fix(oauth): Prevent validation errors from orphaned client tokens

vpomerleau · vpomerleau · commit db71e40508a3 · 2026-02-18T14:41:37.000-08:00
Because: * Sentry showed ValidationError: "[0].name" is required * OAuth token queries use LEFT OUTER JOIN with clients table * When a client is deleted but tokens remain (orphaned), the JOIN returns NULL * This may be converted to undefined, which fails Joi validation This commit: * Add nullish coalescing in factories.ts when merging OAuth client names; Joi validation explicitely allows null * Fix shared reference bug in getDefaultClientFields() to return copy of defaults * Add regression test for undefined client_name handling Closes #FXA-13132
diff --git a/packages/fxa-shared/connected-services/factories.ts b/packages/fxa-shared/connected-services/factories.ts
@@ -257,7 +257,7 @@ export class ConnectedServicesFactory {
       // We fill in a default device name from the OAuth client name,
       // but individual clients can override this in their device record registration.
       if (!client.name) {
-        client.name = oauthClient.client_name;
+        client.name = oauthClient.client_name ?? null;
       }
       // For now we assume that all oauth clients that register a device record are mobile apps.
       // Ref https://github.com/mozilla/fxa/issues/449
@@ -292,6 +292,6 @@ export class ConnectedServicesFactory {
   }
 
   protected getDefaultClientFields(): AttachedClient {
-    return attachedClientsDefaults;
+    return { ...attachedClientsDefaults };
   }
 }
diff --git a/packages/fxa-shared/test/connected-services/factories.ts b/packages/fxa-shared/test/connected-services/factories.ts
@@ -193,5 +193,23 @@ describe('connected-services/factories', () => {
       Sinon.assert.calledOnce(bStubbed.oauthClients);
       Sinon.assert.calledOnce(bStubbed.sessions);
     });
+
+    it('handles undefined client_name without validation errors', async () => {
+      oauthClients = [
+        {
+          refresh_token_id: 'test-oauth',
+          created_time: Date.now(),
+          last_access_time: Date.now(),
+          client_name: undefined as any, // Simulate undefined from database
+        } as AttachedOAuthClient,
+      ];
+      deviceList = [];
+      sessions = [];
+
+      const results = await factory.build('1234', 'en');
+
+      // Verify name is null, not undefined (required for validation)
+      assert.strictEqual(results[0].name, null);
+    });
   });
 });

Original file line number	Diff line number	Diff line change
`@@ -257,7 +257,7 @@ export class ConnectedServicesFactory {`
`257`	`257`	`// We fill in a default device name from the OAuth client name,`
`258`	`258`	`// but individual clients can override this in their device record registration.`
`259`	`259`	`if (!client.name) {`
`260`		`- client.name = oauthClient.client_name;`
	`260`	`+ client.name = oauthClient.client_name ?? null;`
`261`	`261`	`}`
`262`	`262`	`// For now we assume that all oauth clients that register a device record are mobile apps.`
`263`	`263`	`// Ref https://github.com/mozilla/fxa/issues/449`
`@@ -292,6 +292,6 @@ export class ConnectedServicesFactory {`
`292`	`292`	`}`
`293`	`293`
`294`	`294`	`protected getDefaultClientFields(): AttachedClient {`
`295`		`- return attachedClientsDefaults;`
	`295`	`+ return { ...attachedClientsDefaults };`
`296`	`296`	`}`
`297`	`297`	`}`