Configuration

View Source

All configuration is provided through the config/0 callback in your module implementing -behaviour(nova_auth). The returned map is merged with defaults and cached in persistent_term for fast access.

Password Auth Keys

These keys are only required when using password authentication modules (nova_auth_accounts, nova_auth_session, etc.). OIDC-only applications can omit them entirely.

Required (for password auth)

KeyTypeDescription
repomodule()Your Kura repo module
user_schemamodule()Kura schema for the users table
token_schemamodule()Kura schema for the user tokens table

Optional

KeyTypeDefaultDescription
user_identity_fieldatom()emailField used for user lookup during authentication
user_password_fieldatom()hashed_passwordField storing the password hash on the user record
session_validity_dayspos_integer()14How long session tokens remain valid (days)
confirm_validity_dayspos_integer()3How long email confirmation tokens remain valid (days)
reset_validity_hourspos_integer()1How long password reset tokens remain valid (hours)
hash_algorithmatom()pbkdf2_sha256Password hashing algorithm
token_bytespos_integer()32Number of random bytes for token generation

Full Example

-module(my_auth).
-behaviour(nova_auth).
-export([config/0]).

config() ->
    #{
        repo => my_repo,
        user_schema => my_user,
        token_schema => my_user_token,
        user_identity_field => email,
        user_password_field => hashed_password,
        session_validity_days => 30,
        confirm_validity_days => 7,
        reset_validity_hours => 2,
        hash_algorithm => pbkdf2_sha256,
        token_bytes => 64
    }.

Actor Type

All authentication strategies produce an actor map stored in the Nova session. The actor type is defined as:

-type actor() :: #{
    id := binary() | integer(),
    provider := atom(),
    atom() => term()
}.

The id and provider fields are required. Additional fields (email, roles, etc.) depend on your authentication strategy and claims mapping.

Password Hashing

The default algorithm is PBKDF2-SHA256 with these parameters:

Hashes are stored in PHC string format:

$pbkdf2-sha256$600000$<base64-salt>$<base64-hash>

Verification uses crypto:hash_equals/2 for constant-time comparison to prevent timing attacks. Failed lookups call nova_auth_password:dummy_verify/0 to prevent user enumeration.

Token Generation

Tokens are generated as base64-encoded random bytes (crypto:strong_rand_bytes/1). Only the SHA-256 hash of the token is stored in the database. The raw token is returned to the caller once and never stored.

Cache Invalidation

Configuration is cached in persistent_term. If you change your config at runtime, call nova_auth:invalidate_cache(MyAuthMod) to force a refresh.