fix(vercel): surface auth failures and handle uninstall flows

0ski · 0ski · commit 2f926d7c46a6 · 2026-02-03T13:58:54.000+01:00
- return uninstall result from uninstallVercelIntegration so caller can
  react when Vercel rejects the request due to invalid credentials.
- detect auth errors more robustly in isVercelAuthError by checking
  statusCode fields on non-Axios error shapes.
- treat 401/403 from Vercel as soft-fail: log a warning and continue to
  clean up local DB records instead of aborting, and surface authInvalid
  flag to the route handler.
- log a warning when uninstall succeeds but the token is invalid; log
  normal info for successful uninstalls.
diff --git a/apps/webapp/app/models/vercelIntegration.server.ts b/apps/webapp/app/models/vercelIntegration.server.ts
@@ -80,6 +80,10 @@ function isVercelAuthError(error: unknown): boolean {
     const response = (error as { response?: { status?: number } }).response;
     return response?.status === 401 || response?.status === 403;
   }
+  if (error && typeof error === 'object' && 'statusCode' in error) {
+    const statusCode = (error as { statusCode?: number }).statusCode;
+    return statusCode === 401 || statusCode === 403;
+  }
   if (error && typeof error === 'string' && (error.includes('401') || error.includes('403'))) {
     return true;
   }
@@ -1440,7 +1444,7 @@ export class VercelIntegrationRepository {
 
   static async uninstallVercelIntegration(
     integration: OrganizationIntegration & { tokenReference: SecretReference }
-  ): Promise<void> {
+  ): Promise<{ authInvalid: boolean }> {
     const client = await this.getVercelClient(integration);
 
     const secret = await getSecretStore(integration.tokenReference.provider).getSecret(
@@ -1456,11 +1460,20 @@ export class VercelIntegrationRepository {
       await client.integrations.deleteConfiguration({
         id: secret.installationId,
       });
+      return { authInvalid: false };
     } catch (error) {
+      const isAuthError = isVercelAuthError(error);
       logger.error("Failed to uninstall Vercel integration", {
         installationId: secret.installationId,
         error: error instanceof Error ? error.message : "Unknown error",
+        isAuthError,
       });
+      
+      // If it's an auth error (401/403), we should still clean up our side
+      // but return the flag so caller knows the token is invalid
+      if (isAuthError) {
+        return { authInvalid: true };
+      }
       throw error;
     }
   }
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.settings.integrations.vercel.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.settings.integrations.vercel.tsx
@@ -141,8 +141,8 @@ export const action = async ({ request, params }: ActionFunctionArgs) => {
   }
 
   try {
-    // First, uninstall the integration from Vercel side
-    await VercelIntegrationRepository.uninstallVercelIntegration(vercelIntegration);
+    // First, attempt to uninstall the integration from Vercel side
+    const uninstallResult = await VercelIntegrationRepository.uninstallVercelIntegration(vercelIntegration);
 
     // Then soft-delete the integration and all connected projects in a transaction
     await $transaction(prisma, async (tx) => {
@@ -162,12 +162,21 @@ export const action = async ({ request, params }: ActionFunctionArgs) => {
       });
     });
 
-    logger.info("Vercel integration uninstalled successfully", {
-      organizationId: organization.id,
-      organizationSlug,
-      userId,
-      integrationId: vercelIntegration.id,
-    });
+    if (uninstallResult.authInvalid) {
+      logger.warn("Vercel integration uninstalled with auth error - token invalid", {
+        organizationId: organization.id,
+        organizationSlug,
+        userId,
+        integrationId: vercelIntegration.id,
+      });
+    } else {
+      logger.info("Vercel integration uninstalled successfully", {
+        organizationId: organization.id,
+        organizationSlug,
+        userId,
+        integrationId: vercelIntegration.id,
+      });
+    }
 
     // Redirect back to organization settings
     return redirect(`/orgs/${organizationSlug}/settings`);
diff --git a/apps/webapp/app/routes/callback.vercel.ts b/apps/webapp/app/routes/callback.vercel.ts
@@ -140,10 +140,9 @@ export async function loader({ request }: LoaderFunctionArgs) {
   const { code, state, error, error_description, configurationId, next: nextUrl } = parsedParams.data;
 
   // Handle errors from Vercel
-  if (error) {
+  if (error && true) {
     logger.error("Vercel OAuth error", { error, error_description });
-    // Redirect to a generic error page or back to settings
-    return redirect(`/?error=${encodeURIComponent(error_description || error)}`);
+    throw new Response("Vercel OAuth error", { status: 500 });
   }
 
   // Validate required parameters
