fix(oauth): check for oauth error responses even when status code is 200

Certain providers (**cough** GitHub **cough**) return HTTP 200 responses
with an error in the body for their OAuth token exchange and
token refresh endpoints. Previously, we only checked for non-200 status
codes, which could lead to us missing the errors, attempting to
unmarshal the body as a token, failing to detect the error, and even
saving the empty token.

This commit attempts to unmarshal the body as an OAuth error response
even when the status code is 200. If the body is not an OAuth error
response, we fall back to the previous behavior.

Author: sd2k

client/transport/oauth.go

@@ -246,8 +246,21 @@ func (h *OAuthHandler) refreshToken(ctx context.Context, refreshToken string) (*
 		return nil, extractOAuthError(body, resp.StatusCode, "refresh token request failed")
 	}
 
+	// Read the response body for parsing
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read token response body: %w", err)
+	}
+
+	// GitHub returns HTTP 200 even for errors, with error details in the JSON body
+	// Check if the response contains an error field before parsing as Token
+	var oauthErr OAuthError
+	if err := json.Unmarshal(body, &oauthErr); err == nil && oauthErr.ErrorCode != "" {
+		return nil, extractOAuthError(body, resp.StatusCode, "refresh token request failed")
+	}
+
 	var tokenResp Token
-	if err := json.NewDecoder(resp.Body).Decode(&tokenResp); err != nil {
+	if err := json.Unmarshal(body, &tokenResp); err != nil {
 		return nil, fmt.Errorf("failed to decode token response: %w", err)
 	}
 
@@ -279,6 +292,17 @@ func (h *OAuthHandler) GetClientID() string {
 	return h.config.ClientID
 }
 
+// truncateToken returns first 10 chars of token for logging, or "(empty)" if empty
+func truncateToken(token string) string {
+	if token == "" {
+		return "(empty)"
+	}
+	if len(token) > 10 {
+		return token[:10]
+	}
+	return token
+}
+
 // extractOAuthError attempts to parse an OAuth error response from the response body
 func extractOAuthError(body []byte, statusCode int, context string) error {
 	// Try to parse the error as an OAuth error response
@@ -679,8 +703,21 @@ func (h *OAuthHandler) ProcessAuthorizationResponse(ctx context.Context, code, s
 		return extractOAuthError(body, resp.StatusCode, "token request failed")
 	}
 
+	// Read the response body for parsing
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return fmt.Errorf("failed to read token response body: %w", err)
+	}
+
+	// GitHub returns HTTP 200 even for errors, with error details in the JSON body
+	// Check if the response contains an error field before parsing as Token
+	var oauthErr OAuthError
+	if err := json.Unmarshal(body, &oauthErr); err == nil && oauthErr.ErrorCode != "" {
+		return extractOAuthError(body, resp.StatusCode, "token request failed")
+	}
+
 	var tokenResp Token
-	if err := json.NewDecoder(resp.Body).Decode(&tokenResp); err != nil {
+	if err := json.Unmarshal(body, &tokenResp); err != nil {
 		return fmt.Errorf("failed to decode token response: %w", err)
 	}