Add AuthMethodDoesNotApplyException to avoid conflating unused auth with failed auth

phpnode · phpnode · commit 0763369838cc · 2025-10-03T15:57:40.000+01:00
diff --git a/packages/nextlove/src/nextjs-exception-middleware/http-exceptions.ts b/packages/nextlove/src/nextjs-exception-middleware/http-exceptions.ts
@@ -77,6 +77,18 @@ export class UnauthorizedException extends HttpException {
   }
 }
 
+export class AuthMethodDoesNotApplyException extends HttpException {
+  constructor(
+    public metadata: HttpExceptionMetadata = {
+      type: "auth_method_does_not_apply",
+      message: "Auth method does not apply",
+    },
+    options?: ThrowingOptions
+  ) {
+    super(401, metadata, options)
+  }
+}
+
 export class NotFoundException extends HttpException {
   constructor(
     public metadata: HttpExceptionMetadata,
diff --git a/packages/nextlove/src/with-route-spec/index.ts b/packages/nextlove/src/with-route-spec/index.ts
@@ -9,6 +9,10 @@ import {
 import withMethods, { HTTPMethods } from "./middlewares/with-methods"
 import withValidation from "./middlewares/with-validation"
 import { z } from "zod"
+import {
+  AuthMethodDoesNotApplyException,
+  UnauthorizedException,
+} from "../nextjs-exception-middleware"
 
 type ParamDef = z.ZodTypeAny | z.ZodEffects<z.ZodTypeAny>
 
@@ -98,36 +102,36 @@ export const createWithRouteSpec: CreateWithRouteSpecFunction = ((
           throw new Error(`Unknown auth type: ${undefinedAuthType}`)
 
         const firstAuthMiddlewareThatSucceeds = (next) => async (req, res) => {
-          let errors: unknown[] = []
-          let didAuthMiddlewareThrow = true
-
           const handleMultipleAuthMiddlewareFailures =
             spec.onMultipleAuthMiddlewareFailures ??
             onMultipleAuthMiddlewareFailures
 
           for (const [name, middleware] of authMiddlewares) {
+            let didAuthMiddlewareThrow = true
             try {
               return await middleware((...args) => {
                 // Otherwise errors unrelated to auth thrown by built-in middleware (withMethods, withValidation) will be caught here
                 didAuthMiddlewareThrow = false
                 return next(...args)
               })(req, res)
             } catch (error: any) {
-              if (didAuthMiddlewareThrow) {
-                error.source_middleware = name
-                errors.push(error)
+              if (error instanceof AuthMethodDoesNotApplyException) {
                 continue
-              } else {
-                throw error
               }
+              error.source_middleware = name
+              if (
+                handleMultipleAuthMiddlewareFailures &&
+                didAuthMiddlewareThrow
+              ) {
+                handleMultipleAuthMiddlewareFailures([error])
+              }
+              throw error
             }
           }
-
-          if (handleMultipleAuthMiddlewareFailures && didAuthMiddlewareThrow) {
-            handleMultipleAuthMiddlewareFailures(errors)
-          }
-
-          throw errors[errors.length - 1]
+          throw new UnauthorizedException({
+            type: "unauthorized",
+            message: "No authentication methods succeeded",
+          })
         }
 
         return wrappers(
