
FastAPI FullAuth

A production-grade async authentication and authorization library for FastAPI, published to PyPI. Built around a composable opt-in philosophy - the abstract user adapter exposes only core CRUD, with role, permission, OAuth, and passkey support layered as separate mixins. Routers auto-skip when the adapter doesn't implement their mixin, and model submodules register their tables only when explicitly imported, so a personal-finance wallet app gets just users + refresh tokens while a SaaS gets the full RBAC + OAuth + passkey surface from the same library. Security hardening was driven by systematic audits - refresh-token rotation uses atomic compare-and-swap with reuse-replay detection, OAuth auto-link is gated on email_verified, passkey ceremonies enforce user verification and clone detection via sign-count CAS, and lockout responses don't leak account-existence signal.

Tech Stack

Python, FastAPI, PyPI, Open Source, Pydantic, SQLModel, SQLAlchemy, OAuth2, WebAuthn, JWT, Argon2id, Async

  • Composable opt-in architecture - abstract user adapter plus four optional mixins (Role, Permission, OAuth, Passkey); routers auto-skip when the adapter lacks the matching mixin, and model submodules register their tables only when imported via lazy __getattr__ so an email/password-only app gets exactly two tables and nothing else
  • JWT access/refresh tokens with atomic compare-and-swap rotation - concurrent refresh calls with the same token can no longer both succeed, and CAS failure triggers family-wide revocation as reuse-replay detection; Argon2id and bcrypt password hashing with transparent rehashing on login and explicit 72-byte rejection to prevent silent bcrypt truncation
  • OAuth2 social login (Google, GitHub) with verified-email gating to block account takeover via unverified provider emails, plus WebAuthn / Passkey passwordless authentication with user-verification enforcement, userHandle binding validation, and sign-count compare-and-swap to detect cloned authenticators
  • Pluggable adapters for SQLModel and SQLAlchemy using composable mixins, with Redis and in-memory backends for token blacklist, account lockout, rate limiting, and passkey challenge stores; multi-worker safety verified by emitting a startup warning when any backend is memory-only in what looks like a production deployment
  • Fully type-annotated with a PEP 561 py.typed marker so consumer mypy, pyright, and IDE language servers get real types on every import; core API is a generic FullAuth[UserSchema, CreateUserSchema] with PEP 696 defaults so apps extend by passing their schema types at instantiation rather than subclassing - no inheritance required
  • Six typed event hooks (after_register, after_login, after_oauth_register/login, send_verification_email, send_password_reset_email) plus a constructor-level custom JWT-claims builder, modular routers (auth, profile, verify, admin, oauth, passkey), CSRF middleware, security-headers middleware, and 49 environment-configurable settings driven by Pydantic BaseSettings with FULLAUTH_ env prefix
  • Distributed on PyPI with MkDocs documentation, 188 async pytest tests, multi-version CI on Python 3.10–3.14, OIDC-based PyPI publishing (no stored secrets), and a bundled in-wheel LLM agent skill (SKILL.md plus 12 reference files) so AI coding assistants apply the library's composable-opt-in conventions automatically