Improve push failure error message for package ID scope mismatch

Copilot · chabiss · chabiss · commit 36ae755d38fc · 2026-04-17T11:31:08.000-07:00
Agent-Logs-Url: https://github.com/NuGet/NuGetGallery/sessions/aa085293-31cc-41ec-b433-e820261dd577 Co-authored-by: chabiss <14151258+chabiss@users.noreply.github.com>
diff --git a/src/NuGetGallery/Controllers/ApiController.cs b/src/NuGetGallery/Controllers/ApiController.cs
@@ -1227,7 +1227,11 @@ private HttpStatusCodeWithBodyResult GetHttpResultFromFailedApiScopeEvaluationHe
             }
 
             string message;
-            if (result.PermissionsCheckResult == PermissionsCheckResult.Allowed && !result.IsOwnerConfirmed)
+            if (!result.ScopesAreValid)
+            {
+                message = Strings.ApiKeyNotAuthorized_PackageIdScopeMismatch;
+            }
+            else if (result.PermissionsCheckResult == PermissionsCheckResult.Allowed && !result.IsOwnerConfirmed)
             {
                 message = Strings.ApiKeyOwnerUnconfirmed;
             }
diff --git a/src/NuGetGallery/Strings.resx b/src/NuGetGallery/Strings.resx
@@ -138,6 +138,9 @@
   <data name="ApiKeyNotAuthorized" xml:space="preserve">
     <value>The specified API key is invalid, has expired, or does not have permission to access the specified package.</value>
   </data>
+  <data name="ApiKeyNotAuthorized_PackageIdScopeMismatch" xml:space="preserve">
+    <value>The specified API key does not have permission to push to this package. The API key may have a package ID scope that does not include this package ID.</value>
+  </data>
   <data name="PackageExistsAndCannotBeModified" xml:space="preserve">
     <value>A package with ID '{0}' and version '{1}' already exists and cannot be modified.</value>
   </data>
diff --git a/tests/NuGetGallery.Facts/Controllers/ApiControllerFacts.cs b/tests/NuGetGallery.Facts/Controllers/ApiControllerFacts.cs
@@ -205,7 +205,7 @@ public static IEnumerable<object[]> InvalidScopes_Data
         {
             get
             {
-                yield return MemberDataHelper.AsData(new ApiScopeEvaluationResult(null, PermissionsCheckResult.Unknown, scopesAreValid: false), HttpStatusCode.Forbidden, Strings.ApiKeyNotAuthorized);
+                yield return MemberDataHelper.AsData(new ApiScopeEvaluationResult(null, PermissionsCheckResult.Unknown, scopesAreValid: false), HttpStatusCode.Forbidden, Strings.ApiKeyNotAuthorized_PackageIdScopeMismatch);
 
                 foreach (var result in Enum.GetValues(typeof(PermissionsCheckResult)).Cast<PermissionsCheckResult>())
                 {

Original file line number	Diff line number	Diff line change
`@@ -1227,7 +1227,11 @@ private HttpStatusCodeWithBodyResult GetHttpResultFromFailedApiScopeEvaluationHe`
`1227`	`1227`	`}`
`1228`	`1228`
`1229`	`1229`	`string message;`
`1230`		`- if (result.PermissionsCheckResult == PermissionsCheckResult.Allowed && !result.IsOwnerConfirmed)`
	`1230`	`+ if (!result.ScopesAreValid)`
	`1231`	`+ {`
	`1232`	`+ message = Strings.ApiKeyNotAuthorized_PackageIdScopeMismatch;`
	`1233`	`+ }`
	`1234`	`+ else if (result.PermissionsCheckResult == PermissionsCheckResult.Allowed && !result.IsOwnerConfirmed)`
`1231`	`1235`	`{`
`1232`	`1236`	`message = Strings.ApiKeyOwnerUnconfirmed;`
`1233`	`1237`	`}`
Original file line number	Diff line number	Diff line change
`@@ -205,7 +205,7 @@ public static IEnumerable<object[]> InvalidScopes_Data`
`205`	`205`	`{`
`206`	`206`	`get`
`207`	`207`	`{`
`208`		`- yield return MemberDataHelper.AsData(new ApiScopeEvaluationResult(null, PermissionsCheckResult.Unknown, scopesAreValid: false), HttpStatusCode.Forbidden, Strings.ApiKeyNotAuthorized);`
	`208`	`+ yield return MemberDataHelper.AsData(new ApiScopeEvaluationResult(null, PermissionsCheckResult.Unknown, scopesAreValid: false), HttpStatusCode.Forbidden, Strings.ApiKeyNotAuthorized_PackageIdScopeMismatch);`
`209`	`209`
`210`	`210`	`foreach (var result in Enum.GetValues(typeof(PermissionsCheckResult)).Cast<PermissionsCheckResult>())`
`211`	`211`	`{`