🔨 update: oauth for svelte

Author: Zerohertz

app/api/v1/endpoints/auth.py

@@ -1,17 +1,20 @@
+import secrets
 from typing import Annotated
 
 from dependency_injector.wiring import Provide, inject
-from fastapi import Depends, Form, status
-from fastapi.responses import ORJSONResponse
+from fastapi import Depends, Form, Request, status
+from fastapi.responses import ORJSONResponse, RedirectResponse
 
 from app.core.auth import (
     GitHubOAuthDeps,
     GoogleOAuthDeps,
     PasswordOAuthDeps,
     UserAuthDeps,
 )
+from app.core.configs import configs, oauth_endpoints
 from app.core.container import Container
 from app.core.router import CoreAPIRouter
+from app.exceptions.auth import GitHubOAuthFailed
 from app.schemas.auth import (
     GitHubOAuthRequest,
     GoogleOAuthRequest,
@@ -44,7 +47,7 @@ async def refresh(
 
 
 @router.post(
-    "/register/password",
+    "/password/register",
     response_model=UserResponse,
     response_class=ORJSONResponse,
     status_code=status.HTTP_201_CREATED,
@@ -61,7 +64,7 @@ async def register_password(
 
 
 @router.post(
-    "/token/password",
+    "/password/token",
     response_model=JwtToken,
     response_class=ORJSONResponse,
     status_code=status.HTTP_200_OK,
@@ -78,8 +81,69 @@ async def token_password(
     return await service.token_password(schema=request)
 
 
+@router.get(
+    "/google/login",
+    response_model=None,
+    response_class=RedirectResponse,
+    status_code=status.HTTP_307_TEMPORARY_REDIRECT,
+    summary="",
+    description="",
+)
+async def log_in_google():
+    state = secrets.token_urlsafe(nbytes=configs.TOKEN_URLSAFE_NBYTES)
+    response = RedirectResponse(
+        url="https://accounts.google.com/o/oauth2/v2/auth?"
+        f"client_id={configs.GOOGLE_OAUTH_CLIENT_ID}"
+        "&response_type=code"
+        f"&redirect_uri={configs.BACKEND_URL}{oauth_endpoints.GOOGLE_CALLBACK}"
+        f"&state={state}"
+        "&scope=email profile",
+        status_code=status.HTTP_307_TEMPORARY_REDIRECT,
+    )
+    response.set_cookie(key="oauth_google_state", value=state, httponly=True)
+    return response
+
+
+@router.get(
+    "/google/callback",
+    response_model=JwtToken,
+    response_class=RedirectResponse,
+    status_code=status.HTTP_302_FOUND,
+    summary="Obtain an access token via Google OAuth",
+    description="- Authenticate using Google OAuth and receive an access token.<br/>\n"
+    "- The client must provide an authorization code obtained from Google.",
+)
+@inject
+async def callback_google(
+    code: str,
+    state: str,
+    request: Request,
+    service: AuthService = Depends(Provide[Container.auth_service]),
+):
+    # NOTE: /?code=***&state=***
+    # /?state=***&code=***&scope=***&authuser=***&prompt=***
+
+    if state != request.cookies.get("oauth_google_state"):
+        raise GitHubOAuthFailed
+    jwt_token = await service.token_google(
+        GoogleOAuthRequest(
+            grant_type="authorization_code",
+            code=code,
+            redirect_uri=f"{configs.BACKEND_URL}{oauth_endpoints.GOOGLE_CALLBACK}",
+        )
+    )
+    return RedirectResponse(
+        url=f"{configs.FRONTEND_URL}/login"
+        f"?access_token={jwt_token.access_token}"
+        f"&refresh_token={jwt_token.refresh_token}"
+        f"&token_type={jwt_token.token_type}"
+        f"&expires_in={jwt_token.expires_in}",
+        status_code=status.HTTP_302_FOUND,
+    )
+
+
 @router.post(
-    "/token/google",
+    "/google/token",
     response_model=JwtToken,
     response_class=ORJSONResponse,
     status_code=status.HTTP_200_OK,
@@ -95,8 +159,64 @@ async def token_google(
     return await service.token_google(request)
 
 
+@router.get(
+    "/github/login",
+    response_model=None,
+    response_class=RedirectResponse,
+    status_code=status.HTTP_307_TEMPORARY_REDIRECT,
+    summary="",
+    description="",
+)
+async def log_in_github():
+    state = secrets.token_urlsafe(nbytes=configs.TOKEN_URLSAFE_NBYTES)
+    response = RedirectResponse(
+        url="https://github.com/login/oauth/authorize?"
+        f"client_id={configs.GITHUB_OAUTH_CLIENT_ID}"
+        "&response_type=code"
+        f"&redirect_uri={configs.BACKEND_URL}{oauth_endpoints.GITHUB_CALLBACK}"
+        f"&state={state}",
+        status_code=status.HTTP_307_TEMPORARY_REDIRECT,
+    )
+    response.set_cookie(key="oauth_github_state", value=state, httponly=True)
+    return response
+
+
+@router.get(
+    "/github/callback",
+    response_model=JwtToken,
+    response_class=RedirectResponse,
+    status_code=status.HTTP_302_FOUND,
+    summary="Obtain an access token via GitHub OAuth",
+    description="- Authenticate using GitHub OAuth and receive an access token.<br/>\n"
+    "- The client must provide an authorization code obtained from GitHub.",
+)
+@inject
+async def callback_github(
+    code: str,
+    state: str,
+    request: Request,
+    service: AuthService = Depends(Provide[Container.auth_service]),
+):
+    # NOTE: /?code=***&state=***
+    if state != request.cookies.get("oauth_github_state"):
+        raise GitHubOAuthFailed
+    jwt_token = await service.token_github(
+        GitHubOAuthRequest(
+            grant_type="authorization_code", code=code, redirect_uri=configs.BACKEND_URL
+        )
+    )
+    return RedirectResponse(
+        url=f"{configs.FRONTEND_URL}/login"
+        f"?access_token={jwt_token.access_token}"
+        f"&refresh_token={jwt_token.refresh_token}"
+        f"&token_type={jwt_token.token_type}"
+        f"&expires_in={jwt_token.expires_in}",
+        status_code=status.HTTP_302_FOUND,
+    )
+
+
 @router.post(
-    "/token/github",
+    "/github/token",
     response_model=JwtToken,
     response_class=ORJSONResponse,
     status_code=status.HTTP_200_OK,

app/core/auth.py

@@ -67,13 +67,13 @@ async def get_admin_user(user: Annotated[UserOut, UserAuthDeps]) -> UserOut:
 
 PasswordOAuthDeps = Depends(
     OAuth2PasswordBearer(
-        tokenUrl=oauth_endpoints.PASSWORD, scheme_name="Password OAuth"
+        tokenUrl=oauth_endpoints.PASSWORD_TOKEN, scheme_name="Password OAuth"
     )
 )
 GoogleOAuthDeps = Depends(
     OAuth2AuthorizationCodeBearer(
         authorizationUrl=f"https://accounts.google.com/o/oauth2/v2/auth?client_id={configs.GOOGLE_OAUTH_CLIENT_ID}",
-        tokenUrl=oauth_endpoints.GOOGLE,
+        tokenUrl=oauth_endpoints.GOOGLE_TOKEN,
         refreshUrl=None,
         scheme_name="Google OAuth",
         scopes={
@@ -85,7 +85,7 @@ async def get_admin_user(user: Annotated[UserOut, UserAuthDeps]) -> UserOut:
 GitHubOAuthDeps = Depends(
     OAuth2AuthorizationCodeBearer(
         authorizationUrl=f"https://github.com/login/oauth/authorize?client_id={configs.GITHUB_OAUTH_CLIENT_ID}",
-        tokenUrl=oauth_endpoints.GITHUB,
+        tokenUrl=oauth_endpoints.GITHUB_TOKEN,
         # NOTE: https://github.com/Zerohertz/fastapi-cookbook/issues/33#issuecomment-2627994536
         refreshUrl=None,
         scheme_name="GitHub OAuth",

app/core/configs.py

@@ -19,6 +19,8 @@ class Configs(BaseSettings):
     PROJECT_NAME: str
     DESCRIPTION: str
     VERSION: str
+    BACKEND_URL: str
+    FRONTEND_URL: str
     PREFIX: str
     TZ: str = "Asia/Seoul"
 
@@ -47,6 +49,8 @@ def allow_origins(cls, value: str) -> List[str]:
     JWT_SECRET_KEY: str
     JWT_ALGORITHM: str
 
+    TOKEN_URLSAFE_NBYTES: int = 128
+
     ADMIN_NAME: str
     ADMIN_EMAIL: str
     ADMIN_PASSWORD: str
@@ -85,9 +89,12 @@ def DATABASE_URI(self) -> str:
 
 
 class OAuthEndpoints(BaseSettings):
-    PASSWORD: str = f"{configs.PREFIX}/v1/auth/token/password"
-    GOOGLE: str = f"{configs.PREFIX}/v1/auth/token/google"
-    GITHUB: str = f"{configs.PREFIX}/v1/auth/token/github"
+    PASSWORD_TOKEN: str = f"{configs.PREFIX}/v1/auth/password/token"
+    GOOGLE_TOKEN: str = f"{configs.PREFIX}/v1/auth/google/token"
+    GITHUB_TOKEN: str = f"{configs.PREFIX}/v1/auth/github/token"
+
+    GOOGLE_CALLBACK: str = f"{configs.PREFIX}/v1/auth/google/callback"
+    GITHUB_CALLBACK: str = f"{configs.PREFIX}/v1/auth/github/callback"
 
 
 oauth_endpoints = OAuthEndpoints()

app/exceptions/handlers.py

@@ -21,7 +21,7 @@ async def global_exception_handler(request: Request, exc: Exception) -> ORJSONRe
 async def core_exception_handler(
     request: Request, exc: CoreException  # pylint: disable=unused-argument
 ) -> ORJSONResponse:
-    logger.error(exc)
+    logger.exception(exc)
     return ORJSONResponse(
         content=APIResponse.error(status=exc.status, message=repr(exc)).model_dump(
             mode="json"

app/tests/api/v1/test_auth.py

@@ -37,7 +37,7 @@ def __init__(
 
     def register(self) -> None:
         response = self.client.post(
-            f"{configs.PREFIX}/v1/auth/register/password",
+            f"{configs.PREFIX}/v1/auth/password/register",
             headers=self.headers,
             data=self.request.model_dump(),
         )
@@ -50,7 +50,7 @@ def register(self) -> None:
     def log_in(self) -> str:
         request = PasswordOAuthRequest.model_validate(self.request.model_dump())
         response = self.client.post(
-            f"{configs.PREFIX}/v1/auth/token/password",
+            f"{configs.PREFIX}/v1/auth/password/token",
             headers=self.headers,
             data=request.model_dump(),
         )
@@ -93,7 +93,7 @@ def test_register_and_log_in(sync_client: TestClient):
         mock_user, access_token = register_and_log_in(sync_client)
         mock_user.get_me(access_token)
     response = sync_client.post(
-        f"{configs.PREFIX}/v1/auth/register/password",
+        f"{configs.PREFIX}/v1/auth/password/register",
         headers=mock_user.headers,
         data=mock_user.request.model_dump(),
     )

envs/test.env

@@ -2,6 +2,8 @@ PORT="8000"
 
 PROJECT_NAME="Zerohertz's FastAPI Cookbook (test)"
 VERSION="v0.1.4"
+BACKEND_URL=""
+FRONTEND_URL=""
 PREFIX="/api"
 TZ="Asia/Seoul"
 
@@ -21,6 +23,7 @@ GITHUB_OAUTH_CLIENT_ID=""
 GITHUB_OAUTH_CLIENT_SECRET=""
 JWT_SECRET_KEY="fastapi"
 JWT_ALGORITHM="HS256"
+TOKEN_URLSAFE_NBYTES=128
 ADMIN_NAME="PyTest"
 ADMIN_EMAIL="[email protected]"
 ADMIN_PASSWORD="PyTest98!@"

k8s/postgresql/configmap.yaml

@@ -7,6 +7,8 @@ data:
     PORT="8000"
     PROJECT_NAME="Zerohertz's FastAPI Cookbook (dev)"
     VERSION="v0.1.4"
+    BACKEND_URL="https://dev.zerohertz.xyz"
+    FRONTEND_URL="http://localhost:5173"
     PREFIX="/api"
     TZ="Asia/Seoul"
     DB_ECHO=true
@@ -16,6 +18,8 @@ data:
     PORT="8000"
     PROJECT_NAME="Zerohertz's FastAPI Cookbook (prod)"
     VERSION="v0.1.4"
+    BACKEND_URL="https://api.zerohertz.xyz"
+    FRONTEND_URL="https://zerohertz.vercel.app"
     PREFIX=""
     TZ="Asia/Seoul"
     DB_ECHO=false