Forem: Lee Yi Jie Joel

Integrating FastAPI with Supabase Auth

Lee Yi Jie Joel — Sun, 05 Mar 2023 16:06:23 +0000

Why this article and what we'll cover

In this article we'll go over the basics of how to implement login and logout functionality using Supabase Auth. We'll also go over how to guard routes so that only signed in users can access protected routes.

What is Supabase Auth

Supabase is a JSON Web Token based Auth service - it takes in the credentials of a user (for instance email and password) and returns a token that is used to securely transit information between parties. Other services can then make use of this token to know more about the user. For example, we can determine the user's role as well as the authentication methods that they have used to sign in.

Creating a sign up route

If integrating with Supabase Auth, one would simply need to wrap the client library in a route in order to get sign in, sign up, and sign out functionality. Here's an example:

Initialise a client in a centralised file

import os
from supabase import create_client, Client

url: str = os.environ.get("SUPABASE_URL")
key: str = os.environ.get("SUPABASE_KEY")
supa: Client = create_client(url, key)

Import the client into your application logic:

from .supabase import supa

@app.get("/sign_up")
def sign_up():
  res = supa.auth.sign_up(email="testsupa@gmail.com",
                          password="testsupabasenow")
  return res.get("access_token")

@app.get("/sign_out")
def sign_out():
  supa = init_supabase()
  res = supa.auth.sign_out()
  return "success"

@app.get("/sign_in")
def sign_in():
  supa = init_supabase()
  res = supa.auth.sign_in_with_password({"email":"testsupa@gmail.com", "password": "testsupabasenow"})
  return res.get("access_token")

To protect a route, there are two main options:

We can write a middleware function to validate the incoming JWT
We can use an extended version of the default FastAPI HTTPBearer together with Dependency Injection to validate the route

We're going to go with the second option as it is slightly less verbose.

Let's extend the built in HTTP Bearer class to decode and validate the JWT. We can do so by making use of a jwt library like python-jose or PyJWT. We'll also need the Supabase JWT secret which is under Settings > Auth at time of writing.

JWT Bearer class

Let's extend the built in JWT Bearer - below is a snippet taken from TestDriven.io's blog which performs a verification of the JWT to ensure that credentials are valid.

class JWTBearer(HTTPBearer):
    def __init__(self, auto_error: bool = True):
        super(JWTBearer, self).__init__(auto_error=auto_error)

    async def __call__(self, request: Request):
        credentials: HTTPAuthorizationCredentials = await super(JWTBearer, self).__call__(request)
        if credentials:
            if not credentials.scheme == "Bearer":
                raise HTTPException(status_code=403, detail="Invalid authentication scheme.")
            if not self.verify_jwt(credentials.credentials):
                raise HTTPException(status_code=403, detail="Invalid token or expired token.")
            return credentials.credentials
        else:
            raise HTTPException(status_code=403, detail="Invalid authorization code.")

    def verify_jwt(self, jwtoken: str) -> bool:
        isTokenValid: bool = False

        try:
            payload = decodeJWT(jwtoken)
        except:
            payload = None
        if payload:
            isTokenValid = True
        return isTokenValid

In order to protect the route, we can import the extended HTTP Bearer class and use the dependencies, option in FastAPI to protect the route.

Here's what it would look like:

from auth import JWTBearer
@app.post('/my-protected-route/',dependencies=[Depends(JWTBearer())], response_model=SchemaJob)
async def job(job: SchemaJob):
    ...
    # Some work here

Voila, you have a protected route.With this protection, requests to protected routes will raise an error if the Authorization Bearer: <jwt-token> header is not included.

It is also possible to extend this implementation by implementing custom checks based on claims or roles in def __call__ of the JWTBearer class above. For more information on JWTs, you may wish to check out the Supabase website Auth section for a deeper look into how JWTs function.

Here's the sample repo. Please feel free to leave any questions in the comments below.

The example code draws reference from:

Setting up FastAPI with SupabaseDB

Lee Yi Jie Joel — Tue, 10 Jan 2023 13:35:24 +0000

What is Supabase?

Supabase is an open source Firebase alternative. It comes with a Postgres database, Authentication, instant APIs, Edge Functions, Realtime subscriptions, and Storage.

What is FastAPI?

FastAPI is a modern, fast (high-performance), web framework for building APIs with Python. It's commonly used to rapidly get an API up and running

Here we demonstrate how to make use of Supabase as a Postgres Database and connect it to FastAPI so that we can manage migrations. We will make use of Alembic as a migrations versioning tool. This example also heavily draws reference from the example provided by FastAPI

Setup

Let's first set up a virtual environment and install some dependencies

virtualenv .env
pip3 install supabase fastapi psycopg2 alembic

Create Base Files

In the supafast directory, create the core files by running
touch app.py __init__.py database.py models.py schema.py
the key point to note is that models.py contains pydantic models while schema.py contains the database models which are used to generate the database schema.

Populating the models and schema file

Here, we create a users model and schema model so that we can create a users table in the database. The working of both files are best explained by FastAPI's fantastic tutorial so please refer there instead.

Configure Database URL

Head to SQLALCHEMY_DATABASE_URL and change the URL to what's found on your Supabase Dashboard (Screenshot of what it looks like at time of writing)

Run alembic init migrations to generate a migrations folder containing all alembic migrations.

Linking Database models to Alembic

We need to let Alembic view the FastAPI database models we defined in models.py. In this case we only have a User model so let's import that in out migrations/env.py file by adding

from supafast.models import User

in migrations/env.py

Generating and applying the migrations

From here, we can go ahead and generate an initial migration by running

alembic revision --autogenerate -m "generate initial migration"

This should create a new version of the migration under migrations/versions/

We can then run alembic upgrade head to apply the migration changes to Supabase DB. Thereafter, we should be able to see the newly created table in the table editor.

Conclusion

You can find the final state of the source code in this Github repository. If you prefer a video form of this tutorial you can view the video

For a comprehensive overview of Authentication, Functions, Storage and other items in the Supabase Python SDK, you can also check out the Supabase Python Crash Course kindly put together by Patrick.

If you have any questions, feel free to leave them in the comments below.

References:
[1] https://fastapi.tiangolo.com/tutorial/