Skip to content

Add bearer token authentication support to DEEPaaS API#198

Draft
Copilot wants to merge 39 commits intov3-fastapifrom
copilot/fix-b598d608-a289-49a7-936d-7c2129b214a1
Draft

Add bearer token authentication support to DEEPaaS API#198
Copilot wants to merge 39 commits intov3-fastapifrom
copilot/fix-b598d608-a289-49a7-936d-7c2129b214a1

Conversation

Copy link
Copy Markdown

Copilot AI commented Sep 26, 2025
edited
Loading

This PR implements bearer token authentication for DEEPaaS API endpoints to address cases where fine-grained authentication is not needed but API access control is required.

Overview

The implementation adds optional bearer token authentication that can be enabled via configuration. When enabled, protected endpoints require a valid Authorization: Bearer <token> header. The feature is backward compatible - authentication is disabled by default and existing deployments continue to work unchanged.

Key Features

🔐 Security Implementation

  • Uses FastAPI's built-in HTTPBearer security scheme following RFC 6750 standards
  • Protects model endpoints (/v2/models/) and predict endpoints (/v2/models/{model}/predict)
  • Public endpoints (root / and version /v2/) remain accessible without authentication
  • Proper HTTP 401 responses with WWW-Authenticate: Bearer headers for unauthorized requests

⚙️ Configuration

The bearer token is configured via the new --auth-bearer-token option:

# Command line
deepaas-run --auth-bearer-token my-secret-token

# Environment variable
export DEEPAAS_AUTH_BEARER_TOKEN=my-secret-token
deepaas-run

# Configuration file
[DEFAULT]
auth_bearer_token = my-secret-token

🔌 API Usage

When authentication is enabled, API clients must include the bearer token:

# Models endpoint
curl -H "Authorization: Bearer my-secret-token" \
     http://localhost:5000/v2/models/

# Predict endpoint
curl -H "Authorization: Bearer my-secret-token" \
     -X POST -F "data=@image.jpg" \
     http://localhost:5000/v2/models/my-model/predict

Implementation Details

New Files

  • deepaas/auth.py - Authentication module with token validation logic (using Sphinx docstring format)
  • deepaas/tests/test_auth.py - Unit tests for authentication functionality
  • deepaas/tests/test_e2e_auth.py - End-to-end API integration tests
  • doc/source/user/authentication.rst - Documentation with usage examples and security considerations (reStructuredText format)

Modified Files

  • deepaas/config.py - Added auth_bearer_token configuration option (marked as secret)
  • deepaas/api/v2/models.py - Added authentication dependency to model endpoints
  • deepaas/api/v2/predict.py - Added authentication dependency to predict endpoints
  • doc/source/user/index.rst - Added authentication documentation to user documentation index

Behavioral Changes

  • When auth_bearer_token is not set (default): All endpoints work as before - no authentication required
  • When auth_bearer_token is set: Model and predict endpoints require valid bearer token, other endpoints remain public
  • Invalid/missing tokens: Return HTTP 401 with appropriate error messages

Testing

Added comprehensive test coverage with 18 new tests:

  • Unit tests for authentication logic (token validation, error handling)
  • Integration tests with FastAPI test client
  • End-to-end API tests covering all authentication scenarios
  • All existing tests continue to pass (36 total tests)

Security Considerations

  • Token is stored as a secret configuration option
  • No performance overhead when authentication is disabled
  • Follows security best practices with proper HTTP status codes and headers
  • Documentation includes security recommendations for production use

This implementation provides a simple but effective authentication mechanism for deployments that need basic API access control without the complexity of fine-grained authorization systems.

Fixes #151

Original prompt

This section details on the original issue you should resolve

<issue_title>Add support for bearer authentication</issue_title>
<issue_description>It would be useful to be able to setup a bearer token system/API keys for authentication, for cases where we do not need fine-grained auth.</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #151

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

@alvarolopez
feat!: start migrating code to fastapi
448e47f
@alvarolopez
fix: remove handling of multiple models
541d20d
@alvarolopez
fix: do not run models in complex process pool
67c08fc
@alvarolopez
feat!: move debug endpoint to FastAPI
af8bccd
@alvarolopez
fix: global variables should be used FIXME
65054d6
@alvarolopez
fix: use get_router() function to get the router
7879564
@alvarolopez
feat!: move models endpoint to FastAPI
c18e85c
@alvarolopez
feat!: move predict method to FastAPI
f14dcfe 
This requires that we change all model args/responses from Marshmallow
to Pydantic. Most of the code is in this change, we can split it later
on two different changes (marshmallow + pydantic and FastAPI for
predict).
@alvarolopez
feat: bump version to v3 to clarify when developing
3bc6183
@alvarolopez
fix: remove old commented aiohttp code
5d156a7
@alvarolopez
fix: remove old testing dependency
67538f3
@alvarolopez
fix: dependencies in tox are not used anymore
89b5ca2
@alvarolopez
fix: use .get_router() function to setup router at API level
a01e496
@alvarolopez
feat: move version habdling to app root router
c52c316
@alvarolopez
fix: warm model according to configuration
438513d
@alvarolopez
fix: honour base_path
1646095
@alvarolopez
fix: allow enabling/disabing docs
491ed15
@alvarolopez
fix: allow disabling training endpoint
f5b35f3
@alvarolopez
feat: add tags to routes
829b967
@alvarolopez
fix: remove commented code
2af32c9
@alvarolopez
fix: include version responses
5e5e6ed
@alvarolopez
fix: comment training responses
1a85c02
@alvarolopez
fix: update some old links to point to AI4EOSC
feff217
@alvarolopez
fix: remove wrong comment
983b416
@alvarolopez
style: make black happy
5d25503
@alvarolopez
feat!: remove /train endpoints for all models
d987476 
After checking with people using the package for a while, the training
methods were not used at all, therefore we are now removing the training
endpoints. This also allows us to have a much more simple codebase.
@alvarolopez
fix: remove unused assignment
a08cf63
@alvarolopez
fix: use correct variable name
9b71271
@alvarolopez
style: change code style and fix linters
9804134
@alvarolopez
fix: improve unit testing
a7b27a7
Copilot AI and others added 3 commits September 26, 2025 10:44
@alvarolopez
Initial exploration of DEEPaaS codebase for bearer authentication imp…
f09be96 
…lementation

Co-authored-by: alvarolopez <468751+alvarolopez@users.noreply.github.com>
@alvarolopez
Add bearer token authentication support to DEEPaaS
0eb0251 
Co-authored-by: alvarolopez <468751+alvarolopez@users.noreply.github.com>
@alvarolopez
Fix code style issues in bearer authentication implementation
6faf8a0 
Co-authored-by: alvarolopez <468751+alvarolopez@users.noreply.github.com>
Copilot AI changed the title [WIP] Add support for bearer authentication Add bearer token authentication support to DEEPaaS API Sep 26, 2025
Copilot AI requested a review from alvarolopez September 26, 2025 10:55
alvarolopez
alvarolopez requested changes Sep 26, 2025
View reviewed changes
Copy link
Copy Markdown
Collaborator

@alvarolopez alvarolopez left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot please address the changes, and take into account that we use rST for docs.

Comment thread deepaas/auth.py Outdated
) -> str:
"""Verify the bearer token against the configured token.

Args:
Copy link
Copy Markdown
Collaborator

@alvarolopez alvarolopez Sep 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot please use sphinx syntax here

Copy link
Copy Markdown
Author

Copilot AI Sep 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated the docstring to use proper Sphinx syntax with :param:, :type:, :returns:, :rtype:, and :raises: format in commit 288b790.

@alvarolopez
Address review feedback: Use Sphinx docstring format and convert docs…
288b790 
… to reStructuredText

Co-authored-by: alvarolopez <468751+alvarolopez@users.noreply.github.com>
Copy link
Copy Markdown
Author

Copilot AI commented Sep 26, 2025

@copilot please address the changes, and take into account that we use rST for docs.

Addressed both changes:

  1. Fixed Sphinx docstring format in deepaas/auth.py
  2. Converted documentation from Markdown to reStructuredText format and moved to doc/source/user/authentication.rst

The documentation is now properly integrated into the Sphinx documentation structure and follows project conventions. Commit 288b790.

@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented Sep 26, 2025

Quality Gate Passed Quality Gate passed

Issues
3 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Copilot AI requested a review from alvarolopez September 26, 2025 11:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alvarolopez alvarolopez Awaiting requested review from alvarolopez

Assignees

@alvarolopez alvarolopez

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@alvarolopez