fix(oauth): read SENTRY_CLIENT_ID at call time instead of module load

BYK · BYK · commit 3a4cfafe4c9d · 2026-02-13T16:33:17.000Z
The test preload deletes process.env.SENTRY_CLIENT_ID before oauth.ts
loads, causing the module-level constant to capture an empty string.
Tests that later set SENTRY_CLIENT_ID in beforeEach had no effect since
the constant was already captured. This caused refreshAccessToken to
throw ConfigError (not AuthError), which the ky afterResponse hook
caught silently, preventing 401 retry from working.

Replace the module-level constant with a getClientId() function that
reads process.env at call time.
diff --git a/src/lib/oauth.ts b/src/lib/oauth.ts
@@ -24,12 +24,20 @@ const SENTRY_URL = process.env.SENTRY_URL ?? "https://sentry.io";
  * Build-time: Injected via Bun.build({ define: { SENTRY_CLIENT_ID: "..." } })
  * Runtime: Can be overridden via SENTRY_CLIENT_ID env var (for self-hosted)
  *
+ * Read at call time (not module load time) so tests can set process.env.SENTRY_CLIENT_ID
+ * after module initialization.
+ *
  * @see script/build.ts
  */
 declare const SENTRY_CLIENT_ID_BUILD: string | undefined;
-const SENTRY_CLIENT_ID =
-  process.env.SENTRY_CLIENT_ID ??
-  (typeof SENTRY_CLIENT_ID_BUILD !== "undefined" ? SENTRY_CLIENT_ID_BUILD : "");
+function getClientId(): string {
+  return (
+    process.env.SENTRY_CLIENT_ID ??
+    (typeof SENTRY_CLIENT_ID_BUILD !== "undefined"
+      ? SENTRY_CLIENT_ID_BUILD
+      : "")
+  );
+}
 
 // OAuth scopes requested for the CLI
 const SCOPES = [
@@ -85,7 +93,8 @@ async function fetchWithConnectionError(
 
 /** Request a device code from Sentry's device authorization endpoint */
 function requestDeviceCode() {
-  if (!SENTRY_CLIENT_ID) {
+  const clientId = getClientId();
+  if (!clientId) {
     throw new ConfigError(
       "SENTRY_CLIENT_ID is required for authentication",
       "Set SENTRY_CLIENT_ID environment variable or use a pre-built binary"
@@ -99,7 +108,7 @@ function requestDeviceCode() {
         method: "POST",
         headers: { "Content-Type": "application/x-www-form-urlencoded" },
         body: new URLSearchParams({
-          client_id: SENTRY_CLIENT_ID,
+          client_id: clientId,
           scope: SCOPES,
         }),
       }
@@ -142,7 +151,7 @@ function pollForToken(deviceCode: string): Promise<TokenResponse> {
         method: "POST",
         headers: { "Content-Type": "application/x-www-form-urlencoded" },
         body: new URLSearchParams({
-          client_id: SENTRY_CLIENT_ID,
+          client_id: getClientId(),
           device_code: deviceCode,
           grant_type: "urn:ietf:params:oauth:grant-type:device_code",
         }),
@@ -313,7 +322,8 @@ export async function setApiToken(token: string): Promise<void> {
 export function refreshAccessToken(
   refreshToken: string
 ): Promise<TokenResponse> {
-  if (!SENTRY_CLIENT_ID) {
+  const clientId = getClientId();
+  if (!clientId) {
     throw new ConfigError(
       "SENTRY_CLIENT_ID is required for token refresh",
       "Set SENTRY_CLIENT_ID environment variable or use a pre-built binary"
@@ -327,7 +337,7 @@ export function refreshAccessToken(
         method: "POST",
         headers: { "Content-Type": "application/x-www-form-urlencoded" },
         body: new URLSearchParams({
-          client_id: SENTRY_CLIENT_ID,
+          client_id: clientId,
           grant_type: "refresh_token",
           refresh_token: refreshToken,
         }),
