Authentication with JWT, Part 1 #188
Status: Open. Wants to merge 24 commits into main.

Conversation

lotif
Collaborator

@lotif lotif commented May 6, 2025

PR Type

Feature

Short Description

Clickup Ticket(s): https://app.clickup.com/t/868ddgvh7

First of all, obligatory "sorry for the long PR" :)

This is the first part of implementing authentication with JWT, which consists of authentication with a default user and password and gatekeeping of the APIs to only authenticated users. The second part will contain the logic and endpoints to change the default password on first access.

On this PR:

  • Front End:
    • Installing additional libraries for token handling, namely crypto and js-cookie.
    • Making a login page with its own layout under the app/login folder.
    • Moving all pages that share the same layout to app/(root)/, according to Next.js naming conventions.
    • On login submit, it will:
      • Encrypt the password with sha256 to avoid transit and storage of plain text password.
      • Submit username and password to api/server/auth/login endpoint.
      • Upon a successful response, save the authentication token as a browser cookie to be used on all future requests.
    • Pass in the authentication token stored in the browser's cookies to all API requests except api/server/auth/login.
    • Redirect the user to the login page if any request returns a 401 code (Unauthorized), which means the token is either expired or does not exist.
    • Adding a password field to the client configuration section when creating a new training job so we can authenticate to the client as well. Hashing the password with sha256 before sending it to the server to avoid transit and storage of plain text passwords.
  • Back End:
    • Installing extra libraries required to implement authentication, namely bcrypt, pyjwt and python-jose.
    • Making new User database entities on both server (User) and client (UserDAO), which will store the username, password and a secret key that will be used to securely sign a JWT token.
    • On service init for both server and client, create a new default admin user (if one does not already exist) with a default password hashed with sha256 and a randomly generated secret key.
    • Making endpoints on both the client and server to issue a token given a successful user and password match.
    • Making check_token functions on both the client and server to check if a given token is valid.
    • Adding the check_token function to the decorators of all endpoints except api/server/auth/login and api/client/auth/login.
    • Adding a hashed_password field to the client to store the hashed password to the database to be used when calling any client endpoints.
    • Adding a dictionary of client tokens to the FastAPI app object to store the tokens issued for all active clients.
    • Before each API call to a client, try to get a valid token from the dictionary; if none is found, send a token request to the client and save the returned token to the dictionary. Once that has been done, send the token in the authorization field of the client request.

Screenshot 2025-05-06 at 13 22 53

Screenshot 2025-05-06 at 13 54 54

Tests Added

Fully unit and integration tested.
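The issue-a-token and check_token flow described in the post, as an added example that is not part of this PR's code: a stdlib-only HS256 implementation against a constructed users table, whereas the PR itself uses pyjwt/python-jose. The function names, the `lookup_secret` callback and the per-user secret key table are assumptions; a route would map a `None` result to the 401 that the front end redirects on.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed users table: username -> per-user random secret key (assumption:
# the real User/UserDAO entities store this next to the sha256-hashed password).
USERS = {"admin": "constructed-secret-key-0123456789abcdef"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(username, secret_key, ttl_seconds=3600, now=None):
    """Issue an HS256 JWT after the password check succeeded (hypothetical name)."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": username, "iat": now, "exp": now + ttl_seconds}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret_key.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def check_token(token, lookup_secret, now=None):
    """Return the username for a valid token, else None (the route turns None into a 401)."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    # Pin the algorithm: the token's own "alg" must never select the verifier.
    if header.get("alg") != "HS256":
        return None
    username = payload.get("sub")
    secret_key = lookup_secret(username) if isinstance(username, str) else None
    if secret_key is None:  # unknown user: no secret to verify against
        return None
    expected = hmac.new(secret_key.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time signature check
        return None
    exp = payload.get("exp")
    return username if isinstance(exp, int) and exp > now else None
```

Because the secret is looked up per user from the `sub` claim, revoking a user's access is a matter of rotating that one secret key, which invalidates every token signed with it.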

@lotif lotif requested a review from emersodb May 6, 2025 18:09

codecov-commenter commented May 6, 2025

Codecov Report

Attention: Patch coverage is 86.01695% with 66 lines in your changes missing coverage. Please review.

Project coverage is 93.09%. Comparing base (1e36281) to head (fa748ca).

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| florist/app/hooks.tsx | 14.63% | 35 Missing ⚠️ |
| florist/app/auth.tsx | 59.37% | 13 Missing ⚠️ |
| florist/app/client_imports.tsx | 21.42% | 11 Missing ⚠️ |
| florist/app/login/page.tsx | 97.00% | 3 Missing ⚠️ |
| florist/api/routes/client/auth.py | 94.44% | 2 Missing ⚠️ |
| florist/api/routes/server/auth.py | 96.15% | 2 Missing ⚠️ |
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #188      +/-   ##
==========================================
- Coverage   93.43%   93.09%   -0.35%     
==========================================
  Files          25       31       +6     
  Lines        2971     3373     +402     
  Branches      162      246      +84     
==========================================
+ Hits         2776     3140     +364     
- Misses        195      233      +38     


@amrit110 amrit110 requested a review from Copilot May 6, 2025 19:56
@Copilot Copilot AI left a comment


Pull Request Overview

This PR implements JWT authentication for both the client and server, secures API endpoints with token checks, and adjusts client‐side asset and import paths to align with Next.js conventions.

  • Updated asset and import paths in front‐end files such as sidebar.tsx, page.tsx, and layout.tsx.
  • Revised jobs hooks and edit pages to handle client password hashing and removed the redundant usePost hook.
  • Enhanced back-end routes to add JWT-based dependency checks and integrated new authentication endpoints for both server and client.

Reviewed Changes

Copilot reviewed 49 out of 49 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| florist/app/(root)/sidebar.tsx, page.tsx, layout.tsx | Updates to asset paths and import statements for consistency with Next.js conventions. |
| florist/app/(root)/jobs/* | Adjusted import paths, updated SWR keys, removed redundant usePost hook, and added client password field and hashing functionality. |
| florist/api/* | Added JWT token dependency checks on routes, integrated new auth endpoints, and set up default user creation with secure secret key generation. |
| florist/api/db/server_entities.py | Introduced a new User entity with secret key generation and methods to fetch and create users in the database. |

Comments suppressed due to low confidence (1)

florist/api/db/server_entities.py:62

  • The function 'jsonable_encoder' is used here but not imported. Please import it from 'fastapi.encoders' (i.e., add 'from fastapi.encoders import jsonable_encoder') to avoid runtime errors.
json_user = jsonable_encoder(self)
