Class: Otto::Security::Authentication::AuthorizationFailure
- Inherits: Data
  - Object
    - Data
      - Otto::Security::Authentication::AuthorizationFailure
- Defined in: lib/otto/security/authentication/authorization_failure.rb
Overview
Result for AUTHORIZATION failures (authenticated, but not permitted).
This is distinct from AuthFailure, which represents an AUTHENTICATION failure (no/invalid/expired credential). A strategy that performs both authentication and authorization in one pass (e.g. a token strategy that also enforces a role/permission encoded in the route requirement) returns:
* AuthFailure -> credential missing/invalid -> 401 Unauthorized
* AuthorizationFailure -> credential valid, but denied -> 403 Forbidden
Without this type a combined strategy could only return AuthFailure, and RouteAuthWrapper would collapse an authorization denial to 401 — leaving a client unable to distinguish “authenticate again” from “you lack this permission.” The wrapper maps this type to ResponseBuilder#forbidden (403); see RouteAuthWrapper#handle_all_strategies_failed.
NOTE: Otto's built-in Layer-1 role check (RoleAuthorization, driven by the `role=` route token) already yields 403 for role mismatches on a successful StrategyResult. This type covers the complementary case: a strategy that owns authorization itself (including permission tiers, which Layer-1 does not model) and needs to signal a 403 directly.
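The 401/403 split described above, as an added example that is not Otto's own code: AuthFailure, StrategyResult, the TOKENS table, the combined `token_strategy` and the `status_for` mapper are simplified stand-ins for the real Otto classes and for RouteAuthWrapper's failure handling; only the AuthorizationFailure shape follows this page. The strategy authenticates a bearer token and then enforces a route role in one pass, returning a different result type for each kind of denial so the status mapper can tell them apart.

```ruby
# Added example, not Otto's code. Minimal models of the result types the
# overview contrasts; the real classes live in lib/otto/security/authentication.
AuthFailure = Data.define(:failure_reason, :auth_method) do
  def authenticated? = false
  def anonymous? = true
  def user_context = {}
end

# Mirrors the shape documented on this page: a denial carries no user context.
AuthorizationFailure = Data.define(:failure_reason, :auth_method) do
  def authenticated? = false
  def anonymous? = true
  def user_context = {}
  def inspect = "#<AuthorizationFailure reason=#{failure_reason.inspect} method=#{auth_method}>"
end

# Stand-in for a successful StrategyResult (simplified, hypothetical).
StrategyResult = Data.define(:user, :auth_method) do
  def authenticated? = true
  def anonymous? = false
  def user_context = { user: user }
end

# Constructed token table for the example: bearer token => identity and roles.
TOKENS = {
  "tok-admin" => { name: "alice", roles: %w[admin] },
  "tok-user"  => { name: "bob",   roles: %w[user] },
}.freeze

# Hypothetical combined strategy: authentication (is the token valid?) and
# authorization (does the identity hold the role the route requires?) in one
# pass. Each kind of denial returns its own result type.
def token_strategy(authorization_header, required_role:)
  token  = authorization_header.to_s[/\ABearer (\S+)\z/, 1]
  record = TOKENS[token]
  # No usable credential: the client should authenticate again.
  return AuthFailure.new(failure_reason: "missing or invalid bearer token", auth_method: "token") unless record

  # Valid credential, insufficient role: re-authenticating will not help.
  unless record[:roles].include?(required_role)
    return AuthorizationFailure.new(failure_reason: "requires role #{required_role}", auth_method: "token")
  end

  StrategyResult.new(user: record[:name], auth_method: "token")
end

# Stand-in for the wrapper's mapping of result type to HTTP status.
def status_for(result)
  case result
  when AuthorizationFailure then 403 # authenticated, but not permitted
  when AuthFailure          then 401 # not authenticated
  else 200
  end
end

if __FILE__ == $PROGRAM_NAME
  [nil, "Bearer bogus", "Bearer tok-user", "Bearer tok-admin"].each do |header|
    result = token_strategy(header, required_role: "admin")
    puts "#{header.inspect.ljust(18)} -> #{status_for(result)} #{result.inspect}"
  end
end
```

Without the AuthorizationFailure type, the role mismatch for `tok-user` would have to be returned as an AuthFailure and would be reported as 401, which is exactly the collapse the overview describes. Requires Ruby 3.2 or later for Data.define.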
Instance Attribute Summary
- #auth_method ⇒ Object (readonly)
  Returns the value of attribute auth_method.
- #failure_reason ⇒ Object (readonly)
  Returns the value of attribute failure_reason.
Instance Method Summary
- #anonymous? ⇒ Boolean
  True (no user context attached to a denial).
- #authenticated? ⇒ Boolean
  Authorization failures are not an authenticated request state.
- #inspect ⇒ String
  Debug representation.
- #user_context ⇒ Hash
  Empty hash.
Instance Attribute Details
#auth_method ⇒ Object (readonly)
Returns the value of attribute auth_method.

    # File 'lib/otto/security/authentication/authorization_failure.rb', line 29
    def auth_method
      @auth_method
    end
#failure_reason ⇒ Object (readonly)
Returns the value of attribute failure_reason.

    # File 'lib/otto/security/authentication/authorization_failure.rb', line 29
    def failure_reason
      @failure_reason
    end
Instance Method Details
#anonymous? ⇒ Boolean
Returns true (no user context attached to a denial).

    # File 'lib/otto/security/authentication/authorization_failure.rb', line 40
    def anonymous?
      true
    end
#authenticated? ⇒ Boolean
Authorization failures are not an authenticated request state. The request never reaches the handler, so handler-facing predicates report the same "no user context" shape AuthFailure does.

    # File 'lib/otto/security/authentication/authorization_failure.rb', line 35
    def authenticated?
      false
    end
#inspect ⇒ String
Returns a debug representation.

    # File 'lib/otto/security/authentication/authorization_failure.rb', line 50
    def inspect
      "#<AuthorizationFailure reason=#{failure_reason.inspect} method=#{auth_method}>"
    end
#user_context ⇒ Hash
Returns an empty hash.

    # File 'lib/otto/security/authentication/authorization_failure.rb', line 45
    def user_context
      {}
    end