Description
doctl auth switch --context default silently injects default: "true" into the auth-contexts map in ~/.config/doctl/config.yaml. This entry is not a real token — it's a side effect of how RunAuthSwitch validates the requested context.
The bogus entry can break subsequent context switches because doctl may resolve the default context against auth-contexts (finding "true") instead of the top-level access-token.
Steps to reproduce
# Start with a clean config that has a named context
doctl auth init # sets top-level access-token
doctl auth init --context teamadf # adds teamadf under auth-contexts
# Confirm no "default" key under auth-contexts
grep -A3 '^auth-contexts:' ~/.config/doctl/config.yaml
# Switch to default — this creates the bogus entry
doctl auth switch --context default
# Now check again
grep -A3 '^auth-contexts:' ~/.config/doctl/config.yaml
Expected:
auth-contexts:
teamadf: dop_v1_abc123...
Actual:
auth-contexts:
default: "true"
teamadf: dop_v1_abc123...
The default: "true" entry appears every time you switch to the default context.
Root cause
In commands/auth.go → RunAuthSwitch, the default context is temporarily added to the auth-contexts map for validation:
contextsAvail := viper.GetStringMap("auth-contexts")
contextsAvail[doctl.ArgDefaultContext] = trueLater, viper's state (now containing default: true) is serialized back to the config file via writeConfig(). The temporary validation entry is never removed before the write.
Impact
- The
default context resolves to the string "true" instead of the top-level access-token, which can cause API calls to silently use the wrong token or fail.
- Users managing multiple contexts (e.g. switching between teams) get stale results because all contexts fall back to the same top-level token.
- The entry reappears after every
doctl auth switch --context default, so manually removing it doesn't stick.
Suggested fix
Remove the default key from the map after validation, before writing the config. Something like:
contextsAvail := viper.GetStringMap("auth-contexts")
contextsAvail[doctl.ArgDefaultContext] = true // for validation only
// ... validation logic ...
// Clean up before persisting
delete(contextsAvail, doctl.ArgDefaultContext)Workaround
Strip the bogus entry after switching:
# Wrapper function
doswitch() {
local ctx="${1:-default}"
doctl auth switch --context "$ctx"
sed -i '/^ default: "true"$/d' "${HOME}/.config/doctl/config.yaml" 2>/dev/null
}Environment
- doctl version: 1.110.0-release
- OS: Linux (WSL2)
- Shell: bash
Description
doctl auth switch --context defaultsilently injectsdefault: "true"into theauth-contextsmap in~/.config/doctl/config.yaml. This entry is not a real token — it's a side effect of howRunAuthSwitchvalidates the requested context.The bogus entry can break subsequent context switches because doctl may resolve the
defaultcontext againstauth-contexts(finding"true") instead of the top-levelaccess-token.Steps to reproduce
Expected:
Actual:
The
default: "true"entry appears every time you switch to the default context.Root cause
In
commands/auth.go→RunAuthSwitch, the default context is temporarily added to the auth-contexts map for validation:Later, viper's state (now containing
default: true) is serialized back to the config file viawriteConfig(). The temporary validation entry is never removed before the write.Impact
defaultcontext resolves to the string"true"instead of the top-levelaccess-token, which can cause API calls to silently use the wrong token or fail.doctl auth switch --context default, so manually removing it doesn't stick.Suggested fix
Remove the
defaultkey from the map after validation, before writing the config. Something like:Workaround
Strip the bogus entry after switching:
Environment