fix: improve error message for revoked API tokens with --reach (#1145)

* fix: improve error message for revoked API tokens with --reach

When using `socket scan create --reach` with an invalid or revoked API
token, the CLI now shows a clear "Authentication failed" message instead
of the misleading "Unable to verify plan permissions" error. Also splits
401/403 handling in the API layer so unauthorized tokens get a distinct
message from insufficient permissions.

Bumps @coana-tech/cli from 14.12.200 to 14.12.201 and Socket CLI to
v1.1.77.

* fix: respect silence parameter in fetchOrganization error logging

The logger.fail call was running unconditionally, causing unwanted
output for callers that pass silence: true (e.g. getDefaultOrgSlug)
and double error messages in the 401 reachability flow.

Author: mtorp

CHANGELOG.md

@@ -4,6 +4,14 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [1.1.77](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.77) - 2026-04-01
+
+### Fixed
+- Improved error message when using `--reach` with an invalid, expired, or revoked API token. Previously showed a misleading "Unable to verify plan permissions" error; now clearly indicates the authentication failure.
+
+### Changed
+- Updated the Coana CLI to v `14.12.201`.
+
 ## [1.1.74](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.74) - 2026-03-19
 
 ### Fixed

package.json

@@ -1,6 +1,6 @@
 {
   "name": "socket",
-  "version": "1.1.76",
+  "version": "1.1.77",
   "description": "CLI for Socket.dev",
   "homepage": "https://github.com/SocketDev/socket-cli",
   "license": "MIT AND OFL-1.1",
@@ -97,7 +97,7 @@
     "@babel/preset-typescript": "7.27.1",
     "@babel/runtime": "7.28.4",
     "@biomejs/biome": "2.2.4",
-    "@coana-tech/cli": "14.12.200",
+    "@coana-tech/cli": "14.12.201",
     "@cyclonedx/cdxgen": "12.1.2",
     "@dotenvx/dotenvx": "1.49.0",
     "@eslint/compat": "1.3.2",

pnpm-lock.yaml

@@ -1,3 +1,5 @@
+import { logger } from '@socketsecurity/registry/lib/logger'
+
 import { handleApiCall } from '../../utils/api.mts'
 import { setupSdk } from '../../utils/sdk.mts'
 
@@ -54,6 +56,9 @@ export async function fetchOrganization(
     silence,
   })
   if (!orgsCResult.ok) {
+    if (!silence) {
+      logger.fail(orgsCResult.message, orgsCResult.cause)
+    }
     return orgsCResult
   }
 

src/commands/organization/fetch-organization-list.mts

@@ -75,6 +75,15 @@ export async function performReachabilityAnalysis(
   // Check if user has enterprise plan for reachability analysis.
   const orgsCResult = await fetchOrganization()
   if (!orgsCResult.ok) {
+    const httpCode = (orgsCResult.data as { code?: number } | undefined)?.code
+    if (httpCode === constants.HTTP_STATUS_UNAUTHORIZED) {
+      return {
+        ok: false,
+        message: 'Authentication failed',
+        cause:
+          'Your API token appears to be invalid, expired, or revoked. Please check your token and try again.',
+      }
+    }
     return {
       ok: false,
       message: 'Unable to verify plan permissions',

src/commands/scan/perform-reachability-analysis.mts

@@ -248,7 +248,10 @@ export async function getErrorMessageForHttpStatusCode(code: number) {
   if (code === HTTP_STATUS_BAD_REQUEST) {
     return 'One of the options passed might be incorrect'
   }
-  if (code === HTTP_STATUS_FORBIDDEN || code === HTTP_STATUS_UNAUTHORIZED) {
+  if (code === HTTP_STATUS_UNAUTHORIZED) {
+    return 'Your Socket API token appears to be invalid, expired, or revoked. Please verify your token is correct and active'
+  }
+  if (code === HTTP_STATUS_FORBIDDEN) {
     return 'Your Socket API token may not have the required permissions for this command or you might be trying to access (data from) an organization that is not linked to the API token you are logged in with'
   }
   if (code === HTTP_STATUS_NOT_FOUND) {