fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Error about auth token when running `fleetctl generate mdm-apple` #15328

Closed zwass closed 9 months ago

zwass commented 10 months ago

Fleet version: fleetctl 4.40.0


💥  Actual behavior

$ fleetctl generate mdm-apple --email example@example.com --org 'Example'
Token invalid or session expired. Please log in with: fleetctl login
Error: unauthenticated, or invalid token

🧑‍💻  Steps to reproduce

  1. Run the command above (probably needs to have an invalid token stored in the fleetctl config in order to reproduce the error).

🕯️ More info (optional)

IIRC this command doesn't actually need to hit the Fleet server, it only needs to hit fleetdm.com. If that is true, then there shouldn't be a check for a valid auth token for the Fleet server.

xpkoala commented 10 months ago

Confirmed the behavior outlined by Zach.

A similar error will be generated if you are not currently logged into fleetctl:

reed@reed fleet % sudo ./build/fleetctl generate mdm-apple --email bob@ross.edu --org colorbynumbers
Token missing. Please log in with: fleetctl login
Error: token config value missing

xpkoala commented 10 months ago

@sharon-fdm This should be ready for prioritization.

sharon-fdm commented 10 months ago

@xpkoala @georgekarrv Should this go to MDM team?

xpkoala commented 10 months ago

@sharon-fdm In my haste I assigned to the Endpoint team as that team has taken a majority of the fleetctl work in the past.

@sabrinabuckets is also in agreement this should go to the MDM team; I'll re-assign over there.

roperzh commented 9 months ago

This command hits the server, more precisely this endpoint:

https://github.com/fleetdm/fleet/blob/37ab55c2da4d10ee69690123de40d08e75a740c0/docs/Contributing/API-for-contributors.md?plain=1#L560-L586

I don't recall the details now, but it was necessary for Fleet to act as a reverse proxy for fleetdm.com. We also included the other SCEP certificates in the request since the endpoint is used both by fleetctl and the UI to generate all three certs.

roperzh commented 9 months ago

Per the above, I'm closing as this is the expected behavior. Please feel free to reopen!

fleet-release commented 9 months ago

Token check removed, Fleet's path clearer, seamless, In cloud city, we trust.