clamesys/Secure-Authentication-System

Secure Authentication System (SAS)

A professional-grade authentication system implementing secure user registration, login, and session management with JWT.

Features

  • Secure user registration with password hashing
  • JWT-based authentication
  • Session management
  • Role-based access control
  • Password reset functionality
  • Protection against common security vulnerabilities
  • Modern interactive UI: Login, Signup, and Dashboard pages

Technologies

  • Python (Flask)
  • PostgreSQL
  • JWT Authentication
  • Bcrypt password hashing (bcrypt is a salted, adaptive hash, not an encryption scheme; stored hashes cannot be turned back into passwords)
  • HTML, CSS, JavaScript (for frontend UI)

Screenshots

[Screenshot: Login Page]

[Screenshot: Dashboard Page]

Secure Authentication System - Setup Guide

This document provides step-by-step instructions to set up and run the Secure Authentication System.

Prerequisites

  • Python 3.8 or higher
  • PostgreSQL (portable or installed version)
  • pip (Python package manager)

Project Structure

SAS/
├── app/                  # Application package
│   ├── config/           # Configuration files
│   ├── models/           # Database models
│   ├── routes/           # API routes
│   ├── templates/        # HTML templates
│   ├── static/           # Static files
│   ├── utils/            # Utility functions
│   └── database.py       # Database connection
├── app.py                # Main application entry point
├── init_db.py            # Database initialization script
├── create_admin.py       # Admin user creation script
├── setup.py              # Setup script
├── requirements.txt      # Python dependencies
├── start_postgres.bat    # PostgreSQL startup script (Windows)
├── test_api.py           # API testing script
└── README.md             # Project README

Setup Instructions

1. Configure PostgreSQL

If you're using PostgreSQL portable:

  1. Edit start_postgres.bat and update the PGBIN path to point to your PostgreSQL bin directory
  2. Run start_postgres.bat to start the PostgreSQL server
  3. Note: You may need to create a user and password that match the ones in your .env file

If you're using installed PostgreSQL:

  1. Make sure PostgreSQL is running
  2. Create a new database called sas_db or use an existing one and update the connection string in .env

2. Create Environment File

Create a .env file in the project root with the following content (the two secret values are placeholders and must be replaced):

SECRET_KEY=your_secret_key_here
JWT_SECRET_KEY=your_jwt_secret_key_here
DATABASE_URL=postgresql://postgres:postgres@localhost:5432/sas_db
FLASK_ENV=development

Alternatively, run python setup.py, which creates this file for you with random secret keys. Use two different, long random values for SECRET_KEY and JWT_SECRET_KEY: anyone who holds JWT_SECRET_KEY can mint a valid token for any user and role. The DATABASE_URL above uses the default postgres/postgres credentials and FLASK_ENV=development enables the Flask debugger, so change both before exposing the application beyond your own machine, and keep .env out of version control.

3. Install Dependencies

pip install -r requirements.txt

4. Initialize the Database

python init_db.py

5. Create an Admin User (Optional but Recommended)

python create_admin.py <username> <email> <password>

Example:

python create_admin.py admin admin@example.com Admin123!

Alternatively, you can run python setup.py, which will guide you through the admin user creation process. A password passed on the command line as above also ends up in your shell history and is visible in the process list while the script runs; the interactive setup.py route avoids that.
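The admin-creation step above is the first place a password enters the system, and the Security Features section later lists "strong password validation" and bcrypt hashing without spelling out either. The following is an added example, not code from the SAS project, showing the two checks a registration or create_admin path should perform: a policy check that returns every violation at once, and a salted, iterated hash with a self-describing storage format plus a constant-time verify. SAS uses bcrypt; this stand-alone version swaps in hashlib.pbkdf2_hmac from the standard library so it runs with no extra packages. The policy rules, the constructed denylist, the storage format and all names below are this example's assumptions.

```python
"""Password policy check plus salted, iterated password hashing.

Added example for this README, not code from the SAS project. The project
hashes with bcrypt; this stand-alone version uses hashlib.pbkdf2_hmac from
the standard library so it runs without extra packages. The policy rules,
the storage format and the names below are this example's assumptions.
"""
import hashlib
import hmac
import secrets
import string

# Assumed policy: the README says "strong password validation" but does not
# list the rules, so these are illustrative.
MIN_LENGTH = 8
# Constructed denylist of a few common passwords; a real deployment would
# load a large breached-password list instead.
COMMON_PASSWORDS = {"password", "password1", "admin123", "qwerty123", "letmein"}

DEFAULT_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor in the OWASP-recommended range


def validate_password(password: str, username: str = "") -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"must be at least {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("needs a lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("needs an uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("needs a digit")
    if not any(c in string.punctuation for c in password):
        problems.append("needs a symbol")
    if any(c.isspace() for c in password):
        problems.append("must not contain whitespace")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("is too common")
    if username and username.lower() in password.lower():
        problems.append("must not contain the username")
    return problems


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Hash with a fresh 16-byte random salt; the stored string records its own parameters."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters from the stored string and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
    except ValueError:  # wrong field count, bad hex, non-numeric iterations
        return False


def needs_rehash(stored: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a stored hash was made with a weaker work factor than current policy,
    so the login path can transparently re-hash after a successful verify."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < iterations


if __name__ == "__main__":
    # "Admin123!" is the README's own example; note it contains the username "admin".
    for pw in ["Admin123!", "admin123", "Ab1!"]:
        print(pw, validate_password(pw, username="admin") or "ok")
    stored = hash_password("Admin123!")
    print(verify_password("Admin123!", stored), verify_password("Admin123", stored))
```

Returning every violation at once (rather than the first) lets the signup page show the user the whole list in one round trip; the username rule is the one the README's example password Admin123! would trip, which is worth knowing before you reuse that value anywhere but a throwaway local database.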

6. Run the Application

python app.py

The application will start and be available at http://localhost:5000

Testing the API

To test the API endpoints, run:

python test_api.py

This will execute a series of tests for registration, login, profile retrieval, and token refresh.

API Endpoints

  • POST /api/auth/register - User registration
  • POST /api/auth/login - User login
  • GET /api/auth/me - Get user profile (protected)
  • POST /api/auth/refresh - Refresh access token
  • POST /api/auth/logout - Logout user
  • GET /api/user/ - Get all users (admin only)
  • GET /api/user/{id} - Get user by ID
  • PUT /api/user/{id} - Update user by ID
  • DELETE /api/user/{id} - Delete user by ID (admin only)

The list above does not say who may read or update another user's record through GET and PUT /api/user/{id}. Before exposing the API, check that the handlers in app/routes only let a non-admin caller reach the ID that matches their own token.

Security Features

This authentication system implements several security best practices:

  1. Password hashing with bcrypt (salted, with an adjustable work factor)
  2. JWT-based authentication
  3. Token expiration and refresh mechanism (short-lived access tokens, renewed through a separate refresh token)
  4. Role-based access control (admin-only endpoints)
  5. Protection against common security vulnerabilities
  6. Strong password validation
  7. Secure HTTP headers (in production)
  8. Login, signup and dashboard flows handled through the web UI
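The list above names the token mechanics (JWT, expiry, refresh, roles) that the /api/auth/* and /api/user/* endpoints rely on, and the changelog further down contrasts localStorage with HttpOnly cookies for holding the token. The block below is an added example, not the SAS project's code (SAS uses a Flask JWT library; this is a standard-library HS256 implementation written so the checks are visible). It issues an access/refresh pair at login, verifies signature and expiry before trusting any claim, pins the algorithm server-side, only lets a refresh token mint a new access token and re-reads the role from the user table when it does, enforces an admin-only guard, and builds the Set-Cookie header for the HttpOnly alternative. The claim names type and role, the lifetimes, the in-memory USERS table and all function names are this example's assumptions.

```python
"""HS256 JWT issue/verify/refresh with a role check and an HttpOnly cookie header.

Added example for this README, not the project's own code (SAS uses a Flask
JWT library). Standard library only. The claim names ``type``/``role``, the
lifetimes and the in-memory user table are this example's assumptions.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

ACCESS_TTL = 15 * 60            # assumed: short-lived access token
REFRESH_TTL = 7 * 24 * 60 * 60  # assumed: longer-lived refresh token

# Constructed user table standing in for the PostgreSQL users table.
USERS = {"1": {"username": "admin", "role": "admin"},
         "2": {"username": "alice", "role": "user"}}


class TokenError(Exception):
    """Raised for any token that must not be accepted."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(claims: dict, key: bytes) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_jwt(token: str, key: bytes, now: float = None) -> dict:
    """Verify signature and expiry before trusting any claim."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(header_b64))
        sig = _unb64url(sig_b64)
    except (ValueError, binascii.Error):
        raise TokenError("malformed token")
    # Pin the algorithm server-side; never let the header choose it (alg=none, key confusion).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unsupported alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenError("bad signature")
    claims = json.loads(_unb64url(payload_b64))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise TokenError("expired")
    return claims


def issue_tokens(user_id: str, key: bytes, now: float = None) -> dict:
    """Login response: the access token carries the role, the refresh token does not.
    The refresh token's jti is what a logout endpoint would deny-list."""
    now = int(time.time() if now is None else now)
    access = {"sub": user_id, "type": "access", "role": USERS[user_id]["role"],
              "iat": now, "exp": now + ACCESS_TTL}
    refresh = {"sub": user_id, "type": "refresh", "jti": secrets.token_hex(16),
               "iat": now, "exp": now + REFRESH_TTL}
    return {"access_token": encode_jwt(access, key), "refresh_token": encode_jwt(refresh, key)}


def refresh_access(refresh_token: str, key: bytes, now: float = None) -> str:
    """Refresh step: only a refresh token may mint a new access token, and the role
    is re-read from the user table so a revoked privilege does not outlive the old token."""
    claims = decode_jwt(refresh_token, key, now)
    if claims.get("type") != "refresh":
        raise TokenError("not a refresh token")
    now = int(time.time() if now is None else now)
    access = {"sub": claims["sub"], "type": "access", "role": USERS[claims["sub"]]["role"],
              "iat": now, "exp": now + ACCESS_TTL}
    return encode_jwt(access, key)


def authorize(access_token: str, key: bytes, required_role: str = None, now: float = None) -> dict:
    """Guard for protected routes; pass required_role="admin" for admin-only ones."""
    claims = decode_jwt(access_token, key, now)
    if claims.get("type") != "access":
        raise TokenError("not an access token")
    if required_role is not None and claims.get("role") != required_role:
        raise TokenError("forbidden")
    return claims


def cookie_header(name: str, token: str, max_age: int) -> str:
    """Set-Cookie value that keeps a token out of reach of page scripts
    (the HttpOnly alternative to localStorage)."""
    return f"{name}={token}; Max-Age={max_age}; Path=/; HttpOnly; Secure; SameSite=Strict"


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # stands in for JWT_SECRET_KEY from .env
    tokens = issue_tokens("2", key)
    print(authorize(tokens["access_token"], key))
    print(cookie_header("access_token", refresh_access(tokens["refresh_token"], key), ACCESS_TTL))
```

The three rejections worth testing against any JWT library you adopt are the same ones this code makes explicit: a refresh token presented where an access token is expected, an access token presented to the refresh endpoint, and a payload edited after signing (for example a role bumped to admin), which must fail on the signature check before the role is ever read.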

Common Issues

  1. PostgreSQL Connection Issues

    • Make sure PostgreSQL is running and accessible
    • Check that the port, username, and password match your configuration
  2. Admin Access Issues

    • If you can't access admin endpoints, make sure you created an admin user
    • Verify that you're using the correct JWT token with admin privileges

Usage

  • Visit /login to log in, or /signup to register a new account.
  • After login, you'll be redirected to /dashboard where you can:
    • View your JWT tokens
    • Refresh your access token
    • View your user profile
    • (If admin) View all users
    • Logout


Changelog

  • Removed Swagger UI and static API dashboard
  • Added interactive login and signup pages
  • Added a modern dashboard page for JWT and user management
  • All authentication and user management can now be done through the web UI
  • Admins can view all users from the dashboard
  • JWT is managed in the frontend (localStorage for the demo; move it to HttpOnly cookies before any real deployment, since any script running on the page, including one injected through XSS, can read localStorage and exfiltrate the tokens)

About

Implement a secure login system with JWT authentication and bcrypt password hashing.
