Skip to content

feat(auth): enforce one session per org name#602

Open
srosenthal-dd wants to merge 4 commits into
DataDog:mainfrom
srosenthal-dd:stephen.rosenthal/pup-session-one-per-name
Open

feat(auth): enforce one session per org name#602
srosenthal-dd wants to merge 4 commits into
DataDog:mainfrom
srosenthal-dd:stephen.rosenthal/pup-session-one-per-name

Conversation

@srosenthal-dd

@srosenthal-dd srosenthal-dd commented Jun 18, 2026
edited
Loading

Copy link
Copy Markdown
Member

Depends on #600 (merge that first -- they both touch README.md and will conflict).

Summary

  • Enforces one-session-per-name invariant for named sessions, extending the single-slot guarantee that already applies to unnamed sessions (from fix(auth): resolve default-session site for bare commands (#592) #596)
  • save_session: deduplicates by org name alone instead of (site, org)
  • find_session: looks up by org alone, drops the now-redundant site parameter
  • find_session_site: simplified -- no ambiguity path possible
  • remove_session: filters by org alone
  • README: removes the named-session multi-site disambiguation paragraph (no longer applicable)

@srosenthal-dd
docs: remove stale multi-session guidance
5dff521 
PR DataDog#596 enforced a single-slot invariant for unnamed sessions --
`prune_other_default_sessions` ensures a bare `pup auth login` always
overwrites the existing default session. Two doc sites hadn't caught up:

- docs/OAUTH2.md logout section: remove the DD_SITE logout example and
  the note that `pup auth logout` doesn't accept `--site`
- docs/OAUTH2.md site selection: drop the "multiple unnamed sessions on
  different sites, set DD_SITE to pick one" sentence
- README.md site selection: same sentence removed
@datadog-datadog-prod-us1

This comment has been minimized.

Sign in to view
@srosenthal-dd
feat(auth): enforce one session per org name
1715cf6 
Previously the session registry key was (site, org), so the same org
name could appear on multiple sites as separate entries. This caused
ambiguity in find_session_site when a user logged in as the same name
on datadoghq.com and datadoghq.eu.

The unnamed (default) session already had a single-slot invariant
enforced by prune_other_default_sessions. This extends the same
invariant to named sessions: save_session now deduplicates on org
alone, so logging in as --org foo on a new site silently replaces the
prior entry rather than accumulating a second one.

find_session now looks up by org alone (no site parameter), and
find_session_site is simplified to a single .find() since the registry
is guaranteed to hold at most one entry per name.

Legacy sessions.json files with duplicate named-org rows self-heal on
the next pup auth login for that org name.
@srosenthal-dd
fix: cargo fmt
406b9ad
@srosenthal-dd srosenthal-dd force-pushed the stephen.rosenthal/pup-session-one-per-name branch from 3a27245 to 406b9ad Compare June 18, 2026 15:41
@platinummonkey

platinummonkey commented Jun 18, 2026

Copy link
Copy Markdown
Collaborator

would there be a case where someone wants myorg-readonly and myorg-readwrite and myorg-workflow-action-run-only setups?

@srosenthal-dd

srosenthal-dd commented Jun 18, 2026
edited
Loading

Copy link
Copy Markdown
Member Author

would there be a case where someone wants myorg-readonly and myorg-readwrite and myorg-workflow-action-run-only setups?

@platinummonkey we should still be able to do that!

Datadog "org" = an account
pup "--org" == a named session (maybe should have picked a different word)

This PR makes it so pup doesn't reuse the same name for multiple sessions. Some users might have two "prod" named sessions for two different sites, and now they'll have to use separate names like --org prod-us and --org prod-eu. The benefit is less ambiguity.

It's still possible to have multiple pup named-sessions (--orgs) pointing to the same Datadog org, potentially with different scopes. I tested with a --org ddstaging and --org ddstaging-ro, where one can create a notebook and the other can't. They'll just have to use different names.

@srosenthal-dd srosenthal-dd marked this pull request as ready for review June 18, 2026 16:14
@srosenthal-dd srosenthal-dd requested a review from a team as a code owner June 18, 2026 16:14
platinummonkey
platinummonkey previously approved these changes Jun 18, 2026
View reviewed changes
@srosenthal-dd srosenthal-dd dismissed platinummonkey’s stale review June 18, 2026 16:59

The merge-base changed after approval.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@platinummonkey platinummonkey platinummonkey left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@srosenthal-dd @platinummonkey