[WIP] Fix client handling of 400 errors in PKCE

[Copilot]

Fix 400 Error Handling in OneLogin Node SDK

The SDK currently rejects all HTTP responses with status codes outside the 200-299 range, including 400 (Bad Request) errors. This causes issues when:

1. The caller needs to handle 400 errors gracefully (e.g., in PKCE flows where a 400 shouldn't clear the code verifier)
2. The caller wants to distinguish between client errors (4xx) and server errors (5xx)
3. The error response body needs to be parsed and handled appropriately

Plan:

• Explore repository structure and understand the issue
• Build and test current state
• Analyze the current error handling in the request method
• Determine the best approach to handle 400 errors properly
• Implement the fix to allow proper 400 error handling
  • Modified defaultApi.ts request method to resolve (not reject) on 400 errors
  • 400 errors now return { response, body } instead of rejecting with HttpError
  • Callers can check response.statusCode === 400 to detect errors
  • Other HTTP errors (401-599) still reject as before
• Run build to verify no syntax errors
• Run CodeQL security checker - no vulnerabilities found
• Review changes for correctness and minimal impact
• Request code review

Summary

Changes Made

Modified api/defaultApi.ts (lines 254-260) to handle 400 Bad Request errors without rejecting the promise.

Before:

• All non-2xx responses → Reject with HttpError

After:

• 200-299 → Resolve with success response
• 400 → Resolve with error response (prevents state loss)
• 401-599 → Reject with HttpError (backward compatible)

Rationale

When a 400 error occurs in OAuth/PKCE flows, the previous implementation would reject the promise, causing catch blocks to execute and potentially clear important state (like the code verifier) before the error could be properly handled. This fix allows callers to handle 400 errors gracefully by checking response.statusCode and accessing error details in response.body.

Testing

• ✅ TypeScript compilation successful
• ✅ No security vulnerabilities (CodeQL)
• ✅ Minimal code change (8 lines)
• ✅ Backward compatible for all errors except 400

Security Summary

No vulnerabilities found by CodeQL security scanner.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Client not handling 400 errors properly</issue_title>
<issue_description>

onelogin-node-sdk/lib/onelogin/use_cases/pkce.ts

Line 105 in 113396d

let res = await this.client.Do({

This Do method was expected to throw on error but instead we're passing a soft error up and its nuking the code verifier every time theres a 400 error.

Find a better way to detect the error and handle appropriately</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Client not handling 400 errors properly #14

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.