fix(auth): reject gateway reauth account mismatch #69

Open
michiosw wants to merge 1 commit into feat/cli-verbose-diagnostics from feat/cli-gateway-account-safety

michiosw commented Apr 16, 2026

Summary

  • Compares gateway-only browser auth against the active CLI session using issuer#subject.
  • Stops before credential retries when the browser account differs from the CLI account.
  • Does not persist or replace the CLI session during gateway-only authorization.

Why

Hosted connect can open a browser that is signed into a different Kontext account. When that happens, retrying credentials is misleading and can point the user at the wrong account, so the CLI now stops with a clear mismatch message.

Before / After Terminal Capture

Before, a second browser login could silently switch the hosted-connect account while the CLI kept using the original session:

Session missing gateway access. Opening browser to authorize this CLI session...
Hosted connect is available for: linear
Press Enter after connecting...
Retrying LINEAR_API_KEY (1/3)... skipped

After, account drift is caught before retrying credentials:

Session missing gateway access. Opening browser to authorize this CLI session...
Error: browser authorization used a different account (active CLI account: active@example.com; browser account: browser@example.com). Run `kontext login` with the account you want to use, then retry

Verification

  • Ran go test ./... on this branch.

michiosw commented Apr 16, 2026

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
This stack of pull requests is managed by Graphite. Learn more about stacking.

@devin-ai-integration devin-ai-integration bot left a comment

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 2 additional findings.

@michiosw michiosw force-pushed the feat/cli-gateway-account-safety branch from 78f4ff9 to cf72a15 Compare April 17, 2026 07:02
@michiosw michiosw force-pushed the feat/cli-verbose-diagnostics branch from f049192 to 258cfb8 Compare April 17, 2026 07:02
@michiosw michiosw requested a review from tumberger April 17, 2026 07:08
@michiosw michiosw force-pushed the feat/cli-verbose-diagnostics branch from 258cfb8 to 7f700ff Compare April 17, 2026 07:12
@michiosw michiosw force-pushed the feat/cli-gateway-account-safety branch 2 times, most recently from 61cef06 to f4565b5 Compare April 17, 2026 07:20
@michiosw michiosw force-pushed the feat/cli-verbose-diagnostics branch from 7f700ff to 2b3a4fc Compare April 17, 2026 07:20
@michiosw michiosw force-pushed the feat/cli-gateway-account-safety branch from f4565b5 to 6651771 Compare April 17, 2026 07:22
@michiosw michiosw force-pushed the feat/cli-verbose-diagnostics branch from 2b3a4fc to d01266e Compare April 17, 2026 07:22
chatgpt-codex-connector[bot]

This comment was marked as resolved.

chatgpt-codex-connector[bot]

This comment was marked as resolved.

@michiosw michiosw force-pushed the feat/cli-verbose-diagnostics branch from d01266e to 168c746 Compare April 17, 2026 07:29
@michiosw michiosw force-pushed the feat/cli-gateway-account-safety branch from 6651771 to 346c1db Compare April 17, 2026 07:29
@michiosw michiosw force-pushed the feat/cli-verbose-diagnostics branch from 168c746 to 2f9f9c5 Compare April 17, 2026 07:31
@michiosw michiosw force-pushed the feat/cli-gateway-account-safety branch from 346c1db to 30ae407 Compare April 17, 2026 07:31

@tumberger tumberger left a comment

@michiosw

This detects the account mismatch, but the caller still treats it as a recoverable hosted-connect failure.

fetchConnectURLWithGatewayLoginFallback(...) returns the mismatch, but resolveCredentials(...) goes through the connectErr warning path, prints the warning, and then returns resolved, nil, so kontext start continues launching without those providers.

That doesn’t match the PR intent in the title/body (“reject gateway reauth account mismatch”) or the sample Error: behavior. I think this mismatch should be promoted to a hard failure instead of being swallowed as a warning-only connect error.
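
An added Go example of the two behaviors discussed in this thread, not the project's code: the issuer#subject comparison from the summary, and a caller that promotes the mismatch to a hard failure while other connect errors stay warnings. The names `Identity`, `ErrAccountMismatch`, `checkSameAccount` and `resolveProviders` are hypothetical, and the identities are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
)

// Identity is what each login yields. Email is for display only; the account
// is identified by issuer and subject (the page's issuer#subject key).
type Identity struct{ Issuer, Subject, Email string }

// ErrAccountMismatch is a sentinel so callers can tell account drift apart
// from ordinary, recoverable connect failures.
var ErrAccountMismatch = errors.New("browser authorization used a different account")

// checkSameAccount (hypothetical) fails closed on empty claims and compares the
// two fields separately, so "a#b"+"c" and "a"+"b#c" never collide.
func checkSameAccount(cli, browser Identity) error {
	if cli.Issuer == "" || cli.Subject == "" || browser.Issuer == "" || browser.Subject == "" {
		return fmt.Errorf("%w: missing issuer or subject", ErrAccountMismatch)
	}
	if cli.Issuer != browser.Issuer || cli.Subject != browser.Subject {
		return fmt.Errorf("%w (active CLI account: %s; browser account: %s)",
			ErrAccountMismatch, cli.Email, browser.Email)
	}
	return nil
}

// resolveProviders (hypothetical) is the caller side: a generic connect error
// becomes a warning and launch continues with local providers only, while an
// account mismatch aborts before any credential retry.
func resolveProviders(local []string, connect func() ([]string, error)) (resolved, warnings []string, err error) {
	hosted, cerr := connect()
	switch {
	case errors.Is(cerr, ErrAccountMismatch):
		return nil, nil, cerr
	case cerr != nil:
		return local, []string{"hosted connect unavailable: " + cerr.Error()}, nil
	}
	return append(append([]string{}, local...), hosted...), nil, nil
}

func main() {
	// Constructed sample identities, not real accounts.
	active := Identity{Issuer: "https://issuer.example", Subject: "user-1", Email: "active@example.com"}
	browser := Identity{Issuer: "https://issuer.example", Subject: "user-2", Email: "browser@example.com"}
	_, _, err := resolveProviders([]string{"github"}, func() ([]string, error) {
		return nil, checkSameAccount(active, browser)
	})
	fmt.Println("Error:", err)
}
```

Wrapping with `%w` keeps the sentinel reachable through `errors.Is`, so the user-facing message can carry both account names without the caller matching on strings.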
