Doppler CLI Windows 11 invalid auth tokens

On one of my windows boxes I am constantly getting “Invalid Auth Token”. It seems that any auth token scoped to C:\ gets corrupted upon initiation. If I login again without login out I get the option to scope a new token to the directory I’m in, and then it works.

C:\Users\SiggiBjarnason\OneDrive - Nanitor\public-scripts>doppler secrets
Unable to fetch secrets
Doppler Error: Invalid Auth token

C:\Users\SiggiBjarnason\OneDrive - Nanitor\public-scripts>doppler logout

? Revoke auth token scoped to C:\? Yes
Auth token has been revokedto C:\? (y/N) y

C:\Users\SiggiBjarnason\OneDrive - Nanitor\public-scripts>doppler login   

? Open the authorization page in your browser? Yes
Complete authorization at https://dashboard.doppler.com/workplace/auth/cli
Your auth code is:
xxx_yyy_aaa_redacted_bbb_ccc

Waiting...

Welcome, Siggi

C:\Users\SiggiBjarnason\OneDrive - Nanitor\public-scripts>doppler secrets
Unable to fetch secrets
Doppler Error: Invalid Auth token

C:\Users\SiggiBjarnason\OneDrive - Nanitor\public-scripts>

Hi @siggib007!

Welcome to the Doppler Community!

This is sounding very similar to a Windows issue we had with our VS Code extension (see here). Could you check the .doppler.yaml file in the .doppler directory of your user home directory to see what the paths look like there? It’s possible there’s a case-sensitivity issue cropping up here.

Regards,
-Joel

Just getting back to this, I’m not a full time dev so I haven’t had a chance to look into this before. The paths look normal to me. Here they are for your reference.

scoped:
    C:\:
        api-host: https://api.doppler.com
        dashboard-host: https://dashboard.doppler.com
    C:\Users\SiggiBjarnason:
        token: secret-xxxxx
        api-host: https://api.doppler.com
        dashboard-host: https://dashboard.doppler.com
    C:\Users\SiggiBjarnason\OneDrive - Nanitor\mkdocs\knowledgebase:
        token: secret-xxxx
        api-host: https://api.doppler.com
        dashboard-host: https://dashboard.doppler.com
        enclave.project: nanitor
        enclave.config: demo_bench
    C:\Users\SiggiBjarnason\OneDrive - Nanitor\public-scripts:
        token: secret-xxx
        api-host: https://api.doppler.com
        dashboard-host: https://dashboard.doppler.com
        enclave.project: nanitor
        enclave.config: demo_issueexport
    C:\scripts:
        enclave.project: perftest
        enclave.config: dev_elephant

I did some further testing and found something curious, don’t know if it is by design or not. I was in one of the scoped directories and did a doppler logout, which eliminated the root token, but the scoped token remained and worked fine while in the scope. When I tried to logout again it complained about invalid token.
While I use VSCode heavily I’m not using the extension to my knowledge, working this all in the terminal.
I’m going to delete the yaml file and do some more testing to see how that looks.

I deleted everything out of my .doppler directory, reinstalled the CLI via winget, revoked all the existing tokens and logged in again. Things seem to be working as expected now. Here is the yml for reference.

scoped:
    C:\:
        token: top-secret-need-to-know
        api-host: https://api.doppler.com
        dashboard-host: https://dashboard.doppler.com
    C:\Users\SiggiBjarnason\OneDrive - Nanitor\mkdocs\knowledgebase:
        enclave.project: nanitor
        enclave.config: demo_bench
    C:\Users\SiggiBjarnason\OneDrive - Nanitor\public-scripts:
        enclave.project: nanitor
        enclave.config: demo_issueexport
version-check:
    latest-version: v3.66.3
    checked-at: 2023-11-16T11:21:32.335677Z
analytics:
    disable: false
tui:
    introVersionSeen: 0

@siggib007 What you’re seeing there is correct. The initial doppler login you do is globally scoped. You can then do subsequent logins that are scoped to specific directories (e.g., if you have projects in different Doppler workplaces). If you logout of the global scope, it doesn’t logout any of the more tightly scoped logins. This is sounding like maybe there were some unintended logins scoped in unexpected ways (note that the scope is cascading, so anything under the scope location inherits the new auth).

In any case, you can always reset this (similar to deleting the .doppler.yaml file) by running doppler configure reset.

1 Like