refactor: replace generic Error('Unauthorized') with UnauthorizedError (#14879)

AlessioGr · web-flow · commit c9a8aa03440c · 2025-12-10T11:07:42.000-06:00
Refactors all auth checks to throw `UnauthorizedError` instead of the
generic `Error('Unauthorized')`. This ensures consistent unauthorized
errors being thrown
diff --git a/docs/local-api/server-functions.mdx b/docs/local-api/server-functions.mdx
@@ -512,9 +512,11 @@ Using server functions helps prevent direct exposure of Local API operations to
 Example of restricting access based on user role:
 
 ```ts
+import { UnauthorizedError } from 'payload'
+
 export async function deletePost(postId, user) {
   if (!user || user.role !== 'admin') {
-    throw new Error('Unauthorized')
+    throw new UnauthorizedError()
   }
 
   const payload = await getPayload({ config })
diff --git a/packages/payload/src/utilities/canAccessAdmin.ts b/packages/payload/src/utilities/canAccessAdmin.ts
@@ -1,5 +1,7 @@
 import type { PayloadRequest } from '../types/index.js'
 
+import { UnauthorizedError } from '../errors/UnauthorizedError.js'
+
 /**
  * Protects admin-only routes, server functions, etc.
  * The requesting user must either:
@@ -19,11 +21,11 @@ export const canAccessAdmin = async ({ req }: { req: PayloadRequest }) => {
       const canAccess = await adminAccessFn({ req })
 
       if (!canAccess) {
-        throw new Error('Unauthorized')
+        throw new UnauthorizedError()
       }
       // Match the user collection to the global admin config
     } else if (adminUserSlug !== incomingUserSlug) {
-      throw new Error('Unauthorized')
+      throw new UnauthorizedError()
     }
   } else {
     const hasUsers = await req.payload.find({
@@ -35,7 +37,7 @@ export const canAccessAdmin = async ({ req }: { req: PayloadRequest }) => {
 
     // If there are users, we should not allow access because of `/create-first-user`
     if (hasUsers.docs.length) {
-      throw new Error('Unauthorized')
+      throw new UnauthorizedError()
     }
   }
 }
diff --git a/packages/ui/src/forms/fieldSchemasToFormState/serverFunctions/renderFieldServerFn.ts b/packages/ui/src/forms/fieldSchemasToFormState/serverFunctions/renderFieldServerFn.ts
@@ -1,4 +1,10 @@
-import { deepMerge, type Field, type FieldState, type ServerFunction } from 'payload'
+import {
+  deepMerge,
+  type Field,
+  type FieldState,
+  type ServerFunction,
+  UnauthorizedError,
+} from 'payload'
 
 import { getClientConfig } from '../../../utilities/getClientConfig.js'
 import { getClientSchemaMap } from '../../../utilities/getClientSchemaMap.js'
@@ -44,7 +50,7 @@ export const _internal_renderFieldHandler: ServerFunction<
   // eslint-disable-next-line @typescript-eslint/require-await
 > = async ({ field: fieldArg, initialValue, path, req, schemaPath }) => {
   if (!req.user) {
-    throw new Error('Unauthorized')
+    throw new UnauthorizedError()
   }
 
   const [entityType, entitySlug, ...fieldPath] = schemaPath.split('.')
diff --git a/packages/ui/src/utilities/buildFormState.ts b/packages/ui/src/utilities/buildFormState.ts
@@ -7,7 +7,7 @@ import type {
   ServerFunction,
 } from 'payload'
 
-import { canAccessAdmin, formatErrors } from 'payload'
+import { canAccessAdmin, formatErrors, UnauthorizedError } from 'payload'
 import { getSelectMode, reduceFieldsToValues } from 'payload/shared'
 
 import { fieldSchemasToFormState } from '../forms/fieldSchemasToFormState/index.js'
@@ -70,7 +70,7 @@ export const buildFormStateHandler: ServerFunction<
     }
 
     if (err.message === 'Unauthorized') {
-      throw new Error('Unauthorized')
+      throw new UnauthorizedError()
     }
 
     return formatErrors(err)

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,7 @@`
`1`	`1`	`import type { PayloadRequest } from '../types/index.js'`
`2`	`2`
	`3`	`+import { UnauthorizedError } from '../errors/UnauthorizedError.js'`
	`4`	`+`
`3`	`5`	`/**`
`4`	`6`	`* Protects admin-only routes, server functions, etc.`
`5`	`7`	`* The requesting user must either:`
`@@ -19,11 +21,11 @@ export const canAccessAdmin = async ({ req }: { req: PayloadRequest }) => {`
`19`	`21`	`const canAccess = await adminAccessFn({ req })`
`20`	`22`
`21`	`23`	`if (!canAccess) {`
`22`		`- throw new Error('Unauthorized')`
	`24`	`+ throw new UnauthorizedError()`
`23`	`25`	`}`
`24`	`26`	`// Match the user collection to the global admin config`
`25`	`27`	`} else if (adminUserSlug !== incomingUserSlug) {`
`26`		`- throw new Error('Unauthorized')`
	`28`	`+ throw new UnauthorizedError()`
`27`	`29`	`}`
`28`	`30`	`} else {`
`29`	`31`	`const hasUsers = await req.payload.find({`
`@@ -35,7 +37,7 @@ export const canAccessAdmin = async ({ req }: { req: PayloadRequest }) => {`
`35`	`37`
`36`	`38`	// If there are users, we should not allow access because of `/create-first-user`
`37`	`39`	`if (hasUsers.docs.length) {`
`38`		`- throw new Error('Unauthorized')`
	`40`	`+ throw new UnauthorizedError()`
`39`	`41`	`}`
`40`	`42`	`}`
`41`	`43`	`}`
Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,7 @@ import type {`
`7`	`7`	`ServerFunction,`
`8`	`8`	`} from 'payload'`
`9`	`9`
`10`		`-import { canAccessAdmin, formatErrors } from 'payload'`
	`10`	`+import { canAccessAdmin, formatErrors, UnauthorizedError } from 'payload'`
`11`	`11`	`import { getSelectMode, reduceFieldsToValues } from 'payload/shared'`
`12`	`12`
`13`	`13`	`import { fieldSchemasToFormState } from '../forms/fieldSchemasToFormState/index.js'`
`@@ -70,7 +70,7 @@ export const buildFormStateHandler: ServerFunction<`
`70`	`70`	`}`
`71`	`71`
`72`	`72`	`if (err.message === 'Unauthorized') {`
`73`		`- throw new Error('Unauthorized')`
	`73`	`+ throw new UnauthorizedError()`
`74`	`74`	`}`
`75`	`75`
`76`	`76`	`return formatErrors(err)`