Summary
When openshell gateway add fails to authenticate (OIDC timeout, browser cookie error, Cloudflare callback failure), the gateway registration is left on disk. This causes stale entries to accumulate over time, especially when users retry with different flags or names while debugging auth issues.
The root cause: store_gateway_metadata() and save_active_gateway() are called before the auth attempt. When auth fails, the code prints "Authentication skipped" but never cleans up the registration.
Steps to Reproduce
# Register a gateway where auth will fail (e.g., OIDC issuer is unreachable)
OPENSHELL_NO_BROWSER=1 openshell gateway add --name broken-gw \
--oidc-issuer http://unreachable:8080/realms/test \
--oidc-client-id test \
https://gateway.example.com
# Output:
# ✓ Gateway 'broken-gw' added and set as active
# ! Authentication skipped: ...
# The registration persists even though it never worked
openshell gateway list # shows broken-gw
Repeating this with different names (gw1, gw2, my-gw, test-gw) leaves orphaned entries that the user must manually clean up.
Proposed Fix
When auth fails during gateway add, roll back the registration by calling the existing remove_gateway_registration() helper and restoring the previously active gateway. The user gets a clean error message suggesting the correct gateway add invocation instead of a broken entry they must manually remove.
The rollback should NOT apply when auth is intentionally skipped (e.g., OPENSHELL_NO_BROWSER=1), since the user may intend to authenticate later with gateway login.
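The rollback described under Proposed Fix, sketched as an added example (not code from the openshell project): it snapshots the active gateway before writing, and undoes the registration only on a real auth failure. The helper names are the ones this issue mentions, but the `Registry` and `Auth` types and all function bodies are hypothetical in-memory stand-ins. As an extra assumption beyond the issue, a failed re-add of an already registered name does not delete the existing entry.

```rust
use std::collections::BTreeSet;

/// Hypothetical in-memory stand-in for the on-disk gateway registry.
#[derive(Default)]
pub struct Registry {
    pub gateways: BTreeSet<String>,
    pub active: Option<String>,
}

/// Constructed outcomes of the auth attempt made during `gateway add`.
pub enum Auth {
    Ok,
    SkippedByUser,  // e.g. OPENSHELL_NO_BROWSER=1
    Failed(String), // OIDC timeout, callback failure, ...
}

impl Registry {
    // Names mirror the helpers the issue mentions; the bodies are assumptions.
    fn store_gateway_metadata(&mut self, name: &str) -> bool {
        self.gateways.insert(name.to_string()) // true if newly created
    }
    fn save_active_gateway(&mut self, name: Option<String>) {
        self.active = name;
    }
    fn remove_gateway_registration(&mut self, name: &str) {
        self.gateways.remove(name);
    }
    pub fn gateway_add(&mut self, name: &str, auth: Auth) -> Result<(), String> {
        let previous_active = self.active.clone(); // snapshot before any write
        let created = self.store_gateway_metadata(name);
        self.save_active_gateway(Some(name.to_string()));
        match auth {
            Auth::Ok | Auth::SkippedByUser => Ok(()), // registration is kept
            Auth::Failed(reason) => {
                // Only delete what this call created, then restore the old active entry.
                if created {
                    self.remove_gateway_registration(name);
                }
                self.save_active_gateway(previous_active);
                Err(format!("gateway '{name}' not added: authentication failed: {reason}"))
            }
        }
    }
}

fn main() {
    let mut reg = Registry::default();
    println!("{:?}", reg.gateway_add("broken-gw", Auth::Failed("issuer unreachable".into())));
}
```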