Skip to content

[wrangler] Fix Account API Tokens failing on /memberships#13858

Merged
penalosa merged 3 commits into
mainfrom
penalosa/wrangler/memberships-9106
May 7, 2026
Merged

[wrangler] Fix Account API Tokens failing on /memberships#13858
penalosa merged 3 commits into
mainfrom
penalosa/wrangler/memberships-9106

Conversation

@penalosa

@penalosa penalosa commented May 7, 2026

Copy link
Copy Markdown
Contributor

Fixes #13857.

PR #13770 added a fallback to /accounts when /memberships is inaccessible to the current auth, with code 9109 (Insufficient permissions) cited as the "structural Account API Token case". In practice, /memberships actually returns code 9106 (Authentication failed) for Account API Tokens — /memberships is a user-level endpoint and account-scoped tokens have no user identity, so the API rejects them at this endpoint even though a valid Bearer token is sent. (/user is the endpoint that returns 9109 for the same auth — see getEmail in whoami.ts.)

Result: any user authenticating with an Account API Token saw wrangler whoami (and any non-cached account selection) fail with A request to the Cloudflare API (/memberships) failed. Authentication failed (status: 400) [code: 9106] after upgrading to a Wrangler version with #13770.

This fixes the fallback by replacing 9109 with 9106 in MEMBERSHIPS_INACCESSIBLE_CODES. 10000 (Authentication error) is retained as-is. Tests are updated to assert the corrected code.

Manual testing with account API tokens:

  • CLOUDFLARE_API_TOKEN=... pnpx wrangler@4.88 whoami
  • CLOUDFLARE_API_TOKEN=... pnpx wrangler@4.89.1 whoami
  • CLOUDFLARE_API_TOKEN=... pnpx https://pkg.pr.new/wrangler@9b148fb whoami

  • Tests
    • Tests included/updated
  • Public documentation
    • Documentation not necessary because: bug fix; no public API or behaviour change beyond restoring pre-regression behaviour for Account API Tokens.

The fallback for Account API Tokens in `fetchAllAccounts` was checking
for code 9109, but `/memberships` actually returns 9106 for that case.
Correct the code so the fallback to `/accounts` triggers as intended.

Fixes #13857
@penalosa penalosa requested a review from workers-devprod as a code owner May 7, 2026 17:53
@changeset-bot

changeset-bot Bot commented May 7, 2026

Copy link
Copy Markdown

🦋 Changeset detected

Latest commit: 3ca1ec6

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@github-project-automation github-project-automation Bot moved this to Untriaged in workers-sdk May 7, 2026
@workers-devprod workers-devprod requested review from a team and NuroDev and removed request for a team May 7, 2026 17:53
@workers-devprod

workers-devprod commented May 7, 2026

Copy link
Copy Markdown
Contributor

Codeowners approval required for this PR:

  • @cloudflare/workers-kv
  • ✅ @cloudflare/wrangler
Show detailed file reviewers
  • packages/wrangler/src/tests/kv/key.test.ts: [@cloudflare/workers-kv]

@github-actions

github-actions Bot commented May 7, 2026

Copy link
Copy Markdown
Contributor

⚠️ Issues found

  • .changeset/all-dolls-think.md — The description is too brief: "Fix Containers SSH config". It does not explain what the bug was, what the symptom was, or what the fix does. Please expand the description to tell users what was broken and how it's now fixed.

@ask-bonk ask-bonk Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One minor comment about a misleading test comment. The actual code change (9109 → 9106) and the tests look correct to me.

Comment thread packages/wrangler/src/__tests__/whoami.test.ts Outdated
@ask-bonk

ask-bonk Bot commented May 7, 2026

Copy link
Copy Markdown
Contributor

I'm Bonk, and I've done a quick review of your PR.

This PR fixes the /memberships fallback for Account API Tokens by replacing error code 9109 with 9106 in MEMBERSHIPS_INACCESSIBLE_CODES, since /memberships returns 9106 (not 9109) for account-scoped tokens.

One issue found:

  1. Inaccurate test comment (whoami.test.ts:562-563): The updated comment claims fetchAllAccounts tolerates three codes (9106, 9109, and 10000), but the actual MEMBERSHIPS_INACCESSIBLE_CODES array only contains [9106, 10000]. Posted a suggestion to fix this so it matches the source of truth.

github run

Co-authored-by: ask-bonk[bot] <249159057+ask-bonk[bot]@users.noreply.github.com>

@workers-devprod workers-devprod left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Codeowners reviews satisfied

@github-project-automation github-project-automation Bot moved this from Untriaged to Approved in workers-sdk May 7, 2026
@pkg-pr-new

pkg-pr-new Bot commented May 7, 2026

Copy link
Copy Markdown
create-cloudflare

npm i https://pkg.pr.new/create-cloudflare@13858

@cloudflare/kv-asset-handler

npm i https://pkg.pr.new/@cloudflare/kv-asset-handler@13858

miniflare

npm i https://pkg.pr.new/miniflare@13858

@cloudflare/pages-shared

npm i https://pkg.pr.new/@cloudflare/pages-shared@13858

@cloudflare/unenv-preset

npm i https://pkg.pr.new/@cloudflare/unenv-preset@13858

@cloudflare/vite-plugin

npm i https://pkg.pr.new/@cloudflare/vite-plugin@13858

@cloudflare/vitest-pool-workers

npm i https://pkg.pr.new/@cloudflare/vitest-pool-workers@13858

@cloudflare/workers-editor-shared

npm i https://pkg.pr.new/@cloudflare/workers-editor-shared@13858

@cloudflare/workers-utils

npm i https://pkg.pr.new/@cloudflare/workers-utils@13858

wrangler

npm i https://pkg.pr.new/wrangler@13858

commit: 3ca1ec6

@workers-devprod workers-devprod requested a review from a team May 7, 2026 18:16
@penalosa penalosa merged commit e414e56 into main May 7, 2026
52 checks passed
@penalosa penalosa deleted the penalosa/wrangler/memberships-9106 branch May 7, 2026 18:27
@github-project-automation github-project-automation Bot moved this from Approved to Done in workers-sdk May 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

[ERROR] A request to the Cloudflare API (/memberships) failed.

3 participants