Native auth contracts for pocopine server functions.
The crate stays provider-neutral. Pocopine’s generated server routes
build a host-only request context before decoding the server-function
body; host middleware can validate a session/JWT/provider token and
insert an AuthUser or Principal into request extensions.
Guards then inspect that context through ordinary Rust functions.
§Module layout
- [`role`] — `Role` and `Permission` (stringly-typed grant tokens)
- [`user`] — `AuthUser` (the canonical user payload + claim bag)
- [`principal`] — `Principal` (request identity) and `Session`
- [`context`] — `RequestContext` and `ensure_*`/`require_*` guards (host-only)
- [`provider`] — `AuthProvider`, `SessionStore`, `AuthError`
- [`predicate`] — `Predicate` trait, `Decision` outcome, and combinators (`any_of`, `all_of`, `require_auth`, `require_role`, `require_permission`)
Structs§
- `AuthError`: Auth provider failure.
- `AuthUser`: Authenticated application user.
- `Permission`: Permission attached to an authenticated user.
- `Principal`: Request principal. Anonymous requests have no user, but the type still exposes role/permission probes so guard closures stay ergonomic.
- `RequestContext`: Request metadata available to server-function auth guards.
- `Role`: Role attached to an authenticated user.
- `Session`: Auth session metadata.
Enums§
- `Decision`: Outcome of a `Predicate` check against a `Principal`.
- `DenyReason`: Closed-set reason carried by `Decision::Deny`.
Constants§
- `SESSION_COOKIE`: Default session cookie name used by the simple auth helpers.
Traits§
- `AuthProvider`: Auth provider contract. Clerk/Auth0/Supabase adapters can implement this without changing the server-function guard ABI.
- `Predicate`: Sync, cross-target permission check against a `Principal`.
- `SessionStore`: Session persistence contract for first-party/simple auth.
Functions§
- `all_of`: Predicate that allows only when both child predicates allow. Returns the first `Deny` reason (short-circuits).
- `any_of`: Predicate that allows when either child predicate allows. Tries `p` first; if `p` denies, tries `q`. The reason on `Deny` is the second predicate’s reason — the assumption is the broader (latter) check carries the more useful user-visible failure.
- `ensure_login`: Ensure the request is authenticated.
- `ensure_permission`: Ensure the request has a permission.
- `ensure_role`: Ensure the request has a role.
- `require_admin`: Built-in `#[server(guard = ...)]` guard requiring the conventional `admin` role (matched by string).
- `require_auth`: Predicate matching any authenticated user.
- `require_login`: Built-in `#[server(guard = ...)]` guard requiring any logged-in user.
- `require_permission`: Predicate matching any user holding `permission` (string match).
- `require_role`: Predicate matching any user holding `role` (string match).
- `require_staff`: Built-in `#[server(guard = ...)]` guard requiring the conventional `staff` role (matched by string).
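The short-circuit and deny-reason rules documented for `all_of` and `any_of`, as an added stand-alone model that is not pocopine's own code. `User`, the `Option`-based `Principal`, the boxed `Pred` alias, the `DenyReason` variants and the reason `require_role` gives an anonymous caller are assumptions made for illustration; only the combinator behaviour follows the descriptions above.

```rust
// Stand-alone model; every type below is a local stand-in, not the crate's definition.
#[derive(Debug, Clone, Copy, PartialEq)]
enum DenyReason { Unauthenticated, MissingRole } // assumed variants
#[derive(Debug, Clone, Copy, PartialEq)]
enum Decision { Allow, Deny(DenyReason) }

struct User { roles: Vec<&'static str> }
type Principal = Option<User>; // None models an anonymous request
type Pred = Box<dyn Fn(&Principal) -> Decision>;

fn require_auth() -> Pred {
    Box::new(|p: &Principal| match p {
        Some(_) => Decision::Allow,
        None => Decision::Deny(DenyReason::Unauthenticated),
    })
}

fn require_role(role: &'static str) -> Pred {
    Box::new(move |p: &Principal| match p {
        Some(u) if u.roles.contains(&role) => Decision::Allow,
        _ => Decision::Deny(DenyReason::MissingRole),
    })
}

// Allows only when both allow; the first Deny wins and q is never evaluated.
fn all_of(p: Pred, q: Pred) -> Pred {
    Box::new(move |who: &Principal| match p(who) {
        Decision::Allow => q(who),
        deny => deny,
    })
}

// Allows when either allows; when both deny, the surfaced reason is q's.
fn any_of(p: Pred, q: Pred) -> Pred {
    Box::new(move |who: &Principal| match p(who) {
        Decision::Allow => Decision::Allow,
        Decision::Deny(_) => q(who),
    })
}

fn main() {
    let anon: Principal = None;
    let staff: Principal = Some(User { roles: vec!["staff"] }); // constructed sample user
    // Broad check last: the anonymous caller is denied as Unauthenticated.
    println!("{:?}", any_of(require_role("admin"), require_auth())(&anon));
    // Broad check first: still denied, but the reason becomes MissingRole.
    println!("{:?}", any_of(require_auth(), require_role("admin"))(&anon));
    // all_of stops at the first failing child: staff passes auth, fails the role.
    println!("{:?}", all_of(require_auth(), require_role("admin"))(&staff));
}
```

Argument order in `any_of` never changes whether access is granted, only which reason a denied caller sees, so the broader check belongs in the second position.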
Type Aliases§
- `AuthFuture`: Boxed async result used by provider traits without choosing an async-trait dependency.
- `AuthResult`: Provider/session result type.