RHINENG-25551 fix(cost-management): surface SSO auth errors instead of silent failures (#2826)

* RHINENG-25551 fix(cost-management): surface SSO auth errors instead of silent failures

When the plugin is configured with invalid hybrid cloud service account
credentials, the UI previously showed a generic "Bad Gateway" or empty
table instead of an actionable error message.

- tokenUtil: extract SSO error details (error_description/error) from
  the response body instead of throwing bare HTTP status text
- secureProxy: return 502 with credential-specific message when SSO
  authentication fails, distinguishing it from other proxy errors
- OptimizationsClient & CostManagementSlimClient: read the error field
  from JSON response bodies on non-OK responses so the frontend
  displays the backend's descriptive message

Made-with: Cursor

* RHINENG-25551 refactor(cost-management): use custom error class for SSO auth failures

Replace brittle string-prefix matching with SsoAuthenticationError
class so secureProxy detects auth failures via instanceof instead of
message.startsWith(), making the contract compile-time enforced.

Made-with: Cursor

Author: PreetiW

workspaces/cost-management/plugins/cost-management-backend/src/routes/secureProxy.ts

@@ -25,7 +25,7 @@ import {
   costPluginPermissions,
 } from '@red-hat-developer-hub/plugin-cost-management-common/permissions';
 import { AuthorizeResult } from '@backstage/plugin-permission-common';
-import { getTokenFromApi } from '../util/tokenUtil';
+import { getTokenFromApi, SsoAuthenticationError } from '../util/tokenUtil';
 import { DEFAULT_COST_MANAGEMENT_PROXY_BASE_URL } from '../util/constant';
 import { resolveActor, emitAuditLog } from '../util/auditLog';
 
@@ -410,6 +410,15 @@ export const secureProxy: (options: RouterOptions) => RequestHandler =
       return res.send(await upstreamResponse.text());
     } catch (error) {
       options.logger.error('Secure proxy error', error);
+
+      if (error instanceof SsoAuthenticationError) {
+        return res.status(502).json({
+          error:
+            'Unable to authenticate with the hybrid cloud console. ' +
+            'Please check your service account credentials (clientId/clientSecret) in the RHDH Cost Management configuration.',
+        });
+      }
+
       return res.status(500).json({ error: 'Internal proxy error' });
     }
   };

workspaces/cost-management/plugins/cost-management-backend/src/util/tokenUtil.ts

@@ -18,6 +18,13 @@ import assert from 'assert';
 import { RouterOptions } from '../models/RouterOptions';
 import { DEFAULT_SSO_BASE_URL } from './constant';
 
+export class SsoAuthenticationError extends Error {
+  constructor(message: string, public readonly statusCode: number) {
+    super(message);
+    this.name = 'SsoAuthenticationError';
+  }
+}
+
 // Cache key for token storage
 const TOKEN_CACHE_KEY = 'sso_access_token';
 
@@ -100,7 +107,18 @@ export const getTokenFromApi = async (options: RouterOptions) => {
 
     logger.info(`Token cached, expires in ${expires_in} seconds`);
   } else {
-    throw new Error(rhSsoResponse.statusText);
+    let detail = '';
+    try {
+      const body = await rhSsoResponse.json();
+      detail = body.error_description || body.error || '';
+    } catch {
+      // response may not be JSON
+    }
+    const message = detail
+      ? `SSO authentication failed: ${detail}`
+      : `SSO authentication failed with status ${rhSsoResponse.status} (${rhSsoResponse.statusText})`;
+    logger.error(message);
+    throw new SsoAuthenticationError(message, rhSsoResponse.status);
   }
 
   return accessToken;

workspaces/cost-management/plugins/cost-management-common/src/clients/cost-management/CostManagementSlimClient.ts

@@ -88,7 +88,14 @@ export class CostManagementSlimClient implements CostManagementSlimApi {
     });
 
     if (!response.ok) {
-      throw new Error(response.statusText);
+      let message = response.statusText;
+      try {
+        const body = (await response.json()) as any;
+        if (body.error) message = body.error;
+      } catch {
+        // response may not be JSON
+      }
+      throw new Error(message);
     }
 
     // Get the response data
@@ -518,7 +525,14 @@ export class CostManagementSlimClient implements CostManagementSlimApi {
     });
 
     if (!response.ok) {
-      throw new Error(response.statusText);
+      let message = response.statusText;
+      try {
+        const body = (await response.json()) as any;
+        if (body.error) message = body.error;
+      } catch {
+        // response may not be JSON
+      }
+      throw new Error(message);
     }
 
     return {
@@ -544,7 +558,14 @@ export class CostManagementSlimClient implements CostManagementSlimApi {
     });
 
     if (!response.ok) {
-      throw new Error(response.statusText);
+      let message = response.statusText;
+      try {
+        const body = (await response.json()) as any;
+        if (body.error) message = body.error;
+      } catch {
+        // response may not be JSON
+      }
+      throw new Error(message);
     }
 
     return {

workspaces/cost-management/plugins/cost-management-common/src/clients/optimizations/OptimizationsClient.ts

@@ -98,7 +98,14 @@ export class OptimizationsClient implements OptimizationsApi {
     );
 
     if (!response.ok) {
-      throw new Error(response.statusText);
+      let message = response.statusText;
+      try {
+        const body = (await response.json()) as any;
+        if (body.error) message = body.error;
+      } catch {
+        // response may not be JSON
+      }
+      throw new Error(message);
     }
 
     return {
@@ -133,7 +140,14 @@ export class OptimizationsClient implements OptimizationsApi {
     );
 
     if (!response.ok) {
-      throw new Error(response.statusText);
+      let message = response.statusText;
+      try {
+        const body = (await response.json()) as any;
+        if (body.error) message = body.error;
+      } catch {
+        // response may not be JSON
+      }
+      throw new Error(message);
     }
 
     return {