< Back to Wilco BlogDeploying Secure APIs with FastAPI (Advanced)
Written by
Wilco team
December 26, 2024
Tags
No items found.

Deploying Secure APIs with FastAPI (Advanced)

In this advanced quest, we will dive deep into the world of API development using FastAPI, focusing specifically on securing your APIs against various threats. You will learn how to implement authentication and authorization mechanisms, protect against common vulnerabilities like SQL injection and cross-site scripting, and utilize best practices for API documentation and versioning.

Securing your APIs

Security is a vital aspect of any API. To secure our FastAPI application, we will be implementing various mechanisms such as authentication, authorization, and protection against common vulnerabilities.

Implementing Authentication and Authorization

Authentication is the process of verifying the identity of a user or system. In FastAPI, we can use various schemes like OAuth2 or JWT for this purpose. Let's take a look at an example of how to use JWT for authentication.


# Code to implement JWT authentication
from fastapi import Depends, FastAPI
from fastapi.security import OAuth2PasswordBearer

app = FastAPI()

oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token")

@app.get("/items/")
async def read_items(token: str = Depends(oauth2_scheme)):
    return {"token": token}

After authentication, we need to authorize the user to access different parts of our application. FastAPI allows us to use dependency injection to handle authorization. Below is an example of how to do this.


# Code to implement authorization
from fastapi import Depends, FastAPI, HTTPException
from fastapi.security import OAuth2PasswordBearer, OAuth2PasswordRequestForm
from fastapi.openapi.models import OAuthFlows as OAuthFlowsModel
from fastapi.security.oauth2 import OAuth2
from fastapi.security.utils import get_authorization_scheme_param
from pydantic import BaseModel

app = FastAPI()

class OAuth2PasswordBearerWithCookie(OAuth2PasswordBearer):
    def __init__(
        self,
        tokenUrl: str,
        scheme_name: str = None,
        scopes: dict = None,
        auto_error: bool = True,
    ):
        if not scopes:
            scopes = {}
        flows = OAuthFlowsModel(password={"tokenUrl": tokenUrl, "scopes": scopes})
        super().__init__(flows=flows, scheme_name=scheme_name, auto_error=auto_error)

    async def __call__(self, request: Request) -> Optional[str]:
        authorization: str = request.cookies.get("Authorization")
        scheme, param = get_authorization_scheme_param(authorization)
        if not authorization or scheme.lower() != "bearer":
            if self.auto_error:
                raise HTTPException(
                    status_code=status.HTTP_403_FORBIDDEN, detail="Not authenticated"
                )
            else:
                return None
        return param

Protecting against Common Vulnerabilities

Two of the most common vulnerabilities in API development are SQL injection and cross-site scripting (XSS). To protect against these, FastAPI provides built-in support for preventing SQL injection by using SQLAlchemy ORM for database interactions. It also automatically escapes any HTML content returned in JSON responses, preventing XSS attacks.

API Documentation and Versioning

FastAPI provides automatic interactive API documentation using Swagger UI. This can be accessed at '/docs' endpoint. For versioning, you can use URL path versioning. Here's an example of how to do it:


# Code to implement API versioning
app = FastAPI()

@app.get("/v1/items/")
async def read_items_v1():
    return [{"item_id": "Foo"}]

@app.get("/v2/items/")
async def read_items_v2():
    return [{"item_id": "Bar"}]

Integrating FastAPI with Databases

FastAPI can be easily integrated with databases using SQLAlchemy ORM. Here's an example of how to do it:


# Code to integrate FastAPI with databases
from sqlalchemy import create_engine
from sqlalchemy.orm import sessionmaker

SQLALCHEMY_DATABASE_URL = "sqlite:///./test.db"

engine = create_engine(
    SQLALCHEMY_DATABASE_URL, connect_args={"check_same_thread": False}
)
SessionLocal = sessionmaker(autocommit=False, autoflush=False, bind=engine)

Using Environment Variables for Configuration

It's a good practice to use environment variables for configuration. You can use python-dotenv library for this purpose. Here's an example of how to do it:


# Code to use environment variables for configuration
from dotenv import load_dotenv
import os

load_dotenv()  # take environment variables from .env.

DATABASE_URL = os.getenv("DATABASE_URL")

Setting up CI/CD pipelines

Continuous integration and continuous deployment (CI/CD) can help streamline your development process. You can use services like Jenkins, Travis CI, or GitHub Actions for this purpose.

Top 10 Key Takeaways

  1. FastAPI provides various mechanisms to secure your APIs such as authentication and authorization.
  2. You can use OAuth2 or JWT for authentication in FastAPI.
  3. FastAPI allows you to use dependency injection to handle authorization.
  4. FastAPI provides built-in support to prevent common vulnerabilities such as SQL injection and cross-site scripting (XSS).
  5. FastAPI provides automatic API documentation using Swagger UI.
  6. You can use URL path versioning for API versioning in FastAPI.
  7. FastAPI can be easily integrated with databases using SQLAlchemy ORM.
  8. It's a good practice to use environment variables for configuration in FastAPI.
  9. You can use services like Jenkins, Travis CI, or GitHub Actions to set up CI/CD pipelines.
  10. FastAPI is a powerful and easy-to-use framework for building secure and robust APIs.

Ready to start learning? Start the quest now

Start Quest Now >