Users able to deploy without running flyctl auth login

Hey folks, my partner was able to deploy an application into my account without running flyctl auth login. They downloaded flyctl and then ran flyctl launch (just those two commands, no auth), and despite having their own account, the application showed up in my dashboard. We tried resolving this by having them run flyctl auth login, having me destroy their application, and having them re-launch. The output for flyctl orgs list used to show my organization but after running flyctl auth login it shows theirs. However, even after logging in with their account the application is deployed into my organization.

It looks like some entries in ~/.fly/config.yml still reference my account (interestingly, my old email, not the email currently associated with my account). What’s the preferred method of resolution? Would it suffice to delete their ~/.fly directory and re-install flyctl?

Hi. Can you share the output of flyctl version? Running flyctl auth logout should clear your tokens from the configuration and stop the running agent. In older versions of flyctl, the background agent would frequently re-write its token to the configuration file, causing authentication changes to be randomly reverted.

To be extra sure, you could run flyctl auth logout, flyctl agent stop, and then delete the ~/.fly directory.

Thanks for the reply! My partner and I are both using flyctl version 0.1.131. I’ll let them know about restarting the agent and possibly deleting their ~/.fly directory.

I’m still curious how their flyctl initially set them up to deploy into my organization without having to authenticate. Is there any way I can prevent this from happening in the future?

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.