Make sure to consume HTTP error response bodies (#1173)

GreenStage · Eduardo Gomes · felixweinberger · web-flow · commit 466483f25df5 · 2025-11-26T15:52:56.000Z
Co-authored-by: Eduardo Gomes &lt;egomes@cloudflare.com&gt;
Co-authored-by: Felix Weinberger &lt;fweinberger@anthropic.com&gt;
Co-authored-by: Felix Weinberger &lt;3823880+felixweinberger@users.noreply.github.com&gt;
diff --git a/src/client/auth.ts b/src/client/auth.ts
@@ -625,10 +625,12 @@ export async function discoverOAuthProtectedResourceMetadata(
     });
 
     if (!response || response.status === 404) {
+        await response?.body?.cancel();
         throw new Error(`Resource server does not implement OAuth 2.0 Protected Resource Metadata.`);
     }
 
     if (!response.ok) {
+        await response.body?.cancel();
         throw new Error(`HTTP ${response.status} trying to load well-known OAuth protected resource metadata.`);
     }
     return OAuthProtectedResourceMetadataSchema.parse(await response.json());
@@ -756,10 +758,12 @@ export async function discoverOAuthMetadata(
     });
 
     if (!response || response.status === 404) {
+        await response?.body?.cancel();
         return undefined;
     }
 
     if (!response.ok) {
+        await response.body?.cancel();
         throw new Error(`HTTP ${response.status} trying to load well-known OAuth metadata`);
     }
 
@@ -869,6 +873,7 @@ export async function discoverAuthorizationServerMetadata(
         }
 
         if (!response.ok) {
+            await response.body?.cancel();
             // Continue looking for any 4xx response code.
             if (response.status >= 400 && response.status < 500) {
                 continue; // Try next URL
diff --git a/src/client/sse.ts b/src/client/sse.ts
@@ -253,6 +253,8 @@ export class SSEClientTransport implements Transport {
 
             const response = await (this._fetch ?? fetch)(this._endpoint, init);
             if (!response.ok) {
+                const text = await response.text().catch(() => null);
+
                 if (response.status === 401 && this._authProvider) {
                     const { resourceMetadataUrl, scope } = extractWWWAuthenticateParams(response);
                     this._resourceMetadataUrl = resourceMetadataUrl;
@@ -272,7 +274,6 @@ export class SSEClientTransport implements Transport {
                     return this.send(message);
                 }
 
-                const text = await response.text().catch(() => null);
                 throw new Error(`Error POSTing to endpoint (HTTP ${response.status}): ${text}`);
             }
         } catch (error) {
diff --git a/src/client/streamableHttp.test.ts b/src/client/streamableHttp.test.ts
@@ -582,11 +582,13 @@ describe('StreamableHTTPClientTransport', () => {
                 ok: false,
                 status: 401,
                 statusText: 'Unauthorized',
-                headers: new Headers()
+                headers: new Headers(),
+                text: async () => Promise.reject('dont read my body')
             })
             .mockResolvedValue({
                 ok: false,
-                status: 404
+                status: 404,
+                text: async () => Promise.reject('dont read my body')
             });
 
         await expect(transport.send(message)).rejects.toThrow(UnauthorizedError);
@@ -883,7 +885,8 @@ describe('StreamableHTTPClientTransport', () => {
             ok: false,
             status: 401,
             statusText: 'Unauthorized',
-            headers: new Headers()
+            headers: new Headers(),
+            text: async () => Promise.reject('dont read my body')
         };
         (global.fetch as Mock)
             // Initial connection
@@ -936,7 +939,8 @@ describe('StreamableHTTPClientTransport', () => {
             ok: false,
             status: 401,
             statusText: 'Unauthorized',
-            headers: new Headers()
+            headers: new Headers(),
+            text: async () => Promise.reject('dont read my body')
         };
         (global.fetch as Mock)
             // Initial connection
@@ -962,7 +966,8 @@ describe('StreamableHTTPClientTransport', () => {
             // Fallback should fail to complete the flow
             .mockResolvedValue({
                 ok: false,
-                status: 404
+                status: 404,
+                text: async () => Promise.reject('dont read my body')
             });
 
         await expect(transport.send(message)).rejects.toThrow(UnauthorizedError);
@@ -987,7 +992,8 @@ describe('StreamableHTTPClientTransport', () => {
             ok: false,
             status: 401,
             statusText: 'Unauthorized',
-            headers: new Headers()
+            headers: new Headers(),
+            text: async () => Promise.reject('dont read my body')
         };
         (global.fetch as Mock)
             // Initial connection
@@ -1013,7 +1019,8 @@ describe('StreamableHTTPClientTransport', () => {
             // Fallback should fail to complete the flow
             .mockResolvedValue({
                 ok: false,
-                status: 404
+                status: 404,
+                text: async () => Promise.reject('dont read my body')
             });
 
         await expect(transport.send(message)).rejects.toThrow(UnauthorizedError);
@@ -1026,7 +1033,8 @@ describe('StreamableHTTPClientTransport', () => {
                 ok: false,
                 status: 401,
                 statusText: 'Unauthorized',
-                headers: new Headers()
+                headers: new Headers(),
+                text: async () => Promise.reject('dont read my body')
             };
 
             // Create custom fetch
@@ -1328,7 +1336,8 @@ describe('StreamableHTTPClientTransport', () => {
                 ok: false,
                 status: 401,
                 statusText: 'Unauthorized',
-                headers: new Headers()
+                headers: new Headers(),
+                text: async () => Promise.reject('dont read my body')
             };
 
             (global.fetch as Mock)
diff --git a/src/client/streamableHttp.ts b/src/client/streamableHttp.ts
@@ -223,6 +223,8 @@ export class StreamableHTTPClientTransport implements Transport {
             });
 
             if (!response.ok) {
+                await response.body?.cancel();
+
                 if (response.status === 401 && this._authProvider) {
                     // Need to authenticate
                     return await this._authThenStart();
@@ -463,6 +465,8 @@ export class StreamableHTTPClientTransport implements Transport {
             }
 
             if (!response.ok) {
+                const text = await response.text().catch(() => null);
+
                 if (response.status === 401 && this._authProvider) {
                     // Prevent infinite recursion when server returns 401 after successful auth
                     if (this._hasCompletedAuthFlow) {
@@ -525,7 +529,6 @@ export class StreamableHTTPClientTransport implements Transport {
                     }
                 }
 
-                const text = await response.text().catch(() => null);
                 throw new Error(`Error POSTing to endpoint (HTTP ${response.status}): ${text}`);
             }
 
@@ -535,6 +538,7 @@ export class StreamableHTTPClientTransport implements Transport {
 
             // If the response is 202 Accepted, there's no body to process
             if (response.status === 202) {
+                await response.body?.cancel();
                 // if the accepted notification is initialized, we start the SSE stream
                 // if it's supported by the server
                 if (isInitializedNotification(message)) {
@@ -609,6 +613,7 @@ export class StreamableHTTPClientTransport implements Transport {
             };
 
             const response = await (this._fetch ?? fetch)(this._url, init);
+            await response.body?.cancel();
 
             // We specifically handle 405 as a valid response according to the spec,
             // meaning the server does not support explicit session termination
diff --git a/src/examples/server/elicitationUrlExample.ts b/src/examples/server/elicitationUrlExample.ts
@@ -253,7 +253,8 @@ const tokenVerifier = {
         });
 
         if (!response.ok) {
-            throw new Error(`Invalid or expired token: ${await response.text()}`);
+            const text = await response.text().catch(() => null);
+            throw new Error(`Invalid or expired token: ${text}`);
         }
 
         const data = await response.json();
diff --git a/src/examples/server/simpleStreamableHttp.ts b/src/examples/server/simpleStreamableHttp.ts
@@ -485,7 +485,8 @@ if (useOAuth) {
             });
 
             if (!response.ok) {
-                throw new Error(`Invalid or expired token: ${await response.text()}`);
+                const text = await response.text().catch(() => null);
+                throw new Error(`Invalid or expired token: ${text}`);
             }
 
             const data = await response.json();
diff --git a/src/server/auth/providers/proxyProvider.ts b/src/server/auth/providers/proxyProvider.ts
@@ -84,6 +84,7 @@ export class ProxyOAuthServerProvider implements OAuthServerProvider {
                     },
                     body: params.toString()
                 });
+                await response.body?.cancel();
 
                 if (!response.ok) {
                     throw new ServerError(`Token revocation failed: ${response.status}`);
@@ -107,6 +108,7 @@ export class ProxyOAuthServerProvider implements OAuthServerProvider {
                     });
 
                     if (!response.ok) {
+                        await response.body?.cancel();
                         throw new ServerError(`Client registration failed: ${response.status}`);
                     }
 
@@ -181,6 +183,7 @@ export class ProxyOAuthServerProvider implements OAuthServerProvider {
         });
 
         if (!response.ok) {
+            await response.body?.cancel();
             throw new ServerError(`Token exchange failed: ${response.status}`);
         }
 
@@ -221,6 +224,7 @@ export class ProxyOAuthServerProvider implements OAuthServerProvider {
         });
 
         if (!response.ok) {
+            await response.body?.cancel();
             throw new ServerError(`Token refresh failed: ${response.status}`);
         }
 

Original file line number	Diff line number	Diff line change
`@@ -625,10 +625,12 @@ export async function discoverOAuthProtectedResourceMetadata(`
`625`	`625`	`});`
`626`	`626`
`627`	`627`	`if (!response \|\| response.status === 404) {`
	`628`	`+ await response?.body?.cancel();`
`628`	`629`	throw new Error(`Resource server does not implement OAuth 2.0 Protected Resource Metadata.`);
`629`	`630`	`}`
`630`	`631`
`631`	`632`	`if (!response.ok) {`
	`633`	`+ await response.body?.cancel();`
`632`	`634`	throw new Error(`HTTP ${response.status} trying to load well-known OAuth protected resource metadata.`);
`633`	`635`	`}`
`634`	`636`	`return OAuthProtectedResourceMetadataSchema.parse(await response.json());`
`@@ -756,10 +758,12 @@ export async function discoverOAuthMetadata(`
`756`	`758`	`});`
`757`	`759`
`758`	`760`	`if (!response \|\| response.status === 404) {`
	`761`	`+ await response?.body?.cancel();`
`759`	`762`	`return undefined;`
`760`	`763`	`}`
`761`	`764`
`762`	`765`	`if (!response.ok) {`
	`766`	`+ await response.body?.cancel();`
`763`	`767`	throw new Error(`HTTP ${response.status} trying to load well-known OAuth metadata`);
`764`	`768`	`}`
`765`	`769`
`@@ -869,6 +873,7 @@ export async function discoverAuthorizationServerMetadata(`
`869`	`873`	`}`
`870`	`874`
`871`	`875`	`if (!response.ok) {`
	`876`	`+ await response.body?.cancel();`
`872`	`877`	`// Continue looking for any 4xx response code.`
`873`	`878`	`if (response.status >= 400 && response.status < 500) {`
`874`	`879`	`continue; // Try next URL`
Original file line number	Diff line number	Diff line change
`@@ -253,6 +253,8 @@ export class SSEClientTransport implements Transport {`
`253`	`253`
`254`	`254`	`const response = await (this._fetch ?? fetch)(this._endpoint, init);`
`255`	`255`	`if (!response.ok) {`
	`256`	`+ const text = await response.text().catch(() => null);`
	`257`	`+`
`256`	`258`	`if (response.status === 401 && this._authProvider) {`
`257`	`259`	`const { resourceMetadataUrl, scope } = extractWWWAuthenticateParams(response);`
`258`	`260`	`this._resourceMetadataUrl = resourceMetadataUrl;`
`@@ -272,7 +274,6 @@ export class SSEClientTransport implements Transport {`
`272`	`274`	`return this.send(message);`
`273`	`275`	`}`
`274`	`276`
`275`		`- const text = await response.text().catch(() => null);`
`276`	`277`	throw new Error(`Error POSTing to endpoint (HTTP ${response.status}): ${text}`);
`277`	`278`	`}`
`278`	`279`	`} catch (error) {`
Original file line number	Diff line number	Diff line change
`@@ -253,7 +253,8 @@ const tokenVerifier = {`
`253`	`253`	`});`
`254`	`254`
`255`	`255`	`if (!response.ok) {`
`256`		- throw new Error(`Invalid or expired token: ${await response.text()}`);
	`256`	`+ const text = await response.text().catch(() => null);`
	`257`	+ throw new Error(`Invalid or expired token: ${text}`);
`257`	`258`	`}`
`258`	`259`
`259`	`260`	`const data = await response.json();`
Original file line number	Diff line number	Diff line change
`@@ -485,7 +485,8 @@ if (useOAuth) {`
`485`	`485`	`});`
`486`	`486`
`487`	`487`	`if (!response.ok) {`
`488`		- throw new Error(`Invalid or expired token: ${await response.text()}`);
	`488`	`+ const text = await response.text().catch(() => null);`
	`489`	+ throw new Error(`Invalid or expired token: ${text}`);
`489`	`490`	`}`
`490`	`491`
`491`	`492`	`const data = await response.json();`