A modern authentication system starter built with FastAPI backend and a React frontend using shadcn/ui, dark mode, avatar management, and a modern admin dashboard. This project provides a solid foundation for production-ready apps with role-based access control, user management, and beautiful UI/UX.
π― Purpose: The included React frontend is designed for real-world authentication and admin flows. Easily extend with more features or integrate with your own backend.
The easiest way to run both backend and frontend simultaneously:
python run.pyThis will start:
- Backend API on http://localhost:8000
- Frontend UI on http://localhost:3000 (React + shadcn)
Press Ctrl+C to stop both servers.
- β Modern UI/UX: Built with shadcn/ui, dark mode, and beautiful design
- β Avatar Management: Upload, preview, and delete profile avatars
- β Admin Dashboard: Stats, user management, and role badges
- β Role-Based Navigation: Dynamic UI based on user roles
- β Theme Toggle: Built-in dark mode support
- β Profile Page: Edit profile, change password, manage avatar
- β Login/Register: Modern forms with validation and error handling
- β Responsive Design: Works on mobile and desktop
- β TanStack Router: Modern routing and navigation
- β API Client: Automatic token refresh and error handling
- β Avatar Upload/Delete: Endpoints for uploading and deleting user avatars
- β
Static File Serving: Avatars served via
/static/avatars/ - β Modern Architecture: Modular FastAPI with separation of concerns
- β JWT Authentication: Access and refresh tokens with role information
- β Secure Session Management: Redis-backed session tracking with device information
- β Role-Based Access Control (RBAC): Flexible role management system
- β SQLite Database: Persistent storage with SQLAlchemy ORM
- β User Management: Registration, login, profile updates
- β Admin Panel: Admin-only user management endpoints
- β
API Versioning: Clean
/api/v1/endpoints - β OAuth2 Compatible: Standard OAuth2 password flow
- β
Auto Documentation: Swagger UI at
/docs - β Enhanced Security: Password policies and security headers
- π Custom Rate Limiting: High-performance rate limiting with configurable limits
- π Session Tracking: Track active sessions with device info and IP addresses
- π Monitoring: Comprehensive metrics and health checks
- π Structured Logging: JSON-formatted security event logging
- π Production Ready: Enhanced security and observability
Fastapi-Starter/
βββ run.py # π― Start both servers
βββ backend/ # π§ FastAPI Backend
β βββ run.py # Backend server entry point
β βββ app/ # Modular FastAPI application
β βββ data/ # SQLite database & avatar uploads
β βββ requirements.txt # Python dependencies
βββ frontend/ # π§βπ» React Frontend (shadcn/ui)
βββ src/ # React source code
βββ public/ # Static assets
βββ package.json # Frontend dependencies
βββ README.md # Frontend guide- Upload Avatar: Go to Profile, click avatar, upload image (PNG/JPG/GIF up to 5MB)
- Delete Avatar: Click 'Delete Current' in avatar dialog
- Avatar Storage: Avatars are stored in
backend/data/uploads/avatars/and served at/static/avatars/ - Fallback: If no avatar, Dicebear initials are shown
- Stats Cards: Total users, admins, active/inactive users
- User Table: Avatar, status, roles, actions (edit/delete)
- Role Badges: Visual role indicators
- Search: Filter users by name/email
- Secure Sessions: Redis-backed session storage with database fallback
- Device Tracking: Track login device, browser, and IP address information
- Session List: View all active sessions in user profile
- Remote Logout: Delete sessions from other devices
- Automatic Cleanup: Expired sessions are automatically removed
- Session Cookies: Secure, HttpOnly cookies for enhanced security
- Custom Rate Limiting: High-performance in-memory rate limiting
- Configurable Limits: Environment-based rate limit configuration
- Endpoint-Specific: Different limits for auth, API, and admin endpoints
- Security Headers: CSRF protection, HSTS, and content security policies
- Monitoring: Real-time metrics and health checks
- Admin Protection: Special rate limits for admin operations
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/v1/users/me/avatar |
Upload user avatar |
| DELETE | /api/v1/users/me/avatar |
Delete user avatar |
| GET | /static/avatars/{filename} |
Serve avatar image |
| GET | /api/v1/sessions/ |
Get user's active sessions |
| DELETE | /api/v1/sessions/{session_id} |
Delete specific session |
| GET | /metrics |
Application metrics (admin only) |
- Login/Register: Modern forms, error handling, dark mode
- Profile: Edit info, change password, manage avatar, view active sessions
- Session Management: View and delete active sessions from other devices
- Admin: Manage users, roles, avatars
- Theme Toggle: Top right in header
The application supports extensive configuration via environment variables:
SECRET_KEY=your-secret-key
SECURE_COOKIES=false # Set to true in production
HTTPS_ONLY=false # Set to true in productionDEFAULT_RATE_LIMIT=1000 per hour
AUTH_LOGIN_RATE_LIMIT=5 per minute
AUTH_REGISTER_RATE_LIMIT=3 per minute
API_GENERAL_RATE_LIMIT=100 per minute
ADMIN_OPERATIONS_RATE_LIMIT=50 per minuteREDIS_URL=redis://localhost:6379
ACCESS_TOKEN_EXPIRE_MINUTES=30
REFRESH_TOKEN_EXPIRE_DAYS=7See backend/.env.example for all available configuration options.
Happy Coding! π
Built with β€οΈ using FastAPI, React, shadcn/ui, and modern web technologies.