Middleware

All authx middleware follows the Tower Layer / Service pattern — compatible with any Tower-based stack (Axum, Hyper, etc.).

SessionLayer resolves the Identity from the session cookie on every request and injects it into the request extensions, so downstream extractors can read it.

use authx_axum::SessionLayer;
// Mount on the whole app — not just auth routes
app.layer(SessionLayer::new(store))

Effect: After this layer, every handler can use RequireAuth or RequireRole extractors. Unauthenticated requests pass through — handlers decide whether auth is required.

RateLimitLayer is a per-IP sliding window rate limiter.

use authx_axum::{RateLimitLayer, RateLimitConfig};
use std::time::Duration;

app.layer(RateLimitLayer::new(
    RateLimitConfig::new(20, Duration::from_secs(60)),
))

With the configuration above, a client IP that exceeds 20 requests within any 60-second window receives 429 Too Many Requests.
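The sliding window logic behind a per-IP limiter, as an added example that is not the crate's implementation and uses std only. Type names (SlidingWindowConfig, SlidingWindowLimiter, Decision) are this example's own; the current time is passed in so the behaviour can be checked deterministically, and the constructed IP addresses are documentation ranges.

```rust
use std::collections::{HashMap, VecDeque};
use std::net::IpAddr;
use std::time::{Duration, Instant};

/// At most `max_requests` per `window` for each client IP.
/// This example's own config type, not the crate's RateLimitConfig.
#[derive(Clone, Copy)]
pub struct SlidingWindowConfig {
    pub max_requests: usize,
    pub window: Duration,
}

#[derive(Debug, PartialEq)]
pub enum Decision {
    Allow,
    /// Map to 429; `retry_after` is the time until the oldest in-window hit expires
    /// (suitable for a Retry-After header).
    TooManyRequests { retry_after: Duration },
}

pub struct SlidingWindowLimiter {
    config: SlidingWindowConfig,
    /// Timestamps of accepted requests per IP, oldest at the front.
    hits: HashMap<IpAddr, VecDeque<Instant>>,
}

impl SlidingWindowLimiter {
    pub fn new(config: SlidingWindowConfig) -> Self {
        SlidingWindowLimiter { config, hits: HashMap::new() }
    }

    /// `now` is a parameter instead of Instant::now() so the logic can be
    /// exercised deterministically; a middleware would pass the current time.
    pub fn check(&mut self, ip: IpAddr, now: Instant) -> Decision {
        let window = self.config.window;
        let q = self.hits.entry(ip).or_default();
        // Evict timestamps that have slid out of the window.
        while let Some(&oldest) = q.front() {
            if now.duration_since(oldest) >= window {
                q.pop_front();
            } else {
                break;
            }
        }
        if q.len() < self.config.max_requests {
            q.push_back(now);
            return Decision::Allow;
        }
        // Over the limit: the client may retry once the oldest hit leaves the window.
        let retry_after = match q.front() {
            Some(&oldest) => window - now.duration_since(oldest),
            None => window, // max_requests == 0: every request is refused
        };
        Decision::TooManyRequests { retry_after }
    }

    /// Drop IPs with no hits inside the window so the table stays bounded.
    pub fn purge_idle(&mut self, now: Instant) {
        let window = self.config.window;
        self.hits.retain(|_, q| {
            q.back().map_or(false, |&last| now.duration_since(last) < window)
        });
    }

    pub fn tracked_ips(&self) -> usize {
        self.hits.len()
    }
}

fn main() {
    // Same numbers as the page's configuration: 20 requests per 60 seconds.
    let mut limiter = SlidingWindowLimiter::new(SlidingWindowConfig {
        max_requests: 20,
        window: Duration::from_secs(60),
    });
    let ip: IpAddr = "203.0.113.7".parse().unwrap(); // constructed client address
    let now = Instant::now();
    for i in 0..21 {
        println!("request {}: {:?}", i + 1, limiter.check(ip, now));
    }
}
```

Each IP gets its own queue, so one noisy client cannot exhaust another's budget; purge_idle should run periodically (or on a timer) because the map otherwise grows with every address ever seen.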

The CSRF middleware validates the Origin / Referer header of mutating requests against the configured allowed origins.

use authx_axum::{csrf_middleware, CsrfConfig};
use axum::middleware;

router.route_layer(middleware::from_fn_with_state(
    CsrfConfig::new(["https://app.example.com"]),
    csrf_middleware,
))

Returns 403 Forbidden when origin validation fails.
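An Origin / Referer check of the kind described above, as an added example written for this page rather than the crate's csrf_middleware. It assumes the policy the text states: safe methods pass, mutating methods must present an Origin on the allow list, and Referer is only consulted when Origin is absent. AllowedOrigins, CsrfVerdict and origin_of are this example's own names; the request samples are constructed.

```rust
/// Origins allowed to send state-changing requests, normalised to lowercase
/// "scheme://host[:port]" with no trailing slash. This example's own type,
/// not the crate's CsrfConfig.
pub struct AllowedOrigins(Vec<String>);

impl AllowedOrigins {
    pub fn new<I, S>(origins: I) -> Self
    where
        I: IntoIterator<Item = S>,
        S: AsRef<str>,
    {
        AllowedOrigins(
            origins
                .into_iter()
                .map(|o| o.as_ref().trim_end_matches('/').to_ascii_lowercase())
                .collect(),
        )
    }
}

#[derive(Debug, PartialEq)]
pub enum CsrfVerdict {
    Allow,
    /// Reason the request should be answered with 403 Forbidden.
    Forbidden(&'static str),
}

/// Reduce an absolute URL (as carried in Referer) to its origin,
/// "scheme://host[:port]", dropping userinfo, path, query and fragment.
pub fn origin_of(url: &str) -> Option<String> {
    let (scheme, rest) = url.trim().split_once("://")?;
    if scheme.is_empty() {
        return None;
    }
    let authority = rest.split(|c: char| c == '/' || c == '?' || c == '#').next()?;
    let host_port = authority.rsplit('@').next()?;
    if host_port.is_empty() {
        return None;
    }
    Some(format!("{}://{}", scheme, host_port).to_ascii_lowercase())
}

/// Decide whether a request may proceed. Safe methods are never blocked;
/// mutating methods must present an Origin (or, failing that, a Referer)
/// whose origin is on the allow list. Exact string comparison of the whole
/// origin is what stops "https://app.example.com.other.example" from matching.
pub fn check_csrf(
    allowed: &AllowedOrigins,
    method: &str,
    origin: Option<&str>,
    referer: Option<&str>,
) -> CsrfVerdict {
    if matches!(method.to_ascii_uppercase().as_str(), "GET" | "HEAD" | "OPTIONS") {
        return CsrfVerdict::Allow;
    }
    let presented = match origin {
        Some(o) => Some(o.trim().trim_end_matches('/').to_ascii_lowercase()),
        None => referer.and_then(origin_of),
    };
    match presented.as_deref() {
        None => CsrfVerdict::Forbidden("mutating request without Origin or Referer"),
        // Browsers send "Origin: null" for opaque origins (sandboxed frames, some redirects).
        Some("null") => CsrfVerdict::Forbidden("opaque (null) origin"),
        Some(o) if allowed.0.iter().any(|a| a.as_str() == o) => CsrfVerdict::Allow,
        Some(_) => CsrfVerdict::Forbidden("origin not in allow list"),
    }
}

fn main() {
    let allowed = AllowedOrigins::new(["https://app.example.com"]);
    // Constructed requests: (method, Origin header, Referer header).
    let samples = [
        ("GET", None, None),
        ("POST", Some("https://app.example.com"), None),
        ("POST", Some("https://other.example"), None),
        ("POST", None, Some("https://app.example.com/settings?tab=1")),
        ("POST", None, None),
    ];
    for &(method, origin, referer) in samples.iter() {
        println!("{} {:?} {:?} -> {:?}", method, origin, referer, check_csrf(&allowed, method, origin, referer));
    }
}
```

Refusing requests that carry neither header is the conservative choice: a browser always sends Origin on cross-site POSTs, so a mutating request with no provenance at all is more likely a stripped or non-browser request than a legitimate same-site form submission.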

Tower nests layers: with Router::layer, the last .layer() call is the outermost layer and runs first on the way in. To list the stack in execution order, wrap the layers in a tower::ServiceBuilder, which applies the first layer listed as the outermost.

Recommended ordering from outermost to innermost:

use tower::ServiceBuilder;
use tower_http::trace::TraceLayer;

// ServiceBuilder applies layers top-to-bottom: the first one listed is outermost.
app.layer(
    ServiceBuilder::new()
        .layer(TraceLayer::new_for_http()) // 1. log everything
        .layer(SessionLayer::new(store)),  // 2. resolve identity
)
// rate limit applied to auth routes only via auth_router
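The ordering rule made observable, as an added example that is not part of the authx docs or the crate. It uses small synchronous stand-ins for tower's Service and Layer traits (this example's own, so it runs without tower) and records the order in which two named middlewares, standing in for TraceLayer and SessionLayer, see a request when wrapped Router-style versus ServiceBuilder-style.

```rust
/// Minimal synchronous stand-ins for tower::Service and tower::Layer.
/// These are this example's own traits, not tower's (tower's are async).
pub trait Service {
    fn call(&self, req: &str, log: &mut Vec<String>) -> String;
}

pub trait Layer<S> {
    type Service;
    fn layer(&self, inner: S) -> Self::Service;
}

/// Lets a boxed service be wrapped again, so a stack can be built in a loop.
impl Service for Box<dyn Service> {
    fn call(&self, req: &str, log: &mut Vec<String>) -> String {
        (**self).call(req, log)
    }
}

/// The innermost service: the route handler.
pub struct Handler;

impl Service for Handler {
    fn call(&self, req: &str, log: &mut Vec<String>) -> String {
        log.push("handler".to_string());
        format!("200 OK for {}", req)
    }
}

/// A middleware that records when it enters and exits; stands in for
/// TraceLayer ("trace") and SessionLayer ("session").
pub struct Named(pub &'static str);

pub struct NamedService<S> {
    name: &'static str,
    inner: S,
}

impl<S: Service> Service for NamedService<S> {
    fn call(&self, req: &str, log: &mut Vec<String>) -> String {
        log.push(format!("{} enter", self.name));
        let resp = self.inner.call(req, log);
        log.push(format!("{} exit", self.name));
        resp
    }
}

impl<S> Layer<S> for Named {
    type Service = NamedService<S>;
    fn layer(&self, inner: S) -> NamedService<S> {
        NamedService { name: self.0, inner }
    }
}

/// Router-style chaining: each .layer() wraps whatever already exists,
/// so the LAST layer added ends up outermost and runs first.
pub fn router_style_order() -> Vec<String> {
    let svc = Named("trace").layer(Handler); // app.layer(TraceLayer)
    let svc = Named("session").layer(svc); // .layer(SessionLayer): now outermost
    let mut log = Vec::new();
    svc.call("/login", &mut log);
    log
}

/// ServiceBuilder-style: layers are listed outermost first and the whole
/// stack is applied to the handler at the end, so the FIRST layer listed runs first.
pub fn builder_style_order() -> Vec<String> {
    let stack = [Named("trace"), Named("session")]; // outermost first
    let mut svc: Box<dyn Service> = Box::new(Handler);
    // Wrap from the innermost layer outwards.
    for layer in stack.iter().rev() {
        let wrapped: Box<dyn Service> = Box::new(layer.layer(svc));
        svc = wrapped;
    }
    let mut log = Vec::new();
    svc.call("/login", &mut log);
    log
}

fn main() {
    println!("Router::layer chaining: {:?}", router_style_order());
    println!("ServiceBuilder:         {:?}", builder_style_order());
}
```

With Router-style chaining the session middleware runs before tracing, so an error raised while resolving the session is never logged by the trace layer; the ServiceBuilder form keeps the listed order and the trace layer sees every request.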