feat: interactive SSO callback as last resort on 401 auth failure

When all automated auth methods fail (JEE, JAS, Basic, programmatic SSO)
and the server still returns 401, invoke ssoCallback with the resource URL
as a last resort. This handles servers like Codebeamer where SSO is available
but not discoverable from response headers — the user authenticates
interactively via a browser window.

Also: properly reject with AUTH_EXHAUSTED when 401 persists after all
attempted methods, instead of returning the raw 401 response.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: jamsden

OSLCClient.js

@@ -330,7 +330,36 @@ export default class OSLCClient {
             }
         }
 
-        // No authentication challenge — return response as-is
+        // 5. Interactive SSO callback as last resort — when all automated methods
+        // failed (or none matched) and we still have an auth failure, let the user
+        // authenticate interactively via browser window.
+        if (status === 401 && this.ssoCallback && !attempted.includes('sso-interactive')) {
+            attempted.push('sso-interactive');
+            try {
+                const resourceUrl = originalRequest.url;
+                console.log(`[OSLCClient] Trying interactive SSO callback for ${resourceUrl?.substring(0, 80)}`);
+                const callbackResult = await this.ssoCallback(resourceUrl);
+                if (callbackResult) {
+                    if (isNodeEnvironment && CookieJar && callbackResult instanceof CookieJar) {
+                        this.jar = callbackResult;
+                    }
+                    originalRequest._oslcAuthHandled = true;
+                    delete originalRequest.auth; // Remove failed Basic auth
+                    const retryResponse = await this.client.request(originalRequest);
+                    return this._handleAuthDispatch(retryResponse, cycle + 1, attempted);
+                }
+            } catch (ssoError) {
+                oslcClientLogHttpError('Interactive SSO callback failed', ssoError);
+            }
+        }
+
+        // No authentication challenge or all methods already attempted
+        if (status === 401 && attempted.length > 0) {
+            // Still 401 after trying auth methods — all failed
+            return this._createAuthExhaustedRejection(response, attempted);
+        }
+
+        // Non-401 response (success, or no auth challenge) — return as-is
         return response;
     }
 

__tests__/OSLCClient.auth.test.js

@@ -256,21 +256,23 @@ describe('auth dispatch', () => {
             data: 'Unauthorized',
         };
 
-        // Basic auth retry also returns 401 — since 'basic' is already in
-        // attempted, dispatch won't retry it and falls through to no-challenge
-        // (returning the 401 response as-is from the re-dispatch)
+        // Basic auth retry also returns 401
         client.client.request = jest.fn(async () => ({
             status: 401,
             headers: {},
             config: originalConfig,
             data: 'Unauthorized',
         }));
 
-        // Basic auth is tried once, fails, re-dispatch sees 401 with basic
-        // already attempted → returns the 401 response (no more methods to try)
-        const result = await client._handleAuthDispatch(unauthorizedResponse, 0);
-        expect(result.status).toBe(401);
-        expect(client.client.request).toHaveBeenCalledTimes(1);
+        // Basic auth tried once, fails → still 401 with methods attempted → AUTH_EXHAUSTED
+        try {
+            await client._handleAuthDispatch(unauthorizedResponse, 0);
+            throw new Error('Should have rejected');
+        } catch (error) {
+            expect(error.code).toBe('AUTH_EXHAUSTED');
+            expect(error.attempted).toContain('basic');
+            expect(client.client.request).toHaveBeenCalledTimes(1);
+        }
     });
 
     test('SSO detection — dispatches on 3xx redirect to IdP URL', async () => {