Port access-control probes to Rust integration tests; document HTTPS hardening

#12 in tonybierman/arium — merged 2026-05-25

Summary

Outputs of reviewing the past-24h security-hardening merges (#1–#11):

  1. Replace the shell access-control probes with Rust integration tests. The two examples/*/access-control-probe.sh scripts (and their bespoke CI jobs that built the example server-only, nohup'd it on a port, waited for readiness, and curl'd it) are replaced by deterministic in-process integration tests in the adapter crates, run by the normal cargo test --workspace gate.
  2. Document the opt-in HTTPS production hardening in SECURITY.md — the cookie_secure / hsts / content_security_policy builder knobs added in PR #7 were in rustdoc but had no consumer-facing doc.

Access-control tests (full 3-phase parity, both adapters)

crates/arium-{dioxus,leptos}/tests/access_control.rs:

  • Phase 1 — anonymous caller denied on every protected/admin endpoint.
  • Phase 2 — logged-in non-admin refused on admin endpoints (vertical privilege escalation).
  • Phase 3 — user B cannot revoke user A's API token (IDOR), verified directly via A's token list + a control revoke.

Harness extracted into a per-adapter tests/common/mod.rs (shared with the existing server_fn_roundtrip.rs, which now consumes it instead of inlining its own copy — the "no duplication" requirement). spawn_app disables rate limiting so a fast multi-endpoint sweep can't be masked by a 429.

Unlike the shell probe's loose assert_denied (which treated a 404 as a pass), the Rust port distinguishes a 404 from a real denial — and immediately caught a stale inventory entry: GET /api/user/permissions was never a route (permissions ride on /api/user/profile).

Engine-level tests (crates/arium/tests/{rbac,api_tokens}.rs) already cover the permission model + SQL scoping; these add the missing mounted-route enforcement coverage, so deleting the scripts loses nothing.

Removals

  • examples/*/access-control-probe.sh
  • the access-control and access-control-leptos jobs in .github/workflows/ci.yml (no replacement job needed — the test job runs the new tests)
  • fixed the now-stale .gitignore comment

Verification

  • cargo test --workspace --exclude dioxus-fullstack-example — green; both adapters' access_control (3 phases each) + refactored server_fn_roundtrip pass.
  • ci.yml parses; no lingering access-control-probe references except the provenance comments in the new test files.
  • wasm unaffected: all four test files carry #![cfg(not(target_arch = "wasm32"))] (identical gating to the pre-existing round-trip tests).

🤖 Generated with Claude Code
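The 404-versus-denial distinction the description relies on, as an added Rust example that is not arium's own test code: the endpoint inventory, the status table, and the `sweep` / `anonymous_phase` names are constructed for illustration, and treating only 401/403 as a real denial is an assumption of this example.

```rust
#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum Verdict {
    Denied,     // 401/403: the route is mounted and refused the caller
    StaleRoute, // 404: nothing is mounted here, so the probe proved nothing
    NotDenied,  // anything else: the caller got through, or the check is ambiguous
}

pub fn verdict(status: u16) -> Verdict {
    match status {
        401 | 403 => Verdict::Denied,
        404 => Verdict::StaleRoute,
        _ => Verdict::NotDenied, // an app that redirects to login would need 3xx handled here
    }
}

#[derive(Debug, Default, PartialEq, Eq)]
pub struct SweepReport {
    pub denied: Vec<String>,     // real denials: the only outcome that counts as a pass
    pub stale: Vec<String>,      // inventory entries that are not routes at all
    pub not_denied: Vec<String>, // enforcement failures
}
impl SweepReport {
    pub fn passed(&self) -> bool { self.stale.is_empty() && self.not_denied.is_empty() }
}

// `request` is supplied by the caller so the verdict logic runs offline; an
// integration test would issue the HTTP request against the in-process app here.
pub fn sweep<F: Fn(&str, &str) -> u16>(inventory: &[(&str, &str)], request: F) -> SweepReport {
    let mut report = SweepReport::default();
    for &(method, path) in inventory {
        let key = format!("{method} {path}");
        match verdict(request(method, path)) {
            Verdict::Denied => report.denied.push(key),
            Verdict::StaleRoute => report.stale.push(key),
            Verdict::NotDenied => report.not_denied.push(key),
        }
    }
    report
}

// Constructed phase-1 run (anonymous caller): the status table stands in for the
// server, and GET /api/user/permissions answers 404 because it was never mounted.
pub fn anonymous_phase() -> SweepReport {
    const RESPONSES: &[(&str, &str, u16)] = &[
        ("GET", "/api/user/profile", 401),
        ("GET", "/api/user/permissions", 404),
        ("GET", "/api/admin/users", 403),
        ("DELETE", "/api/user/tokens/1", 401),
    ];
    let inventory: Vec<(&str, &str)> = RESPONSES.iter().map(|&(m, p, _)| (m, p)).collect();
    sweep(&inventory, |m, p| RESPONSES.iter().find(|r| r.0 == m && r.1 == p).map_or(500, |r| r.2))
}
```

A sweep whose only non-denials are 404s still fails, which is what surfaces a stale inventory entry instead of silently passing it.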

Last updated 2026-05-26