fix(cli): fail gracefully on invalid scope:team format

serhalp · serhalp · commit 857a668a0a1f · 2026-01-25T18:55:38.000-05:00
The `/team/:scopeTeam/users` endpoint was letting validation errors from `validateScopeTeam` bubble up
as an unhandled 500 response with an unhandled rejection logged to the console. Now it catches and
returns a proper 400 with a helpful message, and logs the full error.
diff --git a/cli/src/server.ts b/cli/src/server.ts
@@ -3,6 +3,7 @@ import { H3, HTTPError, handleCors, type H3Event } from 'h3-next'
 import type { CorsOptions } from 'h3-next'
 
 import type { ConnectorState, PendingOperation, OperationType, ApiResponse } from './types.ts'
+import { logWarning } from './logger.ts'
 import {
   getNpmUser,
   orgAddUser,
@@ -20,6 +21,7 @@ import {
   ownerAdd,
   ownerRemove,
   packageInit,
+  validateScopeTeam,
   type NpmExecResult,
 } from './npm-client.ts'
 
@@ -447,6 +449,18 @@ export function createConnectorApp(expectedToken: string) {
     // Decode the team name (handles encoded colons like nuxt%3Adevelopers)
     const scopeTeam = decodeURIComponent(scopeTeamRaw)
 
+    try {
+      validateScopeTeam(scopeTeam)
+    } catch (err) {
+      logWarning(
+        `Invalid scope:team format: ${scopeTeam} - ${err instanceof Error ? err.message : err}`,
+      )
+      throw new HTTPError({
+        statusCode: 400,
+        message: `Invalid scope:team format: ${scopeTeam}. Expected @scope:team`,
+      })
+    }
+
     const result = await teamListUsers(scopeTeam)
     if (result.exitCode !== 0) {
       return {
diff --git a/test/unit/cli-server.spec.ts b/test/unit/cli-server.spec.ts
@@ -0,0 +1,32 @@
+import { describe, expect, it } from 'vitest'
+import { createConnectorApp } from '../../cli/src/server.ts'
+
+const TEST_TOKEN = 'test-token-123'
+
+describe('connector server', () => {
+  describe('GET /team/:scopeTeam/users', () => {
+    it('returns 400 for invalid scope:team format (missing @ prefix)', async () => {
+      const app = createConnectorApp(TEST_TOKEN)
+
+      const response = await app.fetch(
+        new Request('http://localhost/team/netlify%3Adevelopers/users', {
+          headers: { Authorization: `Bearer ${TEST_TOKEN}` },
+        }),
+      )
+
+      expect(response.status).toBe(400)
+      const body = await response.json()
+      expect(body.message).toContain('Invalid scope:team format')
+    })
+
+    it('returns 401 without auth token', async () => {
+      const app = createConnectorApp(TEST_TOKEN)
+
+      const response = await app.fetch(
+        new Request('http://localhost/team/@netlify%3Adevelopers/users'),
+      )
+
+      expect(response.status).toBe(401)
+    })
+  })
+})
