From 88b21fc08d7ea893bbbb1a8912dc663be7dbac88 Mon Sep 17 00:00:00 2001
From: Jonathan Cooper <reallysnazzy@protonmail.com>
Date: Sun, 1 Feb 2026 17:31:42 -0800
Subject: [PATCH] Add middleware

---
 sf-auth-middleware-axum/Cargo.lock        | 1267 ++++++++++++++++++++-
 sf-auth-middleware-axum/Cargo.toml        |   14 +
 sf-auth-middleware-axum/README.md         |  255 +++++
 sf-auth-middleware-axum/examples/basic.rs |  144 +++
 sf-auth-middleware-axum/src/callback.rs   |   66 ++
 sf-auth-middleware-axum/src/client.rs     |   64 ++
 sf-auth-middleware-axum/src/config.rs     |   41 +
 sf-auth-middleware-axum/src/error.rs      |   43 +
 sf-auth-middleware-axum/src/extractor.rs  |   79 ++
 sf-auth-middleware-axum/src/lib.rs        |   80 +-
 sf-auth-middleware-axum/src/middleware.rs |   47 +
 11 files changed, 2083 insertions(+), 17 deletions(-)
 create mode 100644 sf-auth-middleware-axum/README.md
 create mode 100644 sf-auth-middleware-axum/examples/basic.rs
 create mode 100644 sf-auth-middleware-axum/src/callback.rs
 create mode 100644 sf-auth-middleware-axum/src/client.rs
 create mode 100644 sf-auth-middleware-axum/src/config.rs
 create mode 100644 sf-auth-middleware-axum/src/error.rs
 create mode 100644 sf-auth-middleware-axum/src/extractor.rs
 create mode 100644 sf-auth-middleware-axum/src/middleware.rs

diff --git a/sf-auth-middleware-axum/Cargo.lock b/sf-auth-middleware-axum/Cargo.lock
index afe1a6c..219b948 100644
--- a/sf-auth-middleware-axum/Cargo.lock
+++ b/sf-auth-middleware-axum/Cargo.lock
@@ -2,6 +2,17 @@
 # It is not intended for manual editing.
 version = 4
 
+[[package]]
+name = "async-trait"
+version = "0.1.89"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9035ad2d096bed7955a320ee7e2230574d28fd3c3a0f186cbea1ff3c7eed5dbb"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
 [[package]]
 name = "atomic-waker"
 version = "1.1.2"
@@ -60,12 +71,100 @@ dependencies = [
  "tracing",
 ]
 
+[[package]]
+name = "base64"
+version = "0.22.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6"
+
+[[package]]
+name = "bitflags"
+version = "2.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "812e12b5285cc515a9c72a5c1d3b6d46a19dac5acfef5265968c166106e31dd3"
+
+[[package]]
+name = "bumpalo"
+version = "3.19.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5dd9dc738b7a8311c7ade152424974d8115f2cdad61e8dab8dac9f2362298510"
+
 [[package]]
 name = "bytes"
 version = "1.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b35204fbdc0b3f4446b89fc1ac2cf84a8a68971995d0bf2e925ec7cd960f9cb3"
 
+[[package]]
+name = "cc"
+version = "1.2.55"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "47b26a0954ae34af09b50f0de26458fa95369a0d478d8236d3f93082b219bd29"
+dependencies = [
+ "find-msvc-tools",
+ "shlex",
+]
+
+[[package]]
+name = "cfg-if"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9330f8b2ff13f34540b44e946ef35111825727b38d33286ef986142615121801"
+
+[[package]]
+name = "cfg_aliases"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724"
+
+[[package]]
+name = "cookie"
+version = "0.18.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4ddef33a339a91ea89fb53151bd0a4689cfce27055c291dfa69945475d22c747"
+dependencies = [
+ "percent-encoding",
+ "time",
+ "version_check",
+]
+
+[[package]]
+name = "deranged"
+version = "0.5.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ececcb659e7ba858fb4f10388c250a7252eb0a27373f1a72b8748afdd248e587"
+dependencies = [
+ "powerfmt",
+ "serde_core",
+]
+
+[[package]]
+name = "displaydoc"
+version = "0.2.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "errno"
+version = "0.3.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb"
+dependencies = [
+ "libc",
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "find-msvc-tools"
+version = "0.1.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5baebc0774151f905a1a2cc41989300b1e6fbb29aff0ceffa1064fdd3088d582"
+
 [[package]]
 name = "form_urlencoded"
 version = "1.2.2"
@@ -75,6 +174,20 @@ dependencies = [
  "percent-encoding",
 ]
 
+[[package]]
+name = "futures"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "65bc07b1a8bc7c85c5f2e110c476c7389b4554ba72af57d8445ea63a576b0876"
+dependencies = [
+ "futures-channel",
+ "futures-core",
+ "futures-io",
+ "futures-sink",
+ "futures-task",
+ "futures-util",
+]
+
 [[package]]
 name = "futures-channel"
 version = "0.3.31"
@@ -82,6 +195,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2dff15bf788c671c1934e366d07e30c1814a8ef514e1af724a602e8a2fbe1b10"
 dependencies = [
  "futures-core",
+ "futures-sink",
 ]
 
 [[package]]
@@ -90,6 +204,29 @@ version = "0.3.31"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "05f29059c0c2090612e8d742178b0580d2dc940c837851ad723096f87af6663e"
 
+[[package]]
+name = "futures-io"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9e5c1b78ca4aae1ac06c48a526a655760685149f0d465d21f37abfe57ce075c6"
+
+[[package]]
+name = "futures-macro"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "162ee34ebcb7c64a8abebc059ce0fee27c2262618d7b60ed8faf72fef13c3650"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "futures-sink"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e575fab7d1e0dcb8d0c7bcf9a63ee213816ab51902e6d244a95819acacf1d4f7"
+
 [[package]]
 name = "futures-task"
 version = "0.3.31"
@@ -103,9 +240,39 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9fa08315bb612088cc391249efdc3bc77536f16c91f6cf495e6fbe85b20a4a81"
 dependencies = [
  "futures-core",
+ "futures-macro",
+ "futures-sink",
  "futures-task",
  "pin-project-lite",
  "pin-utils",
+ "slab",
+]
+
+[[package]]
+name = "getrandom"
+version = "0.2.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ff2abc00be7fca6ebc474524697ae276ad847ad0a6b3faa4bcb027e9a4614ad0"
+dependencies = [
+ "cfg-if",
+ "js-sys",
+ "libc",
+ "wasi",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "getrandom"
+version = "0.3.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "899def5c37c4fd7b2664648c28120ecec138e4d395b459e5ca34f9cce2dd77fd"
+dependencies = [
+ "cfg-if",
+ "js-sys",
+ "libc",
+ "r-efi",
+ "wasip2",
+ "wasm-bindgen",
 ]
 
 [[package]]
@@ -172,6 +339,24 @@ dependencies = [
  "pin-utils",
  "smallvec",
  "tokio",
+ "want",
+]
+
+[[package]]
+name = "hyper-rustls"
+version = "0.27.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e3c93eb611681b207e1fe55d5a71ecf91572ec8a6705cdb6857f7d8d5242cf58"
+dependencies = [
+ "http",
+ "hyper",
+ "hyper-util",
+ "rustls",
+ "rustls-pki-types",
+ "tokio",
+ "tokio-rustls",
+ "tower-service",
+ "webpki-roots",
 ]
 
 [[package]]
@@ -180,14 +365,140 @@ version = "0.1.19"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "727805d60e7938b76b826a6ef209eb70eaa1812794f9424d4a4e2d740662df5f"
 dependencies = [
+ "base64",
  "bytes",
+ "futures-channel",
  "futures-core",
+ "futures-util",
  "http",
  "http-body",
  "hyper",
+ "ipnet",
+ "libc",
+ "percent-encoding",
  "pin-project-lite",
+ "socket2",
  "tokio",
  "tower-service",
+ "tracing",
+]
+
+[[package]]
+name = "icu_collections"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4c6b649701667bbe825c3b7e6388cb521c23d88644678e83c0c4d0a621a34b43"
+dependencies = [
+ "displaydoc",
+ "potential_utf",
+ "yoke",
+ "zerofrom",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_locale_core"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "edba7861004dd3714265b4db54a3c390e880ab658fec5f7db895fae2046b5bb6"
+dependencies = [
+ "displaydoc",
+ "litemap",
+ "tinystr",
+ "writeable",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_normalizer"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5f6c8828b67bf8908d82127b2054ea1b4427ff0230ee9141c54251934ab1b599"
+dependencies = [
+ "icu_collections",
+ "icu_normalizer_data",
+ "icu_properties",
+ "icu_provider",
+ "smallvec",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_normalizer_data"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7aedcccd01fc5fe81e6b489c15b247b8b0690feb23304303a9e560f37efc560a"
+
+[[package]]
+name = "icu_properties"
+version = "2.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "020bfc02fe870ec3a66d93e677ccca0562506e5872c650f893269e08615d74ec"
+dependencies = [
+ "icu_collections",
+ "icu_locale_core",
+ "icu_properties_data",
+ "icu_provider",
+ "zerotrie",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_properties_data"
+version = "2.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "616c294cf8d725c6afcd8f55abc17c56464ef6211f9ed59cccffe534129c77af"
+
+[[package]]
+name = "icu_provider"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "85962cf0ce02e1e0a629cc34e7ca3e373ce20dda4c4d7294bbd0bf1fdb59e614"
+dependencies = [
+ "displaydoc",
+ "icu_locale_core",
+ "writeable",
+ "yoke",
+ "zerofrom",
+ "zerotrie",
+ "zerovec",
+]
+
+[[package]]
+name = "idna"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3b0875f23caa03898994f6ddc501886a45c7d3d62d04d2d90788d47be1b1e4de"
+dependencies = [
+ "idna_adapter",
+ "smallvec",
+ "utf8_iter",
+]
+
+[[package]]
+name = "idna_adapter"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3acae9609540aa318d1bc588455225fb2085b9ed0c4f6bd0d9d5bcd86f1a0344"
+dependencies = [
+ "icu_normalizer",
+ "icu_properties",
+]
+
+[[package]]
+name = "ipnet"
+version = "2.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "469fb0b9cefa57e3ef31275ee7cacb78f2fdca44e4765491884a2b119d4eb130"
+
+[[package]]
+name = "iri-string"
+version = "0.7.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c91338f0783edbd6195decb37bae672fd3b165faffb89bf7b9e6942f8b1a731a"
+dependencies = [
+ "memchr",
+ "serde",
 ]
 
 [[package]]
@@ -196,18 +507,55 @@ version = "1.0.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "92ecc6618181def0457392ccd0ee51198e065e016d1d527a7ac1b6dc7c1f09d2"
 
+[[package]]
+name = "js-sys"
+version = "0.3.85"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8c942ebf8e95485ca0d52d97da7c5a2c387d0e7f0ba4c35e93bfcaee045955b3"
+dependencies = [
+ "once_cell",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "lazy_static"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe"
+
 [[package]]
 name = "libc"
 version = "0.2.180"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "bcc35a38544a891a5f7c865aca548a982ccb3b8650a5b06d0fd33a10283c56fc"
 
+[[package]]
+name = "litemap"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6373607a59f0be73a39b6fe456b8192fcc3585f602af20751600e974dd455e77"
+
+[[package]]
+name = "lock_api"
+version = "0.4.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "224399e74b87b5f3557511d98dff8b14089b3dadafcab6bb93eab67d3aace965"
+dependencies = [
+ "scopeguard",
+]
+
 [[package]]
 name = "log"
 version = "0.4.29"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5e5032e24019045c762d3c0f28f5b6b8bbf38563a65908389bf7978758920897"
 
+[[package]]
+name = "lru-slab"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "112b39cec0b298b6c1999fee3e31427f74f676e4cb9879ed1a121b43661a4154"
+
 [[package]]
 name = "matchit"
 version = "0.8.4"
@@ -237,12 +585,50 @@ dependencies = [
  "windows-sys 0.61.2",
 ]
 
+[[package]]
+name = "nu-ansi-term"
+version = "0.50.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7957b9740744892f114936ab4a57b3f487491bbeafaf8083688b16841a4240e5"
+dependencies = [
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "num-conv"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cf97ec579c3c42f953ef76dbf8d55ac91fb219dde70e49aa4a6b7d74e9919050"
+
 [[package]]
 name = "once_cell"
 version = "1.21.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "42f5e15c9953c5e4ccceeb2e7382a716482c34515315f7b03532b8b4e8393d2d"
 
+[[package]]
+name = "parking_lot"
+version = "0.12.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "93857453250e3077bd71ff98b6a65ea6621a19bb0f559a85248955ac12c45a1a"
+dependencies = [
+ "lock_api",
+ "parking_lot_core",
+]
+
+[[package]]
+name = "parking_lot_core"
+version = "0.9.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2621685985a2ebf1c516881c026032ac7deafcda1a2c9b7850dc81e3dfcb64c1"
+dependencies = [
+ "cfg-if",
+ "libc",
+ "redox_syscall",
+ "smallvec",
+ "windows-link",
+]
+
 [[package]]
 name = "percent-encoding"
 version = "2.3.2"
@@ -261,6 +647,30 @@ version = "0.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
 
+[[package]]
+name = "potential_utf"
+version = "0.1.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b73949432f5e2a09657003c25bca5e19a0e9c84f8058ca374f49e0ebe605af77"
+dependencies = [
+ "zerovec",
+]
+
+[[package]]
+name = "powerfmt"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "439ee305def115ba05938db6eb1644ff94165c5ab5e9420d1c1bcedbba909391"
+
+[[package]]
+name = "ppv-lite86"
+version = "0.2.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "85eae3c4ed2f50dcfe72643da4befc30deadb458a9b590d720cde2f2b1e97da9"
+dependencies = [
+ "zerocopy",
+]
+
 [[package]]
 name = "proc-macro2"
 version = "1.0.106"
@@ -270,6 +680,61 @@ dependencies = [
  "unicode-ident",
 ]
 
+[[package]]
+name = "quinn"
+version = "0.11.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b9e20a958963c291dc322d98411f541009df2ced7b5a4f2bd52337638cfccf20"
+dependencies = [
+ "bytes",
+ "cfg_aliases",
+ "pin-project-lite",
+ "quinn-proto",
+ "quinn-udp",
+ "rustc-hash",
+ "rustls",
+ "socket2",
+ "thiserror",
+ "tokio",
+ "tracing",
+ "web-time",
+]
+
+[[package]]
+name = "quinn-proto"
+version = "0.11.13"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f1906b49b0c3bc04b5fe5d86a77925ae6524a19b816ae38ce1e426255f1d8a31"
+dependencies = [
+ "bytes",
+ "getrandom 0.3.4",
+ "lru-slab",
+ "rand",
+ "ring",
+ "rustc-hash",
+ "rustls",
+ "rustls-pki-types",
+ "slab",
+ "thiserror",
+ "tinyvec",
+ "tracing",
+ "web-time",
+]
+
+[[package]]
+name = "quinn-udp"
+version = "0.5.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "addec6a0dcad8a8d96a771f815f0eaf55f9d1805756410b39f5fa81332574cbd"
+dependencies = [
+ "cfg_aliases",
+ "libc",
+ "once_cell",
+ "socket2",
+ "tracing",
+ "windows-sys 0.60.2",
+]
+
 [[package]]
 name = "quote"
 version = "1.0.44"
@@ -279,12 +744,161 @@ dependencies = [
  "proc-macro2",
 ]
 
+[[package]]
+name = "r-efi"
+version = "5.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "69cdb34c158ceb288df11e18b4bd39de994f6657d83847bdffdbd7f346754b0f"
+
+[[package]]
+name = "rand"
+version = "0.9.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6db2770f06117d490610c7488547d543617b21bfa07796d7a12f6f1bd53850d1"
+dependencies = [
+ "rand_chacha",
+ "rand_core",
+]
+
+[[package]]
+name = "rand_chacha"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d3022b5f1df60f26e1ffddd6c66e8aa15de382ae63b3a0c1bfc0e4d3e3f325cb"
+dependencies = [
+ "ppv-lite86",
+ "rand_core",
+]
+
+[[package]]
+name = "rand_core"
+version = "0.9.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "76afc826de14238e6e8c374ddcc1fa19e374fd8dd986b0d2af0d02377261d83c"
+dependencies = [
+ "getrandom 0.3.4",
+]
+
+[[package]]
+name = "redox_syscall"
+version = "0.5.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ed2bf2547551a7053d6fdfafda3f938979645c44812fbfcda098faae3f1a362d"
+dependencies = [
+ "bitflags",
+]
+
+[[package]]
+name = "reqwest"
+version = "0.12.28"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "eddd3ca559203180a307f12d114c268abf583f59b03cb906fd0b3ff8646c1147"
+dependencies = [
+ "base64",
+ "bytes",
+ "futures-core",
+ "http",
+ "http-body",
+ "http-body-util",
+ "hyper",
+ "hyper-rustls",
+ "hyper-util",
+ "js-sys",
+ "log",
+ "percent-encoding",
+ "pin-project-lite",
+ "quinn",
+ "rustls",
+ "rustls-pki-types",
+ "serde",
+ "serde_json",
+ "serde_urlencoded",
+ "sync_wrapper",
+ "tokio",
+ "tokio-rustls",
+ "tower",
+ "tower-http",
+ "tower-service",
+ "url",
+ "wasm-bindgen",
+ "wasm-bindgen-futures",
+ "web-sys",
+ "webpki-roots",
+]
+
+[[package]]
+name = "ring"
+version = "0.17.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a4689e6c2294d81e88dc6261c768b63bc4fcdb852be6d1352498b114f61383b7"
+dependencies = [
+ "cc",
+ "cfg-if",
+ "getrandom 0.2.17",
+ "libc",
+ "untrusted",
+ "windows-sys 0.52.0",
+]
+
+[[package]]
+name = "rustc-hash"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "357703d41365b4b27c590e3ed91eabb1b663f07c4c084095e60cbed4362dff0d"
+
+[[package]]
+name = "rustls"
+version = "0.23.36"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c665f33d38cea657d9614f766881e4d510e0eda4239891eea56b4cadcf01801b"
+dependencies = [
+ "once_cell",
+ "ring",
+ "rustls-pki-types",
+ "rustls-webpki",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "rustls-pki-types"
+version = "1.14.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "be040f8b0a225e40375822a563fa9524378b9d63112f53e19ffff34df5d33fdd"
+dependencies = [
+ "web-time",
+ "zeroize",
+]
+
+[[package]]
+name = "rustls-webpki"
+version = "0.103.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d7df23109aa6c1567d1c575b9952556388da57401e4ace1d15f79eedad0d8f53"
+dependencies = [
+ "ring",
+ "rustls-pki-types",
+ "untrusted",
+]
+
+[[package]]
+name = "rustversion"
+version = "1.0.22"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b39cdef0fa800fc44525c84ccb54a029961a8215f9619753635a9c0d2538d46d"
+
 [[package]]
 name = "ryu"
 version = "1.0.22"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a50f4cf475b65d88e057964e0e9bb1f0aa9bbb2036dc65c64596b42932536984"
 
+[[package]]
+name = "scopeguard"
+version = "1.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
+
 [[package]]
 name = "serde"
 version = "1.0.228"
@@ -292,6 +906,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9a8e94ea7f378bd32cbbd37198a4a91436180c5bb472411e48b5ec2e2124ae9e"
 dependencies = [
  "serde_core",
+ "serde_derive",
 ]
 
 [[package]]
@@ -351,12 +966,55 @@ dependencies = [
 ]
 
 [[package]]
-name = "sf-auth-starter"
+name = "sf-auth-middleware-axum"
 version = "0.1.0"
 dependencies = [
+ "async-trait",
  "axum",
+ "http",
+ "reqwest",
+ "serde",
+ "serde_json",
+ "thiserror",
+ "tokio",
+ "tower",
+ "tower-sessions",
+ "tracing",
+ "tracing-subscriber",
+ "urlencoding",
 ]
 
+[[package]]
+name = "sharded-slab"
+version = "0.1.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f40ca3c46823713e0d4209592e8d6e826aa57e928f09752619fc696c499637f6"
+dependencies = [
+ "lazy_static",
+]
+
+[[package]]
+name = "shlex"
+version = "1.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64"
+
+[[package]]
+name = "signal-hook-registry"
+version = "1.4.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c4db69cba1110affc0e9f7bcd48bbf87b3f4fc7c61fc9155afd4c469eb3d6c1b"
+dependencies = [
+ "errno",
+ "libc",
+]
+
+[[package]]
+name = "slab"
+version = "0.4.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0c790de23124f9ab44544d7ac05d60440adc586479ce501c1d6d7da3cd8c9cf5"
+
 [[package]]
 name = "smallvec"
 version = "1.15.1"
@@ -373,6 +1031,18 @@ dependencies = [
  "windows-sys 0.60.2",
 ]
 
+[[package]]
+name = "stable_deref_trait"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6ce2be8dc25455e1f91df71bfa12ad37d7af1092ae736f3a6cd0e37bc7810596"
+
+[[package]]
+name = "subtle"
+version = "2.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292"
+
 [[package]]
 name = "syn"
 version = "2.0.114"
@@ -389,6 +1059,105 @@ name = "sync_wrapper"
 version = "1.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0bf256ce5efdfa370213c1dabab5935a12e49f2c58d15e9eac2870d3b4f27263"
+dependencies = [
+ "futures-core",
+]
+
+[[package]]
+name = "synstructure"
+version = "0.13.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "728a70f3dbaf5bab7f0c4b1ac8d7ae5ea60a4b5549c8a5914361c99147a709d2"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "thiserror"
+version = "2.0.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4288b5bcbc7920c07a1149a35cf9590a2aa808e0bc1eafaade0b80947865fbc4"
+dependencies = [
+ "thiserror-impl",
+]
+
+[[package]]
+name = "thiserror-impl"
+version = "2.0.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ebc4ee7f67670e9b64d05fa4253e753e016c6c95ff35b89b7941d6b856dec1d5"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "thread_local"
+version = "1.1.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f60246a4944f24f6e018aa17cdeffb7818b76356965d03b07d6a9886e8962185"
+dependencies = [
+ "cfg-if",
+]
+
+[[package]]
+name = "time"
+version = "0.3.46"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9da98b7d9b7dad93488a84b8248efc35352b0b2657397d4167e7ad67e5d535e5"
+dependencies = [
+ "deranged",
+ "itoa",
+ "num-conv",
+ "powerfmt",
+ "serde_core",
+ "time-core",
+ "time-macros",
+]
+
+[[package]]
+name = "time-core"
+version = "0.1.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7694e1cfe791f8d31026952abf09c69ca6f6fa4e1a1229e18988f06a04a12dca"
+
+[[package]]
+name = "time-macros"
+version = "0.2.26"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "78cc610bac2dcee56805c99642447d4c5dbde4d01f752ffea0199aee1f601dc4"
+dependencies = [
+ "num-conv",
+ "time-core",
+]
+
+[[package]]
+name = "tinystr"
+version = "0.8.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "42d3e9c45c09de15d06dd8acf5f4e0e399e85927b7f00711024eb7ae10fa4869"
+dependencies = [
+ "displaydoc",
+ "zerovec",
+]
+
+[[package]]
+name = "tinyvec"
+version = "1.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bfa5fdc3bce6191a1dbc8c02d5c8bffcf557bafa17c124c5264a458f1b0613fa"
+dependencies = [
+ "tinyvec_macros",
+]
+
+[[package]]
+name = "tinyvec_macros"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
 
 [[package]]
 name = "tokio"
@@ -396,9 +1165,12 @@ version = "1.49.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "72a2903cd7736441aac9df9d7688bd0ce48edccaadf181c3b90be801e81d3d86"
 dependencies = [
+ "bytes",
  "libc",
  "mio",
+ "parking_lot",
  "pin-project-lite",
+ "signal-hook-registry",
  "socket2",
  "tokio-macros",
  "windows-sys 0.61.2",
@@ -415,6 +1187,16 @@ dependencies = [
  "syn",
 ]
 
+[[package]]
+name = "tokio-rustls"
+version = "0.26.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1729aa945f29d91ba541258c8df89027d5792d85a8841fb65e8bf0f4ede4ef61"
+dependencies = [
+ "rustls",
+ "tokio",
+]
+
 [[package]]
 name = "tower"
 version = "0.5.3"
@@ -431,6 +1213,40 @@ dependencies = [
  "tracing",
 ]
 
+[[package]]
+name = "tower-cookies"
+version = "0.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "151b5a3e3c45df17466454bb74e9ecedecc955269bdedbf4d150dfa393b55a36"
+dependencies = [
+ "axum-core",
+ "cookie",
+ "futures-util",
+ "http",
+ "parking_lot",
+ "pin-project-lite",
+ "tower-layer",
+ "tower-service",
+]
+
+[[package]]
+name = "tower-http"
+version = "0.6.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d4e6559d53cc268e5031cd8429d05415bc4cb4aefc4aa5d6cc35fbf5b924a1f8"
+dependencies = [
+ "bitflags",
+ "bytes",
+ "futures-util",
+ "http",
+ "http-body",
+ "iri-string",
+ "pin-project-lite",
+ "tower",
+ "tower-layer",
+ "tower-service",
+]
+
 [[package]]
 name = "tower-layer"
 version = "0.3.3"
@@ -443,6 +1259,57 @@ version = "0.3.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8df9b6e13f2d32c91b9bd719c00d1958837bc7dec474d94952798cc8e69eeec3"
 
+[[package]]
+name = "tower-sessions"
+version = "0.15.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "518dca34b74a17cadfcee06e616a09d2bd0c3984eff1769e1e76d58df978fc78"
+dependencies = [
+ "async-trait",
+ "http",
+ "time",
+ "tokio",
+ "tower-cookies",
+ "tower-layer",
+ "tower-service",
+ "tower-sessions-core",
+ "tower-sessions-memory-store",
+ "tracing",
+]
+
+[[package]]
+name = "tower-sessions-core"
+version = "0.15.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "568531ec3dfcf3ffe493de1958ae5662a0284ac5d767476ecdb6a34ff8c6b06c"
+dependencies = [
+ "async-trait",
+ "axum-core",
+ "base64",
+ "futures",
+ "http",
+ "parking_lot",
+ "rand",
+ "serde",
+ "serde_json",
+ "thiserror",
+ "time",
+ "tokio",
+ "tracing",
+]
+
+[[package]]
+name = "tower-sessions-memory-store"
+version = "0.15.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "713fabf882b6560a831e2bbed6204048b35bdd60e50bbb722902c74f8df33460"
+dependencies = [
+ "async-trait",
+ "time",
+ "tokio",
+ "tower-sessions-core",
+]
+
 [[package]]
 name = "tracing"
 version = "0.1.44"
@@ -451,9 +1318,21 @@ checksum = "63e71662fa4b2a2c3a26f570f037eb95bb1f85397f3cd8076caed2f026a6d100"
 dependencies = [
  "log",
  "pin-project-lite",
+ "tracing-attributes",
  "tracing-core",
 ]
 
+[[package]]
+name = "tracing-attributes"
+version = "0.1.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7490cfa5ec963746568740651ac6781f701c9c5ea257c58e057f3ba8cf69e8da"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
 [[package]]
 name = "tracing-core"
 version = "0.1.36"
@@ -461,33 +1340,222 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "db97caf9d906fbde555dd62fa95ddba9eecfd14cb388e4f491a66d74cd5fb79a"
 dependencies = [
  "once_cell",
+ "valuable",
 ]
 
+[[package]]
+name = "tracing-log"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ee855f1f400bd0e5c02d150ae5de3840039a3f54b025156404e34c23c03f47c3"
+dependencies = [
+ "log",
+ "once_cell",
+ "tracing-core",
+]
+
+[[package]]
+name = "tracing-subscriber"
+version = "0.3.22"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2f30143827ddab0d256fd843b7a66d164e9f271cfa0dde49142c5ca0ca291f1e"
+dependencies = [
+ "nu-ansi-term",
+ "sharded-slab",
+ "smallvec",
+ "thread_local",
+ "tracing-core",
+ "tracing-log",
+]
+
+[[package]]
+name = "try-lock"
+version = "0.2.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e421abadd41a4225275504ea4d6566923418b7f05506fbc9c0fe86ba7396114b"
+
 [[package]]
 name = "unicode-ident"
 version = "1.0.22"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9312f7c4f6ff9069b165498234ce8be658059c6728633667c526e27dc2cf1df5"
 
+[[package]]
+name = "untrusted"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1"
+
+[[package]]
+name = "url"
+version = "2.5.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ff67a8a4397373c3ef660812acab3268222035010ab8680ec4215f38ba3d0eed"
+dependencies = [
+ "form_urlencoded",
+ "idna",
+ "percent-encoding",
+ "serde",
+]
+
+[[package]]
+name = "urlencoding"
+version = "2.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "daf8dba3b7eb870caf1ddeed7bc9d2a049f3cfdfae7cb521b087cc33ae4c49da"
+
+[[package]]
+name = "utf8_iter"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be"
+
+[[package]]
+name = "valuable"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ba73ea9cf16a25df0c8caa16c51acb937d5712a8429db78a3ee29d5dcacd3a65"
+
+[[package]]
+name = "version_check"
+version = "0.9.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0b928f33d975fc6ad9f86c8f283853ad26bdd5b10b7f1542aa2fa15e2289105a"
+
+[[package]]
+name = "want"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bfa7760aed19e106de2c7c0b581b509f2f25d3dacaf737cb82ac61bc6d760b0e"
+dependencies = [
+ "try-lock",
+]
+
 [[package]]
 name = "wasi"
 version = "0.11.1+wasi-snapshot-preview1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ccf3ec651a847eb01de73ccad15eb7d99f80485de043efb2f370cd654f4ea44b"
 
+[[package]]
+name = "wasip2"
+version = "1.0.2+wasi-0.2.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9517f9239f02c069db75e65f174b3da828fe5f5b945c4dd26bd25d89c03ebcf5"
+dependencies = [
+ "wit-bindgen",
+]
+
+[[package]]
+name = "wasm-bindgen"
+version = "0.2.108"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "64024a30ec1e37399cf85a7ffefebdb72205ca1c972291c51512360d90bd8566"
+dependencies = [
+ "cfg-if",
+ "once_cell",
+ "rustversion",
+ "wasm-bindgen-macro",
+ "wasm-bindgen-shared",
+]
+
+[[package]]
+name = "wasm-bindgen-futures"
+version = "0.4.58"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "70a6e77fd0ae8029c9ea0063f87c46fde723e7d887703d74ad2616d792e51e6f"
+dependencies = [
+ "cfg-if",
+ "futures-util",
+ "js-sys",
+ "once_cell",
+ "wasm-bindgen",
+ "web-sys",
+]
+
+[[package]]
+name = "wasm-bindgen-macro"
+version = "0.2.108"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "008b239d9c740232e71bd39e8ef6429d27097518b6b30bdf9086833bd5b6d608"
+dependencies = [
+ "quote",
+ "wasm-bindgen-macro-support",
+]
+
+[[package]]
+name = "wasm-bindgen-macro-support"
+version = "0.2.108"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5256bae2d58f54820e6490f9839c49780dff84c65aeab9e772f15d5f0e913a55"
+dependencies = [
+ "bumpalo",
+ "proc-macro2",
+ "quote",
+ "syn",
+ "wasm-bindgen-shared",
+]
+
+[[package]]
+name = "wasm-bindgen-shared"
+version = "0.2.108"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1f01b580c9ac74c8d8f0c0e4afb04eeef2acf145458e52c03845ee9cd23e3d12"
+dependencies = [
+ "unicode-ident",
+]
+
+[[package]]
+name = "web-sys"
+version = "0.3.85"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "312e32e551d92129218ea9a2452120f4aabc03529ef03e4d0d82fb2780608598"
+dependencies = [
+ "js-sys",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "web-time"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5a6580f308b1fad9207618087a65c04e7a10bc77e02c8e84e9b00dd4b12fa0bb"
+dependencies = [
+ "js-sys",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "webpki-roots"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b2878ef029c47c6e8cf779119f20fcf52bde7ad42a731b2a304bc221df17571e"
+dependencies = [
+ "rustls-pki-types",
+]
+
 [[package]]
 name = "windows-link"
 version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5"
 
+[[package]]
+name = "windows-sys"
+version = "0.52.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d"
+dependencies = [
+ "windows-targets 0.52.6",
+]
+
 [[package]]
 name = "windows-sys"
 version = "0.60.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f2f500e4d28234f72040990ec9d39e3a6b950f9f22d3dba18416c35882612bcb"
 dependencies = [
- "windows-targets",
+ "windows-targets 0.53.5",
 ]
 
 [[package]]
@@ -499,6 +1567,22 @@ dependencies = [
  "windows-link",
 ]
 
+[[package]]
+name = "windows-targets"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9b724f72796e036ab90c1021d4780d4d3d648aca59e491e6b98e725b84e99973"
+dependencies = [
+ "windows_aarch64_gnullvm 0.52.6",
+ "windows_aarch64_msvc 0.52.6",
+ "windows_i686_gnu 0.52.6",
+ "windows_i686_gnullvm 0.52.6",
+ "windows_i686_msvc 0.52.6",
+ "windows_x86_64_gnu 0.52.6",
+ "windows_x86_64_gnullvm 0.52.6",
+ "windows_x86_64_msvc 0.52.6",
+]
+
 [[package]]
 name = "windows-targets"
 version = "0.53.5"
@@ -506,64 +1590,227 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4945f9f551b88e0d65f3db0bc25c33b8acea4d9e41163edf90dcd0b19f9069f3"
 dependencies = [
  "windows-link",
- "windows_aarch64_gnullvm",
- "windows_aarch64_msvc",
- "windows_i686_gnu",
- "windows_i686_gnullvm",
- "windows_i686_msvc",
- "windows_x86_64_gnu",
- "windows_x86_64_gnullvm",
- "windows_x86_64_msvc",
+ "windows_aarch64_gnullvm 0.53.1",
+ "windows_aarch64_msvc 0.53.1",
+ "windows_i686_gnu 0.53.1",
+ "windows_i686_gnullvm 0.53.1",
+ "windows_i686_msvc 0.53.1",
+ "windows_x86_64_gnu 0.53.1",
+ "windows_x86_64_gnullvm 0.53.1",
+ "windows_x86_64_msvc 0.53.1",
 ]
 
+[[package]]
+name = "windows_aarch64_gnullvm"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3"
+
 [[package]]
 name = "windows_aarch64_gnullvm"
 version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a9d8416fa8b42f5c947f8482c43e7d89e73a173cead56d044f6a56104a6d1b53"
 
+[[package]]
+name = "windows_aarch64_msvc"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469"
+
 [[package]]
 name = "windows_aarch64_msvc"
 version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b9d782e804c2f632e395708e99a94275910eb9100b2114651e04744e9b125006"
 
+[[package]]
+name = "windows_i686_gnu"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8e9b5ad5ab802e97eb8e295ac6720e509ee4c243f69d781394014ebfe8bbfa0b"
+
 [[package]]
 name = "windows_i686_gnu"
 version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "960e6da069d81e09becb0ca57a65220ddff016ff2d6af6a223cf372a506593a3"
 
+[[package]]
+name = "windows_i686_gnullvm"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66"
+
 [[package]]
 name = "windows_i686_gnullvm"
 version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fa7359d10048f68ab8b09fa71c3daccfb0e9b559aed648a8f95469c27057180c"
 
+[[package]]
+name = "windows_i686_msvc"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66"
+
 [[package]]
 name = "windows_i686_msvc"
 version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1e7ac75179f18232fe9c285163565a57ef8d3c89254a30685b57d83a38d326c2"
 
+[[package]]
+name = "windows_x86_64_gnu"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78"
+
 [[package]]
 name = "windows_x86_64_gnu"
 version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9c3842cdd74a865a8066ab39c8a7a473c0778a3f29370b5fd6b4b9aa7df4a499"
 
+[[package]]
+name = "windows_x86_64_gnullvm"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d"
+
 [[package]]
 name = "windows_x86_64_gnullvm"
 version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0ffa179e2d07eee8ad8f57493436566c7cc30ac536a3379fdf008f47f6bb7ae1"
 
+[[package]]
+name = "windows_x86_64_msvc"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec"
+
 [[package]]
 name = "windows_x86_64_msvc"
 version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d6bbff5f0aada427a1e5a6da5f1f98158182f26556f345ac9e04d36d0ebed650"
 
+[[package]]
+name = "wit-bindgen"
+version = "0.51.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d7249219f66ced02969388cf2bb044a09756a083d0fab1e566056b04d9fbcaa5"
+
+[[package]]
+name = "writeable"
+version = "0.6.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9edde0db4769d2dc68579893f2306b26c6ecfbe0ef499b013d731b7b9247e0b9"
+
+[[package]]
+name = "yoke"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "72d6e5c6afb84d73944e5cedb052c4680d5657337201555f9f2a16b7406d4954"
+dependencies = [
+ "stable_deref_trait",
+ "yoke-derive",
+ "zerofrom",
+]
+
+[[package]]
+name = "yoke-derive"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b659052874eb698efe5b9e8cf382204678a0086ebf46982b79d6ca3182927e5d"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+ "synstructure",
+]
+
+[[package]]
+name = "zerocopy"
+version = "0.8.37"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7456cf00f0685ad319c5b1693f291a650eaf345e941d082fc4e03df8a03996ac"
+dependencies = [
+ "zerocopy-derive",
+]
+
+[[package]]
+name = "zerocopy-derive"
+version = "0.8.37"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1328722bbf2115db7e19d69ebcc15e795719e2d66b60827c6a69a117365e37a0"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "zerofrom"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "50cc42e0333e05660c3587f3bf9d0478688e15d870fab3346451ce7f8c9fbea5"
+dependencies = [
+ "zerofrom-derive",
+]
+
+[[package]]
+name = "zerofrom-derive"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d71e5d6e06ab090c67b5e44993ec16b72dcbaabc526db883a360057678b48502"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+ "synstructure",
+]
+
+[[package]]
+name = "zeroize"
+version = "1.8.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b97154e67e32c85465826e8bcc1c59429aaaf107c1e4a9e53c8d8ccd5eff88d0"
+
+[[package]]
+name = "zerotrie"
+version = "0.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2a59c17a5562d507e4b54960e8569ebee33bee890c70aa3fe7b97e85a9fd7851"
+dependencies = [
+ "displaydoc",
+ "yoke",
+ "zerofrom",
+]
+
+[[package]]
+name = "zerovec"
+version = "0.11.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6c28719294829477f525be0186d13efa9a3c602f7ec202ca9e353d310fb9a002"
+dependencies = [
+ "yoke",
+ "zerofrom",
+ "zerovec-derive",
+]
+
+[[package]]
+name = "zerovec-derive"
+version = "0.11.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "eadce39539ca5cb3985590102671f2567e659fca9666581ad3411d59207951f3"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
 [[package]]
 name = "zmij"
 version = "1.0.19"
diff --git a/sf-auth-middleware-axum/Cargo.toml b/sf-auth-middleware-axum/Cargo.toml
index b5226e1..d47202e 100644
--- a/sf-auth-middleware-axum/Cargo.toml
+++ b/sf-auth-middleware-axum/Cargo.toml
@@ -5,3 +5,17 @@ edition = "2024"
 
 [dependencies]
 axum = "0.8.8"
+tower = "0.5"
+tower-sessions = "0.15"
+http = "1.0"
+reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls"] }
+serde = { version = "1.0", features = ["derive"] }
+serde_json = "1.0"
+thiserror = "2.0"
+tokio = { version = "1.0", features = ["full"] }
+tracing = "0.1"
+urlencoding = "2.1"
+async-trait = "0.1"
+
+[dev-dependencies]
+tracing-subscriber = "0.3"
diff --git a/sf-auth-middleware-axum/README.md b/sf-auth-middleware-axum/README.md
new file mode 100644
index 0000000..a0fb6cb
--- /dev/null
+++ b/sf-auth-middleware-axum/README.md
@@ -0,0 +1,255 @@
+# SF Auth Middleware for Axum
+
+Authentication middleware for Axum applications using the SnazzyFellas authentication service with tower_sessions for session management.
+
+## Features
+
+- **Middleware**: Automatically redirect unauthenticated users to the SF auth endpoint
+- **Extractor**: Type-safe access to authenticated user information via the `SfUser` extractor
+- **Callback Handler**: Ready-to-use route handler for authentication callbacks
+- **Session Integration**: Seamless integration with tower-sessions
+- **Fail-Closed Security**: Validation failures result in denied access, not automatic approval
+
+## Installation
+
+Add this to your `Cargo.toml`:
+
+```toml
+[dependencies]
+sf-auth-middleware-axum = "0.1"
+axum = "0.8"
+tower-sessions = "0.15"
+tokio = { version = "1", features = ["full"] }
+```
+
+## Quick Start
+
+```rust
+use axum::{routing::get, Router, middleware};
+use sf_auth_middleware_axum::{SfAuthConfig, sf_auth_middleware, auth_callback, SfUser};
+use tower_sessions::{MemoryStore, SessionManagerLayer};
+
+#[tokio::main]
+async fn main() {
+    // Configure the authentication middleware
+    let config = SfAuthConfig::new("https://myapp.com/dashboard");
+    
+    // Set up session store
+    let session_store = MemoryStore::default();
+    let session_layer = SessionManagerLayer::new(session_store);
+
+    // Build your application
+    let app = Router::new()
+        // Public callback route (no auth required)
+        .route("/auth/callback", get(auth_callback))
+        // Protected routes
+        .route("/dashboard", get(dashboard))
+        .layer(middleware::from_fn(move |session, req, next| {
+            sf_auth_middleware(config.clone(), session, req, next)
+        }))
+        // Add session layer
+        .layer(session_layer);
+
+    // Run the server
+    let listener = tokio::net::TcpListener::bind("0.0.0.0:3000").await.unwrap();
+    axum::serve(listener, app).await.unwrap();
+}
+
+async fn dashboard(user: SfUser) -> String {
+    format!("Hello, {}! Your ID: {}", user.username(), user.user_id())
+}
+```
+
+## How It Works
+
+1. **Protection**: Apply the middleware to routes that require authentication
+2. **Session Check**: The middleware checks for `sf_username` and `sf_user_id` in the session
+3. **Redirect**: If not authenticated, redirects to the SF authentication endpoint:
+   ```
+   https://snazzyfellas.com/api/redirect/authenticate?redirect_uri={your_configured_uri}
+   ```
+4. **Callback**: The SF server redirects back to `/auth/callback` with credentials (`user_id`, `username`, `key`)
+5. **Validation**: The callback handler validates credentials with the SF server:
+   ```
+   POST https://snazzyfellas.com/api/redirect/validate
+   Body: { "user_id": "...", "key": "..." }
+   Response: { "valid": true, "user_id": "..." }
+   ```
+6. **Session Setup**: On successful validation, sets `sf_username` and `sf_user_id` in the session
+7. **Access Granted**: Use the `SfUser` extractor in handlers to access authenticated user data
+
+## Architecture
+
+### Configuration (`SfAuthConfig`)
+
+Configure the redirect URI where users should land after authentication:
+
+```rust
+let config = SfAuthConfig::new("https://myapp.com/dashboard");
+```
+
+### Middleware (`sf_auth_middleware`)
+
+The middleware function checks authentication and redirects unauthenticated users:
+
+```rust
+use axum::middleware;
+
+.layer(middleware::from_fn(move |session, req, next| {
+    sf_auth_middleware(config.clone(), session, req, next)
+}))
+```
+
+### Callback Route (`auth_callback`)
+
+Mount this handler at `/auth/callback` to receive authentication callbacks:
+
+```rust
+.route("/auth/callback", get(auth_callback))
+```
+
+This route:
+- Receives `user_id`, `username`, and `key` as query parameters
+- Validates credentials with the SF server
+- Sets session values on successful validation
+- Returns error on validation failure (fail-closed)
+
+### Extractor (`SfUser`)
+
+Use the `SfUser` extractor in your handlers to access authenticated user data:
+
+```rust
+async fn protected_handler(user: SfUser) -> String {
+    format!("Username: {}, ID: {}", user.username(), user.user_id())
+}
+```
+
+The extractor provides:
+- `user.username()` - The authenticated user's username
+- `user.user_id()` - The authenticated user's ID
+
+If the session doesn't contain valid credentials, the extractor returns a `401 Unauthorized` error.
+
+## Session Keys
+
+The middleware uses fixed session keys for consistency:
+- `sf_username` - Stores the authenticated user's username
+- `sf_user_id` - Stores the authenticated user's ID
+
+## Error Handling
+
+The library uses a fail-closed security model:
+
+- **Network Errors**: If validation API calls fail, authentication is denied
+- **Invalid Response**: Malformed responses from the validation endpoint result in denied access
+- **Validation Failure**: If the SF server returns `valid: false`, session is not set
+- **User ID Mismatch**: If the returned user_id doesn't match the request, authentication is denied
+
+All errors implement Axum's `IntoResponse` trait for automatic HTTP error responses.
+
+## Session Store
+
+This library works with any tower-sessions store. Common options:
+
+### Memory Store (Development)
+```rust
+use tower_sessions::MemoryStore;
+let session_store = MemoryStore::default();
+```
+
+### Redis Store (Production)
+```rust
+use tower_sessions_redis_store::RedisStore;
+let pool = deadpool_redis::Pool::new(...);
+let session_store = RedisStore::new(pool);
+```
+
+### PostgreSQL Store (Production)
+```rust
+use tower_sessions_sqlx_store::PostgresStore;
+let pool = sqlx::PgPool::connect("...").await?;
+let session_store = PostgresStore::new(pool);
+```
+
+## Examples
+
+Run the included example:
+
+```bash
+cargo run --example basic
+```
+
+Then visit:
+- `http://localhost:3000/` - Public home page
+- `http://localhost:3000/dashboard` - Protected page (will redirect to SF auth)
+
+## API Reference
+
+### `SfAuthConfig`
+
+```rust
+pub struct SfAuthConfig { /* ... */ }
+
+impl SfAuthConfig {
+    pub fn new(redirect_uri: impl Into<String>) -> Self
+    pub fn redirect_uri(&self) -> &str
+}
+```
+
+### `SfUser`
+
+```rust
+pub struct SfUser { /* ... */ }
+
+impl SfUser {
+    pub fn username(&self) -> &str
+    pub fn user_id(&self) -> &str
+}
+```
+
+### `sf_auth_middleware`
+
+```rust
+pub async fn sf_auth_middleware(
+    config: SfAuthConfig,
+    session: Session,
+    req: Request,
+    next: Next,
+) -> Response
+```
+
+### `auth_callback`
+
+```rust
+pub async fn auth_callback(
+    session: Session,
+    Query(params): Query<CallbackQuery>,
+) -> Result<Response, SfAuthError>
+```
+
+## Security Considerations
+
+1. **HTTPS Required**: Always use HTTPS in production for session security
+2. **Secure Sessions**: Configure session cookies with `secure` and `httponly` flags
+3. **Session Expiry**: Set appropriate session expiration times
+4. **Fail-Closed**: The middleware denies access on any validation errors
+
+Example secure session configuration:
+
+```rust
+use tower_sessions::Expiry;
+use time::Duration;
+
+let session_layer = SessionManagerLayer::new(session_store)
+    .with_secure(true)
+    .with_http_only(true)
+    .with_expiry(Expiry::OnInactivity(Duration::hours(2)));
+```
+
+## License
+
+This project is licensed under the MIT License.
+
+## Contributing
+
+Contributions are welcome! Please feel free to submit a Pull Request.
diff --git a/sf-auth-middleware-axum/examples/basic.rs b/sf-auth-middleware-axum/examples/basic.rs
new file mode 100644
index 0000000..a146996
--- /dev/null
+++ b/sf-auth-middleware-axum/examples/basic.rs
@@ -0,0 +1,144 @@
+use axum::{middleware, response::Html, routing::get, Router};
+use sf_auth_middleware_axum::{auth_callback, sf_auth_middleware, SfAuthConfig, SfUser};
+use tower_sessions::{MemoryStore, SessionManagerLayer};
+
+#[tokio::main]
+async fn main() {
+    // Set up tracing for debugging
+    tracing_subscriber::fmt::init();
+
+    // Configure the SF authentication middleware
+    // The redirect_uri should point to where users should land after authentication
+    let config = SfAuthConfig::new("http://localhost:3000/dashboard");
+
+    // Set up session store using in-memory storage
+    // In production, you'd want to use a persistent store like Redis or PostgreSQL
+    let session_store = MemoryStore::default();
+    let session_layer = SessionManagerLayer::new(session_store);
+
+    // Build the application router
+    let app = Router::new()
+        // Public route - no authentication required
+        .route("/", get(home))
+        // Authentication callback route - must be publicly accessible
+        // This is where the SF auth server redirects users after authentication
+        .route("/auth/callback", get(auth_callback))
+        // Protected routes - require authentication
+        .route("/dashboard", get(dashboard))
+        .route("/profile", get(profile))
+        // Apply authentication middleware to protected routes
+        .layer(middleware::from_fn(move |session, req, next| {
+            sf_auth_middleware(config.clone(), session, req, next)
+        }))
+        // Apply session layer (must be after the routes)
+        .layer(session_layer);
+
+    // Start the server
+    let listener = tokio::net::TcpListener::bind("0.0.0.0:3000")
+        .await
+        .unwrap();
+
+    println!("Server running on http://localhost:3000");
+    println!("Try accessing:");
+    println!("  - http://localhost:3000/ (public)");
+    println!("  - http://localhost:3000/dashboard (protected, will redirect to SF auth)");
+    println!("  - http://localhost:3000/profile (protected, will redirect to SF auth)");
+
+    axum::serve(listener, app).await.unwrap();
+}
+
+/// Public home page
+async fn home() -> Html<&'static str> {
+    Html(
+        r#"
+        <!DOCTYPE html>
+        <html>
+        <head>
+            <title>SF Auth Example</title>
+            <style>
+                body { font-family: Arial, sans-serif; max-width: 800px; margin: 50px auto; padding: 20px; }
+                a { color: #0066cc; text-decoration: none; }
+                a:hover { text-decoration: underline; }
+                .button { 
+                    display: inline-block; 
+                    padding: 10px 20px; 
+                    background: #0066cc; 
+                    color: white; 
+                    border-radius: 4px; 
+                    margin: 10px 5px;
+                }
+                .button:hover { background: #0052a3; text-decoration: none; }
+            </style>
+        </head>
+        <body>
+            <h1>Welcome to SF Auth Example</h1>
+            <p>This is a public page that anyone can access.</p>
+            <p>Try accessing protected pages:</p>
+            <a href="/dashboard" class="button">Go to Dashboard (Protected)</a>
+            <a href="/profile" class="button">Go to Profile (Protected)</a>
+            <p>When you try to access a protected page, you'll be redirected to the SnazzyFellas authentication server.</p>
+        </body>
+        </html>
+        "#,
+    )
+}
+
+/// Protected dashboard page
+async fn dashboard(user: SfUser) -> Html<String> {
+    Html(format!(
+        r#"
+        <!DOCTYPE html>
+        <html>
+        <head>
+            <title>Dashboard</title>
+            <style>
+                body {{ font-family: Arial, sans-serif; max-width: 800px; margin: 50px auto; padding: 20px; }}
+                .user-info {{ background: #f0f0f0; padding: 15px; border-radius: 4px; margin: 20px 0; }}
+                a {{ color: #0066cc; }}
+            </style>
+        </head>
+        <body>
+            <h1>Dashboard</h1>
+            <div class="user-info">
+                <h2>Authenticated User</h2>
+                <p><strong>Username:</strong> {}</p>
+                <p><strong>User ID:</strong> {}</p>
+            </div>
+            <p><a href="/">Back to Home</a> | <a href="/profile">View Profile</a></p>
+        </body>
+        </html>
+        "#,
+        user.username(),
+        user.user_id()
+    ))
+}
+
+/// Protected profile page
+async fn profile(user: SfUser) -> Html<String> {
+    Html(format!(
+        r#"
+        <!DOCTYPE html>
+        <html>
+        <head>
+            <title>Profile</title>
+            <style>
+                body {{ font-family: Arial, sans-serif; max-width: 800px; margin: 50px auto; padding: 20px; }}
+                .profile {{ background: #e8f4f8; padding: 20px; border-radius: 4px; margin: 20px 0; }}
+                a {{ color: #0066cc; }}
+            </style>
+        </head>
+        <body>
+            <h1>User Profile</h1>
+            <div class="profile">
+                <h2>{}</h2>
+                <p><strong>ID:</strong> {}</p>
+                <p>This is your protected profile page.</p>
+            </div>
+            <p><a href="/">Back to Home</a> | <a href="/dashboard">View Dashboard</a></p>
+        </body>
+        </html>
+        "#,
+        user.username(),
+        user.user_id()
+    ))
+}
diff --git a/sf-auth-middleware-axum/src/callback.rs b/sf-auth-middleware-axum/src/callback.rs
new file mode 100644
index 0000000..b3dcbba
--- /dev/null
+++ b/sf-auth-middleware-axum/src/callback.rs
@@ -0,0 +1,66 @@
+use axum::{
+    extract::Query,
+    response::{IntoResponse, Response},
+};
+use serde::Deserialize;
+use tower_sessions::Session;
+
+use crate::{client::validate_user, error::SfAuthError};
+
+/// Query parameters received by the callback route
+#[derive(Debug, Deserialize)]
+pub struct CallbackQuery {
+    user_id: String,
+    username: String,
+    key: String,
+}
+
+/// Handler for the authentication callback route.
+///
+/// This route should be mounted at `/auth/callback` in your application.
+/// It receives `user_id`, `username`, and `key` as query parameters,
+/// validates the credentials with the SF authentication server, and
+/// sets the session if validation succeeds.
+///
+/// # Example
+///
+/// ```ignore
+/// use axum::{routing::get, Router};
+/// use sf_auth_middleware_axum::auth_callback;
+///
+/// let app = Router::new()
+///     .route("/auth/callback", get(auth_callback));
+/// ```
+///
+/// # Query Parameters
+///
+/// - `user_id`: The user's ID
+/// - `username`: The user's username
+/// - `key`: The authentication key to validate
+///
+/// # Returns
+///
+/// Returns a 200 OK response with a success message if validation succeeds,
+/// or an error response if validation fails.
+pub async fn auth_callback(
+    session: Session,
+    Query(params): Query<CallbackQuery>,
+) -> Result<Response, SfAuthError> {
+    // Validate the credentials with the SF server
+    let validated_user_id = validate_user(params.user_id.clone(), params.key).await?;
+
+    // Set session values only if validation succeeded
+    session
+        .insert("sf_username", params.username.clone())
+        .await
+        .map_err(|e| SfAuthError::Session(e.to_string()))?;
+
+    session
+        .insert("sf_user_id", validated_user_id)
+        .await
+        .map_err(|e| SfAuthError::Session(e.to_string()))?;
+
+    // Return success response
+    // Note: The SF auth server handles the redirect, so we just confirm success
+    Ok("Authentication successful".into_response())
+}
diff --git a/sf-auth-middleware-axum/src/client.rs b/sf-auth-middleware-axum/src/client.rs
new file mode 100644
index 0000000..3eb2360
--- /dev/null
+++ b/sf-auth-middleware-axum/src/client.rs
@@ -0,0 +1,64 @@
+use serde::{Deserialize, Serialize};
+
+use crate::error::SfAuthError;
+
+const VALIDATION_URL: &str = "https://snazzyfellas.com/api/redirect/validate";
+
+/// Request payload for validation API
+#[derive(Debug, Serialize)]
+struct ValidationRequest {
+    user_id: String,
+    key: String,
+}
+
+/// Response from validation API
+#[derive(Debug, Deserialize)]
+struct ValidationResponse {
+    valid: bool,
+    user_id: String,
+}
+
+/// Validates user credentials with the SF authentication server.
+///
+/// Makes a POST request to the validation endpoint with the user_id and key.
+/// Returns `Ok(user_id)` if validation succeeds, or an error otherwise.
+///
+/// # Arguments
+///
+/// * `user_id` - The user ID to validate
+/// * `key` - The authentication key to validate
+///
+/// # Errors
+///
+/// Returns an error if:
+/// - The HTTP request fails
+/// - The validation response indicates invalid credentials
+/// - The returned user_id doesn't match the requested user_id
+pub(crate) async fn validate_user(user_id: String, key: String) -> Result<String, SfAuthError> {
+    let client = reqwest::Client::new();
+
+    let request_payload = ValidationRequest {
+        user_id: user_id.clone(),
+        key,
+    };
+
+    let response = client
+        .post(VALIDATION_URL)
+        .json(&request_payload)
+        .send()
+        .await?;
+
+    let validation_response: ValidationResponse = response.json().await?;
+
+    // Check if validation succeeded
+    if !validation_response.valid {
+        return Err(SfAuthError::ValidationFailed);
+    }
+
+    // Verify that the returned user_id matches what we sent
+    if validation_response.user_id != user_id {
+        return Err(SfAuthError::UserIdMismatch);
+    }
+
+    Ok(validation_response.user_id)
+}
diff --git a/sf-auth-middleware-axum/src/config.rs b/sf-auth-middleware-axum/src/config.rs
new file mode 100644
index 0000000..f064479
--- /dev/null
+++ b/sf-auth-middleware-axum/src/config.rs
@@ -0,0 +1,41 @@
+/// Configuration for SF authentication middleware
+#[derive(Debug, Clone)]
+pub struct SfAuthConfig {
+    /// The redirect URI to pass to the authentication endpoint.
+    /// This is where users will be redirected after successful authentication.
+    redirect_uri: String,
+}
+
+impl SfAuthConfig {
+    /// Creates a new `SfAuthConfig` with the specified redirect URI.
+    ///
+    /// # Arguments
+    ///
+    /// * `redirect_uri` - The URI where users should be redirected after authentication
+    ///
+    /// # Example
+    ///
+    /// ```ignore
+    /// use sf_auth_middleware_axum::SfAuthConfig;
+    ///
+    /// let config = SfAuthConfig::new("https://myapp.com/dashboard");
+    /// ```
+    pub fn new(redirect_uri: impl Into<String>) -> Self {
+        Self {
+            redirect_uri: redirect_uri.into(),
+        }
+    }
+
+    /// Returns the configured redirect URI
+    pub fn redirect_uri(&self) -> &str {
+        &self.redirect_uri
+    }
+
+    /// Builds the full authentication URL with the redirect_uri query parameter
+    pub(crate) fn auth_url(&self) -> String {
+        format!(
+            "https://snazzyfellas.com/api/redirect/authenticate?redirect_uri={}",
+            urlencoding::encode(&self.redirect_uri)
+        )
+    }
+}
diff --git a/sf-auth-middleware-axum/src/error.rs b/sf-auth-middleware-axum/src/error.rs
new file mode 100644
index 0000000..ac3fb29
--- /dev/null
+++ b/sf-auth-middleware-axum/src/error.rs
@@ -0,0 +1,43 @@
+use axum::{
+    http::StatusCode,
+    response::{IntoResponse, Response},
+};
+use thiserror::Error;
+
+#[derive(Debug, Error)]
+pub enum SfAuthError {
+    #[error("Session error: {0}")]
+    Session(String),
+
+    #[error("Validation API request failed: {0}")]
+    ValidationRequest(#[from] reqwest::Error),
+
+    #[error("Validation failed: user not valid")]
+    ValidationFailed,
+
+    #[error("User ID mismatch in validation response")]
+    UserIdMismatch,
+
+    #[error("Missing required query parameter: {0}")]
+    MissingQueryParam(String),
+
+    #[error("Unauthorized: user not authenticated")]
+    Unauthorized,
+}
+
+impl IntoResponse for SfAuthError {
+    fn into_response(self) -> Response {
+        let status = match self {
+            SfAuthError::Unauthorized => StatusCode::UNAUTHORIZED,
+            SfAuthError::MissingQueryParam(_) => StatusCode::BAD_REQUEST,
+            SfAuthError::ValidationFailed | SfAuthError::UserIdMismatch => {
+                StatusCode::FORBIDDEN
+            }
+            _ => StatusCode::INTERNAL_SERVER_ERROR,
+        };
+
+        let body = self.to_string();
+
+        (status, body).into_response()
+    }
+}
diff --git a/sf-auth-middleware-axum/src/extractor.rs b/sf-auth-middleware-axum/src/extractor.rs
new file mode 100644
index 0000000..e754f81
--- /dev/null
+++ b/sf-auth-middleware-axum/src/extractor.rs
@@ -0,0 +1,79 @@
+use axum::{
+    extract::FromRequestParts,
+    http::request::Parts,
+};
+use tower_sessions::Session;
+
+use crate::error::SfAuthError;
+
+/// Authenticated user information extracted from the session.
+///
+/// This extractor can be used in route handlers to access the authenticated user's
+/// username and user ID. If the user is not authenticated (session keys are missing),
+/// the extraction will fail with an `Unauthorized` error.
+///
+/// # Example
+///
+/// ```ignore
+/// use axum::{routing::get, Router};
+/// use sf_auth_middleware_axum::SfUser;
+///
+/// async fn protected_handler(user: SfUser) -> String {
+///     format!("Hello, {}! Your ID: {}", user.username(), user.user_id())
+/// }
+///
+/// let app = Router::new().route("/protected", get(protected_handler));
+/// ```
+#[derive(Debug, Clone)]
+pub struct SfUser {
+    username: String,
+    user_id: String,
+}
+
+impl SfUser {
+    /// Creates a new `SfUser` instance.
+    pub(crate) fn new(username: String, user_id: String) -> Self {
+        Self { username, user_id }
+    }
+
+    /// Returns the authenticated user's username.
+    pub fn username(&self) -> &str {
+        &self.username
+    }
+
+    /// Returns the authenticated user's ID.
+    pub fn user_id(&self) -> &str {
+        &self.user_id
+    }
+}
+
+impl<S> FromRequestParts<S> for SfUser
+where
+    S: Send + Sync,
+{
+    type Rejection = SfAuthError;
+
+    fn from_request_parts(
+        parts: &mut Parts,
+        state: &S,
+    ) -> impl std::future::Future<Output = Result<Self, Self::Rejection>> + Send {
+        async move {
+            // Extract the session from the request
+            let session = Session::from_request_parts(parts, state)
+                .await
+                .map_err(|_| SfAuthError::Session("Failed to extract session".to_string()))?;
+
+            // Get username from session
+            let username: Option<String> = session.get("sf_username").await.unwrap_or(None);
+
+            // Get user_id from session
+            let user_id: Option<String> = session.get("sf_user_id").await.unwrap_or(None);
+
+            // Both must be present for a valid authenticated user
+            match (username, user_id) {
+                (Some(username), Some(user_id)) => Ok(SfUser::new(username, user_id)),
+                _ => Err(SfAuthError::Unauthorized),
+            }
+        }
+    }
+}
diff --git a/sf-auth-middleware-axum/src/lib.rs b/sf-auth-middleware-axum/src/lib.rs
index d1a4365..155bc12 100644
--- a/sf-auth-middleware-axum/src/lib.rs
+++ b/sf-auth-middleware-axum/src/lib.rs
@@ -1,7 +1,73 @@
-async fn auth_middleware(
-    session: Session,
-    req: Request<Body>,
-    next: Next
-) -> Result<Response, StatusCode> {
-    let user_id = Option<String> = session.get("user_id").await.unwrap_or(None);
-}
+//! # SF Auth Middleware for Axum
+//!
+//! This library provides authentication middleware for Axum applications using
+//! the SnazzyFellas authentication service with tower_session for session management.
+//!
+//! ## Features
+//!
+//! - **Middleware**: Automatically redirect unauthenticated users to the SF auth endpoint
+//! - **Extractor**: Type-safe access to authenticated user information
+//! - **Callback Handler**: Ready-to-use route for handling authentication callbacks
+//! - **Session Integration**: Seamless integration with tower_session
+//!
+//! ## Quick Start
+//!
+//! ```no_run
+//! use axum::{routing::get, Router, middleware};
+//! use sf_auth_middleware_axum::{SfAuthConfig, sf_auth_middleware, auth_callback, SfUser};
+//! use tower_session::{SessionManagerLayer, MemoryStore};
+//!
+//! #[tokio::main]
+//! async fn main() {
+//!     // Configure the authentication middleware
+//!     let config = SfAuthConfig::new("https://myapp.com/dashboard");
+//!     
+//!     // Set up session store
+//!     let session_store = MemoryStore::default();
+//!     let session_layer = SessionManagerLayer::new(session_store);
+//!
+//!     // Build your application
+//!     let app = Router::new()
+//!         // Public callback route (no auth required)
+//!         .route("/auth/callback", get(auth_callback))
+//!         // Protected routes
+//!         .route("/protected", get(protected_handler))
+//!         .layer(middleware::from_fn(move |session, req, next| {
+//!             sf_auth_middleware(config.clone(), session, req, next)
+//!         }))
+//!         // Add session layer
+//!         .layer(session_layer);
+//!
+//!     // Run the server
+//!     let listener = tokio::net::TcpListener::bind("0.0.0.0:3000").await.unwrap();
+//!     axum::serve(listener, app).await.unwrap();
+//! }
+//!
+//! async fn protected_handler(user: SfUser) -> String {
+//!     format!("Hello, {}! Your ID: {}", user.username(), user.user_id())
+//! }
+//! ```
+//!
+//! ## How It Works
+//!
+//! 1. **Protection**: Apply the middleware to routes that require authentication
+//! 2. **Check**: The middleware checks for `sf_username` and `sf_user_id` in the session
+//! 3. **Redirect**: If not authenticated, redirects to `https://snazzyfellas.com/api/redirect/authenticate?redirect_uri={your_uri}`
+//! 4. **Callback**: The SF server redirects back to `/auth/callback` with credentials
+//! 5. **Validation**: The callback handler validates credentials with the SF server
+//! 6. **Session**: On success, sets `sf_username` and `sf_user_id` in the session
+//! 7. **Access**: Use the `SfUser` extractor in handlers to access authenticated user data
+
+mod callback;
+mod client;
+mod config;
+mod error;
+mod extractor;
+mod middleware;
+
+// Public exports
+pub use callback::auth_callback;
+pub use config::SfAuthConfig;
+pub use error::SfAuthError;
+pub use extractor::SfUser;
+pub use middleware::sf_auth_middleware;
diff --git a/sf-auth-middleware-axum/src/middleware.rs b/sf-auth-middleware-axum/src/middleware.rs
new file mode 100644
index 0000000..cc25e75
--- /dev/null
+++ b/sf-auth-middleware-axum/src/middleware.rs
@@ -0,0 +1,47 @@
+use axum::{
+    extract::Request,
+    middleware::Next,
+    response::{IntoResponse, Redirect, Response},
+};
+use tower_sessions::Session;
+
+use crate::config::SfAuthConfig;
+
+/// Middleware function that enforces SF authentication.
+///
+/// This middleware checks if the user has valid session credentials (`sf_username` and `sf_user_id`).
+/// If not authenticated, it redirects to the SF authentication endpoint.
+///
+/// # Example
+///
+/// ```ignore
+/// use axum::{routing::get, Router, middleware};
+/// use sf_auth_middleware_axum::{SfAuthConfig, sf_auth_middleware};
+///
+/// let config = SfAuthConfig::new("https://myapp.com/dashboard");
+///
+/// let app = Router::new()
+///     .route("/protected", get(|| async { "Protected!" }))
+///     .layer(middleware::from_fn(move |session, req, next| {
+///         sf_auth_middleware(config.clone(), session, req, next)
+///     }));
+/// ```
+pub async fn sf_auth_middleware(
+    config: SfAuthConfig,
+    session: Session,
+    req: Request,
+    next: Next,
+) -> Response {
+    // Try to get username and user_id from session
+    let username: Option<String> = session.get("sf_username").await.unwrap_or(None);
+    let user_id: Option<String> = session.get("sf_user_id").await.unwrap_or(None);
+
+    // Check if both are present
+    if username.is_some() && user_id.is_some() {
+        // User is authenticated, proceed with the request
+        next.run(req).await
+    } else {
+        // User is not authenticated, redirect to auth endpoint
+        Redirect::to(&config.auth_url()).into_response()
+    }
+}