This guide will explore the current state of authentication, delve into what passkeys are, how they work, and discuss the challenges and future of this technology.

The Current State of Authentication

Authentication is a critical component of digital security, serving as the gateway to systems and data. Despite numerous advancements, traditional authentication methods, such as passwords and social logins, remain prevalent. But these methods are increasingly proving to be inadequate in addressing modern security challenges.

Passwords, once considered the gold standard, are now recognized as a significant weak link in cybersecurity. The rise in sophisticated cyberattacks, coupled with poor password practices, has highlighted the urgent need for more robust authentication mechanisms.

Passwords are susceptible to various attacks, including phishing, brute force, and credential stuffing. Many users also recycle passwords across multiple sites, exacerbating the risk. Managing multiple passwords can be cumbersome, leading to weak password practices and forgotten credentials.

Social logins, while convenient, bring their own set of issues, including privacy concerns and dependency on third-party platforms. Users are often wary of sharing their social media credentials with third-party sites, fearing data misuse.

Also, social logins tie users to specific platforms, which can be problematic if a user decides to leave a social network or if the platform experiences an outage.

Magic links, an alternative authentication method, also have their limitations. Magic links are sent via email, which is not always secure. If an email account is compromised, so is the authentication.

The process of checking email and clicking a link can be cumbersome, particularly for users on mobile devices or with poor internet connectivity. Emails can also be delayed, end up in spam folders, or fail to deliver, causing frustration and potential access issues for users.

As the digital landscape continues to evolve, the need for more secure, user-friendly, and scalable authentication solutions becomes paramount. This exploration of the inherent problems with passwords, social logins, and magic links sets the stage for understanding why passkeys are a vital innovation in the field of authentication.

What are Passkeys?

Passkeys represent a modern authentication solution designed to address the shortcomings of traditional methods. Essentially, passkeys eliminate the need for passwords by utilizing a pair of cryptographic keys to authenticate users securely.

At the core of passkeys is public-private key cryptography. Each user has a unique pair of keys: a public key, which is stored on the server, and a private key, which remains securely on the user's device.

When a user attempts to authenticate, they use a method like biometric verification (fingerprint or facial recognition) or a device-specific security feature to access their private key.

This private key generates a cryptographic signature that the server verifies using the corresponding public key, ensuring a secure and seamless authentication process.

Diagram showing the passkey authentication process

Passkeys are built on the FIDO2 standard, which promotes interoperability and security across different devices and platforms. Major tech companies, including Google, Microsoft, Okta, and Apple, support this standard, making it a robust and widely adopted solution.

The use of biometrics and device-based authentication enhances security by ensuring that the private key never leaves the user's device and is never exposed to potential attackers.

This approach significantly reduces the risk of phishing attacks, as there are no passwords to be stolen or guessed. Passkeys also help streamline the user experience by eliminating the need to remember and manage multiple passwords.

Implementing passkeys involves a few key steps:

1. Registration: During account creation or passkey setup, the user's device generates a new key pair. The public key is sent to the server and stored with the user's account information.
2. Authentication: When the user logs in, they use their private key to generate a cryptographic signature. The server verifies this signature using the stored public key, ensuring that the user is who they claim to be.

Visit learnpasskeys.io to learn in detail how each of these processes work.

By leveraging these principles, passkeys offer a secure, user-friendly, and scalable solution for modern authentication needs. As developers, understanding how passkeys work and how to implement them is crucial in staying ahead in the realm of digital security.

Challenges with Passkeys

While passkeys offer numerous advantages over traditional authentication methods, they are not without their challenges. Understanding these challenges is crucial for developers and organizations considering adopting this technology.

Adoption and Integration

One of the primary challenges with passkeys is the integration with existing systems.

Many organizations rely on legacy systems that are not compatible with passkey technology, requiring significant overhauls to implement. Migrating to a passkey-based system involves not only technical adjustments but also changes in infrastructure, which can be resource-intensive and time-consuming.

User Education and Trust

Introducing a new authentication method requires educating users about how it works and why it's beneficial.

Users need to understand and trust the new system, which can be a hurdle given the novelty of passkeys. Ensuring that users feel comfortable and secure with the transition from passwords to passkeys is essential for widespread adoption.

Technical Considerations

Passkeys rely heavily on device capabilities. Not all devices support biometric authentication or the FIDO2 standard, potentially limiting the adoption of passkeys.

Developers need to ensure that fallback mechanisms are in place for users with unsupported devices, which can complicate the implementation process.

Compatibility and Interoperability

While the FIDO2 standard promotes interoperability, ensuring compatibility across different devices, operating systems, and browsers can still be challenging. Developers need to thoroughly test their implementations to ensure a seamless user experience across all platforms.

Despite these challenges, the benefits of passkeys in terms of security and user experience make them a compelling option for modern authentication. By addressing these challenges proactively, developers and organizations can pave the way for a more secure and user-friendly authentication future.

The Future of Authentication

The evolution of authentication is a testament to our ongoing quest for balance between security and convenience. From the simplicity of passwords to the robust security of passkeys, each step forward has been driven by the need to protect our digital lives against increasingly sophisticated threats.

Passkeys represent a significant leap in this journey, offering a secure, user-friendly alternative to traditional methods. By leveraging cryptographic keys and biometric verification, passkeys address many of the vulnerabilities that plague passwords and social logins.

The path to widespread adoption is not without its challenges, though, from integration hurdles to user education. But despite these obstacles, the benefits of passkeys make them a compelling option for modern authentication.

As developers and organizations navigate these challenges, the future of authentication looks promising. By embracing innovations like passkeys, we can move towards a more secure, seamless digital experience for all users.

The story of authentication is ongoing, and as we continue to innovate, the lessons from our past and the potential of our future guide us towards a safer digital world. Stay ahead of the curve, keep learning, and together, we can build a more secure digital landscape.

Thanks for reading!

In the early stages of a SaaS product, it's easy to get caught up in the excitement of designing elaborate architectures, experimenting with bleeding-edge frameworks, and optimizing every line of code. While these things are important, they can also become significant roadblocks if taken too far.

I've seen projects stall for months as developers (myself) debated the merits of different databases or attempted to master a complex framework before writing a single line of product code. This kind of overengineering can drain resources, delay launches, and ultimately put the entire project at risk.

One of the most valuable lessons I've learned is the power of leveraging familiar technologies. When you and your team know a toolset inside and out, you can build features faster, troubleshoot more efficiently, and deliver a more stable product.

This doesn't mean you should never learn new things. But in the early stages of a product, where speed is crucial, it's often more beneficial to focus on building something that works, rather than something that's technically impressive but takes forever to complete.

As your product matures and gains traction, there will be opportunities to experiment with new technologies and optimize your tech stack. But in the beginning, the most important thing is to get your product in front of users and start gathering feedback.

What Tech Stack Should I Use?

There's no one-size-fits-all answer when it comes to the perfect tech stack. The best choice for you will depend on several factors:

• Your Use Case: What kind of SaaS product are you building? Different types of applications may benefit from different technologies. For example, a real-time collaboration tool might prioritize WebSocket and reactive frameworks, while a data-heavy analytics platform might favor a robust database and powerful server-side processing.
• Your Team's Expertise: Don't underestimate the value of familiarity. If your team is already proficient in a particular language or framework, leverage that expertise. It'll save you valuable time and reduce the risk of running into unexpected issues.
• Scalability and Performance Requirements: Do you anticipate rapid growth? If so, choose a tech stack that can scale with your user base and traffic. Consider cloud-based solutions and technologies that are known for their performance and reliability.

General Recommendations

While there's no magic formula, here are some general recommendations for SaaS tech stacks (for web apps) that have proven successful:

Front-End

• React/NextJS: A popular JavaScript library for building user interfaces. It's known for its flexibility, component-based architecture, and large community.
• Vue.js: Another popular JavaScript framework that's easy to learn and integrate into existing projects.
• Angular: A full-featured framework developed by Google, offering a structured approach to building complex applications.

Back-End

• Node.js: A JavaScript runtime environment that allows you to use JavaScript for server-side development. It's known for its speed, scalability, and large ecosystem of libraries and frameworks.
• Python (with Django or FastAPI): A versatile language that's great for rapid development and data-intensive applications. Django and Flask are popular frameworks that provide structure and simplify common tasks.
• Ruby (with Rails): Known for its convention-over-configuration approach and developer-friendly tools, Rails can help you build web applications quickly and efficiently.

Database

• PostgreSQL: A powerful and reliable open-source relational database that offers strong support for complex queries, data integrity, and scalability.
• MongoDB/DynamoDB: A NoSQL database that's flexible and scalable, making it a good choice for applications with evolving data models or unstructured data.

Additional Considerations

• Authentication: Authentication is one of those systems you don’t want to build, so use third party services like Auth0 to get you started quickly and that would scale as you grow.
• Caching: Consider using a caching layer like Redis to improve performance and reduce database load.
• Queueing: For background tasks and asynchronous processing, message queues like RabbitMQ, Kafka, or Amazon SQS can be valuable.
• Monitoring and Logging: Implement tools like Datadog, Sentry to monitor your application's performance and track errors.

Why this Stack?

• Speed to Market: This stack combines familiar technologies (JavaScript, Python) with modern frameworks (React, Django/Flask, Express/NestJS) that facilitate rapid development.
• Scalability: AWS, Azure, and GCP offer auto-scaling and other features that allow your application to grow with your user base. PostgreSQL and MongoDB are known for their scalability.
• Flexibility: This stack supports both relational and NoSQL databases, giving you flexibility to choose the right data model for your application. The three major cloud providers offer a variety of services to meet your evolving needs.
• Community and Support: All of these technologies have large, active communities and extensive documentation, making it easier to find help and resources when you need them.

Conclusion

Choosing the right tech stack for your SaaS product is a critical decision, but it's important to remember that technology is just one ingredient in the recipe for success. A well-validated idea, a strong team, and a relentless focus on delivering value to customers are all equally important.

Throughout my journey as a developer, I've learned a few key lessons:

• Prioritize Speed to Market: Don't let the pursuit of technological perfection delay your launch. Get your product in front of users as quickly as possible to gather feedback and iterate.
• Embrace Familiarity: Leverage the technologies you know and love to minimize the learning curve and maximize productivity.
• Start Simple, Then Scale: Begin with a minimum viable product (MVP) and the simplest tech stack that meets your needs. You can always evolve and optimize as you grow.
• Don't Be Afraid to Pivot: Be open to changing your tech stack if it no longer serves your needs. The right tools at one stage of your product's lifecycle may not be the right tools later on.
• Focus on the User: Ultimately, your tech stack is just a means to an end. The most important thing is to build a product that solves a real problem for your users and delivers exceptional value.

By prioritizing speed to market, leveraging your team's strengths, and remaining adaptable, you'll be well on your way to building a successful SaaS product. Remember, the best tech stack is the one that empowers you to create something truly meaningful for your customers.

It is very common to see devs on social media sharing how you can build anything with JavaScript or how Python is great for data scientists.

As a Python fanatic myself, I actually don't always use Python for my projects because Python doesn't excel at everything. So today, I want to share my thoughts about the main use cases in which Python shines.

Scripting and Automation

It's never been easier to script and automate tasks thanks to the rise of no-code and tools like Apple's Shortcuts app. But even after integrating those into my day-to-day routine, there are many times when I still rely on Python to get things done.

I use Python in part because I'm already familiar with the language. Plus its simplicity and extensive library ecosystem help me get results quicker than with other programming languages.

Here are some of the tasks you can automate with Python along with some personal examples:

File management

You can automate tasks like file organization, renaming, copying, and deletion using Python.

I personally use Obsidian as my note-taking tool, where all my notes land in a dedicated "inbox" folder for processing. A Python script then reads the notes and moves each one to the appropriate folder based on their contents.

The script sounds fancy, but it is pretty simple, as I already have a system in place.

Here is what my script for organizing notes looks like:

import shutil
import os
import frontmatter

# List of frontmatter properties with folder destinations
frontmatter_to_dir = {
    'project': '1. Projects',
    'area': '2. Areas',
    'resource': '3. Resources',
}

def try_move_file(file, destination):
    print('- Moving file', file, "to", destination)
    try:
        shutil.move(file, destination)
    except Exception as err:
        print('-  - Project not found', err)


# Read all the files inside the "!inbox" directory
notes = os.listdir('!inbox')
for note in notes:
    note_path =  f"!inbox/{note}"
    # Read the file's frontmatter
    note_metadata = frontmatter.load(note_path)

    # Check if the file has a property to categorize this note,
    # for example: project, area, or resource
    for group, group_destination in frontmatter_to_dir.items():
        if group in note_metadata:
            # Try moving the file, it can be the case the project is
            # for example mispelled, in that case it won't do anything with the note
            try_move_file(note_path, f"{group_destination}/{note_metadata[group]}/{note}")

Data processing

Python is in a unique position when it comes to data processing. Whether you are trying to process text, images, large data sets, or perform complex calculations, there are excellent Python libraries for all use cases.

I usually create Python scripts to understand information. For example, I run a company with multiple SaaS products, and I have Python scripts to process statements and help me with the accounting.

Extracting data from text files or web pages

You can use Python to extract data from websites, analyze web content, and gather information to send summaries or others. I used this until very recently to download RSS feeds from my favorite blogs and websites and create a one-email summary that I would then use to read the most interesting articles. I'm now using Readwise Reader for this purpose.

To showcase how to extract data from web pages using Python, I created a small script that would visit a site, parse it’s HTML and return information from elements in the DOM. In particular, it will visit a newspaper, find information about the exchange rate for the pair ARS/USD of the day, and print it on the screen. Great script for those living in Argentina.

import requests
from bs4 import BeautifulSoup

# Load the newspapaer website to scrap information about the current exchange rate for USD/ARS
URL = 'https://www.lanacion.com.ar/'
page = requests.get(URL)

# Parse the HTML data
soup = BeautifulSoup(page.content, "html.parser")
# Use select to find an element in the DOM
# In our case, we need a span inside a link with a specific title
span = soup.select('a[title="Dólar blue"] span')[0]
price = span.get_text()
# In a real scenario, instead of simply printing the price,
# I'd for example, email me the results or do some other processing
print(price) # e.g. $930,00

Sending emails

This is how my newsletter started: sending emails to subscribers through a Python script. Now, that's not scaling very well as I wanted fancier features, and I moved on to ConvertKit – but the Python script was good for being a free, smaller-scale solution.

Sending emails require access to an SMTP server, or similar service, in my case I was using a proprietary API to send those, Amazon SES, because when it comes to emailing in bulk, there are certain measures you want to take not to damage the score of your domain, or your emails will end up on the spam folder.

Here is how I was doing that:

import boto3
import json

# All email addresses where store in s3
s3_bucket = ''
# Provide the path to your file in the S3 bucket
s3_key = 'mail_list/addresses.txt'

s3_client = boto3.client('s3')
# Retrieve the email ids from the file
s3_object = s3_client.get_object(Bucket=s3_bucket, Key=s3_key)
email_ids = s3_object['Body'].read().decode('utf-8').split('\n')

# Send email for each email ID
ses_client = boto3.client('ses')
for email_id in email_ids:
    email_id = email_id.strip() # Remove leading/trailing whitespace

    # Perform email sending operations using SES client
    response = ses_client.send_email(
        Source='<FromAddress>',
        Destination={'ToAddresses': [email_id]},
        Message={
            'Subject': {'Data': 'Your Subject'},
            'Body': {'Text': {'Data': 'Your Email Body'}}
        }
    )

print(f"Email sent to {email_id}. Message ID: {response['MessageId']}")

Web Applications and APIs

It's true – you can't do web development just with Python. You'll still need HTML, CSS, and JavaScript. But when it comes to building backends for web applications, Python is a fantastic option.

Thanks to popular Python frameworks like Django, Flask, and FastAPI, it's very easy to start building your web applications and APIs.

In most products and applications I build, I use a combination of NextJS for the frontend, powered by a Python backend using FastAPI, and it's a killer combo.

But I'm not alone in choosing Python to build web backends. Companies like Microsoft, Instagram, Pinterest, and the Washington Post use Python to serve millions of users.

Data Analysis / Data Science / AI

Python is the undeniable leader in data science, artificial intelligence, and machine learning. This is in part thanks to its vast ecosystem of open-source libraries, like Pandas, Numpy, Tensorflow, and Python in Excel among others. This extensive toolkit empowers you to tackle virtually any challenge within these domains.

Are you performing complex statistical analysis? No problem, there's a library for that. Are you eager to start using state-of-the-art machine learning models? Python has you covered! Do you need a complex neural network? Of course, you can do that!

Python's vast ecosystem of libraries allows you to build what you need quickly, with libraries that are production-ready, fast, and efficient and that have high-quality APIs.

Here are some examples of related applications of Python for data science and AI:

• Time series analysis
• Data Visualization
• Sales predictions
• Language processing
• Sentiment analysis
• Recommendation systems (like music, videos, and so on)
• Classification
• Computer vision
• Self-driving cars
• and many more...

Application Testing

Python's user-friendly syntax and readability make it an excellent choice for QA testers of all skill levels. Its straightforward structure and clear code organization facilitate rapid prototyping and implementation of test scripts.

Again, it's thanks to Python's rich ecosystem with libraries like Playwright and Selenium that Python is a great option for this category.

For web applications, QA engineers write test scripts that load the application in a headless browser, normally a QA or test environment, and perform a series of validations to determine that the application is correctly working.

For example, if you want to test a user’s list page, you can load the page, and querying DOM elements, you can validate that effectively the app is rendering results. Even more so, you can simulate keyboard strokes, clicks, complete forms, and much more with these tools.

Here is a same script that loads the python.org website, performs a search, and validates that the result by comparing the resulting page against the No results found message.

from selenium import webdriver
from selenium.webdriver.common.keys import Keys
from selenium.webdriver.common.by import By

# Set the driver to use Firefox, can also be Chrome, IE, and Remote
driver = webdriver.Firefox()
# Load the target website
driver.get("http://www.python.org")
# Validate that the page loaded by comparing the page title
assert "Python" in driver.title
# Find the search input element by name
elem = driver.find_element(By.NAME, "q")
# Empty it
elem.clear()
# Type `pycon`
elem.send_keys("pycon")
# Press an enter to trigger the search form
elem.send_keys(Keys.RETURN)
# Validate that the text `No results found.` is not present in the page
assert "No results found." not in driver.page_source
# Close the browser
driver.close()

Conclusion

Python's versatility and extensive library ecosystem make it an excellent choice for various projects. Whether you need to automate tasks, process data, build web applications and APIs, perform data analysis and AI, or conduct application testing, Python has you covered.

Its simplicity, readability, and powerful libraries allow you to achieve results quickly and efficiently. So, next time you're considering a programming language for your project, consider Python's strengths in these areas.

Thanks for reading!

You can follow me (@bajcmartinez) along with @jesstemporal on Twitter/X to learn more about Python and how to build secure Python applications. We're developer advocates at Auth0 by Okta and regularly post content and live streams about Python.

This central access point to your application’s data raises the question: how can you provide access to the information to those who need it while denying access to unauthorized requests?

The industry has provided several protocols and best practices for securing APIs. Today we will focus on OAuth2, one of the most popular options for authorizing clients into our APIs.

But how do we implement OAuth2? There are two ways to go about it:

1. Do it yourself approach
2. Work with a safe 3rd party like Auth0

In this article, I will walk you through an implementation of OAuth2 for Python and Flask using Auth0 as our identity provider. But first, we are going to discuss the do-it-yourself approach.

Why Not Build Your Own Authentication and Authorization?

For a few years now, I wanted to give back to the community that helped me so much by teaching me programming and helping me progress in my search for knowledge. I always thought that a great way to contribute was by having my own blog, a thing that I tried more than a few times and failed.

But where did I fail? Instead of focusing on writing, I tried to build my own blog engine because it’s in my nature. It’s what developers do. They love to build.

But why do I mention that here? Because many fall into the same trap when building APIs. Let me explain with an example.

Bob is a great developer, and he has this great idea for a ToDo app that can be the next big thing. Bob is very aware that for a successful implementation, users can only access their own data.

Here is bob’s application timeline:

• Sprint 0: Research ideas and start prototyping
• Sprint 1: Build user table and login screen with API
• Sprint 2: Add password reset screens and build all email templates
• Sprint 3: Build, create and list ToDos screens
• Sprint 4: MVP goes live
• User feedback:
  • Some users can’t log in due to a bug
  • Some users feel unsafe without 2-factor authentication
  • Some users don’t want to get yet another password. They prefer single sign-on with Google or Facebook.
  • …

Let’s talk about what happened. Bob spent the first few sprints not building his app but building the basic blocks, like logging in and out functionality, email notifications, and so on. This valuable time could have been spent differently, but what happens next is more concerning.

Bob’s backlog starts to fill in. Now, he needs to improvise a 2-factor authentication method, add single sign-on, and more non-product-related functions that could potentially delay his product.

And there’s still a big question to be answered: did Bob implement all the security mechanisms correctly? A critical error could expose all the user’s information to outsiders.

What Bob did is what I did with my blog many times. Sometimes, it's helpful to rely on 3rd parties if we want to get things done right.

Today, hackers and attacks have become so sophisticated that security is not a trivial factor anymore. It is a complicated system on its own, and it is often best to leave its implementation to experts – not only so it’s done right, but also so we can focus on what matters: building our applications and APIs.

How to Set Up a Free Auth0 Identity Management Account

Auth0 is a leading authentication and authorization provider, but let’s see how it can help Bob (or you) build a better app:

1. It saves time
2. It’s secure
3. It has a free plan

Time to get practical. First, make sure you have an Auth0 account. If not, you can create one here for free.

Create a New Auth0 API

There is still one more thing we have to do before we start coding. Head over to the APIs section of your Auth0 dashboard and click on the “Create API” button. After that, fill in the form with your details. However, make sure you select RS256 as the Signing Algorithm.

Your form should look like the following:

Creating the API – image showing fields to fill out

The API details page opens after successfully creating an API. Keep that tab open, as it contains information we need to set up our application. If you close it, don’t worry, you can always access it again.

How to Bootstrap our Application

Because we will focus on the security aspects only, we will take a few shortcuts when building our demo API. However, when developing actual APIs, please follow best practices for Flask APIs.

Install the dependencies

First, install the following dependencies for setting up Flask and authenticating users.

pipenv install flask python-dotenv python-jose flask-cors six

Build the endpoints

Our API will be straightforward. It will consist of only three endpoints, all of which, for now, will be publicly accessible. However, we will fix that soon. Here are our endpoints:

• / (public endpoint)
• /user (requires a logged in user)
• /admin (only users of admin role)

Let’s get to it:

from flask import Flask

app = Flask(__name__)

@app.route("/")
def index_view():
    """
    Default endpoint, it is public and can be accessed by anyone
    """
    return jsonify(msg="Hello world!")

@app.route("/user")
def user_view():
    """
    User endpoint, can only be accessed by an authorized user
    """
    return jsonify(msg="Hello user!")

@app.route("/admin")
def admin_view():
    """
    Admin endpoint, can only be accessed by an admin
    """
    return jsonify(msg="Hello admin!")

Very simple right? Let’s run it:

~ pipenv run flask run
* Environment: production
   WARNING: This is a development server. Do not use it in a production deployment.
   Use a production WSGI server instead.
 * Debug mode: off
 * Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)

And if we access our endpoint:

~ curl -i http://localhost:5000
HTTP/1.0 200 OK
Content-Type: application/json
Content-Length: 23
Server: Werkzeug/2.0.1 Python/3.9.1
Date: Tue, 24 Jan 2023 21:24:57 GMT

{"msg":"Hello world!"}

~ curl -i http://localhost:5000/user
HTTP/1.0 200 OK
Content-Type: application/json
Content-Length: 22
Server: Werkzeug/2.0.1 Python/3.9.1
Date: Tue, 24 Jan 2023 21:25:42 GMT

{"msg":"Hello user!"}

~ curl -i http://localhost:5000/admin
HTTP/1.0 200 OK
Content-Type: application/json
Content-Length: 23
Server: Werkzeug/2.0.1 Python/3.9.1
Date: Tue, 24 Jan 2023 21:26:18 GMT

{"msg":"Hello admin!"}

How to Secure the Endpoints

As we are using OAuth, we will authenticate requests by validating an access token in JWT format. We'll send it to the API on each request as part of the HTTP headers.

Auth0 configuration variables

As mentioned in the previous section, our API needs to be aware and will require information from our Auth0 dashboard. So head back to your API details page, and grab two different values.

First, the API Identifier:

This is the value required when the API is created. You can also get it from your API details page:

How to find the API identifier on the API details page

Next, Auth0 domain:

Unless you're using a custom domain, this value will be [TENANT_NAME].auth0.com, and you can grab it from the Test tab (make sure not to include https:// and the last forward slash /).

Getting the Auth0 domain

Next, pass those values into variables so they can be used in the validation functions.

AUTH0_DOMAIN = 'YOUR-AUTH0-DOMAIN'
API_IDENTIFIER = 'API-IDENTIFIER'
ALGORITHMS = ["RS256"]

Error methods

During this implementation, we will need a way to throw errors when authentication fails. So we will use the following helpers for those needs:

class AuthError(Exception):
    def __init__(self, error, status_code):
        self.error = error
        self.status_code = status_code

@app.errorhandler(AuthError)
def handle_auth_error(ex):
    response = jsonify(ex.error)
    response.status_code = ex.status_code
    return response

How to capture the JWT token

The first step to validate a user is to retrieve the JWT token from the HTTP headers. This is very simple, but there are a few things to keep in mind. Here is an example of it:

def get_token_auth_header():
    """
    Obtains the Access Token from the Authorization Header
    """
    auth = request.headers.get("Authorization", None)
    if not auth:
        raise AuthError({"code": "authorization_header_missing",
                        "description":
                            "Authorization header is expected"}, 401)

    parts = auth.split()

    if parts[0].lower() != "bearer":
        raise AuthError({"code": "invalid_header",
                        "description":
                            "Authorization header must start with"
                            " Bearer"}, 401)
    elif len(parts) == 1:
        raise AuthError({"code": "invalid_header",
                        "description": "Token not found"}, 401)
    elif len(parts) > 2:
        raise AuthError({"code": "invalid_header",
                        "description":
                            "Authorization header must be"
                            " Bearer token"}, 401)

    token = parts[1]
    return token

How to validate the token

Having a token passed to our API is a good sign, but it doesn’t mean that it is a valid client. We need to check the token signature.

Since the logic to require authentication can be used for more than one endpoint, it would be important to abstract it and make it easily accessible for developers to implement. The best way to do this is by using decorators.

def requires_auth(f):
    """
    Determines if the Access Token is valid
    """
    @wraps(f)
    def decorated(*args, **kwargs):
        token = get_token_auth_header()
        jsonurl = urlopen("https://"+AUTH0_DOMAIN+"/.well-known/jwks.json")
        jwks = json.loads(jsonurl.read())
        unverified_header = jwt.get_unverified_header(token)
        rsa_key = {}
        for key in jwks["keys"]:
            if key["kid"] == unverified_header["kid"]:
                rsa_key = {
                    "kty": key["kty"],
                    "kid": key["kid"],
                    "use": key["use"],
                    "n": key["n"],
                    "e": key["e"]
                }
        if rsa_key:
            try:
                payload = jwt.decode(
                    token,
                    rsa_key,
                    algorithms=ALGORITHMS,
                    audience=API_IDENTIFIER,
                    issuer="https://"+AUTH0_DOMAIN+"/"
                )
            except jwt.ExpiredSignatureError:
                raise AuthError({"code": "token_expired",
                                "description": "token is expired"}, 401)
            except jwt.JWTClaimsError:
                raise AuthError({"code": "invalid_claims",
                                "description":
                                    "incorrect claims,"
                                    "please check the audience and issuer"}, 401)
            except Exception:
                raise AuthError({"code": "invalid_header",
                                "description":
                                    "Unable to parse authentication"
                                    " token."}, 401)

            _request_ctx_stack.top.current_user = payload
            return f(*args, **kwargs)
        raise AuthError({"code": "invalid_header",
                        "description": "Unable to find appropriate key"}, 401)
    return decorated

The newly created requires_auth decorator, when applied to an endpoint, will automatically reject the request if no valid user can be authenticated.

How to require an authenticated request for an endpoint

We are ready to secure our endpoints, let’s update the user and admin endpoints to utilize our decorator.

@app.route("/user")
@requires_auth
def user_view():
    """
    User endpoint, can only be accessed by an authorized user
    """
    return jsonify(msg="Hello user!")

@app.route("/admin")
@requires_auth
def admin_view():
    """
    Admin endpoint, can only be accessed by an admin
    """
    return jsonify(msg="Hello admin!")

Our only change was adding @required_auth at the top of the declaration of each endpoint function, and with that we can test once again:

~ curl -i http://localhost:5000/user
HTTP/1.0 401 UNAUTHORIZED
Content-Type: application/json
Content-Length: 89
Server: Werkzeug/2.0.1 Python/3.9.1
Date: Tue, 24 Jan 2023 21:42:26 GMT

{"code":"authorization_header_missing","description":"Authorization header is expected"}

~ curl -i http://localhost:5000/admin
HTTP/1.0 401 UNAUTHORIZED
Content-Type: application/json
Content-Length: 89
Server: Werkzeug/2.0.1 Python/3.9.1
Date: Tue, 24 Jan 2023 21:42:42 GMT

{"code":"authorization_header_missing","description":"Authorization header is expected"}

As expected, we can’t access our endpoints as the authorization header is missing. But before we add one, let’s see if our public endpoint still works:

~ curl -i http://localhost:5000
HTTP/1.0 200 OK
Content-Type: application/json
Content-Length: 23
Server: Werkzeug/2.0.1 Python/3.9.1
Date: Tue, 24 Jan 2023 21:43:55 GMT

{"msg":"Hello world!"}

Awesome, it works as expected.

How to test it out

For testing our newly secured endpoints, we need to get a valid access token that we can pass to the request. We can do that directly on the Test tab on the API details page, and it’s as simple as copying a value from the screen:

Copying the token for testing

Once we have the token we can change our curl request accordingly:

~ curl -i -H "Authorization: bearer [ACCESS_TOKEN]"  http://localhost:5000/user
HTTP/1.0 200 OK
Content-Type: application/json
Content-Length: 22
Server: Werkzeug/2.0.1 Python/3.9.1
Date: Tue, 24 Jan 2023 22:17:06 GMT

{"msg":"Hello user!"}

Please remember to replace [ACCESS_TOKEN] with the value you copied from the dashboard.

It works! But we still have some work to do. Even though our /admin endpoint is secured, it can be accessed by any user:

~ curl -i -H "Authorization: bearer [ACCESS_TOKEN]"  http://localhost:5000/admin
HTTP/1.0 200 OK
Content-Type: application/json
Content-Length: 23
Server: Werkzeug/2.0.1 Python/3.9.1
Date: Tue, 24 Jan 2023 22:21:09 GMT

{"msg":"Hello admin!"}

Role-based access control

For role-based access control there’s a few things we need to do:

1. Create permissions for the API
2. Enable adding permissions to the JWT for the API
3. Update the code
4. Test with users

The first 2 points are very well explained in the Auth0 docs, so just make sure you add the corresponding permissions on your API.

Next, we need to update the code. We need a function to check if a given permission exists in the access token and return True if it does and False if it does not:

def requires_scope(required_scope):
    """
    Determines if the required scope is present in the Access Token
    Args:
        required_scope (str): The scope required to access the resource
    """
    token = get_token_auth_header()
    unverified_claims = jwt.get_unverified_claims(token)
    if unverified_claims.get("scope"):
            token_scopes = unverified_claims["scope"].split()
            for token_scope in token_scopes:
                if token_scope == required_scope:
                    return True
    return False

And lastly, it can be used as follows:

@app.route("/admin")
@requires_auth
def admin_view():
    """
    Admin endpoint, can only be accessed by an admin
    """
    if requires_scope("read:admin"):
        return jsonify(msg="Hello admin!")

    raise AuthError({
        "code": "Unauthorized",
        "description": "You don't have access to this resource"
    }, 403)

Now, only users with the permission read:admin can access our admin endpoint.

In order to test your final implementation, you can follow the steps detailed on obtaining an access token for a given user.

You can also use the Auth0 Dashboard to test permissions, but that is outside the scope of this article. If you would like to learn more about it, read here.

Conclusion

Today we learned how to secure a Flask API. We explored the do-it-yourself path, and we built a secure API with three levels of access – public access, private access and privately-scoped access.

There’s so much more that Auth0 can do for your APIs and also for your client applications. Today we just scratched the surface, and it’s up to you and your team when working with real-life scenarios to explore all the potential of their services.

The full code is available on GitHub.

Thanks for reading! If you like my teaching style, you can Subscribe to my weekly newsletter for developers and builders and get a weekly email with relevant content.

You got into freelancing so you could work when you want, make more money, and control your life.

But, if you haven’t realized it yet, building a career as a freelancer requires you to embrace more than just writing code.

Part of developing your career is branding.

You recognize something magical about big brands like Apple, Mcdonald's, or Shell.

You see a logo and know instantly what it stands for and what it delivers.

These international companies have huge marketing budgets, so they can spend large amounts of money on branding.

You probably also recognize the personal brands of well-known celebrities who are associated with certain types of movies or who promote popular products.

Yet you feel that pinning down your personal brand is hard. It is!

But don’t worry. I’m going to walk you through a simple process for building a personal brand.

By the time you're done reading this article, you’ll know how to build your brand.

Why Building a Personal Brand is Important

As I mentioned in How to Generate Leads as a Freelancer, it can be tough to stand out from the crowd. So you need to showcase your business and make connections with potential clients.

One way to do this is to harness the power and potential of a personal brand.

Many freelancers think branding is hard, complicated, time-consuming, or unpleasant.

It can be, but only if you approach it the wrong way.

Your personal brand is very simple - it’s you.

It’s the picture of you, the essence of how you work, and how you want people to talk about you when they tell others about your work.

• Daniel is a database engineer who does great work in both SQL and PHP.
• Erin is a full-stack web developer who helps small companies create websites ready for Web3.
• Juan teaches people how to build a career as a programmer.

All three of these are examples of a personal brand that connects what they do and what they want others to think about when they think of their brands.

It all starts here by identifying what you do and how you want other people to talk about and think about you and your work. When you know this, everything else becomes easy.

How to Start Building Your Personal Brand

You begin by committing to one essential thing: staying true to yourself.

Your brand can’t be some digital costume you wear to get clients. They’ll see through that in a heartbeat.

It needs to come from who you are.

So, ask yourself three questions:

1. Who am I?

Start by defining yourself as a freelancer with 3 - 4 key words or phrases that you want to define your work, such as:

• Creative
• Easy to work with
• Hardworking
• Reliable

How do you want people to describe what it means to work with you?

2. What do I do?

Then, get specific about what you do (and what you don’t do). For example,

• I design mobile-responsive websites using Java and PHP.
• I write secure apps based on Web3 technology.
• I close security gaps in websites and recover business sites that have been hijacked with ransomware.

These statements don’t say, “I design websites” or “I write apps.” That’s too generic.

Be specific about what you do.

Getting clear about what you do means you’ll attract the right type of clients.

3. What makes me unique?

Finally, it’s easy to chase a persona or identity you’ve seen used successfully by someone else. But don’t do something because you’ve seen it be successful for someone else.

Stay true to who you are (refer to your Who Am I? list):

• Do you love to change your hair color? Embrace that.
• Do you have a defining personality trait that makes you different or special? Promote it.
• Do you have a particular skill or spread of skills that means you can offer something unique? Don’t hide it – use it as a way to differentiate yourself.

For more tips on How to Promote Your Services (and yourself) as a Freelancer, read this.

Define Your Look

This is the hard part, especially for those of us who are not natural designers.

Surprisingly, you want to know the hardest part about defining your look?

Keeping it simple.

The mistake most people make in developing the visuals for a brand is that they develop things that are far too complicated and detailed.

When you work on defining the “look” for your business, follow three principles:

1. Keep everything related to your brand within 2-3 colors.
2. Design a simple and timeless logo.
3. Invest in good photos.

Don’t chase trends, “in colors,” or new and exciting things. Find and embrace something that will look good all the time.

The colors you use, the logo on your emails and letterhead, and the images you use for social media will define your brand and will communicate a lot of subtle things about how it is to work with you.

If it’s simple, clear, and easy, YOU will be associated with these things.

There are a lot of books, blogs, and websites that teach you what colors to choose and how to build a visual brand.

But, for most freelancers, the best piece of advice is simple:

Get help from an expert.

I understand the impulse to save money by trying to do it yourself.

But unless you have some design skills (or want to spend a lot of time learning), you lose far more than you win by trying to do it yourself.

It takes more time, you’ll make more mistakes, and the results won’t be nearly as good as they could be.

Someone who knows the principles of design will make you look better than you will.

Remember the importance of first impressions!

Old, fuzzy, outdated photos of yourself are unprofessional and could stop new clients from working with you.

And, just because your friend claims to design logos doesn’t mean they are good at it.

Instead, take the plunge and invest in a professional photographer, or hop onto 99designs and have someone develop a logo for you.

Get expert advice to figure out how your website should flow.

Find someone who specializes in web design to help you improve the look and feel of your site.

Even though it may cost more upfront, these investments will reward you with a brand that attracts clients and genuinely represents you.

Tell Your Story

Every freelancer needs to be able to talk about their business fluently and comfortably.

But you’d be surprised how hard it is for many freelancers to answer the question, What do you do?

The key is to prepare ahead of time.

Write out (literally) what you’ll say to people and how you’ll describe your freelancing career before they ask the question.

Your answers will come out clearer, they’ll sound polished, and you’ll feel better delivering them when you aren’t making it up on the spot.

There are four “versions” of your story that you’ll need to develop.

1. The tagline/slogan.

• Bringing websites into the web3 era.
• Web development made simple.
• Integrating your website into everything you do.

A good tagline is clear, short, and delivers the essential value of what you do in one simple statement.

Notice what a tagline does not have: details, explanations, or descriptions. Instead, it focuses on the benefits you deliver.

You use a tagline in a website header, on a business card, or to book-end a promotional video in places where you don’t have time or space to get detailed.

2. The elevator pitch

This expands on the tagline by giving just a bit more information and focusing on the service you provide (instead of simply the benefit).

• I help small businesses integrate web3 technology into websites before their competitors.
• As a full-stack developer, I manage and coordinate website design and updates for businesses.
• I help businesses find ways to use their websites to increase sales and cut costs, improving business revenue.

The elevator pitch is great for introductions and introducing yourself at a conference. It gives someone just a bit of detail, but not enough to feel overwhelmed or like you are trying to make a sale with them.

3. A short bio

This is a few sentences or short paragraphs about how you started doing what you do and why you have customers today.

I graduated in 2015 from __ University with a degree in computer engineering. After several years of honing my skills in a corporate setting, I decided to take what I’d learned and help small businesses achieve the same success.

In 2019, I launched my own freelance career, and by 2020, it grew into a full-time career.

Today, I’ve worked with clients in 3 countries, successfully completing more than 45 different website projects covering everything from website redesigns to integrating new functionality into existing websites.

Everything in this description communicates information relevant to someone who is considering hiring you by answering questions about experience, success, and expertise.

If you are giving a presentation at a local chamber of commerce event or a breakout session at a regional conference, a short bio is a great thing to provide to attendees. It’s also great to have ready-to-go for initial client meetings or sales calls because you can give them important, relevant information to establish your credibility.

4. A long bio

The difference between a short and long bio is more than length.

In the longer bio, you can add a bit more personality (though you should keep this simple) and more details about your business.

In the example below, you’ll notice where I added some additional detail.

I graduated in 2015 from __ University with a degree in computer engineering. This degree focused on programming, giving me expertise in SQL, PHP, Python, and Java.

After several years of honing my skills in a corporate setting **leading increasingly large teams at __ and __**, I decided to take what I’d learned and help small businesses achieve the same success._

In 2019, I launched my own freelance career, and by 2020, it grew into a full-time career. Today, I’ve worked with clients in 3 countries, successfully completing more than 45 different website projects covering everything from website redesigns to integrating new functionality into existing websites.

Over the course of this time, my projects have become increasingly complex. Not only have I gained experience in several additional languages and skills, but I’ve also become a Six Sigma Green Belt.

The long bio is great for the “about” page on your website.

By planning ahead (and literally writing out) these four versions of your story, you’ll feel more confident selling your brand to clients and answering any questions they may have about your business.

Following the steps I’ve laid out so far will help you hone and develop your unique brand to represent your freelance business. But successful marketing doesn’t stop with that.

Share Your Work

Building your brand is only good if people see it. Once you’ve established your brand identity, it’s time to share it with the world.

As I emphasize in How to Get Better at Sales, selling and marketing your business requires a long-term mindset. You must actively pursue new connections and opportunities.

When you complete a new project, share it with current and potential clients.

Seek and share client testimonials.

Get active on social media by answering questions, offering your insight on important questions in your field, and building a following.

Interact with people – everywhere.

This could be on social media, tweeting, replying, and re-tweeting your brand and business.

But this could also involve building a blog or speaking at conferences. You could start a podcast or become active at your local Chamber.

And don’t forget to focus on giving back to people in your community.

It’s easy to turn every interaction into a transaction, measuring it by whether or not you’ve gained followers, increased subscribers, or signed a new client.

But, one of the most important elements to developing a real, vibrant, and believable personal brand is to give back to people.

So, be generous with your time, expertise, and knowledge because people will notice.

Examples of developers with a great personal brands

Simon Høiberg

Simon is a great example of a developer who's cultivated his personal brand. Just by looking at his Twitter profile we can easily understand all about his brand.

He makes it very clear from the go what you would expect from him on the platform, what is he working on, his YouTube channel, and his passion to talk about SaaS, tech, and business.

His growth has been exponential everywhere he goes – Twitter, LinkedIn, and YouTube.

If you want get inspiration, definitely check him out.

James Q. Quick

Once again, an example of delivering a message directly on his Twitter profile, we have James. Just with a quick look we can tell he is all about content creation for developers, he does public speaking, online teaching, and he runs a podcast.

Ania Kubów

Ania is another great example. She focuses on building games with JavaScript on her YouTube channel and is also a super star here at freeCodeCamp.

Her brand is very clear and distinctive when you look at her social media profiles.

Conclusion

You can build an honest, vibrant, and engaging personal brand, even if marketing isn’t your particular strength.

The keys are simple:

• Define who you are and what makes your business unique
• Invest in a professional to help to design your brand.
• Prepare (in advance) to tell your story.
• Share your personal brand and your work through genuine connections with people.

Follow my advice, and you’ll soon reap the benefits of a successful marketing brand that attracts clients and allows you to pursue the financial and flexible rewards of freelancing.

Before you go, if you want to learn more about web development, how to code, freelancing and making money online as a developer, check out my free newsletter.

Thanks for reading!

They've worked on developing algorithms that would detect the disease within a matter of seconds – and only by looking at chest X-rays and/or CT scan images.

Some of these techniques have proven to be extremely useful and accurate in diagnosing COVID-19 cases.

There are multiple approaches that use both machine and deep learning to detect and/or classify of the disease. And researches have proposed newly developed architectures along with transfer learning approaches.

In this article, we will look at a transfer learning approach that classifies COVID-19 cases using chest X-ray images.

The model we are going to use is one of the seven variants of the EfficientNet architecture. We will use a pre-trained model on the immense ImageNet dataset. EfficientNet is an advanced and complex convolutional neural network-based architecture.

We will further investigate the details of Convolutional Neural Networks, pre-trained models, and EfficientNet during the course of this article. I've divided it into five parts:

1. What are convolutional neural networks?
2. A dive into transfer learning.
3. What is EfficientNet?
4. An introduction to PyTorch.
5. Implementation of COVID-19 classifier using EfficientNet with PyTorch.

This tutorial assumes that you have prior knowledge of both machine learning and deep learning. If you want to further develop your foundation in these topics, check out this article on Artificial Intelligence vs Machine Learning vs Deep Learning.

Also, although the dataset we'll work with here is COVID-related, you can apply the actual code implementation and analysis to other datasets.

What is a Convolutional Neural Network?

Convolutional Neural networks (CNNs) are a type of deep neural network that works on visual data – this is, images. A CNN takes an image as an input and performs two or three-dimensional convolutional operations on the image with several filters, also referred to as kernels.

These convolution operations output a 2D or 3D matrix which contains the learnable weights and biases regarding the spatial information of the input image. This output matrix is referred to as the feature map of the image.

Processing a convolutional neural network in the training process can be, in some cases, extremely slow. This is why it's a good idea to use GPUs and TPUs during training for deep learning techniques, especially convolutional neural networks.

Convolutional neural networks learn spatial and temporal information about the image far better than the basic feed forward neural network. Also, CNNs can reduce the size of the image while retaining the most important information in the image, which is crucial for predictive analysis of images.

Source

The starting layers of convolutional neural networks learn the abstract and simpler features in an image, such as lines and edges. But as we move deeper into the network, the feature map turns to the more complex structures in the image.

It starts to learn the more specific features of the image, such as a cat, a dog, or a person, the same way we would, as humans, perceive the world around us. This is a core concept in modern deep learning-based computer vision.

Now before we move on to advanced concepts, it is important to learn the basics of 2D convolution.

What is 2D Convolution?

2D convolution is a bit complex to explain, but here it goes: if the convolutional process (which is extensively used in h1-D signal processing) is performed between two signals – but not just along a single dimension, rather along two mutually perpendicular dimensions – it is called 2D convolution.

In the case of images, the two mutually perpendicular dimensions are the rows and columns of a greyscale image. The convolutional operation is mathematically done by multiplying and then accumulating the values of the overlapping samples of the two input signals, where one of the signals is flipped. The output of this multiplication and accumulation gives a single point on the feature map.

In the case of CNNs, the image is one signal and the filter/kernel is the second signal which is flipped. The size of the kernel is always smaller than that of the image.

The flipped kernel is then swept across the whole image both row by row and column by column to output the feature map.

2d convolution

Here a 3x3 kernel is swept across a 6x6 image to output a 4x4 feature map. As you can see, the dimensions of the output feature map are smaller than the input image. So there are a few concepts used in convolution to control the dimensions of the output feature map. These include padding, stride, and kernel size.

Padding is the manual addition of rows and columns around the input to keep the output dimension the same as the input dimension or vary it.

Stride refers to the jump the kernel takes during the sweep, both in columns and rows. In the example above, the stride of the convolution is 1 as the kernel is moving one unit in both rows and columns.

Kernel size refers to the dimensions of the kernel used. Changing the dimensions of the kernel to be swept changes the output size of the feature map.

The image below describes the convolution with the same kernel size but with a padding of 1 and stride of 2.

The equation that describes the relationship of stride, padding, and kernel size to input and output dimensions is as follows:

The concept of 3D convolution is just an extension of 2D convolution where both the input image and the kernel are three-dimensional.

Like 2D convolution, we sweep the three-dimensional kernel across the whole image in two mutually perpendicular dimensions, namely the rows and the columns.

We do not usually sweep the kernel across the color channels because the kernel has the same third dimension, that is the channel length, as the original image. This gives an output feature map that is two-dimensional instead of three.

To learn more about the details of 3D convolution, you can read this article.

What is Transfer Learning?

In transfer learning, you take a machine or deep learning model that is pre-trained on a previous dataset and use it to solve a different problem without needing to re-train the whole model.

Instead, you can just use the weights and biases of the pre-trained model to make a prediction. You transfer the weights from one model to your own model and adjust them to your own dataset without re-training all the previous layers of the architecture.

We use transfer learning in the applications of convolutional neural networks and natural language processing because it decreases the computation time and complexity of the training process. And, in many cases, it performs surprisingly well.

This also helps in cases where we have limited data available – since neural networks demand an extremely large amount of data to achieve good performance.

This means that using transfer learning methods can greatly reduce the demand for data since the weights and biases are pre-adjusted and are able to work better with just a small amount of data by tweaking the weights and biases a little.

But transfer learning models do not always give you great performance (although the newer architectures perform efficiently on almost every problem). Still, sometimes the problem at hand needs an architecture that is pre-trained on data that's similar to what you have. This factor depends upon the complexity of the problem you are trying to solve.

There are a couple ways you can perform transfer learning:

1. Using a pre-trained model.
2. Developing a new model.

You can use a pre-trained model in two ways. First, you can use the pre-trained weights and biases as initial parameters for your own model, and then train a whole convolutional model using those weights.

The other way is to perform feature extraction from the pre-trained model. You use the parameters of the pre-trained model to extract features from your input image and just train a simple classifier on top of it.

Another option is that if you have a problem with a small amount of data, you develop another model for a similar problem that has a large amount of data and train the model. Then you can use the trained weights from the new model to solve the original problem with less data.

In this tutorial, we will be using a pre-trained model as a feature extractor and we'll train a simple classifier on top of it to output the prediction.

There are many well-known architectures in the field of deep learning that are nowadays used for the purpose of transfer learning. Almost all of these are trained on the ImageNet dataset which is the largest open-source dataset available. It contains around 1000 classes and has around fifteen million instances.

Among these pre-trained architectures, LeNet is the first one that was proposed in 1998. Other well-known models include VGG, ResNet, AlexNet, GoogleNet, Inception, and Xception.

EfficientNet is also part of the series that was proposed recently, in 2019.

What is EfficientNet?

EfficientNet (or perhaps it's better to say EfficientNets) is a family of convolutional neural network-based image classification models. They perform extremely well on the state-of-the-art ImageNet dataset and other popular datasets such as CIFAR-100 and Flowers.

In addition to performing so well, the architecture is small and computes faster than any of the previous models. The architecture has variants ranging from EfficientNet-B0 up to EffieicntNet-B7.

The variants ranging from B0 to B7 are based on the compound scaling method to scale up the baseline in B0 to obtain B1 to B7. EfficientNet-B7 acquired a Top-1 accuracy of 84.4% on the ImageNet dataset, which is the highest level of Top-1 accuracy ever achieved on ImageNet.

If you want to learn more about how EfficientNets work, you can read this paper ‘Efficientnet: Rethinking Model Scaling for Convolutional Neural Networks.’

Source

In the coding tutorial further along in this article, we'll be using the EfficientNet-B0 as a feature extractor and a classifier on top of it to classify COVID-19 using chest x-ray images.

An Introduction to PyTorch

PyTorch is a Python-supported library that helps us build deep learning models. Unlike Keras (another deep learning library), PyTorch is flexible and gives the developer more control.

It is similar to NumPy in processing but has a faster GPU acceleration. To learn more about NumPy and its features, you can check out this in-depth guide along with its documentation.

PyTorch has a data structure known as a ‘Tensor’ that is similar to the NumPy ndarray but it has the option to operate on GPU.

PyTorch provides an uncomplicated way to switch computation between a CPU and a GPU. It also supports processing on NumPy arrays by simply providing a built-in module that can convert NumPy arrays into Tensors and vice versa.

One of the handiest modules in PyTorch is grad(). It allows you to compute the gradient of a tensor as it goes forward into processing without needing to manually compute the gradient and store it.

This gives you greater control of your deep learning operations, specifically back propagation, during the training process. This is helpful when computing the loss function which lets you adjust the parameters of a model.

We can also limit a tensor so that its gradient is not computed during the entire process by making the module's requires_grad equal False. To learn more about tensors and how to perform gradient computations in PyTorch, you can check out this tutorial and this course.

How to Implement a COVID-19 Classifier using EfficientNet with PyTorch

Now let's move on to the practical implementation of EfficientNet in PyTorch. We will use the B0 variant of the EfficientNet family.

First, we'll examine the data and preprocess it. Kaggle has an vast library of datasets available for open-source use in projects and research. There are no limits as to what dataset can be used for this project. You can use any dataset containing chest X-ray images of COVID-19 patients and people without COVID.

For the sake of this tutorial, we'll use this dataset here. But for the code to work on your custom dataset, you must divide your data into three directories: train, test, and valid.

Each directory should contain two more directories with the labels covid and normal. These covid and normal folders will contain the images corresponding to the specific class of the directory they are present in.

The original dataset we'll use in this article contains three folders: covid, normal, and pneumonia. We discard the pneumonia folder completely and divide the other data in the same way described above.

We do this to create a logical division between the data used for training and the data used for testing and validation. Also, PyTorch, by default, takes the name of the folder, an instance it is present in, as the label of the class – so we do not have a label file corresponding to the input dataset.

The data and the architecture

Let's have a look at the data. Below we can see the x-ray images of patients with COVID-19:

And here we can see the normal category’s x-ray images:

There are 237 total layers in the B-0 architecture. The whole architecture can be condensed into the following diagrams. We provide the x-ray data to the input layer.

Source

We will freeze the learning of the weights across all these blocks as we will be using the pre-trained weights to extract the features from our own input.

We'll do the feature extraction after the input passes Module 7. We then transfer the feature map obtained from Module 7 to our own final classification layers (this is why it's called transfer learning). We top the architecture with the following top layers:

• BatchNorm1d
• Linear(output neurons = 512)
• ReLU()
• BatchNorm1d()
• Linear(output neurons = 128)
• ReLU()
• BatchNorm1d()
• Dropout(probability of zeroing the parameters = 0.4)
• Linear(output neurons = 2)

Let's head over to the code

Now before we start the code, there are a couple of dependencies we need to install. First, you'll need to install PyTorch on your local machine. You can do this using the pip install command in your Python environment. Refer here to install it depending on your machine (whether it has GPU available or not).

Before you move on to the code, I strongly recommend that you actually work through the code yourself. This makes it much easier to understand. With that said, you can access the full code in a Jupyter notebook here.

You also need to install Efficientnet support for PyTorch into the same Python environment. Run the command below to install it:

pip install efficientnet_pytorch

Apart from this you will need to import some other dependencies at the start of the code.

Now we start building the classification model. To start, we import all the necessary modules:

#importing required modules
import gdown
import zipfile
import numpy as np
from glob import glob
import matplotlib.pyplot as plt
import torch
import torch.nn as nn
from torchsummary import summary
from torchvision import datasets, transforms as T
from efficientnet_pytorch import EfficientNet
import os
import torch.optim as optim
from PIL import ImageFile
from sklearn.metrics import accuracy_score

All these modules are essential to perform multiple functions across the model. You can install all the absent modules using the pip command.

Then we download and extract the data we prepared for the model:

#importing data
#Dataset address
url = 'https://drive.google.com/uc?export=download&id=1B75cOYH7VCaiqdeQYvMuUuy_Mn_5tPMY'
output = 'data.zip'
gdown.download(url, output, quiet=False)
#giving zip file name
data_dir='./data.zip'
#Extracting data from zip file
with zipfile.ZipFile(data_dir, 'r') as zf:
zf.extractall('./data/')

The gdown.download module downloads the data from the URL provided and the zipfile.extractall extracts the data into the same directory where you currently are (or the same runtime if you are working on Google Colab).

I highly recommend working on Google Colab for this project in case you do not locally have a GPU available.

Next, create a check variable to check the availability of a GPU.

#Checking the availability of a GPU
use_cuda = torch.cuda.is_available()

This module returns ‘True’ if GPU is available and ‘False' if not.

Next, we need to apply pre-processing techniques to the data. Since our data is pre-augmented, we do not need to apply many pre-processing techniques to it. We only resize all the images to a single size of (224,224). We do this because the images in our dataset are all of different dimensions and we need a consistent dimension for the model.

We'll also convert the images to tensors to be processed by PyTorch and then we normalize all the images. This normalize function normalizes all the images with a mean and standard deviation of 0.5.

After that, we create the locations for the train, test and validation sets which will be given as input to the ‘datasets’ module. We do this so that the PyTorch model knows exactly where the data is located and also so that that data can be loaded to the GPU. We keep a batch size of 32.

#declaring batch size
batch_size = 32

#applying required transformations on the dataset
img_transforms = {
    'train':
    T.Compose([
        T.Resize(size=(224,224)), 
        T.ToTensor(),
        T.Normalize([0.5, 0.5, 0.5], [0.5, 0.5, 0.5]), 
        ]),

    'valid':
    T.Compose([
        T.Resize(size=(224,224)),
        T.ToTensor(),
        T.Normalize([0.5, 0.5, 0.5], [0.5, 0.5, 0.5])
        ]),

    'test':
    T.Compose([
        T.Resize(size=(224,224)),
        T.ToTensor(),
        T.Normalize([0.5, 0.5, 0.5], [0.5, 0.5, 0.5])
        ]),
     }

# creating Location of data: train, validation, test
data='./data/'

train_path=os.path.join(data,'train')
valid_path=os.path.join(data,'test')
test_path=os.path.join(data,'valid')


# creating Datasets to each of  folder created in prev
train_file=datasets.ImageFolder(train_path,transform=img_transforms['train'])
valid_file=datasets.ImageFolder(valid_path,transform=img_transforms['valid'])
test_file=datasets.ImageFolder(test_path,transform=img_transforms['test'])


#Creating loaders for the dataset
loaders_transfer={
    'train':torch.utils.data.DataLoader(train_file,batch_size,shuffle=True),
    'valid':torch.utils.data.DataLoader(valid_file,batch_size,shuffle=True),
    'test': torch.utils.data.DataLoader(test_file,batch_size,shuffle=True)
}

After pre-processing, we move on to building the model.

#importing the pretrained EfficientNet model

model_transfer = EfficientNet.from_pretrained('efficientnet-b0')

# Freeze weights
for param in model_transfer.parameters():
    param.requires_grad = False
in_features = model_transfer._fc.in_features


# Defining Dense top layers after the convolutional layers
model_transfer._fc = nn.Sequential(
    nn.BatchNorm1d(num_features=in_features),    
    nn.Linear(in_features, 512),
    nn.ReLU(),
    nn.BatchNorm1d(512),
    nn.Linear(512, 128),
    nn.ReLU(),
    nn.BatchNorm1d(num_features=128),
    nn.Dropout(0.4),
    nn.Linear(128, 2),
    )
if use_cuda:
    model_transfer = model_transfer.cuda()

First, we import the EfficientNet-B0 model with its pre-trained weights. Next, we disable the training of the parameters of the model because we are going to use the pre-trained parameters to extract features from our data.

Then we replace the top fully connected layers of the model with our own classifier.

Batchnorm normalizes the whole batch of data into the number of neurons given as an argument. This reduces the complexity of the model and prevents it from overfitting. Dropout does something similar – it zeroes out some neurons in the model with a probability of the value given as an argument.

The Linear layer is a simple fully-connected neural network layer.

Finally, we transfer our model to the GPU, if available.

# selecting loss function
criterion_transfer = nn.CrossEntropyLoss()

#using Adam classifier
optimizer_transfer = optim.Adam(model_transfer.parameters(), lr=0.0005)

Here, we select the loss function and the optimizer for our training phase. We also define the value of the learning rate for the optimizer. You can change this value to see how different learning rates influence the model in different ways.

Next, we move on to the training of the model.

ImageFile.LOAD_TRUNCATED_IMAGES = True

# Creating the function for training
def train(n_epochs, loaders, model, optimizer, criterion, use_cuda, save_path):
    """returns trained model"""
    # initialize tracker for minimum validation loss
    valid_loss_min = np.Inf 
    trainingloss = []
    validationloss = []

    for epoch in range(1, n_epochs+1):
        # initialize the variables to monitor training and validation loss
        train_loss = 0.0
        valid_loss = 0.0

        ###################
        # training the model #
        ###################
        model.train()
        for batch_idx, (data, target) in enumerate(loaders['train']):
            # move to GPU
            if use_cuda:
                data, target = data.cuda(), target.cuda()

            optimizer.zero_grad()
            output = model(data)
            loss = criterion(output, target)
            loss.backward()
            optimizer.step()

            train_loss = train_loss + ((1 / (batch_idx + 1)) * (loss.data - train_loss))

        ######################    
        # validating the model #
        ######################
        model.eval()
        for batch_idx, (data, target) in enumerate(loaders['valid']):
            if use_cuda:
                data, target = data.cuda(), target.cuda()

            output = model(data)
            loss = criterion(output, target)
            valid_loss = valid_loss + ((1 / (batch_idx + 1)) * (loss.data - valid_loss))

        train_loss = train_loss/len(train_file)
        valid_loss = valid_loss/len(valid_file)

        trainingloss.append(train_loss)
        validationloss.append(valid_loss)

        # printing training/validation statistics 
        print('Epoch: {} \tTraining Loss: {:.6f} \tValidation Loss: {:.6f}'.format(
            epoch, 
            train_loss,
            valid_loss
            ))

        ## saving the model if validation loss has decreased
        if valid_loss < valid_loss_min:
            torch.save(model.state_dict(), save_path)

            valid_loss_min = valid_loss

    # return trained model
    return model, trainingloss, validationloss

We create a function for the training and validation phase of the model. We allow the model to accept truncated images also with fewer than three channels. We initialize the values of the train and validation losses and start the training loop. We import the data batch by batch from the data loaders and perform the training operations.

After the training loop, we start the validation loop where we only compute the loss and the output predictions and do not update the parameters as we did in the training loop. We save the model which has the minimum loss for the validation set.

# training the model

n_epochs=10

model_transfer, train_loss, valid_loss = train(n_epochs, loaders_transfer, model_transfer, optimizer_transfer, criterion_transfer, use_cuda, 'model.pt')

We run the model for 10 epochs, that is 10 loops. You can change the number of epochs and test out the loss values. The saved model is saved under the name model.pt. Now we load the model and move on to the testing phase.

# Defining the test function

def test(loaders, model, criterion, use_cuda):

    # monitoring test loss and accuracy
    test_loss = 0.
    correct = 0.
    total = 0.
    preds = []
    targets = []

    model.eval()
    for batch_idx, (data, target) in enumerate(loaders['test']):
        # moving to GPU
        if use_cuda:
            data, target = data.cuda(), target.cuda()
        # forward pass
        output = model(data)
        # calculate the loss
        loss = criterion(output, target)
        # updating average test loss 
        test_loss = test_loss + ((1 / (batch_idx + 1)) * (loss.data - test_loss))
        # converting the output probabilities to predicted class
        pred = output.data.max(1, keepdim=True)[1]
        preds.append(pred)
        targets.append(target)
        # compare predictions
        correct += np.sum(np.squeeze(pred.eq(target.data.view_as(pred))).cpu().numpy())
        total += data.size(0)

    return preds, targets

# calling test function
preds, targets = test(loaders_transfer, model_transfer, criterion_transfer, use_cuda)

We now create a test function to apply our model to our test dataset and evaluate its performance.

We pass the dataset batch by batch as we did in the train and testing phase, but we only do it once here instead of 10 epochs. This is because we just have to test the model and not update the parameters.

The function returns the predictions it computed for the input test set and also the original target values of the test set.

Now we compute the accuracy of the model. First, we need to convert the tensors, that is predictions and targets, into NumPy arrays. We do this by first moving them from the GPU to the CPU and then converting them to NumPy arrays. The following code does this:

#converting the tensor object to a list for metric functions

preds2, targets2 = [],[]

for i in preds:
  for j in range(len(i)):
    preds2.append(i.cpu().numpy()[j])
for i in targets:
  for j in range(len(i)):
    targets2.append(i.cpu().numpy()[j])

Now we compute the accuracy using the accuracy metric of the sklearn library.

#Computing the accuracy
acc = accuracy_score(targets2, preds2)
print("Accuracy: ", acc)

Our model had an accuracy of 95.45%.

The next image is the confusion matrix for the test run of the classifier. In it, you can see the visual of the model’s performance. The actual labels indicate whether the person had COVID or not, while the predicted labels indicate how our model classified the images.

As we can see, our model predicted most of the labels correctly. The small portion of wrongly predicted labels include 7 people who did not have COVID, but our model predicted they did. This is not too alarming.

On the other hand, there were 14 examples where our model predicted that they did not have COVID, but they did. In machine learning, these are called false negatives. This is a very alarming situation because we would've sent home people suffering from COVID-19. This would increase their risk that the disease would get worse.

Conclusion

Convolutional neural networks have proved extremely useful in computer vision techniques, and we can also use them efficiently in medical imaging and diagnosis.

Transfer learning is an effective method for using pre-trained architectures to perform efficiently in other applications.

But as we saw above, using these models depends upon what kind of problem we have and what our objectives are. Just like in the detection of COVID-19, we would prefer to have a model that gives us 0 false negatives. But there's still great potential for deep learning to be useful in COVID diagnosis as well as other medical diagnosis techniques.

Thanks for reading! If you enjoyed the article and would like to read more interesting articles around computer science, Python and JavaScript, please follow me on Twitter.