Sdks 5097

[vatsalparikh]

JIRA Ticket

pingidentity.atlassian.net/browse/SDKS-5097

Note

This is just a continuation of the #574 PR.

Description

While working on the Journey Client migration, I noticed that when AM returns a failure response (e.g., unauthorized / invalid credentials), the Journey Client was returning a generic “no data” error and the LoginFailure path in createJourneyObject() was effectively never reached. This PR closes that gap by ensuring LoginFailure is triggered and a JourneyLoginFailure is returned when the server provides a failure payload with a code.

Ryan shared his closed PR that was trying to fix this issue: #541. Will use this as a reference.

Edit

Added an Either effect type to handle errors in journey client

What changed

• start() / next() now map RTK Query error responses that include a code into createJourneyObject(), which returns JourneyLoginFailure (hitting the previously-unreached LoginFailure branch).
• Added unit coverage for the LoginFailure mapping.
• Updated the journey-app e2e consumer to avoid throwing on LoginFailure and instead renders the LoginFailure error message.
• Added a changeset for @forgerock/journey-client.

How to test

• Build and start the e2e/journey-app
• Go to http://localhost:5829/?clientId=tenant and enter incorrect credentials
• You should see 'Login Failure' with the change in this PR. When you remove the error handling logic, you should see unknown node in console, which means login failure is not handled as a step.

Summary by CodeRabbit

• Bug Fixes
  • Journey client now properly returns JourneyLoginFailure when a failure payload with a login-failure code is received, fixing a previously unreached code path.
  • Improved error display during login failures by preserving existing error messages while processing new errors.

[changeset-bot]

🦋 Changeset detected

Latest commit: 7bac6f3

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 12 packages

Name	Type
@forgerock/journey-client	Patch
@forgerock/davinci-client	Patch
@forgerock/device-client	Patch
@forgerock/oidc-client	Patch
@forgerock/protect	Patch
@forgerock/sdk-types	Patch
@forgerock/sdk-utilities	Patch
@forgerock/iframe-manager	Patch
@forgerock/sdk-logger	Patch
@forgerock/sdk-oidc	Patch
@forgerock/sdk-request-middleware	Patch
@forgerock/storage	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

Warning

Review limit reached

@vatsalparikh, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 48 minutes and 21 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0d3f63de-4cf9-4780-b303-62c98b5d8011

📥 Commits

Reviewing files that changed from the base of the PR and between e5badbe and 7bac6f3.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (7)

• packages/journey-client/api-report/journey-client.api.md
• packages/journey-client/api-report/journey-client.types.api.md
• packages/journey-client/package.json
• packages/journey-client/src/lib/client.store.ts
• packages/journey-client/src/lib/journey.utils.test.ts
• packages/journey-client/src/lib/journey.utils.ts
• packages/journey-client/src/types.ts

📝 Walkthrough

Walkthrough

This PR refactors login-failure response handling in the journey client. It introduces a new response parsing layer using the Effect library's Either type, moves the JourneyResult type to a utils module, updates the client's start() and next() methods to use the parser, and extends the E2E app to properly manage error display state during login failures.

Changes

Login failure response handling

Layer / File(s)	Summary
Response parsing utilities and infrastructure packages/journey-client/package.json, packages/journey-client/src/lib/journey.utils.ts, packages/journey-client/src/lib/journey.utils.test.ts	Adds effect dependency, defines exported JourneyResult union type, changes createJourneyObject to export function form, and adds parseJourneyResponse to convert RTK Query responses into Either<Step, GenericError> with comprehensive test coverage for error statuses and success cases.
Client store refactoring and test coverage packages/journey-client/src/lib/client.store.ts, packages/journey-client/src/lib/client.store.test.ts, packages/journey-client/src/types.ts	Refactors start() and next() to use parseJourneyResponse with Either.match for error/success handling; updates test fixtures to accept authenticateStatus parameter; adds start_401WithStepPayload_ReturnsLoginFailure and next_401WithStepPayload_ReturnsLoginFailure tests; moves JourneyResult import source from client.store to journey.utils.
Public API surface and re-exports packages/journey-client/src/types.ts, packages/journey-client/api-report/journey-client.api.md, packages/journey-client/api-report/journey-client.types.api.md	Adds WellknownResponse re-export from @forgerock/sdk-types in types.ts; updates JourneyResult re-export source to journey.utils.js; propagates changes to both API report markdown files with new imports, exports, and annotation updates from @public to @public (undocumented) for JourneyResult.
E2E integration and changelog e2e/journey-app/main.ts, .changeset/whole-mangos-find.md	Updates LoginFailure handler to snapshot error element HTML, render the error, restart the journey, and restore prior HTML; documents patch release in changeset describing the login-failure code routing fix.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• ForgeRock/ping-javascript-sdk#545: Refines JourneyResult type semantics by removing undefined and aligning with the new response parsing logic introduced here.
• ForgeRock/ping-javascript-sdk#524: Modifies journey-client error-handling in start/next return types and underlying parsing logic in the same modules being refactored.

Suggested reviewers

• ryanbas21
• ancheetah
• cerebrl

Poem

🐰 A journey client hops with glee,
Parsing failures through Either's decree,
Login defeats now reach the light,
With states preserved, the HTML stays tight,
Effect-powered, clean, and free! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'Sdks 5097' is vague and does not clearly summarize the main change; it only references a JIRA ticket ID without conveying what was actually fixed or changed.	Consider using a more descriptive title such as 'Handle LoginFailure responses in Journey Client' or 'Map AM failure responses to JourneyLoginFailure' to better reflect the core change.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description check	✅ Passed	The pull request description comprehensively covers the JIRA ticket, problem context, fixes implemented, test coverage, and instructions for testing; all required template sections are present and well-documented.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch sdks-5097

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[nx-cloud]

View your CI Pipeline Execution ↗ for commit e5badbe

Command	Status	Duration	Result
nx run-many -t build --no-agents	✅ Succeeded	<1s	View ↗
nx affected -t build lint test typecheck e2e-ci	✅ Succeeded	2m 2s	View ↗

---

☁️ Nx Cloud last updated this comment at 2026-06-04 16:42:29 UTC

[nx-cloud]

Important

At least one additional CI pipeline execution has run since the conclusion below was written and it may no longer be applicable.

Nx Cloud is proposing a fix for your failed CI:

We moved the numeric-status FetchBaseQueryError branch before the !res.data guard in parseJourneyResponse, so AM failure payloads carried in error.data are now correctly routed to createJourneyObject as LoginFailure. Previously, data being undefined (the RTK Query behaviour for non-2xx responses) caused the function to short-circuit at no_response_data before the numeric-status branch was ever reached. This fix ensures the LoginFailure path introduced by the PR is reachable and all four related tests pass.

Tip

✅ We verified this fix by re-running @forgerock/journey-client:test.

Suggested Fix changes

diff --git a/packages/journey-client/src/lib/journey.utils.ts b/packages/journey-client/src/lib/journey.utils.ts
index 22c77d5..f0340e2 100644
--- a/packages/journey-client/src/lib/journey.utils.ts
+++ b/packages/journey-client/src/lib/journey.utils.ts
@@ -86,6 +86,21 @@ export function parseJourneyResponse(res: {
     });
   }
 
+  // https://redux-toolkit.js.org/rtk-query/api/fetchBaseQuery#signature
+  // FetchBaseQueryError with numeric status = AM failure step over HTTP error
+  if (res.error && 'status' in res.error && typeof res.error.status === 'number') {
+    if (typeof res.error.data === 'object' && res.error.data !== null) {
+      // Object body = valid AM failure payload, treat as a Step to classify
+      return right(res.error.data as Step);
+    }
+    // Non-object body = unexpected response format
+    return left({
+      error: 'request_failed',
+      message: 'Request failed with server error',
+      type: 'unknown_error',
+    });
+  }
+
   if (!res.data) {
     return left({
       error: 'no_response_data',
@@ -94,17 +109,5 @@ export function parseJourneyResponse(res: {
     });
   }
 
-  // https://redux-toolkit.js.org/rtk-query/api/fetchBaseQuery#signature
-  // FetchBaseQueryError with numeric status + object body = AM failure step over HTTP error
-  if (
-    res.error &&
-    'status' in res.error &&
-    typeof res.error.status === 'number' &&
-    typeof res.error.data === 'object' &&
-    res.error.data !== null
-  ) {
-    return right(res.error.data);
-  }
-
   return right(res.data);
 }

  

Or Apply changes locally with:

npx nx-cloud apply-locally o4xt-x66H

Apply fix locally with your editor ↗   View interactive diff ↗

_{🎓 Learn more about Self-Healing CI on nx.dev}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@e2e/journey-app/main.ts`:
- Around line 211-213: The call to journeyClient.start({ journey: journeyName })
can return non-Step results, so guard the result before calling renderForm();
check the returned value (the variable step) is a valid Step (e.g., truthy and
has the expected method/property your flow relies on) and only call renderForm()
when that check passes; if the result is not a valid Step, set errorEl.innerHTML
= errorHtml (or update the UI appropriately) and bail out/return to avoid
throwing during retry handling. Ensure you reference the journeyClient.start
call and the step variable when adding the conditional guard around
renderForm().

In `@packages/journey-client/src/lib/client.store.ts`:
- Around line 159-162: The parser parseJourneyResponse currently returns a
no_response_data branch before it inspects error.data, which prevents
createJourneyObject from receiving error payloads (e.g., LoginFailure); update
parseJourneyResponse in journey.utils.ts to check and parse error.data
(extracting the payload/error body) before falling back to the no_response_data
case so the onRight path can yield the proper error-based JourneyResult; apply
the same reorder/fix to the other similar branch referenced in the review so
both parsing paths prioritize error.data parsing ahead of the no-data return.

In `@packages/journey-client/src/lib/journey.utils.ts`:
- Around line 89-107: The HTTP-error branch that checks res.error with a numeric
status and object body (the block that returns right(res.error.data)) must be
moved above the no-data guard that currently returns left({ error:
'no_response_data', ... }); update the logic in journey.utils.ts so the
numeric-status/object-data check (the res.error && 'status' in res.error &&
typeof res.error.status === 'number' && typeof res.error.data === 'object' &&
res.error.data !== null) runs before the if (!res.data) guard, ensuring HTTP
error bodies are returned via right(...) instead of being swallowed by the
no_response_data branch.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 45f63ebb-1565-4bb0-a212-035f2eca3bb3

📥 Commits

Reviewing files that changed from the base of the PR and between d947ac2 and e5badbe.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (10)

• .changeset/whole-mangos-find.md
• e2e/journey-app/main.ts
• packages/journey-client/api-report/journey-client.api.md
• packages/journey-client/api-report/journey-client.types.api.md
• packages/journey-client/package.json
• packages/journey-client/src/lib/client.store.test.ts
• packages/journey-client/src/lib/client.store.ts
• packages/journey-client/src/lib/journey.utils.test.ts
• packages/journey-client/src/lib/journey.utils.ts
• packages/journey-client/src/types.ts

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Guard the restart result before calling renderForm().

journeyClient.start() can return non-Step results. Calling renderForm() unconditionally can throw and break the submit flow on retry failures.

🧰 Tools

🪛 ast-grep (0.43.0)

[warning] 212-212: Direct modification of innerHTML or outerHTML properties detected. Modifying these properties with unsanitized user input can lead to XSS vulnerabilities. Use safe alternatives or sanitize content first.
Context: errorEl.innerHTML = errorHtml
Note: [CWE-79] Improper Neutralization of Input During Web Page Generation [REFERENCES]
- https://owasp.org/www-community/xss-filter-evasion-cheatsheet
- https://cwe.mitre.org/data/definitions/79.html

(dom-content-modification)

---

[warning] 212-212: Direct HTML content assignment detected. Modifying innerHTML, outerHTML, or using document.write with unsanitized content can lead to XSS vulnerabilities. Use secure alternatives like textContent or sanitize HTML with libraries like DOMPurify.
Context: errorEl.innerHTML = errorHtml
Note: [CWE-79] Improper Neutralization of Input During Web Page Generation [REFERENCES]
- https://www.dhairyashah.dev/posts/why-innerhtml-is-a-bad-idea-and-how-to-avoid-it/
- https://cwe.mitre.org/data/definitions/79.html

(unsafe-html-content-assignment)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@e2e/journey-app/main.ts` around lines 211 - 213, The call to
journeyClient.start({ journey: journeyName }) can return non-Step results, so
guard the result before calling renderForm(); check the returned value (the
variable step) is a valid Step (e.g., truthy and has the expected
method/property your flow relies on) and only call renderForm() when that check
passes; if the result is not a valid Step, set errorEl.innerHTML = errorHtml (or
update the UI appropriately) and bail out/return to avoid throwing during retry
handling. Ensure you reference the journeyClient.start call and the step
variable when adding the conditional guard around renderForm().

[pkg-pr-new]

Open in StackBlitz

@forgerock/davinci-client

pnpm add https://pkg.pr.new/@forgerock/davinci-client@670

@forgerock/device-client

pnpm add https://pkg.pr.new/@forgerock/device-client@670

@forgerock/journey-client

pnpm add https://pkg.pr.new/@forgerock/journey-client@670

@forgerock/oidc-client

pnpm add https://pkg.pr.new/@forgerock/oidc-client@670

@forgerock/protect

pnpm add https://pkg.pr.new/@forgerock/protect@670

@forgerock/sdk-types

pnpm add https://pkg.pr.new/@forgerock/sdk-types@670

@forgerock/sdk-utilities

pnpm add https://pkg.pr.new/@forgerock/sdk-utilities@670

@forgerock/iframe-manager

pnpm add https://pkg.pr.new/@forgerock/iframe-manager@670

@forgerock/sdk-logger

pnpm add https://pkg.pr.new/@forgerock/sdk-logger@670

@forgerock/sdk-oidc

pnpm add https://pkg.pr.new/@forgerock/sdk-oidc@670

@forgerock/sdk-request-middleware

pnpm add https://pkg.pr.new/@forgerock/sdk-request-middleware@670

@forgerock/storage

pnpm add https://pkg.pr.new/@forgerock/storage@670

commit: 7bac6f3

[github-actions]

Deployed 02e0085 to https://ForgeRock.github.io/ping-javascript-sdk/pr-670/02e008591d5cd72c7879bd87a6066c17ffbd847c branch gh-pages in ForgeRock/ping-javascript-sdk

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 20.54%. Comparing base (eafe277) to head (7bac6f3).
⚠️ Report is 26 commits behind head on main.

❌ Your project status has failed because the head coverage (20.54%) is below the target coverage (40.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #670      +/-   ##
==========================================
+ Coverage   18.07%   20.54%   +2.47%     
==========================================
  Files         155      154       -1     
  Lines       24398    24825     +427     
  Branches     1203     1371     +168     
==========================================
+ Hits         4410     5101     +691     
+ Misses      19988    19724     -264     

Files with missing lines	Coverage Δ
packages/journey-client/src/lib/client.store.ts	83.42% <100.00%> (+2.90%)	⬆️
packages/journey-client/src/lib/journey.utils.ts	93.05% <100.00%> (+16.38%)	⬆️
packages/journey-client/src/types.ts	100.00% <ø> (+96.77%)	⬆️

... and 10 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[github-actions]

📦 Bundle Size Analysis

📦 Bundle Size Analysis

🆕 New Packages

🆕 @forgerock/protect - 144.6 KB (new)
🆕 @forgerock/sdk-types - 7.9 KB (new)
🆕 @forgerock/device-client - 10.0 KB (new)
🆕 @forgerock/device-client - 0.0 KB (new)
🆕 @forgerock/iframe-manager - 2.4 KB (new)
🆕 @forgerock/storage - 1.5 KB (new)
🆕 @forgerock/sdk-request-middleware - 4.6 KB (new)
🆕 @forgerock/sdk-logger - 1.6 KB (new)
🆕 @forgerock/sdk-oidc - 5.7 KB (new)
🆕 @forgerock/journey-client - 92.6 KB (new)
🆕 @forgerock/journey-client - 0.0 KB (new)
🆕 @forgerock/sdk-utilities - 11.2 KB (new)
🆕 @forgerock/davinci-client - 54.0 KB (new)
🆕 @forgerock/oidc-client - 30.5 KB (new)

---

14 packages analyzed • Baseline from latest main build

Legend

🆕 New package
🔺 Size increased
🔻 Size decreased
➖ No change

ℹ️ How bundle sizes are calculated

• Current Size: Total gzipped size of all files in the package's dist directory
• Baseline: Comparison against the latest build from the main branch
• Files included: All build outputs except source maps and TypeScript build cache
• Exclusions: .map, .tsbuildinfo, and .d.ts.map files

---

_{🔄 Updated automatically on each push to this PR}