🐛 BUG: wrangler user (read) scope missing after wrangler login --scopes

[irvinebroque]

Which Cloudflare product(s) does this pertain to?

Wrangler core

What version(s) of the tool(s) are you using?

3.22.1

What version of Node are you using?

21.2.0

What operating system are you using?

Mac

Describe the Bug

It's possible to get into an invalid state where one is missing the user (read) scope in Wrangler. Consider the example below.

Steps to repro

1. npx wrangler@latest logout
2. npx wrangler@latest login --scopes "ai:read" (or any other specific scope)
3. Complete the oAuth dialog
4. npx wrangler@latest r2 bucket create "foo" (or any other wrangler command that you lack permissions for)
5. Observe that this results in an auth error since the user (read) scope is missing:

 ⛅️ wrangler 3.22.1
-------------------

✘ [ERROR] A request to the Cloudflare API (/memberships) failed.

  Authentication error [code: 10000]


Getting User settings...
👋 You are logged in with an OAuth Token. Unable to retrieve email for this user. Are you missing the `User->User Details->Read` permission?

🔓 Token Permissions: If scopes are missing, you may need to logout and re-login.
Scope (Access)
- ai (read)
- offline_access 

6. Observe that this error is not logged to internal error reporting, even if telemetry is enabled
7. Observe that there is no prompt to report this error to Cloudflare

I have seen this error state come up in the past in other instances where the --scopes flag was not used. There may be other paths to reproduce this, but the above is the clearest one I know about.

What might we do about it?

• It seems like we can prompt wrangler login
• Seems like a fatal exception like this, that is unhandled, should be reported back to us when telemetry is enabled?
• Seems like regardless of what is in the --scopes field, wrangler must always request the user (read) scope?
• https://github.com/cloudflare/workers-sdk/pull/4647

Most broadly — how do we help developers recover from this state easily? What should we be doing automatically or telling them to do here?

Please provide a link to a minimal reproduction

No response

Please provide any relevant error logs

No response

[irvinebroque]

Hit this again today:

➜  npx wrangler@latest kv:namespace create FOO
Need to install the following packages:
[email protected]
Ok to proceed? (y) y
 ⛅️ wrangler 3.28.2
-------------------
🌀 Creating namespace with title "test-version-binding-FOO"

✘ [ERROR] A request to the Cloudflare API (/accounts/ID/storage/kv/namespaces) failed.

  Authentication error [code: 10000]


Getting User settings...
👋 You are logged in with an OAuth Token, associated with the email [email protected]!
┌───────────────────────────────────────────────────┬──────────────────────────────────┐
│ Account Name                                      │ Account ID                       │
├───────────────────────────────────────────────────┼──────────────────────────────────┤
│ acct                                       │ j39j3o3jlsfsj3 │

If wrangler sees this error — seems like it should log me out behind the scenes?

[fujohnwang]

same same, logout but can't login anymore...

[auroradanier]

having same issue, i tried many times. Created token will full permission. Still failed to login.

The error message is too simple, doesn't tell anything.