Should be able to "un-deny" an auth grant from the Manage Trusted Extensions UI

[eamodio]

Currently if you choose to Deny and auth grant prompt, you can still see the extension (as unchecked) in the Manage Trusted Extensions UI (👍), but if you attempt to check it and save, nothing happens. And if you re-open that UI it will be un-checked again.

I think we should allow undoing the denial from that UI.

[TylerLeonhardt]

Looks like this was just a code bug. The intent was that this quick pick would allow you to check on/off which extensions you trust.

[rzhao271]

I'm not familiar with that UI, and wasn't able to find it in the command palette. @TylerLeonhardt can you provide some verification steps?

[TylerLeonhardt]

It's like:

• Open vscode (it's easier with an empty data dir): code-insiders --user-data-dir='/tmp/foo' (on non-Windows or pick a diff path for Windows)
• install copilot if you haven't
• You might see something like this already (if not lmk):
  
• click it
• deny
• Manage trusted extensions
  
• copilot should be unchecked
• check it
• Ok
• go back to manage trusted extensions and verify it's checked
• ^ that's enough to verify but maybe try to see if copilot will make a suggestion anyway

[lramos15]

Maybe I did something wrong but if I deny every extension they all seem to work fine and all the git actions still work.

[TylerLeonhardt]

@lramos15 that's #104008

this issue is only talking about when you "un-deny" an extension from when you denied it in the "Grant access..." modal.

[lramos15]

It still seems pretty broken to me, but I'll leave it up to someone else.
I created a new data dir, and then denied extensions and checked and unchecked them. Sometimes it was able to use my account without another allow dialog or me granting it a token. One point it said no extensions wanted to use my account when it wasn't true, but the check box state did update correctly which is what the verification steps asked for.

[TylerLeonhardt]

Sometimes it was able to use my account without another allow dialog or me granting it a token.

In the case of the GitHub Pull Request extension, it basically logs in once and then maintains an Octokit object for all future GitHub API calls:
https://github.com/microsoft/vscode-pull-request-github/blob/c9911fffef4fa09330cdda57fc4d130af67636ac/src/github/credentials.ts#L170-L171

there isn't a mechanism, today at least, that would invalidate that access token that was given to the client. It will eventually expire and then calling getSession again will not give you a session if you have unchecked the check box. This is why the GHPR extension continues to work fine after you deny it... but once you reload, it will stop working (I wonder if this is something we should do... similar to Workspace Trust's model of reloading)

One point it said no extensions wanted to use my account when it wasn't true

Got some repro steps for this?

[lramos15]

Got some repro steps for this?

Sorry I don't.
I clicked deny to git lens, github pr, codespaces, and copilot then toggled them back on and off a bunch in the trusted extensions quick pick. I then would try to execute something such as opening a repo with git lens and click deny again. This is when I saw that some extensions didn't care to ask me again and just used a token. I also tried to get back to the trusted extensions view and couldn't because it said no extensions wanted to use my account.

[TylerLeonhardt]

I then would try to execute something such as opening a repo with git lens and click deny again.

How do I open a repo with GitLens? Also, I assume when you tried this, you already had GitLens denied, is that right?

[lramos15]

I played around with it a bit more and I couldn't get it to repo again. I'll call this verified for now and test it out again once #104008 is fixed as I assume theres just some auth state issues going on.

[TylerLeonhardt]

Yeah as I think about it some more I think we may have to reload the window if auth is denied to ensure that an access token is no longer used. This would mean that #104008 would no longer make sense but we can continue this discussion there. Thanks for the feedback!