From f20967fd6108ec96ee131999dbfc9e620ef60a34 Mon Sep 17 00:00:00 2001
From: kshitijk4poor <82637225+kshitijk4poor@users.noreply.github.com>
Date: Thu, 14 May 2026 11:41:39 +0530
Subject: [PATCH] warn: oauth2 without --app saves token to credential-less app
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When a user registers an app with client credentials and runs 'xurl auth oauth2' without --app, the token lands in the built-in 'default' profile which has no stored client_id/client_secret. Every subsequent API call fails with a cryptic 401 Unauthorized, and nothing in the error message points to the missing --app. Before running the OAuth2 flow, check whether the target app has stored client credentials. If the default app doesn't but another registered app does, print a warning to stderr with the exact fix. The OAuth flow still runs — users intentionally using the default app with env-var or manual credentials are not blocked.
---
 cli/auth.go | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
diff --git a/cli/auth.go b/cli/auth.go
index e237d3b..ab9c776 100644
--- a/cli/auth.go
+++ b/cli/auth.go
@@ -65,6 +65,35 @@ func createAuthOAuth2Cmd(a *auth.Auth) *cobra.Command {
 if len(args) > 0 {
 username = args[0]
 }
+
+ // Warn when --app is not specified and the default app has no
+ // client credentials but another registered app does. Tokens
+ // saved to a credential-less app cannot be refreshed, causing
+ // cryptic 401 errors on all subsequent API calls.
+ if a.AppName() == "" {
+ defaultApp := a.TokenStore.GetApp("")
+ hasCredentials := defaultApp != nil && defaultApp.ClientID != ""
+ if !hasCredentials {
+ var credentialed []string
+ for _, name := range a.TokenStore.ListApps() {
+ app := a.TokenStore.GetApp(name)
+ if app != nil && app.ClientID != "" {
+ credentialed = append(credentialed, name)
+ }
+ }
+ if len(credentialed) > 0 {
+ fmt.Fprintf(os.Stderr, "\033[33m⚠️ No --app specified. The OAuth2 token will be saved to the \"default\" app,\n")
+ fmt.Fprintf(os.Stderr, " which has no client credentials stored. API calls will fail with 401 errors.\n\n")
+ fmt.Fprintf(os.Stderr, " App(s) with credentials available:\n")
+ for _, name := range credentialed {
+ app := a.TokenStore.GetApp(name)
+ fmt.Fprintf(os.Stderr, " --app %s [client_id: %s…]\n", name, truncate(app.ClientID, 8))
+ }
+ fmt.Fprintf(os.Stderr, "\n Run instead: xurl auth oauth2 --app %s\n\n", credentialed[0])
+ }
+ }
+ }
+
 _, err := a.OAuth2Flow(username)
 if err != nil {
 fmt.Println("OAuth2 authentication failed:", err)
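Review bot: The yellow escape `\033[33m` opened by the first `fmt.Fprintf` in the warning block is never closed, so on a colour terminal the OAuth2 flow output and the later `OAuth2 authentication failed:` message stay yellow, and the raw escape bytes also land in a redirected stderr. End the last warning line with a reset, e.g. `... --app %s\033[0m\n\n`, and ideally emit colour only when stderr is a terminal. The app names read back from the token store are also interpolated with `%s` into both the list and the copy-paste `Run instead:` command; `%q` would keep a name containing spaces or control characters from changing what the user sees or pastes. The enclosing function starts and ends outside the hunk, and `truncate` is not defined in it, so its handling of short or multi-byte client IDs cannot be checked here.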