← All work

Database Systems · individual project

Auth API + JWT, from scratch

An authentication system rebuilt without the libraries.

Auth API + JWT, from scratch, cover artwork
Year
2025
Role
Solo · coursework
Status
Shipped
Type
Database Systems

A Flask + SQLite authentication API where the JWTs, password hashing, and SQL safety were all written by hand, no auth library, no ORM.

The problem

Most students reach for a library the moment an interviewer says 'JWT.' The point of building this from scratch was to actually understand the bytes: how the token is base64-url-encoded, how the HMAC-SHA-256 signature is computed, and why parameterized queries are non-negotiable.

Graded against an instructor test suite that intentionally tried to break the API with SQL-injection attacks and tampered JWTs, if either succeeded, the project scored zero.

Approach

  • Designed a SQLite schema with uniqueness constraints on usernames and emails, plus a password-history table so a user can never reuse a past password, the full MSU policy, enforced server-side.
  • Hashed passwords with SHA-256 over a per-user salt via Python's hashlib; no plaintext ever touched disk, and the salt was reused across all of a user's historical passwords so the history check actually worked.
  • Built JWTs by hand: base64-url-safe header + payload, signed with HMAC-SHA-256 via Python's hmac module, then verified on every authorized request against the same key.
  • Wrote every SQL statement as a parameterized query, single-quote, UNION-extraction, and comment-injection probes all bounced.
  • Wrapped every connection in try/except with explicit close() in the failure path so a poisoned test couldn't leave the database file locked for the next case.

Impact

  • Cleared the instructor's injection test suite, including the cases that silently pass vulnerable implementations.
  • Demonstrates the cryptographic primitives behind auth aren't a black box for me.

Stack

Backend

PythonFlask

Data

SQLiteParameterized SQL

Crypto

hashlib (SHA-256)hmacbase64JWT by hand

Next

Recipes API with a social graph