Database Systems · individual project
Auth API + JWT, from scratch
An authentication system rebuilt without the libraries.
- Year
- 2025
- Role
- Solo · coursework
- Status
- Shipped
- Type
- Database Systems
A Flask + SQLite authentication API where the JWTs, password hashing, and SQL safety were all written by hand, no auth library, no ORM.
The problem
Most students reach for a library the moment an interviewer says 'JWT.' The point of building this from scratch was to actually understand the bytes: how the token is base64-url-encoded, how the HMAC-SHA-256 signature is computed, and why parameterized queries are non-negotiable.
Graded against an instructor test suite that intentionally tried to break the API with SQL-injection attacks and tampered JWTs, if either succeeded, the project scored zero.
Approach
- Designed a SQLite schema with uniqueness constraints on usernames and emails, plus a password-history table so a user can never reuse a past password, the full MSU policy, enforced server-side.
- Hashed passwords with SHA-256 over a per-user salt via Python's hashlib; no plaintext ever touched disk, and the salt was reused across all of a user's historical passwords so the history check actually worked.
- Built JWTs by hand: base64-url-safe header + payload, signed with HMAC-SHA-256 via Python's hmac module, then verified on every authorized request against the same key.
- Wrote every SQL statement as a parameterized query, single-quote, UNION-extraction, and comment-injection probes all bounced.
- Wrapped every connection in try/except with explicit close() in the failure path so a poisoned test couldn't leave the database file locked for the next case.
Impact
- Cleared the instructor's injection test suite, including the cases that silently pass vulnerable implementations.
- Demonstrates the cryptographic primitives behind auth aren't a black box for me.
Stack
Backend
PythonFlask
Data
SQLiteParameterized SQL
Crypto
hashlib (SHA-256)hmacbase64JWT by hand