[Backend] Auth System - JWT Authentication #15

shoko · 2026-04-08T07:49:34+02:00

shoko commented

2026-04-08 07:49:34 +02:00

Summary

Implement JWT-based authentication system as described in issue #4.

Changes Made

New files:

src/backend/app/core/limiter.py - Rate limiter configuration

Modified files:

src/backend/app/api/auth.py - Complete auth implementation:
- POST /api/auth/register - Create new user with bcrypt hashed passwords
- POST /api/auth/login - Authenticate and return JWT token (5/min rate limited)
- POST /api/auth/logout - Invalidate token via blacklisting
- GET /api/auth/me - Get current authenticated user
- GET /api/auth/settings - Get user settings
- PATCH /api/auth/settings - Update user email/password
src/backend/app/db/schemas.py - Added UserSettings and UserSettingsUpdate schemas
src/backend/app/main.py - Added slowapi limiter setup
src/backend/requirements.txt - Added slowapi>=0.1.9

Security Features

Passwords hashed with bcrypt via passlib
JWT tokens expire after 24h (configurable via ACCESS_TOKEN_EXPIRE_MINUTES)
Protected routes require valid JWT in Authorization header
Rate limiting: 5 login attempts per minute per IP
Token blacklisting for logout

Dependencies

Depends on issue #3 (Database Models) which was already merged

Fixes #4

## Summary Implement JWT-based authentication system as described in issue #4. ### Changes Made **New files:** - `src/backend/app/core/limiter.py` - Rate limiter configuration **Modified files:** - `src/backend/app/api/auth.py` - Complete auth implementation: - `POST /api/auth/register` - Create new user with bcrypt hashed passwords - `POST /api/auth/login` - Authenticate and return JWT token (5/min rate limited) - `POST /api/auth/logout` - Invalidate token via blacklisting - `GET /api/auth/me` - Get current authenticated user - `GET /api/auth/settings` - Get user settings - `PATCH /api/auth/settings` - Update user email/password - `src/backend/app/db/schemas.py` - Added `UserSettings` and `UserSettingsUpdate` schemas - `src/backend/app/main.py` - Added slowapi limiter setup - `src/backend/requirements.txt` - Added `slowapi>=0.1.9` ### Security Features - Passwords hashed with bcrypt via passlib - JWT tokens expire after 24h (configurable via ACCESS_TOKEN_EXPIRE_MINUTES) - Protected routes require valid JWT in Authorization header - Rate limiting: 5 login attempts per minute per IP - Token blacklisting for logout ### Dependencies - Depends on issue #3 (Database Models) which was already merged ## Related Issue Fixes #4

shoko added 1 commit 2026-04-08 07:49:34 +02:00

feat: implement JWT authentication system 42640679c7

- Add register endpoint with bcrypt password hashing
- Add login endpoint returning JWT tokens
- Add logout endpoint with token blacklisting
- Add /me endpoint for current user info
- Add rate limiting (5/minute) for login attempts using slowapi
- Add user settings GET and PATCH endpoints
- Create auth middleware via get_current_user dependency
- Add UserSettings and UserSettingsUpdate schemas

han approved these changes 2026-04-08 07:56:04 +02:00

han left a comment

First-time contributor

lgtm

shoko merged commit a2f0c9a0e9 into main

2026-04-08 08:01:24 +02:00

shoko referenced this issue from a commit

2026-04-08 08:01:25 +02:00

Merge pull request '[Backend] Auth System - JWT Authentication' (#15) from fix/issue-4 into main

shoko referenced this pull request

2026-04-08 08:06:21 +02:00

[Backend] Bot CRUD - Bot Management with Max 3 Limit #16