FastAPIで認証
FastAPIでJWT認証を実装します。ユーザー登録、ログイン、認証が必要なエンドポイントの保護を行います。
必要なパッケージ
pip install python-jose[cryptography] passlib[bcrypt]
python-jose: JWT生成・検証
passlib: パスワードハッシュ
認証ユーティリティ
auth.py
from datetime import datetime, timedelta
from typing import Optional
from jose import JWTError, jwt
from passlib.context import CryptContext
from fastapi import Depends, HTTPException, status
from fastapi.security import OAuth2PasswordBearer
from sqlalchemy.orm import Session
from database import get_db
import models
import os
# 設定
SECRET_KEY = os.getenv("SECRET_KEY", "your-secret-key-change-in-production")
ALGORITHM = "HS256"
ACCESS_TOKEN_EXPIRE_MINUTES = 30
# パスワードハッシュ
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
# OAuth2スキーム
oauth2_scheme = OAuth2PasswordBearer(tokenUrl="auth/login")
def verify_password(plain_password: str, hashed_password: str) -> bool:
"""パスワード検証"""
return pwd_context.verify(plain_password, hashed_password)
def get_password_hash(password: str) -> str:
"""パスワードハッシュ化"""
return pwd_context.hash(password)
def create_access_token(data: dict, expires_delta: Optional[timedelta] = None) -> str:
"""アクセストークン生成"""
to_encode = data.copy()
if expires_delta:
expire = datetime.utcnow() + expires_delta
else:
expire = datetime.utcnow() + timedelta(minutes=15)
to_encode.update({"exp": expire})
encoded_jwt = jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)
return encoded_jwt
def get_current_user(
token: str = Depends(oauth2_scheme),
db: Session = Depends(get_db)
) -> models.User:
"""現在のユーザーを取得(認証必須エンドポイント用)"""
credentials_exception = HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Could not validate credentials",
headers={"WWW-Authenticate": "Bearer"},
)
try:
payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
user_id: int = payload.get("sub")
if user_id is None:
raise credentials_exception
except JWTError:
raise credentials_exception
user = db.query(models.User).filter(models.User.id == user_id).first()
if user is None:
raise credentials_exception
return user
認証エンドポイント
routers/auth.py
from datetime import timedelta
from fastapi import APIRouter, Depends, HTTPException, status
from fastapi.security import OAuth2PasswordRequestForm
from sqlalchemy.orm import Session
from database import get_db
import models
import schemas
from auth import (
verify_password,
get_password_hash,
create_access_token,
get_current_user,
ACCESS_TOKEN_EXPIRE_MINUTES,
)
router = APIRouter(prefix="/auth", tags=["auth"])
@router.post("/register", response_model=schemas.UserResponse, status_code=201)
def register(user: schemas.UserCreate, db: Session = Depends(get_db)):
"""ユーザー登録"""
# メール重複チェック
db_user = db.query(models.User).filter(models.User.email == user.email).first()
if db_user:
raise HTTPException(status_code=400, detail="Email already registered")
# ユーザー作成
hashed_password = get_password_hash(user.password)
db_user = models.User(
email=user.email,
name=user.name,
password_hash=hashed_password
)
db.add(db_user)
db.commit()
db.refresh(db_user)
return db_user
@router.post("/login", response_model=schemas.Token)
def login(
form_data: OAuth2PasswordRequestForm = Depends(),
db: Session = Depends(get_db)
):
"""ログイン"""
# ユーザー検索
user = db.query(models.User).filter(models.User.email == form_data.username).first()
if not user:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Incorrect email or password",
headers={"WWW-Authenticate": "Bearer"},
)
# パスワード検証
if not verify_password(form_data.password, user.password_hash):
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Incorrect email or password",
headers={"WWW-Authenticate": "Bearer"},
)
# トークン生成
access_token_expires = timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES)
access_token = create_access_token(
data={"sub": str(user.id)},
expires_delta=access_token_expires
)
return {"access_token": access_token, "token_type": "bearer"}
@router.get("/me", response_model=schemas.UserResponse)
def get_me(current_user: models.User = Depends(get_current_user)):
"""現在のユーザー情報"""
return current_user
スキーマ追加
schemas.py に追加
class Token(BaseModel):
access_token: str
token_type: str
class TokenData(BaseModel):
user_id: Optional[int] = None
認証が必要なエンドポイント
routers/posts.py の例
from fastapi import APIRouter, Depends, HTTPException
from sqlalchemy.orm import Session
from database import get_db
import models
import schemas
from auth import get_current_user
router = APIRouter(prefix="/posts", tags=["posts"])
@router.post("/", response_model=schemas.PostResponse, status_code=201)
def create_post(
post: schemas.PostCreate,
db: Session = Depends(get_db),
current_user: models.User = Depends(get_current_user) # 認証必須
):
"""記事作成(認証必須)"""
db_post = models.Post(**post.model_dump(), author_id=current_user.id)
db.add(db_post)
db.commit()
db.refresh(db_post)
return db_post
@router.put("/{post_id}", response_model=schemas.PostResponse)
def update_post(
post_id: int,
post: schemas.PostCreate,
db: Session = Depends(get_db),
current_user: models.User = Depends(get_current_user)
):
"""記事更新(本人のみ)"""
db_post = db.query(models.Post).filter(models.Post.id == post_id).first()
if not db_post:
raise HTTPException(status_code=404, detail="Post not found")
# 本人チェック
if db_post.author_id != current_user.id:
raise HTTPException(status_code=403, detail="Not authorized to update this post")
db_post.title = post.title
db_post.content = post.content
db.commit()
db.refresh(db_post)
return db_post
@router.delete("/{post_id}", status_code=204)
def delete_post(
post_id: int,
db: Session = Depends(get_db),
current_user: models.User = Depends(get_current_user)
):
"""記事削除(本人のみ)"""
db_post = db.query(models.Post).filter(models.Post.id == post_id).first()
if not db_post:
raise HTTPException(status_code=404, detail="Post not found")
if db_post.author_id != current_user.id:
raise HTTPException(status_code=403, detail="Not authorized to delete this post")
db.delete(db_post)
db.commit()
return None
main.pyへの統合
from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware
from database import engine, Base
from routers import auth, posts
Base.metadata.create_all(bind=engine)
app = FastAPI(title="Blog API")
# CORS設定
app.add_middleware(
CORSMiddleware,
allow_origins=["http://localhost:3000"],
allow_credentials=True,
allow_methods=["*"],
allow_headers=["*"],
)
# ルーター登録
app.include_router(auth.router)
app.include_router(posts.router)
APIテスト(curl)
# 1. ユーザー登録
curl -X POST http://localhost:8000/auth/register \
-H "Content-Type: application/json" \
-d '{"email": "test@example.com", "name": "テスト", "password": "password123"}'
# 2. ログイン
curl -X POST http://localhost:8000/auth/login \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "username=test@example.com&password=password123"
# → {"access_token": "eyJhbG...", "token_type": "bearer"}
# 3. 認証が必要なエンドポイント
curl http://localhost:8000/auth/me \
-H "Authorization: Bearer eyJhbG..."
# 4. 記事作成
curl -X POST http://localhost:8000/posts \
-H "Authorization: Bearer eyJhbG..." \
-H "Content-Type: application/json" \
-d '{"title": "タイトル", "content": "本文"}'
まとめ
-
✓
OAuth2PasswordBearerでトークン取得 -
✓
Depends(get_current_user)で認証必須に - ✓ 本人チェックで認可(Authorization)を実装
- ✓ SECRET_KEYは環境変数で管理