a0d4e59c244e294cc66dbcd18d35f58fcd03b2b9
feat: add password reset and email verification flow
feat: add org invite listing, cancellation, and invite link fallback
feat: add user suspend/unsuspend with audit logging
feat: add department certificate policy (expiry, extensions)
feat: enforce dept cert policy on SSH certificate signing
feat: wire up OIDC consent and token flow (replace mocks)
feat: rework CLI auth bridge to use frontend login flow
feat: add admin OAuth provider management (CRUD)
chore: refactor model import paths after module reorganisation
chore: clean up config, decorators, and dev tooling
Authy2 Backend - Authentication & Authorization API
Production-ready Flask/SQLAlchemy API for authentication and authorization services.
Features
- 🔐 Multi-method Authentication: Password, OAuth (Google, GitHub, Microsoft), SAML, OIDC
- 👥 Multi-tenancy: Organization-based access control with roles
- 🔑 Session Management: Secure session handling with Redis
- 📝 Audit Logging: Comprehensive activity tracking
- 🛡️ Security: Bcrypt password hashing, CORS, security headers, rate limiting
- 📊 API Response Envelope: Consistent response format across all endpoints
- ✅ Validation: Marshmallow schemas for request/response validation
- 🧪 Testing: Comprehensive unit and integration tests
- 📚 Documentation: OpenAPI/Swagger compatible
Tech Stack
- Framework: Flask 3.0
- Database: PostgreSQL with SQLAlchemy ORM
- Caching/Sessions: Redis
- Validation: Marshmallow
- Testing: Pytest
- Security: Flask-Bcrypt, Flask-CORS
- Migration: Flask-Migrate (Alembic)
Quick Start
Prerequisites
- Python 3.11+
- PostgreSQL 14+
- Redis 6+
Installation
- Clone the repository:
git clone <repository-url>
cd authy2/backend
- Create virtual environment:
python -m venv venv
source venv/bin/activate # On Windows: venv\Scripts\activate
- Install dependencies:
pip install -r requirements/development.txt
- Set up environment variables:
cp .env.example .env
# Edit .env with your configuration
- Initialize database:
python scripts/init_db.py
- Seed sample data (optional):
python scripts/seed_data.py
- Run the application:
flask run
# Or using the WSGI file
python wsgi.py
The API will be available at http://localhost:5000
API Endpoints
Authentication
- POST /api/v1/auth/register - Register new user
- POST /api/v1/auth/login - Login
- POST /api/v1/auth/logout - Logout
- GET /api/v1/auth/me - Get current user
- GET /api/v1/auth/sessions - Get user sessions
- DELETE /api/v1/auth/sessions/:id - Revoke session
Users
- GET /api/v1/users/me - Get current user profile
- PATCH /api/v1/users/me - Update profile
- DELETE /api/v1/users/me - Delete account
- POST /api/v1/users/me/password - Change password
- GET /api/v1/users/me/organizations - Get user organizations
Organizations
- POST /api/v1/organizations - Create organization
- GET /api/v1/organizations/:id - Get organization
- PATCH /api/v1/organizations/:id - Update organization
- DELETE /api/v1/organizations/:id - Delete organization
- GET /api/v1/organizations/:id/members - Get members
- POST /api/v1/organizations/:id/members - Add member
- DELETE /api/v1/organizations/:id/members/:userId - Remove member
- PATCH /api/v1/organizations/:id/members/:userId/role - Update role
Health
- GET /api/health - Health check
OAuth Setup
- Redirect URI:
http://localhost:5000/api/v1/auth/external/[google|microsoft]/callback
API Response Format
All API responses follow the standardized envelope format:
{
"version": "1.0",
"success": true,
"code": 200,
"message": "Success message",
"request_id": "uuid-v4",
"data": {},
"meta": {}
}
Error responses:
{
"version": "1.0",
"success": false,
"code": 400,
"message": "Error message",
"request_id": "uuid-v4",
"error": {
"type": "VALIDATION_ERROR",
"details": {}
}
}
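A conformance check for the two envelope shapes above, usable in integration tests or a client. This is an added example, not code from the Authy2 repository: the function name `envelope_problems`, the strict key sets, and the rule that `success` must agree with `code` (below 400 or not) are assumptions.

```python
import json
import uuid

# Key sets taken from the two envelope shapes documented above.
SUCCESS_KEYS = {"version", "success", "code", "message", "request_id", "data", "meta"}
ERROR_KEYS = {"version", "success", "code", "message", "request_id", "error"}


def envelope_problems(raw: str) -> list[str]:
    """Return deviations from the documented envelope (empty list = conforms)."""
    try:
        body = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not JSON: {exc.msg}"]
    if not isinstance(body, dict) or not isinstance(body.get("success"), bool):
        return ["top level must be an object with a boolean 'success'"]

    success, problems = body["success"], []
    expected = SUCCESS_KEYS if success else ERROR_KEYS
    if set(body) != expected:  # extra keys are flagged too (assumed strict)
        problems.append(f"keys differ: missing={sorted(expected - set(body))} "
                        f"extra={sorted(set(body) - expected)}")

    # Assumption: 'success' is true exactly when the status code is below 400.
    code = body.get("code")
    if not isinstance(code, int) or isinstance(code, bool) or (code < 400) != success:
        problems.append(f"code {code!r} inconsistent with success={success}")

    # request_id feeds the audit trail, so require a canonical UUID version 4.
    rid = body.get("request_id")
    try:
        parsed = uuid.UUID(rid) if isinstance(rid, str) else None
    except ValueError:
        parsed = None
    if parsed is None or parsed.version != 4 or str(parsed) != rid.lower():
        problems.append("request_id is not a canonical UUID v4")

    err = body.get("error")
    if not success and not (isinstance(err, dict) and isinstance(err.get("type"), str)
                            and isinstance(err.get("details"), dict)):
        problems.append("error must carry a string 'type' and an object 'details'")
    return problems


# Constructed sample response (not captured from a real deployment).
SAMPLE_ERROR = json.dumps({
    "version": "1.0", "success": False, "code": 400, "message": "Error message",
    "request_id": "3f2b8c1e-9d4a-4e7b-a1c3-5f6d7e8a9b0c",
    "error": {"type": "VALIDATION_ERROR", "details": {}}})
```

An error response that also carries a `data` key is reported as a key mismatch, which catches handlers that bypass the shared envelope helper and return extra fields on failure.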
Database Migrations
Create a new migration:
flask db migrate -m "Description of changes"
Apply migrations:
flask db upgrade
Rollback:
flask db downgrade
Environment Configuration
- Development:
FLASK_ENV=development
- Testing:
FLASK_ENV=testing
- Production:
FLASK_ENV=production
Production Deployment
Using Gunicorn
pip install -r requirements/production.txt
gunicorn -w 4 -b 0.0.0.0:8000 wsgi:app
Security Considerations
- All passwords hashed with Bcrypt (12+ rounds in production)
- CORS configured for allowed origins
- Security headers enabled (CSP, HSTS, etc.)
- Rate limiting on sensitive endpoints
- SQL injection protection via SQLAlchemy ORM
- Session management with secure cookies
- Request ID tracking for audit trails
Bootstrap db
python manage.py db upgrade
Running seed
python -m scripts.seed_data
Running flask in dev
FLASK_ENV=development flask run --debug --port 8888
Test creds
OIDC Client
client_id: acme-portal-001
client_secret: acme_secret_portal_2024
User
email: bob@acme-corp.com
password: UserPass123!
Sqlite editor
sqlite_web instance/db_file.db --port 9999 --host 0.0.0.0