fix: accept nullable user fields in OAuth token response (#468)

BYK · BYK · commit f2b2554c8fa3 · 2026-03-19T11:00:27.000Z
The Sentry API can return `null` for `user.name` in the OAuth token response. The Zod schema had `name: z.string()` which rejected null, causing `safeParse()` to fail and login to throw 'Unexpected response from token endpoint'. - Make `name` and `email` nullable in `TokenResponseSchema` - Make `name` nullish in `SentryUserSchema` for consistency - Convert null → undefined at the UserInfo/LoginResult boundary - Add focused schema tests for nullable user fields Closes #468
diff --git a/AGENTS.md b/AGENTS.md
diff --git a/src/commands/auth/login.ts b/src/commands/auth/login.ts
@@ -175,9 +175,9 @@ export const loginCommand = buildCommand({
           userId: user.id,
           email: user.email,
           username: user.username,
-          name: user.name,
+          name: user.name ?? undefined,
         });
-        result.user = user;
+        result.user = { ...user, name: user.name ?? undefined };
       } catch {
         // Non-fatal: user info is supplementary. Token remains stored and valid.
       }
diff --git a/src/commands/auth/whoami.ts b/src/commands/auth/whoami.ts
@@ -59,7 +59,7 @@ export const whoamiCommand = buildCommand({
         userId: user.id,
         email: user.email,
         username: user.username,
-        name: user.name,
+        name: user.name ?? undefined,
       });
     } catch {
       // Cache update failure is non-essential — user identity was already fetched.
diff --git a/src/lib/interactive-login.ts b/src/lib/interactive-login.ts
@@ -163,8 +163,8 @@ export async function runInteractiveLogin(
       try {
         setUserInfo({
           userId: user.id,
-          email: user.email,
-          name: user.name,
+          email: user.email ?? undefined,
+          name: user.name ?? undefined,
         });
       } catch (error) {
         // Report to Sentry but don't block auth - user info is not critical
@@ -178,7 +178,11 @@ export async function runInteractiveLogin(
       expiresIn: tokenResponse.expires_in,
     };
     if (user) {
-      result.user = user;
+      result.user = {
+        id: user.id,
+        name: user.name ?? undefined,
+        email: user.email ?? undefined,
+      };
     }
     return result;
   } catch (err) {
diff --git a/src/types/oauth.ts b/src/types/oauth.ts
@@ -34,8 +34,8 @@ export const TokenResponseSchema = z
     user: z
       .object({
         id: z.string(),
-        name: z.string(),
-        email: z.string(),
+        name: z.string().nullable(),
+        email: z.string().nullable(),
       })
       .passthrough()
       .optional(),
diff --git a/src/types/sentry.ts b/src/types/sentry.ts
@@ -215,7 +215,7 @@ export const SentryUserSchema = z
     id: z.string(),
     email: z.string().optional(),
     username: z.string().optional(),
-    name: z.string().optional(),
+    name: z.string().nullish(),
   })
   .passthrough();
 
diff --git a/test/commands/auth/login.test.ts b/test/commands/auth/login.test.ts
@@ -182,6 +182,37 @@ describe("loginCommand.func --token path", () => {
     expect(out).toContain("Jane Doe");
   });
 
+  test("--token: null user.name is converted to undefined in setUserInfo", async () => {
+    isAuthenticatedSpy.mockResolvedValue(false);
+    setAuthTokenSpy.mockResolvedValue(undefined);
+    getUserRegionsSpy.mockResolvedValue([]);
+    getCurrentUserSpy.mockResolvedValue({
+      id: "5",
+      name: null,
+      email: "x@y.com",
+      username: "xuser",
+    });
+    setUserInfoSpy.mockReturnValue(undefined);
+
+    const { context, getStdout } = createContext();
+    await func.call(context, {
+      token: "valid-token",
+      force: false,
+      timeout: 900,
+    });
+
+    expect(setUserInfoSpy).toHaveBeenCalledWith({
+      userId: "5",
+      email: "x@y.com",
+      username: "xuser",
+      name: undefined,
+    });
+    const out = getStdout();
+    expect(out).toContain("Authenticated");
+    // With null name, formatUserIdentity falls back to email
+    expect(out).toContain("x@y.com");
+  });
+
   test("--token: invalid token clears auth and throws AuthError", async () => {
     isAuthenticatedSpy.mockResolvedValue(false);
     setAuthTokenSpy.mockResolvedValue(undefined);
diff --git a/test/lib/interactive-login.test.ts b/test/lib/interactive-login.test.ts
@@ -1,13 +1,40 @@
 /**
- * Tests for buildDeviceFlowDisplay — the extracted display logic from the
- * interactive login flow's onUserCode callback.
+ * Tests for interactive login flow.
+ *
+ * - buildDeviceFlowDisplay: extracted display logic (pure function)
+ * - runInteractiveLogin: full OAuth device flow with mocked dependencies
  *
  * Uses SENTRY_PLAIN_OUTPUT=1 to get predictable raw markdown output
  * (no ANSI codes) for string assertions.
  */
 
-import { afterAll, beforeAll, describe, expect, test } from "bun:test";
-import { buildDeviceFlowDisplay } from "../../src/lib/interactive-login.js";
+import {
+  afterAll,
+  afterEach,
+  beforeAll,
+  beforeEach,
+  describe,
+  expect,
+  spyOn,
+  test,
+} from "bun:test";
+// biome-ignore lint/performance/noNamespaceImport: needed for spyOn mocking
+import * as browser from "../../src/lib/browser.js";
+// biome-ignore lint/performance/noNamespaceImport: needed for spyOn mocking
+import * as clipboard from "../../src/lib/clipboard.js";
+// biome-ignore lint/performance/noNamespaceImport: needed for spyOn mocking
+import * as dbInstance from "../../src/lib/db/index.js";
+// biome-ignore lint/performance/noNamespaceImport: needed for spyOn mocking
+import * as dbUser from "../../src/lib/db/user.js";
+import {
+  buildDeviceFlowDisplay,
+  runInteractiveLogin,
+} from "../../src/lib/interactive-login.js";
+// biome-ignore lint/performance/noNamespaceImport: needed for spyOn mocking
+import * as oauth from "../../src/lib/oauth.js";
+// biome-ignore lint/performance/noNamespaceImport: needed for spyOn mocking
+import * as qrcode from "../../src/lib/qrcode.js";
+import type { TokenResponse } from "../../src/types/index.js";
 
 // Force plain output for predictable string matching
 let origPlain: string | undefined;
@@ -84,3 +111,134 @@ describe("buildDeviceFlowDisplay", () => {
     expect(withoutBrowser.length).toBeGreaterThan(withBrowser.length);
   });
 });
+
+describe("runInteractiveLogin", () => {
+  let performDeviceFlowSpy: ReturnType<typeof spyOn>;
+  let completeOAuthFlowSpy: ReturnType<typeof spyOn>;
+  let openBrowserSpy: ReturnType<typeof spyOn>;
+  let generateQRCodeSpy: ReturnType<typeof spyOn>;
+  let setupCopyKeyListenerSpy: ReturnType<typeof spyOn>;
+  let setUserInfoSpy: ReturnType<typeof spyOn>;
+  let getDbPathSpy: ReturnType<typeof spyOn>;
+
+  /** Helper to build a mock TokenResponse with a user whose fields may be null. */
+  function makeTokenResponse(user?: {
+    id: string;
+    name: string | null;
+    email: string | null;
+  }): TokenResponse {
+    return {
+      access_token: "sntrys_test_token",
+      token_type: "Bearer",
+      expires_in: 3600,
+      ...(user ? { user } : {}),
+    };
+  }
+
+  beforeEach(() => {
+    completeOAuthFlowSpy = spyOn(oauth, "completeOAuthFlow").mockResolvedValue(
+      undefined
+    );
+    openBrowserSpy = spyOn(browser, "openBrowser").mockResolvedValue(false);
+    generateQRCodeSpy = spyOn(qrcode, "generateQRCode").mockResolvedValue(
+      "[QR]"
+    );
+    setupCopyKeyListenerSpy = spyOn(
+      clipboard,
+      "setupCopyKeyListener"
+    ).mockReturnValue(() => {
+      // no-op cleanup
+    });
+    setUserInfoSpy = spyOn(dbUser, "setUserInfo").mockReturnValue(undefined);
+    getDbPathSpy = spyOn(dbInstance, "getDbPath").mockReturnValue("/tmp/db");
+  });
+
+  afterEach(() => {
+    performDeviceFlowSpy.mockRestore();
+    completeOAuthFlowSpy.mockRestore();
+    openBrowserSpy.mockRestore();
+    generateQRCodeSpy.mockRestore();
+    setupCopyKeyListenerSpy.mockRestore();
+    setUserInfoSpy.mockRestore();
+    getDbPathSpy.mockRestore();
+  });
+
+  test("null user.name is converted to undefined in result and setUserInfo", async () => {
+    performDeviceFlowSpy = spyOn(oauth, "performDeviceFlow").mockImplementation(
+      async (callbacks) => {
+        await callbacks.onUserCode(
+          "ABCD",
+          "https://sentry.io/auth/device/",
+          "https://sentry.io/auth/device/?user_code=ABCD"
+        );
+        return makeTokenResponse({
+          id: "48168",
+          name: null,
+          email: "user@example.com",
+        });
+      }
+    );
+
+    const result = await runInteractiveLogin({ timeout: 1000 });
+
+    expect(result).not.toBeNull();
+    expect(result!.user).toBeDefined();
+    expect(result!.user!.name).toBeUndefined();
+    expect(result!.user!.email).toBe("user@example.com");
+    expect(result!.user!.id).toBe("48168");
+
+    expect(setUserInfoSpy).toHaveBeenCalledWith({
+      userId: "48168",
+      email: "user@example.com",
+      name: undefined,
+    });
+  });
+
+  test("null user.email is converted to undefined in result", async () => {
+    performDeviceFlowSpy = spyOn(oauth, "performDeviceFlow").mockImplementation(
+      async (callbacks) => {
+        await callbacks.onUserCode(
+          "EFGH",
+          "https://sentry.io/auth/device/",
+          "https://sentry.io/auth/device/?user_code=EFGH"
+        );
+        return makeTokenResponse({
+          id: "123",
+          name: "Jane Doe",
+          email: null,
+        });
+      }
+    );
+
+    const result = await runInteractiveLogin({ timeout: 1000 });
+
+    expect(result).not.toBeNull();
+    expect(result!.user!.name).toBe("Jane Doe");
+    expect(result!.user!.email).toBeUndefined();
+
+    expect(setUserInfoSpy).toHaveBeenCalledWith({
+      userId: "123",
+      email: undefined,
+      name: "Jane Doe",
+    });
+  });
+
+  test("no user in token response: result.user is undefined, setUserInfo not called", async () => {
+    performDeviceFlowSpy = spyOn(oauth, "performDeviceFlow").mockImplementation(
+      async (callbacks) => {
+        await callbacks.onUserCode(
+          "WXYZ",
+          "https://sentry.io/auth/device/",
+          "https://sentry.io/auth/device/?user_code=WXYZ"
+        );
+        return makeTokenResponse(); // no user
+      }
+    );
+
+    const result = await runInteractiveLogin({ timeout: 1000 });
+
+    expect(result).not.toBeNull();
+    expect(result!.user).toBeUndefined();
+    expect(setUserInfoSpy).not.toHaveBeenCalled();
+  });
+});
diff --git a/test/types/oauth.test.ts b/test/types/oauth.test.ts
@@ -0,0 +1,87 @@
+/**
+ * OAuth Schema Tests
+ *
+ * Validates that Zod schemas correctly handle real-world API responses,
+ * including nullable fields that the Sentry API may return.
+ */
+
+import { describe, expect, test } from "bun:test";
+import { TokenResponseSchema } from "../../src/types/oauth.js";
+
+describe("TokenResponseSchema", () => {
+  const baseTokenResponse = {
+    access_token: "sntrys_abc123",
+    refresh_token: "sntryr_def456",
+    expires_in: 2_591_999,
+    token_type: "Bearer",
+    scope: "event:read event:write member:read org:read project:admin",
+  };
+
+  test("accepts response with user.name as null (GH-468)", () => {
+    const response = {
+      ...baseTokenResponse,
+      expires_at: "2026-04-18T09:03:59.747189Z",
+      user: { id: "48168", name: null, email: "user@example.com" },
+    };
+
+    const result = TokenResponseSchema.safeParse(response);
+    expect(result.success).toBe(true);
+    if (result.success) {
+      expect(result.data.user?.name).toBeNull();
+      expect(result.data.user?.email).toBe("user@example.com");
+    }
+  });
+
+  test("accepts response with user.email as null", () => {
+    const response = {
+      ...baseTokenResponse,
+      user: { id: "48168", name: "Jane Doe", email: null },
+    };
+
+    const result = TokenResponseSchema.safeParse(response);
+    expect(result.success).toBe(true);
+    if (result.success) {
+      expect(result.data.user?.name).toBe("Jane Doe");
+      expect(result.data.user?.email).toBeNull();
+    }
+  });
+
+  test("accepts response with both name and email as null", () => {
+    const response = {
+      ...baseTokenResponse,
+      user: { id: "48168", name: null, email: null },
+    };
+
+    const result = TokenResponseSchema.safeParse(response);
+    expect(result.success).toBe(true);
+  });
+
+  test("accepts response without user field", () => {
+    const result = TokenResponseSchema.safeParse(baseTokenResponse);
+    expect(result.success).toBe(true);
+    if (result.success) {
+      expect(result.data.user).toBeUndefined();
+    }
+  });
+
+  test("accepts response with extra fields in user (passthrough)", () => {
+    const response = {
+      ...baseTokenResponse,
+      user: {
+        id: "48168",
+        name: "Jane",
+        email: "jane@example.com",
+        avatar_url: "https://example.com/avatar.png",
+      },
+    };
+
+    const result = TokenResponseSchema.safeParse(response);
+    expect(result.success).toBe(true);
+  });
+
+  test("rejects response missing access_token", () => {
+    const { access_token: _, ...noToken } = baseTokenResponse;
+    const result = TokenResponseSchema.safeParse(noToken);
+    expect(result.success).toBe(false);
+  });
+});
