This FastAPI application provides authentication and pollution data retrieval services through a set of secure endpoints. Users can authenticate, manage their account, and fetch pollution data for different countries and years.
- Endpoints
- Useage Instructions
- Security
- Testing
- Installation via Github Container Registry
- Deployment and Workflow Setup
- Branching Strategy
-
POST
/auth/token- Description: This endpoint allows users to log in by providing a username and password. On successful login, it returns a JWT token that must be used to authenticate subsequent requests.
- Request Body:
grant_type: passwordusername: stringpassword: string
- Response: JWT token for authenticating further requests.
- Authentication Required: No
-
GET
/auth/me- Description: Fetch details about the currently authenticated user.
- Response: Information about the authenticated user, including username and authentication details.
- Authentication Required: Yes (JWT Token)
-
POST
/auth/register- Description: Register a new user by providing a username and password.
- Request Body:
username: stringpassword: string
- Response: Confirmation of successful registration.
- Authentication Required: No
-
POST
/auth/2fa/enable- Description: Enables two-factor authentication (2FA) for the currently authenticated user. This endpoint generates and displays a QR code for an authentication app (like Google Authenticator).
- Response: QR Code.
- Authentication Required: Yes (JWT Token)
-
POST
/auth/2fa/verify- Description: Verifies the 2FA code provided by the user during the login process.
- Request Body:
2fa_code: string (code generated by the 2FA app)
- Response: Confirmation of 2FA verification.
- Authentication Required: Yes (JWT Token)
- GET
/pollution_data/get- Description: Fetches pollution data for a specific country and year. The user must be authenticated to access this endpoint.
- Query Parameters:
country: string (Country name)year: integer (Year)
- Response: JSON data containing pollution metrics for the specified country and year.
- Authentication Required: Yes (JWT Token)
- User Registration
If not already done, use the endpoint /auth/register to create a new user.
- Authenticate with FastAPI
As most calls within the API require a JWT Token, authenticate with FastAPI by interacting with the Oauth-Flow (Green Button on the top-right of the page) to generate an Access Token. Client ID and Client Secret are not required for this application.
- Fetch Air Pollution Data
Once authenticated, the endpoint /pollution_data/get can be used to fetch air pollution data. Keep in mind, that data is only availble between 2010 and 2021 and not all countries have data for every year. If that is the case an error message will be displayed instead of the regular response indicating that there is no data for the selected year or country.
Example calls:
- country: Australia, year: 2014
- country: United States, year: 2011
- country: Uruguay, year: 2018
This application implements several layers of security to protect user data and ensure secure access to the endpoints:
-
JWT Authentication:
- All endpoints (except
/auth/registerand/auth/token) require the user to be authenticated using a valid JWT token. This token is generated upon successful submission of the /auth/token-request and must be included in theAuthorizationheader of subsequent requests in the formatBearer <token>.
Within FastAPI this token can also be generated by interacting with the OAuth-UI.
- All endpoints (except
-
Password Protection:
- User passwords are securely hashed and stored to prevent unauthorized access. Plaintext passwords are never stored or transmitted. The secret-key used for hashing is stored in a .env-file for this demo application and is part of the built docker image. For production use and in general, there are better options such as providing the secret-key as github secret or docker build argument.
-
Two-Factor Authentication (2FA):
- For additional security, users can enable two-factor authentication (2FA). Once enabled, users will be required to provide a 2FA code (from an authenticator app) in addition to their username and password during login. For the current version, this feature is disabled.
-
HTTPS:
- The application should be deployed behind an HTTPS-enabled server to encrypt all communication between the client and the server, ensuring sensitive data like passwords and tokens are protected in transit. For the purpose of this demo, this feature is not enabled.
-
Client Id & Client Secret (Optional):
- The application can optionally use a client_id and client_secret to authorize and authenticate API clients. This ensures only authorized applications can access the API and helps with tracking usage and applying rate limiting to mitigate brute-force attacks or prevent abuse of authentication endpoints.
This application includes automated tests using FastAPI's TestClient. Below are the tests that are performed:
Tests verify that fastAPI runs as expected and a 200 response is returned.
Tests check if the response content includes the expected data, verifying the data for selected countries.
Tests ensure proper error handling by verifying that the correct error messages and status codes are returned when invalid data are supplied.
The HVV Air Pollution API can be pulled from the GitHub Container Registry and run using Docker. Follow the steps below:
-
Authenticate Docker with the GitHub Container Registry
docker login ghcr.io
Use your Github-Username and a personal access token (PAT). The access token needs the following scopes:
- repos
- workflows
- write_packages
An access token can be created by navigating to the User Settings:
Settings→Developer settings→Personal Access Tokens→Tokens (classic) -
Pull the image from GitHub Container Registry
docker pull ghcr.io/<your-repo/<your-containername>:latest
-
Run the container
sudo docker run -d --name hvv-api -p 80:7555 ghcr.io/<your-repo/<your-containername>:latest
-
Access the API
The api can be accessed under http://localhost/docs. If accessing the page is not possible, make sure that port 80 and 7555 are open. It might also be necessary to change the port mapping in the docker run statement.
This section outlines the steps to unzip a GitHub repository, create a new GitHub repository, clone it, run the Docker container, and push changes to trigger a GitHub Actions workflow.
-
On Linux/Unix, use the following command to unzip the files:
unzip <repository-name>.zip cd <repository-name>
On Windows, just unzip the files in the explorer.
-
Create a new GitHub Repository
Create a new repository on github.com. In preparation for adding the workflow to build the docker container, add a Personal Access Token (PAT) as Secret under
Settings→Secrets and Variables→Actionsnamed GHCR_TOKEN. The GHCR_TOKEN needs to have the following scopes:- repos
- workflows
- write_packages
-
Create the local repository
Create the local repository and push your code to the dev-branch using the following code:
git init git add . git commit -m "Initial commit" git remote add origin https://github.com/<username>/<repository-name>.git git push -u origin dev
To build and run the docker container using the dockerfile and compose.yaml within the repository, follow these steps:
- Build the docker image
docker compose build [--no-cache]
- Start the docker image
docker compose up [-d]
Purpose: Serves as the primary line for the project, from which releases are generated.
Process:
The main branch should always be deployable and contains the most stable code. All changes to the main branch must be submitted via Pull Requests (PRs), which must be reviewed by at least two other team member.
Purpose: Serves as the primary developement line for the project, from which the main branch is updated.
Process:
All changes to the dev branch must be submitted via Pull Requests (PRs), which must be reviewed by at least two other team member.
Purpose: A separate branch for each new feature or client requirement.
Process:
Each new feature or client project receives its own branch, e.g., feature/new-reporting-module. The branch name should clearly describe the feature or project for easy identification. Once completed, the feature branch is merged into the main branch via a PR. The PR must pass code reviews and all automated tests.
Purpose: Quick fixes for critical bugs in the main branch.
Process:
Hotfixes are developed on a separate branch, e.g., hotfix/critical-database-fix. Once completed, the hotfix is merged into the main branch and simultaneously into the current development branch to avoid regressions.
Goal: Ensure that the new code is error-free and consistent with the existing project code.
All commits must be made to a non-protected branch and submitted through a pull request before being merged into a protected branch. Pull requests targeting a protected branch require two approvals and no pending change requests to proceed with the merge. This rule applies to the dev branch.
Only users with bypass permissions are authorized to create or delete branches. This rule applies to both the main and dev branches.
Only users with bypass permissions are authorized to create or delete tags. Applied to main and dev branch.
Prevent commits that make changes to specified files in the main and dev branches from being pushed to the commit history. Applied to main and dev branch.