# Authentication and Authorization - Theory Notes

Authentication and authorization are critical aspects of modern web applications to ensure secure and controlled access to resources.

---

## 1. Authentication Basics
Authentication is the process of verifying the identity of a user or system. It ensures that only legitimate users can access the application.

### Key Concepts:
- **Credentials**: Information provided by the user, like username and password, to prove identity.
- **Authentication Flow**: The steps taken to verify a user's credentials.
- **Token**: A piece of data issued after successful authentication, used for subsequent requests.

### Example:
1. User sends a login request with username and password.
2. The system verifies the credentials against the database.
3. If valid, the system generates a token (e.g., JWT) and sends it to the user.
4. The user includes this token in future requests to access protected resources.

---

## 2. JWT Authentication
JWT (JSON Web Token) is a compact, self-contained token format widely used for authentication.

### Structure of JWT:
- **Header**: Contains metadata about the token (e.g., type and algorithm).
- **Payload**: Contains claims or data, like user ID and roles.
- **Signature**: Ensures the integrity and authenticity of the token.

### How JWT Works:
1. User logs in and the server generates a JWT.
2. The token is signed with a secret key.
3. The token is sent to the user and included in requests as a header (e.g., `Authorization: Bearer <token>`).
4. The server verifies the token before granting access to resources.

### Example:
- **Header**:
  ```json
  {
    "alg": "HS256",
    "typ": "JWT"
  }
  ```
- **Payload**:
  ```json
  {
    "sub": "john",
    "roles": ["user"],
    "exp": 1682700000
  }
  ```
- **Signature**: Created using the header, payload, and secret key.

---

## 3. OAuth2 with Password Flow
OAuth2 is a widely used framework for access delegation. The Password Flow (the Resource Owner Password Credentials grant) lets a client authenticate directly with a username and password.

### Steps:
1. User sends credentials to the `/token` endpoint.
2. Server validates credentials and returns an access token.
3. User includes the access token in future requests to access protected resources.

### Benefits:
- Centralized authentication.
- A token-based approach eliminates the need to send credentials with every request.
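As an added example for the login flow described in Sections 1 to 3 (this is not code from the original notes), the following standard-library Python implements the credential check behind `/token`, HS256 signing of a header and payload like the ones shown above, and verification that pins the algorithm, compares signatures in constant time and checks `exp`. The user store, passwords and `SECRET_KEY` are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Any, Dict, Optional

# Constructed demo key; a real deployment loads a long random secret from configuration.
SECRET_KEY = b"constructed-demo-secret-not-for-production"


def _b64url_encode(data: bytes) -> str:
    # JWT segments are base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(payload: Dict[str, Any], key: bytes = SECRET_KEY) -> str:
    """Build header.payload.signature, signing with HMAC-SHA256 (HS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    head = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{head}.{body}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes = SECRET_KEY, now: Optional[int] = None) -> Dict[str, Any]:
    """Return the payload of a valid, unexpired token; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    header = json.loads(_b64url_decode(head))
    # Pin the algorithm server-side; the token's own 'alg' field must never choose the verifier.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so signature checks do not leak timing information.
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(body))
    now = int(time.time()) if now is None else now
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise ValueError("token expired or missing exp")
    return payload


# --- The /token step: verify credentials, then mint a token carrying the roles ---

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def _make_user(password: str, roles) -> Dict[str, Any]:
    salt = os.urandom(16)  # random salt per user
    return {"salt": salt, "hash": _hash_password(password, salt), "roles": list(roles)}


# Constructed user store with salted PBKDF2 hashes (never plaintext passwords).
USERS = {
    "john": _make_user("correct horse", ["user"]),
    "alice": _make_user("battery staple", ["user", "admin"]),
}


def issue_token(username: str, password: str, now: Optional[int] = None, ttl: int = 900) -> Optional[str]:
    """Return a short-lived JWT if the credentials are valid, else None."""
    record = USERS.get(username)
    # Hash even for unknown usernames so response time does not reveal which accounts exist.
    salt = record["salt"] if record else os.urandom(16)
    candidate = _hash_password(password, salt)
    if record is None or not hmac.compare_digest(candidate, record["hash"]):
        return None
    now = int(time.time()) if now is None else now
    return encode_jwt({"sub": username, "roles": record["roles"], "iat": now, "exp": now + ttl})


if __name__ == "__main__":
    token = issue_token("john", "correct horse")
    print(token)
    print(verify_jwt(token))
```

The verifier recomputes the HMAC over the first two segments exactly as received, so any edit to the payload (for example adding a role) invalidates the signature, and a token whose header claims a different algorithm is rejected before the signature is even examined.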

---

## 4. Role-Based Access Control (RBAC)
RBAC restricts access to resources based on a user's roles. Each role is associated with specific permissions.

### Example Roles:
- **Admin**: Can manage users and view all resources.
- **User**: Can access their own data but not administrative features.

### How RBAC Works:
1. User logs in and receives a token with role information.
2. The server verifies the role during each request.
3. If the user lacks the required role, access is denied.

---

## 5. Implementing Role-Based Access Control
### Steps:
1. Define roles and permissions in the application.
2. Add role information to the user's JWT.
3. Create a dependency to enforce role checks on endpoints.

### Example:
- **Admin Endpoint** (`User` and `get_current_user` are the application's own user model and token-decoding dependency):
  ```python
  from fastapi import Depends, HTTPException

  async def admin_only(user: User = Depends(get_current_user)):
      if "admin" not in user.roles:
          raise HTTPException(status_code=403, detail="Access denied")
      return user
  ```

---

## 6. Handling Permissions Using Dependencies
FastAPI allows permission checks via dependencies, making the code modular and reusable.

### Steps:
1. Create a dependency function to check permissions.
2. Attach the dependency to protected endpoints.

### Example:
```python
from typing import List
from fastapi import Depends, FastAPI, HTTPException

app = FastAPI()

def role_required(required_roles: List[str]):
    # Factory: return a dependency bound to required_roles (a bare lambda would
    # hand FastAPI an un-awaited coroutine and enforce nothing).
    async def checker(user: User = Depends(get_current_user)):
        if not any(role in user.roles for role in required_roles):
            raise HTTPException(status_code=403, detail="Insufficient permissions")
        return user
    return checker

@app.get("/admin")
def admin_dashboard(user: User = Depends(role_required(["admin"]))):
    return {"message": "Welcome to the admin dashboard!"}
```

`User` and `get_current_user` are the application's own user model and token-decoding dependency. The factory returns an `async` dependency that FastAPI resolves (including its own `Depends(get_current_user)`), so the role check actually runs on every request.
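Added example, framework-independent and not the notes' own code: the same dependency-factory pattern from Sections 4 to 6 expressed as a plain decorator, with Step 1's roles mapped to permissions (so handlers name a permission rather than a role string) and an object-level ownership check for the "User can access their own data" rule from Section 4. `ROLE_PERMISSIONS`, `AccessDenied`, `User` and the handlers are constructed for the example; in FastAPI, `AccessDenied` corresponds to `HTTPException(status_code=403)`.

```python
from dataclasses import dataclass, field
from functools import wraps
from typing import Callable, Dict, FrozenSet, List

# Step 1: define roles and the permissions each grants (constructed for the example).
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "admin": frozenset({"users:manage", "resources:read_all", "resources:read_own"}),
    "user": frozenset({"resources:read_own"}),
}


class AccessDenied(Exception):
    """Stand-in for FastAPI's HTTPException(status_code=403)."""


@dataclass
class User:
    username: str
    roles: List[str] = field(default_factory=list)


def permissions_for(user: User) -> FrozenSet[str]:
    """Union of the permissions of the user's roles; unknown roles grant nothing (deny by default)."""
    granted = set()
    for role in user.roles:
        granted |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(granted)


def require_permission(permission: str) -> Callable:
    """Factory returning a check bound to one permission (the Depends(role_required([...])) pattern)."""
    def decorator(handler: Callable) -> Callable:
        @wraps(handler)
        def wrapper(user: User, *args, **kwargs):
            if permission not in permissions_for(user):
                raise AccessDenied(f"{user.username} lacks '{permission}'")
            return handler(user, *args, **kwargs)
        return wrapper
    return decorator


@require_permission("users:manage")
def admin_dashboard(user: User) -> dict:
    return {"message": f"Welcome to the admin dashboard, {user.username}!"}


def read_resource(user: User, resource: Dict[str, object]) -> object:
    """Object-level check: read_all sees everything, read_own only the caller's own records."""
    perms = permissions_for(user)
    if "resources:read_all" in perms:
        return resource["data"]
    if "resources:read_own" in perms and resource["owner"] == user.username:
        return resource["data"]
    raise AccessDenied(f"{user.username} may not read {resource['owner']}'s resource")


if __name__ == "__main__":
    alice = User("alice", ["user", "admin"])
    bob = User("bob", ["user"])
    print(admin_dashboard(alice))
    try:
        admin_dashboard(bob)
    except AccessDenied as err:
        print("denied:", err)
    print(read_resource(bob, {"owner": "bob", "data": "bob's notes"}))
```

Keeping the role-to-permission mapping in one table means a new role, or a change to what "admin" may do, is a data change rather than an edit to every handler, and a role name that is not in the table grants nothing instead of silently passing a check.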

---

## Summary:
1. **Authentication** ensures the user is who they claim to be.
2. **JWT** provides a secure, stateless way to manage user sessions.
3. **OAuth2 Password Flow** simplifies token generation.
4. **RBAC** enforces access control based on roles.
5. **Dependencies** in FastAPI modularize permission handling.

By implementing these concepts, you can create secure and scalable authentication and authorization mechanisms for your applications.
