
fix: improve error message for revoked API tokens with --reach#1145

Merged
Martin Torp (mtorp) merged 2 commits into v1.x from fix/reach-revoked-token-error-message on Apr 1, 2026

Conversation

Martin Torp (mtorp), Contributor, commented Apr 1, 2026

Summary

  • When socket scan create --reach is used with a revoked/invalid API token, the CLI now shows "Authentication failed: Your API token appears to be invalid, expired, or revoked" instead of the misleading "Unable to verify plan permissions" error.
  • Splits 401 (Unauthorized) and 403 (Forbidden) handling in getErrorMessageForHttpStatusCode so each gets a distinct, actionable message across all API calls.
  • Bumps @coana-tech/cli from 14.12.200 to 14.12.201 and Socket CLI to v1.1.77.

Test plan

  • Run socket scan create --reach with a revoked API token and verify the error message says "Authentication failed" with token guidance
  • Run socket scan create --reach with a valid token but no enterprise plan and verify the existing "requires an enterprise plan" message still appears
  • Run socket scan create --reach with a valid enterprise token and verify reachability analysis proceeds normally
  • Verify pnpm check (lint + typecheck) passes
  • Verify pnpm test:unit src/commands/scan/cmd-scan-create.test.mts passes (25 tests)

Note

Low Risk
Low risk: changes are limited to error handling/messages for HTTP 401/403 and a minor dependency/version bump, with no behavioral changes to scanning beyond clearer failures.

Overview
Improves CLI error handling when running socket scan create --reach with invalid/revoked tokens by detecting 401 Unauthorized from the organization lookup and returning an explicit Authentication failed message instead of the generic plan-permissions error.

Splits 401 vs 403 messaging in getErrorMessageForHttpStatusCode so token-invalid and permission-denied cases get distinct guidance across API calls, and adds a failure log in fetchOrganization when the org list request fails.

Bumps the CLI version to 1.1.77 and updates @coana-tech/cli to 14.12.201 (lockfile updated accordingly).

Written by Cursor Bugbot for commit 5eac4be.

When using `socket scan create --reach` with an invalid or revoked API
token, the CLI now shows a clear "Authentication failed" message instead
of the misleading "Unable to verify plan permissions" error. Also splits
401/403 handling in the API layer so unauthorized tokens get a distinct
message from insufficient permissions.

Bumps @coana-tech/cli from 14.12.200 to 14.12.201 and Socket CLI to
v1.1.77.
socket-security bot commented Apr 1, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff     Package                                    Supply Chain Security  Vulnerability  Quality  Maintenance  License
Updated  npm/@coana-tech/cli@14.12.200 ⏵ 14.12.201  96 +1                  100            80 +1    98           100


cursor bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


Bugbot Autofix is ON. A cloud agent has been kicked off to fix the reported issue.

Comment @cursor review or bugbot run to trigger another review on this PR

socket-security-staging bot commented Apr 1, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff     Package                                    Supply Chain Security  Vulnerability  Quality  Maintenance  License
Updated  npm/@coana-tech/cli@14.12.200 ⏵ 14.12.201  97 +1                  100            80 +1    97           100


The logger.fail call was running unconditionally, causing unwanted
output for callers that pass silence: true (e.g. getDefaultOrgSlug)
and double error messages in the 401 reachability flow.
Martin Torp (mtorp) merged commit 33c017a into v1.x on Apr 1, 2026
14 of 15 checks passed
Martin Torp (mtorp) deleted the fix/reach-revoked-token-error-message branch on April 1, 2026 at 08:04