#Auth & Security

Version: 0.33.0 Updated: 2026-03-15 Applies to: ranvier-std, ranvier-core Category: Deep Dives


Replace hidden middleware with visible, traceable Guard Transition nodes and IAM boundary verification.

#Guard Nodes (ranvier-std)

| Guard | Description |
|---|---|
| CorsGuard | Validates request origin against allowed origins. Reads RequestOrigin from Bus, writes CorsHeaders. |
| RateLimitGuard | Per-client token-bucket rate limiting. Reads ClientIdentity from Bus. |
| SecurityHeadersGuard | Injects HSTS, CSP, X-Frame-Options, X-Content-Type-Options into Bus as SecurityHeaders. |
| IpFilterGuard | Allow-list or deny-list IP filtering. Reads ClientIp from Bus. |

All guards implement Transition<T, T>: pass input through on success, return Fault on reject.


#IAM Framework (ranvier-core::iam)

  • IamVerifier trait: Implement verify(token) -> Result<IamIdentity, IamError> for your auth backend.
  • IamPolicy: None, RequireIdentity, RequireRole(String), RequireClaims(Vec<String>).
  • Axon::with_iam(policy, verifier): Automatic boundary verification before any Transition runs.
  • IamIdentity: Subject, roles and claims, inserted into Bus for downstream access.
  • IamToken: Bus-injectable bearer token read by the Axon IAM boundary.

#Session Patterns

  • Session creation and validation as Transition nodes (not middleware).
  • Cookie-based or header-based token extraction via Bus injection.
  • Expiration and cleanup logic as explicit Transition steps.

#Quickstart

```rust
// Guard pipeline
Axon::new("Guarded API")
    .then(CorsGuard::new(CorsConfig::default()))
    .then(RateLimitGuard::new(100, 60_000))
    .then(SecurityHeadersGuard::new(SecurityPolicy::new()))
    .then(IpFilterGuard::allow_list(["127.0.0.1"]))
    .then(BusinessLogic);
```

#Workflows

  1. Add Guard nodes to your Axon pipeline with .then() for layered HTTP security.
  2. Implement IamVerifier for your JWT/OAuth/API-key backend.
  3. Attach IamPolicy via Axon::with_iam() for automatic boundary verification.
  4. Read IamIdentity from Bus in downstream Transitions for user context.
  5. Inject RequestOrigin, ClientIp, ClientIdentity from your HTTP adapter layer.
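
The boundary check from the IAM Framework list and workflow steps 2 to 4, as an added stand-alone model (not ranvier-core code and not taken from the project). The struct fields, the IamError variants, the `enforce` function, the `StaticVerifier` token table and the reading of `IamPolicy::None` as "no verification" are assumptions made for illustration.

```rust
// Stand-alone model of the IAM boundary described above; NOT ranvier-core code.
// Field names, the IamError variants and `enforce` are assumptions for illustration.
#[derive(Debug, Clone, PartialEq)]
pub struct IamIdentity { pub subject: String, pub roles: Vec<String>, pub claims: Vec<String> }
#[derive(Debug, PartialEq)]
pub enum IamError { MissingToken, InvalidToken, Forbidden(String) }
pub enum IamPolicy { None, RequireIdentity, RequireRole(String), RequireClaims(Vec<String>) }

pub trait IamVerifier {
    fn verify(&self, token: &str) -> Result<IamIdentity, IamError>;
}

/// Constructed backend: a fixed token table standing in for JWT/OAuth/API-key checks.
pub struct StaticVerifier;
impl IamVerifier for StaticVerifier {
    fn verify(&self, token: &str) -> Result<IamIdentity, IamError> {
        let (subject, roles, claims) = match token {
            "tok-alice" => ("alice", vec!["admin"], vec!["orders:read", "orders:write"]),
            "tok-bob" => ("bob", vec!["viewer"], vec!["orders:read"]),
            _ => return Err(IamError::InvalidToken), // unknown token: reject, never default
        };
        let own = |v: Vec<&str>| -> Vec<String> { v.into_iter().map(String::from).collect() };
        Ok(IamIdentity { subject: subject.into(), roles: own(roles), claims: own(claims) })
    }
}

/// Boundary check run before any pipeline step. Fails closed: a missing token, a
/// verifier error or an unmet policy returns Err, and no identity is handed on.
pub fn enforce(policy: &IamPolicy, verifier: &dyn IamVerifier, token: Option<&str>)
    -> Result<Option<IamIdentity>, IamError> {
    if matches!(policy, IamPolicy::None) {
        return Ok(None); // public route: the token is not inspected at all
    }
    let id = verifier.verify(token.ok_or(IamError::MissingToken)?)?;
    let missing = match policy {
        IamPolicy::RequireRole(r) if !id.roles.contains(r) => Some(format!("role {r}")),
        IamPolicy::RequireClaims(need) => need.iter()
            .find(|c| !id.claims.contains(*c)) // every listed claim must be present
            .map(|c| format!("claim {c}")),
        _ => None, // RequireIdentity, or the required role is present
    };
    match missing { Some(m) => Err(IamError::Forbidden(m)), None => Ok(Some(id)) }
}

fn main() {
    let admin = IamPolicy::RequireRole("admin".into());
    println!("{:?}", enforce(&admin, &StaticVerifier, Some("tok-bob")));
}
```

Distinguishing MissingToken and InvalidToken from Forbidden lets an HTTP adapter map the first two to 401 and the last to 403, and gives audit logs a reason for each rejection.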

#Key Types

| Type | Description |
|---|---|
| CorsGuard<T> | CORS origin validation as a Transition node |
| RateLimitGuard<T> | Token-bucket rate limiter per ClientIdentity |
| IpFilterGuard<T> | IP allow-list or deny-list filter |
| IamPolicy | Enum: None / RequireIdentity / RequireRole / RequireClaims |
| IamVerifier | Trait for authentication backends (JWT, OAuth, API key) |
| IamIdentity | Verified identity with subject, roles, claims |