More lenient OAuth error parsing in token endpoint client

[reinkrul]

Remote OAuth2 server responses were only interpreted as OAuth2 error responses, if the status code is 400 Bad Request. However, in practice we see all kind of response codes (often 500) when OAuth2 errors are returned. We should make this more lenient.

Summary

• Treat any JSON response with an error field from the token endpoint as an OAuth error, regardless of status code (previously only HTTP 400 was recognized).
• Cap error response body reads at 1 MB via io.LimitReader in core.TestResponseCodeWithLog to prevent DoS from malicious upstream servers; log a warning when truncation occurs.
• Replace unsafe type assertion on wrapped error with errors.AsType[core.HttpError] (Go 1.26).

Test plan

• go test ./auth/client/iam/ -run TestHTTPClient_AccessToken
• go test ./core/ -run TestTestResponseCode
• New tests: OAuth error with non-400 status, non-JSON error body, JSON error without code, response body truncation at max size.

🤖 Generated with Claude Code

[qltysh]

1 new issue

Tool	Category	Rule	Count
qlty	Structure	Function with many returns (count = 8): AccessToken	1

[qltysh]

Coverage Impact

⬇️ Merging this pull request will decrease total coverage on master by 0.02%.

Modified Files with Diff Coverage (2)

Rating	File	% Diff	Uncovered Line #s
	core/http_client.go	100.0%
	auth/client/iam/client.go	100.0%
	Total	100.0%

🚦 See full report on Qlty Cloud »

🛟 Help

• Diff Coverage: Coverage for added or modified lines of code (excludes deleted files). Learn more.

• Total Coverage: Coverage for the whole repository, calculated as the sum of all File Coverage. Learn more.

• File Coverage: Covered Lines divided by Covered Lines plus Missed Lines. (Excludes non-executable lines including blank lines and comments.)

  • Indirect Changes: Changes to File Coverage for files that were not modified in this PR. Learn more.