Chapter 37: Capstone Build Plan
Build RecipeVault in slices. Each slice should have code, tests, and a visible result.
Slice 1: Project Skeleton
- Create pyproject.toml.
- Add FastAPI, Uvicorn, Pydantic, pytest, and HTTPX.
- Add src/recipevault/main.py.
- Add /health.
- Add the first test.
Slice 2: Recipe API
- Add create, list, get, update, and delete endpoints.
- Use Pydantic create/read/update models.
- Use in-memory storage only for this slice.
- Add validation tests and OpenAPI inspection.
Slice 3: Database
- Add SQLAlchemy models.
- Add session dependency.
- Add Alembic migrations.
- Replace in-memory storage with repositories.
- Add repository tests.
Slice 4: Server-Rendered Pages
- Add Jinja2 templates.
- Add recipe list, detail, create, and edit pages.
- Redirect after successful form posts.
- Render validation errors.
Slice 5: Authentication
- Add users table.
- Add password hashing.
- Add login/logout pages.
- Add current user dependency.
- Add secure session cookies.
Slice 6: Authorization
- Add owner checks for editing recipes.
- Add admin role.
- Add route-level and service-level authorization tests.
Slice 7: API Bearer Tokens
- Add token endpoint.
- Add JWT validation dependency.
- Protect write API endpoints.
- Add token expiration tests.
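The validation and expiration checks in Slice 7, as an added example that is not part of the original guide: a standard-library HS256 validator standing in for whichever JWT library the project adopts. The names `issue_token`, `validate_token`, and `TokenError` are assumptions; the injectable `now` argument is what lets an expiration test control the clock, and in RecipeVault the validator would sit behind a FastAPI dependency.

```python
import base64, hashlib, hmac, json, time

class TokenError(Exception):
    """Raised for any token the API must reject."""

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(key: bytes, signing_input: str) -> str:
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256)
    return b64url(mac.digest())

def issue_token(key: bytes, subject: str, ttl_seconds: int, now=None) -> str:
    """Issue an HS256 token; `now` is injectable so tests control the clock."""
    issued = int(time.time() if now is None else now)
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": subject, "iat": issued, "exp": issued + ttl_seconds}
    body = f"{header}.{b64url(json.dumps(claims).encode())}"
    return f"{body}.{sign(key, body)}"

def validate_token(key: bytes, token: str, now=None) -> dict:
    """Return the claims or raise TokenError. The signature is checked first."""
    current = time.time() if now is None else now
    try:
        header_b64, claims_b64, signature = token.split(".")
        expected = sign(key, f"{header_b64}.{claims_b64}")
        # Constant-time comparison, before any claim is parsed or trusted.
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            raise TokenError("bad signature")
        header = json.loads(unb64url(header_b64))
        claims = json.loads(unb64url(claims_b64))
    except ValueError as exc:  # wrong segment count, bad base64, bad JSON
        raise TokenError("malformed token") from exc
    # Pin the algorithm on the server side; never let the header choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected algorithm")
    if not isinstance(claims, dict):
        raise TokenError("malformed claims")
    exp = claims.get("exp")
    # A token without a numeric exp is rejected rather than treated as eternal.
    if not isinstance(exp, (int, float)) or current >= exp:
        raise TokenError("token expired or missing exp")
    return claims
```
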
Slice 8: Security Hardening
- Add CSRF protection for browser forms.
- Add secure cookie settings.
- Add trusted host and CORS configuration.
- Add rate limiting for login.
- Review error handling.
Slice 9: Observability
- Add structured logging.
- Add request ID middleware.
- Add health and readiness endpoints.
- Add error tracking integration.
Slice 10: Background Work
- Add export request endpoint.
- Queue export job.
- Store export status.
- Download completed CSV.
Slice 11: Deployment
- Add container file.
- Add production settings documentation.
- Add migration command.
- Add smoke test.
Slice 12: Final Testing Pass
- Unit tests for domain rules.
- Integration tests for API flows.
- Web tests for form workflows.
- Authorization regression tests.
- OpenAPI contract review.
Python Web Ecosystem Map
| If you need... | Start with... | Notes |
|---|---|---|
| API-first service | FastAPI | Best default for this guide |
| Traditional server-rendered app with admin | Django | Strong integrated defaults |
| Tiny custom app or extension point | Flask | Simple, but you assemble more pieces |
| Typed validation | Pydantic | Used heavily by FastAPI |
| ORM and SQL control | SQLAlchemy | Explicit and powerful |
| Integrated ORM plus admin | Django ORM | Best inside Django projects |
| Durable workers | Celery, Dramatiq, ARQ | Choose based on infrastructure |
| HTTP clients | HTTPX | Sync and async APIs |
| Tests | pytest | Dominant Python testing style |
Recommended Learning Order
- Build FastAPI endpoints with Pydantic models.
- Learn dependencies and request-scoped database sessions.
- Learn SQLAlchemy 2.x and Alembic.
- Add Jinja2 templates for server-rendered pages.
- Add authentication and authorization.
- Add security hardening for browser workflows.
- Add tests at domain, service, route, and database levels.
- Add deployment and observability.
- Learn Django separately so you can recognize when integrated conventions beat assembling pieces yourself.
Source Notes
This guide is an original Python learning path organized around ASP.NET Core concepts. The chapter order mirrors an ASP.NET Core study sequence, but the explanations, examples, and recommendations are Python-specific.
Primary references used for ecosystem alignment:
- FastAPI documentation: https://fastapi.tiangolo.com/
- Pydantic documentation: https://docs.pydantic.dev/
- SQLAlchemy documentation: https://docs.sqlalchemy.org/
- Alembic documentation: https://alembic.sqlalchemy.org/
- Django security documentation: https://docs.djangoproject.com/en/5.2/topics/security/
- Python Packaging User Guide: https://packaging.python.org/