Fix integration proxy endpoint to properly forward upstream error status codes

Copilot · JoshFerge · Copilot · commit 95e94d37d713 · 2026-03-12T22:31:01.000Z
Fixes SENTRY-5K7H

When the integration proxy endpoint (Relay's forward endpoint) forwards
requests to upstream services like GitHub and those services return error
status codes (e.g. 403 Forbidden due to IP allow-list restrictions),
Relay was converting those errors to 500 Internal Server Error responses
instead of passing through the actual status code.

The root cause was in `UpstreamRequestError::IntoResponse` where the
wildcard catch-all `_ =&gt; StatusCode::INTERNAL_SERVER_ERROR` was matching
`ResponseError(status, _)` and `RateLimited(_)` variants, discarding the
actual upstream status code.

Fix: Explicitly handle `ResponseError` and `RateLimited` before the
wildcard so that:
- `ResponseError(status, _)` returns the actual upstream HTTP status code
- `RateLimited(_)` returns 429 Too Many Requests
- Internal errors (`NoCredentials`, `ChannelClosed`, `AuthDenied`) still
  return 500 via the wildcard

Co-authored-by: JoshFerge &lt;1976777+JoshFerge@users.noreply.github.com&gt;
diff --git a/relay-server/src/services/upstream.rs b/relay-server/src/services/upstream.rs
@@ -226,6 +226,11 @@ impl IntoResponse for UpstreamRequestError {
                     StatusCode::BAD_GATEWAY.into_response()
                 }
             }
+            // Proxy the upstream status code so clients receive the actual error (e.g. a 403
+            // from GitHub) rather than a generic 500.
+            Self::RateLimited(_) => StatusCode::TOO_MANY_REQUESTS.into_response(),
+            Self::ResponseError(status, _) => status.into_response(),
+            // NoCredentials, ChannelClosed, and AuthDenied are all internal errors.
             _ => StatusCode::INTERNAL_SERVER_ERROR.into_response(),
         }
     }
diff --git a/tests/integration/test_forwarding.py b/tests/integration/test_forwarding.py
@@ -118,3 +118,26 @@ def hi():
 
     response = relay.get("/api/test/timeout")
     assert response.status_code == 504
+
+
+@pytest.mark.parametrize(
+    "upstream_status",
+    [403, 404, 429, 500, 503],
+    ids=["forbidden", "not_found", "rate_limited", "server_error", "service_unavailable"],
+)
+def test_forwarding_error_status_codes(upstream_status, mini_sentry, relay):
+    """Test that Relay forwards error status codes from the upstream without converting them to 500."""
+    mini_sentry.fail_on_relay_error = False
+
+    @mini_sentry.app.route("/api/test/error-status")
+    def error_response():
+        return Response(
+            b'{"detail": "upstream error"}',
+            status=upstream_status,
+            content_type="application/json",
+        )
+
+    relay = relay(mini_sentry)
+
+    response = relay.get("/api/test/error-status")
+    assert response.status_code == upstream_status

Original file line number	Diff line number	Diff line change
`@@ -226,6 +226,11 @@ impl IntoResponse for UpstreamRequestError {`
`226`	`226`	`StatusCode::BAD_GATEWAY.into_response()`
`227`	`227`	`}`
`228`	`228`	`}`
	`229`	`+ // Proxy the upstream status code so clients receive the actual error (e.g. a 403`
	`230`	`+ // from GitHub) rather than a generic 500.`
	`231`	`+ Self::RateLimited(_) => StatusCode::TOO_MANY_REQUESTS.into_response(),`
	`232`	`+ Self::ResponseError(status, _) => status.into_response(),`
	`233`	`+ // NoCredentials, ChannelClosed, and AuthDenied are all internal errors.`
`229`	`234`	`_ => StatusCode::INTERNAL_SERVER_ERROR.into_response(),`
`230`	`235`	`}`
`231`	`236`	`}`