Type members
Classlikes
Default messages for DecodeResult.Failures.
Default messages when the decode failure is due to a validation error.
Value members
Concrete methods
- Value Params
- badRequestOnPathErrorIfPathShapeMatches
Whether a status 400 should be returned if the shape of the path of the request matches, but decoding some path segment fails with a DecodeResult.Error.
- badRequestOnPathInvalidIfPathShapeMatches
Whether a status 400 should be returned if the shape of the path of the request matches, but decoding some path segment fails with a DecodeResult.InvalidValue.
Concrete fields
The default implementation of the DecodeFailureHandler.
A 400 (bad request) is returned if a query, header or body input can't be decoded (for any reason), or if decoding a path capture causes a validation error.
A 401 (unauthorized) is returned when an authentication input (created using Tapir.auth) cannot be decoded. The appropriate WWW-Authenticate headers are included.
Otherwise (e.g. if the method, a path segment, or path capture is missing, there's a mismatch or a decode error), None is returned, which is a signal to try the next endpoint.
The error messages contain information about the source of the decode error, and optionally the validation error detail that caused the failure.
This is only used for failures that occur when decoding inputs, not for exceptions that happen when the server logic is invoked.
A default handler which responds with a 404 Not Found, instead of a 401 Unauthorized or 400 Bad Request, in case any input fails to decode, and the endpoint contains authentication inputs (created using Tapir.auth). No WWW-Authenticate headers are sent.
Hence, the information that the endpoint exists but needs authentication is hidden from the client. However, the existence of the endpoint might still be revealed using timing attacks.