A secure, robust FastAPI-based two-factor authentication system that provides enhanced security for web applications.
2FASecureGuard is a comprehensive authentication system that implements secure two-factor authentication (2FA) using Time-based One-Time Passwords (TOTP). This project provides a complete authentication flow including user registration, login, and 2FA management through a clean RESTful API.
-
User Management
- Registration with email and password
- Secure password hashing
- JWT-based authentication
-
Two-Factor Authentication
- TOTP-based 2FA (compatible with Google Authenticator, Authy, etc.)
- QR code generation for easy 2FA setup
- 2FA enablement workflow
- 2FA verification during login
- Option to disable 2FA
-
Security
- Password hashing with bcrypt
- JWT token-based authentication
- Protection against brute force attacks
- TOTP verification with pyotp
- FastAPI: High-performance web framework
- SQLite: Lightweight, file-based database
- SQLAlchemy: SQL toolkit and ORM
- PyOTP: Python library for generating and verifying one-time passwords
- JWT: JSON Web Tokens for secure authentication
- Pydantic: Data validation and settings management
- QRCode: QR code generation for TOTP setup
- POST /auth/register - Register a new user
- POST /auth/login - Login (with optional 2FA verification)
- POST /auth/2fa/setup - Initialize 2FA setup (generates QR code)
- POST /auth/2fa/verify - Verify and enable 2FA
- POST /auth/2fa/disable - Disable 2FA for user
-
Create a virtual environment:
python3 -m venv .venv
-
Activate the virtual environment:
-
On macOS/Linux:
source .venv/bin/activate -
On Windows (PowerShell):
.venv\Scripts\Activate
- Install the required dependencies:
pip install -r requirements.txt- Set up environment variables (copy from .env.example):
cp .env.example .env- Configure your secret key and other settings in the .env file:
SECRET_KEY=your_secure_secret_key
ALGORITHM=HS256
- Start the FastAPI server:
uvicorn main:app --reload- Access the API documentation at
http://localhost:8000/docs
- User registers with email and password
- User logs in with credentials
- User initiates 2FA setup through
/auth/2fa/setupendpoint - User scans the provided QR code with authenticator app
- User verifies setup by providing a valid TOTP code to
/auth/2fa/verify - 2FA is now enabled for the user account
- Future login attempts will require both password and TOTP code
import requests
response = requests.post(
"http://localhost:8000/auth/register",
json={"email": "user@example.com", "password": "securepassword"}
)
print(response.json())import requests
# First login attempt - will return 2FA requirement
response = requests.post(
"http://localhost:8000/auth/login",
json={"email": "user@example.com", "password": "securepassword"}
)
# If 2FA is required, submit with TOTP code
if response.json().get("data", {}).get("requires_2fa"):
response = requests.post(
"http://localhost:8000/auth/login",
json={
"email": "user@example.com",
"password": "securepassword",
"otp_code": "123456" # Code from authenticator app
}
)
# Get the JWT token
token = response.json().get("data", {}).get("access_token")Run tests using pytest:
pytestFor more detailed information about the API endpoints, schemas, and usage examples, see the automatically generated Swagger documentation at /docs or ReDoc at /redoc when running the application.
This project is licensed under the MIT License - see the LICENSE file for details.
Created by EmmyAnieDev
Feel free to open issues or submit pull requests!