Chapter 23: Authentication

ASP.NET Core Identity is a complete membership system. FastAPI does not ship an equivalent. You choose:

• Use an external identity provider such as Auth0, Entra ID, Cognito, Clerk, or FusionAuth.
• Use a library such as fastapi-users when it fits.
• Build a small local account system when requirements are modest.
• Use Django if you want integrated auth, admin, sessions, permissions, and forms.

For RecipeVault, build a modest local account system so you understand the moving parts.

Password rules:

• Store password hashes, never passwords.
• Use Argon2id or bcrypt through a maintained password hashing library.
• Use secure random reset tokens with expiration.
• Rate-limit login and reset attempts.
• Rotate session identifiers on login.

Session login flow for browser UI:

1. User posts email and password.
2. Handler loads user by normalized email.
3. Password hash is verified.
4. Session cookie stores a server-side or signed session identifier.
5. Current user dependency loads the user for each request.

FastAPI can use Starlette's session middleware, but serious production systems often use server-side session storage or external identity providers.