Authentication, sessions, admin dashboard, and per-user stores for the enlace platform
Project description
enlace_auth
Authentication, sessions, an admin dashboard, and per-user stores for the enlace multi-app platform.
enlace itself is auth-agnostic — it composes apps and routes traffic. This
package plugs in at compose time and adds:
/auth/login,/auth/logout,/auth/register,/auth/whoami,/auth/csrf,/auth/me/password,/auth/shared-login/_admin/api/*— list/create/delete users, admin password reset, view app policy, and grant/revoke per-app access at runtime (optional expiry). Gated by an admin allowlist.- per-user data injection via
request.state.store PlatformAuthMiddleware+CSRFMiddleware- optional OAuth2 / OIDC via Authlib
Quick start
from enlace import build_backend, PlatformConfig
from enlace_auth import plugin as auth_plugin
config = PlatformConfig.from_toml("platform.toml")
app = build_backend(config, plugins=[auth_plugin])
Or, if you serve via uvicorn --factory enlace.compose:create_app, set:
export ENLACE_PLUGINS=enlace_auth:plugin
Configuration
In platform.toml:
[auth]
enabled = true
session_cookie_name = "enlace_session"
session_max_age_seconds = 86400
signing_key_env = "ENLACE_SIGNING_KEY"
secure_cookies = true
[auth.stores]
backend = "file"
path = "~/.enlace/platform_store"
[stores.user_data]
backend = "file"
path = "~/.enlace/user_data"
Plus environment variables:
ENLACE_SIGNING_KEY— signing key (32+ chars). Generate withpython -c "import secrets; print(secrets.token_urlsafe(32))".ENLACE_ADMIN_EMAILS— comma-separated admin emails (gate/_admin).ENLACE_ALLOW_UNSIGNED=1— opt-out from fail-fast (diagnostics only).
Per-app access & runtime grants
Each app declares an access level in its app.toml
(public | protected:shared | protected:user). A protected:user app may also
declare a static baseline allow-list:
access = "protected:user"
allowed_users = ["owner@example.com"] # always allowed; edit-in-code baseline
On top of that baseline you can grant access at runtime — no redeploy — from
the admin dashboard or the CLI. Runtime grants are additive (effective access =
allowed_users ∪ active grants) and may carry an optional UTC expiry:
enlace-auth grant vault alice@example.com --expires 2026-12-31 # end of day UTC
enlace-auth list-grants --app vault
enlace-auth revoke-grant vault alice@example.com
Grants live in a grants/ store alongside sessions/ and users/ under
[auth.stores] path, so they persist across restarts and redeploys. A grant on
an app with an empty allowed_users (open to any authenticated user) is
rejected — it would have no additive effect and would unintentionally restrict an
open app. To remove a user listed in allowed_users, edit app.toml (that layer
is intentionally code-managed); the admin panel manages the runtime layer.
Doctor checks
from enlace.doctor import run_doctor
from enlace_auth.diagnostics import static_checks, http_checks
report = run_doctor(
config,
base_url="http://localhost:8000",
extra_static_checks=static_checks,
extra_http_checks=http_checks,
)
Status
Extracted from enlace 0.0.11. The Python API is stable; an admin frontend
ships separately as a normal enlaced app.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file enlace_auth-0.1.12.tar.gz.
File metadata
- Download URL: enlace_auth-0.1.12.tar.gz
- Upload date:
- Size: 66.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.20 {"installer":{"name":"uv","version":"0.11.20","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
3d6acd7d373fef65ba581f7c6110cbb0ccedc61ab9ac29332b5065cae88fd6dc
|
|
| MD5 |
6e8ba5047563df18aee5f092d9a457d3
|
|
| BLAKE2b-256 |
b7736b98361739c232e7c8314261ea58fa355effa3ef77025b7ed504dec676b7
|
File details
Details for the file enlace_auth-0.1.12-py3-none-any.whl.
File metadata
- Download URL: enlace_auth-0.1.12-py3-none-any.whl
- Upload date:
- Size: 57.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.20 {"installer":{"name":"uv","version":"0.11.20","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
e50229e0a81f3fa14cd78aae611cca16a531cd2dea99530fd5af0860c687b216
|
|
| MD5 |
a04894b91c8987598354e807f772080b
|
|
| BLAKE2b-256 |
776eae3d97761bb07ad952064cfd32da97c4685c313d7eea28c86ab3ba5a7773
|