Merge branch 'main' into push-oxmlnmluomut

Author: gpanders

.changeset/thick-meals-cheat.md

@@ -0,0 +1,5 @@
+---
+"wrangler": patch
+---
+
+Make Wrangler warn more loudly if you're missing auth scopes

packages/vite-plugin-cloudflare/CHANGELOG.md

@@ -4,6 +4,10 @@
 
 ### Minor Changes
 
+-   [#9535](https://github.com/cloudflare/workers-sdk/pull/9535) [`56dc5c4`](https://github.com/cloudflare/workers-sdk/commit/56dc5c4946417df12688dd6b2374835f60c14be6) Thanks [@penalosa](https://github.com/penalosa)! - In 2023 we announced [breakpoint debugging support](https://blog.cloudflare.com/debugging-cloudflare-workers/) for Workers, which meant that you could easily debug your Worker code in Wrangler's built-in devtools (accessible via the `[d]` hotkey) as well as multiple other devtools clients, [including VSCode](https://developers.cloudflare.com/workers/observability/dev-tools/breakpoints/). For most developers, breakpoint debugging via VSCode is the most natural flow, but until now it's required [manually configuring a `launch.json` file](https://developers.cloudflare.com/workers/observability/dev-tools/breakpoints/#setup-vs-code-to-use-breakpoints), running `wrangler dev`, and connecting via VSCode's built-in debugger.
+
+    Now, using VSCode's built-in [JavaScript Debug Terminals](https://code.visualstudio.com/docs/nodejs/nodejs-debugging#_javascript-debug-terminal), there are just two steps: open a JS debug terminal and run `vite dev` or `vite preview`. VSCode will automatically connect to your running Worker (even if you're running multiple Workers at once!) and start a debugging session.
+
 - [#9803](https://github.com/cloudflare/workers-sdk/pull/9803) [`df04528`](https://github.com/cloudflare/workers-sdk/commit/df0452892dc85133c557c4daff68508d7fdee77a) Thanks [@penalosa](https://github.com/penalosa)! - Support Workers Analytics Engine & Rate Limiting bindings
 
 ### Patch Changes

packages/wrangler/src/__tests__/whoami.test.ts

@@ -246,8 +246,30 @@ describe("whoami", () => {
 			├─┼─┤
 			│ Account Three │ account-3 │
 			└─┴─┘
-			🔓 Token Permissions: If scopes are missing, you may need to logout and re-login.
+			🔓 Token Permissions:
 			Scope (Access)
+
+			▲ [WARNING] Wrangler is missing some expected Oauth scopes. To fix this, run \`wrangler login\` to refresh your token. The missing scopes are:
+
+			  - account:read
+			  - user:read
+			  - workers:write
+			  - workers_kv:write
+			  - workers_routes:write
+			  - workers_scripts:write
+			  - workers_tail:read
+			  - d1:write
+			  - pages:write
+			  - zone:read
+			  - ssl_certs:write
+			  - ai:write
+			  - queues:write
+			  - pipelines:write
+			  - secrets_store:write
+			  - containers:write
+			  - cloudchamber:write
+
+
 			🎢 Membership roles in \\"Account Two\\": Contact account super admin to change your permissions.
 			- Test role"
 		`);
@@ -280,8 +302,30 @@ describe("whoami", () => {
 			├─┼─┤
 			│ Account Three │ account-3 │
 			└─┴─┘
-			🔓 Token Permissions: If scopes are missing, you may need to logout and re-login.
+			🔓 Token Permissions:
 			Scope (Access)
+
+			▲ [WARNING] Wrangler is missing some expected Oauth scopes. To fix this, run \`wrangler login\` to refresh your token. The missing scopes are:
+
+			  - account:read
+			  - user:read
+			  - workers:write
+			  - workers_kv:write
+			  - workers_routes:write
+			  - workers_scripts:write
+			  - workers_tail:read
+			  - d1:write
+			  - pages:write
+			  - zone:read
+			  - ssl_certs:write
+			  - ai:write
+			  - queues:write
+			  - pipelines:write
+			  - secrets_store:write
+			  - containers:write
+			  - cloudchamber:write
+
+
 			🎢 Unable to get membership roles. Make sure you have permissions to read the account. Are you missing the \`User->Memberships->Read\` permission?"
 		`);
 	});

packages/wrangler/src/cloudchamber/build.ts

@@ -190,7 +190,7 @@ export async function buildAndMaybePush(
 		return { image: imageTag, pushed: pushed };
 	} catch (error) {
 		if (error instanceof Error) {
-			throw new UserError(error.message);
+			throw new UserError(error.message, { cause: error });
 		}
 		throw new UserError("An unknown error occurred");
 	}

packages/wrangler/src/index.ts

@@ -1,5 +1,7 @@
+import assert from "node:assert";
 import os from "node:os";
 import { setTimeout } from "node:timers/promises";
+import { ApiError } from "@cloudflare/containers-shared";
 import chalk from "chalk";
 import { ProxyAgent, setGlobalDispatcher } from "undici";
 import makeCLI from "yargs";
@@ -1508,10 +1510,22 @@ export async function main(argv: string[]): Promise<void> {
 			// The workaround is to re-run the parsing with an additional `--help` flag, which will result in the correct help message being displayed.
 			// The `wrangler` object is "frozen"; we cannot reuse that with different args, so we must create a new CLI parser to generate the help message.
 			await createCLIParser([...argv, "--help"]).parse();
-		} else if (isAuthenticationError(e)) {
+		} else if (
+			isAuthenticationError(e) ||
+			// Is this a Containers/Cloudchamber-based auth error?
+			// This is different because it uses a custom OpenAPI-based generated client
+			(e instanceof UserError &&
+				e.cause instanceof ApiError &&
+				e.cause.status === 403)
+		) {
 			mayReport = false;
 			errorType = "AuthenticationError";
-			logger.log(formatMessage(e));
+			if (e.cause instanceof ApiError) {
+				logger.error(e.cause);
+			} else {
+				assert(isAuthenticationError(e));
+				logger.log(formatMessage(e));
+			}
 			const envAuth = getAuthFromEnv();
 			if (envAuth !== undefined && "apiToken" in envAuth) {
 				const message =

packages/wrangler/src/user/whoami.ts

@@ -3,9 +3,10 @@ import { fetchPagedListResult, fetchResult } from "../cfetch";
 import { isAuthenticationError } from "../deploy/deploy";
 import { getCloudflareComplianceRegion } from "../environment-variables/misc-variables";
 import { logger } from "../logger";
+import { formatMessage } from "../parse";
 import { fetchMembershipRoles } from "./membership";
-import { getAPIToken, getAuthFromEnv, getScopes } from ".";
-import type { ApiCredentials } from ".";
+import { DefaultScopeKeys, getAPIToken, getAuthFromEnv, getScopes } from ".";
+import type { ApiCredentials, Scope } from ".";
 import type { ComplianceConfig } from "../environment-variables/misc-variables";
 
 export async function whoami(
@@ -80,13 +81,30 @@ function printTokenPermissions(user: UserInfo) {
 			`🔓 To see token permissions visit https://dash.cloudflare.com/${user.authType === "User API Token" ? "profile" : user.accounts[0].id}/api-tokens.`
 		);
 	}
-	logger.log(
-		`🔓 Token Permissions: If scopes are missing, you may need to logout and re-login.`
-	);
+	logger.log(`🔓 Token Permissions:`);
 	logger.log(`Scope (Access)`);
+
+	// This Set contains all the scopes we expect to see (that Wrangler requests by default)
+	const expectedScopes = new Set(DefaultScopeKeys);
 	for (const [scope, access] of permissions) {
+		// We'll remove scopes from the set of scopes that we expect to see when we see them in the API response
+		expectedScopes.delete(`${scope}:${access}` as Scope);
 		logger.log(`- ${scope} ${access ? `(${access})` : ``}`);
 	}
+
+	// If we've iterated through all scopes in the API response and there are still expected scopes remaining,
+	// then we know that Wrangler may not behave as expected since the current token doesn't have all the expected scopes
+	// Warn, and tell the user how to fix it
+	if (expectedScopes.size > 0) {
+		logger.log("");
+		logger.log(
+			formatMessage({
+				text: "Wrangler is missing some expected Oauth scopes. To fix this, run `wrangler login` to refresh your token. The missing scopes are:",
+				kind: "warning",
+				notes: [...expectedScopes.values()].map((s) => ({ text: `- ${s}` })),
+			})
+		);
+	}
 }
 
 async function printMembershipInfo(