title: Secure Auth System
emoji: π‘οΈ
colorFrom: gray
colorTo: gray
sdk: docker
app_port: 7860
pinned: false
Secure Authentication System with SMTP OTP Verification
A professional, modular authentication system built with FastAPI (Python) and React (Vite + JavaScript). This version implements secure signup and recovery flows using Email OTP (One-Time Password) Verification via Python's built-in SMTP protocols.
π Key Features
- SMTP Email Verification: Creates inactive users on signup, sends a 6-digit OTP to their email, and locks login attempts until the account is verified.
- Console Fallback Mode: If SMTP parameters are not set in
.env, the server outputs verification codes to the console so you can test the system completely offline! - Secure Forgot Password Recovery: A 2-step password recovery flow sending OTP codes to users before allowing a credential reset.
- Modular Backend Architecture: Clean separation of models, routes, database, schemas, configs, and helpers.
- JWT Access & Refresh Token System: Implements short-lived access tokens (30 minutes) and long-lived refresh tokens (7 days).
- Automatic Token Rotation: Refreshing your session issues a new access/refresh pair and revokes the old refresh token.
- Server-Side Token Revocation (Logout): Invalides active tokens immediately on logout by storing them in a SQLite database blacklist.
- Bcrypt Password Hashing: Clean hashing using Python's direct
bcryptpackage to prevent dictionary attacks. - Request Logger & Rate Limiter: Logs API logs to
requests.logand restricts traffic per IP address in-memory. - Premium Glassmorphic UI: Beautiful dark-mode dashboard styled with vanilla CSS and subtle micro-animations.
π οΈ Technology Stack
- Backend: FastAPI, SQLite (Database), SQLAlchemy (ORM), Pydantic (Data Validation), PyJWT/Jose (JWT tokens), Bcrypt, built-in Smtplib.
- Frontend: React, React Router Dom (Routing), Axios (Interceptors for token injection & auto-refresh).
π Project Structure
βββ backend/
β βββ config.py # Loads .env configurations
β βββ database.py # SQLAlchemy engine & SQLite session setup
β βββ models.py # User and RevokedToken database models
β βββ schemas.py # Pydantic input/output validation models
β βββ auth.py # Password hashing, JWT dependencies & SMTP mailers
β βββ routes/ # Authentication & user routing endpoints
β βββ .env # Secret configurations & SMTP details
β βββ requirements.txt # Python requirements
β βββ main.py # FastAPI entry point, logger, & rate-limiting
βββ frontend/
βββ package.json # Frontend dependencies
βββ vite.config.js # Vite dev server configuration
βββ index.html # HTML template
βββ src/
βββ main.jsx # Renders React root
βββ App.jsx # App router & AuthProvider integration
βββ index.css # Gorgeous dark-glass UI styling
βββ api/axios.js # Axios client with interceptors
βββ components/ # Reusable components (Navbar, Guards)
βββ context/ # Auth Context provider managing global states
βββ pages/ # Login, Register, VerifyEmail, and Dashboard views
βοΈ Setup and Installation
Option 1: Running with Docker Compose (Recommended)
You can start the entire stack (React + FastAPI + SQLite) with a single command. Docker Compose will automatically read your SMTP settings from ./backend/.env.
In the root project folder, run:
docker compose up --build
- React Frontend URL: http://localhost:5173
- FastAPI Docs URL: http://localhost:8000/docs
To stop the containers:
docker compose down
Option 2: Running Locally
1. Backend Setup
- Navigate to the backend directory:
cd backend - Create and activate a Python virtual environment:
python3 -m venv .venv source .venv/bin/activate - Install dependencies:
pip install -r requirements.txt - Copy/create a
.envfile and fill in your SMTP credentials (or leave them blank to use console simulation logs):uvicorn main:app --reload
2. Frontend Setup
- In a new terminal, navigate to the frontend directory:
cd frontend - Install npm packages:
npm install - Run the development server:
npm run dev
π§ Configuring SMTP Server for Real Emails
To make the app send actual emails to your users, edit the backend/.env file:
SMTP_SERVER=smtp.gmail.com
SMTP_PORT=587
SMTP_USER=your_email@gmail.com
SMTP_PASSWORD=your_google_app_password
Note: For security reasons, do not use your primary password. Instead, generate a secure 16-character App Password from your Google Account settings.
π€ Deploying to Hugging Face Spaces
You can easily deploy this full-stack application to Hugging Face Spaces using the Docker SDK! Since we set up a multi-stage Dockerfile, Hugging Face will compile your React files and run your Python API together on a single port automatically.
Step-by-Step Deployment Guide:
- Create a Hugging Face Account: Sign up at huggingface.co.
- Create a New Space:
- Click your profile icon -> New Space.
- Choose a Space name (e.g.
secure-auth-smtp). - Select Docker as the SDK.
- Choose the Blank template.
- Click Create Space.
- Configure Secret Variables:
- Go to the Settings tab of your new Space.
- Scroll down to Variables and secrets.
- Add a new secret for each of the following:
SECRET_KEY: (Any secure random text)DATABASE_URL:sqlite:////app/users.dbSMTP_SERVER:smtp.gmail.comSMTP_PORT:587SMTP_USER:your_email@gmail.comSMTP_PASSWORD:your_google_app_password_token
- Push your Repository:
- Clone the Hugging Face space using git, copy all the files from this folder into it, and push:
git add . git commit -m "Initial commit" git push
- Clone the Hugging Face space using git, copy all the files from this folder into it, and push:
- Ready!: The space will build automatically and show Running once deployed.
π‘οΈ License
Distributed under the MIT License. See LICENSE for more information.