REST API for ecommerce built with FastAPI. It provides user registration and JWT-based authentication, full CRUD for products and categories, and role-based access (superadmin, admin, company, user). The API uses PostgreSQL with SQLAlchemy and includes security middleware: input sanitization (XSS protection), rate limiting (100 req/min per IP), request size limits (5MB), and standard security headers. OpenAPI docs are available at /docs and /redoc.
- Users – Registration, login, CRUD, role-based access (superadmin, admin, company, user)
- Products – Full CRUD with categories, slugs, pricing, stock
- Categories – Hierarchical categories with parent/child
- Auth – JWT access tokens, bcrypt password hashing, protected routes
- Security – Input sanitization (XSS), rate limiting, request size limits, security headers
- Docs – OpenAPI/Swagger at /docs, ReDoc at /redoc
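The token flow behind "JWT access tokens" and "role-based access", as an added example that is not the project's code: the real app uses PyJWT and passlib, but the checks a verifier must make (pinned algorithm, constant-time signature comparison, mandatory `exp`) are easier to see written out with the standard library. The role ordering superadmin > admin > company > user and the 15-minute default expiry are assumptions about the project's `UserRole` enum and settings, not facts taken from the page.

```python
"""HS256 access tokens plus a role check, standard library only (added example)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from enum import IntEnum


class UserRole(IntEnum):
    # Assumed hierarchy; the project's constants.py may order roles differently.
    USER = 0
    COMPANY = 1
    ADMIN = 2
    SUPERADMIN = 3


ACCESS_TOKEN_EXPIRE_SECONDS = 15 * 60  # assumed default; the app makes expiry configurable


class TokenError(Exception):
    """Any token that fails a check is treated as absent (HTTP 401)."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def create_access_token(secret: bytes, sub: str, role: UserRole,
                        expires_in: int = ACCESS_TOKEN_EXPIRE_SECONDS, now=None) -> str:
    # RFC 7518 requires an HS256 key of at least 256 bits; shorter keys can be brute-forced offline.
    if len(secret) < 32:
        raise ValueError("SECRET_KEY must be at least 32 bytes for HS256")
    now = int(time.time()) if now is None else int(now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": sub, "role": role.name.lower(), "iat": now, "exp": now + expires_in}
    signing_input = f"{_encode_json(header)}.{_encode_json(claims)}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def decode_access_token(secret: bytes, token: str, now=None) -> dict:
    """Check structure, algorithm, signature and expiry before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h_b64, c_b64, s_b64 = parts
    try:
        header = json.loads(_b64url_decode(h_b64))
        signature = _b64url_decode(s_b64)
    except ValueError:
        raise TokenError("malformed token") from None
    # Pin the algorithm server-side: the token never gets to choose it (blocks alg=none).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected algorithm")
    expected = hmac.new(secret, f"{h_b64}.{c_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise TokenError("bad signature")
    try:
        claims = json.loads(_b64url_decode(c_b64))
    except ValueError:
        raise TokenError("malformed claims") from None
    now = int(time.time()) if now is None else int(now)
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise TokenError("token expired or missing exp")
    return claims


def require_role(claims: dict, minimum: UserRole) -> bool:
    """True when the token's role is at least `minimum` in the assumed hierarchy."""
    try:
        return UserRole[str(claims.get("role", "")).upper()] >= minimum
    except KeyError:
        return False


if __name__ == "__main__":
    secret_key = secrets.token_bytes(32)  # one way to generate a SECRET_KEY of adequate length
    token = create_access_token(secret_key, "42", UserRole.ADMIN)
    claims = decode_access_token(secret_key, token)
    print(claims["sub"], require_role(claims, UserRole.COMPANY), require_role(claims, UserRole.SUPERADMIN))
```

In a FastAPI route the `decode_access_token` and `require_role` calls would live in a `Depends()` dependency; the point here is the order of checks, and that the server, not the token header, decides the algorithm.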
Package-by-feature with layered structure. Each domain (users, products, categories) has:
| Layer | Role | Example |
|---|---|---|
| models | DB tables, ORM | User, Product, Category |
| dto | DTO, validation, serialization | UserCreate, ProductResponse |
| repositories | DB access, queries | UserRepository, ProductRepository |
| services | Business logic | UserService, ProductService |
| routes | HTTP endpoints | auth.py, products.py |
ecommerce/
├── app/
│ ├── app.py # FastAPI app, lifespan, routers
│ ├── config.py # Pydantic settings
│ ├── database.py # SQLAlchemy engine, session, init_db
│ ├── categories/
│ │ ├── models/ # Category, Base
│ │ ├── repositories/
│ │ ├── routes/
│ │ ├── dto/
│ │ └── services/
│ ├── products/
│ │ ├── models/
│ │ ├── repositories/
│ │ ├── routes/
│ │ ├── dto/
│ │ └── services/
│ ├── users/
│ │ ├── models/
│ │ ├── repositories/
│ │ ├── routes/ # auth.py, users.py
│ │ ├── dto/
│ │ └── services/
│ ├── utils/
│ │ ├── auth.py # JWT, bcrypt, get_current_user
│ │ ├── constants.py # UserRole enum
│ │ ├── middleware.py # Security headers, CORS, GZip, TrustedHost
│ │ ├── rate_limit.py # Rate limit, request size limit
│ │ └── sanitize.py # Bleach-based input sanitization
│ └── server.py # Uvicorn entry point
├── tests/
│ ├── conftest.py
│ ├── test_auth.py
│ ├── test_sanitize.py
│ ├── test_users.py
│ ├── test_products.py
│ └── test_categories.py
├── pyproject.toml
└── uv.lock
- Framework: FastAPI
- Database: PostgreSQL, SQLAlchemy 2.0
- Auth: PyJWT, bcrypt (passlib)
- Validation: Pydantic, Pydantic-Settings
- Migrations: Alembic
- Testing: pytest, pytest-asyncio
- Dependency audit: pip-audit
- Package manager: uv
Install dependencies:

```shell
uv sync
```

Create .env:

```
DATABASE_URL=postgresql://user:pass@localhost:5432/fastapi-ecommerce
SECRET_KEY=your-secret-key-at-least-32-chars
PORT=5000
```

SECRET_KEY signs every JWT: use a randomly generated value of at least 32 bytes and keep .env out of version control.

Run the server:

```shell
uv run python app/server.py
```

- Swagger UI: http://localhost:5000/docs
- ReDoc: http://localhost:5000/redoc
```shell
uv run python app/server.py   # Start server
uv run pytest                 # Run tests
uv run pip-audit              # Check dependencies for known vulnerabilities
```

- JWT (HS256) with configurable expiry. HS256 is symmetric, so any service holding the key to verify tokens can also mint them; the key must be at least 32 bytes.
- bcrypt password hashing. bcrypt only hashes the first 72 bytes of the input, so cap password length at validation time rather than silently truncating.
- Input sanitization (Bleach) for JSON body and query params. This is defense in depth, not a substitute for output encoding wherever the data is rendered; note that Bleach's maintainers deprecated the library in 2023.
- Rate limiting: 100 req/min per IP. Per-IP keys are only as reliable as the client address: honour X-Forwarded-For only for requests that arrived via your own reverse proxy.
- Request size limit: 5MB. Content-Length can be absent (chunked bodies) or wrong, so the cap must also apply to the bytes actually read.
- Security headers: X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Permissions-Policy. X-XSS-Protection is a legacy header that current browsers ignore; Content-Security-Policy and Strict-Transport-Security are not in this list.
- Trusted Host validation
- CORS configured
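The rate limit and request size limit above, as an added example that is not the project's rate_limit.py: the real app enforces these as Starlette middleware, while this stand-alone version shows the two decisions that make such limits meaningful, deriving the client address safely from X-Forwarded-For and counting streamed bytes instead of trusting Content-Length. The limits match the README (100 req/min, 5 MB); the trusted proxy range 10.0.0.0/8 and the `admit` function are assumptions made for the demo.

```python
"""Client-IP resolution, per-IP sliding-window rate limit and body size cap (added example)."""
import ipaddress
import time
from collections import defaultdict, deque

RATE_LIMIT = 100                     # requests per window (README value)
WINDOW_SECONDS = 60
MAX_BODY_BYTES = 5 * 1024 * 1024     # README value
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: where our reverse proxies live


def _lower_keys(headers: dict) -> dict:
    return {k.lower(): v for k, v in headers.items()}


def _is_trusted(addr) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip: str, headers: dict) -> str:
    """Key for the limiter. X-Forwarded-For is attacker-controlled unless the TCP peer is one
    of our proxies, and even then only the rightmost non-proxy hop can be believed."""
    headers = _lower_keys(headers)
    peer = ipaddress.ip_address(peer_ip)
    if not _is_trusted(peer):
        return str(peer)  # direct client: ignore whatever it put in the header
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # garbage in the chain: stop trusting it
        if not _is_trusted(addr):
            return str(addr)
    return str(peer)  # no usable client address; fall back to the proxy itself


class SlidingWindowLimiter:
    """In-memory and per-process; with several uvicorn workers a shared store is needed."""

    def __init__(self, limit: int = RATE_LIMIT, window: int = WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)

    def allow(self, key: str, now=None) -> bool:
        now = time.monotonic() if now is None else now
        hits = self._hits[key]
        while hits and hits[0] <= now - self.window:  # forget hits older than the window
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def body_within_limit(headers: dict, body_chunks) -> bool:
    """Reject on Content-Length when present, and on bytes actually received, because
    chunked requests carry no Content-Length and a client can simply lie in it."""
    headers = _lower_keys(headers)
    declared = headers.get("content-length")
    if declared is not None and (not declared.isdigit() or int(declared) > MAX_BODY_BYTES):
        return False
    received = 0
    for chunk in body_chunks:
        received += len(chunk)
        if received > MAX_BODY_BYTES:
            return False  # stop reading here; never buffer the remainder
    return True


def admit(limiter: SlidingWindowLimiter, peer_ip: str, headers: dict, body_chunks, now=None):
    """Return (status, reason) in the order the middleware chain would decide it."""
    if not limiter.allow(client_ip(peer_ip, headers), now):
        return 429, "rate limit exceeded"
    if not body_within_limit(headers, body_chunks):
        return 413, "request body too large"
    return 200, "ok"


if __name__ == "__main__":
    limiter = SlidingWindowLimiter()
    print(admit(limiter, "203.0.113.9", {"X-Forwarded-For": "198.51.100.7"}, [b'{"name": "x"}']))
    print(client_ip("10.0.0.1", {"X-Forwarded-For": "198.51.100.7, 10.0.0.2"}))
```

The limiter keys on `client_ip`, so a direct client cannot dodge its quota by rotating X-Forwarded-For values, and a client behind the trusted proxy cannot spoof someone else's address to exhaust their quota.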