Skip to content

Add bearer token authentication support to DEEPaaS API #198

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
Copilot wants to merge 39 commits into
base: v3-fastapi
Choose a base branch
from
Draft

Add bearer token authentication support to DEEPaaS API #198

Copilot wants to merge 39 commits into from

Conversation

Copy link

Copilot AI commented Sep 26, 2025
edited
Loading

This PR implements bearer token authentication for DEEPaaS API endpoints to address cases where fine-grained authentication is not needed but API access control is required.

Overview

The implementation adds optional bearer token authentication that can be enabled via configuration. When enabled, protected endpoints require a valid Authorization: Bearer <token> header. The feature is backward compatible - authentication is disabled by default and existing deployments continue to work unchanged.

Key Features

🔐 Security Implementation

  • Uses FastAPI's built-in HTTPBearer security scheme following RFC 6750 standards
  • Protects model endpoints (/v2/models/) and predict endpoints (/v2/models/{model}/predict)
  • Public endpoints (root / and version /v2/) remain accessible without authentication
  • Proper HTTP 401 responses with WWW-Authenticate: Bearer headers for unauthorized requests

⚙️ Configuration

The bearer token is configured via the new --auth-bearer-token option:

# Command line
deepaas-run --auth-bearer-token my-secret-token

# Environment variable
export DEEPAAS_AUTH_BEARER_TOKEN=my-secret-token
deepaas-run

# Configuration file
[DEFAULT]
auth_bearer_token = my-secret-token

🔌 API Usage

When authentication is enabled, API clients must include the bearer token:

# Models endpoint
curl -H "Authorization: Bearer my-secret-token" \
     http://localhost:5000/v2/models/

# Predict endpoint
curl -H "Authorization: Bearer my-secret-token" \
     -X POST -F "[email protected]" \
     http://localhost:5000/v2/models/my-model/predict

Implementation Details

New Files

  • deepaas/auth.py - Authentication module with token validation logic (using Sphinx docstring format)
  • deepaas/tests/test_auth.py - Unit tests for authentication functionality
  • deepaas/tests/test_e2e_auth.py - End-to-end API integration tests
  • doc/source/user/authentication.rst - Documentation with usage examples and security considerations (reStructuredText format)

Modified Files

  • deepaas/config.py - Added auth_bearer_token configuration option (marked as secret)
  • deepaas/api/v2/models.py - Added authentication dependency to model endpoints
  • deepaas/api/v2/predict.py - Added authentication dependency to predict endpoints
  • doc/source/user/index.rst - Added authentication documentation to user documentation index

Behavioral Changes

  • When auth_bearer_token is not set (default): All endpoints work as before - no authentication required
  • When auth_bearer_token is set: Model and predict endpoints require valid bearer token, other endpoints remain public
  • Invalid/missing tokens: Return HTTP 401 with appropriate error messages

Testing

Added comprehensive test coverage with 18 new tests:

  • Unit tests for authentication logic (token validation, error handling)
  • Integration tests with FastAPI test client
  • End-to-end API tests covering all authentication scenarios
  • All existing tests continue to pass (36 total tests)

Security Considerations

  • Token is stored as a secret configuration option
  • No performance overhead when authentication is disabled
  • Follows security best practices with proper HTTP status codes and headers
  • Documentation includes security recommendations for production use

This implementation provides a simple but effective authentication mechanism for deployments that need basic API access control without the complexity of fine-grained authorization systems.

Fixes #151

Original prompt

This section details on the original issue you should resolve

<issue_title>Add support for bearer authentication</issue_title>
<issue_description>It would be useful to be able to setup a bearer token system/API keys for authentication, for cases where we do not need fine-grained auth.</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #151

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

@alvarolopez
feat!: start migrating code to fastapi
448e47f
@alvarolopez
fix: remove handling of multiple models
541d20d
@alvarolopez
fix: do not run models in complex process pool
67c08fc
@alvarolopez
feat!: move debug endpoint to FastAPI
af8bccd
@alvarolopez
fix: global variables should be used FIXME
65054d6
@alvarolopez
fix: use get_router() function to get the router
7879564
@alvarolopez
feat!: move models endpoint to FastAPI
c18e85c
@alvarolopez
feat!: move predict method to FastAPI
f14dcfe 
This requires that we change all model args/responses from Marshmallow
to Pydantic. Most of the code is in this change, we can split it later
on two different changes (marshmallow + pydantic and FastAPI for
predict).
@alvarolopez
feat: bump version to v3 to clarify when developing
3bc6183
@alvarolopez
fix: remove old commented aiohttp code
5d156a7
@alvarolopez
fix: remove old testing dependency
67538f3
@alvarolopez
fix: dependencies in tox are not used anymore
89b5ca2
@alvarolopez
fix: use .get_router() function to setup router at API level
a01e496
@alvarolopez
feat: move version habdling to app root router
c52c316
@alvarolopez
fix: warm model according to configuration
438513d
@alvarolopez
fix: honour base_path
1646095
@alvarolopez
fix: allow enabling/disabing docs
491ed15
@alvarolopez
fix: allow disabling training endpoint
f5b35f3
@alvarolopez
feat: add tags to routes
829b967
@alvarolopez
fix: remove commented code
2af32c9
@alvarolopez
fix: include version responses
5e5e6ed
@alvarolopez
fix: comment training responses
1a85c02
@alvarolopez
fix: update some old links to point to AI4EOSC
feff217
@alvarolopez
fix: remove wrong comment
983b416
@alvarolopez
style: make black happy
5d25503
@alvarolopez
feat!: remove /train endpoints for all models
d987476 
After checking with people using the package for a while, the training
methods were not used at all, therefore we are now removing the training
endpoints. This also allows us to have a much more simple codebase.
@alvarolopez
fix: remove unused assignment
a08cf63
@alvarolopez
fix: use correct variable name
9b71271
@alvarolopez
style: change code style and fix linters
9804134
@alvarolopez
fix: improve unit testing
a7b27a7
Copilot AI changed the title [WIP] Add support for bearer authentication Add bearer token authentication support to DEEPaaS API Sep 26, 2025
Copilot AI requested a review from alvarolopez September 26, 2025 10:55
alvarolopez
alvarolopez requested changes Sep 26, 2025
View reviewed changes
Copy link
Collaborator

@alvarolopez alvarolopez left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot please address the changes, and take into account that we use rST for docs.

deepaas/auth.py Outdated
) -> str:
"""Verify the bearer token against the configured token.

Args:
Copy link
Collaborator

@alvarolopez alvarolopez Sep 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot please use sphinx syntax here

Copy link
Author

Copilot AI Sep 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated the docstring to use proper Sphinx syntax with :param:, :type:, :returns:, :rtype:, and :raises: format in commit 288b790.

Copy link
Author

Copilot AI commented Sep 26, 2025

@copilot please address the changes, and take into account that we use rST for docs.

Addressed both changes:

  1. Fixed Sphinx docstring format in deepaas/auth.py
  2. Converted documentation from Markdown to reStructuredText format and moved to doc/source/user/authentication.rst

The documentation is now properly integrated into the Sphinx documentation structure and follows project conventions. Commit 288b790.

@sonarqubecloud
Copy link

sonarqubecloud bot commented Sep 26, 2025

Quality Gate Passed Quality Gate passed

Issues
3 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Copilot AI requested a review from alvarolopez September 26, 2025 11:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alvarolopez alvarolopez Awaiting requested review from alvarolopez

Assignees

@alvarolopez alvarolopez

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@alvarolopez