|
7 | 7 | const OAuthError = require('./oauth-error'); |
8 | 8 |
|
9 | 9 | /** |
| 10 | + * Thrown when an argument to a function or constructor is missing or of the |
| 11 | + * wrong type — i.e. a programming or configuration error in the code that |
| 12 | + * integrates this library (for example, a missing server option, or a `model` |
| 13 | + * that does not implement a required method). |
| 14 | + * |
| 15 | + * `InvalidArgumentError` is **not** an OAuth 2.0 protocol error: its |
| 16 | + * `invalid_argument` code (HTTP 500) is not one of the error codes defined by |
| 17 | + * RFC 6749 and must never be sent to an OAuth client. How it surfaces therefore |
| 18 | + * depends on *when* it is raised: |
| 19 | + * |
| 20 | + * - **At construction / configuration time** (missing options, a `model` missing |
| 21 | + * a required method, or `request`/`response` not being instances of this |
| 22 | + * library's `Request`/`Response`) it is thrown to your code unchanged, before |
| 23 | + * any response is produced — so you can catch it while wiring up the server. |
| 24 | + * - **While handling a request** (for example, when a `model` returns malformed |
| 25 | + * token data) the `token` and `authorize` handlers normalise it to a |
| 26 | + * `ServerError` (`server_error`) before the response reaches the client, |
| 27 | + * preserving the original error as `.inner`. So when you `catch` errors from |
| 28 | + * `OAuth2Server#token` or `OAuth2Server#authorize`, expect a `ServerError` |
| 29 | + * (inspect its `.inner`) for these cases — not an `InvalidArgumentError`. |
| 30 | + * |
10 | 31 | * @class |
11 | | - * @classDesc "An argument to a function or constructor is missing or of wrong type" |
12 | 32 | */ |
13 | 33 |
|
14 | 34 | class InvalidArgumentError extends OAuthError { |
|
0 commit comments