Skip to main content

SecurityError

fraiseql_core::security::errors

Enum SecurityError 

Source 
pub enum SecurityError {

Show 21 variants    RateLimitExceeded {
        retry_after: u64,
        limit: usize,
        window_secs: u64,
    },
    QueryTooDeep {
        depth: usize,
        max_depth: usize,
    },
    QueryTooComplex {
        complexity: usize,
        max_complexity: usize,
    },
    QueryTooLarge {
        size: usize,
        max_size: usize,
    },
    OriginNotAllowed(String),
    MethodNotAllowed(String),
    HeaderNotAllowed(String),
    InvalidCSRFToken(String),
    CSRFSessionMismatch,
    AuditLogFailure(String),
    SecurityConfigError(String),
    TlsRequired {
        detail: String,
    },
    TlsVersionTooOld {
        current: TlsVersion,
        required: TlsVersion,
    },
    MtlsRequired {
        detail: String,
    },
    InvalidClientCert {
        detail: String,
    },
    AuthRequired,
    InvalidToken,
    TokenExpired {
        expired_at: DateTime<Utc>,
    },
    TokenMissingClaim {
        claim: String,
    },
    InvalidTokenAlgorithm {
        algorithm: String,
    },
    IntrospectionDisabled {
        detail: String,
    },

}
Expand description

Main security error type for all security operations.

Covers rate limiting, query validation, CORS, CSRF, audit logging, and security configuration errors.

Variants§

§

RateLimitExceeded

Rate limiting exceeded - client has made too many requests.

Contains:

  • retry_after: Seconds to wait before retrying
  • limit: Maximum allowed requests
  • window_secs: Time window in seconds

Fields

§retry_after: u64

Seconds to wait before retrying

§limit: usize

Maximum allowed requests

§window_secs: u64

Time window in seconds

§

QueryTooDeep

Query validation: depth exceeds maximum allowed.

GraphQL queries can nest arbitrarily deep, which can cause excessive database queries or resource consumption.

Fields

§depth: usize

Actual query depth

§max_depth: usize

Maximum allowed depth

§

QueryTooComplex

Query validation: complexity exceeds configured limit.

Complexity is calculated as a weighted sum of field costs, accounting for pagination and nested selections.

Fields

§complexity: usize

Actual query complexity score

§max_complexity: usize

Maximum allowed complexity

§

QueryTooLarge

Query validation: size exceeds maximum allowed bytes.

Very large queries can consume memory or cause DoS.

Fields

§size: usize

Actual query size in bytes

§max_size: usize

Maximum allowed size in bytes

§

OriginNotAllowed(String)

CORS origin not in allowed list.

§

MethodNotAllowed(String)

CORS HTTP method not allowed.

§

HeaderNotAllowed(String)

CORS header not in allowed list.

§

InvalidCSRFToken(String)

CSRF token validation failed.

§

CSRFSessionMismatch

CSRF token session ID mismatch.

§

AuditLogFailure(String)

Audit log write failure.

Audit logging to the database failed. The underlying reason is captured in the error string.

§

SecurityConfigError(String)

Security configuration error.

The security configuration is invalid or incomplete.

§

TlsRequired

TLS/HTTPS required but connection is not secure.

The security profile requires all connections to be HTTPS/TLS, but an HTTP connection was received.

Fields

§detail: String

Description of what was required

§

TlsVersionTooOld

TLS version is below the minimum required version.

The connection uses TLS but the version is too old. For example, if TLS 1.3 is required but the connection uses TLS 1.2.

Fields

§current: TlsVersion

The TLS version actually used

§required: TlsVersion

The minimum TLS version required

§

MtlsRequired

Mutual TLS (client certificate) required but not provided.

The security profile requires mTLS, meaning clients must present a valid X.509 certificate, but none was provided.

Fields

§detail: String

Description of what was required

§

InvalidClientCert

Client certificate validation failed.

A client certificate was presented, but it failed validation. This could be due to an invalid signature, expired certificate, revoked certificate, or other validation errors.

Fields

§detail: String

Description of why validation failed

§

AuthRequired

Authentication is required but none was provided.

Used in auth middleware when authentication is required (configured or policy enforces it) but no valid credentials were found in the request.

§

InvalidToken

Authentication token is invalid or malformed.

The provided authentication token (e.g., JWT) failed to parse or validate. Could be due to invalid signature, bad format, etc.

§

TokenExpired

Authentication token has expired.

The authentication token has an ‘exp’ claim and that timestamp has passed. The user needs to re-authenticate.

Fields

§expired_at: DateTime<Utc>

The time when the token expired

§

TokenMissingClaim

Authentication token is missing a required claim.

The authentication token doesn’t have a required claim like ‘sub’, ‘exp’, etc.

Fields

§claim: String

The name of the claim that’s missing

§

InvalidTokenAlgorithm

Authentication token algorithm doesn’t match expected algorithm.

The token was signed with a different algorithm than expected (e.g., token used HS256 but system expects RS256).

Fields

§algorithm: String

The algorithm used in the token

§

IntrospectionDisabled

GraphQL introspection query is not allowed.

The security policy disallows introspection queries (__schema, __type), typically in production to prevent schema information leakage.

Fields

§detail: String

Description of why introspection is disabled

Trait Implementations§

Source§

impl Clone for SecurityError

Source§

fn clone(&self) -> SecurityError

Returns a duplicate of the value. Read more
1.0.0 · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl Debug for SecurityError

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl Display for SecurityError

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl Error for SecurityError

1.30.0 · Source§

fn source(&self) -> Option<&(dyn Error + 'static)>

Returns the lower-level source of this error, if any. Read more
1.0.0 · Source§

fn description(&self) -> &str

👎Deprecated since 1.42.0: use the Display impl or to_string()
Read more
1.0.0 · Source§

fn cause(&self) -> Option<&dyn Error>

👎Deprecated since 1.33.0: replaced by Error::source, which can support downcasting
Source§

fn provide<'a>(&'a self, request: &mut Request<'a>)

🔬This is a nightly-only experimental API. (error_generic_member_access)
Provides type-based access to context intended for error reports. Read more
Source§

impl PartialEq for SecurityError

Source§

fn eq(&self, other: &Self) -> bool

Tests for self and other values to be equal, and is used by ==.
1.0.0 · Source§

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.
Source§

impl Eq for SecurityError

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<Q, K> Equivalent<K> for Q
where Q: Eq + ?Sized, K: Borrow<Q> + ?Sized,

Source§

fn equivalent(&self, key: &K) -> bool

Checks if this value is equivalent to the given key. Read more
Source§

impl<Q, K> Equivalent<K> for Q
where Q: Eq + ?Sized, K: Borrow<Q> + ?Sized,

Source§

fn equivalent(&self, key: &K) -> bool

Compare self to key and return true if they are equal.
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T> Instrument for T

Source§

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more
Source§

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more
Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> PolicyExt for T
where T: ?Sized,

Source§

fn and<P, B, E>(self, other: P) -> And<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow only if self and other return Action::Follow. Read more
Source§

fn or<P, B, E>(self, other: P) -> Or<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow if either self or other returns Action::Follow. Read more
Source§

impl<T> Same for T

Source§

type Output = T

Should always be Self
Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T> ToString for T
where T: Display + ?Sized,

Source§

fn to_string(&self) -> String

Converts the given value to a String. Read more
Source§

impl<T> ToStringFallible for T
where T: Display,

Source§

fn try_to_string(&self) -> Result<String, TryReserveError>

ToString::to_string, but without panic on OOM.

Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

Source§

fn vzip(self) -> V

Source§

impl<T> WithSubscriber for T

Source§

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more
Source§

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more