feat(auth): replace WAF "unexpected error" with more meaningful copy

[toufali]

Because

• The WAF (Fastly) returns 406/429 directly with non-JSON bodies, bypassing the auth server. The auth client's JSON.parse fails and the UI falls back to "Unexpected error", giving devs and false-positive users no guidance.

This pull request

• Catches the JSON parse failure on 406/429 and throws an AuthClientError with errno: 125 (REQUEST_BLOCKED) for 406 and errno: 114 (THROTTLED) for 429.
• Reuses existing localized strings (auth-error-125, auth-error-114-generic)
• Adds unit tests covering both status codes, the Sentry tag shape, the non-WAF passthrough, and that auth-server JSON-bodied 429s are not overridden.

Issue that this pull request solves

Closes: FXA-13612

Checklist

• My commit is GPG signed.
• If applicable, I have modified or added tests which pass locally.
• I have added necessary documentation (if appropriate).
• I have verified that my changes render correctly in RTL (if appropriate).
• I have manually reviewed all AI generated code.

How to review (Optional)

• Key file: packages/fxa-auth-client/lib/client.ts — the parse-failure branch in AuthClient.request().
• The frontend path is unchanged; verify by reading getLocalizedErrorMessage in packages/fxa-settings/src/lib/error-utils.ts — it looks up by errno, so 114/125 already work.

Other information (Optional)

• Sentry signal change: 406/429-with-non-JSON-body events previously surfaced as "unexpected error" with a SyntaxError extra. They now surface as "WAF-blocked response" with status and errno tags. Intentional, but worth knowing for any saved searches.

[Copilot]

Pull request overview

This PR updates fxa-auth-client request error handling to detect WAF-blocked responses that return non-JSON bodies (notably 406/429) and map them to known FxA errnos so downstream UIs can render localized, actionable error messages instead of a generic “Unexpected error”.

Changes:

• Add special-case handling for non-JSON 406/429 responses to synthesize known errnos (114/125) and emit a targeted Sentry message.
• Extend the auth-client test suite with coverage for WAF-blocked non-JSON bodies and for preserving existing behavior in other non-JSON failure cases.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File	Description
packages/fxa-auth-client/lib/client.ts	Adds WAF detection on JSON parse failure for 406/429 and maps to known errnos with Sentry tagging.
packages/fxa-auth-client/test/client.ts	Adds/updates tests to validate synthesized errno behavior and Sentry capture for WAF-blocked responses.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[LZoog]

I didn't test this locally by trying to throw one of these errors, but code LGTM.

[LZoog]

Is this something we want in Sentry? Seems like it'd be nice, but also don't want it eating our tokens for something we won't ever resolve.

[toufali]

fair point @LZoog ! Removed.

[LZoog]

Maybe we want this in statsd though? Not sure 🙂

[vbudhram]

@toufali Thanks!

[vbudhram]

I don't think we need to surface "WAF'? Don't think many folks will know/care what that is. Maybe just "Request blocked"

[toufali]

@vbudhram -- I believe this is internal only, for dev reviewing logs, sentry, etc. Users should see translated strings instead.

[LZoog]

@toufali you could add a Storybook state for this error too if it's easy to ask Claude to do it. 🤷‍♀️

[toufali]

@LZoog @vbudhram :
https://mozilla.github.io/fxa/storybooks/pr-20677/fxa-settings/?path=/story/pages-settings-secondaryemailverify--resend-error-blocked