Expired session error with UPSUN_CLI_TOKEN #299
Description
Issue
When setting the UPSUN_CLI_TOKEN environment variable to an API token in the shell profile (~/.zshrc), commands initially work.
However, it seems like it creates a session that then expires at some point.
And after that session has expired, it sees the token, but seems unable to use it to authenticate again, persistently showing the following error:
Your session has expired. You have been logged out.
Authentication is required.
Environment info
| CLI | upsun |
| Version | 5.9.0 |
| Source | Homebrew (platformsh/tap) |
| Platform | Upsun Fixed |
| OS | Mac OSX (Silicon) |
Troubleshooting
Here's what I've tried so far/poked around at to try and collect some info.
- I tried a series of different commands to verify behavior and see if I could get any different responses/change, but was unsuccessful:
# Get a list of projects
upsun project:listYour session has expired. You have been logged out.
Authentication is required.
Log in via a browser? [Y/n] n
[RequestException]
Authentication is required.
# Prompt SSH cert generation
upsun ssh-cert:load --no-interactionYour session has expired. You have been logged out.
[RequestException]
Authentication is required.
# Validate set API token
upsun auth:api-token-loginGenerating SSH certificate...
Your session has expired. You have been logged out.
[RequestException]
Authentication is required.
# Attempt a browser login while the token is set
upsun login
# Log in via a browser? [Y/n] YCannot log in via the browser, because an API token is set via config.
# "Logout"
upsun logoutWarning: an API token is set via config
You are now logged out.
# Retry getting projects list after "logging out"
upsun project:listYour session has expired. You have been logged out.
Authentication is required.
Log in via a browser? [Y/n] n
[RequestException]
Authentication is required.
- I tried creating and setting a new API token to
UPSUN_CLI_TOKEN, and was successful:
# ~/.zshrc
# Previous API token, was recently created
# export UPSUN_CLI_TOKEN="xxxx"
# New test API token
export UPSUN_CLI_TOKEN="yyyy"# In a new terminal window
upsun project:listYour projects are:
...
- Comparing the
~/.upsun-cli/between the "session expired" token and the fresh token:
- Both:
.session/,.tunnels/are empty - Both:
locks/has same 2 files (refresh--sess-cli-default.lock,ssh-cert--sess-cli-default.lock) - Different:
cache/is empty for the "session expired" token, while the fresh token generated a subdir with axxx.doctrinecache.datafile to help cache the successful projects query ./credential-helperhas same ownership/group, but no group perms (owner only for rwx/0700)
- I use another API token with DDEV, settings its global config
web_environmentto theUPSUN_CLI_TOKENvariable, and that appears to work -- so seems like there's something stale in the non-containerized environment (i.e., my laptop) that's confusing the CLI