Self-review of OAuth logic

Author: EhabY

src/core/secretsManager.ts

@@ -15,9 +15,10 @@ const SESSION_KEY_PREFIX = "coder.session.";
 const OAUTH_TOKENS_PREFIX = "coder.oauth.tokens.";
 const OAUTH_CLIENT_PREFIX = "coder.oauth.client.";
 
-const CURRENT_DEPLOYMENT_KEY = "coder.currentDeployment";
 const OAUTH_CALLBACK_KEY = "coder.oauthCallback";
 
+const CURRENT_DEPLOYMENT_KEY = "coder.currentDeployment";
+
 const DEPLOYMENT_USAGE_KEY = "coder.deploymentUsage";
 const DEFAULT_MAX_DEPLOYMENTS = 10;
 
@@ -115,38 +116,6 @@ export class SecretsManager {
 		});
 	}
 
-	/**
-	 * Write an OAuth callback result to secrets storage.
-	 * Used for cross-window communication when OAuth callback arrives in a different window.
-	 */
-	public async setOAuthCallback(data: OAuthCallbackData): Promise<void> {
-		await this.secrets.store(OAUTH_CALLBACK_KEY, JSON.stringify(data));
-	}
-
-	/**
-	 * Listen for OAuth callback results from any VS Code window.
-	 * The listener receives the state parameter, code (if success), and error (if failed).
-	 */
-	public onDidChangeOAuthCallback(
-		listener: (data: OAuthCallbackData) => void,
-	): Disposable {
-		return this.secrets.onDidChange(async (e) => {
-			if (e.key !== OAUTH_CALLBACK_KEY) {
-				return;
-			}
-
-			try {
-				const data = await this.secrets.get(OAUTH_CALLBACK_KEY);
-				if (data) {
-					const parsed = JSON.parse(data) as OAuthCallbackData;
-					listener(parsed);
-				}
-			} catch {
-				// Ignore parse errors
-			}
-		});
-	}
-
 	/**
 	 * Listen for changes to a specific deployment's session auth.
 	 */
@@ -203,77 +172,6 @@ export class SecretsManager {
 		return `${SESSION_KEY_PREFIX}${safeHostname || "<legacy>"}`;
 	}
 
-	public async getOAuthTokens(
-		safeHostname: string,
-	): Promise<StoredOAuthTokens | undefined> {
-		try {
-			const data = await this.secrets.get(
-				`${OAUTH_TOKENS_PREFIX}${safeHostname}`,
-			);
-			if (!data) {
-				return undefined;
-			}
-			return JSON.parse(data) as StoredOAuthTokens;
-		} catch {
-			return undefined;
-		}
-	}
-
-	public async setOAuthTokens(
-		safeHostname: string,
-		tokens: StoredOAuthTokens,
-	): Promise<void> {
-		await this.secrets.store(
-			`${OAUTH_TOKENS_PREFIX}${safeHostname}`,
-			JSON.stringify(tokens),
-		);
-		await this.recordDeploymentAccess(safeHostname);
-	}
-
-	public async clearOAuthTokens(safeHostname: string): Promise<void> {
-		await this.secrets.delete(`${OAUTH_TOKENS_PREFIX}${safeHostname}`);
-	}
-
-	public async getOAuthClientRegistration(
-		safeHostname: string,
-	): Promise<ClientRegistrationResponse | undefined> {
-		try {
-			const data = await this.secrets.get(
-				`${OAUTH_CLIENT_PREFIX}${safeHostname}`,
-			);
-			if (!data) {
-				return undefined;
-			}
-			return JSON.parse(data) as ClientRegistrationResponse;
-		} catch {
-			return undefined;
-		}
-	}
-
-	public async setOAuthClientRegistration(
-		safeHostname: string,
-		registration: ClientRegistrationResponse,
-	): Promise<void> {
-		await this.secrets.store(
-			`${OAUTH_CLIENT_PREFIX}${safeHostname}`,
-			JSON.stringify(registration),
-		);
-		await this.recordDeploymentAccess(safeHostname);
-	}
-
-	public async clearOAuthClientRegistration(
-		safeHostname: string,
-	): Promise<void> {
-		await this.secrets.delete(`${OAUTH_CLIENT_PREFIX}${safeHostname}`);
-	}
-
-	public async clearOAuthData(safeHostname: string): Promise<void> {
-		await Promise.all([
-			this.clearOAuthTokens(safeHostname),
-			this.clearOAuthClientRegistration(safeHostname),
-		]);
-	}
-
 	/**
 	 * Record that a deployment was accessed, moving it to the front of the LRU list.
 	 * Prunes deployments beyond maxCount, clearing their auth data.
@@ -359,4 +257,107 @@ export class SecretsManager {
 
 		return safeHostname;
 	}
+
+	/**
+	 * Write an OAuth callback result to secrets storage.
+	 * Used for cross-window communication when OAuth callback arrives in a different window.
+	 */
+	public async setOAuthCallback(data: OAuthCallbackData): Promise<void> {
+		await this.secrets.store(OAUTH_CALLBACK_KEY, JSON.stringify(data));
+	}
+
+	/**
+	 * Listen for OAuth callback results from any VS Code window.
+	 * The listener receives the state parameter, code (if success), and error (if failed).
+	 */
+	public onDidChangeOAuthCallback(
+		listener: (data: OAuthCallbackData) => void,
+	): Disposable {
+		return this.secrets.onDidChange(async (e) => {
+			if (e.key !== OAUTH_CALLBACK_KEY) {
+				return;
+			}
+
+			try {
+				const data = await this.secrets.get(OAUTH_CALLBACK_KEY);
+				if (data) {
+					const parsed = JSON.parse(data) as OAuthCallbackData;
+					listener(parsed);
+				}
+			} catch {
+				// Ignore parse errors
+			}
+		});
+	}
+
+	public async getOAuthTokens(
+		safeHostname: string,
+	): Promise<StoredOAuthTokens | undefined> {
+		try {
+			const data = await this.secrets.get(
+				`${OAUTH_TOKENS_PREFIX}${safeHostname}`,
+			);
+			if (!data) {
+				return undefined;
+			}
+			return JSON.parse(data) as StoredOAuthTokens;
+		} catch {
+			return undefined;
+		}
+	}
+
+	public async setOAuthTokens(
+		safeHostname: string,
+		tokens: StoredOAuthTokens,
+	): Promise<void> {
+		await this.secrets.store(
+			`${OAUTH_TOKENS_PREFIX}${safeHostname}`,
+			JSON.stringify(tokens),
+		);
+		await this.recordDeploymentAccess(safeHostname);
+	}
+
+	public async clearOAuthTokens(safeHostname: string): Promise<void> {
+		await this.secrets.delete(`${OAUTH_TOKENS_PREFIX}${safeHostname}`);
+	}
+
+	public async getOAuthClientRegistration(
+		safeHostname: string,
+	): Promise<ClientRegistrationResponse | undefined> {
+		try {
+			const data = await this.secrets.get(
+				`${OAUTH_CLIENT_PREFIX}${safeHostname}`,
+			);
+			if (!data) {
+				return undefined;
+			}
+			return JSON.parse(data) as ClientRegistrationResponse;
+		} catch {
+			return undefined;
+		}
+	}
+
+	public async setOAuthClientRegistration(
+		safeHostname: string,
+		registration: ClientRegistrationResponse,
+	): Promise<void> {
+		await this.secrets.store(
+			`${OAUTH_CLIENT_PREFIX}${safeHostname}`,
+			JSON.stringify(registration),
+		);
+		await this.recordDeploymentAccess(safeHostname);
+	}
+
+	public async clearOAuthClientRegistration(
+		safeHostname: string,
+	): Promise<void> {
+		await this.secrets.delete(`${OAUTH_CLIENT_PREFIX}${safeHostname}`);
+	}
+
+	public async clearOAuthData(safeHostname: string): Promise<void> {
+		await Promise.all([
+			this.clearOAuthTokens(safeHostname),
+			this.clearOAuthClientRegistration(safeHostname),
+		]);
+	}
 }

src/deployment/deploymentManager.ts

@@ -89,12 +89,6 @@ export class DeploymentManager implements vscode.Disposable {
 	public async setDeploymentIfValid(
 		deployment: Deployment & { token?: string },
 	): Promise<boolean> {
-		// TODO used to trigger
-		/**
-		 * this.oauthSessionManager.refreshIfAlmostExpired().catch((error) => {
-			this.logger.warn("Setup token refresh failed:", error);
-		});
-		 */
 		const auth = await this.secretsManager.getSessionAuth(
 			deployment.safeHostname,
 		);
@@ -134,11 +128,14 @@ export class DeploymentManager implements vscode.Disposable {
 		} else {
 			this.client.setCredentials(deployment.url, deployment.token);
 		}
-		await this.oauthSessionManager.setDeployment(deployment);
 
+		// Register auth listener before setDeployment so background token refresh
+		// can update client credentials via the listener
 		this.registerAuthListener();
 		this.updateAuthContexts();
 		this.refreshWorkspaces();
+
+		await this.oauthSessionManager.setDeployment(deployment);
 		await this.persistDeployment(deployment);
 	}
 
@@ -158,13 +155,6 @@ export class DeploymentManager implements vscode.Disposable {
 		await this.secretsManager.setCurrentDeployment(undefined);
 	}
 
-	/**
-	 * Clear OAuth state for a deployment when switching to token auth.
-	 */
-	public async clearOAuthState(label: string): Promise<void> {
-		await this.oauthSessionManager.clearOAuthState(label);
-	}
-
 	public dispose(): void {
 		this.#authListenerDisposable?.dispose();
 		this.#crossWindowSyncDisposable?.dispose();

src/extension.ts

@@ -172,11 +172,7 @@ export async function activate(ctx: vscode.ExtensionContext): Promise<void> {
 					throw new Error("workspace must be specified as a query parameter");
 				}
 
-				await setupDeploymentFromUri(
-					params,
-					serviceContainer,
-					deploymentManager,
-				);
+				await setupDeploymentFromUri(params, serviceContainer);
 
 				await commands.open(
 					owner,
@@ -230,11 +226,7 @@ export async function activate(ctx: vscode.ExtensionContext): Promise<void> {
 					);
 				}
 
-				await setupDeploymentFromUri(
-					params,
-					serviceContainer,
-					deploymentManager,
-				);
+				await setupDeploymentFromUri(params, serviceContainer);
 
 				await commands.openDevContainer(
 					workspaceOwner,
@@ -460,7 +452,6 @@ async function showTreeViewSearch(id: string): Promise<void> {
 async function setupDeploymentFromUri(
 	params: URLSearchParams,
 	serviceContainer: ServiceContainer,
-	deploymentManager: DeploymentManager,
 ): Promise<void> {
 	const secretsManager = serviceContainer.getSecretsManager();
 	const mementoManager = serviceContainer.getMementoManager();
@@ -495,8 +486,8 @@ async function setupDeploymentFromUri(
 		}
 	} else {
 		await secretsManager.setSessionAuth(safeHost, { url, token });
-		// Clear OAuth state since we're using a non-OAuth token
-		await deploymentManager.clearOAuthState(safeHost);
+		// Clear OAuth tokens since we're using a non-OAuth token
+		await secretsManager.clearOAuthTokens(safeHost);
 	}
 }
 

src/login/loginCoordinator.ts

@@ -251,7 +251,7 @@ export class LoginCoordinator {
 				const result = await this.loginWithToken(client);
 				if (result.success) {
 					// Clear OAuth state since user explicitly chose token auth
-					await oauthSessionManager.clearOAuthState(deployment.safeHostname);
+					await oauthSessionManager.clearOAuthState();
 				}
 				return result;
 			}

src/oauth/sessionManager.ts

@@ -152,8 +152,7 @@ export class OAuthSessionManager implements vscode.Disposable {
 					required_scopes: DEFAULT_OAUTH_SCOPES,
 				},
 			);
-			this.clearInMemoryTokens();
-			await this.secretsManager.clearOAuthTokens(this.deployment.safeHostname);
+			await this.clearOAuthState();
 			return;
 		}
 
@@ -322,6 +321,19 @@ export class OAuthSessionManager implements vscode.Disposable {
 		this.deployment = deployment;
 		this.clearInMemoryTokens();
 		await this.loadTokens();
+
+		// Refresh tokens if needed to prevent 401s
+		if (this.isTokenExpired()) {
+			try {
+				await this.refreshToken();
+			} catch (error) {
+				this.logger.warn("Token refresh failed (expired):", error);
+			}
+		} else {
+			this.refreshIfAlmostExpired().catch((error) => {
+				this.logger.warn("Background token refresh failed:", error);
+			});
+		}
 	}
 
 	public clearDeployment(): void {
@@ -695,6 +707,16 @@ export class OAuthSessionManager implements vscode.Disposable {
 		return timeUntilExpiry < TOKEN_REFRESH_THRESHOLD_MS;
 	}
 
+	/**
+	 * Check if token is expired.
+	 */
+	private isTokenExpired(): boolean {
+		if (!this.storedTokens) {
+			return false;
+		}
+		return Date.now() >= this.storedTokens.expiry_timestamp;
+	}
+
 	public async revokeRefreshToken(): Promise<void> {
 		if (!this.storedTokens?.refresh_token) {
 			this.logger.info("No refresh token to revoke");
@@ -754,9 +776,11 @@ export class OAuthSessionManager implements vscode.Disposable {
 	 * Clears in-memory state and OAuth tokens from storage.
 	 * Preserves client registration for potential future OAuth use.
 	 */
-	public async clearOAuthState(label: string): Promise<void> {
+	public async clearOAuthState(): Promise<void> {
 		this.clearInMemoryTokens();
-		await this.secretsManager.clearOAuthTokens(label);
+		if (this.deployment) {
+			await this.secretsManager.clearOAuthTokens(this.deployment.safeHostname);
+		}
 	}
 
 	/**