FastAuth provides complete authentication workflows with a focus on security, flexibility, and developer experience.
Overview
Authentication is a solved problem, yet developers keep reimplementing it with subtle security flaws. FastAuth aims to provide a drop-in solution that handles the complexities of modern authentication while remaining flexible enough to adapt to different project requirements.
Key Features
Complete Auth Workflows
- Registration - Email/password signup with validation
- Login - Secure credential verification
- Logout - Session invalidation and token revocation
- Token Refresh - Seamless token renewal without re-authentication
Role-Based Access Control
- Fine-Grained Permissions - Define granular access rules
- Role Hierarchy - Inherit permissions from parent roles
- Resource-Level Authorization - Control access per resource
- Decorator-Based - Simple
@requires_role("admin")syntax
Session Management
- Multi-Device Support - Track sessions across devices
- Session Listing - Users can see all active sessions
- Remote Logout - Revoke sessions from any device
- Activity Tracking - Last activity timestamps
Social Authentication
- OAuth Providers - Google, GitHub, and more
- Account Linking - Connect multiple providers to one account
- Provider Abstraction - Consistent API across providers
Self-Service Features
- Email Verification - Confirm user email ownership
- Password Reset - Secure reset flow with expiring tokens
- Profile Updates - Users manage their own data
Type Safety
- Full Type Hints - 100% type coverage
- Pydantic Models - Validated request/response schemas
- IDE Support - Autocomplete and error detection
Security
FastAuth implements security best practices recommended by OWASP:
Password Security
- Argon2 Hashing - Memory-hard algorithm resistant to GPU attacks
- Configurable Parameters - Tune memory, iterations, and parallelism
- Automatic Rehashing - Upgrade hashes when parameters change
Token Security
- JWT with Configurable Expiration - Short-lived access tokens
- Refresh Token Rotation - New refresh token on each use
- Token Binding - Optionally bind tokens to client fingerprint
Rate Limiting
- Login Attempts - Prevent brute force attacks
- Password Reset - Limit reset email frequency
- Registration - Prevent spam account creation
Session Security
- Secure Cookie Flags - HttpOnly, Secure, SameSite
- Session Revocation - Immediate invalidation capability
- Concurrent Session Limits - Optionally limit active sessions
Database Agnostic
The adapter pattern allows FastAuth to work with any database:
- SQLAlchemy - PostgreSQL, MySQL, SQLite
- MongoDB - Document-based storage
- Custom - Implement the adapter interface
Usage
from fastapi import Depends, FastAPI
from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
from sqlmodel import Session, SQLModel, create_engine
from fastauth.api import dependencies
from fastauth.api.auth import router as auth_router
from fastauth.security.jwt import decode_access_token
# Database setup
DATABASE_URL = "sqlite:///./app.db"
engine = create_engine(DATABASE_URL)
def init_db():
SQLModel.metadata.create_all(engine)
def get_session():
with Session(engine) as session:
yield session
# Create app
app = FastAPI(title="My Auth App")
init_db()
# Include auth router
app.include_router(auth_router)
# Override session dependency
app.dependency_overrides[dependencies.get_session] = get_session
# Protected route
security = HTTPBearer()
@app.get("/protected")
def protected(credentials: HTTPAuthorizationCredentials = Depends(security)):
payload = decode_access_token(credentials.credentials)
return {
"message": "You are authenticated",
"user_id": payload["sub"],
}Configuration
FastAuth is highly configurable:
You can learn more by visting the Core Concepts Page.
What I Learned
Building FastAuth deepened my understanding of:
- Security tradeoffs - Convenience vs. security is a constant balance
- API design - Making complex features feel simple requires iteration
- Open source maintenance - Documentation is as important as code
- Python ecosystem - Type hints and async/await patterns