fix(github): surface GitHub invalid_grant as OAuthInvalidGrantError (#405)

When GitHub responds to a refresh-token exchange with `invalid_grant` or
`bad_refresh_token` (the user revoked the app, or the refresh_token was
rotated out), throw the typed `OAuthInvalidGrantError` from
`@decocms/runtime` instead of a generic `Error`. The runtime's `/token`
handler maps this to a spec-compliant `400 invalid_grant`, which lets the
mesh evict the dead refresh_token and prompt the user to reconnect.
Transient failures (5xx, network) keep throwing a plain `Error` and
surface as `500`, so mesh leaves the cached row intact for retry.

Bumps `@decocms/runtime` to ^1.6.0 (the version that exports
`OAuthInvalidGrantError`).

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: tlgimenes

bun.lock

@@ -7,18 +7,20 @@
   "scripts": {
     "dev": "bunx wrangler dev",
     "check": "tsc --noEmit",
+    "test": "bun test",
     "build": "bunx wrangler deploy --dry-run --outdir=dist",
     "deploy": "bunx wrangler deploy"
   },
   "dependencies": {
     "@decocms/bindings": "^1.4.0",
-    "@decocms/runtime": "1.5.0",
+    "@decocms/runtime": "^1.6.0",
     "@modelcontextprotocol/sdk": "^1.27.1",
     "zod": "^4.0.0"
   },
   "devDependencies": {
     "@cloudflare/workers-types": "^4.20251014.0",
     "@decocms/mcps-shared": "1.0.0",
+    "@types/bun": "^1.2.14",
     "@types/node": "^22.0.0",
     "typescript": "^5.7.2",
     "wrangler": "^4.28.0"

github/package.json

@@ -0,0 +1,151 @@
+import { afterEach, beforeEach, describe, expect, test } from "bun:test";
+import { OAuthInvalidGrantError } from "@decocms/runtime";
+import { refreshAccessToken } from "./github-client.ts";
+
+const realFetch = globalThis.fetch;
+
+type FetchMock = (
+  input: Request | URL | string,
+  init?: RequestInit,
+) => Promise<Response>;
+
+function mockFetch(impl: FetchMock) {
+  globalThis.fetch = impl as typeof globalThis.fetch;
+}
+
+describe("refreshAccessToken", () => {
+  beforeEach(() => {
+    globalThis.fetch = realFetch;
+  });
+
+  afterEach(() => {
+    globalThis.fetch = realFetch;
+  });
+
+  test("throws OAuthInvalidGrantError when GitHub returns 200 with error=invalid_grant", async () => {
+    mockFetch(
+      async () =>
+        new Response(
+          JSON.stringify({
+            error: "invalid_grant",
+            error_description:
+              "The refresh token has expired or has been revoked",
+          }),
+          { status: 200, headers: { "Content-Type": "application/json" } },
+        ),
+    );
+
+    let caught: unknown;
+    try {
+      await refreshAccessToken("rt", "client_id", "client_secret");
+    } catch (err) {
+      caught = err;
+    }
+
+    expect(caught).toBeInstanceOf(OAuthInvalidGrantError);
+    const typed = caught as OAuthInvalidGrantError;
+    expect(typed.error).toBe("invalid_grant");
+    expect(typed.errorDescription).toBe(
+      "The refresh token has expired or has been revoked",
+    );
+  });
+
+  test("throws OAuthInvalidGrantError when GitHub returns error=bad_refresh_token", async () => {
+    mockFetch(
+      async () =>
+        new Response(JSON.stringify({ error: "bad_refresh_token" }), {
+          status: 200,
+          headers: { "Content-Type": "application/json" },
+        }),
+    );
+
+    let caught: unknown;
+    try {
+      await refreshAccessToken("rt", "client_id", "client_secret");
+    } catch (err) {
+      caught = err;
+    }
+
+    expect(caught).toBeInstanceOf(OAuthInvalidGrantError);
+    expect((caught as OAuthInvalidGrantError).error).toBe("bad_refresh_token");
+  });
+
+  test("throws OAuthInvalidGrantError on 400 invalid_grant", async () => {
+    mockFetch(
+      async () =>
+        new Response(JSON.stringify({ error: "invalid_grant" }), {
+          status: 400,
+          headers: { "Content-Type": "application/json" },
+        }),
+    );
+
+    let caught: unknown;
+    try {
+      await refreshAccessToken("rt", "client_id", "client_secret");
+    } catch (err) {
+      caught = err;
+    }
+
+    expect(caught).toBeInstanceOf(OAuthInvalidGrantError);
+  });
+
+  test("throws plain Error (not OAuthInvalidGrantError) on 5xx", async () => {
+    mockFetch(
+      async () =>
+        new Response("Bad Gateway", {
+          status: 502,
+          headers: { "Content-Type": "text/plain" },
+        }),
+    );
+
+    let caught: unknown;
+    try {
+      await refreshAccessToken("rt", "client_id", "client_secret");
+    } catch (err) {
+      caught = err;
+    }
+
+    expect(caught).toBeInstanceOf(Error);
+    expect(caught).not.toBeInstanceOf(OAuthInvalidGrantError);
+  });
+
+  test("propagates plain Error on network failure", async () => {
+    mockFetch(async () => {
+      throw new Error("network down");
+    });
+
+    let caught: unknown;
+    try {
+      await refreshAccessToken("rt", "client_id", "client_secret");
+    } catch (err) {
+      caught = err;
+    }
+
+    expect(caught).toBeInstanceOf(Error);
+    expect(caught).not.toBeInstanceOf(OAuthInvalidGrantError);
+    expect((caught as Error).message).toBe("network down");
+  });
+
+  test("returns token response on success", async () => {
+    mockFetch(
+      async () =>
+        new Response(
+          JSON.stringify({
+            access_token: "new-access",
+            token_type: "Bearer",
+            expires_in: 28800,
+            refresh_token: "new-refresh",
+            refresh_token_expires_in: 15897600,
+            scope: "repo",
+          }),
+          { status: 200, headers: { "Content-Type": "application/json" } },
+        ),
+    );
+
+    const result = await refreshAccessToken("rt", "client_id", "client_secret");
+
+    expect(result.access_token).toBe("new-access");
+    expect(result.refresh_token).toBe("new-refresh");
+    expect(result.scope).toBe("repo");
+  });
+});

github/server/lib/github-client.test.ts

@@ -2,6 +2,8 @@
  * GitHub OAuth helpers
  */
 
+import { OAuthInvalidGrantError } from "@decocms/runtime";
+
 export interface GitHubTokenResponse {
   access_token: string;
   token_type: string;
@@ -83,16 +85,63 @@ export function exchangeCodeForToken(
 /**
  * Exchange a refresh token for a new access token.
  * Only works for GitHub Apps that issue expiring user tokens.
+ *
+ * Throws `OAuthInvalidGrantError` for the spec-compliant permanent-failure
+ * cases (`invalid_grant` / `bad_refresh_token`) so the runtime's `/token`
+ * handler can map it to `400 invalid_grant` and let mesh evict the cached
+ * refresh_token. Anything else (5xx, network, malformed body) propagates
+ * as a plain `Error` and surfaces as `500` — treated as transient by mesh.
  */
-export function refreshAccessToken(
+export async function refreshAccessToken(
   refreshToken: string,
   clientId: string,
   clientSecret: string,
 ): Promise<GitHubTokenResponse> {
-  return postToGitHub({
-    client_id: clientId,
-    client_secret: clientSecret,
-    grant_type: "refresh_token",
-    refresh_token: refreshToken,
+  const response = await fetch(GITHUB_TOKEN_ENDPOINT, {
+    method: "POST",
+    headers: {
+      Accept: "application/json",
+      "Content-Type": "application/json",
+      "User-Agent": "deco-cms-github-mcp",
+    },
+    body: JSON.stringify({
+      client_id: clientId,
+      client_secret: clientSecret,
+      grant_type: "refresh_token",
+      refresh_token: refreshToken,
+    }),
   });
+
+  // Per RFC 6749 §5.2 the canonical signal is the body's `error` field, not
+  // the HTTP status — and GitHub historically returns `200 { error: "..." }`
+  // when `Accept: application/json` is set. Read the body before branching
+  // on status so we can recognise the typed error in either shape.
+  const data = (await response.json().catch(() => ({}))) as
+    | RawGitHubTokenResponse
+    | Record<string, never>;
+
+  if (data.error === "invalid_grant" || data.error === "bad_refresh_token") {
+    throw new OAuthInvalidGrantError(data.error, data.error_description);
+  }
+
+  if (!response.ok) {
+    throw new Error(
+      `GitHub OAuth failed: ${response.status} - ${data.error ?? "unknown"}`,
+    );
+  }
+
+  if (data.error) {
+    throw new Error(
+      `GitHub OAuth error: ${data.error_description || data.error}`,
+    );
+  }
+
+  return {
+    access_token: data.access_token,
+    token_type: data.token_type || "Bearer",
+    expires_in: data.expires_in,
+    refresh_token: data.refresh_token,
+    refresh_token_expires_in: data.refresh_token_expires_in,
+    scope: data.scope,
+  };
 }

github/server/lib/github-client.ts

@@ -24,7 +24,8 @@
     /* Types */
     "types": [
       "@types/node",
-      "@cloudflare/workers-types"
+      "@cloudflare/workers-types",
+      "bun"
     ]
   },
   "include": [