fix: actionable error for wrong-org permission failures on database tools#329
Open
barryroodt wants to merge 1 commit into
Open
Conversation
…ools A 403 from the Management API on database operations (execute_sql, list_tables, migrations) previously surfaced as a bare 'You do not have permission to perform this action', giving users and LLM clients no hint that the access token was scoped to the wrong organization. Map project-scoped 403s on database operations to a message that names the project and suggests re-authenticating with the organization that owns it. Other endpoints are intentionally untouched, since a 403 there can mean plan or role restrictions. Fixes AI-178
Coverage Report for CI Build 29317867758Coverage increased (+0.008%) to 96.251%Details
Uncovered ChangesNo uncovered changes found. Coverage RegressionsNo coverage regressions found. Coverage Stats
💛 - Coveralls |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Authenticating to the wrong organization (e.g. selecting the wrong org during OAuth login) makes database tools (
list_tables,execute_sql, migrations) fail with a bare:Nothing indicates that org selection is the cause — hard to debug for users, and useless to the LLM driving the session.
Linear: AI-178
Change
New
assertProjectScopedSuccess(response, fallbackMessage, projectId)inmanagement-api/index.ts: intercepts 403 only, preserves the upstream API message when present, and appends:All non-403 errors fall through to the existing
assertSuccess.Wired into the three database platform ops (
executeSql,listMigrations,applyMigration), which backexecute_sql,list_tables,list_extensions,list_migrations, andapply_migration.Intentionally not applied to other endpoints (billing/admin/project ops), where a 403 can mean plan or role restrictions and org-selection advice would mislead. JSDoc on the helper documents this.
Note: the target project's org can't be named in the message — with a wrong-org token the project lookup itself returns 403, so the org is unknowable. The message names the project ref and the likely cause instead.
Verification
All commands run from
packages/mcp-server-supabase:TDD: added two tool-level regression tests (
execute_sqlandlist_tablesagainst an MSW 403 override on/v1/projects/:ref/database/query). Ranpnpm vitest run src/server.test.ts -t "permission denied"before the fix — both failed with the raw upstream message (You do not have permission to perform this action) — and after:pnpm test:unit— 166/166 passed (10 files)pnpm typecheck(tsc --noEmit) — cleanpnpm biome check src/management-api/index.ts src/platform/api-platform.ts src/server.test.ts— cleanOut of scope
The timeout variant from the original user report is gateway-side (tracked as AUTH-871 in the Remote MCP (HTTP API) project) and is not addressed here.
🤖 AI-assisted; human-reviewed per CONTRIBUTING.md.