JWT Auth API",
    version="1.0",
    description="JWT Authentication Example with Role-Based Access",
    authorizations={
        'jwt': {
            'type': 'apiKey',
            'in': 'header',
            'name': 'Authorization',
            'description': "JWT Authentication - Use `Bearer <JWT>` in the header."
        }
    },
)
# Initialize SQLAlchemy with Flask app
db = SQLAlchemy(app)
# Initialize JWTManager with Flask app
jwt = JWTManager(app)

# Enum for User Roles
class UserRole(Enum):
    ADMIN = "admin"
    USER = "user"
    GUEST = "guest"

# Database Model for User
class User(db.Model):
    id = db.Column(db.Integer, primary_key=True)  # Primary key
    username = db.Column(db.String(50), unique=True, nullable=False)  # Unique username
    password_hash = db.Column(db.String(255), nullable=False)  # Password hash
    role = db.Column(db.String(20), default=UserRole.USER.value, nullable=False)  # User role

    # Method to set password hash
    def set_password(self, password):
        self.password_hash = generate_password_hash(password)

    # Method to check password
    def check_password(self, password):
        return check_password_hash(self.password_hash, password)

# Create all database tables
# Create all database tables
with app.app_context():
    db.create_all()

    # Create all database tables and add initial users
    with app.app_context():
        db.create_all()

    # Check if users already exist to avoid duplication
        if not User.query.filter_by(username="admin").first():
            admin_user = User(username="admin", role=UserRole.ADMIN.value)
            admin_user.set_password("adminpassword")
            db.session.add(admin_user)
            db.session.commit() 

        if not User.query.filter_by(username="user").first():
            regular_user = User(username="user", role=UserRole.USER.value)
            regular_user.set_password("userpassword")
            db.session.add(regular_user)
            db.session.commit() 

        if not User.query.filter_by(username="guest").first():
            guest_user = User(username="guest", role=UserRole.GUEST.value)
            guest_user.set_password("guestpassword")
            db.session.add(guest_user)
            db.session.commit() 
            
# Namespace for authentication endpoints
auth_ns = Namespace('auth', description="Authentication Endpoints")
# Add namespace to API
api.add_namespace(auth_ns)

# Swagger Model for JWT Authentication
jwt_auth_model = auth_ns.model('JWTAuth', {
    'username': fields.String(required=True, description="User's username"),
    'password': fields.String(required=True, description="User's password")
})

# Decorator for JWT Authentication with role-based access
# Decorator for JWT Authentication with role-based access
def jwt_auth_required(allowed_roles):
    def decorator(f):
        @wraps(f)  # Preserve the original function's metadata
        def decorated(*args, **kwargs):
            # Retrieve Authorization header
            auth_header = request.headers.get('Authorization')
            if not auth_header:  # If no authorization header is present
                return {"message": "Authorization header is missing"}, 401  # Return 401 Unauthorized

            # Handle JWT/Bearer Token Authentication
            elif auth_header.startswith('Bearer '):  # Check if the header starts with 'Bearer '
                token = auth_header.split(' ')[1]  # Extract the token from the header
                if len(token.split('.')) != 3:  # Check if the token has the correct format
                    return {"message": "JWT Authentication error: Not enough segments"}, 401  # Return 401 Unauthorized

                try:
                    verify_jwt_in_request()  # Verify the JWT in the request
                    user = json.loads(get_jwt_identity())  # Parse JSON string user_identity: {'username': 'admin', 'role': 'admin'}
                    user_name = user.get("username")  # Extract the username from the token
                    user_role = user.get("role")  # Extract the role from the token
                    
                    if user_role not in [role.value for role in allowed_roles]:  # Check if the user's role is allowed
                        return {"message": "Access forbidden: Insufficient permissions"}, 403  # Return 403 Forbidden

                    # Attach user information to the request context
                    request.current_user = {"username": user_name, "role": user_role}
                    return f(*args, **kwargs)  # Call the original function
                except Exception as e:  # Handle any exceptions that occur
                    return {"message": f"JWT Authentication error: {str(e)}"}, 401  # Return 401 Unauthorized with error message
            else:
                return {"message": "Unsupported authentication method"}, 401  # Return 401 Unauthorized if the method is not supported
        return decorated  # Return the decorated function
    return decorator  # Return the decorator function

# Endpoint for user registration
@auth_ns.route('/register')
class Register(Resource):
    @auth_ns.expect(jwt_auth_model, validate=True)
    @auth_ns.response(201, "User Registered Successfully")
    @auth_ns.response(400, "Username Already Exists")
    def post(self):
        data = request.json  # Get the JSON data from the request
        username = data['username']
        password = data['password']

        # Check if the username already exists
        if User.query.filter_by(username=username).first():
            return {"message": "Username already exists"}, 400  # Return 400 Bad Request

        # Create a new user
        user = User(username=username, role=UserRole.USER.value)
        user.set_password(password)  # Set the user's password
        db.session.add(user)  # Add the user to the session
        db.session.commit()  # Commit the session

        return {"message": "User registered successfully"}, 201  # Return 201 Created

# Endpoint for user login
@auth_ns.route('/get_jwt_token')
class Login(Resource):
    @auth_ns.expect(jwt_auth_model, validate=True)
    @auth_ns.response(200, "Login Successful")
    @auth_ns.response(401, "Invalid Credentials")
    def post(self):
        data = request.json  # Get the JSON data from the request
        username = data['username']
        password = data['password']

        # Verify user in the database
        user = User.query.filter_by(username=username).first()
        if not user or not user.check_password(password):  # If user does not exist or password is incorrect
            return {"message": "Invalid username or password"}, 401  # Return 401 Unauthorized

        # Create a JWT token
        token = create_access_token(identity=json.dumps({"username": username, "role": user.role}))
        return {"access_token": f"Bearer {token}"}, 200  # Return the token

# Endpoint for admin access with JWT Authentication
@auth_ns.route('/jwt-admin')
class JWTAdmin(Resource):
    @auth_ns.doc(security='jwt')
    @auth_ns.response(200, "Access Granted")
    @auth_ns.response(401, "Unauthorized")
    @auth_ns.response(403, "Forbidden")
    @jwt_auth_required([UserRole.ADMIN])
    def get(self):
        return {"message": f"Welcome Admin, {request.current_user['username']}!"}

# Endpoint for user access with JWT Authentication
@auth_ns.route('/jwt-user')
class JWTUser(Resource):
    @auth_ns.doc(security='jwt')
    @auth_ns.response(200, "Access Granted")
    @auth_ns.response(401, "Unauthorized")
    @auth_ns.response(403, "Forbidden")
    @jwt_auth_required([UserRole.ADMIN, UserRole.USER])
    def get(self):
        return {"message": f"Welcome User, {request.current_user['username']}!"}

# Endpoint for guest access with JWT Authentication
@auth_ns.route('/jwt-guest')
class JWTGuest(Resource):
    @auth_ns.doc(security='jwt')
    @auth_ns.response(200, "Access Granted")
    @auth_ns.response(401, "Unauthorized")
    @auth_ns.response(403, "Forbidden")
    @jwt_auth_required([UserRole.ADMIN, UserRole.USER, UserRole.GUEST])
    def get(self):
        return {"message": f"Welcome Guest, {request.current_user['username']}!"}

# Run the Flask application
run_simple("localhost", 5000, app)

## **4. Combined Basic, Token, and JWT Authentication**

This implementation allows multiple authentication mechanisms: Basic Authentication, Token Authentication, and JWT Authentication. Role-based access ensures only authorized users with appropriate roles can access specific endpoints.

In [None]:
from flask import Flask, request, g  # Import Flask, request, and g object
from flask_sqlalchemy import SQLAlchemy  # Import SQLAlchemy for database management
from flask_restx import Api, Resource, Namespace, fields  # Import Flask-RESTx components
from flask_jwt_extended import JWTManager, create_access_token, jwt_required, verify_jwt_in_request, get_jwt_identity  # Import JWT utilities
from werkzeug.security import generate_password_hash, check_password_hash  # Import password hashing utilities
from datetime import datetime, timedelta, timezone  # Import datetime and timedelta for token expiration
from functools import wraps  # Import wraps for decorators
from enum import Enum  # Import Enum for user roles
import secrets  # Import secrets for generating secure tokens
import base64  # Import base64 for encoding and decoding credentials
import nest_asyncio  # Import nest_asyncio for Jupyter Notebook compatibility
from werkzeug.serving import run_simple  # Import run_simple to run the Flask app

# Apply nest_asyncio for Jupyter Notebook compatibility
nest_asyncio.apply()

# Initialize Flask application
app = Flask(__name__)
# Configure SQLAlchemy with MySQL database URI
app.config['SQLALCHEMY_DATABASE_URI'] = "mysql+mysqlconnector://root:top!secret@localhost:3307/test_44"
# Disable SQLAlchemy track modifications to save resources
app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
# Set the secret key for JWT
app.config['JWT_SECRET_KEY'] = 'your_combined_secret'

# Initialize Flask-RESTx API with metadata
api = Api(
    app,
    title="Combined Auth API",
    version="1.0",
    description="Combined Basic, Token, and JWT Authentication with Role-Based Access",
    authorizations={
        'basic': {
            'type': 'basic',
            'description': "Basic Authentication - Provide `username:password` in Base64."
        },
        'apiKey': {
            'type': 'apiKey',
            'in': 'header',
            'name': 'Authorization',
            'description': "Token Authentication - Provide `Token <your_token>` in the header."
        },
        'jwt': {
            'type': 'apiKey',
            'in': 'header',
            'name': 'Authorization',
            'description': "JWT Authentication - Use `Bearer <JWT>` in the header."
        }
    },
)
# Initialize SQLAlchemy with Flask app
db = SQLAlchemy(app)
# Initialize JWTManager with Flask app
jwt = JWTManager(app)

# Enum for User Roles
class UserRole(Enum):
    ADMIN = "admin"
    USER = "user"
    GUEST = "guest"

# Database Model for User
class User(db.Model):
    id = db.Column(db.Integer, primary_key=True)  # Primary key
    username = db.Column(db.String(50), unique=True, nullable=False)  # Unique username
    password_hash = db.Column(db.String(255), nullable=False)  # Password hash
    role = db.Column(db.String(20), default=UserRole.USER.value, nullable=False)  # User role

    # Method to set password hash
    def set_password(self, password):
        self.password_hash = generate_password_hash(password)

    # Method to check password
    def check_password(self, password):
        return check_password_hash(self.password_hash, password)

# Database Model for Token
class Token(db.Model):
    id = db.Column(db.Integer, primary_key=True)  # Primary key
    token = db.Column(db.String(512), unique=True, nullable=False)  # Unique token
    expires_at = db.Column(db.DateTime, nullable=False)  # Token expiration time
    user_id = db.Column(db.Integer, db.ForeignKey('user.id'), nullable=False)  # Foreign key to User model
    user = db.relationship('User', backref=db.backref('tokens', lazy=True))  # Relationship to User model

# Create all database tables and add initial users with tokens
with app.app_context():
    db.create_all()
    # Check if users already exist to avoid duplication
    if not User.query.filter_by(username="admin").first():
        admin_user = User(username="admin", role=UserRole.ADMIN.value)
        admin_user.set_password("adminpassword")
        db.session.add(admin_user)
        db.session.commit()
        # Create token for admin user
        admin_token = secrets.token_hex(32)  # Generate a 64-character hexadecimal token
        token_entry = Token(token=admin_token, expires_at=datetime.now(timezone.utc) + timedelta(days=1), user_id=admin_user.id)
        db.session.add(token_entry)
        db.session.commit()
        print(f"Admin Token: {admin_token}")

    if not User.query.filter_by(username="user").first():
        regular_user = User(username="user", role=UserRole.USER.value)
        regular_user.set_password("userpassword")
        db.session.add(regular_user)
        db.session.commit()
        # Create token for regular user
        user_token = secrets.token_hex(32)  # Generate a 64-character hexadecimal token
        token_entry = Token(token=user_token, expires_at=datetime.now(timezone.utc) + timedelta(days=1), user_id=regular_user.id)
        db.session.add(token_entry)
        db.session.commit()
        print(f"User Token: {user_token}")

    if not User.query.filter_by(username="guest").first():
        guest_user = User(username="guest", role=UserRole.GUEST.value)
        guest_user.set_password("guestpassword")
        db.session.add(guest_user)
        db.session.commit()
        # Create token for guest user
        guest_token = secrets.token_hex(32)  # Generate a 64-character hexadecimal token
        token_entry = Token(token=guest_token, expires_at=datetime.now(timezone.utc) + timedelta(days=1), user_id=guest_user.id)
        db.session.add(token_entry)
        db.session.commit()
        print(f"Guest Token: {guest_token}")

# Namespace for authentication endpoints
auth_ns = Namespace('auth', description="Authentication Endpoints")
# Add namespace to API
api.add_namespace(auth_ns)

# Swagger Model for Combined Authentication
combined_auth_model = auth_ns.model('CombinedAuth', {
    'username': fields.String(required=True, description="User's username"),
    'password': fields.String(required=True, description="User's password")
})



# Decorator for Combined Authentication with role-based access
def combined_auth_required(allowed_roles):
    def decorator(f):
        @wraps(f)  # Preserve the original function's metadata
        def decorated(*args, **kwargs):
            auth_header = request.headers.get('Authorization')
            if not auth_header:  # If no authorization header is present
                return {"message": "Authorization header is missing"}, 401  # Return 401 Unauthorized

            # Handle Basic Authentication
            if auth_header.startswith('Basic '):  # Check if the header starts with 'Basic '
                try:
                    base64_credentials = auth_header.split(' ')[1]
                    credentials = base64.b64decode(base64_credentials).decode('utf-8')
                    username, password = credentials.split(':')
                    user = User.query.filter_by(username=username).first()
                    if not user or not user.check_password(password):  # If user does not exist or password is incorrect
                        return {"message": "Invalid credentials"}, 401  # Return 401 Unauthorized
                    if user.role not in [role.value for role in allowed_roles]:  # If user's role is not in the allowed roles
                        return {"message": "Access forbidden: Insufficient permissions"}, 403  # Return 403 Forbidden
                    g.current_user = {"username": user.username, "role": user.role}  # Attach user to the request context
                    return f(*args, **kwargs)  # Call the original function
                except Exception as e:  # Handle any exceptions that occur
                    return {"message": f"Basic Authentication error: {str(e)}"}, 401  # Return 401 Unauthorized with error message

            # Handle Token Authentication
            elif auth_header.startswith('Token '):  # Check if the header starts with 'Token '
                try:
                    token = auth_header.split(' ')[1]  # Extract the token
                    token_entry = Token.query.filter_by(token=token).first()  # Fetch token entry from the database
                    # Ensure both datetimes are timezone-aware for comparison
                    current_time = datetime.now(timezone.utc)
                    expires_at = token_entry.expires_at
                    if expires_at.tzinfo is None:  # If expires_at is naive, assume it is in UTC
                        expires_at = expires_at.replace(tzinfo=timezone.utc)
                    if expires_at < current_time:  # Check if token is expired
                        return {"message": "Invalid or expired token"}, 401
                    user = User.query.get(token_entry.user_id)
                    if not user or user.role not in [role.value for role in allowed_roles]:  # Check if user's role is allowed
                        return {"message": "Access forbidden: Insufficient permissions"}, 403  # Return 403 Forbidden
                    g.current_user = {"username": user.username, "role": user.role}  # Attach user to the request context
                    return f(*args, **kwargs)  # Call the original function
                except Exception as e:  # Handle any exceptions that occur
                    return {"message": f"Token Authentication error: {str(e)}"}, 401  # Return 401 Unauthorized with error message

            # Handle JWT/Bearer Token Authentication
            elif auth_header.startswith('Bearer '):  # Check if the header starts with 'Bearer '
                try:
                    verify_jwt_in_request()  # Verify the JWT in the request
                    user = json.loads(get_jwt_identity())  # Parse JSON string user_identity: {'username': 'admin', 'role': 'admin'}
                    user_name = user.get("username")  # Extract the username from the token
                    user_role = user.get("role")  # Extract the role from the token
                    
                    if user_role not in [role.value for role in allowed_roles]:  # Check if the user's role is allowed
                        return {"message": "Access forbidden: Insufficient permissions"}, 403  # Return 403 Forbidden

                    # Attach user information to the request context 
                    g.current_user = {"username": user_name, "role": user_role}  # Attach user to the request context
                    return f(*args, **kwargs)  # Call the original function
                except Exception as e:  # Handle any exceptions that occur
                    return {"message": f"JWT Authentication error: {str(e)}"}, 401  # Return 401 Unauthorized with error message
                    
            return {"message": "Unsupported authentication method"}, 401  # Return 401 Unauthorized if the method is not supported
        return decorated  # Return the decorated function
    return decorator  # Return the decorator function



# Endpoint for user login
@auth_ns.route('/get_token')
class LoginToken(Resource):
    @auth_ns.expect(combined_auth_model, validate=True)
    @auth_ns.response(200, "Login Successful")
    @auth_ns.response(401, "Invalid Credentials")
    def post(self):
        data = request.json  # Get the JSON data from the request
        username = data['username']
        password = data['password']

        # Verify user credentials
        user = User.query.filter_by(username=username).first()
        if not user or not user.check_password(password):  # If user does not exist or password is incorrect
            return {"message": "Invalid username or password"}, 401  # Return 401 Unauthorized

        # Retrieve token for the user
        token_entry = Token.query.filter_by(user_id=user.id).first()

        # Ensure both datetimes are timezone-aware for comparison
        current_time = datetime.now(timezone.utc)
        expires_at = token_entry.expires_at
        
        if expires_at.tzinfo is None:  # If expires_at is naive, assume it is in UTC
            expires_at = expires_at.replace(tzinfo=timezone.utc)
        if expires_at < current_time:  # Check if token is expired
            return {"message": "Invalid or expired token"}, 401

        return {"token": f"Token {token_entry.token}"}, 200  # Return the token

        
    
# Endpoint for user login
@auth_ns.route('/get_jwt_token')
class LoginJWT(Resource):
    @auth_ns.expect(combined_auth_model, validate=True)
    @auth_ns.response(200, "Login Successful")
    @auth_ns.response(401, "Invalid Credentials")
    def post(self):
        data = request.json  # Get the JSON data from the request
        username = data['username']
        password = data['password']

        # Verify user in the database
        user = User.query.filter_by(username=username).first()
        if not user or not user.check_password(password):  # If user does not exist or password is incorrect
            return {"message": "Invalid username or password"}, 401  # Return 401 Unauthorized

        # Create a JWT token
        token = create_access_token(identity=json.dumps({"username": username, "role": user.role}))
        return {"access_token": f"Bearer  {token}"}, 200  # Return the token
    
# Endpoint for user registration
@auth_ns.route('/register')
class Register(Resource):
    @auth_ns.expect(combined_auth_model, validate=True)
    @auth_ns.response(201, "User Registered Successfully")
    @auth_ns.response(400, "Username Already Exists")
    def post(self):
        data = request.json  # Get the JSON data from the request
        username = data['username']
        password = data['password']

        # Check if the username already exists
        if User.query.filter_by(username=username).first():
            return {"message": "Username already exists"}, 400  # Return 400 Bad Request

        # Create a new user
        user = User(username=username, role=UserRole.USER.value)
        user.set_password(password)  # Set the user's password
        db.session.add(user)  # Add the user to the session
        db.session.commit()  # Commit the session

        return {"message": "User registered successfully"}, 201  # Return 201 Created

# Endpoint for admin access with Combined Authentication
@auth_ns.route('/combined-admin')
class CombinedAdmin(Resource):
    @auth_ns.doc(security=['basic', 'apiKey', 'jwt'])
    @combined_auth_required([UserRole.ADMIN])
    def get(self):
        return {"message": f"Welcome Admin, {g.current_user['username']}!"}

# Endpoint for user access with Combined Authentication
@auth_ns.route('/combined-user')
class CombinedUser(Resource):
    @auth_ns.doc(security=['basic', 'apiKey', 'jwt'])
    @combined_auth_required([UserRole.ADMIN, UserRole.USER])
    def get(self):
        return {"message": f"Welcome User, {g.current_user['username']}!"}

# Endpoint for guest access with Combined Authentication
@auth_ns.route('/combined-guest')
class CombinedGuest(Resource):
    @auth_ns.doc(security=['basic', 'apiKey', 'jwt'])
    @combined_auth_required([UserRole.ADMIN, UserRole.USER, UserRole.GUEST])
    def get(self):
        return {"message": f"Welcome Guest, {g.current_user['username']}!"}

# Run the Flask application
run_simple("localhost", 5000, app)