From 7bba28154dd906838468c6dd47f2f3b6daa9354c Mon Sep 17 00:00:00 2001
From: Eric Gullickson <16152721+ericgullickson@users.noreply.github.com>
Date: Tue, 10 Feb 2026 18:41:34 -0600
Subject: [PATCH] fix: capture Auth0 error response in WIF token script (refs
 #127)

The set -e + curl --fail-with-body inside $() caused the script to exit
with code 22 and empty stderr, hiding the actual Auth0 error. Switch to
writing the body to a temp file and checking HTTP status manually so the
error response is visible in logs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 ocr/scripts/fetch-auth0-token.sh | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/ocr/scripts/fetch-auth0-token.sh b/ocr/scripts/fetch-auth0-token.sh
index eb010fb..237d885 100755
--- a/ocr/scripts/fetch-auth0-token.sh
+++ b/ocr/scripts/fetch-auth0-token.sh
@@ -31,7 +31,10 @@ CLIENT_ID=$(cat "$CLIENT_ID_FILE" | tr -d '[:space:]')
 CLIENT_SECRET=$(cat "$CLIENT_SECRET_FILE" | tr -d '[:space:]')
 
 # Request M2M token from Auth0
-RESPONSE=$(curl -s --fail-with-body \
+# Write body to temp file, capture HTTP status code separately.
+# Avoids --fail-with-body + set -e which swallows errors inside $().
+BODY_FILE=$(mktemp)
+HTTP_CODE=$(curl -s -w '%{http_code}' -o "$BODY_FILE" \
   --request POST \
   --url "https://${AUTH0_DOMAIN}/oauth/token" \
   --header 'Content-Type: application/json' \
@@ -40,11 +43,13 @@ RESPONSE=$(curl -s --fail-with-body \
     \"client_secret\": \"${CLIENT_SECRET}\",
     \"audience\": \"${AUDIENCE}\",
     \"grant_type\": \"client_credentials\"
-  }")
+  }") || true
+RESPONSE=$(cat "$BODY_FILE")
+rm -f "$BODY_FILE"
 
-if [ $? -ne 0 ]; then
-  echo "Error: Auth0 token request failed" >&2
-  echo "$RESPONSE" >&2
+if [ "$HTTP_CODE" != "200" ]; then
+  echo "Error: Auth0 token request failed (HTTP $HTTP_CODE)" >&2
+  echo "Response: $RESPONSE" >&2
   exit 1
 fi