SDK error catching

[feruzm]

Summary by CodeRabbit

• Bug Fixes

  • Improved detection and categorization of authentication errors by checking multiple error fields and prioritizing error codes; expanded recognition of token/authentication failure patterns, including additional HiveSigner cases.

• Tests

  • Added coverage validating the new authentication error cases and resulting categorizations.

• Chores

  • Adapter logic updated to consider an optional authority when determining login type, allowing fallbacks (e.g., when a posting key is absent).
  • Package changelogs and versions bumped.

[coderabbitai]

Caution

Review failed

The pull request is closed.

📝 Walkthrough

Walkthrough

Adds extraction and prioritization of an errorCode field when parsing chain errors and extends token/auth error detection to include HiveSigner-specific cases (invalid_grant, unauthorized_access) and additional patterns (unauthorized, forbidden). Also updates PlatformAdapter.getLoginType to accept an optional authority parameter and passes that authority into adapter.getLoginType where used.

Changes

Cohort / File(s)	Summary
Error Handling Enhancement packages/sdk/src/modules/core/errors/chain-errors.ts	Extracts errorCode from nested error objects and prioritizes it in pattern matching; expands checks to evaluate errorCode, errorDescription, errorMessage, and fallback errorString; adds HiveSigner-related token/auth patterns (invalid_grant, unauthorized_access, unauthorized, forbidden).
Tests packages/sdk/src/modules/core/errors/chain-errors.spec.ts	Adds tests verifying HiveSigner error variants map to TOKEN_EXPIRED and asserting message contents for invalid_grant and unauthorized_access scenarios.
Adapter Interface packages/sdk/src/modules/core/types/platform-adapter.ts	Updates PlatformAdapter.getLoginType signature to accept optional authority parameter: getLoginType(username, authority?) and updates JSDoc.
Usage Sites (callsites & implementations) packages/sdk/src/modules/core/mutations/use-broadcast-mutation.ts, apps/web/src/providers/sdk/web-broadcast-adapter.ts	Callsite now passes authority into adapter.getLoginType(username, authority); web adapter updated to accept optional authority and to return null for posting-key privateKey cases when posting authority is requested to allow fallback.
Releases / Manifests packages/sdk/CHANGELOG.md, packages/sdk/package.json, packages/wallets/CHANGELOG.md, packages/wallets/package.json	Bumped package versions and added changelog entries for SDK (2.0.5) and wallets (1.5.33) noting the SDK error-catching patch and dependency update.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• SDK error catching #660 — modifies the same error parsing logic in packages/sdk/src/modules/core/errors/chain-errors.ts and its tests (adds errorCode handling and HiveSigner cases).

Suggested labels

patch:sdk

Poem

🐰 I hop through logs and sniff the broken traces,

Found invalid_grant in far-off places.
I nudge the login path with an authority wink,
So broadcasts fall back rather than sink.
Tiny hops, big fixes — I nibble a carrot, think. 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'SDK error catching' is vague and overly broad. While error handling is addressed in the changes, the PR includes significant work on authentication flow improvements (authority parameter addition) and HiveSigner-specific error patterns. The title doesn't convey these key details.	Consider a more specific title that captures the main objectives, such as 'Add HiveSigner error handling and authority-aware login type detection' or 'Improve SDK error handling and authentication flow'.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch sdkerr

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

packages/sdk/src/modules/core/errors/chain-errors.spec.ts (1)

353-361: shouldTriggerAuthFallback tests look consistent with parseChainError tests.

Both invalid_grant and unauthorized_access correctly assert true. One nit: the error_description in line 359 ("The IP is not authorized") differs slightly from line 144 ("The IP 1.2.3.4 is not authorized"). Both should be equivalent for pattern matching, but keeping them identical across tests avoids any future confusion if the pattern ever becomes more specific.

🔧 Align test fixture with the `parseChainError` counterpart

-      const error = { error: "unauthorized_access", error_description: "The IP is not authorized" };
+      const error = { error: "unauthorized_access", error_description: "The IP 1.2.3.4 is not authorized" };

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/sdk/src/modules/core/errors/chain-errors.spec.ts` around lines 353 -
361, Update the HiveSigner test fixture so the error_description matches the
parseChainError counterpart: change the error object in the
shouldTriggerAuthFallback test for "unauthorized_access" to use "The IP 1.2.3.4
is not authorized" (keeping tests for shouldTriggerAuthFallback and
parseChainError consistent for pattern matching).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/sdk/src/modules/core/errors/chain-errors.spec.ts`:
- Around line 143-148: The test "should parse HiveSigner unauthorized_access
error" currently only asserts result.type === ErrorType.TOKEN_EXPIRED but omits
result.message; update the spec for parseChainError to assert the expected
message as well (either the IP-restriction phrasing like "Access denied from
this IP" or keep the existing "Authentication token expired. Please log in
again." if that is the intended fallback), referencing the test case name and
the parseChainError result so the assertion verifies both result.type and
result.message and exposes the semantic mismatch between unauthorized_access and
the hardcoded TOKEN_EXPIRED message.

---

Nitpick comments:
In `@packages/sdk/src/modules/core/errors/chain-errors.spec.ts`:
- Around line 353-361: Update the HiveSigner test fixture so the
error_description matches the parseChainError counterpart: change the error
object in the shouldTriggerAuthFallback test for "unauthorized_access" to use
"The IP 1.2.3.4 is not authorized" (keeping tests for shouldTriggerAuthFallback
and parseChainError consistent for pattern matching).

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

packages/sdk/src/modules/core/mutations/use-broadcast-mutation.ts (1)

208-208: ⚠️ Potential issue | 🟠 Major

Broad /\bforbidden\b/i pattern in TOKEN_EXPIRED check risks false auth fallbacks

The implementation at packages/sdk/src/modules/core/errors/chain-errors.ts:193 includes a broad /\bforbidden\b/i pattern that will match any error containing the word "forbidden" and classify it as TOKEN_EXPIRED, triggering auth fallback. While HiveSigner-specific error codes (invalid_grant, unauthorized_access) are properly scoped, this regex pattern will incorrectly match HTTP 403 errors unrelated to authentication—such as rate-limiting errors, banned content messages, or other access denial scenarios. The specific pattern at line 140 ("votes evaluating for comment that is paid out is forbidden") is checked first and returns COMMON, but this only covers one specific case. Any other 403 error containing "forbidden" will incorrectly trigger the auth fallback chain instead of surfacing the actual error.

Consider narrowing the TOKEN_EXPIRED check to explicitly scoped patterns (e.g., HiveSigner error descriptions, "token" or "authorization" keywords in proximity to "forbidden") rather than a word-boundary-only match.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/sdk/src/modules/core/mutations/use-broadcast-mutation.ts` at line
208, The TOKEN_EXPIRED classification is too broad because it treats any error
containing the word "forbidden" as an auth expiration and causes
shouldTriggerAuthFallback to run; narrow the `/\bforbidden\b/i` pattern in
chain-errors.ts (the TOKEN_EXPIRED detection logic) to only match auth-scoped
messages such as HiveSigner descriptors (e.g., "invalid_grant",
"unauthorized_access") or instances where "forbidden" appears near
token/authorization words (e.g., "forbidden.*token|authorization|access token")
or check for a 403 HTTP status combined with auth keywords; update the
TOKEN_EXPIRED regex/conditions accordingly and add/adjust unit tests that
exercise forbidden-but-not-auth errors to ensure non-auth 403s are not
classified as TOKEN_EXPIRED.

🧹 Nitpick comments (1)

packages/sdk/src/modules/core/types/platform-adapter.ts (1)

121-121: Tighten authority type from string to the inline union already used elsewhere in this file

broadcastWithKeychain and broadcastWithHiveAuth both use "posting" | "active" | "owner" | "memo" for the equivalent parameter. Using the same inline union for getLoginType prevents implementations from accidentally handling arbitrary strings and keeps the interface self-documenting without needing an external import.

♻️ Proposed tightening

-  getLoginType: (username: string, authority?: string) => Promise<string | null | undefined>;
+  getLoginType: (username: string, authority?: 'posting' | 'active' | 'owner' | 'memo') => Promise<string | null | undefined>;

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/sdk/src/modules/core/types/platform-adapter.ts` at line 121, The
getLoginType signature currently accepts authority?: string; tighten it to the
same inline union used elsewhere ("posting" | "active" | "owner" | "memo") to
prevent arbitrary strings and keep the interface self-documenting: change the
getLoginType declaration (function name getLoginType in platform-adapter.ts) to
use authority?: "posting" | "active" | "owner" | "memo"; and update any local
callers/implementations to accept/return the narrowed type accordingly so types
remain consistent with broadcastWithKeychain and broadcastWithHiveAuth.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/sdk/src/modules/core/mutations/use-broadcast-mutation.ts`:
- Line 185: The web adapter's getLoginType currently ignores the authority
parameter which can return incorrect login types; update the
web-broadcast-adapter.ts implementation of getLoginType to accept the signature
getLoginType(username: string, authority?: string) and use the authority value
to return the correct method (e.g., return 'key' for 'active' authority and
'hivesigner' or 'posting' for posting authority) so
adapter.getLoginType(username, authority) yields authority-aware results; adjust
any internal logic or branching in getLoginType and ensure callers like
broadcastWithMethod continue to receive the correct login type for later checks.

---

Outside diff comments:
In `@packages/sdk/src/modules/core/mutations/use-broadcast-mutation.ts`:
- Line 208: The TOKEN_EXPIRED classification is too broad because it treats any
error containing the word "forbidden" as an auth expiration and causes
shouldTriggerAuthFallback to run; narrow the `/\bforbidden\b/i` pattern in
chain-errors.ts (the TOKEN_EXPIRED detection logic) to only match auth-scoped
messages such as HiveSigner descriptors (e.g., "invalid_grant",
"unauthorized_access") or instances where "forbidden" appears near
token/authorization words (e.g., "forbidden.*token|authorization|access token")
or check for a 403 HTTP status combined with auth keywords; update the
TOKEN_EXPIRED regex/conditions accordingly and add/adjust unit tests that
exercise forbidden-but-not-auth errors to ensure non-auth 403s are not
classified as TOKEN_EXPIRED.

---

Nitpick comments:
In `@packages/sdk/src/modules/core/types/platform-adapter.ts`:
- Line 121: The getLoginType signature currently accepts authority?: string;
tighten it to the same inline union used elsewhere ("posting" | "active" |
"owner" | "memo") to prevent arbitrary strings and keep the interface
self-documenting: change the getLoginType declaration (function name
getLoginType in platform-adapter.ts) to use authority?: "posting" | "active" |
"owner" | "memo"; and update any local callers/implementations to accept/return
the narrowed type accordingly so types remain consistent with
broadcastWithKeychain and broadcastWithHiveAuth.