Package-by-Package Context, Architecture & Workflows¶
This document breaks down the System Context, Module Architecture, and sequential Workflows for each of the active packages in the Astra monorepo.
1. Astra Yantra (Core Module / astraauth.core)¶
The absolute foundation containing framework-agnostic domain models, settings validation, and cryptographic/policy primitives.
System Context¶
graph LR
Core["astraauth-core / astraauth.core"]
DB[("Relational Database")]
Crypt["cryptography / joserfc / pwdlib"]
Policies["Policy Configs (RBAC + ABAC)"]
Core --> DB
Core --> Crypt
Core --> Policies
Module Architecture¶
config/settings.py: Resolves settings utilizingpydantic-settings(database configurations, token expirations, CORS rules, throttling thresholds).security/throttling.py: Controls login and verification rate limits using sliding windows (in-memory or Redis).persistence/relational.py&repositories/: Centralizes unified SQL connection queries for SQLite, PostgreSQL, and MySQL.oauth/: Implements client credentials, PKCE checks, token hashing, API keys (using constant-time timing protection), and Argon2id password hashing.authorization/: Evaluation rules matching user metadata and attributes (ABAC) to enforce scopes (ScopePolicy).
Core Workflow: Access Token Verification¶
sequenceDiagram
participant Caller as Calling Service / Middleware
participant Core as astraauth.core
participant JWKS as JWKS Store
participant DB as Persistence Engine
Caller->>Core: Verify Token Signature (JWT)
Core->>JWKS: Fetch Cached Public Key (JWKS)
JWKS-->>Core: Public Key Returned
Core->>Core: Cryptographically Verify Signature & Expiration
alt Signature Valid
Core->>DB: Query Session Active Status & Tenant (tid)
DB-->>Core: Session Active
Core->>Core: Evaluate ABAC Rules (Tenant & Scope policies)
Core-->>Caller: Returns Verified Claims (User ID, Roles, Tenant)
else Signature Invalid
Core-->>Caller: Raise TokenValidationError
end
2. Astra Sutra (Service Module / astraauth.service)¶
The runtime composition layer that bootstraps application setups, connection pools, structured logging, and observability.
System Context¶
graph TD
Service["astraauth-service / astraauth.service"]
Config["Runtime Settings File"]
Logger["Structured Logging (Redacted)"]
Pools["DB Connection Pools"]
CorePkg["astraauth.core"]
Service --> Config
Service --> Logger
Service --> Pools
Service --> CorePkg
Module Architecture¶
factory.py: The dependency injector. Builds the repository engine, links the correct database pool, configures the event bus, and injects runtime services.startup.py: Coordinates database schema updates, manages startup lifecycles, and listens for configuration change triggers.observability.py: Manages structured log JSON outputs and telemetry context (correlation ID injection).redaction.py: Exposes helper filters that intercept logs to redact passwords, hashes, keys, and challenge pins.
Core Workflow: Configuration Hot-Reload¶
sequenceDiagram
participant Operator as Admin UI / CLI
participant Service as astraauth.service
participant Core as astraauth.core
participant Pools as Database Connection Pools
Operator->>Service: Trigger Settings Reload (e.g. key rotation or DB shift)
Service->>Service: Read updated configuration file
Service->>Core: Re-validate configuration model with Pydantic
alt Config Valid
Service->>Pools: Terminate active connection pools gracefully
Service->>Pools: Initialize new connection pools with updated configs
Service->>Core: Apply updated JWKS keys and cache rules
Service-->>Operator: Return Status 200 (Success)
else Config Invalid
Service-->>Operator: Raise ConfigurationError (Roll back changes)
end
3. Astra Setu (Adapters Module / astraauth.adapters)¶
Framework wrappers providing pre-built route handlers, session managers, and middleware hooks for major Python runtimes.
System Context¶
graph LR
WebFrameworks["FastAPI / Flask / Django / Robyn / Litestar"]
Adapter["astraauth-adapters / astraauth.adapters"]
Core["astraauth-core / astraauth.core"]
WebFrameworks --> Adapter
Adapter --> Core
Module Architecture¶
base.py: Defines the parentAstraBaseMiddlewareprotocol.http_types.py: Translates framework-specific request variables into unifiedHttpRequestandHttpResponsedataclasses.extensions.py: Route builder helpers to auto-inject login, logout, and token endpoints into target application routers.fastapi/,flask/,django/,litestar/,robyn/,asgi/: Specific controller submodules mapping framework endpoints to AstraAuth core hooks.
Core Workflow: FastAPI Dependency Authentication Check¶
sequenceDiagram
actor Client as External Client
participant API as FastAPI Application Route
participant Adapter as fastapi_adapter
participant Core as astraauth.core
Client->>API: GET /protected-resource (Cookie / Authorization Header)
API->>Adapter: Check Dependency (e.g. Depends(require_user(scope="admin")))
Adapter->>Adapter: Extract credentials -> Translate to HttpRequest
Adapter->>Core: Call token verification engine
alt Verification Success
Core-->>Adapter: Returns User Claims
Adapter-->>API: Inject authenticated User Context
API-->>Client: Return HTTP 200 (Resource Data)
else Verification Failure
Core-->>Adapter: Raise AuthenticationError
Adapter-->>Client: Return HTTP 401 Unauthorized
end
4. Plugins Engine (astraauth.plugins)¶
The execution coordinator that loads, registers, and sandboxes tenant-specific custom hooks (middleware) with timeout bounds.
System Context¶
graph TD
Plugins["astraauth.plugins (Engine)"]
Registry["Relational Plugin Registry"]
Sandbox["Async Timeout Task Sandbox"]
Events["Event Bus Auditing"]
Plugins --> Registry
Plugins --> Sandbox
Plugins --> Events
Module Architecture¶
contracts.py: Exposes base execution schemas and parameters that custom tenant plugins must conform to.runtime.py: Implements the plugin loading pipeline, handles error boundaries, and runs scripts under strict async timeout conditions.
Core Workflow: Sandboxed Pre-Authentication Plugin Exec¶
sequenceDiagram
participant AuthEngine as Authentication Pipeline (Core)
participant Runtime as Plugins Runtime (Tantra)
participant Task as Async Sandbox Task
participant Logger as Audit Event Log
AuthEngine->>Runtime: Trigger Hook: "auth.pre_authenticate" (Payload)
Runtime->>Runtime: Read Tenant Registry configuration
Runtime->>Task: Create sandboxed Task (Timeout: 500ms)
alt Task completes under 500ms
Task-->>Runtime: Returns updated Auth Payload (Valid)
Runtime->>Logger: Write success audit record
Runtime-->>AuthEngine: Continue authentication pipeline
else Task Times Out / Raises Error
Task-->>Runtime: TaskTimeout / ExecutionException
Runtime->>Logger: Write CRITICAL audit record (Plugin Failure)
alt fail_closed is True
Runtime-->>AuthEngine: Raise PluginExecutionError (Aborts Auth)
else fail_closed is False
Runtime-->>AuthEngine: Bypass error, continue with fallback
end
end
5. Astra Pramaan (Identity Provider / astraauth.idp)¶
Coordinates identity linking, user mapping, and token validation for federated identity setups (OIDC).
System Context¶
graph LR
IdP["astraauth-idp / astraauth.idp"]
ExtOIDC["Upstream OIDC Providers (Okta/Google)"]
Core["astraauth-core / astraauth.core"]
Audit["Federation Audit Logger"]
IdP --> ExtOIDC
IdP --> Core
IdP --> Audit
Module Architecture¶
store.py: Exposes interfaces to persist linked identity configurations and callback states.sql_store.py: Concrete SQL-based store implementation for identity linking, state caching, and OIDC logs.models.py: Defines schemas for external credentials, role mapping rules, and identity providers.services.py: Dispatches JWKS verification, maps claims, links user accounts, and builds OIDC configuration discovery templates.
Core Workflow: External OIDC Authentication & Account Mapping¶
sequenceDiagram
actor User as User Agent
participant Adapter as Adapters
participant IDP as astraauth.idp
participant Okta as Upstream Okta OIDC
participant Core as astraauth.core
User->>Adapter: GET /auth/federation/callback?code=xxx&state=yyy
Adapter->>Pramaan: Handle Callback
Pramaan->>Pramaan: Verify State validation
Pramaan->>Okta: Exchange Code for Access/ID Token
Okta-->>Pramaan: Return Tokens (ID Token)
Pramaan->>Pramaan: Verify ID Token signature using Okta public JWKS
Pramaan->>Pramaan: Extract profile claims (Email, groups)
Pramaan->>Core: Query linked identity mapping
alt Identity Exists & Linked
Core-->>Pramaan: Return linked internal User Record
else Identity Exists but Not Linked
Pramaan->>Core: Auto-link email matching user / Create new mapped user
Core-->>Pramaan: Return linked internal User Record
end
Pramaan->>Core: Create internal session token for user
Core-->>Adapter: Session Created
Adapter-->>User: Redirect to dashboard (with Auth Cookie)
6. Astra Mudra (WebAuthn Module / astraauth.webauthn)¶
Houses FIDO2 ceremony controllers, handles registration/authentication challenges, and verifies cryptographic public keys.
System Context¶
graph LR
Mudra["astraauth-webauthn / astraauth.webauthn"]
FIDO2["fido2 Library"]
Core["astraauth-core / astraauth.core"]
WebAuthnStore["SQL Key Credentials Store"]
Mudra --> FIDO2
Mudra --> Core
Mudra --> WebAuthnStore
Module Architecture¶
store.py&sql_store.py: Declares structures and handles relational databases mapping for registered WebAuthn credentials (public keys, signatures, usage counters).models.py: Schemas for FIDO2 ceremony states, challenge requests, and registration responses.services.py: Implements key registration verification and assertion ceremony validations.
Core Workflow: WebAuthn Assertion/Login Ceremony¶
sequenceDiagram
actor User as User Agent
participant Adapter as Adapters
participant WebAuthn as astraauth.webauthn
participant DB as SQL Credential Store
participant Core as astraauth.core
User->>Adapter: Request Login Options (Username)
Adapter->>Mudra: Build Assertion Options
Mudra->>DB: Query registered public keys for Username
DB-->>Mudra: Keys list
Mudra->>Mudra: Generate challenge parameters (via fido2)
Mudra-->>User: Return options + challenge (HTTP 200)
User->>User: Call navigator.credentials.get() (User signs challenge)
User->>Adapter: Submit signed challenge assertion
Adapter->>Mudra: Verify Assertion
Mudra->>DB: Fetch public key for signing key ID
DB-->>Mudra: Public key
Mudra->>Mudra: Verify cryptographically (Signature, Origin, and RP ID)
alt Cryptographic Signature Valid
Mudra->>Core: Upgrade Session authentication state to MFA-Approved
Core-->>Adapter: Authentication Complete
Adapter-->>User: Return HTTP 200 (Success)
else Signature Invalid
Mudra-->>Adapter: Raise VerificationError (Authentication Fails)
end
7. Astra Tantra (Plugins Hub / astraauth-plugins)¶
The separate workspace package housing standard builtin plugins and serving as the hub/registry for community extensions.
System Context¶
graph LR
Hub["astraauth-plugins (Hub)"]
CorePlugins["astraauth.plugins (Engine)"]
Builtins["Builtin Plugins (Geo/Risk)"]
Hub --> CorePlugins
Hub --> Builtins
Module Architecture¶
builtin_plugins.py: Houses the standardGeoSignalPluginandRiskSignalPluginparameters.__init__.py: Serves as the plugin hub registration gateway, exposing built-in plugins and re-exporting key execution contracts fromastraauth.pluginsfor backward compatibility.examples.py: Minimal references representing how third-party plugins configure hooks.
8. Astra Dwaar (Operator CLI / astraauth-cli)¶
The operator interface providing text prompt wizards, textual TUIs, database setup checks, and key backup controllers.
System Context¶
graph TD
CLI["astraauth-cli"]
Service["astraauth.service"]
Console["Operator Terminal console"]
Backup["Encrypted State Files"]
CLI --> Service
CLI --> Console
CLI --> Backup
9. Astra Netra (Admin UI Console / astraauth-admin-ui)¶
A FastAPI-powered web-dashboard utilizing HTMX to allow real-time configurations, audits, and key updates without client JavaScript bundles.
System Context¶
graph TD
AdminUI["astraauth-admin-ui"]
Service["astraauth.service"]
HTMX["HTMX AJAX Web Clients"]
Templates["HTMY Templates & Static Assets"]
AdminUI --> Service
AdminUI --> HTMX
AdminUI --> Templates
10. Astra Niyam (ReBAC Policy Engine / astraauth-policy)¶
A Zanzibar-inspired relationship-based access control engine providing schema parsing and check evaluation.
System Context¶
graph TD
Policy["astraauth-policy"]
Store["RelationTupleStore (In-memory/Relational)"]
Parser["SchemaParser (DSL compiler)"]
Engine["CheckEngine (Transitive solver)"]
Policy --> Store
Policy --> Parser
Policy --> Engine
Module Architecture¶
parser.py: Schema compiler parsing KeyNetra-style entity relationship DSL declarations.engine.py: Transitive check query solver executing graph traversal algorithm calls.store.py: Models and query interfaces for relation fact assertions.
11. Astra Mandal (Multi-Tenancy / astraauth-tenancy)¶
Provides request context tenant context bindings and ASGI/Flask routing middleware.
System Context¶
graph TD
Tenancy["astraauth-tenancy"]
Context["ContextVar variables"]
ASGI["ASGITenancyMiddleware"]
Flask["Flask context hooks"]
Tenancy --> Context
Tenancy --> ASGI
Tenancy --> Flask
Module Architecture¶
models.py: Tracks workspace boundaries and database connection strings.middleware.py: IntegratesASGITenancyMiddlewareand Flask hooks to dynamically intercept and set context variables.
```