The AuthManager Bug: How a Missing Method Cost Us Three Days

By Samuel Appiah Kubi · 08 Jul 2026

The AuthManager Bug: How a Missing Method Cost Us Three Days

Between 5 and 7 July 2026, we spent three days debugging a download failure that had nothing to do with our code, our credentials, or the Copernicus server. The root cause was a single missing method in PyGeoFetch's AuthManager class.

The Symptoms

After calling client.add_credentials('copernicus', username=..., password=...) and running client.download(), every download returned:

Authentication failed for copernicus. Please re-authenticate with: pygeofetch auth login

The search worked. The credentials appeared to be stored. The token obtained manually from the Copernicus OAuth2 endpoint (2,403 characters) was valid. But downloads failed immediately with 0 bytes downloaded in 0.0 seconds.

The Trace

PyGeoFetchEngine.add_credentials() calls self.auth.add_credentials(provider, creds) on line 270 of engine.py. AuthManager has list(), test(), and remove() methods — but not add_credentials(). The method raises AttributeError. Our try/except catches it silently, stores credentials in pygeovision's in-memory dict, and logs a debug message. So the credentials appear stored. But PyGeoFetch's engine session is never authenticated — it has no Bearer token for downloads.

The Fix

In pygeovision's fetch.py, when PyGeoFetch's engine.download() returns "Authentication failed", we now catch that specific error and retry using our own OAuth2 token obtained directly from the Copernicus Identity Service. We construct the OData download URL from the product UUID and download directly with Bearer auth, bypassing the engine's broken session entirely.

We have formally reported this to the PyGeoFetch team with an exact stack trace, required method signature, and integration contract specification. The fix should be a 10-line addition to auth.py.

The Lesson

Silent failures are the most dangerous bugs. A method that raises AttributeError which gets caught and ignored, leaving the system in a partially initialised state, will waste days of debugging time. Every credential storage operation should have an explicit success/failure return value and a verification step.