Add new ForbiddenRequestError (#339)

Paul Asjes · web-flow · commit c71db3657153 · 2025-01-06T15:12:26.000+01:00
diff --git a/lib/workos.rb b/lib/workos.rb
@@ -88,6 +88,7 @@ def self.key
   autoload :APIError, 'workos/errors'
   autoload :AuthenticationError, 'workos/errors'
   autoload :InvalidRequestError, 'workos/errors'
+  autoload :ForbiddenRequestError, 'workos/errors'
   autoload :SignatureVerificationError, 'workos/errors'
   autoload :TimeoutError, 'workos/errors'
   autoload :NotFoundError, 'workos/errors'
diff --git a/lib/workos/client.rb b/lib/workos/client.rb
@@ -109,6 +109,14 @@ def handle_error_response(response:)
           http_status: http_status,
           request_id: response['x-request-id'],
         )
+      when 403
+        raise ForbiddenRequestError.new(
+          message: json['message'],
+          http_status: http_status,
+          request_id: response['x-request-id'],
+          code: json['code'],
+          data: json,
+        )
       when 404
         raise NotFoundError.new(
           message: json['message'],
diff --git a/lib/workos/errors.rb b/lib/workos/errors.rb
@@ -64,6 +64,10 @@ class AuthenticationError < WorkOSError; end
   # parameters.
   class InvalidRequestError < WorkOSError; end
 
+  # ForbiddenError is raised when a request is forbidden, likely due to missing a step
+  # (i.e. verifying email ownership before authenticating).
+  class ForbiddenRequestError < WorkOSError; end
+
   # SignatureVerificationError is raised when the signature verification for a
   # webhook fails
   class SignatureVerificationError < WorkOSError; end
diff --git a/spec/lib/workos/user_management_spec.rb b/spec/lib/workos/user_management_spec.rb
@@ -404,6 +404,20 @@
         end
       end
     end
+
+    context 'with an unverified user' do
+      it 'raises a ForbiddenRequestError' do
+        VCR.use_cassette('user_management/authenticate_with_password/unverified') do
+          expect do
+            WorkOS::UserManagement.authenticate_with_password(
+              email: 'unverified@workos.app',
+              password: '7YtYic00VWcXatPb',
+              client_id: 'client_123',
+            )
+          end.to raise_error(WorkOS::ForbiddenRequestError, /Email ownership must be verified before authentication/)
+        end
+      end
+    end
   end
 
   describe '.authenticate_with_code' do
diff --git a/spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_password/unverified.yml b/spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_password/unverified.yml
