Identity

Identity is Deepstaging's model for who users are and what they can do. It covers three layers: resolving the current user per-request, defining your application's permission and role structure, and enforcing access control on handlers.

Quick Start

// 1. Define permissions
[Permissions]
public enum Permission
{
    Contacts_Read,
    Contacts_Write,
    Contacts_Delete,
}

// 2. Map permissions to roles
[Roles]
public static partial class AppRoles
{
    [Role("Admin",
        (int)Permission.Contacts_Read,
        (int)Permission.Contacts_Write,
        (int)Permission.Contacts_Delete)]
    public static partial void Admin();

    [Role("Viewer",
        (int)Permission.Contacts_Read)]
    public static partial void Viewer();
}

// 3. Enforce on handlers
public static class ContactCommands
{
    [CommandHandler]
    [Require(Permission.Contacts_Write)]
    public static Eff<AppRuntime, ContactCreated> Handle(CreateContact cmd) => ...

    [QueryHandler]
    [Require(Permission.Contacts_Read)]
    public static Eff<AppRuntime, QueryResult<Contact>> Handle(GetContacts query) => ...
}

The generator produces IPermissionResolver (role-to-permission mapping), PermissionPolicies (ASP.NET policy registration), role seed data, and typed RequireAttribute/RoleAttribute that eliminate (int) casts.

How It Fits Together

HTTP Request
  → JWT middleware (ASP.NET)           → authenticates, sets ClaimsPrincipal
  → IdentityMiddleware (Deepstaging)   → resolves ICurrentUser with roles + permissions
  → Endpoint authorization (ASP.NET)   → checks [Authorize] / [Require] policies
  → Dispatch handler                   → runs the effect pipeline

IdentityMiddleware builds ICurrentUser per-request from IIdentityStore data. It resolves roles, flattens permissions via IPermissionResolver, and makes the result available to authorization policies and handler code. Authorization is checked before the handler runs:

Authorize → Validate → Handler → Audit → Auto-commit
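
The flow described above, reduced to a stand-alone C# sketch: roles are flattened into one permission set and the requirement is checked before any handler would run. This is an added example, not Deepstaging's generated code; `RbacSketch`, `RoleMap`, `Flatten`, `IsAuthorized` and the sample users are hypothetical, while the permission and role names come from the Quick Start.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Permission names and role contents are taken from the Quick Start.
public enum Permission { Contacts_Read, Contacts_Write, Contacts_Delete }

public static class RbacSketch
{
    // Hypothetical stand-in for a role-to-permission mapping.
    // Role names are compared case-sensitively (an assumption of this sketch).
    static readonly Dictionary<string, Permission[]> RoleMap = new(StringComparer.Ordinal)
    {
        ["Admin"]  = new[] { Permission.Contacts_Read, Permission.Contacts_Write, Permission.Contacts_Delete },
        ["Viewer"] = new[] { Permission.Contacts_Read },
    };

    // Flatten roles into one permission set. Unknown roles contribute nothing (fail closed).
    public static HashSet<Permission> Flatten(IEnumerable<string> roles) =>
        roles.Where(RoleMap.ContainsKey).SelectMany(r => RoleMap[r]).ToHashSet();

    // Authorize step: decided before any handler code runs.
    public static bool IsAuthorized(IEnumerable<string> roles, Permission required) =>
        Flatten(roles).Contains(required);

    public static void Main()
    {
        // Constructed sample users; "Auditor" is deliberately not a defined role.
        var users = new (string Name, string[] Roles)[]
        {
            ("alice", new[] { "Admin" }),
            ("bob",   new[] { "Viewer" }),
            ("carol", new[] { "Viewer", "Auditor" }),
            ("dave",  Array.Empty<string>()),
        };

        // Print the full allow/deny matrix so over-broad roles are easy to spot.
        foreach (var (name, roles) in users)
            foreach (var p in Enum.GetValues<Permission>())
                Console.WriteLine($"{name,-6} {p,-16} {(IsAuthorized(roles, p) ? "allow" : "deny")}");
    }
}
```

A user whose only extra role is undefined gains nothing from it, and a user with no roles is denied every permission.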

What's Next

| Page | Description |
| --- | --- |
| Current User | ICurrentUser, IdentityMiddleware, IIdentityStore, IPermissionResolver, user entity conventions |
| Authorization | Ad-hoc policies ([AuthPolicies], [Authorize]), RBAC ([Permissions], [Roles], [Require], [Public]) |
| Effects | IdentityModule effect methods for programmatic role and identity management |

Diagnostics

| ID | Severity | Description | Section |
| --- | --- | --- | --- |
| DSDSP08 | Error | [AuthPolicies] class must be static partial | Authorization |
| DSDSP09 | Error | [AuthPolicy] method must be static bool(ClaimsPrincipal) | Authorization |
| DSDSP14 | Warning | Handler has no [Require], [Authorize], or [Public] | Authorization |
| DSID02 | Info | User entity has no PasswordHash — local auth disabled | Current User |
| DSID03 | Info | User entity has no Roles — role management disabled | Current User |
| DSID07 | Info | User entity has no auth properties (PasswordHash or GoogleSub) | Current User |