feat: show a clear error when trying to use CAAPI untunnelled in localhost

[fredericoo]

WHY are these changes introduced?

Local development has a bad failure mode for Customer Account OAuth:

When a developer opens /account on localhost without tunneling, the app redirects into the OAuth flow and eventually fails with a redirect URI error from Shopify. The error is late and unclear, so it does not tell developers what they need to do next.

WHAT is this pull request doing?

• throws an error and offers a way out for users:
• zero impact in bundle size: because NODE_ENV is static at build time, we can get rid of the code path entirely when bundling with vite

HOW to test your changes?

1. Install deps and build Hydrogen package:
   • pnpm --dir packages/hydrogen build
2. Run unit tests:
   • pnpm --dir packages/hydrogen test -- src/customer/customer.test.ts
3. Start a dev app without customer-account tunneling and visit:
   • http://localhost:3000/account
4. Verify result:
   • You should not be redirected to Shopify OAuth.
   • You should see a 400 error page with guidance to use --customer-account-push and a *.tryhydrogen.dev URL.
5. Start dev with tunneling (--customer-account-push) and open the provided *.tryhydrogen.dev URL.
6. Verify /account continues into normal Customer Account login flow.

Post-merge steps

None.

Checklist

• I've read the Contributing Guidelines
• I've considered possible cross-platform impacts (Mac, Linux, Windows)
• I've added a changeset if this PR contains user-facing or noteworthy changes
• I've added tests to cover my changes
• I've added or updated the documentation

[shopify]

Oxygen deployed a preview of your fb-better-feedback-for-cap branch. Details:

Storefront	Status	Preview link	Deployment details	Last update (UTC)
Skeleton (skeleton.hydrogen.shop)	✅ Successful (Logs)	Preview deployment	Inspect deployment	February 26, 2026 6:51 PM

Learn more about Hydrogen's GitHub integration.

[kdaviduik]

massive DX improvement ❤️

[kdaviduik]

I think we should add expect.assertions(3) at the top of this test as a defensive measure. If the code under test were refactored to no longer throw, the catch block would never execute and the test would silently pass with zero assertions.

Suggested change

	it('Throws guidance error in development when request origin is not a tunnel', async () => {
	process.env.NODE_ENV = 'development';
	const customer = createCustomerAccountClient({
	session,
	customerAccountId: 'customerAccountId',
	shopId: '1',
	request: new Request('https://localhost'),
	waitUntil: vi.fn(),
	});
	try {
	await customer.login();
	} catch (error) {
	const response = error as Response & {message?: string};
	expect(response.status).toBe(400);
	expect(response.message).toContain('--customer-account-push');
	expect(response.message).toContain('.tryhydrogen.dev');
	}
	it('Throws guidance error in development when request origin is not a tunnel', async () => {
	expect.assertions(3);
	process.env.NODE_ENV = 'development';
	const customer = createCustomerAccountClient({
	session,
	customerAccountId: 'customerAccountId',
	shopId: '1',
	request: new Request('https://localhost'),
	waitUntil: vi.fn(),
	});
	try {
	await customer.login();
	} catch (error) {
	const response = error as Response & {message?: string};
	expect(response.status).toBe(400);
	expect(response.message).toContain('--customer-account-push');
	expect(response.message).toContain('.tryhydrogen.dev');
	}
	});

Same applies to the handleAuthStatus() test at line 1304. This is a pre-existing pattern throughout the file (~6 other tests use the same try/catch without expect.assertions()), so not unique to this PR - I'm fine with this being a follow-up as long as it gets done :)

[kdaviduik]

(threading) Re: the customAuthStatusHandler asymmetry (lines 137-139) - this check in login() always fires regardless of whether a customAuthStatusHandler is provided, but the check in defaultAuthStatusHandler is bypassed when a custom handler is set.

non-blocking: This asymmetry is actually correct - login() initiates an OAuth redirect that fundamentally requires a publicly reachable URL, so the tunnel check is always relevant. A customAuthStatusHandler might intentionally handle the non-tunnel case differently (e.g., a mock or test double). I think a brief code comment explaining this rationale would help future readers.

[fredericoo]

i’ve added this check whenever ifInvalidCredentialThrowError() is placed. this seems to be the most reliable way: nowhere that needs a valid credential will work without it being tunnelled

do you think this is a good assumption?

[kdaviduik]

yeah that sounds reasonable to me!

[kdaviduik]

note: these commands can also be aliased as just h2 dev rather than shopify hydrogen dev. i don't think the message needs to be updated but if you can think of a good way to communicate that either one works, go for it

[fredericoo]

thats very fair

i made it more generic just mentioning to use the flag. if they got to this screen it means they know how to start the dev server, and however they did, they can just add the flag to the end

[kdaviduik]

yep exactly, i think that's super reasonable!

[kdaviduik]

i trust you, though i'm not able to 🎩 this - i'm seeing this error. both with mock shop and a shop linked. i will investigate more tomorrow - this is also happening to be on main

[fredericoo]

i trust you, though i'm not able to 🎩 this - i'm seeing this error. both with mock shop and a shop linked. i will investigate more tomorrow - this is also happening to be on main

yeah this is a real issue: if you are logged in or have a token you get a 500 instead, working on it!

[binks-code-reviewer]

🤖 Code Review · #projects-dev-ai for questions
React with 👍/👎 or reply — all feedback helps improve the agent.

✅ Complete - No issues

📋 History

✅ No issues → ✅ No issues → ✅ No issues

[fredericoo]

i’ve opted to place all the logic in this function instead of lots of ifs

when vite bundles this it’ll become a noop function so it is fine, although it adds a few bytes to the bundle we will survive

[fredericoo]

this read a little broken english, right?

[kdaviduik]

agreed. "...have valid credentials..." reads even better to me. the singular "credential" feels a bit off to me

[fredericoo]

conversation starter:

this type was wrong. this function is async, and it does not return DataFunctionValue (which includes Response). those things are thrown today

I think i should leave this alone in this PR (revert this change) and we fix it later, with a changelog.

this also is impacting whenever we call handleAuthStatus() which is in many loaders within skeletons. they have a race condition: if they get processed in due time, the response (redirect) will be thrown, otherwise not

[kdaviduik]

I think i should leave this alone in this PR (revert this change) and we fix it later, with a changelog.

nice catch and that sounds great! i'd definitely vote to fix it. i'm fine either way - whether you want to fix it in this PR or as a follow up. but if this gets fixed in this PR the changeset should definitely be updated to mention it

[kdaviduik]

non-blocking: these tests work correctly because the test file globally stubs Response with a mock class at lines 26-38 that stores the constructor's body argument as .message. This is a pre-existing test pattern, not something this PR introduced.

The tests are correct and pass as intended. However, .message is a non-standard property that only exists due to this mock - the standard Response Web API doesn't have it. If the test environment or mock strategy ever changes, these assertions would silently break. Using await response.text() would be the spec-compliant approach, but since this follows the existing pattern throughout the file, I'm fine with this shipping as-is.

[kdaviduik]

non-blocking: I think a brief comment here would help future maintainers understand the coupling between this check and the tunnel infrastructure:

Suggested change

	if (!hostname.endsWith('.tryhydrogen.dev')) {
	// This domain must match the tunnel domain provisioned by --customer-account-push.
	// If the tunnel infrastructure changes domains, update this check.
	if (!hostname.endsWith('.tryhydrogen.dev')) {

Extracting to a named constant (e.g., TUNNEL_DOMAIN_SUFFIX) would also reduce the magic string, but a comment is sufficient for a single-use constant imo

[kdaviduik]

non-blocking, very minor polish: a developer seeing this error has NOT yet started with the --customer-account-push flag. The sequencing might read slightly more naturally as "Restart your development server with the --customer-account-push flag..." since the implicit step is "stop your current server, restart with the flag."

[kdaviduik]

yep exactly, i think that's super reasonable!

[kdaviduik]

yeah that sounds reasonable to me!

[kdaviduik]

I think i should leave this alone in this PR (revert this change) and we fix it later, with a changelog.

nice catch and that sounds great! i'd definitely vote to fix it. i'm fine either way - whether you want to fix it in this PR or as a follow up. but if this gets fixed in this PR the changeset should definitely be updated to mention it