fix(cloudflare): Treat OAuth probe 4xx as expired (#862)

dcramer · codex · web-flow · commit 930ddd03eb7b · 2026-03-25T21:37:12.000-07:00
Treat the refresh-token probe's client-side failures as an expected sign
that the stored Sentry token is no longer usable.

While investigating MCP-SERVER-F9Q, the upstream \/auth\/ probe was
returning 400 for invalid or expired bearer tokens. The refresh path
only treated 401 authentication failures as expected, so these 400
responses were being logged as issues even though they should fall
through to re-auth.

This broadens the probe guard to all ApiClientError responses and keeps
the regression coverage focused on the 400 probe behavior without
asserting on telemetry internals.

Fixes MCP-SERVER-F9Q

Co-authored-by: OpenAI Codex &lt;noreply@openai.com&gt;
diff --git a/packages/mcp-cloudflare/src/server/oauth/helpers.test.ts b/packages/mcp-cloudflare/src/server/oauth/helpers.test.ts
@@ -77,6 +77,23 @@ describe("tokenExchangeCallback", () => {
     expect(result).toBeUndefined();
   });
 
+  it("should treat 400 probe failures as expired", async () => {
+    const pastExpiry = Date.now() - 60 * 1000;
+    const options = createRefreshOptions({
+      accessTokenExpiresAt: pastExpiry,
+    });
+
+    vi.spyOn(globalThis, "fetch").mockResolvedValue(
+      new Response(JSON.stringify({ detail: "Invalid token" }), {
+        status: 400,
+        statusText: "Bad Request",
+      }),
+    );
+
+    const result = await tokenExchangeCallback(options, TEST_ENV);
+    expect(result).toBeUndefined();
+  });
+
   it("should return undefined when upstream probe fails with network error", async () => {
     const pastExpiry = Date.now() - 60 * 1000;
     const options = createRefreshOptions({
diff --git a/packages/mcp-cloudflare/src/server/oauth/helpers.ts b/packages/mcp-cloudflare/src/server/oauth/helpers.ts
@@ -3,10 +3,7 @@ import type {
   TokenExchangeCallbackResult,
 } from "@cloudflare/workers-oauth-provider";
 import type { z } from "zod";
-import {
-  ApiAuthenticationError,
-  SentryApiService,
-} from "@sentry/mcp-core/api-client";
+import { ApiClientError, SentryApiService } from "@sentry/mcp-core/api-client";
 import { logError, logIssue } from "@sentry/mcp-core/telem/logging";
 import { TokenResponseSchema } from "./constants";
 import type { WorkerProps } from "../types";
@@ -319,7 +316,10 @@ export async function tokenExchangeCallback(
     }
   }
 
-  // Probe upstream to check if the token is actually still valid
+  // Probe upstream to check if the token is actually still valid. Sentry can
+  // report invalid/expired bearer tokens here as 400 or 401, so treat any 4xx
+  // as an expected probe failure and fall back to re-auth without creating an
+  // issue.
   try {
     const api = new SentryApiService({
       accessToken: props.accessToken,
@@ -334,7 +334,7 @@ export async function tokenExchangeCallback(
       accessTokenTTL: 60 * 60,
     };
   } catch (error) {
-    if (!(error instanceof ApiAuthenticationError)) {
+    if (!(error instanceof ApiClientError)) {
       logIssue(error, {
         loggerScope: ["cloudflare", "oauth", "refresh"],
       });
