permission-core Auth
This example shows how to connect permission-core to VextJS Auth. Vext keeps authentication and route guards separate:
auth()parses the Bearer token and fillsreq.auth.permission-coreowns authorization decisions such asinvoke + GET:/api/posts.RouteOptions.authdeclares the guard that Vext should enforce for a route.
The verified consumer project is vext-test: src/plugins/permission.ts, src/middlewares/permission-core-auth.ts, src/routes/auth-context.ts, and verify.mjs cases #246-#250.
1. Install
For a demo or test project, MemoryAdapter is enough. For production, follow permission-core's production guide and use a persistent storage adapter with the cache-hub + monsqlize stack recommended by permission-core.
2. Create the permission plugin
3. Bridge auth() to permission-core
Register the middleware name in src/config/default.ts:
4. Protect routes with RouteOptions.auth
RouteOptions.auth is the preferred guard contract. The older openapi.guardSecurityMap fallback still exists for legacy middleware-only examples, but new code should put security on auth.security so runtime protection and OpenAPI output share the same source.
5. Direct assert() in handlers
Use req.auth.assert() when a route has additional runtime decisions that are easier to express inside the handler:
If permission-core denies the operation, Vext returns AUTH_FORBIDDEN through the Auth guard path.
6. Verify
The same flow is covered by vext-test:
The relevant assertions are:
#246identity and safe request context snapshot#247permission-corecan()allow#248permission-corecan()deny#249missing, malformed, and unknown credential errors#250req.auth.assert()plus OpenAPIbearerAuth