fix(xaa): make the issuer-mismatch abort visible and actionable#3042
Conversation
The fail-closed issuer check in server-side XAA discovery returned 502, which Cloudflare replaces with its branded Bad Gateway HTML in hosted — users saw a fake infrastructure outage instead of the diagnostic (the exact report we got from the field). Switch the deliberate abort to 409 VALIDATION_ERROR so the body survives the edge, name both the requested and advertised issuers in the message (plus the schemeOnly proxy hint), and forward WebRouteError details through the /proxy/token and /negative-tests error responses. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Bugbot couldn't run - usage limit reachedBugbot is counted against Cursor usage for this user or team, and this run hit a usage or spend limit. A user or team admin can review and increase usage limits in the Cursor dashboard. (requestId: serverGenReqId_6d90e03d-4e92-471f-a420-a42cdc150c73) |
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
Internal previewPreview URL: https://mcp-inspector-pr-3042.up.railway.app |
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (3)
WalkthroughThis change alters how issuer mismatches are handled during server-target token discovery, replacing a 502 SERVER_UNREACHABLE error with a 409 VALIDATION_ERROR that includes structured details (requestedIssuer, advertisedIssuer, schemeOnly) and an expanded error message. Two WebRouteError catch blocks in the routes file now forward the Changes
Related PRs: None identified. Suggested labels: bug, security, tests Suggested reviewers: None identified. Poem Warning There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure. 🔧 ESLint
mcpjam-inspector/server/routes/mcp/__tests__/xaa-server-target.test.tsOops! Something went wrong! :( ESLint: 8.57.1 Error: ESLint configuration in --config is invalid:
mcpjam-inspector/server/routes/mcp/xaa.tsOops! Something went wrong! :( ESLint: 8.57.1 Error: ESLint configuration in --config is invalid:
mcpjam-inspector/server/services/xaa-mint.tsOops! Something went wrong! :( ESLint: 8.57.1 Error: ESLint configuration in --config is invalid:
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
What
When a server-backed XAA run (stored client secret) re-discovers the authorization server, a mismatch between the stored issuer and the metadata's advertised issuer triggers a deliberate fail-closed abort — the secret is never posted. Two DX bugs made that abort indistinguishable from an outage:
requestedvsadvertised(including the scheme-only http-behind-https-proxy case) and threw both away.Changes
409 VALIDATION_ERRORinstead of502 SERVER_UNREACHABLE— a 4xx passes through CDN edges untouched, and this is a config conflict, not an unreachable upstream (genuine unreachable/timeout errors keep their 502/504).requestedIssuer/advertisedIssuer/schemeOnlyride indetails, and the/proxy/token+/negative-testsWebRouteError handlers now forwarddetailsonto the JSON response.Security
No change to the fail-closed behavior itself: the secret is still never posted on mismatch (regression test asserts no token POST occurs). The advertised issuer included in the error comes from metadata the caller could already fetch themselves — no new information exposure. Connect-path consumers of the same guard log-and-rethrow without status branching, so the 409 is safe there too.
Tests
VALIDATION_ERROR, message contains both issuers,detailscarries the structured values, and the stored secret is never posted.xaa-server-target,xaa,xaa-mint,xaa-discovery).🤖 Generated with Claude Code
Note
Cursor Bugbot is generating a summary for commit f1a7bff. Configure here.
Summary by cubic
Make issuer-mismatch errors in server-backed XAA discovery visible and actionable by returning 409 and including both issuers, so users see a clear config conflict instead of a Cloudflare 502 page. The secret is still never posted on mismatch.
VALIDATION_ERRORfor issuer mismatch; real upstream outages keep 502/504.details(requestedIssuer,advertisedIssuer,schemeOnly) and forward them in/proxy/tokenand/negative-tests; regression test asserts 409, message contents, details, and no token POST.Written for commit f1a7bff. Summary will update on new commits.