feat(wrangler): add warning when account_id mismatch detected on auth error (#11683)

* feat(wrangler): add warning when account_id mismatch detected on auth error

When a 401 authentication error occurs, display a warning if the account_id
in the Wrangler configuration does not match any of the user's authenticated
accounts. This helps users identify configuration issues where they may have
the wrong account ID set in their wrangler.toml file.

Fixes #9358

Co-Authored-By: mkane@cloudflare.com <m@mk.gg>

* refactor: simplify complianceConfig initialization

Move the default value assignment to the variable declaration instead of
the catch block. This is a minor simplification as the full optional
chaining approach doesn't work due to type constraints - ComplianceConfig
doesn't include account_id, only the full Config type does.

Co-Authored-By: mkane@cloudflare.com <m@mk.gg>

* chore: address review feedback

- Update changeset to mention both wrangler.toml and wrangler.jsonc
- Convert inline comment to JSDoc for printAccountIdMismatchWarning function

Co-Authored-By: mkane@cloudflare.com <m@mk.gg>

* chore: add JSDoc to whoami function

Address vicb's review feedback to add JSDoc documentation.

Co-Authored-By: mkane@cloudflare.com <m@mk.gg>

* Minor `whoami` JSDoc tweaks

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Co-authored-by: Ben <4991309+NuroDev@users.noreply.github.com>

Author: 3 people

.changeset/account-id-mismatch-warning.md

@@ -0,0 +1,5 @@
+---
+"wrangler": patch
+---
+
+Display a warning when authentication errors occur and the `account_id` in your Wrangler configuration does not match any of your authenticated accounts. This helps identify configuration issues where you may have the wrong account ID set in your `wrangler.toml` or `wrangler.jsonc` file.

packages/wrangler/src/__tests__/whoami.test.ts

@@ -225,6 +225,42 @@ describe("whoami", () => {
 		msw.use(...mswSuccessOauthHandlers, ...mswSuccessUserHandlers);
 	});
 
+	it("should display a warning when account_id in config does not match authenticated accounts", async () => {
+		writeAuthConfigFile({ oauth_token: "some-oauth-token" });
+		const { whoami } = await import("../user/whoami");
+		await whoami(
+			COMPLIANCE_REGION_CONFIG_UNKNOWN,
+			"unknownaccountid",
+			"unknownaccountid"
+		);
+		expect(std.out).toContain(
+			"The `account_id` in your Wrangler configuration (unknownaccountid) does not match any of your authenticated accounts."
+		);
+		expect(std.out).toContain("This may be causing the authentication error.");
+	});
+
+	it("should not display a warning when account_id matches an authenticated account", async () => {
+		writeAuthConfigFile({ oauth_token: "some-oauth-token" });
+		const { whoami } = await import("../user/whoami");
+		await whoami(COMPLIANCE_REGION_CONFIG_UNKNOWN, "account-1", "account-1");
+		expect(std.out).not.toContain(
+			"does not match any of your authenticated accounts"
+		);
+	});
+
+	it("should not display a warning when accountFilter and configAccountId don't match", async () => {
+		writeAuthConfigFile({ oauth_token: "some-oauth-token" });
+		const { whoami } = await import("../user/whoami");
+		await whoami(
+			COMPLIANCE_REGION_CONFIG_UNKNOWN,
+			"differentaccountid",
+			"unknownaccountid"
+		);
+		expect(std.out).not.toContain(
+			"does not match any of your authenticated accounts"
+		);
+	});
+
 	it("should display membership roles if --account flag is given", async () => {
 		writeAuthConfigFile({ oauth_token: "some-oauth-token" });
 		msw.use(

packages/wrangler/src/core/handle-errors.ts

@@ -113,15 +113,18 @@ export async function handleError(
 			logger.log(chalk.yellow(message));
 		}
 		const accountTag = (e as APIError)?.accountTag;
-		let complianceConfig: ComplianceConfig;
+		let complianceConfig: ComplianceConfig = COMPLIANCE_REGION_CONFIG_UNKNOWN;
+		let configAccountId: string | undefined;
 		try {
-			complianceConfig = await readConfig(args, {
+			const config = await readConfig(args, {
 				hideWarnings: true,
 			});
+			complianceConfig = config;
+			configAccountId = config.account_id;
 		} catch {
-			complianceConfig = COMPLIANCE_REGION_CONFIG_UNKNOWN;
+			// Ignore errors reading config
 		}
-		await whoami(complianceConfig, accountTag);
+		await whoami(complianceConfig, accountTag, configAccountId);
 	} else if (e instanceof ParseError) {
 		e.notes.push({
 			text: "\nIf you think this is a bug, please open an issue at: https://github.com/cloudflare/workers-sdk/issues/new/choose",

packages/wrangler/src/user/whoami.ts

@@ -9,9 +9,17 @@ import { DefaultScopeKeys, getAPIToken, getAuthFromEnv, getScopes } from ".";
 import type { ApiCredentials, Scope } from ".";
 import type { ComplianceConfig } from "@cloudflare/workers-utils";
 
+/**
+ * Displays information about the currently authenticated user, including their
+ * email, accounts, token permissions, and membership roles.
+ *
+ * When called with `accountFilter` and `configAccountId`, also checks for potential
+ * `account_id` mismatches that could cause authentication errors.
+ */
 export async function whoami(
 	complianceConfig: ComplianceConfig,
-	accountFilter?: string
+	accountFilter?: string,
+	configAccountId?: string
 ) {
 	logger.log("Getting User settings...");
 	const user = await getUserInfo(complianceConfig);
@@ -30,6 +38,7 @@ export async function whoami(
 	}
 	printComplianceRegion(complianceConfig);
 	printAccountList(user);
+	printAccountIdMismatchWarning(user, accountFilter, configAccountId);
 	printTokenPermissions(user);
 	await printMembershipInfo(complianceConfig, user, accountFilter);
 }
@@ -73,6 +82,50 @@ function printAccountList(user: UserInfo) {
 	);
 }
 
+/**
+ * Prints a warning if the account_id in the Wrangler configuration does not match
+ * any of the user's authenticated accounts.
+ *
+ * Only shows warning if:
+ * 1. We have an accountFilter (the account ID from the failed request)
+ * 2. We have a configAccountId (the account_id from the wrangler config)
+ * 3. The accountFilter matches the configAccountId (meaning the config account_id was used)
+ * 4. The accountFilter is NOT in the user's accounts list
+ */
+function printAccountIdMismatchWarning(
+	user: UserInfo,
+	accountFilter?: string,
+	configAccountId?: string
+) {
+	if (!accountFilter || !configAccountId) {
+		return;
+	}
+
+	// Check if the account ID from the failed request matches the configured account_id
+	if (accountFilter !== configAccountId) {
+		return;
+	}
+
+	// Check if the configured account_id is in the user's accounts
+	const accountInUserAccounts = user.accounts.some(
+		(account) => account.id === accountFilter
+	);
+
+	if (!accountInUserAccounts) {
+		logger.log(
+			formatMessage({
+				text: `The \`account_id\` in your Wrangler configuration (${chalk.blue(configAccountId)}) does not match any of your authenticated accounts.`,
+				kind: "warning",
+				notes: [
+					{
+						text: "This may be causing the authentication error. Check your Wrangler configuration file and ensure the `account_id` is correct for your account.",
+					},
+				],
+			})
+		);
+	}
+}
+
 function printTokenPermissions(user: UserInfo) {
 	const permissions =
 		user.tokenPermissions?.map((scope) => scope.split(":")) ?? [];