Skip to content

[wrangler] fix: show env-var hint when /memberships returns code 9106 (bad credentials)#13839

Open
matingathani wants to merge 3 commits into
cloudflare:mainfrom
matingathani:fix/auth-error-hint-env-var
Open

[wrangler] fix: show env-var hint when /memberships returns code 9106 (bad credentials)#13839
matingathani wants to merge 3 commits into
cloudflare:mainfrom
matingathani:fix/auth-error-hint-env-var

Conversation

@matingathani
Copy link
Copy Markdown
Contributor

@matingathani matingathani commented May 7, 2026
edited
Loading

Fixes #13656.

When /memberships returns error code 9106 ("Authentication failed") and /accounts is also empty (no usable accounts), Wrangler previously showed a generic "incorrect permissions" message. This PR surfaces a more actionable hint that an environment variable like CLOUDFLARE_API_TOKEN may be set to an invalid value.

Context: PR #13858 added 9106 to MEMBERSHIPS_INACCESSIBLE_CODES — a valid Account API Token returns 9106 on /memberships since that endpoint is user-level. When /accounts has data, the existing fallback works correctly. This PR handles the edge case where 9106 is returned AND /accounts is also empty, which can happen when an env-var credential is malformed.

Change: Inside the isMembershipsInaccessible block, when code is specifically 9106 and no accounts are available, throw a UserError that names the env-var candidates (CLOUDFLARE_API_TOKEN, CLOUDFLARE_API_KEY, CLOUDFLARE_EMAIL) and suggests wrangler logout && wrangler login.

  • Tests
    • Tests included/updated
  • Public documentation
    • Documentation not necessary because: error message improvement only, no public API or behavior change

Copilot AI review requested due to automatic review settings May 7, 2026 00:30
@changeset-bot
Copy link
Copy Markdown

changeset-bot Bot commented May 7, 2026
edited
Loading

🦋 Changeset detected

Latest commit: b8e3f6b

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages
Name Type
wrangler Patch
@cloudflare/vite-plugin Patch
@cloudflare/vitest-pool-workers Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@workers-devprod workers-devprod requested review from a team and ascorbic and removed request for a team May 7, 2026 00:31
@workers-devprod
Copy link
Copy Markdown
Contributor

workers-devprod commented May 7, 2026
edited
Loading

Codeowners approval required for this PR:

  • @cloudflare/workers-kv
  • @cloudflare/wrangler
Show detailed file reviewers
  • .changeset/fix-auth-error-hint-env-var.md: [@cloudflare/wrangler]
  • packages/wrangler/src/tests/kv/key.test.ts: [@cloudflare/workers-kv @cloudflare/wrangler]
  • packages/wrangler/src/tests/user.test.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/user/fetch-accounts.ts: [@cloudflare/wrangler]

Copilot AI reviewed May 7, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Improves Wrangler’s handling of Cloudflare API /memberships failures by recognizing error code 9106 (“Missing X-Auth-Key, X-Auth-Email or Authorization headers”) as a bad-credentials scenario and surfacing an actionable UserError that points users to relevant credential environment variables and re-auth steps.

Changes:

  • Add a /memberships “bad credentials” code list (9106) and helper to detect it.
  • Throw a targeted UserError with env-var guidance and suggested wrangler logout / wrangler login steps when 9106 occurs.
  • Add a regression test asserting the improved hint is shown, plus a changeset entry.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File Description
packages/wrangler/src/user/fetch-accounts.ts Detect 9106 as bad credentials and throw a more actionable UserError.
packages/wrangler/src/__tests__/user.test.ts Add coverage ensuring the new env-var hint appears for 9106 from /memberships.
.changeset/fix-auth-error-hint-env-var.md Publish a patch changeset describing the improved error messaging.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread packages/wrangler/src/user/fetch-accounts.ts Outdated
Comment thread packages/wrangler/src/user/fetch-accounts.ts Outdated
@matingathani
Copy link
Copy Markdown
Contributor Author

matingathani commented May 7, 2026

@NuroDev @penalosa @dario-piotrowicz — all Copilot review comments have been addressed. This PR is ready for review.

@matingathani matingathani force-pushed the fix/auth-error-hint-env-var branch from c9a4e7d to 671ef7e Compare May 10, 2026 07:06
@github-project-automation github-project-automation Bot moved this to Untriaged in workers-sdk May 10, 2026
@pkg-pr-new
Copy link
Copy Markdown

pkg-pr-new Bot commented May 10, 2026
edited
Loading

create-cloudflare

npm i https://pkg.pr.new/create-cloudflare@13839

@cloudflare/kv-asset-handler

npm i https://pkg.pr.new/@cloudflare/kv-asset-handler@13839

miniflare

npm i https://pkg.pr.new/miniflare@13839

@cloudflare/pages-shared

npm i https://pkg.pr.new/@cloudflare/pages-shared@13839

@cloudflare/unenv-preset

npm i https://pkg.pr.new/@cloudflare/unenv-preset@13839

@cloudflare/vite-plugin

npm i https://pkg.pr.new/@cloudflare/vite-plugin@13839

@cloudflare/vitest-pool-workers

npm i https://pkg.pr.new/@cloudflare/vitest-pool-workers@13839

@cloudflare/workers-editor-shared

npm i https://pkg.pr.new/@cloudflare/workers-editor-shared@13839

@cloudflare/workers-utils

npm i https://pkg.pr.new/@cloudflare/workers-utils@13839

wrangler

npm i https://pkg.pr.new/wrangler@13839

commit: b8e3f6b

@workers-devprod workers-devprod requested a review from a team May 11, 2026 02:04
@matingathani
Copy link
Copy Markdown
Contributor Author

matingathani commented May 11, 2026

The CI failures in job 75276344917 are in Miniflare's browser plugin test suite (test/plugins/browser/index.spec.ts) — all 9 failures trace back to the browser session timing out on the Windows runner (first test: it creates a browser session times out after 20 s; subsequent tests then receive an error string instead of the expected response, causing JSON parse errors). This is unrelated to the Wrangler /memberships authentication handling this PR modifies. My changes only affect Wrangler error propagation and messaging logic (fetch-accounts.ts) and its tests. Could a maintainer re-run the Windows job or confirm this is a known flake on main?

dario-piotrowicz
dario-piotrowicz reviewed May 11, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@dario-piotrowicz dario-piotrowicz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR @matingathani 🙂

The PR generally looks good to me, I just left a few small comments

Also the browser test keeps failing, could you maybe try rebasing the PR and see if that helps? 🙂

Comment thread packages/wrangler/src/user/fetch-accounts.ts Outdated
Comment thread packages/wrangler/src/user/fetch-accounts.ts Outdated
Comment thread packages/wrangler/src/user/fetch-accounts.ts Outdated
@workers-devprod
Copy link
Copy Markdown
Contributor

workers-devprod commented May 12, 2026

Codeowners approval required for this PR:

  • @cloudflare/workers-kv
  • @cloudflare/wrangler
Show detailed file reviewers
  • .changeset/fix-auth-error-hint-env-var.md: [@cloudflare/wrangler]
  • packages/wrangler/src/tests/kv/key.test.ts: [@cloudflare/workers-kv @cloudflare/wrangler]
  • packages/wrangler/src/tests/user.test.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/user/fetch-accounts.ts: [@cloudflare/wrangler]

@matingathani
fix: show actionable hint when /memberships returns code 9106 (bad cr…
069ef9f 
…edentials)

When the Cloudflare API returns code 9106 ("Missing X-Auth-Key, X-Auth-Email
or Authorization headers"), Wrangler now emits a UserError explaining that
an environment variable such as CLOUDFLARE_API_TOKEN may be set to an invalid
value, and suggests running `wrangler logout` / `wrangler login` to re-authenticate.

Previously the raw API error was rethrown with no guidance, leaving users
confused about why their credentials were rejected.

Fixes cloudflare#13656
@matingathani
fix: update kv/key test snapshot for new 9106 env-var hint message
d231ab5
@matingathani
address dario review: rename getMembershipsErrorCode to getErrorCode,…
b8e3f6b 
… use it in isMembershipsInaccessible, remove "also" from comment
@matingathani matingathani force-pushed the fix/auth-error-hint-env-var branch from 04f419c to b8e3f6b Compare May 13, 2026 00:33
@matingathani
Copy link
Copy Markdown
Contributor Author

matingathani commented May 13, 2026

New CI failure (Tests, macOS, fixtures) is in @fixture/unbound-durable-object — unrelated to the /memberships auth changes in this PR. Could a maintainer re-run the failed job?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dario-piotrowicz dario-piotrowicz dario-piotrowicz left review comments

Copilot code review Copilot Copilot left review comments

@workers-devprod workers-devprod Awaiting requested review from workers-devprod workers-devprod is a code owner

@ascorbic ascorbic Awaiting requested review from ascorbic ascorbic was automatically assigned from cloudflare/wrangler

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

workers-sdk
Status: Untriaged

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

/memberships returns status: 400 (code: 9106) — how should wrangler react?

4 participants

@matingathani @workers-devprod @dario-piotrowicz