Skip to content

[wrangler] fix: show env-var hint when /memberships returns code 9106 (bad credentials)#13839

Merged
ascorbic merged 3 commits into
cloudflare:mainfrom
matingathani:fix/auth-error-hint-env-var
May 19, 2026
Merged

[wrangler] fix: show env-var hint when /memberships returns code 9106 (bad credentials)#13839
ascorbic merged 3 commits into
cloudflare:mainfrom
matingathani:fix/auth-error-hint-env-var

Conversation

@matingathani

@matingathani matingathani commented May 7, 2026

Copy link
Copy Markdown
Contributor

Fixes #13656.

When /memberships returns error code 9106 ("Authentication failed") and /accounts is also empty (no usable accounts), Wrangler previously showed a generic "incorrect permissions" message. This PR surfaces a more actionable hint that an environment variable like CLOUDFLARE_API_TOKEN may be set to an invalid value.

Context: PR #13858 added 9106 to MEMBERSHIPS_INACCESSIBLE_CODES — a valid Account API Token returns 9106 on /memberships since that endpoint is user-level. When /accounts has data, the existing fallback works correctly. This PR handles the edge case where 9106 is returned AND /accounts is also empty, which can happen when an env-var credential is malformed.

Change: Inside the isMembershipsInaccessible block, when code is specifically 9106 and no accounts are available, throw a UserError that names the env-var candidates (CLOUDFLARE_API_TOKEN, CLOUDFLARE_API_KEY, CLOUDFLARE_EMAIL) and suggests wrangler logout && wrangler login.


  • Tests
    • Tests included/updated
  • Public documentation
    • Documentation not necessary because: error message improvement only, no public API or behavior change

Copilot AI review requested due to automatic review settings May 7, 2026 00:30
@changeset-bot

changeset-bot Bot commented May 7, 2026

Copy link
Copy Markdown

🦋 Changeset detected

Latest commit: b8e3f6b

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages
Name Type
wrangler Patch
@cloudflare/vite-plugin Patch
@cloudflare/vitest-pool-workers Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@workers-devprod workers-devprod requested review from a team and ascorbic and removed request for a team May 7, 2026 00:31
@workers-devprod

workers-devprod commented May 7, 2026

Copy link
Copy Markdown
Contributor

Codeowners approval required for this PR:

  • @cloudflare/workers-kv
  • @cloudflare/wrangler
Show detailed file reviewers
  • .changeset/fix-auth-error-hint-env-var.md: [@cloudflare/wrangler]
  • packages/wrangler/src/tests/kv/key.test.ts: [@cloudflare/workers-kv @cloudflare/wrangler]
  • packages/wrangler/src/tests/user.test.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/user/fetch-accounts.ts: [@cloudflare/wrangler]

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Improves Wrangler’s handling of Cloudflare API /memberships failures by recognizing error code 9106 (“Missing X-Auth-Key, X-Auth-Email or Authorization headers”) as a bad-credentials scenario and surfacing an actionable UserError that points users to relevant credential environment variables and re-auth steps.

Changes:

  • Add a /memberships “bad credentials” code list (9106) and helper to detect it.
  • Throw a targeted UserError with env-var guidance and suggested wrangler logout / wrangler login steps when 9106 occurs.
  • Add a regression test asserting the improved hint is shown, plus a changeset entry.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File Description
packages/wrangler/src/user/fetch-accounts.ts Detect 9106 as bad credentials and throw a more actionable UserError.
packages/wrangler/src/__tests__/user.test.ts Add coverage ensuring the new env-var hint appears for 9106 from /memberships.
.changeset/fix-auth-error-hint-env-var.md Publish a patch changeset describing the improved error messaging.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread packages/wrangler/src/user/fetch-accounts.ts Outdated
Comment thread packages/wrangler/src/user/fetch-accounts.ts Outdated
@matingathani

Copy link
Copy Markdown
Contributor Author

@NuroDev @penalosa @dario-piotrowicz — all Copilot review comments have been addressed. This PR is ready for review.

@matingathani matingathani force-pushed the fix/auth-error-hint-env-var branch from c9a4e7d to 671ef7e Compare May 10, 2026 07:06
@github-project-automation github-project-automation Bot moved this to Untriaged in workers-sdk May 10, 2026
@pkg-pr-new

pkg-pr-new Bot commented May 10, 2026

Copy link
Copy Markdown
create-cloudflare

npm i https://pkg.pr.new/create-cloudflare@13839

@cloudflare/kv-asset-handler

npm i https://pkg.pr.new/@cloudflare/kv-asset-handler@13839

miniflare

npm i https://pkg.pr.new/miniflare@13839

@cloudflare/pages-shared

npm i https://pkg.pr.new/@cloudflare/pages-shared@13839

@cloudflare/unenv-preset

npm i https://pkg.pr.new/@cloudflare/unenv-preset@13839

@cloudflare/vite-plugin

npm i https://pkg.pr.new/@cloudflare/vite-plugin@13839

@cloudflare/vitest-pool-workers

npm i https://pkg.pr.new/@cloudflare/vitest-pool-workers@13839

@cloudflare/workers-editor-shared

npm i https://pkg.pr.new/@cloudflare/workers-editor-shared@13839

@cloudflare/workers-utils

npm i https://pkg.pr.new/@cloudflare/workers-utils@13839

wrangler

npm i https://pkg.pr.new/wrangler@13839

commit: b8e3f6b

@workers-devprod workers-devprod requested a review from a team May 11, 2026 02:04
@matingathani

Copy link
Copy Markdown
Contributor Author

The CI failures in job 75276344917 are in Miniflare's browser plugin test suite (test/plugins/browser/index.spec.ts) — all 9 failures trace back to the browser session timing out on the Windows runner (first test: it creates a browser session times out after 20 s; subsequent tests then receive an error string instead of the expected response, causing JSON parse errors). This is unrelated to the Wrangler /memberships authentication handling this PR modifies. My changes only affect Wrangler error propagation and messaging logic (fetch-accounts.ts) and its tests. Could a maintainer re-run the Windows job or confirm this is a known flake on main?

@dario-piotrowicz dario-piotrowicz left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR @matingathani 🙂

The PR generally looks good to me, I just left a few small comments

Also the browser test keeps failing, could you maybe try rebasing the PR and see if that helps? 🙂

Comment thread packages/wrangler/src/user/fetch-accounts.ts Outdated
Comment thread packages/wrangler/src/user/fetch-accounts.ts Outdated
Comment thread packages/wrangler/src/user/fetch-accounts.ts Outdated
@workers-devprod

Copy link
Copy Markdown
Contributor

Codeowners approval required for this PR:

  • @cloudflare/workers-kv
  • @cloudflare/wrangler
Show detailed file reviewers
  • .changeset/fix-auth-error-hint-env-var.md: [@cloudflare/wrangler]
  • packages/wrangler/src/tests/kv/key.test.ts: [@cloudflare/workers-kv @cloudflare/wrangler]
  • packages/wrangler/src/tests/user.test.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/user/fetch-accounts.ts: [@cloudflare/wrangler]

…edentials)

When the Cloudflare API returns code 9106 ("Missing X-Auth-Key, X-Auth-Email
or Authorization headers"), Wrangler now emits a UserError explaining that
an environment variable such as CLOUDFLARE_API_TOKEN may be set to an invalid
value, and suggests running `wrangler logout` / `wrangler login` to re-authenticate.

Previously the raw API error was rethrown with no guidance, leaving users
confused about why their credentials were rejected.

Fixes cloudflare#13656
… use it in isMembershipsInaccessible, remove "also" from comment
@matingathani matingathani force-pushed the fix/auth-error-hint-env-var branch from 04f419c to b8e3f6b Compare May 13, 2026 00:33
@matingathani

Copy link
Copy Markdown
Contributor Author

New CI failure (Tests, macOS, fixtures) is in @fixture/unbound-durable-object — unrelated to the /memberships auth changes in this PR. Could a maintainer re-run the failed job?

@matingathani

Copy link
Copy Markdown
Contributor Author

All three comments addressed ("also" removed, using getMembershipsErrorCode, renamed to getErrorCode). Rebased on main — the browser test failure should be cleared now.

@ascorbic ascorbic left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for addressing all the comments. Looking good now!

@workers-devprod

Copy link
Copy Markdown
Contributor

Codeowners approval required for this PR:

  • @cloudflare/workers-kv
  • ✅ @cloudflare/wrangler
Show detailed file reviewers
  • packages/wrangler/src/tests/kv/key.test.ts: [@cloudflare/workers-kv]

@ascorbic ascorbic left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Codeowners Bypass

@workers-devprod workers-devprod left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Codeowners reviews satisfied

@github-project-automation github-project-automation Bot moved this from Untriaged to Approved in workers-sdk May 19, 2026
@ascorbic ascorbic merged commit 735852d into cloudflare:main May 19, 2026
63 of 64 checks passed
@github-project-automation github-project-automation Bot moved this from Approved to Done in workers-sdk May 19, 2026
@ascorbic

Copy link
Copy Markdown
Contributor

Skipped KV review, as it was just a test snapshot change

penalosa pushed a commit that referenced this pull request May 28, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

/memberships returns status: 400 (code: 9106) — how should wrangler react?

5 participants