fix: accept nullable user fields in OAuth token response (#468)

The Sentry API can return `null` for `user.name` in the OAuth token
response. The Zod schema had `name: z.string()` which rejected null,
causing `safeParse()` to fail and login to throw 'Unexpected response
from token endpoint'.

- Make `name` and `email` nullable in `TokenResponseSchema`
- Make `name` nullish in `SentryUserSchema` for consistency
- Convert null → undefined at the UserInfo/LoginResult boundary
- Add focused schema tests for nullable user fields

Closes #468

Author: BYK

AGENTS.md

@@ -175,9 +175,9 @@ export const loginCommand = buildCommand({
           userId: user.id,
           email: user.email,
           username: user.username,
-          name: user.name,
+          name: user.name ?? undefined,
         });
-        result.user = user;
+        result.user = { ...user, name: user.name ?? undefined };
       } catch {
         // Non-fatal: user info is supplementary. Token remains stored and valid.
       }

src/commands/auth/login.ts

@@ -59,7 +59,7 @@ export const whoamiCommand = buildCommand({
         userId: user.id,
         email: user.email,
         username: user.username,
-        name: user.name,
+        name: user.name ?? undefined,
       });
     } catch {
       // Cache update failure is non-essential — user identity was already fetched.

src/commands/auth/whoami.ts

@@ -163,8 +163,8 @@ export async function runInteractiveLogin(
       try {
         setUserInfo({
           userId: user.id,
-          email: user.email,
-          name: user.name,
+          email: user.email ?? undefined,
+          name: user.name ?? undefined,
         });
       } catch (error) {
         // Report to Sentry but don't block auth - user info is not critical
@@ -178,7 +178,11 @@ export async function runInteractiveLogin(
       expiresIn: tokenResponse.expires_in,
     };
     if (user) {
-      result.user = user;
+      result.user = {
+        id: user.id,
+        name: user.name ?? undefined,
+        email: user.email ?? undefined,
+      };
     }
     return result;
   } catch (err) {

src/lib/interactive-login.ts

@@ -34,8 +34,8 @@ export const TokenResponseSchema = z
     user: z
       .object({
         id: z.string(),
-        name: z.string(),
-        email: z.string(),
+        name: z.string().nullable(),
+        email: z.string().nullable(),
       })
       .passthrough()
       .optional(),

src/types/oauth.ts

@@ -215,7 +215,7 @@ export const SentryUserSchema = z
     id: z.string(),
     email: z.string().optional(),
     username: z.string().optional(),
-    name: z.string().optional(),
+    name: z.string().nullish(),
   })
   .passthrough();
 

src/types/sentry.ts

@@ -0,0 +1,87 @@
+/**
+ * OAuth Schema Tests
+ *
+ * Validates that Zod schemas correctly handle real-world API responses,
+ * including nullable fields that the Sentry API may return.
+ */
+
+import { describe, expect, test } from "bun:test";
+import { TokenResponseSchema } from "../../src/types/oauth.js";
+
+describe("TokenResponseSchema", () => {
+  const baseTokenResponse = {
+    access_token: "sntrys_abc123",
+    refresh_token: "sntryr_def456",
+    expires_in: 2_591_999,
+    token_type: "Bearer",
+    scope: "event:read event:write member:read org:read project:admin",
+  };
+
+  test("accepts response with user.name as null (GH-468)", () => {
+    const response = {
+      ...baseTokenResponse,
+      expires_at: "2026-04-18T09:03:59.747189Z",
+      user: { id: "48168", name: null, email: "user@example.com" },
+    };
+
+    const result = TokenResponseSchema.safeParse(response);
+    expect(result.success).toBe(true);
+    if (result.success) {
+      expect(result.data.user?.name).toBeNull();
+      expect(result.data.user?.email).toBe("user@example.com");
+    }
+  });
+
+  test("accepts response with user.email as null", () => {
+    const response = {
+      ...baseTokenResponse,
+      user: { id: "48168", name: "Jane Doe", email: null },
+    };
+
+    const result = TokenResponseSchema.safeParse(response);
+    expect(result.success).toBe(true);
+    if (result.success) {
+      expect(result.data.user?.name).toBe("Jane Doe");
+      expect(result.data.user?.email).toBeNull();
+    }
+  });
+
+  test("accepts response with both name and email as null", () => {
+    const response = {
+      ...baseTokenResponse,
+      user: { id: "48168", name: null, email: null },
+    };
+
+    const result = TokenResponseSchema.safeParse(response);
+    expect(result.success).toBe(true);
+  });
+
+  test("accepts response without user field", () => {
+    const result = TokenResponseSchema.safeParse(baseTokenResponse);
+    expect(result.success).toBe(true);
+    if (result.success) {
+      expect(result.data.user).toBeUndefined();
+    }
+  });
+
+  test("accepts response with extra fields in user (passthrough)", () => {
+    const response = {
+      ...baseTokenResponse,
+      user: {
+        id: "48168",
+        name: "Jane",
+        email: "jane@example.com",
+        avatar_url: "https://example.com/avatar.png",
+      },
+    };
+
+    const result = TokenResponseSchema.safeParse(response);
+    expect(result.success).toBe(true);
+  });
+
+  test("rejects response missing access_token", () => {
+    const { access_token: _, ...noToken } = baseTokenResponse;
+    const result = TokenResponseSchema.safeParse(noToken);
+    expect(result.success).toBe(false);
+  });
+});