From c89b425fc4e29e8a0f84dd221aec213174bc3606 Mon Sep 17 00:00:00 2001
From: "tembo[bot]" <208362400+tembo[bot]@users.noreply.github.com>
Date: Sat, 18 Apr 2026 07:52:19 +0000
Subject: [PATCH] chore(graphile): add more safe GraphQL error codes for auth and account issues
Co-authored-by: Dan
---
 graphql/server/src/middleware/graphile.ts | 52 ++++++++++++++++++++++-
 1 file changed, 51 insertions(+), 1 deletion(-)
diff --git a/graphql/server/src/middleware/graphile.ts b/graphql/server/src/middleware/graphile.ts
index 4e3bb64e4..e6ccb3cf7 100644
--- a/graphql/server/src/middleware/graphile.ts
+++ b/graphql/server/src/middleware/graphile.ts
@@ -24,31 +24,81 @@ const SAFE_ERROR_CODES = new Set([
 'PERSISTED_QUERY_NOT_SUPPORTED',
 // Auth
 'UNAUTHENTICATED',
+ 'NOT_AUTHENTICATED',
+ 'USER_NOT_AUTHENTICATED',
 'FORBIDDEN',
 'BAD_USER_INPUT',
 'INCORRECT_PASSWORD',
 'PASSWORD_INSECURE',
+ 'ACCOUNT_LOCKED',
 'ACCOUNT_LOCKED_EXCEED_ATTEMPTS',
 'ACCOUNT_DISABLED',
 'ACCOUNT_EXISTS',
+ 'ACCOUNT_NOT_FOUND',
+ 'USER_NOT_FOUND',
+ 'INVALID_USER',
+ 'INVALID_TOKEN',
+ 'INVALID_CODE',
+ 'NO_PRIMARY_EMAIL',
+ 'NO_CREDENTIALS',
 'PASSWORD_LEN',
 'INVITE_NOT_FOUND',
 'INVITE_LIMIT',
 'INVITE_EMAIL_NOT_FOUND',
 'INVALID_CREDENTIALS',
+ // Auth method toggles (app-level allow_* settings)
+ 'SIGN_UP_DISABLED',
+ 'PASSWORD_SIGN_IN_DISABLED',
+ 'PASSWORD_SIGN_UP_DISABLED',
+ 'SSO_SIGN_IN_DISABLED',
+ 'SSO_SIGN_UP_DISABLED',
+ 'SSO_ACCOUNT_NOT_FOUND',
+ 'CONNECTED_ACCOUNT_NOT_FOUND',
+ 'MAGIC_LINK_SIGN_IN_DISABLED',
+ 'MAGIC_LINK_SIGN_UP_DISABLED',
+ 'EMAIL_OTP_SIGN_IN_DISABLED',
+ 'SMS_SIGN_IN_DISABLED',
+ 'SMS_SIGN_UP_DISABLED',
 // CSRF
 'CSRF_TOKEN_REQUIRED',
 'INVALID_CSRF_TOKEN',
 // Rate limiting / throttling
 'TOO_MANY_REQUESTS',
 'PASSWORD_RESET_LOCKED_EXCEED_ATTEMPTS',
- // TOTP
+ // TOTP / MFA / step-up
 'TOTP_NOT_ENABLED',
+ 'TOTP_ALREADY_ENABLED',
+ 'TOTP_SETUP_NOT_INITIATED',
+ 'MFA_REQUIRED',
+ 'MFA_CHALLENGE_EXPIRED',
+ 'INVALID_MFA_CHALLENGE',
+ 'STEP_UP_REQUIRED',
+ 'STEP_UP_REQUIRED_PASSWORD',
+ 'STEP_UP_REQUIRED_PASSWORD_OR_MFA',
+ // Sessions / API keys
+ 'SESSION_NOT_FOUND',
+ 'API_KEY_NOT_FOUND',
+ 'CANNOT_DISCONNECT_LAST_AUTH_METHOD',
+ 'CANNOT_REVOKE_CURRENT_SESSION',
 // Account / resource operations
+ 'NOT_FOUND',
 'NULL_VALUES_DISALLOWED',
 'OBJECT_NOT_FOUND',
+ 'OBJECT_NO_UPDATE',
 'LIMIT_REACHED',
 'REQUIRES_ONE_OWNER',
+ 'DELETE_FIRST',
+ 'REF_NOT_FOUND',
+ 'CROSS_DATABASE_REF',
+ 'GROUPS_REQ_ENTITIES',
+ 'ALREADY_SCHEDULED',
+ 'SINGLETON_TABLE',
+ // Entity/field immutability
+ 'IMMUTABLE_FIELD',
+ 'IMMUTABLE_PROPS',
+ 'IMMUTABLE_PEOPLESTAMPS',
+ 'IMMUTABLE_TIMESTAMPS',
+ 'CONST_TYPE_FIELDS_IMMUTABLE',
 // PublicKeySignature
 'FEATURE_DISABLED',
 'INVALID_PUBLIC_KEY',
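Review bot: Adding `ACCOUNT_NOT_FOUND`, `USER_NOT_FOUND`, `INVALID_USER` and `SSO_ACCOUNT_NOT_FOUND` to this set, next to the already-listed `INCORRECT_PASSWORD` and `INVALID_CREDENTIALS`, lets a client tell an unknown account apart from a wrong password, which turns sign-in, SSO-link and password-reset responses into an account-enumeration oracle if, as the set's name suggests, membership means the error code and message reach the client unmasked. The hunk does not show how SAFE_ERROR_CODES is consumed, so please confirm whether the resolvers that raise those codes already collapse them to a generic `INVALID_CREDENTIALS` before this layer, or restrict the new "not found" codes to flows where the caller is already authenticated. The bare `NOT_FOUND` under "Account / resource operations" is also very broad for an allowlist: any resolver throwing that code would have its message pass through, so it deserves a comment such as `// Generic; messages raised with this code must not embed internal identifiers`. The `SAFE_ERROR_CODES` declaration opens and closes outside the hunk; a header comment on it stating the inclusion criterion (messages safe to echo verbatim, never revealing whether an account exists) would make future additions like this one easier to review.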