neo-neo-todo/backend/README.md

# Backend Technical Write Up

## Setup

- Install `pdm`
- Install dependencies with `pdm sync`
- Run development backend with `pdm run dev`
- Run tests with `pdm run test`

### Setup for Development

- run `eval $(pdm venv activate in-project)` to activate the virtual env.

## Structure

- Use FastAPI's `router` to organize different API routes
  - `member` route for getting the current member/user
  - `todo` route to create/read/update/delete todos
  - `token` route for authentication (login/logout)
- Separate folder for PostgreSQL migrations: Might need a better migration tool. Right now, `alembic` only works with SQLalchemy.
- Use Pydantic data validation always

## TODO list

- [ ] Setup Docker image and k8s for the API: 3 containers: API, Redis and PostgreSQL.

## Authentication notes

This API uses OAuth2 (an authorization framework) with JWTs as the format for access token.

When a user logs in and is granted an access token by an OAuth 2.0 server, the token is often a JWT. This token can then be sent with requests to access protected resources, and the server can verify the token's authenticity and permissions based on the JWT's contents.

- The flow used was: Password flow but instead of username, we use the user's email instead
- In the Oauth2 spec, the `scope` part is a string of permission(s)

### Sign up flow TODO

### Login flow

- Send a POST request to API route /token
- If username and password are correct, create JWT for user
- User logged in

### Check authentication status

- Send a GET request to API route /members/meo
- If status code is 401: they are not authenticated
- If status code is 200: they are authenticated and we can get the email and email_verified status
Fix(Docker): Seperate DEV and PROD - Restructured the project 2023-10-10 14:33:11 -04:00			`# Backend Technical Write Up`
feat(api): added rate limiting - Need update on testing env 2024-01-24 21:09:15 -05:00
feat(api+testing): select todo by member_id and id - Added test code coverage with `pytest-cov` - Added comments for member model functions 2024-03-03 00:57:14 -05:00			`## Setup`

			- Install `pdm`
			- Install dependencies with `pdm sync`
			- Run development backend with `pdm run dev`
			- Run tests with `pdm run test`

feat(api): insecure login flow skeleton - Updated backend technical writeup 2024-03-11 22:33:30 -04:00			`### Setup for Development`
feat(api+testing): select todo by member_id and id - Added test code coverage with `pytest-cov` - Added comments for member model functions 2024-03-03 00:57:14 -05:00
			- run `eval $(pdm venv activate in-project)` to activate the virtual env.

feat(api): added rate limiting - Need update on testing env 2024-01-24 21:09:15 -05:00			`## Structure`

			- Use FastAPI's `router` to organize different API routes
feat(api): login and authentication routes - Remove fastapi-limiter, we will rate limit at load balancer level as it is too hard to get fastapi-limiter to play nice with pytest. - Wrote technical writeups on how the login flow and check for user authentication status work 2024-03-23 14:53:33 -04:00			- `member` route for getting the current member/user
			- `todo` route to create/read/update/delete todos
			- `token` route for authentication (login/logout)
feat(api): update backend writeup 2024-03-03 00:23:13 -05:00			- Separate folder for PostgreSQL migrations: Might need a better migration tool. Right now, `alembic` only works with SQLalchemy.
			`- Use Pydantic data validation always`

			`## TODO list`
feat(api): login and authentication routes - Remove fastapi-limiter, we will rate limit at load balancer level as it is too hard to get fastapi-limiter to play nice with pytest. - Wrote technical writeups on how the login flow and check for user authentication status work 2024-03-23 14:53:33 -04:00
feat(api): update backend writeup 2024-03-03 00:23:13 -05:00			`- [ ] Setup Docker image and k8s for the API: 3 containers: API, Redis and PostgreSQL.`
feat(api): insecure login flow skeleton - Updated backend technical writeup 2024-03-11 22:33:30 -04:00
			`## Authentication notes`

			`This API uses OAuth2 (an authorization framework) with JWTs as the format for access token.`

			`When a user logs in and is granted an access token by an OAuth 2.0 server, the token is often a JWT. This token can then be sent with requests to access protected resources, and the server can verify the token's authenticity and permissions based on the JWT's contents.`

			`- The flow used was: Password flow but instead of username, we use the user's email instead`
			- In the Oauth2 spec, the `scope` part is a string of permission(s)
feat(api): login and authentication routes - Remove fastapi-limiter, we will rate limit at load balancer level as it is too hard to get fastapi-limiter to play nice with pytest. - Wrote technical writeups on how the login flow and check for user authentication status work 2024-03-23 14:53:33 -04:00
			`### Sign up flow TODO`

			`### Login flow`

			`- Send a POST request to API route /token`
			`- If username and password are correct, create JWT for user`
			`- User logged in`

			`### Check authentication status`

			`- Send a GET request to API route /members/meo`
			`- If status code is 401: they are not authenticated`
			`- If status code is 200: they are authenticated and we can get the email and email_verified status`