arium 0.1.4

Framework-agnostic authentication engine (passwords, sessions, OAuth, MFA, RBAC, API tokens, audit) for axum + sqlx apps.
Documentation

Crates.io Docs.rs CI License

arium

Framework-agnostic authentication engine for axum + sqlx fullstack apps.

arium owns the auth domain — password hashing, sessions, OAuth and OpenID Connect (GitHub, Google, Microsoft, or any OIDC issuer), MFA/TOTP, email verification + password reset, RBAC, API tokens, and an audit log — plus the install helper that bolts the whole thing onto an axum::Router. It has no UI-framework dependency; framework adapters such as arium-dioxus wrap these primitives in their own server fns + UI.

Typical server-side usage:

use arium::{
    AuthConfig, Mailer, install, migrator,
    oauth::{github::GithubProvider, OAuthRegistry},
};

let pool = sqlx::sqlite::SqlitePoolOptions::new()
    .connect_with("sqlite://./app.db?mode=rwc".parse()?)
    .await?;
migrator().run(&pool).await?;

let mut oauth = OAuthRegistry::new(pool.clone())?;
if let Some(gh) = GithubProvider::from_env()? {
    oauth = oauth.with_provider(gh);
}

let cfg = AuthConfig::builder(pool.clone(), Mailer::from_env()?)
    .oauth(oauth)
    .build()?;

// `router` is any `axum::Router` (e.g. your framework's server router).
let router = install(router, cfg).await?;

oauth-github is on by default. The opt-in oauth-oidc, oauth-google, and oauth-microsoft features add a generic OpenID Connect provider plus Google/Microsoft presets — each from_env()-constructed and registered the same way as GithubProvider above.

Per-resource authorization

Beyond global RBAC (flat permission tokens), the authz module adds relationship-based checks — "what role does this user hold on this resource?" Implement authz::ResourceAuthority over your own membership storage and guard resource-scoped mutations with require_resource; it does a fresh per-request lookup and default-denies. arium ships no membership table — the app owns that storage; arium owns the enforcement boundary and the ResourceRole lattice.

Installation

[dependencies]
arium = "0.1"

arium requires exactly one database backend. sqlite is on by default; for PostgreSQL, disable defaults and select postgres:

[dependencies]
arium = { version = "0.1", default-features = false, features = ["postgres", "oauth-github", "mfa", "mail", "ratelimit", "tokens"] }
Feature Default Enables
sqlite yes SQLite backend (pick exactly one backend)
postgres no PostgreSQL backend (pick exactly one backend)
oauth-github yes GitHub OAuth provider + routes
oauth-oidc no Generic OpenID Connect provider (any issuer)
oauth-google no Google OIDC preset (implies oauth-oidc)
oauth-microsoft no Microsoft OIDC preset (implies oauth-oidc)
mfa yes TOTP MFA setup and challenge
mail yes Email verification & password reset (Mailer)
ratelimit yes Per-IP rate limiting on auth routes
tokens yes API token issuance, validation, and Bearer auth
sql-membership yes Bundled SqlMembershipStore + membership_migrator() for per-resource authz

Without mail, AuthConfig::builder takes the pool alone. Full API reference on docs.rs.

License

Licensed under either of:

at your option.