fix(chat): handle EasyAuth 302 redirect and improve auth error detection in useAgentCard#8801

Merged: ccastrotrejo merged 6 commits into main from ccastrotrejo/iframeExcludeURls on Feb 17, 2026

ccastrotrejo (Contributor) commented Feb 9, 2026

Commit Type

  • feature - New functionality
  • fix - Bug fix
  • refactor - Code restructuring without behavior change
  • perf - Performance improvement
  • docs - Documentation update
  • test - Test-related changes
  • chore - Maintenance/tooling

Risk Level

  • Low - Minor changes, limited scope
  • Medium - Moderate changes, some user impact
  • High - Major changes, significant user/system impact

What & Why

When Azure EasyAuth is enabled and the user's session expires, the server returns a 302 redirect to the login page instead of a 401. Because the fetch API follows redirects by default and the login page is on a different origin, this results in a CORS error (opaque redirect / TypeError: Failed to fetch) rather than a meaningful HTTP status code. The useAgentCard hook did not handle this scenario, causing it to surface a generic network error instead of triggering the onUnauthorized callback.

Additionally, authentication detection relied on comparing response.statusText === 'Unauthorized', which is fragile and does not cover 403 Forbidden responses.

Changes

  • Handle network/CORS errors as auth failures: Wrapped the fetch() call in a try/catch block so that TypeError: Failed to fetch (caused by EasyAuth 302 redirects or CORS blocks) triggers the onUnauthorized callback and throws an Unauthorized error.
  • Use HTTP status codes for auth detection: Replaced response.statusText === 'Unauthorized' check with response.status === 401 || response.status === 403 for robust authentication failure detection.
  • Extract handleUnauthorized helper: Consolidated the duplicated unauthorized handling logic (calling onUnauthorized callback + throwing error) into a reusable handleUnauthorized async function.
  • Improve error messages: Updated non-auth error messages to include the HTTP status code (e.g., Failed to fetch agent card: 500 Internal Server Error).
  • Add comprehensive tests: Added tests for EasyAuth redirect handling, 403 Forbidden responses, and network failure without onUnauthorized callback. Updated existing test mocks to include status property.

Impact of Change

  • Users: Users behind EasyAuth will now be properly redirected to re-authenticate when their session expires, instead of seeing a generic network error.
  • Developers: No API changes. The onUnauthorized callback now also fires on network/CORS errors and 403 responses.
  • System: No performance or architecture impact. Only affects the iframe-app's useAgentCard hook.

Test Plan

  • Unit tests added/updated
  • E2E tests added/updated
  • Manual testing completed
  • Tested in: EasyAuth-enabled Azure environment with expired session

Contributors

Screenshots/Videos

Copilot AI review requested due to automatic review settings February 9, 2026 21:17
github-actions bot commented Feb 9, 2026

🤖 AI PR Validation Report

PR Review Results

Thank you for your submission! Here's detailed feedback on your PR title and body compliance:

PR Title

  • Current: fix(chat): handle EasyAuth 302 redirect and improve auth error detection in useAgentCard
  • Issue: None — the title is clear, uses a conventional commit-style prefix, and specifies the area and intent of the fix.
  • Recommendation: No change required.

Commit Type

  • Properly selected (fix).
  • Only one commit type selected which is correct for this change.

Risk Level

  • The PR body selects Low and the repo has the risk:low label applied.
  • Assessment: The code changes are limited to the iframe-app useAgentCard hook and associated unit tests (2 files changed, focused logic changes and tests). Advised risk: low (matches submitter).

What & Why

  • Current: The description clearly explains EasyAuth 302 -> CORS/network failures and the fragile statusText check, and lists the concrete changes made.
  • Issue: None.
  • Recommendation: Consider adding a one-line pointer to the changed file(s) (e.g., apps/iframe-app/src/hooks/useAgentCard.ts and tests) — optional since the body already describes the hook.

Impact of Change

  • Impact section is present and accurate.
  • Recommendation: Good. Concise impact for Users, Developers, and System is already provided and matches the diff.
    • Users: Users behind EasyAuth will now get redirected to re-authenticate instead of seeing a generic network error.
    • Developers: onUnauthorized may now fire for network/CORS errors and 403 responses; no API change otherwise.
    • System: No perf/architecture impact.

Test Plan

  • Unit tests added/updated: Verified in diff — new tests cover EasyAuth redirect (network/CORS), 403 handling, and non-auth error message content.
  • E2E tests: Not added (acceptable for this small, focused hook change). If you have an EasyAuth-enabled environment for manual testing, consider listing the environment in the Test Plan Tested in: line (optional).
  • Manual testing completed: checked in PR body.

⚠️ Contributors

  • Currently blank.
  • Recommendation: If others (PMs, designers, reviewers) contributed, consider tagging them in Contributors so credit is visible. This is optional and will not block the PR.

⚠️ Screenshots/Videos

  • No visual changes — this is fine.
  • Recommendation: None required.

Summary Table

| Section | Status | Recommendation |
|---|---|---|
| Title | | None |
| Commit Type | | None |
| Risk Level | | None (advised risk: low) |
| What & Why | | Optionally mention changed file paths |
| Impact of Change | | None |
| Test Plan | | Consider noting the manual/EasyAuth test env |
| Contributors | ⚠️ | Add contributor tags if applicable |
| Screenshots/Videos | ⚠️ | Not applicable |

Final Notes

  • The code diff shows sensible, minimal changes: extraction of a small helper handleUnauthorized, wrapping fetch in a try/catch to treat network/CORS errors as auth failures, switching to checking numeric HTTP status codes (401/403), and improving error messages. Unit tests were added/updated to cover the new behavior. Everything aligns with the PR body and the risk:low label.
  • No changes are required to pass this PR review. If you want to be extra thorough you can:
    • Add contributor tags if relevant.
    • Optionally update the Test Plan with a short note about the environment used for manual testing (e.g., Tested in: EasyAuth-enabled Azure environment with expired session) if you completed that test.

Please update only if you want to include contributor credits or the explicit test environment note. Otherwise this PR looks ready to merge. Thanks for the clear description and tests!


Last updated: Tue, 17 Feb 2026 20:18:32 GMT

github-actions bot commented Feb 9, 2026

📊 Coverage check completed. See workflow run for details.

Copilot AI left a comment

Pull request overview

This PR updates the iframe-app’s useAgentCard hook to better handle Azure App Service EasyAuth scenarios where unauthenticated requests can result in a 302 redirect (often surfacing as an opaque redirect / status 0 in the browser), and to funnel those cases through the existing onUnauthorized flow.

Changes:

  • Adds a shared handleUnauthorized helper to centralize onUnauthorized invocation + error throwing.
  • Forces fetch to use redirect: 'manual' and treats opaque redirects / status === 0 as unauthorized.
  • Treats fetch rejection (e.g., network/CORS failures) as unauthorized.
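
The auth classification described in the PR description (numeric 401/403 checks, fetch rejections treated as auth failures) and in the review overview above (redirect: 'manual', opaque redirect / status 0), shown as an added example that is not the code from this PR. The names classifyResponse, fetchAgentCard, fetchImpl and runSamples are hypothetical, and the sample responses are constructed.

```javascript
// Added example, not the PR's code; function and option names are hypothetical.
function classifyResponse(response) {
  // With redirect: 'manual' a cross-origin 302 is not followed; the browser
  // returns an opaque redirect (type 'opaqueredirect', status 0).
  if (response.type === 'opaqueredirect' || response.status === 0) return 'unauthorized';
  // Compare numeric codes: statusText is empty over HTTP/2.
  if (response.status === 401 || response.status === 403) return 'unauthorized';
  return response.ok ? 'ok' : 'error';
}
async function fetchAgentCard(url, { fetchImpl = fetch, onUnauthorized } = {}) {
  const handleUnauthorized = async () => {
    if (onUnauthorized) await onUnauthorized();
    throw new Error('Unauthorized');
  };
  let response;
  try {
    response = await fetchImpl(url, { redirect: 'manual' });
  } catch (err) {
    // TypeError covers a blocked redirect, but also offline and DNS failures.
    if (err instanceof TypeError) return handleUnauthorized();
    throw err;
  }
  const verdict = classifyResponse(response);
  if (verdict === 'unauthorized') return handleUnauthorized();
  if (verdict === 'error') throw new Error(`Failed to fetch agent card: ${response.status} ${response.statusText}`);
  return response.json();
}

// Constructed stand-ins for what the browser would return or throw.
const SAMPLES = {
  easyAuthRedirect: { type: 'opaqueredirect', status: 0, ok: false, statusText: '' },
  forbidden: { type: 'basic', status: 403, ok: false, statusText: '' },
  serverError: { type: 'basic', status: 500, ok: false, statusText: 'Internal Server Error' },
  card: { type: 'basic', status: 200, ok: true, statusText: 'OK', json: async () => ({ name: 'demo-agent' }) },
  corsFailure: new TypeError('Failed to fetch'),
};

// Runs every sample through fetchAgentCard and records the outcome per case.
async function runSamples() {
  const outcomes = {};
  for (const [name, value] of Object.entries(SAMPLES)) {
    let calls = 0;
    const fetchImpl = async () => { if (value instanceof Error) throw value; return value; };
    outcomes[name] = await fetchAgentCard('/agent-card', { fetchImpl, onUnauthorized: () => { calls += 1; } })
      .then((card) => `ok:${card.name}`, (err) => `${err.message} (onUnauthorized x${calls})`);
  }
  return outcomes;
}
```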

ccastrotrejo changed the title from "fix: handle EasyAuth 302 redirect in useAgentCard fetch" to "fix: handle EasyAuth 302 redirect and improve auth error detection in useAgentCard" on Feb 9, 2026
ccastrotrejo added the risk:low label (Low risk change with minimal impact) on Feb 9, 2026
ccastrotrejo changed the title from "fix: handle EasyAuth 302 redirect and improve auth error detection in useAgentCard" to "fix(chat): handle EasyAuth 302 redirect and improve auth error detection in useAgentCard" on Feb 17, 2026

github-actions bot commented

📊 Coverage Check

🎉 All changed files have adequate test coverage!

ccastrotrejo enabled auto-merge (squash) on February 17, 2026 20:19
ccastrotrejo merged commit ba5d393 into main on Feb 17, 2026 (14 checks passed)
ccastrotrejo deleted the ccastrotrejo/iframeExcludeURls branch on February 17, 2026 20:28
Labels

pr-validated risk:low Low risk change with minimal impact
