fix(auth): clear stale credentials before OAuth flow, not after

Summary

oauth2.StartFlow calls marshal() internally, which writes is_oauth2, oauth2_refresh_token, oauth2_expiry_date, and token to the config. The ClearAuthFields call introduced in 8acb8487 was placed after StartFlow, which immediately erased those fields — leaving only the access token with is_oauth2 unset.

When the API client later built its auth source it saw is_oauth2 != "true" and fell into the PAT branch, sending Private-Token: instead of Authorization: Bearer. GitLab rejects OAuth2 access tokens via that header, causing a 401 on every web login.

Fix: move the re-split and ClearAuthFields to before the token/OAuth if-else block. Stale credentials are cleared before any new credentials are written, so marshal()'s output is never immediately overwritten. The original intent (clearing stale fields when switching auth methods) is preserved for both paths.

Test plan

  • glab auth login via web flow completes without 401
  • Re-authenticating from OAuth to PAT (and vice versa) leaves no stale fields
  • Existing auth login unit tests pass

Closes #8250 (closed)
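
The ordering problem described above, as an added Go example that is not glab's code: a simplified model in which Config, clearAuthFields, startFlow, AuthHeader, LoginBuggy and LoginFixed are hypothetical stand-ins and all token values are constructed. Only the config keys and header names come from the description.

```go
package main

import "fmt"

// Config is a hypothetical stand-in for the per-host config store.
type Config map[string]string

// clearAuthFields models ClearAuthFields: drop every credential field.
func clearAuthFields(c Config) {
	for _, k := range []string{"token", "is_oauth2", "oauth2_refresh_token", "oauth2_expiry_date"} {
		delete(c, k)
	}
}

// startFlow models oauth2.StartFlow: it persists the OAuth state itself (the marshal() step).
func startFlow(c Config) string {
	c["token"] = "constructed-access-token"
	c["is_oauth2"] = "true"
	c["oauth2_refresh_token"] = "constructed-refresh-token"
	c["oauth2_expiry_date"] = "2030-01-01T00:00:00Z"
	return c["token"]
}

// AuthHeader models the API client's branch on is_oauth2.
func AuthHeader(c Config) string {
	if c["is_oauth2"] == "true" {
		return "Authorization: Bearer " + c["token"]
	}
	return "Private-Token: " + c["token"]
}

// LoginBuggy clears after the flow, so only the access token is left (assumed re-stored by the caller).
func LoginBuggy(c Config) {
	tok := startFlow(c)
	clearAuthFields(c)
	c["token"] = tok
}

// LoginFixed clears stale fields first, so the flow's writes survive.
func LoginFixed(c Config) {
	clearAuthFields(c)
	startFlow(c)
}

func main() {
	b, f := Config{"token": "constructed-old-pat"}, Config{"token": "constructed-old-pat"}
	LoginBuggy(b)
	LoginFixed(f)
	fmt.Println(AuthHeader(b), "|", AuthHeader(f))
}
```

A regression test in this shape asserts on the persisted fields after login, not only on the returned token, which is what catches a clear step placed after the write.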
