| --- |
| title: Secure Auth System |
| emoji: π‘οΈ |
| colorFrom: gray |
| colorTo: gray |
| sdk: docker |
| app_port: 7860 |
| pinned: false |
| --- |
| |
| # Secure Authentication System with SMTP OTP Verification |
|
|
| A professional, modular authentication system built with **FastAPI** (Python) and **React** (Vite + JavaScript). This version implements secure signup and recovery flows using **Email OTP (One-Time Password) Verification** via Python's built-in SMTP protocols. |
|
|
| --- |
|
|
| ## π Key Features |
|
|
| * **SMTP Email Verification**: Creates inactive users on signup, sends a 6-digit OTP to their email, and locks login attempts until the account is verified. |
| * **Console Fallback Mode**: If SMTP parameters are not set in `.env`, the server outputs verification codes to the console so you can test the system completely offline! |
| * **Secure Forgot Password Recovery**: A 2-step password recovery flow sending OTP codes to users before allowing a credential reset. |
| * **Modular Backend Architecture**: Clean separation of models, routes, database, schemas, configs, and helpers. |
| * **JWT Access & Refresh Token System**: Implements short-lived access tokens (30 minutes) and long-lived refresh tokens (7 days). |
| * **Automatic Token Rotation**: Refreshing your session issues a new access/refresh pair and revokes the old refresh token. |
| * **Server-Side Token Revocation (Logout)**: Invalides active tokens immediately on logout by storing them in a SQLite database blacklist. |
| * **Bcrypt Password Hashing**: Clean hashing using Python's direct `bcrypt` package to prevent dictionary attacks. |
| * **Request Logger & Rate Limiter**: Logs API logs to `requests.log` and restricts traffic per IP address in-memory. |
| * **Premium Glassmorphic UI**: Beautiful dark-mode dashboard styled with vanilla CSS and subtle micro-animations. |
|
|
| --- |
|
|
| ## π οΈ Technology Stack |
|
|
| * **Backend**: FastAPI, SQLite (Database), SQLAlchemy (ORM), Pydantic (Data Validation), PyJWT/Jose (JWT tokens), Bcrypt, built-in Smtplib. |
| * **Frontend**: React, React Router Dom (Routing), Axios (Interceptors for token injection & auto-refresh). |
|
|
| --- |
|
|
| ## π Project Structure |
|
|
| ``` |
| βββ backend/ |
| β βββ config.py # Loads .env configurations |
| β βββ database.py # SQLAlchemy engine & SQLite session setup |
| β βββ models.py # User and RevokedToken database models |
| β βββ schemas.py # Pydantic input/output validation models |
| β βββ auth.py # Password hashing, JWT dependencies & SMTP mailers |
| β βββ routes/ # Authentication & user routing endpoints |
| β βββ .env # Secret configurations & SMTP details |
| β βββ requirements.txt # Python requirements |
| β βββ main.py # FastAPI entry point, logger, & rate-limiting |
| βββ frontend/ |
| βββ package.json # Frontend dependencies |
| βββ vite.config.js # Vite dev server configuration |
| βββ index.html # HTML template |
| βββ src/ |
| βββ main.jsx # Renders React root |
| βββ App.jsx # App router & AuthProvider integration |
| βββ index.css # Gorgeous dark-glass UI styling |
| βββ api/axios.js # Axios client with interceptors |
| βββ components/ # Reusable components (Navbar, Guards) |
| βββ context/ # Auth Context provider managing global states |
| βββ pages/ # Login, Register, VerifyEmail, and Dashboard views |
| ``` |
|
|
| --- |
|
|
| ## βοΈ Setup and Installation |
|
|
| ### Option 1: Running with Docker Compose (Recommended) |
| You can start the entire stack (React + FastAPI + SQLite) with a single command. Docker Compose will automatically read your SMTP settings from `./backend/.env`. |
|
|
| In the root project folder, run: |
| ```bash |
| docker compose up --build |
| ``` |
| * **React Frontend URL**: [http://localhost:5173](http://localhost:5173) |
| * **FastAPI Docs URL**: [http://localhost:8000/docs](http://localhost:8000/docs) |
|
|
| To stop the containers: |
| ```bash |
| docker compose down |
| ``` |
|
|
| --- |
|
|
| ### Option 2: Running Locally |
|
|
| #### 1. Backend Setup |
| 1. Navigate to the backend directory: |
| ```bash |
| cd backend |
| ``` |
| 2. Create and activate a Python virtual environment: |
| ```bash |
| python3 -m venv .venv |
| source .venv/bin/activate |
| ``` |
| 3. Install dependencies: |
| ```bash |
| pip install -r requirements.txt |
| ``` |
| 4. Copy/create a `.env` file and fill in your SMTP credentials (or leave them blank to use console simulation logs): |
| ```bash |
| uvicorn main:app --reload |
| ``` |
|
|
| #### 2. Frontend Setup |
| 1. In a new terminal, navigate to the frontend directory: |
| ```bash |
| cd frontend |
| ``` |
| 2. Install npm packages: |
| ```bash |
| npm install |
| ``` |
| 3. Run the development server: |
| ```bash |
| npm run dev |
| ``` |
|
|
| --- |
|
|
| ## π§ Configuring SMTP Server for Real Emails |
|
|
| To make the app send actual emails to your users, edit the `backend/.env` file: |
| ```env |
| SMTP_SERVER=smtp.gmail.com |
| SMTP_PORT=587 |
| SMTP_USER=your_email@gmail.com |
| SMTP_PASSWORD=your_google_app_password |
| ``` |
| *Note: For security reasons, do not use your primary password. Instead, generate a secure 16-character **App Password** from your Google Account settings.* |
|
|
| --- |
|
|
| ## π€ Deploying to Hugging Face Spaces |
|
|
| You can easily deploy this full-stack application to Hugging Face Spaces using the **Docker** SDK! Since we set up a multi-stage Dockerfile, Hugging Face will compile your React files and run your Python API together on a single port automatically. |
|
|
| ### Step-by-Step Deployment Guide: |
| 1. **Create a Hugging Face Account**: Sign up at [huggingface.co](https://huggingface.co/). |
| 2. **Create a New Space**: |
| * Click your profile icon -> **New Space**. |
| * Choose a **Space name** (e.g. `secure-auth-smtp`). |
| * Select **Docker** as the SDK. |
| * Choose the **Blank** template. |
| * Click **Create Space**. |
| 3. **Configure Secret Variables**: |
| * Go to the **Settings** tab of your new Space. |
| * Scroll down to **Variables and secrets**. |
| * Add a new secret for each of the following: |
| * `SECRET_KEY`: (Any secure random text) |
| * `DATABASE_URL`: `sqlite:////app/users.db` |
| * `SMTP_SERVER`: `smtp.gmail.com` |
| * `SMTP_PORT`: `587` |
| * `SMTP_USER`: `your_email@gmail.com` |
| * `SMTP_PASSWORD`: `your_google_app_password_token` |
| 4. **Push your Repository**: |
| * Clone the Hugging Face space using git, copy all the files from this folder into it, and push: |
| ```bash |
| git add . |
| git commit -m "Initial commit" |
| git push |
| ``` |
| 5. **Ready!**: The space will build automatically and show **Running** once deployed. |
| |
| --- |
|
|
| ## π‘οΈ License |
|
|
| Distributed under the MIT License. See `LICENSE` for more information. |
|
|