Skip to content

Standardize middleware error responses; handle unprovisioned users and expired sessions#362

Merged
danielbowne merged 2 commits into
mainfrom
feature/standardize-middleware-errors
Jun 23, 2026
Merged

Standardize middleware error responses; handle unprovisioned users and expired sessions#362
danielbowne merged 2 commits into
mainfrom
feature/standardize-middleware-errors

Conversation

@danielbowne

@danielbowne danielbowne commented Jun 23, 2026

Copy link
Copy Markdown
Collaborator

Rehome of #360 onto an in-repo branch so Snyk/CI run. Original work and credit: @tarratsco (Onix Tarrats Calderon); his commit is preserved as-authored.

What this does

Middleware now returns a single standardized JSON error shape ({ "error": ..., "code": ... }) on every rejection, replacing the prior plaintext http.Error responses. This lets the frontend interceptor branch on a stable code rather than parsing status alone (see ztmf-ui#403).

Rejection cases are now distinguished:

  • Missing/invalid session: 401 UNAUTHORIZED ("your session has expired")
  • Authenticated identity with no ZTMF account, or a soft-deleted account: 403 ACCOUNT_NOT_PROVISIONED (terminal "contact your administrator", no retry loop)
  • CSRF origin mismatch: 403 FORBIDDEN_ORIGIN
  • Upstream lookup failure (DB blip, decode error): 500 with an opaque body and no code, so a transient failure never triggers the terminal provisioning copy

Previously a not-found user and a DB error both collapsed into 401, which the frontend could not tell apart from an expired session.

Changes layered on top of the original PR

  • Added test(emberfall): the no-auth 401 assertion on /users/current was matching the old plaintext unauthorized body; updated it to match the new JSON code field. (The original fork PR could not run the E2E suite because Snyk/CI org secrets are unavailable on forks, so this drift was not caught there.)

Testing

  • make test-unit (auth package): pass, 8/8 including the new TestMiddleware cases
  • make test-e2e (isolated ephemeral DB): pass, 118/118

Closes #360

Onix Tarrats Calderon and others added 2 commits June 23, 2026 15:45
@danielbowne
enhancement(middleware): Standardize error responses in Middleware. A…
3a34e6a 
…dd case for unprovisioned users and session expiration
@danielbowne
test(emberfall): match JSON error body on no-auth 401
1e5ea31 
Middleware now returns a standardized JSON error body instead of the
plaintext "unauthorized". Update the no-auth /users/current assertion
to match on the JSON code field.
@danielbowne danielbowne self-assigned this Jun 23, 2026
@danielbowne danielbowne mentioned this pull request Jun 23, 2026
Closed
7 tasks
a-dipietro
a-dipietro approved these changes Jun 23, 2026
View reviewed changes

@a-dipietro a-dipietro left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

MackOverflow
MackOverflow approved these changes Jun 23, 2026
View reviewed changes

@MackOverflow MackOverflow left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, no notes

@danielbowne danielbowne merged commit 5370a0b into main Jun 23, 2026
9 checks passed
@danielbowne danielbowne deleted the feature/standardize-middleware-errors branch June 23, 2026 21:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@MackOverflow MackOverflow MackOverflow approved these changes
@a-dipietro a-dipietro a-dipietro approved these changes

Assignees

@danielbowne danielbowne

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@danielbowne @MackOverflow @a-dipietro