Skip to content

DF0036: RPC Call Rejected — Not Authorized

Message

RPC call to "{name}" was rejected: the caller is not authorized.

Cause

startHttpAndWs was configured with an authorize gate (either directly, or via a DevframeAuthHandler passed as auth) and the calling session hasn't satisfied it — the call is neither to an anonymous:-prefixed method (see isAnonymousRpcMethod) nor made by a trusted session.

Example

ts
import { startHttpAndWs } from 'devframe/node'
import { createInteractiveAuth } from 'devframe/recipes/interactive-auth'

const auth = createInteractiveAuth(ctx)

await startHttpAndWs({ context: ctx, port: 9999, auth })

// A browser that hasn't completed the handshake yet can still reach the
// handshake methods themselves…
await client.call('anonymous:devframe:auth', { authToken: '', ua, origin })

// …but any other method throws DF0036 until the handshake succeeds.
await client.call('some-plugin:do-something') // ✗ throws DF0036

Fix

  • Complete the auth handshake — call anonymous:devframe:auth with a previously-issued token, or anonymous:devframe:auth:exchange with a one-time code — before calling a trusted method.
  • Connect with a static/pre-shared token (createInteractiveAuth's clientAuthTokens option) for CI or shared-machine setups that should skip the interactive prompt.
  • If you supplied a custom authorize function, verify it allows the method you expect — it receives the raw method name and the session's meta (isTrusted, clientAuthToken, …).

Source

Released under the MIT License.