More login synchronization issues

Author: EhabY

src/extension.ts

@@ -343,7 +343,7 @@ export async function activate(ctx: vscode.ExtensionContext): Promise<void> {
 			registerAuthListener(deployment?.label);
 
 			// Update context
-			contextManager.set("coder.authenticated", deployment !== undefined);
+			contextManager.set("coder.authenticated", Boolean(deployment));
 
 			// Refresh workspaces
 			myWorkspacesProvider.fetchAndRefresh();

src/login/loginCoordinator.ts

@@ -179,17 +179,28 @@ export class LoginCoordinator {
 		isAutoLogin: boolean,
 		oauthSessionManager: OAuthSessionManager,
 	): Promise<LoginResult> {
-		const token = await this.secretsManager.getSessionToken(deployment.label);
-		const client = CoderApi.create(deployment.url, token, this.logger);
 		const needsToken = needToken(vscode.workspace.getConfiguration());
-		if (!needsToken || token) {
-			try {
-				const user = await client.getAuthenticatedUser();
-				// For non-token auth, we write a blank token since the `vscodessh`
-				// command currently always requires a token file.
-				// For token auth, we have valid access so we can just return the user here
-				return { success: true, token: needsToken && token ? token : "", user };
-			} catch (err) {
+		const client = CoderApi.create(deployment.url, "", this.logger);
+
+		let storedToken: string | undefined;
+		if (needsToken) {
+			storedToken = await this.secretsManager.getSessionToken(deployment.label);
+			if (storedToken) {
+				client.setSessionToken(storedToken);
+			}
+		}
+
+		// Attempt authentication with current credentials (token or mTLS)
+		try {
+			const user = await client.getAuthenticatedUser();
+			// Return the token that was used (empty string for mTLS since
+			// the `vscodessh` command currently always requires a token file)
+			return { success: true, token: storedToken ?? "", user };
+		} catch (err) {
+			if (needsToken) {
+				// For token auth: silently continue to prompt for new credentials
+			} else {
+				// For mTLS: show error and abort (no credentials to prompt for)
 				const message = getErrorMessage(err, "no response from the server");
 				if (isAutoLogin) {
 					this.logger.warn("Failed to log in to Coder server:", message);
@@ -203,7 +214,6 @@ export class LoginCoordinator {
 						},
 					);
 				}
-				// Invalid certificate, most likely.
 				return { success: false };
 			}
 		}
@@ -212,12 +222,8 @@ export class LoginCoordinator {
 		switch (authMethod) {
 			case "oauth":
 				return this.loginWithOAuth(client, oauthSessionManager, deployment);
-			case "legacy": {
-				const initialToken =
-					token ||
-					(await this.secretsManager.getSessionToken(deployment.label));
-				return this.loginWithToken(client, initialToken);
-			}
+			case "legacy":
+				return this.loginWithToken(client);
 			case undefined:
 				return { success: false }; // User aborted
 		}
@@ -226,10 +232,7 @@ export class LoginCoordinator {
 	/**
 	 * Session token authentication flow.
 	 */
-	private async loginWithToken(
-		client: CoderApi,
-		initialToken: string | undefined,
-	): Promise<LoginResult> {
+	private async loginWithToken(client: CoderApi): Promise<LoginResult> {
 		const url = client.getAxiosInstance().defaults.baseURL;
 		if (!url) {
 			throw new Error("No base URL set on REST client");
@@ -246,7 +249,6 @@ export class LoginCoordinator {
 			title: "Coder API Key",
 			password: true,
 			placeHolder: "Paste your API key.",
-			value: initialToken,
 			ignoreFocusOut: true,
 			validateInput: async (value) => {
 				if (!value) {
@@ -315,10 +317,15 @@ export class LoginCoordinator {
 				user,
 			};
 		} catch (error) {
-			this.logger.error("OAuth authentication failed:", error);
-			vscode.window.showErrorMessage(
-				`OAuth authentication failed: ${getErrorMessage(error, "Unknown error")}`,
-			);
+			const title = "OAuth authentication failed";
+			this.logger.error(title, error);
+			if (error instanceof CertificateError) {
+				error.showNotification(title);
+			} else {
+				vscode.window.showErrorMessage(
+					`${title}: ${getErrorMessage(error, "Unknown error")}`,
+				);
+			}
 			return { success: false };
 		}
 	}

src/oauth/sessionManager.ts

@@ -132,7 +132,8 @@ export class OAuthSessionManager implements vscode.Disposable {
 				stored: tokens.deployment_url,
 				current: this.deployment.url,
 			});
-			await this.clearOAuthState();
+			this.clearInMemoryTokens();
+			await this.secretsManager.clearOAuthData(this.deployment.label);
 			return;
 		}
 
@@ -144,6 +145,7 @@ export class OAuthSessionManager implements vscode.Disposable {
 					required_scopes: DEFAULT_OAUTH_SCOPES,
 				},
 			);
+			this.clearInMemoryTokens();
 			await this.secretsManager.clearOAuthTokens(this.deployment.label);
 			return;
 		}
@@ -152,13 +154,6 @@ export class OAuthSessionManager implements vscode.Disposable {
 		this.logger.info(`Loaded stored OAuth tokens for ${this.deployment.label}`);
 	}
 
-	private async clearOAuthState(): Promise<void> {
-		this.clearInMemoryTokens();
-		if (this.deployment) {
-			await this.secretsManager.clearOAuthData(this.deployment.label);
-		}
-	}
-
 	private clearInMemoryTokens(): void {
 		this.storedTokens = undefined;
 		this.refreshPromise = null;
@@ -714,13 +709,15 @@ export class OAuthSessionManager implements vscode.Disposable {
 		// Revoke refresh token (which also invalidates access token per RFC 7009)
 		if (this.storedTokens?.refresh_token) {
 			try {
+				// TODO what if other windows are using this?
+				// We should only revoke if we are clearing the OAuth data
 				await this.revokeToken(this.storedTokens.refresh_token);
 			} catch (error) {
 				this.logger.warn("Token revocation failed during logout:", error);
 			}
 		}
 
-		await this.clearOAuthState();
+		this.clearInMemoryTokens();
 		this.deployment = undefined;
 
 		this.logger.info("OAuth logout complete");