A FastAPI-based backend for generating, encrypting, signing, and verifying secure QR codes linked to products stored in a Supabase database. This project implements RSA encryption, digital signatures, and secure scan logging to ensure product authenticity and traceability.
- Product Management
  - Add, view, and delete products from Supabase.
- QR Code Generation
  - Encrypts product data with RSA.
  - Generates a digital signature for authenticity.
  - Produces QR codes as base64-encoded images.
- QR Code Scanning
  - Decrypts QR data and verifies its signature.
  - Records scan events (with time, location, and user info) in Supabase.
- Security
  - End-to-end RSA encryption/decryption.
  - Digital signature verification.
  - Data integrity checks.

| Component | Technology |
|---|---|
| Backend Framework | FastAPI |
| Database | Supabase |
| Encryption | RSA + Fernet (cryptography) |
| QR Code Generation | qrcode |
| Data Models | Pydantic |
| Server | Uvicorn |

```bash
git clone https://github.com/<your-username>/<your-repo-name>.git
cd <your-repo-name>
```

```bash
python -m venv venv
source venv/bin/activate # On Linux/Mac
venv\Scripts\activate # On Windows
```

```bash
pip install -r requirements.txt
```

Create a `.env` file in the project root with the following values:

```
SUPABASE_URL=https://<your-supabase-url>.supabase.co
SUPABASE_KEY=<your-supabase-api-key>
ALLOWED_ORIGINS=http://localhost,http://localhost:5173,https://your-frontend.vercel.app
```

⚠️ Never commit your Supabase keys directly in code. Use environment variables instead.

Start the FastAPI server using Uvicorn:

```bash
uvicorn main:app --reload
```

The API will run by default at:

http://127.0.0.1:8000

`GET /` Returns a simple message confirming the server is running.

`GET /products`

`POST /add_product`

```json
{
  "name": "Product Name",
  "description": "Product Description",
  "serial_number": "12345"
}
```

`DELETE /delete_product`

```json
{
  "ids": ["uuid1", "uuid2"]
}
```

`POST /generate_qr`

```json
{
  "id": "product-uuid"
}
```

Response:

- Encrypted data
- Digital signature
- Base64-encoded QR image

`POST /scan_qr`

```json
{
  "qr_code_id": "uuid",
  "scanned_data": "data: <encrypted> | signature: <base64>",
  "scanned_by": "John Doe",
  "location": "Warehouse A"
}
```

Response:

```json
{
  "signature_verified": true,
  "decryption_successful": true
}
```

- RSA Encryption (512-bit) used for encrypting product identifiers.
- Digital Signatures created using SHA-256 hash and RSA private key.
- QR Code Integrity verified upon scanning (detects tampering).
- Scan Logging ensures auditability with timestamps and locations.
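
An added example (not this project's code) of the scan-side check for the `data: <encrypted> | signature: <base64>` string: it verifies the signature before decrypting, maps the outcome to the `valid`/`tampered` scan status, and refuses keys below 2048 bits, because a 512-bit RSA modulus can be factored with modest computing resources. Assumptions: RSA-PSS and RSA-OAEP with SHA-256, a signature computed over the ciphertext, and the hypothetical names `make_payload`, `check_scan` and `MIN_RSA_BITS`; the README does not state the project's padding or what exactly is signed.

```python
import base64
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

MIN_RSA_BITS = 2048  # assumption: floor chosen for this example
# Assumed schemes (the README names neither): RSA-PSS signatures, RSA-OAEP encryption.
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def make_payload(private_key, plaintext: bytes) -> str:
    """Encrypt, then sign the ciphertext; return the README's scanned_data layout."""
    ciphertext = private_key.public_key().encrypt(plaintext, OAEP)
    signature = private_key.sign(ciphertext, PSS, hashes.SHA256())
    return "data: {} | signature: {}".format(
        base64.b64encode(ciphertext).decode(), base64.b64encode(signature).decode())


def check_scan(private_key, scanned_data: str) -> dict:
    """Verify the signature first and decrypt only if it holds."""
    if private_key.key_size < MIN_RSA_BITS:
        raise ValueError("RSA key is smaller than %d bits" % MIN_RSA_BITS)
    result = {"signature_verified": False, "decryption_successful": False,
              "scan_status": "tampered"}
    try:
        data_part, sig_part = scanned_data.split(" | signature: ", 1)
        if not data_part.startswith("data: "):
            return result
        ciphertext = base64.b64decode(data_part[len("data: "):], validate=True)
        signature = base64.b64decode(sig_part, validate=True)
        private_key.public_key().verify(signature, ciphertext, PSS, hashes.SHA256())
    except (ValueError, InvalidSignature):  # malformed field, bad base64, or bad signature
        return result
    result["signature_verified"] = True
    try:
        private_key.decrypt(ciphertext, OAEP)
    except ValueError:
        return result
    result.update(decryption_successful=True, scan_status="valid")
    return result


if __name__ == "__main__":
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)  # constructed test key
    good = make_payload(key, b"product-uuid")
    print(check_scan(key, good))
    print(check_scan(key, good.replace("data: ", "data: AAAA", 1)))
```

The example uses one key pair for both operations, matching the single `public.pem`/`private.pem` pair listed in the project tree.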

```
.
├── main.py # FastAPI application
├── public.pem # RSA public key
├── private.pem # RSA private key
├── requirements.txt # Python dependencies
├── README.md # Project documentation
└── .env # Environment variables (not committed)
```

| Column | Type | Description |
|---|---|---|
| id | UUID | Unique identifier |
| name | Text | Product name |
| description | Text | Product description |
| serial_number | Text | Product serial |
| created_at | Timestamp | Record creation time |

| Column | Type | Description |
|---|---|---|
| id | UUID | QR Code ID |
| product_id | UUID | Related product |
| encrypted_data | Text | RSA encrypted payload |
| digital_signature | Text | Base64 signature |
| qr_code | Text | Base64 QR image |
| created_at | Timestamp | Creation time |

| Column | Type | Description |
|---|---|---|
| id | UUID | Scan ID |
| qr_code_id | UUID | QR reference |
| scan_time | Timestamp | When scanned |
| scanned_by | Text | Who scanned |
| location | Text | Where scanned |
| scan_status | Text | valid or tampered |

- RSA keys (`public.pem`, `private.pem`) are generated automatically if missing.
- Ensure Supabase tables are created before running.
- Frontend URL must be listed in `allow_origins` for CORS.

This project is licensed under the MIT License. Feel free to modify and distribute for educational or commercial use.
Abrar Asghar Data Analyst • AI Developer