Feature/services/authenticated endpoints

[mazenelabd]

Service-Level Authentication and Password Utilities

Overview

This PR introduces an authentication system for Mindtrace services, enabling instance-level authentication with Bearer token support, along with password hashing utilities in the core module.

Key Features

Service-Level Authentication

• Instance-based authentication
• Scope-based endpoints: Support for PUBLIC and AUTHENTICATED endpoint scopes via Scope enum
• Token verification: Flexible token verification with support for both sync and async verifiers
• User injection: FastAPI dependency injection for accessing current user information in endpoints

Connection Manager Header Support

• Default headers: Set default headers (e.g., Authorization Bearer tokens) on connection managers for all requests
• Per-request headers: Override default headers on a per-request basis

Password Hashing Utilities

• Secure password hashing: New hash_password() and verify_password() utilities using Argon2 (via pwdlib)
• Advanced access: get_password_hasher() for direct access to pwdlib features
• Core module integration: Password utilities exported from mindtrace.core for easy access

Samples

• CRUD service sample: Complete example of CRUD operations using the services module
• Authenticated CRUD service: Full authentication example with MongoDB, JWT tokens, and user management
• Header usage examples: Demonstrates both default and per-request header patterns

Technical Changes

Services Module (mindtrace/services)

• Added set_token_verifier() method to Service class for instance-level token verification
• Added get_auth_dependency() and get_current_user_dependency() for FastAPI integration
• Enhanced add_endpoint() to support scope parameter for authentication control
• Updated ConnectionManager with set_default_headers() and clear_default_headers() methods
• Modified generate_connection_manager() to support header forwarding in generated methods

Core Module (mindtrace/core)

• New password.py utility module with password hashing functions
• Added pwdlib>=0.3.0 as a dependency
• Updated exports to include password utilities

Testing

• 100% code coverage for all new lines

Usage

For Services Using Authentication

# Instance-level authentication (new way)
from mindtrace.services import Service, Scope

class MyService(Service):
    def __init__(self, **kwargs):
        super().__init__(**kwargs)
        self.set_token_verifier(self.verify_token)
        
        self.add_endpoint("protected", self.get_data, scope=Scope.AUTHENTICATED)
    
    def verify_token(self, token: str) -> dict:
        # Your verification logic
        return {"user_id": "123"}

For Connection Managers Using Headers

# Set default headers (recommended)
cm = MyService.launch()
cm.set_default_headers({"Authorization": f"Bearer {token}"})
result = cm.protected_endpoint()  # Automatically includes headers

# Or use per-request headers
result = cm.protected_endpoint(headers={"Authorization": f"Bearer {token}"})

[vik-rant]

module-level global token_verifier ends up getting shared by all services in a process, and cumbersome to test.
consider making it an instance variable of Service.

[vik-rant]

failing to call set_token_verifier() (dev oversight or otherwise) on authenticated endpoints will silently grant all access.
should raise exception when no verifier is set, and authentication is expected.

[vik-rant]

implementation details, stack traces, file paths etc. might end up in the API responses.
consider using a general response "Token verification failed" and logging the actual error server-side.

[mazenelabd]

I would say it is a better practice to keep the 401 but we can replace it if you think it is better to raise some other error message
https://security.stackexchange.com/questions/110759/unauthorized-access-to-a-page-when-or-if-you-should-return-401-http-status-cod#/

[vik-rant]

Yes, I am not suggesting to remove the 401.
We should return a 401 response but without the details of e (which may include local implementation-specific details.
Instead log the error details from e and then continue raising 401.

[mazenelabd]

Makes sense

[vik-rant]

Suggested change

	verifier: Optional[Union[Callable[[str], dict], Callable[[str], Awaitable[dict]]]] = None
	verifier: Callable[[str], dict | Awaitable[dict]] | None = None

[vik-rant]

Suggested change

	def set_token_verifier(verifier: Union[Callable[[str], dict], Callable[[str], Awaitable[dict]]]):
	def set_token_verifier(verifier: Callable[[str], dict | Awaitable[dict]]):

[vik-rant]

Suggested change

	def get_token_verifier() -> Optional[Callable[[str], dict]]:
	def get_token_verifier() -> Callable[[str], dict | Awaitable[dict]] | None:

[vik-rant]

Suggested change

	if inspect.iscoroutinefunction(verifier):
	if inspect.isawaitable(verifier):

[mazenelabd]

Thanks for the suggestion. inspect.isawaitable() doesn't work on function objects, it only works on coroutines/futures. We need to check before calling whether the function is async, so I think iscoroutinefunction() is the right approach here. I also came across this aio-libs/sphinxcontrib-asyncio#4.
Please let me know if I am missing something.

[vik-rant]

You're right.
I missed adding a key line in the suggestion.
The general idea is:

async def verify_token(token: str) -> dict:
    try:
        user_info = verifier(token)  # missed this line earlier. If sync, we already have a result, otherwise check if we need to await
        if inspect.isawaitable(user_info):
            user_info = await user_info
        return user_info
    except HTTPException:
        raise
    except Exception as e:
        raise HTTPException(401) from e

Sometimes sync functions may return awaitables (Future, a wrapped async def, or something with an __await__ or an async __call__), or if token verifier is decorated (logging, retry, caching, tracing, etc.), then:

inspect.iscoroutinefunction(verifier)

will return False. But:

res = verifier(token)
inspect.isawaitable(res)

will handle all these cases.

iscoroutinefunction() answers "was this written as async def?"
isawaitable() answers "do we need to await this now?"
Runtime execution should care about the second one IMO.

[vik-rant]

let's prefer to raise and fail fast when an incorrect scope str is provided while adding endpoints.
currently a typo like scope="authenticate" will just log a warning and make the endpoint public.

[vik-rant]

auth_dependency should be inserted first to perform auth check first and fail fast?

[vik-rant]

confusing alias change from verify_token (semantically f(token: str) -> bool) to get_current_user (semantically f(?) -> User/dict/?) in the very first sample usage a user encounters. What is this function supposed to do?

[vik-rant]

Depends(get_current_user) will run the auth check a second time. Would have already been called once when we hit the endpoint since it is added as Scope.AUTHENTICATED in add_endpoint()?

[vik-rant]

instead of a module-level verify_token_async and a freestanding set_service_instance, can it be a bound method on the service, e.g. self.verify_token_async and no need for global set_service_instance stuff.
Overall i think we should clarify the following processes:

• extraction of token via schemes
• verifying a token, and extracting claims
• loading user details from verified claims
• usage of scope.AUTHENTICATED on self.add_endpoint() vs (or +) current_user=Depends(self.get_current_user) on the endpoint function definition. Which one does what, how to use them, is it one vs the other or both? Is the result from one cached and fed to the other, or is JWT decoding + DB fetch being repeated?

example flow for an endpoint seems to be:

Request to /get_user with Bearer token
    │
    ├─► scope=Scope.AUTHENTICATED triggers _create_verify_token_dependency()
    │       └─► calls verify_token_async(token)  ← FIRST CALL (DB lookup, JWT decode)
    │
    └─► Depends(get_current_user) triggers _create_get_user_dependency()
            └─► calls verify_token_async(token)  ← SECOND CALL (same work repeated)

[vik-rant]

We can use hash_password and verify_password from mindtrace.core now.
There is also a convenience util verify_and_maybe_upgrade which should be useful for login flows.

[uzairali19]

We are creating a new HTTPBearer() instance, inside both _create_verify_token_dependency() and _create_get_user_dependency().

Since get_auth_dependency() and get_current_user_dependency() call these methods during route registration, this results in multiple security scheme instances being created and duplicated entries in the OpenAPI specification.

We should create a single HTTPBearer instance (for example, in __init__ or set_user_authenticator()) and reuse it across.

fastapi/fastapi#2750

[uzairali19]

If I have an endpoint that uses both, the scope as Scope.AUTHENTICATED and Depends(get_current_user), the authenticator function is executed twice per request:
• once via the route-level Security dependency
• once via the Depends(get_current_user) injection

Both are calling the authenticator independently, and they don't share the state. FastAPI’s dependency caching does not apply here because these are different dependency functions.

This results in duplicate JWT verification/database lookups per request and could be avoided by sharing or caching the authentication result per request.

https://fastapi.tiangolo.com/tutorial/dependencies/#caching-dependencies

[vik-rant]

Interesting. The fastapi link shared here has no section #caching-dependencies. AI-generated link?

[uzairali19]

That is interesting indeed 😁
There isn’t a public changelog for documentation anchors.

The behavior I’m referring to is still documented under “Using the same dependency multiple times”:
https://fastapi.tiangolo.com/tutorial/dependencies/sub-dependencies/#using-the-same-dependency-multiple-times

FastAPI caches dependencies per request only when the same dependency callable is reused.
Using both Security(...) and Depends(get_current_user) creates dependency entries, so the auth logic runs twice.

The behavior itself hasn't changed

[uzairali19]

Over here, the set_user_authenticator() directly assigns self.user_authenticator with no safeguards.

If this method is called again at runtime (or set to None), the service's authentication behaviour would silently change or break.

We should restrict this to one-time initialization at startup or guard it against reassignment after service is launched.

https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/

[uzairali19]

Over here, even if the HTTP response body is sanitized, the original exception is still attached as __cause__ and can be exploited by logging, middleware, or a monitoring system.

If e contains sensitive information (such as database or infrastructure details), this could unintentionally leak through logs or error pipelines. If full suppression is intended, from None would be safer.

https://owasp.org/www-community/Improper_Error_Handling

[uzairali19]

This is bad, we are sending raw credentials.credentials value without any validation directly to the authenticator.

I could give this some random large strings on the Authentication header, potentially triggering expensive JWT parsing or database lookups and creating a denial-of-service vector.

We should add some basic safeguards, max length format validation, before invoking the authenticator.

https://owasp.org/www-community/attacks/Denial_of_Service

[uzairali19]

We are exposing the internal method name here and the implementation details. Is this intended? Why are we doing this?

We should have a generic internal error message for this case

https://owasp.org/www-community/Improper_Error_Handling

[uzairali19]

We should enforce Authentication for the MCP tools as well.

When this is called on the service level, the tool will bypass the authentication regardless of the scope parameter.

Tools are externally callable as well

[vik-rant]

this function is updating, not setting.