
fix(auth): short-circuit whoami for org auth tokens (CLI-1AZ)#841

Merged: BYK merged 3 commits into main from byk/cli-1az-whoami-400 on Apr 25, 2026

Conversation

BYK (Member) commented Apr 24, 2026

Summary

Fix CLI-1AZ: sentry auth whoami throws a confusing empty-detail ApiError: API request failed: 400 Bad Request when the active token is an organization auth token (sntrys_...).

The Sentry backend's /auth/ endpoint (AuthIndexEndpoint) doesn't accept org auth tokens — UserAuthTokenAuthentication.accepts_auth explicitly rejects the sntrys_ prefix, and OrgAuthTokenAuthentication was never added to this endpoint (getsentry/sentry#112853 added user-token auth only). Even if it did, whoami is semantically meaningless for org tokens — they aren't tied to a single user. The CLI should detect this client-side and tell the user clearly, not let them hit a 400.

What this PR does

  1. Org-token short-circuit (src/commands/auth/whoami.ts): before any API call, inspect the effective token via getAuthToken(). If it's sntrys_..., throw a ResolutionError pointing to sentry auth status and sentry org list. No request, no confusing 400, no auto-login loop.

  2. Response-header telemetry (src/lib/api/infrastructure.ts): on every 4xx/5xx in apiRequestToRegion, attach an allow-listed subset of response headers (content-type, content-length, server, cf-ray, x-sentry-error, www-authenticate) to the Sentry scope as api_response_headers context. Lets future empty-detail 4xx events be triaged without user-side repro — Sentry-app 4xx (JSON body) vs CDN / WAF / proxy 4xx (HTML or empty body) is visible at a glance. Useful diagnostic for any future auth-class anomaly.

  3. New classifySentryToken() helper (src/lib/token-type.ts): literal-prefix classification returning "org-auth-token" / "user-auth-token" / "oauth-or-legacy". Tiny, reusable, property-tested.

Background

Most events on CLI-1AZ pre-date the server-side rollout of getsentry/sentry#112853 (merged Apr 20, shipped 26.4.1). That PR added UserAuthTokenAuthentication to the /auth/ endpoint, fixing 400s for OAuth and user PATs (sntryu_...). Now that the rollout is complete, the only persistent 400 cause on /auth/ is org auth tokens — addressed by the short-circuit above.

Verification

  • bun x tsc --noEmit — clean.
  • bun run script/check-error-patterns.ts — no anti-patterns.
  • bun test test/commands/auth/whoami.test.ts — 13/13 pass (org-token short-circuit + error message + sntryu_ passes through, plus existing happy-path coverage).
  • bun test test/lib/token-type.property.test.ts — 10/10 pass (fast-check properties + case sensitivity + boundary cases).
  • bun test test/lib/api/infrastructure.test.ts — 5/5 pass (telemetry addition doesn't regress).

Manual repro

# Org-token short-circuit (no API call, clear message)
SENTRY_AUTH_TOKEN='sntrys_fake' bun run src/bin.ts auth whoami

# Normal happy path (unchanged)
bun run src/bin.ts auth whoami

Refs


GET /api/0/auth/ historically returned 400 Bad Request for valid Bearer
tokens because Sentry's AuthIndexEndpoint excluded UserAuthTokenAuthentication,
so tokens were silently ignored and the handler returned 400 with an empty
body. Fixed server-side by getsentry/sentry#112853 (shipped 26.4.1), but
CLIs in the wild must still degrade gracefully during rollout — and org auth
tokens (sntrys_...) continue to hit this 400 forever because the fix only
added UserAuthTokenAuthentication (not OrgAuthTokenAuthentication) and
UserAuthTokenAuthentication.accepts_auth explicitly rejects the sntrys_ prefix.

- Short-circuit whoami when the active token is an org auth token —
  whoami is semantically meaningless for org-scoped tokens (no user to
  return). Emit a clear CliError pointing to auth status / org list
  before any API call.
- Translate ApiError(400) from /auth/ into AuthError('invalid') with
  skipAutoAuth: true and a helpful message (sentry auth login,
  sentry auth status). Silent refresh wouldn't help (token is valid,
  endpoint is refusing to parse it); triggering auto-login on whoami
  itself would loop.
- Add allowlisted response-header capture in apiRequestToRegion 4xx/5xx
  path (content-type, content-length, server, cf-ray, x-sentry-error,
  www-authenticate) so future empty-detail 400s are triageable without
  a user-side repro.
- New src/lib/token-type.ts helper with classifySentryToken() for
  prefix-based classification (org-auth-token / user-auth-token /
  oauth-or-legacy).

Drives Sentry issue CLI-1AZ down to zero once rollout completes and keeps
org-token users on a clear path forever.
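The token classification, the client-side whoami short-circuit and the allow-listed header capture described in this PR, as an added TypeScript example that is not the sentry CLI project's own code. The prefixes sntrys_ / sntryu_, the three classification labels and the six allow-listed header names come from the PR description; the function names other than classifySentryToken, the message text, the returned-string-instead-of-thrown-ResolutionError shape, the classifyErrorOrigin triage heuristic and the sample header set are assumptions made for this example.

```typescript
// Added example, not the sentry CLI's own code. Models what the PR description
// says the change does: literal-prefix token classification, a client-side
// whoami short-circuit for organization tokens, and an allow-listed subset of
// response headers for 4xx/5xx error telemetry. Names other than
// classifySentryToken, the message text and the triage heuristic are assumptions.

export type TokenKind = "org-auth-token" | "user-auth-token" | "oauth-or-legacy";

// Literal, case-sensitive prefix check. "sntrys_" marks an organization auth
// token, "sntryu_" a user auth token; anything else is OAuth or a legacy token.
export function classifySentryToken(token: string): TokenKind {
  if (token.startsWith("sntrys_")) return "org-auth-token";
  if (token.startsWith("sntryu_")) return "user-auth-token";
  return "oauth-or-legacy";
}

// Run before any network request. Returns null when `whoami` may proceed, or a
// user-facing message when it must stop: an org token is not tied to a user, so
// /auth/ has nothing to answer and would only produce an empty-detail 400.
export function whoamiPreflight(token: string | undefined): string | null {
  if (!token) return null; // no token at all: leave that to the normal login flow
  if (classifySentryToken(token) !== "org-auth-token") return null;
  return (
    "The active token is an organization auth token (sntrys_...), which is not " +
    "tied to a user, so `whoami` cannot answer. Try `sentry auth status` or " +
    "`sentry org list`."
  );
}

// Headers worth attaching to an error event. Anything not listed (cookies,
// per-request ids from other layers, anything that could carry a secret) is
// dropped so the telemetry context stays small and safe to ship.
const TELEMETRY_HEADER_ALLOWLIST = new Set([
  "content-type",
  "content-length",
  "server",
  "cf-ray",
  "x-sentry-error",
  "www-authenticate",
]);

// Reduce raw response headers to the allow-listed subset with lowercased names,
// ready to be attached as an `api_response_headers` context on the error event.
export function pickTelemetryHeaders(raw: Record<string, string>): Record<string, string> {
  const picked: Record<string, string> = {};
  for (const [name, value] of Object.entries(raw)) {
    const key = name.toLowerCase();
    if (TELEMETRY_HEADER_ALLOWLIST.has(key)) picked[key] = value;
  }
  return picked;
}

// Triage heuristic (an assumption for this example) over the picked headers: a
// JSON body points at the Sentry application itself, an HTML or empty body at
// the CDN / WAF / proxy in front of it. Only meaningful for error statuses.
export function classifyErrorOrigin(
  status: number,
  headers: Record<string, string>,
): "sentry-app" | "edge-or-proxy" | "unknown" {
  if (status < 400) return "unknown";
  const contentType = (headers["content-type"] ?? "").toLowerCase();
  const contentLength = Number(headers["content-length"] ?? "NaN");
  if (contentType.includes("application/json")) return "sentry-app";
  if (contentType.includes("text/html") || contentLength === 0) return "edge-or-proxy";
  return "unknown";
}

// Constructed sample: headers an HTML 400 served by a CDN edge might carry.
// The CF-RAY value is a placeholder, not a real ray id.
const SAMPLE_EDGE_400_HEADERS: Record<string, string> = {
  "Content-Type": "text/html; charset=UTF-8",
  "Content-Length": "155",
  "Server": "cloudflare",
  "CF-RAY": "0000000000000000-EXAMPLE",
  "Set-Cookie": "__cf_bm=example; Secure; HttpOnly", // not allow-listed, dropped
};

// Walk the whole path once: preflight, header capture, triage.
export function demo(): { preflight: string | null; headers: Record<string, string>; origin: string } {
  const headers = pickTelemetryHeaders(SAMPLE_EDGE_400_HEADERS);
  return {
    preflight: whoamiPreflight("sntrys_fake"),
    headers,
    origin: classifyErrorOrigin(400, headers),
  };
}
```

The classifier is deliberately a plain `startsWith` rather than a regex so that the boundary cases the PR's property tests mention (case sensitivity, a bare `sntrys` without the underscore) fall through to "oauth-or-legacy" instead of being guessed at; the header filter lowercases names before matching because header names are case-insensitive on the wire but the allow-list is written in lowercase.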
github-actions Bot (Contributor) commented Apr 24, 2026

PR Preview Action v1.8.1


🚀 View preview at
https://cli.sentry.dev/_preview/pr-841/

Built to branch gh-pages at 2026-04-25 14:50 UTC.
Preview will be ready when the GitHub Pages deployment is complete.

github-actions Bot (Contributor) commented Apr 24, 2026

Codecov Results 📊

5933 passed | Total: 5933 | Pass Rate: 100% | Execution Time: 0ms

📊 Comparison with Base Branch

Metric          Change
Total Tests     📈 +13
Passed Tests    📈 +13
Failed Tests    —
Skipped Tests   —

All tests are passing successfully.

❌ Patch coverage is 79.49%. Project has 13047 uncovered lines.
❌ Project coverage is 75.14%. Comparing base (base) to head (head).

Files with missing lines (1)

File                          Patch %   Lines
src/commands/auth/whoami.ts   65.22%    ⚠️ 8 Missing
Coverage diff
@@            Coverage Diff             @@
##          main       #PR       +/-##
==========================================
- Coverage    75.16%    75.14%    -0.02%
==========================================
  Files          284       285        +1
  Lines        52437     52490       +53
  Branches         0         0         —
==========================================
+ Hits         39412     39443       +31
- Misses       13025     13047       +22
- Partials         0         0         —

Generated by Codecov Action

BYK added 2 commits April 24, 2026 17:26

CI's check:errors linter rejects CliError with ad-hoc 'Try:' strings —
switch to ResolutionError (which already has structured headline/hint/
suggestions semantics) per AGENTS.md error hierarchy guidance.

The server-side fix (getsentry/sentry#112853) is rolled out — OAuth and
user PAT 400s on /auth/ are no longer happening. The only persistent
400 case is org auth tokens, which we already short-circuit before the
API call. The 400 → AuthError translation was both unhelpful (the
'rolling out' claim is no longer accurate) and unreachable in normal
operation.

Anomalous future 400s remain diagnosable via the response-header
telemetry context added to apiRequestToRegion in this PR.

BYK changed the title from "fix(auth): translate whoami 400 + short-circuit org auth tokens (CLI-1AZ)" to "fix(auth): short-circuit whoami for org auth tokens (CLI-1AZ)" on Apr 25, 2026
BYK merged commit 075b039 into main on Apr 25, 2026
26 checks passed
BYK deleted the byk/cli-1az-whoami-400 branch on April 25, 2026 18:12