DefaultDecodeFailureHandler

Default messages for DecodeResult.Failure s.

Default messages when the decode failure is due to a validation error.

The names of the product elements

The name of the type

The default implementation of the DecodeFailureHandler.

A 400 (bad request) is returned if a query, header or body input can't be decoded (for any reason), or if decoding a path capture causes a validation error.

A 401 (unauthorized) is returned when an authentication input (created using Tapir.auth) cannot be decoded. The appropriate WWW-Authenticate headers are included.

Otherwise (e.g. if the method, a path segment, or path capture is missing, there's a mismatch or a decode error), None is returned, which is a signal to try the next endpoint.

The error messages contain information about the source of the decode error, and optionally the validation error detail that caused the failure.

The default decode failure handler can be customised by providing alternate functions for deciding whether a response should be sent, creating the error message and creating the response.

Furthermore, how decode failures are handled can be adjusted globally by changing the flags passed to respond. By default, if the shape of the path for an endpoint matches the request, but decoding a path capture causes an error (e.g. a path[Int]("amount") cannot be parsed), the next endpoint is tried. However, if there's a validation error (e.g. a path[Kind]("kind"), where Kind is an enum, and a value outside the enumeration values is provided), a 400 response is sent.

Finally, behavior can be adjusted per-endpoint-input, by setting an attribute. Import the OnDecodeFailure object and use the OnDecodeFailure.RichEndpointTransput.onDecodeFailureNextEndpoint extension method.

This is only used for failures that occur when decoding inputs, not for exceptions that happen when the server logic is invoked. Exceptions can be either handled by the server logic, and converted to an error output value. Uncaught exceptions can be handled using the sttp.tapir.server.interceptor.exception.ExceptionInterceptor.

A default handler which responds with a 404 Not Found, instead of a 401 Unauthorized or 400 Bad Request, in case any input fails to decode, and the endpoint contains authentication inputs (created using Tapir.auth). No WWW-Authenticate headers are sent.

Hence, the information if the endpoint exists, but needs authentication is hidden from the client. However, the existence of the endpoint might still be revealed using timing attacks.