Auth middleware

There are two ways to add auth middleware, depending on your app type. The mechanics of #[middleware] are covered in Flow middleware.

ResumaApp (single-page / todo template)

Use set_action_middleware, for #[server] actions only. See the todo example.

set_action_middleware(|req| {
    Box::pin(async move {
        let req = attach_session(req)?;
        Ok(req)
    })
});

// attach_session sets:
req.set_extension("user_id", json!(user));
req.set_extension("roles", json!(roles));

FlowApp (multi-page site)

Use #[middleware] — runs before pages, loaders, submits, and actions.

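#[middleware]
async fn require_auth(mut req: FlowRequest) -> Result<FlowRequest> {
    // Reject requests that carry no Authorization header.
    // This checks presence only; the header value is not validated here.
    if req.header("authorization").is_none() {
        return Err(ResumaError::Unauthorized);
    }
    // Mark the request so later stages can see that the check passed.
    req.set_extension("authenticated", json!(true));
    Ok(req)
}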

What happens on Err?

  • Pages — error view (401/403/429)
  • Submits — JSON/HTML error response
  • Actions — { ok: false, error: "..." }

Helpers on FlowRequest

req.is_authenticated()
req.user_id()      // Option<&str>
req.has_role("admin")
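
The require_auth example above accepts any request that has an authorization header. The following added example (not code from the Resuma project) shows a middleware that fails closed by resolving a Bearer token to a server-side session before setting user_id and roles. Request, Session, AuthError (including its Forbidden variant), the Bearer scheme and the in-memory session map are stand-ins assumed for illustration, so the block runs with the standard library alone.

```rust
use std::collections::HashMap;

// Stand-ins for FlowRequest and ResumaError (assumed shapes, std only).
#[derive(Debug, PartialEq)]
pub enum AuthError { Unauthorized, Forbidden }

#[derive(Default)]
pub struct Request {
    pub headers: HashMap<String, String>,
    pub extensions: HashMap<String, String>,
}
pub struct Session { pub user_id: String, pub roles: Vec<String> }

// Constructed sample session store, keyed by opaque bearer token.
pub fn sample_sessions() -> HashMap<String, Session> {
    let mut m = HashMap::new();
    m.insert("tok-alice".to_string(), Session { user_id: "alice".into(), roles: vec!["admin".into()] });
    m.insert("tok-bob".to_string(), Session { user_id: "bob".into(), roles: vec![] });
    m
}

// Hypothetical helper: build a request with an optional authorization header.
pub fn request_with_auth(value: Option<&str>) -> Request {
    let mut req = Request::default();
    if let Some(v) = value { req.headers.insert("authorization".into(), v.into()); }
    req
}

// Fail closed: a header that does not resolve to a session is rejected.
pub fn require_auth(mut req: Request, sessions: &HashMap<String, Session>) -> Result<Request, AuthError> {
    let header = req.headers.get("authorization").ok_or(AuthError::Unauthorized)?;
    let token = header.strip_prefix("Bearer ").ok_or(AuthError::Unauthorized)?.trim();
    let session = sessions.get(token).ok_or(AuthError::Unauthorized)?;
    let (user_id, roles) = (session.user_id.clone(), session.roles.join(","));
    req.extensions.insert("user_id".into(), user_id);
    req.extensions.insert("roles".into(), roles);
    req.extensions.insert("authenticated".into(), "true".into());
    Ok(req)
}

// Authenticated but lacking the role is Forbidden, not Unauthorized.
pub fn require_role(req: &Request, role: &str) -> Result<(), AuthError> {
    if !req.extensions.contains_key("authenticated") { return Err(AuthError::Unauthorized); }
    let roles = req.extensions.get("roles").map(String::as_str).unwrap_or("");
    if !role.is_empty() && roles.split(',').any(|r| r == role) { Ok(()) } else { Err(AuthError::Forbidden) }
}

fn main() {
    let req = require_auth(request_with_auth(Some("Bearer tok-alice")), &sample_sessions()).unwrap();
    println!("{:?} {:?}", req.extensions.get("user_id"), require_role(&req, "admin"));
}
```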