From 1ca4712cafe095755d430386e94b6d6048fd9c50 Mon Sep 17 00:00:00 2001 From: Dan Lynch Date: Wed, 15 Apr 2026 10:03:10 +0000 Subject: [PATCH 1/2] feat: add missing SAFE_ERROR_CODES for rate limiting and auth errors MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add error codes that are raised by constructive-db deployed functions but were missing from the production error masking allowlist: - IP_RATE_LIMITED (new — from rate_limits_module IP throttling) - PASSWORD_RESET_LOCKED_EXCEED_ATTEMPTS (password reset lockout) - CSRF_TOKEN_REQUIRED, INVALID_CSRF_TOKEN (CSRF validation) - TOTP_NOT_ENABLED (TOTP verification) - NULL_VALUES_DISALLOWED (reset_password validation) - OBJECT_NOT_FOUND (invite/object lookups) - LIMIT_REACHED (membership/invite limits) - REQUIRES_ONE_OWNER (ownership constraints) Without these, production clients would receive masked 'INTERNAL_SERVER_ERROR' instead of the actionable error codes. --- graphql/server/src/middleware/graphile.ts | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/graphql/server/src/middleware/graphile.ts b/graphql/server/src/middleware/graphile.ts index 354247f33..1d32fe497 100644 --- a/graphql/server/src/middleware/graphile.ts +++ b/graphql/server/src/middleware/graphile.ts @@ -36,6 +36,19 @@ const SAFE_ERROR_CODES = new Set([ 'INVITE_LIMIT', 'INVITE_EMAIL_NOT_FOUND', 'INVALID_CREDENTIALS', + // CSRF + 'CSRF_TOKEN_REQUIRED', + 'INVALID_CSRF_TOKEN', + // Rate limiting / throttling + 'IP_RATE_LIMITED', + 'PASSWORD_RESET_LOCKED_EXCEED_ATTEMPTS', + // TOTP + 'TOTP_NOT_ENABLED', + // Account / resource operations + 'NULL_VALUES_DISALLOWED', + 'OBJECT_NOT_FOUND', + 'LIMIT_REACHED', + 'REQUIRES_ONE_OWNER', // PublicKeySignature 'FEATURE_DISABLED', 'INVALID_PUBLIC_KEY', From 8aab1a409e1c7ed2526152dfde1a31d023bdd7b9 Mon Sep 17 00:00:00 2001 From: Dan Lynch Date: Wed, 15 Apr 2026 18:32:32 +0000 Subject: [PATCH 2/2] refactor: rename IP_RATE_LIMITED to TOO_MANY_REQUESTS --- graphql/server/src/middleware/graphile.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/graphql/server/src/middleware/graphile.ts b/graphql/server/src/middleware/graphile.ts index 1d32fe497..aa365e17a 100644 --- a/graphql/server/src/middleware/graphile.ts +++ b/graphql/server/src/middleware/graphile.ts @@ -40,7 +40,7 @@ const SAFE_ERROR_CODES = new Set([ 'CSRF_TOKEN_REQUIRED', 'INVALID_CSRF_TOKEN', // Rate limiting / throttling - 'IP_RATE_LIMITED', + 'TOO_MANY_REQUESTS', 'PASSWORD_RESET_LOCKED_EXCEED_ATTEMPTS', // TOTP 'TOTP_NOT_ENABLED',