fix(cloudflare): keep oauth system failures issue-worthy

Treat generated OAuth request failures and unknown upstream HTTP failures as system-side auth outages so the Cloudflare callback still captures Sentry issues and surfaces event IDs.

Co-Authored-By: Codex CLI Agent <noreply@openai.com>

Author: dcramer

packages/mcp-cloudflare/src/server/oauth/callback.test.ts

@@ -314,6 +314,39 @@ describe("oauth callback routes", () => {
       expect(exchangeCodeForAccessToken).not.toHaveBeenCalled();
     });
 
+    it("treats invalid_request callback errors as system failures", async () => {
+      logIssue.mockReturnValue("oauth-invalid-request-event-id");
+
+      const testEnv = createTestEnv();
+      const oauthApp = createTestApp();
+      const client = await createClient(testEnv);
+      const cookie = await approveClient(oauthApp, testEnv, client.clientId);
+      const state = await createSignedCallbackState(client.clientId);
+
+      const response = await callCallback(oauthApp, testEnv, {
+        state,
+        cookie,
+        error: "invalid_request",
+      });
+
+      const body = await response.text();
+      expect(response.status).toBe(502);
+      expect(body).toContain(
+        "The authorization request was rejected. Please try again.",
+      );
+      expect(body).toContain(
+        "Event ID:</strong> <code>oauth-invalid-request-event-id</code>",
+      );
+      expect(logIssue).toHaveBeenCalledWith(
+        "[oauth] Upstream authorization callback error",
+        expect.objectContaining({
+          loggerScope: ["cloudflare", "oauth", "callback"],
+        }),
+      );
+      expect(logWarn).not.toHaveBeenCalled();
+      expect(exchangeCodeForAccessToken).not.toHaveBeenCalled();
+    });
+
     it("renders a safe error page when the callback is missing a code", async () => {
       const testEnv = createTestEnv();
       const oauthApp = createTestApp();

packages/mcp-cloudflare/src/server/oauth/helpers.test.ts

@@ -14,6 +14,7 @@ vi.mock("@sentry/mcp-core/telem/logging", () => ({
 import {
   createResourceValidationError,
   exchangeCodeForAccessToken,
+  getOAuthFailureDetails,
   tokenExchangeCallback,
   validateResourceParameter,
 } from "./helpers";
@@ -351,6 +352,63 @@ describe("exchangeCodeForAccessToken", () => {
     );
     expect(logWarn).not.toHaveBeenCalled();
   });
+
+  it("returns an event ID for unknown upstream http failures", async () => {
+    logIssue.mockReturnValue("oauth-forbidden-event-id");
+    vi.spyOn(globalThis, "fetch").mockResolvedValue(
+      new Response("<title>403</title>403 Forbidden", {
+        status: 403,
+        statusText: "Forbidden",
+        headers: { "Content-Type": "text/html; charset=UTF-8" },
+      }),
+    );
+
+    const [payload, response] = await exchangeCodeForAccessToken({
+      client_id: "test-client-id",
+      client_secret: "test-client-secret",
+      code: "test-code",
+      upstream_url: "https://sentry.io/oauth/token",
+      redirect_uri: "https://mcp.sentry.dev/oauth/callback",
+    });
+
+    expect(payload).toBeNull();
+    expect(response).not.toBeNull();
+    expect(response!.status).toBe(502);
+
+    const body = await response!.text();
+    expect(body).toContain(
+      "There was an internal error authenticating your account. Please try again shortly.",
+    );
+    expect(body).toContain(
+      "Event ID:</strong> <code>oauth-forbidden-event-id</code>",
+    );
+    expect(logIssue).toHaveBeenCalledWith(
+      "[oauth] Failed to exchange code for access token",
+      expect.objectContaining({
+        loggerScope: ["cloudflare", "oauth", "callback"],
+      }),
+    );
+    expect(logWarn).not.toHaveBeenCalled();
+  });
+});
+
+describe("getOAuthFailureDetails", () => {
+  it("treats invalid_scope as a system failure", () => {
+    expect(getOAuthFailureDetails({ oauthError: "invalid_scope" })).toEqual({
+      message: "The requested permissions were invalid. Please try again.",
+      status: 502,
+      shouldLogIssue: true,
+    });
+  });
+
+  it("treats unknown upstream http failures as system failures", () => {
+    expect(getOAuthFailureDetails({ upstreamStatus: 403 })).toEqual({
+      message:
+        "There was an internal error authenticating your account. Please try again shortly.",
+      status: 502,
+      shouldLogIssue: true,
+    });
+  });
 });
 
 describe("validateResourceParameter", () => {

packages/mcp-cloudflare/src/server/oauth/helpers.ts

@@ -37,6 +37,12 @@ export function getOAuthFailureDetails({
   status: number;
   shouldLogIssue: boolean;
 } {
+  const systemFailure = (message: string, status = 502) => ({
+    message,
+    status,
+    shouldLogIssue: true,
+  });
+
   switch (oauthError) {
     case "access_denied":
       return {
@@ -46,25 +52,18 @@ export function getOAuthFailureDetails({
         shouldLogIssue: false,
       };
     case "temporarily_unavailable":
-      return {
-        message:
-          "Sentry OAuth is temporarily unavailable. Please try again shortly.",
-        status: 503,
-        shouldLogIssue: true,
-      };
+      return systemFailure(
+        "Sentry OAuth is temporarily unavailable. Please try again shortly.",
+        503,
+      );
     case "server_error":
-      return {
-        message:
-          "Sentry OAuth encountered an internal error. Please try again.",
-        status: 502,
-        shouldLogIssue: true,
-      };
+      return systemFailure(
+        "Sentry OAuth encountered an internal error. Please try again.",
+      );
     case "invalid_request":
-      return {
-        message: "The authorization request was rejected. Please try again.",
-        status: 400,
-        shouldLogIssue: false,
-      };
+      return systemFailure(
+        "The authorization request was rejected. Please try again.",
+      );
     case "invalid_grant":
       return {
         message:
@@ -73,36 +72,34 @@ export function getOAuthFailureDetails({
         shouldLogIssue: false,
       };
     case "invalid_scope":
-      return {
-        message: "The requested permissions were invalid. Please try again.",
-        status: 400,
-        shouldLogIssue: false,
-      };
+      return systemFailure(
+        "The requested permissions were invalid. Please try again.",
+      );
     case "invalid_client":
     case "unauthorized_client":
     case "unsupported_grant_type":
-      return {
-        message:
-          "There was an internal configuration issue completing authentication. Please try again later.",
-        status: 500,
-        shouldLogIssue: true,
-      };
+      return systemFailure(
+        "There was an internal configuration issue completing authentication. Please try again later.",
+        500,
+      );
     default:
-      if (typeof upstreamStatus === "number" && upstreamStatus >= 500) {
-        return {
-          message:
+      if (typeof upstreamStatus === "number") {
+        if (upstreamStatus >= 500) {
+          return systemFailure(
             "There was an internal error authenticating your account. Please try again shortly.",
-          status: 502,
-          shouldLogIssue: true,
-        };
+          );
+        }
+
+        // Any upstream HTTP failure outside explicit user-correctable OAuth errors
+        // points to our configuration, the upstream service, or edge protection.
+        return systemFailure(
+          "There was an internal error authenticating your account. Please try again shortly.",
+        );
       }
 
-      return {
-        message:
-          "There was an issue authenticating your account. Please try again.",
-        status: 400,
-        shouldLogIssue: false,
-      };
+      return systemFailure(
+        "There was an internal error authenticating your account. Please try again shortly.",
+      );
   }
 }