feat: unified actor session and claims mapping#2
Merged
Conversation
Add nova_auth_actor for strategy-agnostic session storage, nova_auth_claims for provider claim transformation, and allow_claim/2 policy. Make kura optional so OIDC-only apps don't need a database. Simplify security callbacks to use the shared actor session.
🟠 Code Coverage — 68.5%170 of 248 lines covered. 🛡️ Security AuditNo vulnerabilities found in 12 dependencies. |
Hank flagged it as dead code — the session key is defined locally in nova_auth_actor instead.
Taure
added a commit
that referenced
this pull request
Mar 31, 2026
* feat: unified actor session and claims mapping
* feat: add unified actor session and claims mapping
Add nova_auth_actor for strategy-agnostic session storage, nova_auth_claims
for provider claim transformation, and allow_claim/2 policy. Make kura
optional so OIDC-only apps don't need a database. Simplify security
callbacks to use the shared actor session.
* fix: remove unused NOVA_AUTH_ACTOR_SESSION_KEY macro
Hank flagged it as dead code — the session key is defined locally
in nova_auth_actor instead.
* feat: make PBKDF2 iterations configurable
Read from `{nova_auth, [{pbkdf2_iterations, N}]}` app env.
Defaults to 600,000 (OWASP recommendation). Lower values
trade security margin for speed in non-banking contexts.
Taure
added a commit
that referenced
this pull request
Mar 31, 2026
* feat: unified actor session and claims mapping
* feat: add unified actor session and claims mapping
Add nova_auth_actor for strategy-agnostic session storage, nova_auth_claims
for provider claim transformation, and allow_claim/2 policy. Make kura
optional so OIDC-only apps don't need a database. Simplify security
callbacks to use the shared actor session.
* fix: remove unused NOVA_AUTH_ACTOR_SESSION_KEY macro
Hank flagged it as dead code — the session key is defined locally
in nova_auth_actor instead.
* feat: make PBKDF2 iterations configurable
Read from `{nova_auth, [{pbkdf2_iterations, N}]}` app env.
Defaults to 600,000 (OWASP recommendation). Lower values
trade security margin for speed in non-banking contexts.
Taure
added a commit
that referenced
this pull request
Mar 31, 2026
* feat: unified actor session and claims mapping * feat: add unified actor session and claims mapping Add nova_auth_actor for strategy-agnostic session storage, nova_auth_claims for provider claim transformation, and allow_claim/2 policy. Make kura optional so OIDC-only apps don't need a database. Simplify security callbacks to use the shared actor session. * fix: remove unused NOVA_AUTH_ACTOR_SESSION_KEY macro Hank flagged it as dead code — the session key is defined locally in nova_auth_actor instead. * docs: update README and guides for unified actor session - Update README to reflect optional kura, actor session, and link to nova_auth_oidc - Update getting-started guide with OIDC-only and password auth paths - Update configuration guide with optional password keys and actor type - Add actor-session guide explaining the unified session concept - Add claims-mapping guide with static and callback examples - Add policies guide covering allow_claim and OIDC integration - Update ex_doc config with new guides and Taure source URL * chore: disable audit, upgrade erlang-ci to v2.0.9 (#4) * chore: disable audit, upgrade erlang-ci to v2.0.9, fix permissions * fix: add kura to plt_extra_apps for dialyzer * feat: make PBKDF2 iterations configurable (#2) * feat: unified actor session and claims mapping * feat: add unified actor session and claims mapping Add nova_auth_actor for strategy-agnostic session storage, nova_auth_claims for provider claim transformation, and allow_claim/2 policy. Make kura optional so OIDC-only apps don't need a database. Simplify security callbacks to use the shared actor session. * fix: remove unused NOVA_AUTH_ACTOR_SESSION_KEY macro Hank flagged it as dead code — the session key is defined locally in nova_auth_actor instead. * feat: make PBKDF2 iterations configurable Read from `{nova_auth, [{pbkdf2_iterations, N}]}` app env. Defaults to 600,000 (OWASP recommendation). Lower values trade security margin for speed in non-banking contexts. * feat: add OIDC behaviour and JWT validation (#4) * feat: add OIDC behaviour and JWT validation module nova_auth_oidc defines the callback for OIDC provider configuration (providers, scopes, claims mapping). nova_auth_oidc_jwt validates ID tokens and maps claims to actor maps via nova_auth_claims. * fix: suppress hank false positive for behaviour callback * fix: restructure JWT decode for dialyzer compatibility * fix: use erlang-ci @v2 * fix: start kura application in integration test setup
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
nova_auth_actorfor strategy-agnostic session storage (Nova ETS)nova_auth_claimsfor provider claim transformation (static map or callback)allow_claim/2policy for claim-based authorizationoptional_applications) so OIDC-only apps don't need a databasenova_auth_securityto use the shared actor sessionTest plan
rebar3 fmt --checkcleanrebar3 xrefcleanrebar3 dialyzerno new warningselp lintno new warningselp eqwalize-allno new errors in changed files