
I will start off by saying I have followed a guide on how to make a secure API using FastAPI (https://fastapi.tiangolo.com/tutorial/security/oauth2-jwt/).

What happens is that you will have two APIs, one POST and one GET:

  • POST is where you pass the

    curl -X POST "http://127.0.0.1:8000/token" -H "accept: application/json" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=&username=hello&password=world&scope=&client_id=&client_secret="

  • GET is an API that requires the access_token Bearer to be able to access it, e.g. http://127.0.0.1:8000/getUser

Now I am pretty confused about how safely you can run the application. What confuses me is that I would need to make a POST request with my username and password to the API, which will return me an access_token, and I believe with that access_token I can later on access the next API, which is http://127.0.0.1:8000/getUser? Is this the correct way or am I out of scope?

Because what makes me feel unsafe is that if I now, let's say, "hardcode" my username and password into a Python script and someone manages to reverse engineer the script/exe/whatever (maybe even see through the network what is being sent as params/data), they will be able to access my token in that case. So what would be the suggestion here?

Thrillofit86
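The two-step flow the question describes, written out as an added example that is not part of the question or of the FastAPI tutorial it links to. It uses only the Python standard library: the POST /token and GET /getUser handlers are modelled as plain functions rather than a running FastAPI app, the hello/world user and the signing key are constructed for the demo, and the token is an HS256-signed JWT built by hand so the signature and expiry checks are visible.

```python
"""Model of the two-step flow in the question: POST /token trades a username and
password for a signed bearer token, and GET /getUser accepts only requests that
carry a valid one. Added example using only the standard library: the two
handlers are plain functions rather than a running FastAPI app, and the user
store and signing key are constructed for the demo."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import parse_qs

# Constructed demo values. In a deployment the signing key is loaded from the
# environment or a secrets store, never written into the source.
SIGNING_KEY = b"constructed-demo-signing-key-do-not-reuse"
PASSWORD_SALT = b"constructed-demo-salt"
TOKEN_TTL_SECONDS = 1800


def hash_password(password: str) -> bytes:
    """Slow salted hash, so the user store never holds plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), PASSWORD_SALT, 200_000)


# username -> password hash (the question's hello/world pair, constructed here)
USERS = {"hello": hash_password("world")}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(form_body: str, now: Optional[float] = None) -> Optional[dict]:
    """Handle the body of the POST /token request from the question.

    Returns the OAuth2 token response, or None when the credentials are wrong.
    Unknown users and wrong passwords get the same answer, so the endpoint
    does not reveal which usernames exist."""
    form = parse_qs(form_body)
    username = form.get("username", [""])[0]
    password = form.get("password", [""])[0]
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored, hash_password(password)):
        return None
    now = time.time() if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(
        json.dumps({"sub": username, "exp": int(now + TOKEN_TTL_SECONDS)}).encode())
    signature = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return {"access_token": f"{header}.{payload}.{b64url_encode(signature)}",
            "token_type": "bearer"}


def verify_bearer(authorization: Optional[str], now: Optional[float] = None) -> Optional[str]:
    """Check the Authorization header of a GET /getUser request.

    Returns the username the token was issued to, or None if the header is
    missing, malformed, forged, tampered with or expired."""
    if not authorization or not authorization.startswith("Bearer "):
        return None
    parts = authorization[len("Bearer "):].split(".")
    if len(parts) != 3:
        return None
    header, payload, signature = parts
    # Always verify with the server's own key and algorithm; the token's header
    # is never trusted to choose them.
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, b64url_decode(signature)):
            return None
        claims = json.loads(b64url_decode(payload))
    except ValueError:  # bad base64 or bad JSON
        return None
    now = time.time() if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


if __name__ == "__main__":
    # Same body as the curl command in the question.
    body = "grant_type=&username=hello&password=world&scope=&client_id=&client_secret="
    token = issue_token(body)
    print("POST /token ->", token)
    print("GET /getUser as", verify_bearer("Bearer " + token["access_token"]))
    print("GET /getUser without token ->", verify_bearer(None))
```

The server only ever holds password hashes and its own signing key; the client holds the short-lived token. That split is what makes the flow in the question the correct shape: a leaked token expires, while the password itself is sent once, over TLS, to the token endpoint.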

1 Answer


It's a pretty broad question. A good place to start is probably the OAuth2 RFC 6749.

Some of the foundational understanding that you need to get right as a first step is:

  1. A precondition of OAuth 2.0 is TLS. Assuming you're using TLS 1.2 or 1.3 with appropriate cipher suites, we can safely assume network sniffing is not a possibility.

  2. If you're using OAuth 2.0 on behalf of a human user, you'd use the "Authorization Code" or "Password Credentials" grant types, where the user would enter the username and password manually.

  3. If you're using OAuth 2.0 on behalf of the client itself (NOT a human user), you'd use the "Client Credentials" grant type.

All these grant types have different flows. Since you've mentioned hard coding, I'm assuming you're referring to the use case mentioned in point no. 3. Hard coding secrets is NEVER an option. The most secure way to handle this is storing the secrets in a Vault. A less secure option is to store the secret in a separate file in encrypted form.

I'd recommend you read the following answers as well:

https://stackoverflow.com/a/59433000/1235935

https://stackoverflow.com/a/54011649/1235935

https://stackoverflow.com/a/54258744/1235935

https://stackoverflow.com/a/59464645/1235935

Saptarshi Basu
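Two practical consequences of "hard coding secrets is NEVER an option", as an added example that is not part of the answer. `load_client_credentials` reads the client id and secret for a Client Credentials flow from the process environment, which is how a vault agent or CI secret store typically hands them to a script, and refuses to start when they are absent; `find_hardcoded_secrets` is a small review check that flags string literals assigned to secret-looking variable names, so the mistake the question worries about is caught before a script ships. The variable names `OAUTH_CLIENT_ID` and `OAUTH_CLIENT_SECRET` and the sample source text are this example's own, not anything defined by OAuth2 or FastAPI.

```python
"""Added example: keep client credentials out of the source and detect when
they were put there anyway. Environment variable names and the sample source
below are constructed for this example."""
import re
from typing import List, Mapping, Tuple


class MissingSecretError(RuntimeError):
    """Raised when a required credential was not injected into the environment."""


def load_client_credentials(env: Mapping[str, str],
                            id_var: str = "OAUTH_CLIENT_ID",
                            secret_var: str = "OAUTH_CLIENT_SECRET") -> Tuple[str, str]:
    """Return (client_id, client_secret) read from `env` (normally os.environ).

    Failing loudly when a variable is missing is deliberate: a script that
    silently falls back to a default would tempt someone to write one in."""
    missing = [name for name in (id_var, secret_var) if not env.get(name)]
    if missing:
        raise MissingSecretError("missing credentials: " + ", ".join(missing))
    return env[id_var], env[secret_var]


# Variable names that usually hold credentials (case-insensitive).
SECRET_NAME = re.compile(r"(passw(or)?d|secret|token|api_?key)", re.IGNORECASE)
# `name = "literal"` or `name = 'literal'` with at least four characters; lines
# such as `secret = os.environ["X"]` do not match because no quote follows `=`.
LITERAL_ASSIGNMENT = re.compile(
    r"""^\s*(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?P<quote>["'])[^"']{4,}(?P=quote)""")


def find_hardcoded_secrets(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, variable_name) for every line that assigns a
    non-empty string literal to a secret-looking variable."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = LITERAL_ASSIGNMENT.match(line)
        if match and SECRET_NAME.search(match.group("name")):
            findings.append((lineno, match.group("name")))
    return findings


# Constructed sample of the kind of script the question describes.
SAMPLE_SOURCE = '''import os
USERNAME = "hello"
PASSWORD = "world"
client_secret = os.environ["OAUTH_CLIENT_SECRET"]
api_key = 'abc123xyz'
'''

if __name__ == "__main__":
    import os
    for lineno, name in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: literal assigned to {name}")
    try:
        print(load_client_credentials(os.environ))
    except MissingSecretError as exc:
        print("refusing to start:", exc)
```

The scanner is intentionally simple and will miss secrets spread across concatenations or stored under unusual names; it is a cheap pre-commit check, not a substitute for keeping the secret in a vault in the first place.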