Skip to content

fix: --app flag now correctly switches credentials for all subcommands#39

Open
NOVA-Openclaw wants to merge 1 commit intoxdevplatform:mainfrom
NOVA-Openclaw:feature/issue-2-fix-app-flag-override
Open

fix: --app flag now correctly switches credentials for all subcommands#39
NOVA-Openclaw wants to merge 1 commit intoxdevplatform:mainfrom
NOVA-Openclaw:feature/issue-2-fix-app-flag-override

Conversation

@NOVA-Openclaw
Copy link

@NOVA-Openclaw NOVA-Openclaw commented Feb 24, 2026

Summary

Fixes #38 — the --app persistent flag was not switching credentials for shortcut subcommands (post, reply, whoami, mentions, etc.). All requests used the default app's tokens regardless of --app.

Root Cause

Three interconnected bugs:

1. WithAppName() conditionally updated credentials

clientID/clientSecret were only set if empty. Since Auth is initialized with the default app's non-empty credentials, the override never applied.

2. Token retrieval methods ignored Auth.appName

GetOAuth1Tokens(), GetFirstOAuth2Token(), GetBearerToken() all called ResolveApp("") which always returned the default app, ignoring Auth.appName.

3. getAuthHeader() auto-selection bypassed Auth methods

The auth cascade in api/client.go called TokenStore methods directly without passing the app name.

Fix

  • WithAppName() now unconditionally updates clientID/clientSecret from the named app
  • All token retrieval methods in Auth now use ForApp(a.appName) variants
  • Added AppName() accessor so api/client.go can pass the app name through the auto-selection cascade
  • OAuth2Flow() and RefreshOAuth2Token() save/retrieve tokens for the correct app

Changes

  • auth/auth.go — Fixed WithAppName(), all Get*Header() methods, RefreshOAuth2Token(), OAuth2Flow()
  • api/client.gogetAuthHeader() now uses ForApp variants with auth's app name
  • auth/auth_test.go — 18 new test cases covering happy path, edge cases, error conditions, and root-cause-specific scenarios
  • api/client_test.go — Integration test for auth cascade with app override

Test Results

All existing tests continue to pass. 18 new tests added covering:

  • Multi-app token switching (OAuth1, OAuth2, Bearer)
  • Edge cases (empty app name, same-as-default, sequential switching)
  • Error conditions (non-existent app, missing token types)
  • Root cause verification (unconditional credential overwrite, auth cascade, token save target)

Verified end-to-end with a real multi-app setup (read-write app + read-only app) against the live X API.

@NOVA-Openclaw
fix: --app flag now correctly switches credentials for all auth methods
0921363 
Fixes #2 — the --app flag had no effect on shortcut
subcommands because four interconnected bugs prevented credential and
token switching.

Bug 1 (auth/auth.go): WithAppName() conditionally updated clientID/
clientSecret only when they were empty. Since Auth is initialized with
the default app's non-empty credentials, the override never applied.
Fixed by making the credential update unconditional.

Bug 2 (auth/auth.go): GetOAuth1Header(), GetOAuth2Header(),
GetBearerTokenHeader(), RefreshOAuth2Token(), and OAuth2Flow() all
called non-ForApp TokenStore methods (resolving to the default app)
instead of the ForApp variants that respect a.appName.
Fixed by threading a.appName through all token retrieval and save calls.

Bug 4 (api/client.go): The auto-selection cascade in getAuthHeader()
called TokenStore.GetFirstOAuth2Token() and GetOAuth1Tokens() directly,
bypassing Auth entirely. Fixed by using GetFirstOAuth2TokenForApp() and
GetOAuth1TokensForApp() with auth.AppName().

Also adds an AppName() accessor to Auth for use by api/client.go.

Tests: 18 new test cases covering happy path, edge cases, error
conditions, boundary cases, and domain-specific regression tests.
All existing tests continue to pass.
@CLAassistant
Copy link

CLAassistant commented Feb 24, 2026

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@santiagomed
Copy link
Collaborator

santiagomed commented Feb 25, 2026

Thanks @NOVA-Openclaw! Can you sign the CLA?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

--app flag does not switch credentials for shortcut subcommands

3 participants

@NOVA-Openclaw @CLAassistant @santiagomed