fix(mcp-common): harden error handling — reportToSentry, info leakage, parse ordering

- Set reportToSentry=false for 4xx errors (was true everywhere, contradicting
  PR intent to reduce Sentry noise from expected client errors)
- Stop forwarding raw upstream error bodies to clients in fetchCloudflareApi;
  use generic client-facing message, preserve raw detail in internalMessage
- Map OAuth error codes to safe messages in cloudflare-auth instead of
  forwarding raw error_description from upstream token endpoint
- Remove security mechanism names (CSRF, PKCE) from OAuthError descriptions
  returned to clients; use generic messages
- Reorder getUserAndAccounts to check response.ok before Zod parsing,
  preventing ZodError from masking the new status-aware error handling
- Add safeStatusCode() helper to clamp non-standard HTTP status codes to
  valid ContentfulStatusCode values instead of unsafe 'as' casts
- Rewrite sentry.spec.ts to test actual production code paths instead of
  tautologically constructing McpError objects with hardcoded flags
- Update all test assertions to match corrected behavior

Author: irvinebroque

packages/mcp-common/src/cloudflare-api.spec.ts

@@ -51,8 +51,9 @@ describe('fetchCloudflareApi', () => {
 			expect(e).toBeInstanceOf(McpError)
 			const err = e as McpError
 			expect(err.code).toBe(404)
-			expect(err.reportToSentry).toBe(true)
-			expect(err.message).toContain('Cloudflare API request failed')
+			expect(err.reportToSentry).toBe(false)
+			expect(err.message).toBe('Cloudflare API request failed')
+			expect(err.internalMessage).toContain('Script not found')
 		}
 	})
 
@@ -72,7 +73,7 @@ describe('fetchCloudflareApi', () => {
 			expect(e).toBeInstanceOf(McpError)
 			const err = e as McpError
 			expect(err.code).toBe(403)
-			expect(err.reportToSentry).toBe(true)
+			expect(err.reportToSentry).toBe(false)
 		}
 	})
 
@@ -92,7 +93,7 @@ describe('fetchCloudflareApi', () => {
 			expect(e).toBeInstanceOf(McpError)
 			const err = e as McpError
 			expect(err.code).toBe(429)
-			expect(err.reportToSentry).toBe(true)
+			expect(err.reportToSentry).toBe(false)
 		}
 	})
 
@@ -140,7 +141,7 @@ describe('fetchCloudflareApi', () => {
 		}
 	})
 
-	it('preserves error text in the McpError message', async () => {
+	it('preserves error text in internalMessage (not user-facing message)', async () => {
 		const errorBody = '{"errors":[{"message":"Worker not found","code":10007}]}'
 		fetchMock
 			.get('https://api.cloudflare.com')
@@ -156,7 +157,8 @@ describe('fetchCloudflareApi', () => {
 		} catch (e) {
 			expect(e).toBeInstanceOf(McpError)
 			const err = e as McpError
-			expect(err.message).toContain('Worker not found')
+			expect(err.message).toBe('Cloudflare API request failed')
+			expect(err.internalMessage).toContain('Worker not found')
 		}
 	})
 })

packages/mcp-common/src/cloudflare-api.ts

@@ -1,9 +1,8 @@
 import { Cloudflare } from 'cloudflare'
 import { env } from 'cloudflare:workers'
 
-import { McpError } from './mcp-error'
+import { McpError, safeStatusCode } from './mcp-error'
 
-import type { ContentfulStatusCode } from 'hono/utils/http-status'
 import type { z } from 'zod'
 
 export function getCloudflareClient(apiToken: string) {
@@ -62,10 +61,10 @@ export async function fetchCloudflareApi<T>({
 		const is5xx = response.status >= 500 && response.status <= 599
 
 		throw new McpError(
-			is5xx ? 'Upstream Cloudflare API unavailable' : `Cloudflare API request failed: ${error}`,
-			(is5xx ? 502 : response.status) as ContentfulStatusCode,
+			is5xx ? 'Upstream Cloudflare API unavailable' : 'Cloudflare API request failed',
+			safeStatusCode(is5xx ? 502 : response.status),
 			{
-				reportToSentry: true,
+				reportToSentry: is5xx,
 				internalMessage: `Cloudflare API ${response.status}: ${error}`,
 			}
 		)

packages/mcp-common/src/cloudflare-auth.spec.ts

@@ -67,9 +67,10 @@ describe('getAuthToken', () => {
 			expect(e).toBeInstanceOf(McpError)
 			const err = e as McpError
 			expect(err.code).toBe(400)
-			expect(err.message).toBe('The authorization code has expired')
-			expect(err.reportToSentry).toBe(true)
+			expect(err.message).toBe('Authorization grant is invalid, expired, or revoked')
+			expect(err.reportToSentry).toBe(false)
 			expect(err.internalMessage).toContain('Upstream 400')
+			expect(err.internalMessage).toContain('The authorization code has expired')
 		}
 	})
 
@@ -92,8 +93,8 @@ describe('getAuthToken', () => {
 			expect(e).toBeInstanceOf(McpError)
 			const err = e as McpError
 			expect(err.code).toBe(401)
-			expect(err.message).toBe('Invalid client credentials')
-			expect(err.reportToSentry).toBe(true)
+			expect(err.message).toBe('Client authentication failed')
+			expect(err.reportToSentry).toBe(false)
 		}
 	})
 
@@ -116,7 +117,8 @@ describe('getAuthToken', () => {
 			expect(e).toBeInstanceOf(McpError)
 			const err = e as McpError
 			expect(err.code).toBe(403)
-			expect(err.reportToSentry).toBe(true)
+			expect(err.message).toBe('Access denied')
+			expect(err.reportToSentry).toBe(false)
 		}
 	})
 
@@ -139,7 +141,7 @@ describe('getAuthToken', () => {
 			expect(e).toBeInstanceOf(McpError)
 			const err = e as McpError
 			expect(err.code).toBe(429)
-			expect(err.reportToSentry).toBe(true)
+			expect(err.reportToSentry).toBe(false)
 		}
 	})
 
@@ -193,7 +195,7 @@ describe('getAuthToken', () => {
 			const err = e as McpError
 			expect(err.code).toBe(400)
 			expect(err.message).toBe('Token exchange failed')
-			expect(err.reportToSentry).toBe(true)
+			expect(err.reportToSentry).toBe(false)
 		}
 	})
 })
@@ -235,9 +237,10 @@ describe('refreshAuthToken', () => {
 			expect(e).toBeInstanceOf(McpError)
 			const err = e as McpError
 			expect(err.code).toBe(400)
-			expect(err.message).toBe('The refresh token has expired')
-			expect(err.reportToSentry).toBe(true)
+			expect(err.message).toBe('Authorization grant is invalid, expired, or revoked')
+			expect(err.reportToSentry).toBe(false)
 			expect(err.internalMessage).toContain('Upstream 400')
+			expect(err.internalMessage).toContain('The refresh token has expired')
 		}
 	})
 
@@ -260,7 +263,7 @@ describe('refreshAuthToken', () => {
 			expect(e).toBeInstanceOf(McpError)
 			const err = e as McpError
 			expect(err.code).toBe(401)
-			expect(err.reportToSentry).toBe(true)
+			expect(err.reportToSentry).toBe(false)
 		}
 	})
 
@@ -282,11 +285,11 @@ describe('refreshAuthToken', () => {
 		}
 	})
 
-	it('uses fallback message when upstream error has no error_description', async () => {
+	it('uses fallback message when upstream error code is unknown', async () => {
 		fetchMock
 			.get('https://dash.cloudflare.com')
 			.intercept({ path: '/oauth2/token', method: 'POST' })
-			.reply(400, JSON.stringify({ error: 'invalid_grant' }))
+			.reply(400, JSON.stringify({ error: 'some_unknown_error' }))
 
 		try {
 			await refreshAuthToken(baseParams)
@@ -296,6 +299,31 @@ describe('refreshAuthToken', () => {
 			const err = e as McpError
 			expect(err.code).toBe(400)
 			expect(err.message).toBe('Token refresh failed')
+			expect(err.reportToSentry).toBe(false)
+		}
+	})
+
+	it('maps known error codes to safe messages instead of forwarding error_description', async () => {
+		fetchMock
+			.get('https://dash.cloudflare.com')
+			.intercept({ path: '/oauth2/token', method: 'POST' })
+			.reply(
+				400,
+				JSON.stringify({
+					error: 'invalid_grant',
+					error_description: 'Internal: token xyz expired at 2024-01-01',
+				})
+			)
+
+		try {
+			await refreshAuthToken(baseParams)
+			expect.unreachable()
+		} catch (e) {
+			expect(e).toBeInstanceOf(McpError)
+			const err = e as McpError
+			expect(err.message).toBe('Authorization grant is invalid, expired, or revoked')
+			// Raw upstream detail preserved in internalMessage only
+			expect(err.internalMessage).toContain('Internal: token xyz expired')
 		}
 	})
 })

packages/mcp-common/src/cloudflare-auth.ts

@@ -1,9 +1,19 @@
 import { z } from 'zod'
 
-import { McpError } from './mcp-error'
+import { McpError, safeStatusCode } from './mcp-error'
 
 import type { AuthRequest } from '@cloudflare/workers-oauth-provider'
-import type { ContentfulStatusCode } from 'hono/utils/http-status'
+
+/** Maps known OAuth error codes to safe client-facing messages */
+const SAFE_TOKEN_ERROR_MESSAGES: Record<string, string> = {
+	invalid_grant: 'Authorization grant is invalid, expired, or revoked',
+	invalid_client: 'Client authentication failed',
+	invalid_request: 'Invalid token request',
+	unauthorized_client: 'Client is not authorized for this grant type',
+	unsupported_grant_type: 'Unsupported grant type',
+	invalid_scope: 'Requested scope is invalid',
+	access_denied: 'Access denied',
+}
 
 // Constants
 const PKCE_CHARSET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~'
@@ -163,10 +173,10 @@ export async function getAuthToken({
 
 		if (resp.status >= 400 && resp.status < 500) {
 			throw new McpError(
-				upstreamError.error_description || 'Token exchange failed',
-				resp.status as ContentfulStatusCode,
+				SAFE_TOKEN_ERROR_MESSAGES[upstreamError.error || ''] || 'Token exchange failed',
+				safeStatusCode(resp.status),
 				{
-					reportToSentry: true,
+					reportToSentry: false,
 					internalMessage: `Upstream ${resp.status}: ${body}`,
 				}
 			)
@@ -216,10 +226,10 @@ export async function refreshAuthToken({
 
 		if (resp.status >= 400 && resp.status < 500) {
 			throw new McpError(
-				upstreamError.error_description || 'Token refresh failed',
-				resp.status as ContentfulStatusCode,
+				SAFE_TOKEN_ERROR_MESSAGES[upstreamError.error || ''] || 'Token refresh failed',
+				safeStatusCode(resp.status),
 				{
-					reportToSentry: true,
+					reportToSentry: false,
 					internalMessage: `Upstream ${resp.status}: ${body}`,
 				}
 			)

packages/mcp-common/src/cloudflare-oauth-handler.spec.ts

@@ -55,7 +55,7 @@ describe('handleTokenExchangeCallback', () => {
 				const err = e as McpError
 				expect(err.code).toBe(400)
 				expect(err.message).toBe('Account tokens cannot be refreshed')
-				expect(err.reportToSentry).toBe(true)
+				expect(err.reportToSentry).toBe(false)
 			}
 		})
 	})
@@ -78,7 +78,7 @@ describe('handleTokenExchangeCallback', () => {
 				const err = e as McpError
 				expect(err.code).toBe(400)
 				expect(err.message).toBe('No refresh token available for this grant')
-				expect(err.reportToSentry).toBe(true)
+				expect(err.reportToSentry).toBe(false)
 			}
 		})
 	})
@@ -114,8 +114,8 @@ describe('handleTokenExchangeCallback', () => {
 	describe('propagates upstream errors from refreshAuthToken', () => {
 		it('propagates McpError 400 from expired upstream refresh token', async () => {
 			mockRefreshAuthToken.mockRejectedValueOnce(
-				new McpError('The refresh token has expired', 400, {
-					reportToSentry: true,
+				new McpError('Authorization grant is invalid, expired, or revoked', 400, {
+					reportToSentry: false,
 					internalMessage: 'Upstream 400: {"error":"invalid_grant"}',
 				})
 			)
@@ -135,7 +135,7 @@ describe('handleTokenExchangeCallback', () => {
 				expect(e).toBeInstanceOf(McpError)
 				const err = e as McpError
 				expect(err.code).toBe(400)
-				expect(err.reportToSentry).toBe(true)
+				expect(err.reportToSentry).toBe(false)
 			}
 		})
 

packages/mcp-common/src/cloudflare-oauth-handler.ts

@@ -9,7 +9,7 @@ import {
 	getAuthToken,
 	refreshAuthToken,
 } from './cloudflare-auth'
-import { McpError } from './mcp-error'
+import { McpError, safeStatusCode } from './mcp-error'
 import { useSentry } from './sentry'
 import { V4Schema } from './v4-api'
 import {
@@ -30,7 +30,6 @@ import type {
 	TokenExchangeCallbackResult,
 } from '@cloudflare/workers-oauth-provider'
 import type { Context } from 'hono'
-import type { ContentfulStatusCode } from 'hono/utils/http-status'
 import type { MetricsTracker } from '../../mcp-observability/src'
 import type { BaseHonoContext } from './sentry'
 
@@ -99,35 +98,55 @@ export async function getUserAndAccounts(
 		}),
 	])
 
-	const { result: user } = V4Schema(UserSchema).parse(await userResponse.json())
+	// Check response status before parsing to avoid Zod errors on non-V4 error bodies
+	if (!accountsResponse.ok) {
+		const status = accountsResponse.status
+		const is5xx = status >= 500 && status <= 599
+		throw new McpError(
+			is5xx ? 'Upstream accounts service unavailable' : 'Failed to fetch accounts',
+			safeStatusCode(is5xx ? 502 : status),
+			{
+				reportToSentry: is5xx,
+				internalMessage: `Upstream /accounts returned ${status}`,
+			}
+		)
+	}
+
 	const { result: accounts } = V4Schema(AccountsSchema).parse(await accountsResponse.json())
-	if (!user || !userResponse.ok) {
-		// If accounts is present, then assume that we have an account scoped token
+
+	if (!userResponse.ok) {
+		// If accounts is present, assume we have an account-scoped token
 		if (accounts !== null) {
 			return { user: null, accounts }
 		}
 		const status = userResponse.status
 		const is5xx = status >= 500 && status <= 599
 		throw new McpError(
 			is5xx ? 'Upstream user service unavailable' : 'Failed to fetch user',
-			(is5xx ? 502 : status) as ContentfulStatusCode,
+			safeStatusCode(is5xx ? 502 : status),
 			{
-				reportToSentry: true,
+				reportToSentry: is5xx,
 				internalMessage: `Upstream /user returned ${status}`,
 			}
 		)
 	}
-	if (!accounts || !accountsResponse.ok) {
-		const status = accountsResponse.status
-		const is5xx = status >= 500 && status <= 599
-		throw new McpError(
-			is5xx ? 'Upstream accounts service unavailable' : 'Failed to fetch accounts',
-			(is5xx ? 502 : status) as ContentfulStatusCode,
-			{
-				reportToSentry: true,
-				internalMessage: `Upstream /accounts returned ${status}`,
-			}
-		)
+
+	const { result: user } = V4Schema(UserSchema).parse(await userResponse.json())
+	if (!user) {
+		// User parse succeeded but result was null — fall back to accounts if available
+		if (accounts !== null) {
+			return { user: null, accounts }
+		}
+		throw new McpError('Failed to fetch user', 500, {
+			reportToSentry: true,
+			internalMessage: 'Upstream /user returned null result with 200 status',
+		})
+	}
+	if (!accounts) {
+		throw new McpError('Failed to fetch accounts', 500, {
+			reportToSentry: true,
+			internalMessage: 'Upstream /accounts returned null result with 200 status',
+		})
 	}
 
 	return { user, accounts }
@@ -180,12 +199,12 @@ export async function handleTokenExchangeCallback(
 		if (props.type === 'account_token') {
 			// Account tokens cannot be refreshed — this is a client error, not a server error
 			throw new McpError('Account tokens cannot be refreshed', 400, {
-				reportToSentry: true,
+				reportToSentry: false,
 			})
 		}
 		if (!props.refreshToken) {
 			throw new McpError('No refresh token available for this grant', 400, {
-				reportToSentry: true,
+				reportToSentry: false,
 			})
 		}