| # Auth-System-SMTP β High-Level Design (HLD) |
|
|
| --- |
|
|
| ## 1. System Overview |
|
|
| ``` |
| βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ |
| β CLIENT (Browser) β |
| β React 18 + Vite (Port 5173) β |
| β β |
| β ββββββββββββ ββββββββββββ ββββββββββββ ββββββββββββββββββββ β |
| β β Register β β Login β β Verify β β Dashboard β β |
| β β Page β β Page β β Email β β (Profile/Admin) β β |
| β ββββββ¬ββββββ ββββββ¬ββββββ ββββββ¬ββββββ ββββββββββ¬ββββββββββ β |
| β β β β β β |
| β ββββββΌβββββββββββββββΌβββββββββββββββΌβββββββββββββββββββΌββββββββββ β |
| β β AuthContext (State) β β |
| β β + Axios Interceptors (Token) β β |
| β ββββββββββββββββββββββββββββ¬ββββββββββββββββββββββββββββββββββββ β |
| ββββββββββββββββββββββββββββββββΌββββββββββββββββββββββββββββββββββββββ |
| β HTTP/HTTPS |
| β Authorization: Bearer <token> |
| βΌ |
| βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ |
| β API SERVER (FastAPI) β |
| β (Port 8000, Uvicorn) β |
| β β |
| β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β |
| β β Middleware Layer β β |
| β β ββββββββββββ ββββββββββββββββ ββββββββββββββββββββββββ β β |
| β β β CORS β β Rate Limiter β β Request Logger β β β |
| β β β Middlewareβ β (60 req/min) β β (IP, method, path) β β β |
| β β ββββββββββββ ββββββββββββββββ ββββββββββββββββββββββββ β β |
| β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β |
| β β |
| β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β |
| β β Route Handlers β β |
| β β β β |
| β β Auth Routes (/auth) User Routes (/me, /admin) β β |
| β β ββββββββββββββββββββ ββββββββββββββββββββββββ β β |
| β β β register β β GET /me β β β |
| β β β verify-email β β PUT /me β β β |
| β β β login β β DELETE /me β β β |
| β β β forgot-password β β GET /admin/users β β β |
| β β β reset-password β ββββββββββββββββββββββββ β β |
| β β β refresh β β β |
| β β β logout β β β |
| β β ββββββββββββββββββββ β β |
| β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β |
| β β |
| β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β |
| β β Core Services β β |
| β β βββββββββββββ βββββββββββββ βββββββββββββββββββββββββ β β |
| β β β Auth β β Config β β Database Manager β β β |
| β β β Service β β Loader β β (SQLAlchemy Engine) β β β |
| β β β β β β β β β β |
| β β β bcrypt β β .env β β SQLite3 Connection β β β |
| β β β JWT β β variables β β Session Factory β β β |
| β β β SMTP Send β β β β Base (ORM) β β β |
| β β βββββββ¬ββββββ βββββββββββββ βββββββββββββ¬ββββββββββββ β β |
| β ββββββββββΌβββββββββββββββββββββββββββββββββββββΌββββββββββββββββ β |
| ββββββββββββββΌβββββββββββββββββββββββββββββββββββββΌββββββββββββββββββββ |
| β β |
| βΌ βΌ |
| ββββββββββββββββββββββββ ββββββββββββββββββββββββββββββββββββ |
| β SMTP SERVER β β SQLite Database β |
| β (Gmail / Console) β β (users.db) β |
| β β β β |
| β smtp.gmail.com β β ββββββββββββββ βββββββββββββββ β |
| β Port 587 (STARTTLS) β β β users β βrevoked_tokensβ β |
| β β β ββββββββββββββ βββββββββββββββ β |
| β Sends OTP emails: β β β |
| β - Email Verify β β Tables: β |
| β - Password Reset β β - users β |
| ββββββββββββββββββββββββ β - revoked_tokens β |
| ββββββββββββββββββββββββββββββββββββ |
| ``` |
|
|
| --- |
|
|
| ## 2. Component Architecture |
|
|
| ### 2.1 Backend Components |
|
|
| ``` |
| backend/ |
| βββ main.py β FastAPI app, CORS, rate limiting, middleware |
| βββ config.py β Loads .env variables via python-dotenv |
| βββ database.py β SQLAlchemy engine + session + Base |
| βββ models.py β ORM models: User, RevokedToken |
| βββ schemas.py β Pydantic request/response schemas |
| βββ auth.py β Password hashing, JWT, SMTP email |
| βββ routes/ |
| β βββ auth_routes.py β /auth endpoints (register, login, etc.) |
| β βββ user_routes.py β /me and /admin endpoints |
| βββ .env β Environment variables (secrets) |
| ``` |
|
|
| **Data Flow:** |
| ``` |
| Request β Middleware (CORS, Rate Limit, Logging) |
| β Route Handler (auth_routes / user_routes) |
| β Auth Service (validate token, hash password, send email) |
| β Database (SQLAlchemy ORM β SQLite) |
| β Response (JSON) |
| ``` |
|
|
| ### 2.2 Frontend Components |
|
|
| ``` |
| frontend/ |
| βββ src/ |
| β βββ main.jsx β Entry point, BrowserRouter |
| β βββ App.jsx β Root component, all routes |
| β βββ index.css β Global styles (glassmorphism) |
| β βββ api/ |
| β β βββ axios.js β Axios instance + interceptors |
| β βββ context/ |
| β β βββ AuthContext.jsx β Auth state management |
| β βββ components/ |
| β β βββ Navbar.jsx β Navigation bar |
| β β βββ ProtectedRoute.jsx β Route guard |
| β βββ pages/ |
| β βββ Register.jsx β Registration form |
| β βββ Login.jsx β Login form |
| β βββ VerifyEmail.jsx β OTP verification form |
| β βββ Dashboard.jsx β User dashboard + admin panel |
| ``` |
|
|
| **Component Hierarchy:** |
| ``` |
| <App> |
| βββ <AuthProvider> (Context) |
| β βββ <Navbar /> |
| β βββ <Routes> |
| β β βββ /register β <Register /> |
| β β βββ /login β <Login /> |
| β β βββ /verify-email β <VerifyEmail /> |
| β β βββ /dashboard β <ProtectedRoute> β <Dashboard /> |
| β β βββ / β <Navigate to="/login" /> |
| ``` |
|
|
| --- |
|
|
| ## 3. Authentication Flow Diagrams |
|
|
| ### 3.1 Registration Flow |
|
|
| ``` |
| ββββββββββββ ββββββββββββ ββββββββββββ |
| β Client β β Server β β SMTP β |
| ββββββ¬ββββββ ββββββ¬ββββββ ββββββ¬ββββββ |
| β β β |
| β POST /auth/register β β |
| β { username, email, password } β β |
| ββββββββββββββββββββββββββββββββββββββββββΆβ β |
| β β β |
| β βββββββββββββββ€ β |
| β β Validate: β β |
| β β - Email len β β |
| β β - Password β β |
| β β strength β β |
| β β - Uniquenessβ β |
| β βββββββββββββββ€ β |
| β β β |
| β βββββββββββββββ€ β |
| β β bcrypt.hash β β |
| β β + OTP gen β β |
| β β + Create β β |
| β β User β β |
| β βββββββββββββββ€ β |
| β β β |
| β β Send OTP via SMTP β |
| β ββββββββββββββββββββββββββββββββΆβ |
| β β β |
| β 200 OK (redirect to /verify-email) β β |
| βββββββββββββββββββββββββββββββββββββββββββ β |
| β β β |
| β β ββββββββββββββββββββββββββ β |
| β β β Console fallback: β β |
| β β β Print OTP if SMTP failsβ β |
| β β ββββββββββββββββββββββββββ β |
| ``` |
|
|
| ### 3.2 Login Flow |
|
|
| ``` |
| ββββββββββββ ββββββββββββ |
| β Client β β Server β |
| ββββββ¬ββββββ ββββββ¬ββββββ |
| β β |
| β POST /auth/login β |
| β (OAuth2 form: username + password) β |
| ββββββββββββββββββββββββββββββββββββββββββΆβ |
| β β |
| β βββββββββββββββ€ |
| β β Look up β |
| β β user by β |
| β β username β |
| β βββββββββββββββ€ |
| β β |
| β βββββββββββββββ€ |
| β β bcrypt β |
| β β .checkpw() β |
| β βββββββββββββββ€ |
| β β |
| β βββββββββββββββ€ |
| β β Check: β |
| β β - is_active β |
| β β - is_verifiedβ |
| β βββββββββββββββ€ |
| β β |
| β βββββββββββββββ€ |
| β β Generate: β |
| β β - access_token β |
| β β - refresh_token β |
| β βββββββββββββββ€ |
| β β |
| β 200 OK β |
| β { access_token, refresh_token } β |
| βββββββββββββββββββββββββββββββββββββββββββ |
| β β |
| β Store in sessionStorage β |
| β Set AuthContext user β |
| ``` |
|
|
| ### 3.3 Token Refresh Flow |
|
|
| ``` |
| ββββββββββββ ββββββββββββ |
| β Client β β Server β |
| ββββββ¬ββββββ ββββββ¬ββββββ |
| β β |
| β API Request with expired access_token β |
| ββββββββββββββββββββββββββββββββββββββββββΆβ |
| β β |
| β 401 Unauthorized β |
| βββββββββββββββββββββββββββββββββββββββββββ |
| β β |
| β Axios interceptor detects 401 β |
| β β |
| β POST /auth/refresh β |
| β { refresh_token } β |
| ββββββββββββββββββββββββββββββββββββββββββΆβ |
| β β |
| β βββββββββββββββ€ |
| β β Decode JWT β |
| β β Check type β |
| β β == "refresh"β |
| β βββββββββββββββ€ |
| β β |
| β βββββββββββββββ€ |
| β β Check if β |
| β β revoked β |
| β βββββββββββββββ€ |
| β β |
| β βββββββββββββββ€ |
| β β Revoke old β |
| β β refresh tokenβ |
| β β (rotation) β |
| β βββββββββββββββ€ |
| β β |
| β βββββββββββββββ€ |
| β β Issue new β |
| β β access + β |
| β β refresh pairβ |
| β βββββββββββββββ€ |
| β β |
| β 200 OK β |
| β { access_token, refresh_token } β |
| βββββββββββββββββββββββββββββββββββββββββββ |
| β β |
| β Retry original request with new token β |
| ββββββββββββββββββββββββββββββββββββββββββΆβ |
| β β |
| β 200 OK (success) β |
| βββββββββββββββββββββββββββββββββββββββββββ |
| ``` |
|
|
| ### 3.4 Logout Flow |
|
|
| ``` |
| ββββββββββββ ββββββββββββ |
| β Client β β Server β |
| ββββββ¬ββββββ ββββββ¬ββββββ |
| β β |
| β POST /auth/logout β |
| β { refresh_token } β |
| β Authorization: Bearer <access_token> β |
| ββββββββββββββββββββββββββββββββββββββββββΆβ |
| β β |
| β βββββββββββββββ€ |
| β β Insert both β |
| β β tokens into β |
| β β revoked_ β |
| β β tokens tableβ |
| β βββββββββββββββ€ |
| β β |
| β 200 OK β |
| βββββββββββββββββββββββββββββββββββββββββββ |
| β β |
| β Clear sessionStorage β |
| β Set user = null β |
| β Redirect to /login β |
| ``` |
|
|
| --- |
|
|
| ## 4. Data Models |
|
|
| ### 4.1 Entity Relationship Diagram |
|
|
| ``` |
| βββββββββββββββββββββββββββ ββββββββββββββββββββββββββββββββ |
| β users β β revoked_tokens β |
| βββββββββββββββββββββββββββ€ ββββββββββββββββββββββββββββββββ€ |
| β id INTEGER PK β β id INTEGER PK β |
| β username VARCHAR UNI β β token VARCHAR UNI β |
| β email VARCHAR UNI β β revoked_at DATETIME β |
| β password VARCHAR β β expires_at DATETIME β |
| β is_active BOOLEAN β ββββββββββββββββββββββββββββββββ |
| β role VARCHAR β |
| β created_at DATETIME β Relationship: One user can have |
| β is_verified BOOLEAN β many revoked tokens (1:N) |
| β verification_code VARCHARβ |
| β reset_code VARCHAR β |
| βββββββββββββββββββββββββββ |
| ``` |
|
|
| ### 4.2 User Model Fields |
|
|
| | Field | Type | Constraints | Default | Description | |
| |-------|------|-------------|---------|-------------| |
| | `id` | Integer | PK, auto-increment, indexed | β | Unique user identifier | |
| | `username` | String(50) | UNIQUE, NOT NULL, indexed | β | Login username | |
| | `email` | String(120) | UNIQUE, NOT NULL, indexed | β | User email address | |
| | `password` | String(255) | NOT NULL | β | bcrypt hashed password | |
| | `is_active` | Boolean | β | `True` | Account active status | |
| | `role` | String(10) | β | `"user"` | User role (user/admin) | |
| | `created_at` | DateTime | β | `datetime.utcnow()` | Registration timestamp | |
| | `is_verified` | Boolean | β | `False` | Email verified status | |
| | `verification_code` | String(6) | nullable | `None` | Registration OTP | |
| | `reset_code` | String(6) | nullable | `None` | Password reset OTP | |
|
|
| ### 4.3 RevokedToken Model Fields |
|
|
| | Field | Type | Constraints | Default | Description | |
| |-------|------|-------------|---------|-------------| |
| | `id` | Integer | PK, auto-increment, indexed | β | Record identifier | |
| | `token` | String(512) | UNIQUE, NOT NULL, indexed | β | Full JWT string | |
| | `revoked_at` | DateTime | β | `datetime.utcnow()` | Revocation timestamp | |
| | `expires_at` | DateTime | NOT NULL | β | Token original expiry | |
|
|
| --- |
|
|
| ## 5. Security Architecture |
|
|
| ### 5.1 Authentication & Authorization Layers |
|
|
| ``` |
| βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ |
| β SECURITY LAYERS β |
| βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€ |
| β β |
| β Layer 1: Password Security β |
| β βββββββββββββββββββββββββββββββββββββββββββββββββββββββ β |
| β β bcrypt hashing (salt + hash) β β |
| β β Password strength validation (β₯8 chars, 1 letter, β β |
| β β 1 digit) β β |
| β βββββββββββββββββββββββββββββββββββββββββββββββββββββββ β |
| β β |
| β Layer 2: JWT Token Security β |
| β βββββββββββββββββββββββββββββββββββββββββββββββββββββββ β |
| β β Dual-token system (access 30min + refresh 7days) β β |
| β β Token rotation on refresh (old token revoked) β β |
| β β Token type validation (access vs refresh) β β |
| β β Revocation checking on every request β β |
| β βββββββββββββββββββββββββββββββββββββββββββββββββββββββ β |
| β β |
| β Layer 3: Email Verification β |
| β βββββββββββββββββββββββββββββββββββββββββββββββββββββββ β |
| β β OTP-based email verification β β |
| β β 6-digit numeric code β β |
| β β Must verify before login β β |
| β βββββββββββββββββββββββββββββββββββββββββββββββββββββββ β |
| β β |
| β Layer 4: Rate Limiting β |
| β βββββββββββββββββββββββββββββββββββββββββββββββββββββββ β |
| β β Global: 60 requests per 60 seconds per IP β β |
| β β HTTP 429 when exceeded β β |
| β βββββββββββββββββββββββββββββββββββββββββββββββββββββββ β |
| β β |
| β Layer 5: CORS Protection β |
| β βββββββββββββββββββββββββββββββββββββββββββββββββββββββ β |
| β β Whitelist: localhost:5173, localhost:3000 β β |
| β β Credentials allowed β β |
| β βββββββββββββββββββββββββββββββββββββββββββββββββββββββ β |
| β β |
| β Layer 6: Role-Based Access Control β |
| β βββββββββββββββββββββββββββββββββββββββββββββββββββββββ β |
| β β Admin-only endpoints (/admin/users) β β |
| β β User role checking in route handlers β β |
| β βββββββββββββββββββββββββββββββββββββββββββββββββββββββ β |
| β β |
| β Layer 7: Input Validation β |
| β βββββββββββββββββββββββββββββββββββββββββββββββββββββββ β |
| β β Pydantic schemas for all inputs β β |
| β β Email validation (EmailStr) β β |
| β β Field length constraints β β |
| β βββββββββββββββββββββββββββββββββββββββββββββββββββββββ β |
| β β |
| β Layer 8: Error Handling β |
| β βββββββββββββββββββββββββββββββββββββββββββββββββββββββ β |
| β β Generic error messages (no stack trace leak) β β |
| β β Request logging for audit trail β β |
| β βββββββββββββββββββββββββββββββββββββββββββββββββββββββ β |
| β β |
| βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ |
| ``` |
|
|
| ### 5.2 Token Lifecycle |
|
|
| ``` |
| ββββββββββββββββββββ |
| β User Login β |
| ββββββββββ¬ββββββββββ |
| β |
| ββββββββββΌββββββββββ |
| β Issue Access + β |
| β Refresh Tokens β |
| ββββββββββ¬ββββββββββ |
| β |
| ββββββββββββββββΌβββββββββββββββ |
| β β β |
| ββββββββββΌββββββββ β ββββββββββΌββββββββ |
| β Use Access β β β Use Refresh β |
| β Token (30min) β β β Token (7days) β |
| ββββββββββ¬ββββββββ β ββββββββββ¬ββββββββ |
| β β β |
| ββββββββββΌββββββββ β ββββββββββΌββββββββ |
| β Token Expires β β β Refresh Used β |
| β (401 Response) β β β (Token Rotation)β |
| ββββββββββ¬ββββββββ β ββββββββββ¬ββββββββ |
| β β β |
| ββββββββ¬ββββββββ β |
| β βββββββββΌβββββββββ |
| ββββββββΌβββββββββ β Issue New β |
| β Send Refresh β β Access+Refresh β |
| β Token to β β Pair β |
| β /auth/refresh β ββββββββββββββββββ |
| ββββββββ¬βββββββββ |
| β |
| ββββββββΌβββββββββ |
| β Old Refresh β |
| β Token Revoked β |
| β (stored in DB)β |
| βββββββββββββββββ |
| ``` |
|
|
| --- |
|
|
| ## 6. API Design |
|
|
| ### 6.1 Request/Response Schemas |
|
|
| **Register Request:** |
| ```json |
| POST /auth/register |
| { |
| "username": "string (3-50 chars)", |
| "email": "string (valid email)", |
| "password": "string (β₯8 chars, 1 letter, 1 digit)" |
| } |
| ``` |
|
|
| **Register Response:** |
| ```json |
| 200 OK |
| { |
| "message": "User registered successfully. Please verify your email." |
| } |
| ``` |
|
|
| **Login Request:** |
| ```json |
| POST /auth/login |
| Content-Type: application/x-www-form-urlencoded |
| |
| username=string&password=string |
| ``` |
|
|
| **Login Response:** |
| ```json |
| 200 OK |
| { |
| "access_token": "eyJ...", |
| "refresh_token": "eyJ...", |
| "token_type": "bearer" |
| } |
| ``` |
|
|
| **Refresh Request:** |
| ```json |
| POST /auth/refresh |
| { |
| "refresh_token": "eyJ..." |
| } |
| ``` |
|
|
| **Refresh Response:** |
| ```json |
| 200 OK |
| { |
| "access_token": "eyJ...", |
| "refresh_token": "eyJ..." |
| } |
| ``` |
|
|
| ### 6.2 Error Response Format |
|
|
| ```json |
| 401 Unauthorized |
| { |
| "detail": "Invalid authentication credentials" |
| } |
| |
| 422 Validation Error |
| { |
| "detail": [ |
| { |
| "loc": ["body", "password"], |
| "msg": "Password must be at least 8 characters with at least one letter and one digit", |
| "type": "value_error" |
| } |
| ] |
| } |
| |
| 429 Too Many Requests |
| { |
| "detail": "Too many requests. Please try again later." |
| } |
| ``` |
|
|
| --- |
|
|
| ## 7. SMTP Email System |
|
|
| ### 7.1 Email Flow |
|
|
| ``` |
| ββββββββββββββββ ββββββββββββββββ ββββββββββββββββ |
| β Route β β Auth β β SMTP β |
| β Handler ββββββΆβ Service ββββββΆβ Server β |
| β β β β β β |
| β send_email()β β smtplib β β Gmail β |
| β called β β STARTTLS β β Port 587 β |
| ββββββββββββββββ ββββββββββββββββ ββββββββββββββββ |
| β |
| β (if SMTP not configured or fails) |
| βΌ |
| ββββββββββββββββ |
| β Console β |
| β Fallback β |
| β (print OTP) β |
| ββββββββββββββββ |
| ``` |
|
|
| ### 7.2 SMTP Configuration |
|
|
| | Setting | Value | Purpose | |
| |---------|-------|---------| |
| | Server | `smtp.gmail.com` | Gmail SMTP server | |
| | Port | `587` | STARTTLS encryption | |
| | Protocol | STARTTLS | Upgrades plain connection to TLS | |
| | Auth | Username + App Password | Gmail-specific authentication | |
|
|
| ### 7.3 Email Templates Sent |
|
|
| **Email Verification:** |
| ``` |
| Subject: Verify your email - Auth System |
| |
| Hello {username}, |
| |
| Your verification code is: {otp_code} |
| |
| This code will expire in 10 minutes. |
| |
| If you did not register, please ignore this email. |
| ``` |
|
|
| **Password Reset:** |
| ``` |
| Subject: Password Reset Request - Auth System |
| |
| Hello {username}, |
| |
| Your password reset code is: {otp_code} |
| |
| This code will expire in 10 minutes. |
| |
| If you did not request this, please ignore this email. |
| ``` |
|
|
| --- |
|
|
| ## 8. Frontend State Management |
|
|
| ### 8.1 AuthContext Flow |
|
|
| ``` |
| βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ |
| β AuthContext β |
| βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€ |
| β β |
| β State: β |
| β βββββββββββββββββββββββββββββββββββββββββββββββββββββββ β |
| β β user: null | { id, username, email, role, ... } β β |
| β βββββββββββββββββββββββββββββββββββββββββββββββββββββββ β |
| β β |
| β Methods: β |
| β βββββββββββββββββββββββββββββββββββββββββββββββββββββββ β |
| β β login(username, password) β β |
| β β β POST /auth/login β β |
| β β β Store tokens in sessionStorage β β |
| β β β Fetch user profile β β |
| β β β β |
| β β logout() β β |
| β β β POST /auth/logout β β |
| β β β Clear sessionStorage β β |
| β β β Set user = null β β |
| β βββββββββββββββββββββββββββββββββββββββββββββββββββββββ β |
| β β |
| β Initialization (on mount): β |
| β βββββββββββββββββββββββββββββββββββββββββββββββββββββββ β |
| β β 1. Check sessionStorage for access_token β β |
| β β 2. If exists β GET /me to validate β β |
| β β 3. If valid β set user state β β |
| β β 4. If invalid β clear session, set user = null β β |
| β βββββββββββββββββββββββββββββββββββββββββββββββββββββββ β |
| β β |
| βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ |
| ``` |
|
|
| ### 8.2 Axios Interceptor Chain |
|
|
| ``` |
| Request Flow: |
| ββββββββββββ ββββββββββββββββ ββββββββββββββββ ββββββββββββ |
| β API βββββΆβ Request βββββΆβ Server βββββΆβ Response β |
| β Call β β Interceptor β β β β β |
| ββββββββββββ ββββββββββββββββ ββββββββββββββββ ββββββ¬ββββββ |
| β β |
| β Attach Bearer token β |
| β from sessionStorage β |
| β |
| βββββββββββββββΌβββββββββββ |
| β Response Interceptor β |
| βββββββββββββββ¬βββββββββββ |
| β |
| βββββββββββββββΌβββββββββββ |
| β If 401: β |
| β 1. POST /auth/refresh β |
| β 2. Update tokens β |
| β 3. Retry request β |
| β 4. If fail β /login β |
| ββββββββββββββββββββββββββ |
| ``` |
|
|
| --- |
|
|
| ## 9. Deployment Architecture |
|
|
| ### 9.1 Development Setup |
|
|
| ``` |
| βββββββββββββββββββββββββββββββββββββββββββββββββββ |
| β Development Environment β |
| βββββββββββββββββββββββββββββββββββββββββββββββββββ€ |
| β β |
| β Terminal 1: Backend β |
| β $ cd backend β |
| β $ source .venv/bin/activate β |
| β $ uvicorn main:app --reload --port 8000 β |
| β β |
| β Terminal 2: Frontend β |
| β $ cd frontend β |
| β $ npm run dev β |
| β β Vite dev server on http://localhost:5173 β |
| β β |
| β Database: SQLite (auto-created) β |
| β Email: Console fallback (no SMTP needed) β |
| β β |
| βββββββββββββββββββββββββββββββββββββββββββββββββββ |
| ``` |
|
|
| ### 9.2 Production Recommendations |
|
|
| ``` |
| βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ |
| β Production Architecture β |
| βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€ |
| β β |
| β βββββββββββββββ βββββββββββββββ βββββββββββββββββββββββ β |
| β β Nginx βββββΆβ Uvicorn βββββΆβ PostgreSQL β β |
| β β (Reverse β β (Gunicorn β β (or MySQL) β β |
| β β Proxy) β β Workers) β β β β |
| β β Port 443 β β Port 8000 β β Port 5432 β β |
| β β HTTPS β β β β β β |
| β βββββββββββββββ βββββββββββββββ βββββββββββββββββββββββ β |
| β β β β |
| β β βββββββββββββββ β β |
| β β β Redis β β β |
| β β β (Cache + βββββββββββββββ€ β |
| β β β Rate β β β |
| β β β Limiting) β β β |
| β β βββββββββββββββ β β |
| β β β β |
| β β βββββββββββββββ β β |
| β βββββββββββββΆβ Static β β β |
| β β Files β β β |
| β β (React β β β |
| β β Build) β β β |
| β βββββββββββββββ β β |
| β β β |
| βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ |
| ``` |
|
|
| --- |
|
|
| ## 10. Environment Configuration |
|
|
| | Variable | Development | Production | Purpose | |
| |----------|-------------|------------|---------| |
| | `SECRET_KEY` | `super_secret_dev_key...` | Strong random 256-bit key | JWT signing | |
| | `ALGORITHM` | `HS256` | `HS256` or `RS256` | JWT algorithm | |
| | `ACCESS_TOKEN_EXPIRE_MINUTES` | `30` | `15` | Shorter in prod | |
| | `REFRESH_TOKEN_EXPIRE_DAYS` | `7` | `7` | Refresh token TTL | |
| | `DATABASE_URL` | `sqlite:///./users.db` | `postgresql://...` | Database | |
| | `SMTP_SERVER` | `smtp.gmail.com` | `smtp.gmail.com` | Email server | |
| | `SMTP_PORT` | `587` | `587` | Email port | |
| | `SMTP_USER` | `user@gmail.com` | `noreply@domain.com` | Email sender | |
| | `SMTP_PASSWORD` | `app_password` | `app_password` | Email auth | |
|
|
| --- |
|
|
| ## 11. Future Improvements |
|
|
| ### High Priority |
| - [ ] Add `.gitignore` (exclude `.env`, `users.db`, `__pycache__`, `node_modules`) |
| - [ ] Use `secrets` module for OTP generation (cryptographic randomness) |
| - [ ] Add per-account brute-force lockout (e.g., 5 failed attempts β 15min lock) |
| - [ ] Move to PostgreSQL for production use |
|
|
| ### Medium Priority |
| - [ ] Add Docker + docker-compose for containerized deployment |
| - [ ] Implement email rate limiting (prevent OTP spam) |
| - [ ] Add CSRF protection |
| - [ ] Add comprehensive unit and integration tests |
| - [ ] Implement account deletion with cascade (revoke all tokens) |
|
|
| ### Low Priority |
| - [ ] Add OAuth2 social login (Google, GitHub) |
| - [ ] Implement 2FA (TOTP-based) |
| - [ ] Add admin dashboard for user management |
| - [ ] Implement audit logging |
| - [ ] Add API versioning (v1/, v2/) |
|
|