fix(auth): skip auth-alternative-access when auth-gate-detection fails from fetch errors

dacharyc · dacharyc · commit a7944524007b · 2026-05-02T16:27:30.000-04:00
When all pages fail to fetch (DNS NXDOMAIN, network error, etc.), auth-gate-detection returns 'fail' with details containing fetchErrors but no gated/accessible counts. auth-alternative-access then computed gatedCount=0 and falsely reported "no alternative access paths," triggering the auth-no-alternative critical diagnostic for sites that were simply unreachable rather than auth-gated. Skip auth-alternative-access when gatedCount === 0 && fetchErrors > 0. This combination uniquely identifies the network-error case, since every other non-pass path through auth-gate-detection produces gatedCount > 0. The no-viable-path diagnostic continues to fire correctly for unreachable sites since it is driven by separate signals. Fixes #85
diff --git a/src/checks/authentication/auth-alternative-access.ts b/src/checks/authentication/auth-alternative-access.ts
@@ -7,6 +7,7 @@ interface AuthGateDetails {
   softAuthGate?: number;
   authRedirect?: number;
   testedPages?: number;
+  fetchErrors?: number;
   pageResults?: Array<{
     url: string;
     classification: string;
@@ -59,6 +60,20 @@ async function check(ctx: CheckContext): Promise<CheckResult> {
     (authDetails.authRedirect ?? 0);
   const accessibleCount = authDetails.accessible ?? 0;
   const testedCount = authDetails.testedPages ?? 0;
+  const fetchErrors = authDetails.fetchErrors ?? 0;
+
+  // If auth-gate-detection failed solely because pages couldn't be fetched
+  // (DNS failure, network error, etc.) rather than from detected auth responses,
+  // we have no signal about authentication. Skip rather than imply an auth problem.
+  if (gatedCount === 0 && fetchErrors > 0) {
+    return {
+      id,
+      category,
+      status: 'skip',
+      message:
+        'auth-gate-detection failed due to fetch errors, not detected auth responses; cannot assess alternative access',
+    };
+  }
 
   const detectedPaths: DetectedPath[] = [];
 
diff --git a/test/unit/checks/auth-alternative-access.test.ts b/test/unit/checks/auth-alternative-access.test.ts
@@ -71,6 +71,31 @@ describe('auth-alternative-access', () => {
     expect(result.message).toContain('errored');
   });
 
+  it('skips when auth-gate-detection failed due to fetch errors only', async () => {
+    // Simulates the early-return path in auth-gate-detection where every page
+    // failed to fetch (e.g. DNS NXDOMAIN). Details include fetchErrors but no
+    // gated/accessible counts. We should not emit auth-no-alternative here.
+    const result = await check.run(
+      makeCtx(
+        authGateResult('fail', {
+          totalPages: 1,
+          testedPages: 1,
+          fetchErrors: 1,
+          pageResults: [
+            {
+              url: 'https://example-domain-not-resolving.com',
+              classification: 'accessible',
+              status: null,
+              error: 'fetch failed',
+            },
+          ],
+        }),
+      ),
+    );
+    expect(result.status).toBe('skip');
+    expect(result.message).toContain('fetch errors');
+  });
+
   it('skips when auth-gate-detection was skipped', async () => {
     const result = await check.run(
       makeCtx({
