Bird
Raised Fist0
FastAPIframework~10 mins

Password hashing with bcrypt in FastAPI - Interactive Code Practice

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallPerf

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Practice - 5 Tasks
Answer the questions below
1fill in blank
easy

Complete the code to import the bcrypt hashing function.

FastAPI
from passlib.context import CryptContext

pwd_context = CryptContext(schemes=[[1]], deprecated="auto")
Drag options to blanks, or click blank then click option'
A"sha256"
B"bcrypt"
C"md5"
D"argon2"
Attempts:
3 left
💡 Hint
Common Mistakes
Using insecure or unsupported hashing schemes like md5 or sha256.
Forgetting to put quotes around the scheme name.
2fill in blank
medium

Complete the function to hash a plain password using bcrypt.

FastAPI
def hash_password(password: str) -> str:
    return pwd_context.[1](password)
Drag options to blanks, or click blank then click option'
Averify
Bhashing
Cencrypt
Dhash
Attempts:
3 left
💡 Hint
Common Mistakes
Using 'verify' instead of 'hash' to create a password hash.
Using non-existent methods like 'encrypt' or 'hashing'.
3fill in blank
hard

Fix the error in the password verification function.

FastAPI
def verify_password(plain_password: str, hashed_password: str) -> bool:
    return pwd_context.[1](plain_password, hashed_password)
Drag options to blanks, or click blank then click option'
Averify
Bhash
Ccheck
Dcompare
Attempts:
3 left
💡 Hint
Common Mistakes
Using 'hash' instead of 'verify' to check passwords.
Using non-existent methods like 'check' or 'compare'.
4fill in blank
hard

Fill both blanks to create a FastAPI endpoint that hashes a password.

FastAPI
from fastapi import FastAPI, HTTPException

app = FastAPI()

@app.post("/hash_password")
async def hash_endpoint(password: str):
    hashed = pwd_context.[1](password)
    return {"hashed_password": [2]
Drag options to blanks, or click blank then click option'
Ahash
Bpassword
Chashed
Dverify
Attempts:
3 left
💡 Hint
Common Mistakes
Returning the plain password instead of the hashed one.
Using 'verify' instead of 'hash' to create the hash.
5fill in blank
hard

Fill all three blanks to verify a password and raise an error if it fails.

FastAPI
from fastapi import FastAPI, HTTPException

app = FastAPI()

@app.post("/login")
async def login(password: str, hashed_password: str):
    if not pwd_context.[1](password, hashed_password):
        raise HTTPException(status_code=401, detail="[2]")
    return {"message": "[3]"}
Drag options to blanks, or click blank then click option'
Averify
BInvalid password
CLogin successful
Dhash
Attempts:
3 left
💡 Hint
Common Mistakes
Using 'hash' instead of 'verify' to check passwords.
Returning success message even if password is wrong.

Practice

(1/5)
1. What is the main purpose of using bcrypt for password hashing in FastAPI?
easy
A. To speed up the login process by caching passwords
B. To encrypt passwords so they can be decrypted later
C. To securely store passwords by converting them into a hashed format
D. To generate random passwords for users automatically

Solution

  1. Step 1: Understand password hashing purpose

    Password hashing converts passwords into a secure format that cannot be reversed, protecting user data.

  2. Step 2: Identify bcrypt role in FastAPI

    bcrypt is used to hash passwords securely, not to encrypt or cache them.

  3. Final Answer:

    To securely store passwords by converting them into a hashed format -> Option C

  4. Quick Check:

    Password hashing = secure storage [OK]
Hint: Hashing hides passwords, not encrypts or caches them [OK]
Common Mistakes:
  • Confusing hashing with encryption
  • Thinking bcrypt speeds up login by caching
  • Believing bcrypt generates passwords automatically
2. Which of the following is the correct way to import and create a bcrypt password context using passlib in FastAPI?
easy
A. from passlib.context import CryptContext pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
B. import bcrypt pwd_context = bcrypt.PasswordContext()
C. from fastapi.security import bcrypt pwd_context = bcrypt.Context()
D. import passlib pwd_context = passlib.bcrypt()

Solution

  1. Step 1: Recall correct import for bcrypt context

    Passlib's CryptContext is imported from passlib.context and configured with schemes=["bcrypt"].

  2. Step 2: Check syntax correctness

    from passlib.context import CryptContext pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto") correctly imports and creates pwd_context with bcrypt scheme and deprecated="auto".

  3. Final Answer:

    from passlib.context import CryptContext pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto") -> Option A

  4. Quick Check:

    Correct import and setup = from passlib.context import CryptContext pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto") [OK]
Hint: Use CryptContext from passlib.context with schemes=['bcrypt'] [OK]
Common Mistakes:
  • Importing bcrypt directly instead of CryptContext
  • Using wrong module names like fastapi.security
  • Calling non-existent constructors
3. Given the following code snippet, what will be the output of print(pwd_context.verify('secret123', hashed_password)) if hashed_password is generated by hashing 'secret123'? 
from passlib.context import CryptContext
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
hashed_password = pwd_context.hash('secret123')
print(pwd_context.verify('secret123', hashed_password))
medium
A. Raises a TypeError
B. True
C. False
D. Prints the hashed password string

Solution

  1. Step 1: Understand pwd_context.hash and verify

    pwd_context.hash creates a hashed password from the plain text. verify checks if the plain text matches the hash.

  2. Step 2: Analyze the verify call

    Since 'secret123' was hashed and then verified against the same string, verify returns True.

  3. Final Answer:

    True -> Option B

  4. Quick Check:

    Verify correct password = True [OK]
Hint: Verify returns True if password matches hash [OK]
Common Mistakes:
  • Expecting verify to return the hash
  • Confusing verify output with hash output
  • Thinking verify raises errors on match
4. Identify the error in this FastAPI password hashing code snippet: 
from passlib.context import CryptContext
pwd_context = CryptContext(schemes=["bcrypt"])

password = "mypassword"
hashed = pwd_context.hash(password)

if pwd_context.verify(password, hashed):
    print("Password verified")
else:
    print("Verification failed")
medium
A. Using verify method incorrectly with arguments reversed
B. No error; code works correctly
C. Not importing bcrypt module explicitly
D. Missing deprecated="auto" in CryptContext initialization

Solution

  1. Step 1: Check CryptContext initialization

    Best practice is to include deprecated="auto" to handle scheme deprecation warnings.

  2. Step 2: Verify method usage and imports

    verify is used correctly with (plain, hashed). bcrypt import is not needed explicitly with passlib.

  3. Final Answer:

    Missing deprecated="auto" in CryptContext initialization -> Option D

  4. Quick Check:

    Include deprecated="auto" to avoid warnings [OK]
Hint: Always add deprecated="auto" in CryptContext [OK]
Common Mistakes:
  • Omitting deprecated="auto" causes warnings
  • Reversing arguments in verify method
  • Importing bcrypt separately when unnecessary
5. You want to create a FastAPI endpoint that accepts a user's plain password, hashes it with bcrypt, and stores it securely. Which of the following code snippets correctly implements this functionality considering best practices?
hard
A. from fastapi import FastAPI from passlib.context import CryptContext app = FastAPI() pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto") @app.post("/register") async def register(password: str): hashed_password = pwd_context.hash(password) # Store hashed_password securely return {"msg": "User registered"}
B. from fastapi import FastAPI import bcrypt app = FastAPI() @app.post("/register") def register(password: str): hashed_password = bcrypt.hashpw(password, bcrypt.gensalt()) return {"hashed": hashed_password}
C. from fastapi import FastAPI from passlib.context import CryptContext app = FastAPI() pwd_context = CryptContext(schemes=["bcrypt"]) @app.post("/register") async def register(password: str): hashed_password = pwd_context.hash(password.encode()) return {"msg": "Password hashed"}
D. from fastapi import FastAPI from passlib.context import CryptContext app = FastAPI() pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto") @app.post("/register") async def register(password: bytes): hashed_password = pwd_context.hash(password) return {"msg": "User registered"}

Solution

  1. Step 1: Check correct use of passlib CryptContext and hashing

    from fastapi import FastAPI from passlib.context import CryptContext app = FastAPI() pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto") @app.post("/register") async def register(password: str): hashed_password = pwd_context.hash(password) # Store hashed_password securely return {"msg": "User registered"} correctly imports CryptContext with deprecated="auto" and hashes the plain string password.

  2. Step 2: Validate FastAPI endpoint and parameter types

    from fastapi import FastAPI from passlib.context import CryptContext app = FastAPI() pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto") @app.post("/register") async def register(password: str): hashed_password = pwd_context.hash(password) # Store hashed_password securely return {"msg": "User registered"} uses async def with password as str, which is standard for FastAPI input. It hashes and comments storing securely.

  3. Step 3: Compare other options for errors

    from fastapi import FastAPI import bcrypt app = FastAPI() @app.post("/register") def register(password: str): hashed_password = bcrypt.hashpw(password, bcrypt.gensalt()) return {"hashed": hashed_password} uses bcrypt module incorrectly with str instead of bytes; from fastapi import FastAPI from passlib.context import CryptContext app = FastAPI() pwd_context = CryptContext(schemes=["bcrypt"]) @app.post("/register") async def register(password: str): hashed_password = pwd_context.hash(password.encode()) return {"msg": "Password hashed"} hashes password.encode() but misses deprecated="auto"; from fastapi import FastAPI from passlib.context import CryptContext app = FastAPI() pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto") @app.post("/register") async def register(password: bytes): hashed_password = pwd_context.hash(password) return {"msg": "User registered"} expects bytes input which is unusual for FastAPI JSON input.

  4. Final Answer:

    from fastapi import FastAPI from passlib.context import CryptContext app = FastAPI() pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto") @app.post("/register") async def register(password: str): hashed_password = pwd_context.hash(password) # Store hashed_password securely return {"msg": "User registered"} -> Option A

  5. Quick Check:

    Use passlib CryptContext with str input and deprecated="auto" [OK]
Hint: Use passlib CryptContext with str password and deprecated="auto" [OK]
Common Mistakes:
  • Using bcrypt module directly with wrong input types
  • Omitting deprecated="auto" in CryptContext
  • Accepting password as bytes instead of str in FastAPI