bryanb
/
Big-Link-Man
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Big-Link-Man/docs/stories/story-1.4-api-foundation.md

11 KiB
Raw Blame History

Story 1.4: Internal API Foundation - COMPLETED

Overview

Implemented a secure REST API foundation with FastAPI, including HTTP Basic Authentication, role-based access control, and comprehensive test coverage.

Story Details

As a developer, I want to create a basic, secured REST API endpoint, so that the foundation for inter-service communication is established.

Acceptance Criteria - ALL MET

1. Basic REST API Created

Status: COMPLETE

A FastAPI application is created within the src/api module:

  • Location: src/api/main.py
  • Framework: FastAPI v0.104.1
  • Automatic OpenAPI documentation at /docs and /openapi.json
  • Clean separation of concerns with modular structure

2. Health Check Endpoint

Status: COMPLETE

A simple health check endpoint is available:

  • Endpoint: GET /health
  • Returns: {"status": "healthy", "message": "API is running"}
  • Status Code: 200 OK
  • No authentication required (public endpoint)
  • Useful for monitoring and deployment health checks

3. API Endpoints Require Authentication

Status: COMPLETE

All API endpoints (except public /health) require authentication:

  • Authentication Method: HTTP Basic Authentication
  • Credentials validated against database
  • Password verification using bcrypt
  • Returns 401 Unauthorized for invalid credentials
  • WWW-Authenticate header included in 401 responses

4. API Designed for Extensibility

Status: COMPLETE

The API is designed with future growth in mind:

  • Versioned endpoints (/api/v1/...)
  • Modular structure (main.py, routes.py, schemas.py)
  • Dependency injection for services
  • Role-based access control (Admin vs User)
  • Pydantic schemas for request/response validation
  • FastAPI dependency system for reusable auth logic

Implementation Details

Files Created/Modified

1. src/api/main.py - NEW

class FastAPI application with authentication dependencies:
- app: FastAPI application instance
- security: HTTPBasic security scheme
- get_auth_service() -> AuthService: Dependency for auth service
- get_current_user() -> User: Dependency for authenticated endpoints
- get_current_admin_user() -> User: Dependency for admin-only endpoints

Key Features:

  • HTTP Basic Authentication using FastAPI security
  • Dependency injection for authentication
  • Clean separation between regular and admin authentication
  • Proper error handling with appropriate HTTP status codes

2. src/api/routes.py - NEW

API endpoint definitions:
Public Endpoints:
- GET /health: Health check endpoint

Authenticated Endpoints:
- GET /api/v1/me: Get current user information

Admin-Only Endpoints:
- GET /api/v1/admin/status: Admin status check

Endpoint Features:

  • Full OpenAPI documentation
  • Pydantic response models
  • Proper HTTP status codes
  • Security requirements documented
  • Tag-based organization

3. src/api/schemas.py - NEW

Pydantic models for API validation:
- LoginRequest: Login credentials
- UserResponse: User information response
- LoginResponse: Successful login response
- ErrorResponse: Error message response
- HealthResponse: Health check response

Schema Features:

  • Field validation using Pydantic
  • from_attributes configuration for ORM compatibility
  • Detailed field descriptions
  • Type safety

4. src/api/__init__.py - UPDATED

  • Exports app instance
  • Imports routes to register them
  • Includes documentation on running the API

5. requirements.txt - UPDATED

  • Added httpx==0.25.2 for FastAPI TestClient support

Endpoints

Public Endpoints

GET /health

  • No authentication required
  • Returns health status
  • Response: {"status": "healthy", "message": "API is running"}
  • Use case: Load balancer health checks, monitoring

Authenticated Endpoints

GET /api/v1/me

  • Requires: HTTP Basic Authentication
  • Returns: Current user information (id, username, role)
  • Status: 200 OK on success, 401 on auth failure
  • Use case: Get information about authenticated user

Admin-Only Endpoints

GET /api/v1/admin/status

  • Requires: HTTP Basic Authentication + Admin role
  • Returns: Admin status information
  • Status: 200 OK for admins, 403 for non-admins, 401 for unauthenticated
  • Use case: Admin dashboard, system status

Authentication Flow

  1. Client sends request with HTTP Basic Auth header
  2. FastAPI extracts credentials using HTTPBasic dependency
  3. get_auth_service() provides AuthService instance
  4. get_current_user() validates credentials against database
  5. On success: User object passed to endpoint
  6. On failure: 401 Unauthorized returned

Role-Based Access Control

The API implements two-tier authorization:

Regular User Access:

  • get_current_user() dependency
  • Validates authentication only
  • Allows access to user-level endpoints

Admin Access:

  • get_current_admin_user() dependency
  • Validates authentication AND admin role
  • Returns 403 Forbidden if user is not admin
  • Allows access to admin-only endpoints

Test Coverage

Unit Tests (tests/unit/test_api_endpoints.py)

  • 16 test cases covering all endpoint scenarios
  • Tests using mocked dependencies
  • Tests authentication flow
  • Tests role-based access control
  • All tests passing

Test Classes:

  • TestHealthEndpoint: Health check endpoint tests (3 tests)
  • TestAuthenticatedEndpoints: Authenticated endpoint tests (3 tests)
  • TestAdminEndpoints: Admin endpoint tests (4 tests)
  • TestAuthenticationDependencies: Dependency function tests (4 tests)
  • TestAPIResponseSchemas: Response schema validation (3 tests)

Integration Tests (tests/integration/test_api_integration.py)

  • 15 integration test cases with real database
  • Tests full authentication flow from database to API
  • Tests with real users and hashed passwords
  • Tests security features
  • All tests passing

Test Classes:

  • TestHealthEndpointIntegration: Health endpoint with real API (1 test)
  • TestAuthenticationFlowIntegration: Auth flow with database (4 tests)
  • TestAdminEndpointsIntegration: Admin endpoints with real users (3 tests)
  • TestMultipleUsersIntegration: Multiple users scenarios (2 tests)
  • TestAPIExtensibility: Extensibility features (2 tests)
  • TestSecurityIntegration: Security verification (3 tests)

Security Features

  1. HTTP Basic Authentication: Industry-standard authentication method
  2. Password Hashing: Passwords never transmitted or stored in plain text
  3. Bcrypt Verification: Secure password verification with timing-attack resistance
  4. Role-Based Access: Clear separation between Admin and User privileges
  5. Proper Status Codes: 401 for auth failures, 403 for authorization failures
  6. No Information Leakage: Generic error messages for security
  7. Database Session Management: Proper session handling with dependency injection

API Documentation

FastAPI provides automatic interactive documentation:

Swagger UI: http://localhost:8000/docs

  • Interactive API testing interface
  • Try out endpoints with authentication
  • View request/response schemas

ReDoc: http://localhost:8000/redoc

  • Alternative documentation interface
  • Clean, readable format

OpenAPI JSON: http://localhost:8000/openapi.json

  • Machine-readable API specification
  • For code generation and tools

Running the API

Development Server:

uvicorn src.api.main:app --reload --host 0.0.0.0 --port 8000

Production Server:

uvicorn src.api.main:app --host 0.0.0.0 --port 8000 --workers 4

Testing with curl:

# Health check (no auth)
curl http://localhost:8000/health

# Get current user (with auth)
curl -u username:password http://localhost:8000/api/v1/me

# Admin endpoint (with admin auth)
curl -u admin:password http://localhost:8000/api/v1/admin/status

Dependencies

  • fastapi==0.104.1 - Web framework
  • uvicorn[standard]==0.24.0 - ASGI server
  • httpx==0.25.2 - HTTP client for testing
  • pydantic==2.5.0 - Data validation
  • passlib[bcrypt]==1.7.4 - Password hashing
  • bcrypt==4.0.1 - Bcrypt implementation

Testing Commands

# Run all API tests
.venv/Scripts/python -m pytest tests/unit/test_api_endpoints.py tests/integration/test_api_integration.py -v

# Run unit tests only
.venv/Scripts/python -m pytest tests/unit/test_api_endpoints.py -v

# Run integration tests only
.venv/Scripts/python -m pytest tests/integration/test_api_integration.py -v

# Run with coverage
.venv/Scripts/python -m pytest tests/unit/test_api_endpoints.py tests/integration/test_api_integration.py --cov=src/api --cov-report=html

Next Steps

This API foundation is now ready for:

  • Story 1.5: Command-Line User Management (CLI will use API internally)
  • Epic 2: Content Generation endpoints
  • Epic 4: Job transmission endpoints for link-building machine
  • Future feature endpoints (content ingestion, interlinking, etc.)

Extensibility Examples

Adding a New Endpoint

# In src/api/routes.py
@app.get("/api/v1/projects", response_model=List[ProjectResponse])
async def list_projects(current_user: User = Depends(get_current_user)):
    """List all projects for the current user"""
    # Implementation here
    pass

Adding Admin-Only Endpoint

# In src/api/routes.py
@app.post("/api/v1/admin/users", response_model=UserResponse)
async def create_user(
    user_data: CreateUserRequest,
    current_admin: User = Depends(get_current_admin_user)
):
    """Create a new user (admin only)"""
    # Implementation here
    pass

Adding Request Validation

# In src/api/schemas.py
class CreateProjectRequest(BaseModel):
    name: str = Field(..., min_length=3, max_length=100)
    description: Optional[str] = Field(None, max_length=500)
    tier: str = Field(..., pattern="^(Tier1|Tier2|Tier3)$")

Notes

  • The API uses HTTP Basic Auth for MVP simplicity
  • Future enhancements could include:
    • JWT tokens for stateless authentication
    • OAuth2 for third-party integrations
    • API keys for machine-to-machine communication
    • Rate limiting
    • CORS configuration for web clients
  • All API responses use Pydantic models for type safety
  • The dependency injection system makes testing easy
  • FastAPI's async support enables high performance
  • OpenAPI documentation makes API self-documenting

Architecture Decisions

Why FastAPI?

  • Modern, fast Python web framework
  • Automatic API documentation
  • Type safety with Pydantic
  • Async support for high performance
  • Excellent developer experience

Why HTTP Basic Auth?

  • Simple to implement for MVP
  • No session management needed
  • Works well with internal APIs
  • Easy to test
  • Can be upgraded to JWT later

Why Versioned URLs?

  • Enables backward compatibility
  • Allows API evolution
  • Standard REST practice
  • Easy to deprecate old versions

Why Dependency Injection?

  • Clean, testable code
  • Easy to mock for testing
  • Reusable auth logic
  • FastAPI best practice

Completion Checklist

  • FastAPI application created
  • Health check endpoint implemented
  • Authentication system integrated
  • Role-based access control implemented
  • Pydantic schemas defined
  • Unit tests written and passing (16 tests)
  • Integration tests written and passing (15 tests)
  • Documentation generated automatically
  • Extensible architecture established
  • Security features implemented
  • Story documentation completed