Skip to content

feat(examples): per-resource membership authz examples (Dioxus + Leptos)#15

Merged
tonybierman merged 2 commits into
mainfrom
feat/membership-authz-examples
May 27, 2026
Merged

feat(examples): per-resource membership authz examples (Dioxus + Leptos)#15
tonybierman merged 2 commits into
mainfrom
feat/membership-authz-examples

Conversation

@tonybierman
Copy link
Copy Markdown
Collaborator

@tonybierman tonybierman commented May 27, 2026

What

Two minimal, parallel examples demonstrating arium's per-resource membership authorization axis — kept apart from everything else (no OAuth/MFA/mail/tokens) so the membership story stands alone:

  • examples/dioxus-authz-example
  • examples/leptos-authz-example

Each shows the same three pieces:

  1. DemoAuthority — an in-memory ResourceAuthority (role per doc id, registered via AuthConfigBuilder::resource_authority). arium stores no memberships; it calls this on every check.
  2. ResourceGate — a cosmetic UI gate that shows/hides the rename field.
  3. rename_doc — the resource-scoped mutation, enforced by require_resource_{dioxus,leptos} (the real boundary). An "Attempt edit anyway" button on the view-only docs proves the server rejects it, gate or no gate.
Document Role Field shown? Server fn (require ≥ Editor)
Team roadmap Owner shown accepted
Design notes Editor shown accepted
Company handbook Viewer hidden rejected
Q3 board minutes (none) hidden rejected

Bug fix surfaced by these examples

These are the first server/ssr builds without mail, which exposed a latent bug in both adapters: the no-mail register_with_password returned LoginOutcome::LoggedIn but never called complete_login/mark_email_verified — so signup left the caller anonymous and a later sign-in failed as Unverified (UI: "Unexpected sign-in outcome"). Fixed in both arium-dioxus and arium-leptos.

Supporting test/infra changes:

  • Added a round-trip assertion that register itself establishes the session (the harness previously only checked a separate login did).
  • Made each tests/common/spawn_app mail-agnostic so the round-trip runs under --no-default-features (verified the fix on the no-mail path; proved the assertion catches the regression by reverting complete_login).
  • Retightened the dead skip_email_verification gate to all(server/ssr, mail).
  • Hardened the harness temp-DB suffix with a monotonic counter (was pid+nanos, collided under parallel tests → spurious "duplicate column" migration errors).

CI note

The no-mail examples can't be unified into one workspace build alongside the mail-on fullstack examples (AuthConfig::builder arity differs by feature), so they're --excluded from the workspace cargo test/doc/clippy commands and built in isolation — same treatment as the existing dioxus fullstack example.

Verification

  • Both examples build: server/SSR + wasm/hydrate; clippy clean.
  • arium-{dioxus,leptos} clippy clean in both mail-on and no-mail configs.
  • Full default test suites green (round-trip + access_control); no-mail round-trips green.
  • cargo-machete clean.

🤖 Generated with Claude Code

tonybierman and others added 2 commits May 27, 2026 14:06
@tonybierman @claude
feat(examples): per-resource membership authz examples (Dioxus + Leptos)
1ec15ff 
Add dioxus-authz-example and leptos-authz-example — minimal, parallel demos
of arium's per-resource membership axis: an in-memory ResourceAuthority
(role per doc id, registered via AuthConfigBuilder::resource_authority), a
cosmetic ResourceGate that shows/hides the rename field, and a mutation
server fn enforced by require_resource_{dioxus,leptos}. An "Attempt edit
anyway" button on the view-only docs shows the boundary (not the gate) is
what rejects. No OAuth/MFA/mail/tokens, so the membership axis stands alone.

These are the first server/ssr builds WITHOUT mail, which exposed a latent
bug in both adapters: the no-mail register_with_password returned LoggedIn
but never called complete_login/mark_email_verified — so signup left the
caller anonymous and a later sign-in failed as Unverified. Fix both to mark
verified + complete_login. Add a roundtrip assertion that register itself
establishes the session, make each test harness mail-agnostic so it runs
under --no-default-features, and retighten the dead skip_email_verification
gate to all(server/ssr, mail). Harden the harness temp-DB suffix with a
monotonic counter against parallel collisions.

The no-mail examples can't unify with the mail-on fullstack examples in one
workspace build (AuthConfig::builder arity differs by feature), so they're
excluded from the workspace CI test/doc/clippy commands and exercised in
isolation.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@tonybierman @claude
style: apply rustfmt to the authz examples
06f249d 
Fixes the `cargo fmt` CI check. Also drops the stale
DX_AUTH_SKIP_EMAIL_VERIFICATION reference from the dioxus example's module
doc — a no-op in this no-mail build.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@tonybierman tonybierman merged commit 168136c into main May 27, 2026
32 checks passed
@tonybierman tonybierman deleted the feat/membership-authz-examples branch May 28, 2026 10:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@tonybierman