Enum AuthError 

#[non_exhaustive]
pub enum AuthError {
    InvalidCredentials,
    TokenExpired,
    InvalidToken {
        reason: String,
    },
    ProviderError {
        provider: String,
        message: String,
    },
    InvalidState,
    UserDenied,
    SessionNotFound,
    SessionExpired,
    InsufficientPermissions {
        required: String,
    },
    RefreshTokenInvalid,
    AccountLocked {
        reason: String,
    },
}

Domain-level auth errors for HTTP response mapping.

These are the client-facing auth error variants that get converted to HTTP status codes via RuntimeError. For internal OIDC/JWT processing errors, see fraiseql_auth::AuthError. For wire-protocol SCRAM errors, see fraiseql_wire::auth::AuthError.

Variants (Non-exhaustive)

Non-exhaustive enums could have additional variants added in future. Therefore, when matching against variants of non-exhaustive enums, an extra wildcard arm must be added to account for any future variants.

InvalidCredentials

The supplied username/password (or API key) did not match any account.

TokenExpired

The access token has passed its expiry time and must be refreshed.

InvalidToken

The access token is structurally invalid or has been tampered with.

Fields

reason: String

Reason the token was rejected (kept server-side; not forwarded to clients).

ProviderError

An upstream OAuth / OIDC provider returned an error during the flow.

Fields

provider: String

Name of the provider (e.g. "google", "github").

message: String

Provider-supplied error message (kept server-side; not forwarded to clients).

InvalidState

The OAuth state parameter did not match the stored value, indicating a possible CSRF attack or a stale/replayed authorisation request.

UserDenied

The resource owner explicitly declined the authorisation request at the provider’s consent screen.

SessionNotFound

No active session exists for the supplied session identifier.

SessionExpired

The session existed but has expired and can no longer be used.

InsufficientPermissions

The authenticated principal does not have the scopes or roles required to perform the requested operation.

Fields

required: String

The permission or scope that was required but not granted.

RefreshTokenInvalid

The refresh token has been revoked, used more than once, or has expired.

AccountLocked

The account has been administratively locked and cannot be used.

Fields

reason: String

Reason the account was locked.

Implementations

impl AuthError

pub const fn error_code(&self) -> &'static str

Returns a short, stable error code string suitable for API responses and structured logging.

Trait Implementations

impl Debug for AuthError

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Display for AuthError

fn fmt(&self, __formatter: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Error for AuthError

fn source(&self) -> Option<&(dyn Error + 'static)>

Returns the lower-level source of this error, if any.

fn description(&self) -> &str

👎Deprecated since 1.42.0:

use the Display impl or to_string()

fn cause(&self) -> Option<&dyn Error>

👎Deprecated since 1.33.0:

replaced by Error::source, which can support downcasting

fn provide<'a>(&'a self, request: &mut Request<'a>)

🔬This is a nightly-only experimental API. (error_generic_member_access)

Provides type-based access to context intended for error reports.

impl From<AuthError> for RuntimeError

fn from(source: AuthError) -> Self

Converts to this type from the input type.