firebase · falahat · Jun 3, 2026 · Jun 3, 2026 · Jun 12, 2026 · Jun 16, 2026
diff --git a/src/apiv2.spec.ts b/src/apiv2.spec.ts
@@ -2,7 +2,7 @@
 import { expect } from "chai";
 import * as nock from "nock";
 import AbortController from "abort-controller";
 const proxySetup = require("proxy");

 import { Client, CLI_OAUTH_PROJECT_NUMBER } from "./apiv2";
 import { FirebaseError } from "./error";
@@ -162,6 +162,20 @@
       expect(nock.isDone()).to.be.true;
     });
 
+    it("should handle non-JSON error responses gracefully even when responseType is json", async () => {
+      const xml =
+        "<?xml version='1.0' encoding='UTF-8'?><Error><Code>BillingDisabled</Code></Error>";
+      nock("https://example.com").get("/path/to/foo").reply(403, xml);
+
+      const c = new Client({ urlPrefix: "https://example.com" });
+      const r = c.request({
+        method: "GET",
+        path: "/path/to/foo",
+      });
+      await expect(r).to.eventually.be.rejectedWith(FirebaseError, /BillingDisabled/);
+      expect(nock.isDone()).to.be.true;
+    });
+
     it("should error with a FirebaseError if an error happens", async () => {
       nock("https://example.com").get("/path/to/foo").replyWithError("boom");
 
@@ -488,7 +502,7 @@
      let targetServer: Server;
      let oldProxy: string | undefined;
      before(async () => {
        proxyServer = proxySetup(createServer());
        targetServer = createServer((req, res) => {
          res.writeHead(200, { "content-type": "application/json" });
          res.end(JSON.stringify({ proxied: true }));

diff --git a/src/apiv2.ts b/src/apiv2.ts
@@ -16,8 +16,8 @@

 // Using import would require resolveJsonModule, which seems to break the
 // build/output format.
 const pkg = require("../package.json");
 const CLI_VERSION: string = pkg.version;

 export const standardHeaders: () => Record<string, string> = () => {
  const agent = detectAIAgent();
@@ -134,7 +134,7 @@

 /**
 * Gets a singleton access token
 * @returns An access token
 */
 export async function getAccessToken(): Promise<string> {
  const valid = auth.haveValidTokens(refreshToken, []);
@@ -239,7 +239,7 @@
   * Makes a request as specified by the options.
   * By default, this will:
   *   - use content-type: application/json
   *   - assume the HTTP GET method
   *
   * @example
   * const res = apiv2.request<ResourceType>({
@@ -477,7 +477,11 @@
               } catch (err: unknown) {
                 // JSON-parse errors are useless. Log the response for better debugging.
                 this.logResponse(res, text, options);
-                throw new FirebaseError(`Unable to parse JSON: ${err}`);
+                if (res.status >= 400) {
+                  body = text as unknown as ResT;
+                } else {
+                  throw new FirebaseError(`Unable to parse JSON: ${err}`);
+                }
-                if (res.status >= 400) {
-                  body = text as unknown as ResT;
-                } else {
-                  throw new FirebaseError(`Unable to parse JSON: ${err}`);
-                }
+                if (res.status >= 400) {
+                  body = { error: { message: text } } as unknown as ResT;
+                } else {
+                  throw new FirebaseError(`Unable to parse JSON: ${err}`);
+                }
-                if (res.status >= 400) {
-                  body = text as unknown as ResT;
-                } else {
-                  throw new FirebaseError(`Unable to parse JSON: ${err}`);
-                }
+                if (res.status >= 400) {
+                  body = { error: { message: text } } as unknown as ResT;
+                } else {
+                  throw new FirebaseError(`Unable to parse JSON: ${err}`);
+                }
               }
             }
           } else if (options.responseType === "xml") {

diff --git a/src/apphosting/secrets/index.spec.ts b/src/apphosting/secrets/index.spec.ts
@@ -189,6 +189,24 @@
         undefined,
       );
     });
+
+    it("appends original message for 403 errors", async () => {
+      gcsm.getSecret.withArgs("project", "secret").rejects(new Error("Forbidden"));
+
+      await expect(secrets.upsertSecret("project", "secret")).to.be.rejectedWith("Unexpected error loading secret: Forbidden");
+    });
+
+    it("appends original message for 400 errors", async () => {
+      gcsm.getSecret.withArgs("project", "secret").rejects(new Error("Bad Request"));
+
+      await expect(secrets.upsertSecret("project", "secret")).to.be.rejectedWith("Unexpected error loading secret: Bad Request");
+    });
+
+    it("appends original message for other errors", async () => {
+      gcsm.getSecret.withArgs("project", "secret").rejects(new Error("Internal Error"));
+
+      await expect(secrets.upsertSecret("project", "secret")).to.be.rejectedWith("Unexpected error loading secret: Internal Error");
+    });
   });
 
   describe("toMulti", () => {

diff --git a/src/apphosting/secrets/index.ts b/src/apphosting/secrets/index.ts
@@ -198,7 +198,8 @@ export async function upsertSecret(
     existing = await gcsm.getSecret(project, secret);
   } catch (err: unknown) {
     if (getErrStatus(err) !== 404) {
-      throw new FirebaseError("Unexpected error loading secret", { original: getError(err) });
+      const original = getError(err);
+      throw new FirebaseError(`Unexpected error loading secret: ${original.message}`, { original });
     }
     await gcsm.createSecret(project, secret, gcsm.labels("apphosting"), location);
     return true;

diff --git a/src/error.ts b/src/error.ts
@@ -117,7 +117,8 @@ export function isBillingError(e: {
   return !!e.context?.body?.error?.details?.find((d) => {
     return (
       d.violations?.find((v) => v.type === "serviceusage/billing-enabled") ||
-      d.reason === "UREQ_PROJECT_BILLING_NOT_FOUND"
+      d.reason === "UREQ_PROJECT_BILLING_NOT_FOUND" ||
+      d.reason === "BILLING_DISABLED"
     );
   });
 }