fix(oauth): Prevent validation errors from orphaned client tokens

Because:

* Sentry showed ValidationError: "[0].name" is required
* OAuth token queries use LEFT OUTER JOIN with clients table
* When a client is deleted but tokens remain (orphaned), the JOIN returns NULL
* This may be converted to undefined, which fails Joi validation

This commit:

* Add nullish coalescing (?? null) in authorized_clients.js to convert undefined → null at source
* Add nullish coalescing in factories.ts when merging OAuth client names
* Fix shared reference bug in getDefaultClientFields() to return copy of defaults
* Add Sentry warning reporting for orphaned tokens with clientId, tokenId, and timestamps
* Add regression test for undefined client_name handling

Closes #FXA-13132

Author: vpomerleau

packages/fxa-auth-server/lib/oauth/authorized_clients.js

@@ -5,15 +5,33 @@
 const { OauthError } = require('@fxa/accounts/errors');
 const oauthDB = require('./db');
 const ScopeSet = require('fxa-shared').oauth.scopes;
+const { reportSentryMessage } = require('../sentry');
 
 // Helper function to render each returned record in the expected form.
 function serialize(clientIdHex, token) {
   const createdTime = token.createdAt.getTime();
   const lastAccessTime = token.lastUsedAt.getTime();
+
+  // Report orphaned tokens to Sentry (tokens whose client was deleted)
+  // This can happen when a client is deleted without first deleting its tokens.
+  if (token.clientName === null || token.clientName === undefined) {
+    reportSentryMessage('Orphaned OAuth token detected', {
+      level: 'warning',
+      extra: {
+        clientId: clientIdHex,
+        tokenId: token.tokenId ? token.tokenId.toString('hex') : 'unknown',
+        tokenType: token.tokenId ? 'refresh' : 'access',
+        createdAt: createdTime,
+        lastAccessTime: lastAccessTime,
+      },
+    });
+  }
+
   return {
     client_id: clientIdHex,
     refresh_token_id: token.tokenId ? token.tokenId.toString('hex') : undefined,
-    client_name: token.clientName,
+    // clientName may be null if the client was deleted
+    client_name: token.clientName ?? null,
     created_time: createdTime,
     last_access_time: lastAccessTime,
     // Sort the scopes alphabetically, for consistent output.

packages/fxa-shared/connected-services/factories.ts

@@ -257,7 +257,7 @@ export class ConnectedServicesFactory {
       // We fill in a default device name from the OAuth client name,
       // but individual clients can override this in their device record registration.
       if (!client.name) {
-        client.name = oauthClient.client_name;
+        client.name = oauthClient.client_name ?? null;
       }
       // For now we assume that all oauth clients that register a device record are mobile apps.
       // Ref https://github.com/mozilla/fxa/issues/449
@@ -292,6 +292,6 @@ export class ConnectedServicesFactory {
   }
 
   protected getDefaultClientFields(): AttachedClient {
-    return attachedClientsDefaults;
+    return { ...attachedClientsDefaults };
   }
 }

packages/fxa-shared/test/connected-services/factories.ts

@@ -193,5 +193,23 @@ describe('connected-services/factories', () => {
       Sinon.assert.calledOnce(bStubbed.oauthClients);
       Sinon.assert.calledOnce(bStubbed.sessions);
     });
+
+    it('handles undefined client_name without validation errors', async () => {
+      oauthClients = [
+        {
+          refresh_token_id: 'test-oauth',
+          created_time: Date.now(),
+          last_access_time: Date.now(),
+          client_name: undefined as any, // Simulate undefined from database
+        } as AttachedOAuthClient,
+      ];
+      deviceList = [];
+      sessions = [];
+
+      const results = await factory.build('1234', 'en');
+
+      // Verify name is null, not undefined (required for validation)
+      assert.strictEqual(results[0].name, null);
+    });
   });
 });