Rely on the secrets API + Refactorings

Author: EhabY

src/commands.ts

@@ -107,12 +107,9 @@ export class Commands {
 		await this.mementoManager.setUrl(url);
 		await this.secretsManager.setSessionToken(label, {
 			url,
-			sessionToken: result.token,
+			token: result.token,
 		});
 
-		// Store on disk for CLI
-		await this.cliManager.configure(label, url, result.token);
-
 		// Update contexts
 		this.contextManager.set("coder.authenticated", true);
 		if (result.user.roles.some((role) => role.name === "owner")) {

src/core/cliManager.ts

@@ -721,8 +721,7 @@ export class CliManager {
 	): Promise<void> {
 		if (url) {
 			const urlPath = this.pathResolver.getUrlPath(label);
-			await fs.mkdir(path.dirname(urlPath), { recursive: true });
-			await fs.writeFile(urlPath, url);
+			await this.atomicWriteFile(urlPath, url);
 		}
 	}
 
@@ -739,30 +738,27 @@ export class CliManager {
 	) {
 		if (token !== null) {
 			const tokenPath = this.pathResolver.getSessionTokenPath(label);
-			await fs.mkdir(path.dirname(tokenPath), { recursive: true });
-			await fs.writeFile(tokenPath, token ?? "");
+			await this.atomicWriteFile(tokenPath, token ?? "");
 		}
 	}
 
 	/**
-	 * Read the CLI config for a deployment with the provided label.
-	 *
-	 * IF a config file does not exist, return an empty string.
-	 *
-	 * If the label is empty, read the old deployment-unaware config.
+	 * Atomically write content to a file by writing to a temporary file first,
+	 * then renaming it.
 	 */
-	public async readConfig(
-		label: string,
-	): Promise<{ url: string; token: string }> {
-		const urlPath = this.pathResolver.getUrlPath(label);
-		const tokenPath = this.pathResolver.getSessionTokenPath(label);
-		const [url, token] = await Promise.allSettled([
-			fs.readFile(urlPath, "utf8"),
-			fs.readFile(tokenPath, "utf8"),
-		]);
-		return {
-			url: url.status === "fulfilled" ? url.value.trim() : "",
-			token: token.status === "fulfilled" ? token.value.trim() : "",
-		};
+	private async atomicWriteFile(
+		filePath: string,
+		content: string,
+	): Promise<void> {
+		await fs.mkdir(path.dirname(filePath), { recursive: true });
+		const tempPath =
+			filePath + ".temp-" + Math.random().toString(36).substring(8);
+		try {
+			await fs.writeFile(tempPath, content);
+			await fs.rename(tempPath, filePath);
+		} catch (err) {
+			await fs.rm(tempPath, { force: true }).catch(() => {});
+			throw err;
+		}
 	}
 }

src/core/secretsManager.ts

@@ -22,16 +22,18 @@ export type StoredOAuthTokens = Omit<TokenResponse, "expires_in"> & {
 
 export interface SessionAuth {
 	url: string;
-	sessionToken: string;
+	token: string;
 }
 
 export interface OAuthData {
 	oauthClientRegistration?: ClientRegistrationResponse;
 	oauthTokens?: StoredOAuthTokens;
 }
 
-export type SessionAuthMap = Record<string, SessionAuth>;
-export type OAuthDataMap = Record<string, OAuthData>;
+// TODO not sure if I love this bulk saving of data
+// How do we clear out outdated info? How do we deal with race conditions across windows?
+type SessionAuthMap = Record<string, SessionAuth>;
+type OAuthDataMap = Record<string, OAuthData>;
 
 interface OAuthCallbackData {
 	state: string;
@@ -59,7 +61,7 @@ export class SecretsManager {
 		// Initialize previous session tokens
 		this.getSessionAuthMap().then((map) => {
 			for (const [label, auth] of Object.entries(map)) {
-				this.previousSessionTokens.set(label, auth.sessionToken);
+				this.previousSessionTokens.set(label, auth.token);
 			}
 		});
 	}
@@ -162,7 +164,7 @@ export class SecretsManager {
 	): Disposable {
 		return this.onDidChangeSessionAuthMap(async (map) => {
 			const auth = map[label];
-			const newToken = auth?.sessionToken ?? "";
+			const newToken = auth?.token ?? "";
 			const previousToken = this.previousSessionTokens.get(label) ?? "";
 
 			// Only fire listener if session token actually changed
@@ -199,15 +201,23 @@ export class SecretsManager {
 	 */
 	public async getSessionToken(label: string): Promise<string | undefined> {
 		const map = await this.getSessionAuthMap();
-		return map[label]?.sessionToken;
+		return map[label]?.token;
+	}
+
+	/**
+	 * Get URL for a specific deployment.
+	 */
+	public async getUrl(label: string): Promise<string | undefined> {
+		const map = await this.getSessionAuthMap();
+		return map[label]?.url;
 	}
 
 	/**
 	 * Set session token for a specific deployment.
 	 */
 	public async setSessionToken(
 		label: string,
-		auth: { url: string; sessionToken: string } | undefined,
+		auth: { url: string; token: string } | undefined,
 	): Promise<void> {
 		await this.updateSessionAuthMap((map) => {
 			if (auth === undefined) {
@@ -406,7 +416,7 @@ export class SecretsManager {
 			const sessionAuthMap: SessionAuthMap = {
 				[label]: {
 					url: url,
-					sessionToken: oldToken,
+					token: oldToken,
 				},
 			};
 

src/extension.ts

@@ -153,20 +153,12 @@ export async function activate(ctx: vscode.ExtensionContext): Promise<void> {
 		output.debug("Registering auth listener for deployment", deploymentLabel);
 		authChangeDisposable = secretsManager.onDidChangeDeploymentAuth(
 			deploymentLabel,
-			async (auth) => {
-				const token = auth?.sessionToken ?? "";
+			(auth) => {
+				const token = auth?.token ?? "";
 				client.setSessionToken(token);
 
 				// Update authentication context for current deployment
 				contextManager.set("coder.authenticated", auth !== undefined);
-
-				output.debug("Session token changed, syncing state");
-
-				if (auth?.url) {
-					const cliManager = serviceContainer.getCliManager();
-					await cliManager.configure(deploymentLabel, auth.url, token);
-					output.debug("Updated CLI config with new token");
-				}
 			},
 		);
 	};
@@ -187,7 +179,6 @@ export async function activate(ctx: vscode.ExtensionContext): Promise<void> {
 				return;
 			}
 
-			const cliManager = serviceContainer.getCliManager();
 			if (uri.path === "/open") {
 				const owner = params.get("owner");
 				const workspace = params.get("workspace");
@@ -234,13 +225,10 @@ export async function activate(ctx: vscode.ExtensionContext): Promise<void> {
 					client.setSessionToken(token);
 					await secretsManager.setSessionToken(label, {
 						url,
-						sessionToken: token,
+						token,
 					});
 				}
 
-				// Store on disk to be used by the cli.
-				await cliManager.configure(toSafeHost(url), url, token);
-
 				vscode.commands.executeCommand(
 					"coder.open",
 					owner,
@@ -313,8 +301,13 @@ export async function activate(ctx: vscode.ExtensionContext): Promise<void> {
 					? params.get("token")
 					: (params.get("token") ?? "");
 
-				// Store on disk to be used by the cli.
-				await cliManager.configure(toSafeHost(url), url, token);
+				if (token) {
+					client.setSessionToken(token);
+					await secretsManager.setSessionToken(label, {
+						url,
+						token,
+					});
+				}
 
 				vscode.commands.executeCommand(
 					"coder.openDevContainer",

src/login/loginCoordinator.ts

@@ -65,13 +65,8 @@ export class LoginCoordinator {
 		options: LoginOptions,
 	): Promise<LoginResult> {
 		return this.executeWithGuard(options.label, () => {
-			const {
-				url,
-				label,
-				detailPrefix: reason,
-				message,
-				oauthSessionManager,
-			} = options;
+			const { url, label, detailPrefix, message, oauthSessionManager } =
+				options;
 
 			// Show dialog promise
 			const dialogPromise = this.vscodeProposed.window
@@ -81,8 +76,8 @@ export class LoginCoordinator {
 						modal: true,
 						useCustom: true,
 						detail:
-							(reason || `Authentication needed for ${label}`) +
-							" If you've already logged in, you may close this dialog.",
+							(detailPrefix || `Authentication needed for ${label}.`) +
+							"\n\nIf you've already logged in, you may close this dialog.",
 					},
 					"Login",
 				)
@@ -91,13 +86,22 @@ export class LoginCoordinator {
 						// User clicked login - proceed with login flow
 						const existingToken =
 							await this.secretsManager.getSessionToken(label);
-						return this.attemptLogin(
+						const result = await this.attemptLogin(
 							label,
 							url,
 							existingToken,
 							false,
 							oauthSessionManager,
 						);
+
+						if (result.success && result.token) {
+							await this.secretsManager.setSessionToken(label, {
+								url,
+								token: result.token,
+							});
+						}
+
+						return result;
 					} else {
 						// User cancelled
 						return { success: false };
@@ -139,9 +143,9 @@ export class LoginCoordinator {
 			const disposable = this.secretsManager.onDidChangeDeploymentAuth(
 				label,
 				(auth) => {
-					if (auth?.sessionToken) {
+					if (auth?.token) {
 						disposable.dispose();
-						resolve({ success: true });
+						resolve({ success: true, token: auth.token });
 					}
 				},
 			);

src/oauth/sessionManager.ts

@@ -140,8 +140,7 @@ export class OAuthSessionManager implements vscode.Disposable {
 
 	private async clearTokenState(): Promise<void> {
 		this.clearInMemoryTokens();
-		await this.secretsManager.setOAuthTokens(this.label, undefined);
-		await this.secretsManager.setOAuthClientRegistration(this.label, undefined);
+		await this.secretsManager.clearOAuthData(this.label);
 	}
 
 	private clearInMemoryTokens(): void {
@@ -274,6 +273,9 @@ export class OAuthSessionManager implements vscode.Disposable {
 	}
 
 	public async setDeployment(label: string, url: string): Promise<void> {
+		if (label === this.label && url === this.deploymentUrl) {
+			return; // Nothing to do
+		}
 		this.logger.debug("Switching OAuth deployment", { label, url });
 		this.label = label;
 		this.deploymentUrl = url;
@@ -601,7 +603,7 @@ export class OAuthSessionManager implements vscode.Disposable {
 		await this.secretsManager.setOAuthTokens(this.label, tokens);
 		await this.secretsManager.setSessionToken(this.label, {
 			url: this.deploymentUrl,
-			sessionToken: tokenResponse.access_token,
+			token: tokenResponse.access_token,
 		});
 
 		this.logger.info("Tokens saved", {
@@ -719,19 +721,12 @@ export class OAuthSessionManager implements vscode.Disposable {
 		await this.clearTokenState();
 		await this.secretsManager.setSessionToken(this.label, undefined);
 
-		const result = await this.loginCoordinator.promptForLoginWithDialog({
+		await this.loginCoordinator.promptForLoginWithDialog({
 			url: this.deploymentUrl,
 			label: this.label,
 			detailPrefix: errorMessage,
 			oauthSessionManager: this,
 		});
-
-		if (result.token) {
-			await this.secretsManager.setSessionToken(this.label, {
-				url: this.deploymentUrl,
-				sessionToken: result.token,
-			});
-		}
 	}
 
 	/**