Skip to content

Keep separate environment logins from breaking each other#237

Merged
scotwells merged 1 commit into
mainfrom
fix/auth-session-token-isolation
Jul 9, 2026
Merged

Keep separate environment logins from breaking each other#237
scotwells merged 1 commit into
mainfrom
fix/auth-session-token-isolation

Conversation

@scotwells

@scotwells scotwells commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Fixes #238

What this fixes

Signing in to two Datum Cloud environments — say production and staging — with the same email address quietly broke authentication.

Both logins were stored under one credential slot, so the second sign-in overwrote the first. Everything looked fine (datumctl auth list still showed both accounts), but after datumctl auth switch the CLI would send one environment's token to the other's API and fail with:

error: You must be logged in to the server (the server has asked for the client to provide credentials)

To the user it looked like switching accounts randomly corrupted their login.

What changed

Logins are now kept separate per environment. Signing in to production and staging no longer share (and clobber) one stored credential. Switching accounts, automatic token refresh, and logout all stay scoped to the right environment.

Existing installs heal themselves. The first time an already-signed-in user runs a command that authenticates, their stored logins are upgraded in place — no manual steps. The migration is non-destructive: it never deletes a token it can't first preserve. The one account whose token was already overwritten before this fix simply needs a single fresh datumctl login (its old token was unrecoverable).

datumctl auth switch now shows the active account. The account you're currently signed in as is labelled (active) and the picker opens on it, so it's clear what you're switching from:

Which login session?
> swells@datum.net  (api.staging.env.datum.net)  (active)
  swells@datum.net  (api.datum.net)

How it was verified

  • New unit tests cover the collision-recovery, idempotency, and already-migrated cases.
  • Exercised end-to-end against a real two-environment config: the surviving environment kept working immediately, and the overwritten one correctly resolved to its own (empty) credential and prompted for re-login instead of silently borrowing the wrong token.
  • go build ./..., go vet, go test, and go install ./... all pass.

Upgrade notes for users

  • No action needed for the environment whose token is currently active — it keeps working.
  • The other environment needs one re-login: datumctl login --hostname <that env's auth host>.

🤖 Generated with Claude Code

Logging into more than one Datum Cloud environment (for example
production and staging) with the same email used to store both
under a single credential slot, so the second login silently
overwrote the first. Switching back to the earlier account then
sent the wrong environment's token to the API, producing confusing
"you must be logged in to the server" errors even though the
account still showed up in `datumctl auth list`.

Each login is now stored per environment, so accounts stay
independent — switching, automatic token refresh, and logout no
longer interfere across environments. Existing installs are
upgraded automatically the first time they authenticate; the one
account whose token was already overwritten just needs a single
fresh `datumctl login`.

`datumctl auth switch` now marks the account you're currently
signed in as with "(active)" and opens the picker on it, so it's
clear what you're switching from.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@scotwells scotwells requested review from a team and privateip and removed request for a team July 9, 2026 00:52
@scotwells scotwells marked this pull request as ready for review July 9, 2026 00:52
@scotwells scotwells enabled auto-merge July 9, 2026 00:53
@scotwells scotwells requested a review from a team July 9, 2026 00:53
@scotwells scotwells merged commit a7a080f into main Jul 9, 2026
4 checks passed
@scotwells scotwells deleted the fix/auth-session-token-isolation branch July 9, 2026 00:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

auth switch breaks sign-in when the same email is used in two environments

2 participants