klieo_auth_common/error.rs
1//! Failure cases for authentication.
2
3use thiserror::Error;
4
/// Failure cases for authentication.
///
/// `Missing` and `Malformed` describe transport-level rejections (no
/// header / wrong scheme); `Rejected` carries an authenticator-supplied
/// diagnostic string that MUST stay server-side — handlers map this to
/// a JSON-RPC `-32001 Unauthenticated` envelope on the wire without
/// echoing the inner message.
///
/// The derived `Display` and `Debug` output of `Rejected` both contain
/// that diagnostic string, so neither `to_string()` nor `{:?}` output of
/// an `AuthError` may be copied into a response body; build the wire
/// error from the variant alone.
///
/// The enum is `#[non_exhaustive]`: a `match` in another crate needs a
/// wildcard arm, and that arm should deny the request like any other
/// authentication failure.
#[derive(Debug, Error)]
#[non_exhaustive]
pub enum AuthError {
    /// The `Authorization` header was not present on the request.
    #[error("missing Authorization header")]
    Missing,
    /// The header is present but does not match the expected format
    /// (e.g. wrong scheme prefix).
    #[error("malformed Authorization header")]
    Malformed,
    /// The verifier rejected the credential (bad signature, expired
    /// token, revoked, etc.). The string is included for log diagnostics
    /// and never returned to the caller.
    ///
    /// `Display` renders it as `verification failed: <diagnostic>`.
    // NOTE(review): nothing here constrains what an authenticator puts in
    // the string — confirm callers never embed the raw credential or
    // unsanitised request data, since the value is written to logs.
    #[error("verification failed: {0}")]
    Rejected(String),
}