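"""AuthProvider interface.

Operators enable any subset of providers (local, OIDC, social). A provider's
job is narrow: verify a credential and return the matching User (or None).
Session issuance, tokens, and registration live in the auth service and are
provider-agnostic, so adding OIDC/social later (Phase 5) is additive.
"""

from abc import ABC, abstractmethod

from sqlalchemy.ext.asyncio import AsyncSession

from app.models.user import User


class AuthProvider(ABC):
    """Abstract base for credential verifiers.

    A concrete provider implements ``authenticate`` and nothing else from this
    interface: it maps a presented credential to a ``User`` or to ``None``.
    It does not issue sessions or tokens; per the module docstring that is the
    auth service's job.
    """

    # Annotation only: no value is assigned here, so a subclass that forgets
    # to set ``name`` raises AttributeError on first access rather than at
    # class-definition time.
    # NOTE(review): presumably the key operators use to enable a provider --
    # confirm against the auth service, and keep names unique if so.
    name: str

    @abstractmethod
    async def authenticate(
        self, session: AsyncSession, *, identifier: str, secret: str
    ) -> User | None:
        """Return the User if the credential is valid, else None.

        ``identifier`` and ``secret`` are keyword-only, so a call site cannot
        swap them positionally.

        Guidance for implementers (this interface cannot enforce any of it):

        * Return ``None`` both for an unknown ``identifier`` and for a wrong
          ``secret``. The single failure value is what keeps callers from
          revealing which accounts exist.
        * Aim for comparable work on both failure paths (for a password
          provider, still run the hash verification when no user matched),
          so response time does not reveal the difference either.
        * Never write ``secret`` to logs, exception messages, or traces.
        * Compare secrets or their digests with a constant-time primitive
          such as ``hmac.compare_digest`` or the password-hashing library's
          own verify call, not with ``==``.

        NOTE(review): the contract does not say how a backend failure (for
        example a database error) is reported. Confirm that callers never
        treat a raised exception as a successful authentication.

        Args:
            session: Async database session the provider may use for lookups.
            identifier: What the caller presents to name the account. Its
                exact form (email, username, subject) is provider-specific
                and is not fixed by this interface.
            secret: The credential to verify. Its meaning is likewise
                provider-specific.

        Returns:
            The matching ``User`` when the credential verifies, else ``None``.
        """
        raise NotImplementedError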