Authentication & identity toolkit for the Neva framework.
Project description
neva-auth
Authentication & identity toolkit for the Neva framework — Laravel philosophy, framework-agnostic core, composable so you adopt only the slice you need.
Design: see
DESIGN.mdfor the full architecture, contracts, schema, composability rules, v1 scope, and roadmap.
Status
The framework-agnostic core is complete and tested end to end — token engine,
contracts, the extensibility model, security events, and the flows below — and is ready
to adopt as a token-issuance backbone (bring your own drivers). For what's planned
beyond today, see the roadmap in DESIGN.md.
Flows. client_credentials (M2M), authorization_code + PKCE (S256; public
and confidential clients), and refresh_token (rotation with reuse detection —
replaying a rotated token revokes the whole family) all run through POST /oauth/token;
POST /oauth/introspect validates. First-party password login (POST /auth/login,
over an agnostic UserProvider) issues tokens, and GET /auth/me resolves the user via
the CurrentUser dependency.
Extensibility (DESIGN §7.1). Every pluggable axis with runtime
dispatch is a StrategyResolver registry — guards (AuthManager), authn methods
(AuthnManager), and OAuth grants (GrantManager) — so a consumer registers its own
driver under a name. The token format and backend are boot-time bindings chosen
by config; bring your own by implementing the protocol. The wire token need not carry
the jti (a format sets ParsedToken.lookup_key), so reference / split-token schemes
plug in unchanged.
Events. The engine emits TokenIssued / TokenRevoked / TokenReuseDetected; the
login flow emits LoginSucceeded / LoginFailed. Consumers project these onto their own
model for presence or audit — the toolkit ships no presence service (DESIGN §10).
The FastAPI layer lives in neva.auth.http behind the [fastapi] extra and is
mounted manually (app.include_router(...)), so neva-auth and neva-fastapi never require
each other — the bridge is opt-in.
Modules
| Module | Provides |
|---|---|
neva.auth.core |
contracts, AuthManager (guards) + AuthnManager (methods), Auth facade, security events |
neva.auth.tokens |
TokenEngine + TokenFormat/TokenBackend contracts (opaque + SQL default), format-declared lookup_key, family_id-tracked rotation/reuse, family + subject revocation |
neva.auth.guards |
bearer TokenGuard; guard name→driver→provider resolution |
neva.auth.oauth |
client registry, PKCE code store, and the token-endpoint grants (client_credentials, authorization_code+PKCE, refresh_token) via GrantManager + GrantResolver |
neva.auth.http |
/oauth/token, /oauth/introspect, /auth/login, /auth/me, Authenticated/CurrentUser/require_scope deps ([fastapi]) |
Each module ships its own ServiceProvider and (where relevant) its own
migrations, so a consumer wires only what they list in config/providers.py.
The HTTP layer lives in neva.auth.http (the [fastapi] extra) — never in
neva-fastapi, which stays unaware of auth.
Develop
uv sync
poe lint # ruff check
poe fmt # ruff format
poe tc # mypy
poe test # pytest
asyncio_mode = "auto" is set, so async tests need no @pytest.mark.asyncio.
Contributing
Commits follow Conventional Commits
with gitmoji prefixes, enforced by
cz_gitmoji. Commitizen is
a dev dependency — run cz commit for the guided wizard, or format manually as
:gitmoji: type(scope): subject.
Releases are cut per-repo with commitizen from the repo root:
cz bump # bump version in pyproject, write CHANGELOG, tag v<version>
git push --follow-tags origin main
uv build && uv publish # build + publish the wheel/sdist
cz bump derives the level from the commits since the last tag, updates
CHANGELOG.md, and runs scripts/retag-with-changelog.sh to rewrite the new
tag with the rendered changelog as its annotation.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file neva_auth-0.1.0.tar.gz.
File metadata
- Download URL: neva_auth-0.1.0.tar.gz
- Upload date:
- Size: 183.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.8.22
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
d70b602578e1c8f5f88de55963411b963de3c08b450cf784bb02a193c05fa134
|
|
| MD5 |
86601dcfb90e8d0e260b5801bb33b6d9
|
|
| BLAKE2b-256 |
7b57637914b256562bc5896bab5bc4c5ad637fc120aaf11a49fe4917882ad562
|
File details
Details for the file neva_auth-0.1.0-py3-none-any.whl.
File metadata
- Download URL: neva_auth-0.1.0-py3-none-any.whl
- Upload date:
- Size: 37.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.8.22
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
1b1d3ca1a175d249126db7c6d36b8e0b11430ef5f10d783be30db15927d22fe2
|
|
| MD5 |
d09f116b13c96beecadbb516cf48d4f8
|
|
| BLAKE2b-256 |
8901a560e73aa8d1a4c036fd208bf1f470f05215bf6ac62a163595715a03b90c
|