Aura Auth

Architecture

Transport, strategy, backend, and the four persistence entities.

Layers

LayerRoleCode
TransportReads/writes the session token on HTTP (Bearer header or cookie)aura_auth.transport
StrategyValidates credentials and returns a user (e.g. password on a credential account)aura_auth.strategies.password
BackendImplements BackendProtocol — CRUD for users, accounts, sessions, verificationsaura_auth.backend.sqlalchemy
OrchestrationAuraAuth, UserManager — register, login, sessions, verification helpersaura_auth.app, aura_auth.manager

Contracts (protocols, schemas, config, exceptions, security helpers) live in aura_auth._core. Higher layers depend on protocols, not on each other’s concrete types.

Four tables

  1. User — identity: name, email, email_verified, image, timestamps.
  2. Account — one row per sign-in method: provider_id (e.g. "credential"), account_id, optional OAuth fields, password (hashed) for credential accounts.
  3. Session — opaque token, user_id, expires_at, optional IP / user agent.
  4. Verification — short-lived rows for email verification, resets, etc.

Login creates a session row; current_user resolves the token against the session table, then loads the user by id. This is not a stateless JWT login flow (though TokenHelper remains available for other signing needs).

Request flow (login)

  1. Client posts email/password to POST /auth/login.
  2. Password strategy finds the credential account, verifies bcrypt, returns the user.
  3. UserManager creates a session with a new opaque token.
  4. Response returns AuthResponse; transport may set Bearer in the body only, or also Set-Cookie when cookie transport is enabled.

Quickstart

Mount the auth router, create tables, and protect a route with Depends.

Configuration

AuraAuthConfig fields passed through AuraAuth(database_url=..., secret=..., **kwargs).

On this page

LayersFour tablesRequest flow (login)