fix: detect invalid OAuth credentials at startup#194
Closed
bobbyg603 wants to merge 1 commit into
Closed
Conversation
The BugSplat server now returns HTTP 400 with `{ message: "Unknown
clientId ..." }` for bad client credentials, which slips past the
js-api-client OAuth login checks (it only treats 401 or
`error: 'invalid_client'` as auth failure). Login silently succeeds with
an undefined access token and every upload then hits
`Failed to parse URL from undefined` in S3 — retried forever.
Validate credentials explicitly in createBugSplatClient via a dedicated
src/auth helper so we fail fast with a BugSplatAuthenticationError and
exit with code 1.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Adds an explicit OAuth credential validation step to prevent the CLI from entering an infinite retry loop when BugSplat returns “successful” OAuth responses that lack an access token, ensuring authentication failures are detected and surfaced immediately at startup.
Changes:
- Introduces
validateOAuthCredentialsto proactively verifyclientId/clientSecretby checking for a returnedaccess_token. - Calls the new validation during OAuth-based client creation before constructing the
@bugsplat/js-api-clientOAuth client. - Adds a new Vitest suite covering success and multiple failure modes (400 unknown clientId payload, 200 without token, non-JSON body, fetch failure).
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/auth.ts | Adds explicit OAuth credential validation and throws BugSplatAuthenticationError on failure. |
| spec/auth.spec.ts | Adds tests for the new credential validation logic. |
| bin/index.ts | Runs OAuth credential validation before creating the OAuth authenticated API client. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+25
to
+26
| throw new BugSplatAuthenticationError( | ||
| `Could not reach ${url} to authenticate: ${(cause as Error).message}` |
Comment on lines
+30
to
+41
| let payload: { access_token?: string } | null = null; | ||
| try { | ||
| payload = (await response.json()) as { access_token?: string }; | ||
| } catch { | ||
| // empty/non-JSON body is treated as auth failure below | ||
| } | ||
|
|
||
| if (!response.ok || !payload?.access_token) { | ||
| throw new BugSplatAuthenticationError( | ||
| 'Could not authenticate, check clientId and clientSecret and try again' | ||
| ); | ||
| } |
daveplunkett
approved these changes
May 18, 2026
bobbyg603
commented
May 18, 2026
| try { | ||
| payload = (await response.json()) as { access_token?: string }; | ||
| } catch { | ||
| // empty/non-JSON body is treated as auth failure below |
Member
Author
|
I think we tried this fix because bugsplat-android was attempting to upload a file using 10.1.7 and getting stuck in a retry loop because that version doesn't support scoped tokens. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
{ message: "Unknown clientId ..." }for bad OAuth credentials. The@bugsplat/js-api-clientOAuth login only treats HTTP 401 or a JSON body containingerror: 'invalid_client'as auth failure, so login silently "succeeds" with an undefined access token. Every subsequent/symsrv/uploadUrlcall returns HTTP 200 with{ error: 'access_denied' }(also unrecognized as auth failure), sogetPresignedUrlreturnsundefinedand S3 throws a generic"Failed to parse URL from undefined"thatworker.tsretries forever.createBugSplatClientbefore constructing the library client. Bad creds throwBugSplatAuthenticationError, which the existing top-level handler logs and exits 1 on.Test plan
npx vitest run— full suite passes (49 tests including 5 new auth tests)npm run build— clean TypeScript buildSYMBOL_UPLOAD_CLIENT_ID/SYMBOL_UPLOAD_CLIENT_SECRETnow exit in <1s withCould not authenticate, check clientId and clientSecret and try againinstead of looping🤖 Generated with Claude Code