feat: #2 enhance password handling with SecretStr

jotaherrera · jotaherrera · commit aceeccaf1e7b · 2026-01-31T18:51:40.000-05:00
- Update password fields across models and schemas
   to use SecretStr
- Introduce PasswordStr and PasswordStrOptional types
  for consistent validation.
- Modify token handling to return SecretStr for access
  tokens.
- Update tests to reflect changes in password handling
  and validation.
diff --git a/app/api/v1/endpoints/token.py b/app/api/v1/endpoints/token.py
@@ -1,6 +1,7 @@
 from datetime import timedelta
 
 from fastapi import APIRouter
+from pydantic import SecretStr
 
 from app.api.v1.schemas.token import TokenRequest, TokenResponse
 from app.core.security import create_access_token
@@ -24,4 +25,4 @@ async def get_access_token(db: DbSession, login_request: TokenRequest) -> TokenR
         expires_delta=timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES),
     )
 
-    return TokenResponse(token=access_token, type="Bearer")
+    return TokenResponse(token=SecretStr(access_token), type="Bearer")
diff --git a/app/api/v1/schemas/token.py b/app/api/v1/schemas/token.py
@@ -1,13 +1,15 @@
 from typing import Literal
 
-from pydantic import BaseModel, EmailStr
+from pydantic import BaseModel, EmailStr, SecretStr
+
+from app.fields import PasswordStr
 
 
 class TokenRequest(BaseModel):
     email: EmailStr
-    password: str
+    password: PasswordStr
 
 
 class TokenResponse(BaseModel):
-    token: str
+    token: SecretStr
     type: Literal["Bearer"]
diff --git a/app/api/v1/schemas/user.py b/app/api/v1/schemas/user.py
@@ -2,6 +2,7 @@
 
 from pydantic import BaseModel, ConfigDict, EmailStr
 
+from app.fields import PasswordStr
 from app.operations.user.schemas import UserBase, UserCreateBase
 
 
@@ -26,4 +27,4 @@ class UsersResponse(BaseModel):
 
 class UserLogin(BaseModel):
     email: EmailStr
-    password: str
+    password: PasswordStr
diff --git a/app/config.py b/app/config.py
@@ -1,6 +1,6 @@
 from functools import lru_cache
 
-from pydantic import BaseModel
+from pydantic import BaseModel, SecretStr
 from pydantic_settings import BaseSettings, SettingsConfigDict
 from sqlalchemy.engine.url import URL
 
@@ -9,13 +9,13 @@ class AppSettings(BaseModel):
     name: str = "pluto"
     debug: bool = False
     version: str = "0.1.0"
-    jwt_secret: str
+    jwt_secret: SecretStr
 
 
 class DatabaseSettings(BaseModel):
     name: str = "pluto"
     user: str
-    password: str
+    password: SecretStr
     host: str = "localhost"
     port: int = 5432
 
@@ -24,7 +24,7 @@ def url(self) -> URL:
         return URL.create(
             drivername="postgresql",
             username=self.user,
-            password=self.password,
+            password=self.password.get_secret_value(),
             host=self.host,
             port=self.port,
             database=self.name,
diff --git a/app/core/security.py b/app/core/security.py
@@ -21,12 +21,20 @@ def create_access_token(
     expires = datetime.now(UTC) + expires_delta
     to_encode.update({"exp": expires})
 
-    return jwt.encode(payload=to_encode, key=get_settings().app.jwt_secret, algorithm=ALGORITHM)
+    return jwt.encode(
+        payload=to_encode,
+        key=get_settings().app.jwt_secret.get_secret_value(),
+        algorithm=ALGORITHM,
+    )
 
 
 def decode_token(token: str) -> dict[str, Any]:
     try:
-        return jwt.decode(token.strip(), key=get_settings().app.jwt_secret, algorithms=ALGORITHM)
+        return jwt.decode(
+            token.strip(),
+            key=get_settings().app.jwt_secret.get_secret_value(),
+            algorithms=ALGORITHM,
+        )
     except jwt.InvalidTokenError as err:
         raise UnauthorizedError(detail="Could not validate credentials") from err
 
diff --git a/app/database/seeders/create_super_user.py b/app/database/seeders/create_super_user.py
@@ -1,6 +1,7 @@
 import logging
 import os
 
+from pydantic import SecretStr
 from sqlalchemy.orm import Session
 
 from app.operations.role import crud as crud_role
@@ -37,7 +38,7 @@ def create_super_user(db: Session) -> None:
 
     user = UserCreate(
         email=email,
-        password=password,
+        password=SecretStr(password),
         name=name,
         last_name=last_name,
         role_id=admin_role.id,
diff --git a/app/dependencies/auth.py b/app/dependencies/auth.py
@@ -2,6 +2,7 @@
 
 from fastapi.params import Depends
 from fastapi.security import OAuth2PasswordBearer
+from pydantic import SecretStr
 
 from app.core.security import decode_token, verify_password
 from app.database.session import DbSession
@@ -12,12 +13,12 @@
 oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token")
 
 
-def authenticate_user(db: DbSession, email: str, password: str) -> User | None:
+def authenticate_user(db: DbSession, email: str, password: SecretStr) -> User | None:
     db_user = crud_user.get_user_by_email(db, email)
     if db_user is None:
         return None
 
-    if not verify_password(password, db_user.password):
+    if not verify_password(password.get_secret_value(), db_user.password):
         return None
 
     return db_user
diff --git a/app/fields.py b/app/fields.py
@@ -0,0 +1,12 @@
+from typing import Annotated
+
+from pydantic import Field, SecretStr
+
+# Password constraints used for user-facing password fields (login, registration, update).
+PASSWORD_MIN_LENGTH = 8
+PASSWORD_MAX_LENGTH = 64
+
+PasswordStr = Annotated[
+    SecretStr,
+    Field(min_length=PASSWORD_MIN_LENGTH, max_length=PASSWORD_MAX_LENGTH),
+]
diff --git a/app/operations/user/crud.py b/app/operations/user/crud.py
@@ -18,7 +18,7 @@ def get_user_by_email(db: Session, email: str) -> User | None:
 
 
 def create_user(db: Session, user: UserCreate) -> User:
-    hashed_password = hash_password(user.password)
+    hashed_password = hash_password(user.password.get_secret_value())
     db_user = User(**user.model_dump(exclude={"password"}), password=hashed_password)
 
     db.add(db_user)
diff --git a/app/operations/user/schemas.py b/app/operations/user/schemas.py
@@ -1,5 +1,7 @@
 from pydantic import BaseModel, EmailStr
 
+from app.fields import PasswordStr
+
 
 class UserBase(BaseModel):
     email: EmailStr
@@ -8,7 +10,7 @@ class UserBase(BaseModel):
 
 
 class UserCreateBase(UserBase):
-    password: str
+    password: PasswordStr
 
 
 class UserCreate(UserCreateBase):
@@ -18,7 +20,7 @@ class UserCreate(UserCreateBase):
 
 class UserUpdate(BaseModel):
     email: EmailStr | None = None
-    password: str | None = None
+    password: PasswordStr | None = None
     name: str | None = None
     last_name: str | None = None
     role_id: int | None = None
diff --git a/tests/app/api/v1/schemas/test_token.py b/tests/app/api/v1/schemas/test_token.py
@@ -1,12 +1,12 @@
 import pytest
-from pydantic import ValidationError
+from pydantic import SecretStr, ValidationError
 
 from app.api.v1.schemas.token import TokenRequest
 
 
 def test_token_request_invalid_email() -> None:
     with pytest.raises(ValidationError) as ex:
-        TokenRequest(email="not-a-valid-email.com", password="test-password")  # noqa: S106
+        TokenRequest(email="not-a-valid-email.com", password=SecretStr("test-password"))
 
     errors = ex.value.errors()
     assert len(errors) == 1
diff --git a/tests/app/api/v1/schemas/test_user.py b/tests/app/api/v1/schemas/test_user.py
@@ -1,12 +1,12 @@
 import pytest
-from pydantic import ValidationError
+from pydantic import SecretStr, ValidationError
 
 from app.api.v1.schemas.user import UserLogin
 
 
 def test_user_login_invalid_email() -> None:
     with pytest.raises(ValidationError) as ex:
-        UserLogin(email="not-a-valid-email.com", password="test-password")  # noqa: S106
+        UserLogin(email="not-a-valid-email.com", password=SecretStr("test-password"))
 
     errors = ex.value.errors()
     assert len(errors) == 1
diff --git a/tests/app/core/test_security.py b/tests/app/core/test_security.py
@@ -30,7 +30,7 @@ def test_create_access_token() -> None:
 
     decoded_token = jwt.decode(
         token.strip(),
-        key=get_settings().app.jwt_secret,
+        key=get_settings().app.jwt_secret.get_secret_value(),
         algorithms=ALGORITHM,
     )
 
@@ -50,7 +50,11 @@ def test_decode_token() -> None:
         "sub": user_id,
         "exp": expires,
     }
-    token = jwt.encode(payload=to_encode, key=get_settings().app.jwt_secret, algorithm=ALGORITHM)
+    token = jwt.encode(
+        payload=to_encode,
+        key=get_settings().app.jwt_secret.get_secret_value(),
+        algorithm=ALGORITHM,
+    )
 
     decoded_token = decode_token(token)
 
diff --git a/tests/app/dependencies/test_auth.py b/tests/app/dependencies/test_auth.py
@@ -1,4 +1,5 @@
 import pytest
+from pydantic import SecretStr
 from sqlalchemy.orm import Session
 
 from app.core.security import create_access_token
@@ -10,13 +11,17 @@
 def test_authenticate_user(db_session: Session) -> None:
     password = "test-password"  # noqa: S105
     user = UserFactory.create(password=password)
-    authenticated_user = authenticate_user(db_session, user.email, password)
+    authenticated_user = authenticate_user(db_session, user.email, SecretStr(password))
 
     assert authenticated_user is not None
 
 
 def test_authenticate_user_non_existent_user(db_session: Session) -> None:
-    authenticated_user = authenticate_user(db_session, "wrong-email@mail.com", "wrong-password")
+    authenticated_user = authenticate_user(
+        db_session,
+        "wrong-email@mail.com",
+        SecretStr("wrong-password"),
+    )
 
     assert authenticated_user is None
 
@@ -25,7 +30,7 @@ def test_authenticate_user_wrong_password(db_session: Session) -> None:
     password = "test-password"  # noqa: S105
     user = UserFactory.create(password=password)
 
-    authenticated_user = authenticate_user(db_session, user.email, "wrong-password")
+    authenticated_user = authenticate_user(db_session, user.email, SecretStr("wrong-password"))
 
     assert authenticated_user is None
 
diff --git a/tests/app/operations/user/test_crud.py b/tests/app/operations/user/test_crud.py
@@ -1,3 +1,4 @@
+from pydantic import SecretStr
 from sqlalchemy.orm import Session
 
 from app.core.security import verify_password
@@ -42,7 +43,7 @@ def test_create_user(db_session: Session) -> None:
         email="johndoe@mail.com",
         name="John",
         last_name="Doe",
-        password="tests-password",  # noqa: S106
+        password=SecretStr("tests-password"),
         role_id=role.id,
     )
 
diff --git a/tests/app/operations/user/test_schemas.py b/tests/app/operations/user/test_schemas.py
@@ -0,0 +1,59 @@
+import pytest
+from pydantic import SecretStr, ValidationError
+
+from app.operations.user.schemas import UserCreateBase, UserUpdate
+
+
+def test_user_create_base_password_printing() -> None:
+    password = "test-password"  # noqa: S105
+    user_create = UserCreateBase(
+        email="johndoe@mail.com",
+        name="John",
+        last_name="Doe",
+        password=SecretStr(password),
+    )
+
+    assert user_create.password != password
+    assert user_create.password.get_secret_value() == password
+
+
+def test_user_create_base_password_min_length() -> None:
+    short_password = "1234567"  # noqa: S105
+    with pytest.raises(ValidationError) as exc:
+        UserCreateBase(
+            email="johndoe@mail.com",
+            name="John",
+            last_name="Doe",
+            password=SecretStr(short_password),
+        )
+
+    errors = exc.value.errors()
+    assert len(errors) == 1
+    assert errors[0]["loc"] == ("password",)
+    assert errors[0]["type"] == "too_short"
+
+
+def test_user_create_base_password_max_length() -> None:
+    long_password = "12345678901234567890123456789012345678901234567890123456789012345"  # noqa: S105
+    with pytest.raises(ValidationError) as exc:
+        UserCreateBase(
+            email="johndoe@mail.com",
+            name="John",
+            last_name="Doe",
+            password=SecretStr(long_password),
+        )
+
+    errors = exc.value.errors()
+    assert len(errors) == 1
+    assert errors[0]["loc"] == ("password",)
+    assert errors[0]["type"] == "too_long"
+
+
+def test_user_update_invalid_email() -> None:
+    with pytest.raises(ValidationError) as ex:
+        UserUpdate(email="not-a-valid-mail.com", password=SecretStr("test-password"))
+
+    errors = ex.value.errors()
+    assert len(errors) == 1
+    assert errors[0]["loc"] == ("email",)
+    assert errors[0]["type"] == "value_error"
diff --git a/tests/app/test_config.py b/tests/app/test_config.py
@@ -28,6 +28,6 @@ def test_settings_loads_db_env_vars() -> None:
 
     assert settings.database.name == "test_db"
     assert settings.database.user == "test_user"
-    assert settings.database.password == "test_password"  # noqa: S105
+    assert settings.database.password.get_secret_value() == "test_password"
     assert settings.database.host == "test_host"
     assert settings.database.port == 123  # noqa: PLR2004
