Authentication System

Security Notice

Authentication is not yet implemented in the current version. TradeEntry v1.x is designed for single-user or trusted local network use only. Do not expose the backend to the public internet without adding authentication.

Current State (v1.x)

No authentication required for any API endpoints
All data is accessible to anyone who can reach the server
Intended for use on a local machine or private VPN

Planned: JWT Authentication (v2.0)

Flow

Login Request
    │ POST /api/auth/login { username, password }
    ▼
FastAPI validates credentials against user table
    │
    ▼
Returns { access_token, refresh_token }
    │
    ▼
Frontend stores access_token in memory (not localStorage)
    │
    ▼
All API requests: Authorization: Bearer <access_token>
    │
    ▼
FastAPI JWT middleware validates token on each request

Planned Endpoints

Endpoint	Description
`POST /api/auth/login`	Issue JWT tokens
`POST /api/auth/refresh`	Refresh expired access token
`POST /api/auth/logout`	Invalidate refresh token
`GET /api/auth/me`	Get current user profile

User Roles

Role	Permissions
`admin`	Full access including user management
`trader`	Trade entry, reports, bhav download
`viewer`	Read-only access to charts and reports

Technology

python-jose for JWT signing (HS256)
passlib for password hashing (bcrypt)
FastAPI Depends for route protection

Planned for v2.0. See Roadmap.

Current State (v1.x)​

Planned: JWT Authentication (v2.0)​

Flow​

Planned Endpoints​

User Roles​

Technology​