containers: Throw a better error when there is no containers scope in the API token (#9731)

Author: gabivlj

.changeset/busy-planets-accept.md

@@ -0,0 +1,5 @@
+---
+"wrangler": patch
+---
+
+containers: Check for container scopes before running a container command to give a better error

packages/wrangler/src/__tests__/cloudchamber/build.test.ts

@@ -40,14 +40,14 @@ describe("buildAndMaybePush", () => {
 	runInTempDir();
 	mockApiToken();
 	mockAccountId();
-	mockAccount();
 
 	beforeEach(() => {
 		vi.clearAllMocks();
 		vi.mocked(dockerImageInspect).mockResolvedValue("53387881 2 []");
 		mkdirSync("./container-context");
 
 		writeFileSync("./container-context/Dockerfile", dockerfile);
+		mockAccount();
 	});
 	afterEach(() => {
 		vi.clearAllMocks();

packages/wrangler/src/__tests__/cloudchamber/utils.ts

@@ -1,6 +1,7 @@
 import * as fs from "node:fs";
 import * as TOML from "@iarna/toml";
 import { http, HttpResponse } from "msw";
+import * as user from "../../user";
 import { msw } from "../helpers/msw";
 import type { CloudchamberConfig } from "../../config/environment";
 
@@ -17,6 +18,9 @@ export function setWranglerConfig(cloudchamber: CloudchamberConfig) {
 }
 
 export function mockAccount() {
+	const spy = vi.spyOn(user, "getScopes");
+	spy.mockImplementationOnce(() => ["cloudchamber:write", "containers:write"]);
+
 	msw.use(
 		http.get(
 			"*/me",
@@ -33,7 +37,10 @@ export function mockAccount() {
 	);
 }
 
-export function mockAccountV4() {
+export function mockAccountV4(scopes: user.Scope[] = ["containers:write"]) {
+	const spy = vi.spyOn(user, "getScopes");
+	spy.mockImplementationOnce(() => scopes);
+
 	msw.use(
 		http.get(
 			"*/me",

packages/wrangler/src/__tests__/containers/info.test.ts

@@ -1,5 +1,6 @@
 import { http, HttpResponse } from "msw";
 import patchConsole from "patch-console";
+import * as user from "../../user";
 import { mockAccount, setWranglerConfig } from "../cloudchamber/utils";
 import { mockAccountId, mockApiToken } from "../helpers/mock-account-id";
 import { mockConsoleMethods } from "../helpers/mock-console";
@@ -45,6 +46,19 @@ describe("containers info", () => {
 		`);
 	});
 
+	it("should show the correct authentication error", async () => {
+		const spy = vi.spyOn(user, "getScopes");
+		spy.mockReset();
+		spy.mockImplementationOnce(() => []);
+		setIsTTY(false);
+		setWranglerConfig({});
+		await expect(
+			runWrangler("containers info asdf")
+		).rejects.toThrowErrorMatchingInlineSnapshot(
+			`[Error: You need 'containers:write', try logging in again or creating an appropiate API token]`
+		);
+	});
+
 	it("should show a single container when given an ID (json)", async () => {
 		setIsTTY(false);
 		setWranglerConfig({});

packages/wrangler/src/__tests__/deploy.test.ts

@@ -9155,6 +9155,56 @@ addEventListener('fetch', event => {});`
 				expect(std.warn).toMatchInlineSnapshot(`""`);
 			});
 
+			it("should error when no scope for containers", async () => {
+				mockContainersAccount([]);
+				writeWranglerConfig({
+					durable_objects: {
+						bindings: [
+							{
+								name: "EXAMPLE_DO_BINDING",
+								class_name: "ExampleDurableObject",
+							},
+						],
+					},
+					containers: [
+						{
+							image: "docker.io/hello:world",
+							name: "my-container",
+							instances: 10,
+							class_name: "ExampleDurableObject",
+						},
+					],
+					migrations: [
+						{ tag: "v1", new_sqlite_classes: ["ExampleDurableObject"] },
+					],
+				});
+				fs.writeFileSync(
+					"index.js",
+					`export class ExampleDurableObject {}; export default{};`
+				);
+				mockSubDomainRequest();
+				mockLegacyScriptData({
+					scripts: [{ id: "test-name", migration_tag: "v1" }],
+				});
+				mockUploadWorkerRequest({
+					expectedBindings: [
+						{
+							class_name: "ExampleDurableObject",
+							name: "EXAMPLE_DO_BINDING",
+							type: "durable_object_namespace",
+						},
+					],
+					useOldUploadApi: true,
+					expectedContainers: [{ class_name: "ExampleDurableObject" }],
+				});
+
+				await expect(
+					runWrangler("deploy index.js")
+				).rejects.toThrowErrorMatchingInlineSnapshot(
+					`[Error: You need 'containers:write', try logging in again or creating an appropiate API token]`
+				);
+			});
+
 			it("should support durable objects and D1", async () => {
 				writeWranglerConfig({
 					main: "index.js",

packages/wrangler/src/cloudchamber/common.ts

@@ -17,7 +17,7 @@ import { getCloudflareApiBaseUrl } from "../environment-variables/misc-variables
 import { UserError } from "../errors";
 import { isNonInteractiveOrCI } from "../is-interactive";
 import { logger } from "../logger";
-import { requireApiToken, requireAuth } from "../user";
+import { getScopes, printScopes, requireApiToken, requireAuth } from "../user";
 import { printWranglerBanner } from "../wrangler-banner";
 import { parseByteSize } from "./../parse";
 import { wrap } from "./helpers/wrap";
@@ -200,6 +200,15 @@ export async function fillOpenAPIConfiguration(
 
 	const accountId = await requireAuth(config);
 	const auth = requireApiToken();
+	const scopes = getScopes();
+	if (!scopes?.includes(scope)) {
+		logger.error(`You don't have '${scope}' in your list of scopes`);
+		printScopes(scopes ?? []);
+		throw new UserError(
+			`You need '${scope}', try logging in again or creating an appropiate API token`
+		);
+	}
+
 	addAuthorizationHeaderIfUnspecified(headers, auth);
 	addUserAgent(headers);
 

packages/wrangler/src/user/user.ts

@@ -1206,11 +1206,7 @@ export async function logout(): Promise<void> {
 
 export function listScopes(message = "💁 Available scopes:"): void {
 	logger.log(message);
-	const data = DefaultScopeKeys.map((scope: Scope) => ({
-		Scope: scope,
-		Description: DefaultScopes[scope],
-	}));
-	logger.table(data);
+	printScopes(DefaultScopeKeys);
 	// TODO: maybe a good idea to show usage here
 }
 
@@ -1324,6 +1320,15 @@ export function getScopes(): Scope[] | undefined {
 	return LocalState.scopes;
 }
 
+export function printScopes(scopes: Scope[]) {
+	const data = scopes.map((scope: Scope) => ({
+		Scope: scope,
+		Description: DefaultScopes[scope],
+	}));
+
+	logger.table(data);
+}
+
 /**
  * Make a request to the Cloudflare OAuth endpoint to get a token.
  *