Skip to main content

Authentication & identity toolkit for the Neva framework.

Project description

neva-auth

Authentication & identity toolkit for the Neva framework — Laravel philosophy, framework-agnostic core, composable so you adopt only the slice you need.

Design: see DESIGN.md for the full architecture, contracts, schema, composability rules, v1 scope, and roadmap.

Status

The framework-agnostic core is complete and tested end to end — token engine, contracts, the extensibility model, security events, and the flows below — and is ready to adopt as a token-issuance backbone (bring your own drivers). For what's planned beyond today, see the roadmap in DESIGN.md.

Flows. client_credentials (M2M), authorization_code + PKCE (S256; public and confidential clients), and refresh_token (rotation with reuse detection — replaying a rotated token revokes the whole family) all run through POST /oauth/token; POST /oauth/introspect validates. First-party password login (POST /auth/login, over an agnostic UserProvider) issues tokens, and GET /auth/me resolves the user via the CurrentUser dependency.

Extensibility (DESIGN §7.1). Every pluggable axis with runtime dispatch is a StrategyResolver registry — guards (AuthManager), authn methods (AuthnManager), and OAuth grants (GrantManager) — so a consumer registers its own driver under a name. The token format and backend are boot-time bindings chosen by config; bring your own by implementing the protocol. The wire token need not carry the jti (a format sets ParsedToken.lookup_key), so reference / split-token schemes plug in unchanged.

Events. The engine emits TokenIssued / TokenRevoked / TokenReuseDetected; the login flow emits LoginSucceeded / LoginFailed. Consumers project these onto their own model for presence or audit — the toolkit ships no presence service (DESIGN §10).

The FastAPI layer lives in neva.auth.http behind the [fastapi] extra and is mounted manually (app.include_router(...)), so neva-auth and neva-fastapi never require each other — the bridge is opt-in.

Modules

Module Provides
neva.auth.core contracts, AuthManager (guards) + AuthnManager (methods), Auth facade, security events
neva.auth.tokens TokenEngine + TokenFormat/TokenBackend contracts (opaque + SQL default), format-declared lookup_key, family_id-tracked rotation/reuse, family + subject revocation
neva.auth.guards bearer TokenGuard; guard name→driver→provider resolution
neva.auth.oauth client registry, PKCE code store, and the token-endpoint grants (client_credentials, authorization_code+PKCE, refresh_token) via GrantManager + GrantResolver
neva.auth.http /oauth/token, /oauth/introspect, /auth/login, /auth/me, Authenticated/CurrentUser/require_scope deps ([fastapi])

Each module ships its own ServiceProvider and (where relevant) its own migrations, so a consumer wires only what they list in config/providers.py. The HTTP layer lives in neva.auth.http (the [fastapi] extra) — never in neva-fastapi, which stays unaware of auth.

Develop

uv sync
poe lint     # ruff check
poe fmt      # ruff format
poe tc       # mypy
poe test     # pytest

asyncio_mode = "auto" is set, so async tests need no @pytest.mark.asyncio.

Contributing

Commits follow Conventional Commits with gitmoji prefixes, enforced by cz_gitmoji. Commitizen is a dev dependency — run cz commit for the guided wizard, or format manually as :gitmoji: type(scope): subject.

Releases are cut per-repo with commitizen from the repo root:

cz bump                          # bump version in pyproject, write CHANGELOG, tag v<version>
git push --follow-tags origin main
uv build && uv publish           # build + publish the wheel/sdist

cz bump derives the level from the commits since the last tag, updates CHANGELOG.md, and runs scripts/retag-with-changelog.sh to rewrite the new tag with the rendered changelog as its annotation.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

neva_auth-0.1.0.tar.gz (183.4 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

neva_auth-0.1.0-py3-none-any.whl (37.7 kB view details)

Uploaded Python 3

File details

Details for the file neva_auth-0.1.0.tar.gz.

File metadata

  • Download URL: neva_auth-0.1.0.tar.gz
  • Upload date:
  • Size: 183.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.8.22

File hashes

Hashes for neva_auth-0.1.0.tar.gz
Algorithm Hash digest
SHA256 d70b602578e1c8f5f88de55963411b963de3c08b450cf784bb02a193c05fa134
MD5 86601dcfb90e8d0e260b5801bb33b6d9
BLAKE2b-256 7b57637914b256562bc5896bab5bc4c5ad637fc120aaf11a49fe4917882ad562

See more details on using hashes here.

File details

Details for the file neva_auth-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: neva_auth-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 37.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.8.22

File hashes

Hashes for neva_auth-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 1b1d3ca1a175d249126db7c6d36b8e0b11430ef5f10d783be30db15927d22fe2
MD5 d09f116b13c96beecadbb516cf48d4f8
BLAKE2b-256 8901a560e73aa8d1a4c036fd208bf1f470f05215bf6ac62a163595715a03b90c

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page