## **Flask-RESTX Authentication**

This lesson provides examples of implementing  
1. **Basic Authentication**
2.  **Token-Based Authentication**
3.  **JWT   Authentication**  


It incorporates  **Role-Based Authorization** to restrict access to endpoints based on user roles. Finally, it demonstrates how to  combine these methods, complete with Swagger documentation for each endpoint.  

---

In [None]:
%pip install flask --break-system-packages
%pip install flask-restx  --break-system-packages
%pip install flask flask-sqlalchemy   --break-system-packages
%pip install  mysql-connector-python --break-system-packages


## **1. Basic Authentication with Role-Based Access**

Basic authentication involves sending the username and password with each request (encoded in Base64). Role-based access control ensures only users with the appropriate role can access specific endpoints.


Basic Authentication is a simple method for enforcing access control. The client sends the username and password in the `Authorization` header of each HTTP request. These credentials are encoded using Base64 but are not encrypted. Therefore, it is recommended to use Basic Authentication only over HTTPS.

**How it works:**
- The client includes an `Authorization` header in the format `Basic <Base64(username:password)>`.
- The server decodes and verifies the credentials.
- If valid, the server processes the request; otherwise, it rejects it with a `401 Unauthorized` status.

- The client includes an `Authorization` header in the format `Basic <Base64(username:password)>`.
- The server decodes and verifies the credentials.
- If valid, the server processes the request; otherwise, it rejects it with a `401 Unauthorized` status.

---
## **Illustration of Request and Response:**
### Request  
    ```http
        GET /basic-user HTTP/1.1
        Host: example.com
        Authorization: Basic dXNlcjpwYXNzd29yZA==
    ```
### Response (Success)    
    ```http
        HTTP/1.1 200 OK
        {
        "message": "Welcome, User!"
        }
    ```

### Response (Unauthorized)  
    ```http
        HTTP/1.1 401 Unauthorized
        {
        "message": "Invalid credentials"
        }
    ```

---

**Advantages:**
- Simple to implement.
- No need for additional infrastructure.

**Disadvantages:**
- Credentials are sent with every request, increasing the risk of exposure.
- Base64 encoding is not secure.
- No support for token revocation.
 

In [None]:

from flask import Flask, request
from flask_sqlalchemy import SQLAlchemy
from flask_restx import Api, Resource, Namespace, fields
from werkzeug.security import generate_password_hash, check_password_hash
from functools import wraps
from enum import Enum
import nest_asyncio
from werkzeug.serving import run_simple

# Apply nest_asyncio for Jupyter Notebook
nest_asyncio.apply()

app = Flask(__name__)
app.config['SQLALCHEMY_DATABASE_URI'] = "mysql+mysqlconnector://root:top!secret@localhost:3307/test_4"
app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
api = Api(
    app,
    title="Basic Auth API",
    version="1.0",
    description="Basic Authentication Example with Role-Based Access",
    authorizations={
        'basic': {
            'type': 'basic',
            'description': "Basic Authentication - Provide `username:password` in Base64."
        }
    },
)
db = SQLAlchemy(app)

# Enum for User Roles
class UserRole(Enum):
    ADMIN = "admin"
    USER = "user"
    GUEST = "guest"

# Database Model
class User(db.Model):
    id = db.Column(db.Integer, primary_key=True)
    username = db.Column(db.String(50), unique=True, nullable=False)
    password_hash = db.Column(db.String(255), nullable=False)
    role = db.Column(db.String(20), default=UserRole.USER.value, nullable=False)

    def set_password(self, password):
        self.password_hash = generate_password_hash(password)

    def check_password(self, password):
        return check_password_hash(self.password_hash, password)

with app.app_context():
    db.create_all()

# Namespace
auth_ns = Namespace('auth', description="Authentication Endpoints")
api.add_namespace(auth_ns)

# Swagger Model
basic_auth_model = auth_ns.model('BasicAuth', {
    'username': fields.String(required=True, description="User's username"),
    'password': fields.String(required=True, description="User's password")
})

def basic_auth_required(allowed_roles):
    def decorator(f):
        @wraps(f)
        def decorated(*args, **kwargs):
            auth = request.authorization
            if not auth:
                return {"message": "Authentication required"}, 401

            user = User.query.filter_by(username=auth.username).first()
            if not user or not user.check_password(auth.password):
                return {"message": "Invalid credentials"}, 401

            if user.role not in allowed_roles:
                return {"message": "Access forbidden: Insufficient permissions"}, 403

            return f(*args, **kwargs)
        return decorated
    return decorator

@auth_ns.route('/register')
class Register(Resource):
    @auth_ns.expect(basic_auth_model, validate=True)
    @auth_ns.response(201, "User Registered Successfully")
    @auth_ns.response(400, "Username Already Exists")
    def post(self):
        data = request.json
        username = data['username']
        password = data['password']

        if User.query.filter_by(username=username).first():
            return {"message": "Username already exists"}, 400

        user = User(username=username, role=UserRole.USER.value)
        user.set_password(password)
        db.session.add(user)
        db.session.commit()

        return {"message": "User registered successfully"}, 201

@auth_ns.route('/basic-admin')
class BasicAdmin(Resource):
    @auth_ns.doc(security='basic')
    @auth_ns.response(200, "Access Granted")
    @auth_ns.response(401, "Unauthorized")
    @auth_ns.response(403, "Forbidden")
    @basic_auth_required([UserRole.ADMIN.value])
    def get(self):
        return {"message": "Welcome, Admin!"}

@auth_ns.route('/basic-user')
class BasicUser(Resource):
    @auth_ns.doc(security='basic')
    @auth_ns.response(200, "Access Granted")
    @auth_ns.response(401, "Unauthorized")
    @auth_ns.response(403, "Forbidden")
    @basic_auth_required([UserRole.USER.value])
    def get(self):
        return {"message": "Welcome, User!"}

@auth_ns.route('/basic-guest')
class BasicGuest(Resource):
    @auth_ns.doc(security='basic')
    @auth_ns.response(200, "Access Granted")
    @auth_ns.response(401, "Unauthorized")
    @auth_ns.response(403, "Forbidden")
    @basic_auth_required([UserRole.GUEST.value])
    def get(self):
        return {"message": "Welcome, Guest!"}

# Run the Application
run_simple("localhost", 5000, app)

 * Running on http://localhost:5000
[33mPress CTRL+C to quit[0m


### **2. Token-Based Authentication**

Token-Based Authentication involves issuing a token to the client upon successful login. The client must include this token in the `Authorization` header of subsequent requests. The token acts as a unique identifier for the client.

**How it works:**
- The client sends login credentials to a dedicated endpoint (e.g., `/login`).
- The server verifies the credentials and generates a token.
- The client includes the token in the `Authorization` header in the format `Token <your_token>` for each request.
- The server verifies the token to authenticate the client.

**Advantages:**
- Tokens are independent of credentials, so passwords are not sent repeatedly.
- Tokens can have a short lifespan, improving security.
- Easy integration with APIs.

**Disadvantages:**
- Tokens must be securely stored on the client side.
- Revoking tokens can be complex without a centralized store.

---
## **Illustration of Request and Response:**

### Login Request
    ```http
        POST /login HTTP/1.1
        Host: example.com
        Content-Type: application/json

        {
        "username": "user",
        "password": "password"
        }
    ```
### Login Response
    ```http
        HTTP/1.1 200 OK
        {
        "access_token": "abc123xyz"
        }
    ```
### Accessing a Protected Route
    ```http
        GET /token-user HTTP/1.1
        Host: example.com
        Authorization: Token abc123xyz
    ```
### Response (Success)
    ```http
        HTTP/1.1 200 OK
        {
        "message": "Welcome, User!"
        }
    ```
### Response (Invalid Token)
    ```http
        HTTP/1.1 401 Unauthorized
        {
        "message": "Invalid or expired token"
        }
    ```

---

In [None]:
from flask import Flask, request
from flask_sqlalchemy import SQLAlchemy
from flask_restx import Api, Resource, Namespace, fields
from werkzeug.security import generate_password_hash, check_password_hash
from datetime import datetime, timedelta
from enum import Enum
import secrets
import nest_asyncio
from werkzeug.serving import run_simple

# Apply nest_asyncio for Jupyter Notebook
nest_asyncio.apply()

app = Flask(__name__)
app.config['SQLALCHEMY_DATABASE_URI'] = "mysql+mysqlconnector://root:top!secret@localhost:3307/test_token_auth"
app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
api = Api(
    app,
    title="Token Auth API",
    version="1.0",
    description="Token-Based Authentication Example with Role-Based Access",
    authorizations={
        'apiKey': {
            'type': 'apiKey',
            'in': 'header',
            'name': 'Authorization',
            'description': "Token Authentication - Provide `Token <your_token>` in the header."
        }
    },
)
db = SQLAlchemy(app)

# Enum for User Roles
class UserRole(Enum):
    ADMIN = "admin"
    USER = "user"
    GUEST = "guest"

# Database Models
class User(db.Model):
    id = db.Column(db.Integer, primary_key=True)
    username = db.Column(db.String(50), unique=True, nullable=False)
    password_hash = db.Column(db.String(255), nullable=False)
    role = db.Column(db.String(20), default=UserRole.USER.value, nullable=False)

    def set_password(self, password):
        self.password_hash = generate_password_hash(password)

    def check_password(self, password):
        return check_password_hash(self.password_hash, password)

class Token(db.Model):
    id = db.Column(db.Integer, primary_key=True)
    token = db.Column(db.String(512), unique=True, nullable=False)
    expires_at = db.Column(db.DateTime, nullable=False)

with app.app_context():
    db.create_all()

# Namespace
auth_ns = Namespace('auth', description="Authentication Endpoints")
api.add_namespace(auth_ns)

# Swagger Model
token_auth_model = auth_ns.model('TokenAuth', {
    'username': fields.String(required=True, description="User's username"),
    'password': fields.String(required=True, description="User's password")
})

def token_auth_required(allowed_roles):
    def decorator(f):
        @wraps(f)
        def decorated(*args, **kwargs):
            token = request.headers.get('Authorization')
            if not token:
                return {"message": "Token is missing"}, 401

            token_entry = Token.query.filter_by(token=token).first()
            if not token_entry or token_entry.expires_at < datetime.utcnow():
                return {"message": "Invalid or expired token"}, 401

            user = User.query.filter_by(id=token_entry.id).first()
            if user.role not in allowed_roles:
                return {"message": "Access forbidden: Insufficient permissions"}, 403

            return f(*args, **kwargs)
        return decorated
    return decorator

@auth_ns.route('/register')
class Register(Resource):
    @auth_ns.expect(token_auth_model, validate=True)
    @auth_ns.response(201, "User Registered Successfully")
    @auth_ns.response(400, "Username Already Exists")
    def post(self):
        data = request.json
        username = data['username']
        password = data['password']

        if User.query.filter_by(username=username).first():
            return {"message": "Username already exists"}, 400

        user = User(username=username, role=UserRole.USER.value)
        user.set_password(password)
        db.session.add(user)
        db.session.commit()

        return {"message": "User registered successfully"}, 201

@auth_ns.route('/token-admin')
class TokenAdmin(Resource):
    @auth_ns.doc(security='apiKey')
    @auth_ns.response(200, "Access Granted")
    @auth_ns.response(401, "Unauthorized")
    @auth_ns.response(403, "Forbidden")
    @token_auth_required([UserRole.ADMIN.value])
    def get(self):
        return {"message": "Welcome, Admin!"}

@auth_ns.route('/token-user')
class TokenUser(Resource):
    @auth_ns.doc(security='apiKey')
    @auth_ns.response(200, "Access Granted")
    @auth_ns.response(401, "Unauthorized")
    @auth_ns.response(403, "Forbidden")
    @token_auth_required([UserRole.USER.value])
    def get(self):
        return {"message": "Welcome, User!"}

@auth_ns.route('/token-guest')
class TokenGuest(Resource):
    @auth_ns.doc(security='apiKey')
    @auth_ns.response(200, "Access Granted")
    @auth_ns.response(401, "Unauthorized")
    @auth_ns.response(403, "Forbidden")
    @token_auth_required([UserRole.GUEST.value])
    def get(self):
        return {"message": "Welcome, Guest!"}

# Run the Application
run_simple("localhost", 5000, app)

### **3. JWT Authentication**

JSON Web Tokens (JWTs) are a compact and self-contained way to securely transmit information between parties. A JWT is a string consisting of three parts: Header, Payload, and Signature. The token is signed using a secret key or a public/private key pair.

**How it works:**
- The client sends login credentials to a `/login` endpoint.
- The server verifies the credentials and generates a JWT, which includes claims (e.g., user identity and roles).
- The client includes the token in the `Authorization` header in the format `Bearer <JWT>` for each request.
- The server verifies the token and extracts the claims to authenticate the client.

**Advantages:**
- Tokens are self-contained, meaning the server does not need to store session information.
- JWTs can include additional metadata (e.g., roles, permissions).
- Works well for distributed systems.

**Disadvantages:**
- Revoking or invalidating JWTs before their expiration is challenging.
- The payload is Base64-encoded and not encrypted, so sensitive information should not be included.

---
## **Illustration of Request and Response:**

### Login Request  
    ```http
        POST /login HTTP/1.1
        Host: example.com
        Content-Type: application/json

        {
        "username": "user",
        "password": "password"
        }

    ```
### Login Response  
    ```http
        HTTP/1.1 200 OK
        {
        "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InVzZXIiLCJyb2xlIjoidXNlciJ9.qwerty123"
        }

    ```
### Accessing a Protected Route  
    ```http
        GET /jwt-user HTTP/1.1
        Host: example.com
        Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InVzZXIiLCJyb2xlIjoidXNlciJ9.qwerty123

    ```
### Response (Success)
    ```http
        HTTP/1.1 200 OK
        {
        "message": "Welcome, User!"
        }
    ```

### Response (Invalid Token)
    ```http
        HTTP/1.1 401 Unauthorized
        {
        "message": "Invalid token"
        }
    ```

---

In [None]:

from flask import Flask, request
from flask_sqlalchemy import SQLAlchemy
from flask_restx import Api, Resource, Namespace, fields
from flask_jwt_extended import JWTManager, create_access_token, jwt_required, get_jwt_identity, verify_jwt_in_request
from werkzeug.security import generate_password_hash, check_password_hash
from datetime import datetime, timedelta
from enum import Enum
import nest_asyncio
from werkzeug.serving import run_simple
import json

# Apply nest_asyncio for Jupyter Notebook
nest_asyncio.apply()

app = Flask(__name__)
app.config['SQLALCHEMY_DATABASE_URI'] = "mysql+mysqlconnector://root:top!secret@localhost:3307/test_jwt_auth"
app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
app.config['JWT_SECRET_KEY'] = 'your_secret_key'
api = Api(
    app,
    title="JWT Auth API",
    version="1.0",
    description="JWT Authentication Example with Role-Based Access",
    authorizations={
        'jwt': {
            'type': 'apiKey',
            'in': 'header',
            'name': 'Authorization',
            'description': "JWT Authentication - Use `Bearer <JWT>` in the header."
        }
    },
)
db = SQLAlchemy(app)
jwt = JWTManager(app)

# Enum for User Roles
class UserRole(Enum):
    ADMIN = "admin"
    USER = "user"
    GUEST = "guest"

# Database Model
class User(db.Model):
    id = db.Column(db.Integer, primary_key=True)
    username = db.Column(db.String(50), unique=True, nullable=False)
    password_hash = db.Column(db.String(255), nullable=False)
    role = db.Column(db.String(20), default=UserRole.USER.value, nullable=False)

    def set_password(self, password):
        self.password_hash = generate_password_hash(password)

    def check_password(self, password):
        return check_password_hash(self.password_hash, password)

with app.app_context():
    db.create_all()

# Namespace
auth_ns = Namespace('auth', description="Authentication Endpoints")
api.add_namespace(auth_ns)

# Swagger Model
jwt_auth_model = auth_ns.model('JWTAuth', {
    'username': fields.String(required=True, description="User's username"),
    'password': fields.String(required=True, description="User's password")
})

def jwt_auth_required(allowed_roles):
    def decorator(f):
        @wraps(f)
        def decorated(*args, **kwargs):
            try:
                verify_jwt_in_request()
                current_user = json.loads(get_jwt_identity())
                username = current_user.get('username')
                role = current_user.get('role')
                if role not in [role.value for role in allowed_roles]:
                    return {"message": "Access forbidden: Insufficient permissions"}, 403
                request.current_user = {"username": username, "role": role}
                return f(*args, **kwargs)
            except Exception as e:
                return {"message": f"JWT Authentication error: {str(e)}"}, 401
        return decorated
    return decorator

@auth_ns.route('/register')
class Register(Resource):
    @auth_ns.expect(jwt_auth_model, validate=True)
    @auth_ns.response(201, "User Registered Successfully")
    @auth_ns.response(400, "Username Already Exists")
    def post(self):
        data = request.json
        username = data['username']
        password = data['password']

        if User.query.filter_by(username=username).first():
            return {"message": "Username already exists"}, 400

        user = User(username=username, role=UserRole.USER.value)
        user.set_password(password)
        db.session.add(user)
        db.session.commit()

        return {"message": "User registered successfully"}, 201

@auth_ns.route('/login')
class Login(Resource):
    @auth_ns.expect(jwt_auth_model, validate=True)
    @auth_ns.response(200, "Login Successful")
    @auth_ns.response(401, "Invalid Credentials")
    def post(self):
        data = request.json
        username = data['username']
        password = data['password']

        user = User.query.filter_by(username=username).first()
        if not user or not user.check_password(password):
            return {"message": "Invalid username or password"}, 401

        token = create_access_token(identity=json.dumps({"username": username, "role": user.role}))
        return {"access_token": token}, 200

@auth_ns.route('/jwt-admin')
class JWTAdmin(Resource):
    @auth_ns.doc(security='jwt')
    @auth_ns.response(200, "Access Granted")
    @auth_ns.response(401, "Unauthorized")
    @auth_ns.response(403, "Forbidden")
    @jwt_auth_required([UserRole.ADMIN])
    def get(self):
        return {"message": f"Welcome Admin, {request.current_user['username']}!"}

@auth_ns.route('/jwt-user')
class JWTUser(Resource):
    @auth_ns.doc(security='jwt')
    @auth_ns.response(200, "Access Granted")
    @auth_ns.response(401, "Unauthorized")
    @auth_ns.response(403, "Forbidden")
    @jwt_auth_required([UserRole.ADMIN, UserRole.USER])
    def get(self):
        return {"message": f"Welcome User, {request.current_user['username']}!"}

@auth_ns.route('/jwt-guest')
class JWTGuest(Resource):
    @auth_ns.doc(security='jwt')
    @auth_ns.response(200, "Access Granted")
    @auth_ns.response(401, "Unauthorized")
    @auth_ns.response(403, "Forbidden")
    @jwt_auth_required([UserRole.ADMIN, UserRole.USER, UserRole.GUEST])
    def get(self):
        return {"message": f"Welcome Guest, {request.current_user['username']}!"}

# Run the Application
run_simple("localhost", 5000, app)

## **4. Combined Basic, Token, and JWT Authentication**

This implementation allows multiple authentication mechanisms: Basic Authentication, Token Authentication, and JWT Authentication. Role-based access ensures only authorized users with appropriate roles can access specific endpoints.

In [None]:

from flask import Flask, request
from flask_sqlalchemy import SQLAlchemy
from flask_restx import Api, Resource, Namespace, fields
from flask_jwt_extended import JWTManager, create_access_token, jwt_required, verify_jwt_in_request, get_jwt_identity
from werkzeug.security import generate_password_hash, check_password_hash
from datetime import datetime, timedelta
from enum import Enum
import secrets
import base64
import nest_asyncio
from werkzeug.serving import run_simple

# Apply nest_asyncio for Jupyter Notebook
nest_asyncio.apply()

app = Flask(__name__)
app.config['SQLALCHEMY_DATABASE_URI'] = "mysql+mysqlconnector://root:top!secret@localhost:3307/test_combined"
app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
app.config['JWT_SECRET_KEY'] = 'your_combined_secret'
api = Api(
    app,
    title="Combined Auth API",
    version="1.0",
    description="Combined Basic, Token, and JWT Authentication with Role-Based Access",
    authorizations={
        'basic': {
            'type': 'basic',
            'description': "Basic Authentication - Provide `username:password` in Base64."
        },
        'apiKey': {
            'type': 'apiKey',
            'in': 'header',
            'name': 'Authorization',
            'description': "Token Authentication - Provide `Token <your_token>` in the header."
        },
        'jwt': {
            'type': 'apiKey',
            'in': 'header',
            'name': 'Authorization',
            'description': "JWT Authentication - Use `Bearer <JWT>` in the header."
        }
    },
)
db = SQLAlchemy(app)
jwt = JWTManager(app)

# Enum for User Roles
class UserRole(Enum):
    ADMIN = "admin"
    USER = "user"
    GUEST = "guest"

# Database Models
class User(db.Model):
    id = db.Column(db.Integer, primary_key=True)
    username = db.Column(db.String(50), unique=True, nullable=False)
    password_hash = db.Column(db.String(255), nullable=False)
    role = db.Column(db.String(20), default=UserRole.USER.value, nullable=False)

    def set_password(self, password):
        self.password_hash = generate_password_hash(password)

    def check_password(self, password):
        return check_password_hash(self.password_hash, password)

class Token(db.Model):
    id = db.Column(db.Integer, primary_key=True)
    token = db.Column(db.String(512), unique=True, nullable=False)
    expires_at = db.Column(db.DateTime, nullable=False)

with app.app_context():
    db.create_all()

# Namespace
auth_ns = Namespace('auth', description="Authentication Endpoints")
api.add_namespace(auth_ns)

# Swagger Model
combined_auth_model = auth_ns.model('CombinedAuth', {
    'username': fields.String(required=True, description="User's username"),
    'password': fields.String(required=True, description="User's password")
})

def combined_auth_required(allowed_roles):
    def decorator(f):
        @wraps(f)
        def decorated(*args, **kwargs):
            auth_header = request.headers.get('Authorization')
            if not auth_header:
                return {"message": "Authorization header is missing"}, 401

            if auth_header.startswith('Basic '):
                try:
                    base64_credentials = auth_header.split(' ')[1]
                    credentials = base64.b64decode(base64_credentials).decode('utf-8')
                    username, password = credentials.split(':')
                    user = User.query.filter_by(username=username).first()
                    if not user or not user.check_password(password):
                        return {"message": "Invalid credentials"}, 401
                    if user.role not in [role.value for role in allowed_roles]:
                        return {"message": "Access forbidden: Insufficient permissions"}, 403
                    request.current_user = {"username": username, "role": user.role}
                    return f(*args, **kwargs)
                except Exception as e:
                    return {"message": f"Basic Authentication error: {str(e)}"}, 401

            elif auth_header.startswith('Token '):
                try:
                    token = auth_header.split(' ')[1]
                    token_entry = Token.query.filter_by(token=token).first()
                    if not token_entry or token_entry.expires_at < datetime.utcnow():
                        return {"message": "Invalid or expired token"}, 401
                    user = User.query.filter_by(id=token_entry.id).first()
                    if user.role not in allowed_roles:
                        return {"message": "Access forbidden: Insufficient permissions"}, 403
                    request.current_user = {"username": user.username, "role": user.role}
                    return f(*args, **kwargs)
                except Exception as e:
                    return {"message": f"Token Authentication error: {str(e)}"}, 401

            elif auth_header.startswith('Bearer '):
                try:
                    verify_jwt_in_request()
                    current_user = json.loads(get_jwt_identity())
                    username = current_user.get('username')
                    role = current_user.get('role')
                    if role not in [role.value for role in allowed_roles]:
                        return {"message": "Access forbidden: Insufficient permissions"}, 403
                    request.current_user = {"username": username, "role": role}
                    return f(*args, **kwargs)
                except Exception as e:
                    return {"message": f"JWT Authentication error: {str(e)}"}, 401

            return {"message": "Unsupported authentication method"}, 401
        return decorated
    return decorator

@auth_ns.route('/register')
class Register(Resource):
    @auth_ns.expect(combined_auth_model, validate=True)
    @auth_ns.response(201, "User Registered Successfully")
    @auth_ns.response(400, "Username Already Exists")
    def post(self):
        data = request.json
        username = data['username']
        password = data['password']

        if User.query.filter_by(username=username).first():
            return {"message": "Username already exists"}, 400

        user = User(username=username, role=UserRole.USER.value)
        user.set_password(password)
        db.session.add(user)
        db.session.commit()

        return {"message": "User registered successfully"}, 201

@auth_ns.route('/combined-admin')
class CombinedAdmin(Resource):
    @auth_ns.doc(security=['basic', 'apiKey', 'jwt'])
    @auth_ns.response(200, "Access Granted")
    @auth_ns.response(401, "Unauthorized")
    @auth_ns.response(403, "Forbidden")
    @combined_auth_required([UserRole.ADMIN])
    def get(self):
        return {"message": f"Welcome Admin, {request.current_user['username']}!"}

@auth_ns.route('/combined-user')
class CombinedUser(Resource):
    @auth_ns.doc(security=['basic', 'apiKey', 'jwt'])
    @auth_ns.response(200, "Access Granted")
    @auth_ns.response(401, "Unauthorized")
    @auth_ns.response(403, "Forbidden")
    @combined_auth_required([UserRole.ADMIN, UserRole.USER])
    def get(self):
        return {"message": f"Welcome User, {request.current_user['username']}!"}

@auth_ns.route('/combined-guest')
class CombinedGuest(Resource):
    @auth_ns.doc(security=['basic', 'apiKey', 'jwt'])
    @auth_ns.response(200, "Access Granted")
    @auth_ns.response(401, "Unauthorized")
    @auth_ns.response(403, "Forbidden")
    @combined_auth_required([UserRole.ADMIN, UserRole.USER, UserRole.GUEST])
    def get(self):
        return {"message": f"Welcome Guest, {request.current_user['username']}!"}

# Run the Application
run_simple("localhost", 5000, app)