# Backend
This is the API service that supplies the frontend with the insights produced by the machine learning and data modelling services.
## Usage
### Local
To run the service locally, navigate to the backend directory and run the following command:
```shell
uvicorn main:app --reload
```
## Thoughts on authenticating the frontend with the backend
To provide secure communication between your frontend Next.js application and your backend FastAPI service, you have several options. Here are a few popular approaches:
- JWT (JSON Web Tokens): Since you're already using JWT for authentication in the frontend, you can also use it to authenticate requests to your FastAPI backend. This involves passing the JWT in the Authorization header of each request from the frontend to the backend. The backend then uses a JWT decoder to validate the token's signature and claims, which can be done with a library such as PyJWT in your FastAPI application.
- API Keys: This is another common approach where you issue unique keys for each user/service that needs to access the backend API. Each API call then includes this key in a request header, and FastAPI can easily validate it. While this approach is simpler than JWT, it provides less flexibility and security, as a bare key carries no claims or scopes.
- OAuth2.0: OAuth2 is a protocol that allows applications to request authorization to access resources on behalf of a user. FastAPI has direct support for OAuth2 through the OAuth2PasswordBearer class, which can be used for issuing access tokens to clients. Note that this could be overkill if you're already using JWT and the calls to your backend are not made on behalf of a user.
- Mutual TLS (mTLS): Mutual TLS is a method of two-way encrypted communication in which both client and server authenticate each other with certificates. This is more complex to set up but can provide an additional layer of security in some scenarios.
No matter which method is chosen, always serve the applications over HTTPS so that all data, including tokens or keys, is encrypted in transit. Also handle JWTs carefully, especially if they are stored in the client's browser, where they can be exposed through Cross-Site Scripting (XSS) or abused through Cross-Site Request Forgery (CSRF). Consider httpOnly cookies for storing tokens if your use case allows it: they keep the token out of reach of page scripts, but because cookies are sent automatically the backend then needs CSRF protection as well (for example SameSite cookie attributes).
I think that we could use both a JWT and an API key.
Notes:
Using both JWT and API keys can provide an additional layer of security and could be a good approach for our requirements.
- JSON Web Tokens (JWT) are useful for carrying user context between services. With JWT, you can embed user-specific data (like user ID, roles, permissions, etc.) in a secure, tamper-proof token. This can be validated by your FastAPI backend to authenticate and authorize the user.
- API Keys can serve as an identifier for the client application (in this case, your Next.js frontend). They provide a straightforward way to track and control how the client application is calling the backend API.
Here's a rough workflow of how these can be used together:
1. A user logs in to the Next.js frontend using NextAuth and receives a JWT. This JWT is stored securely in the client's browser.
2. For each request from the frontend to the backend, the JWT is included in the Authorization header.
3. In addition to the JWT, an API key unique to the frontend application is included in each request (possibly in a custom header like X-API-Key).
4. The backend service validates both the JWT (for user authentication and authorization) and the API key (for client application validation).
This approach provides a double check for each request: the JWT verifies that the request comes from a legitimate, authenticated user, and the API key verifies that the request comes from a trusted client application.