Handle GitHub OAuth failures in /auth/callback without a 500#54
Merged
Conversation
The login callback called raise_for_status() on the GitHub /user request, so any non-2xx from GitHub (seen in prod as a 401 "Bad credentials" on a freshly-issued token) bubbled up as an unhandled httpx.HTTPStatusError and Starlette returned a bare 500 Internal Server Error to the user. Each GitHub step in the callback (token exchange, /user, and the derived allow-list check) now logs GitHub's own status/body and redirects to /login?error=<code> instead. login.html turns the code into a readable message (github_auth_failed / invalid_oauth_state / not_allowed) so the user sees "couldn't verify your sign-in, please try again" rather than a 500. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
A user hit Internal Server Error on
https://serge.huggingface.tech/logintoday. The OAuth roundtrip got through the token exchange but GitHub rejected the freshly-issued token onGET /user:auth_callbackcalleduser_resp.raise_for_status(), so the 401 bubbled up as an unhandledhttpx.HTTPStatusError→ bare 500 with no logging of why.Change
Each GitHub step in the callback (token exchange,
/user, and the org-membership-derived allow-list check) now:/login?error=<code>instead of raising.login.htmlmaps the code to a readable message:github_auth_failed— "GitHub couldn't verify your sign-in. This is usually temporary — please try again."invalid_oauth_state— expired/reused sign-in linknot_allowed— account not on the allow-listTesting
Drove the real 401 path with a FastAPI
TestClient+ mocked GitHub responses: the/user401 now yields302 → /login?error=github_auth_failed(no 500), and the log line readsoauth /user lookup failed: github returned 401: {"message":"Bad credentials"}.ruff format/checkclean; no tests referenced the old error strings.Note: the underlying 401 on a just-minted token is most likely transient (or an OAuth App
client_secretdrift) — this PR is the UX/robustness fix so it surfaces cleanly instead of a 500.🤖 Generated with Claude Code