WIP refactoring

Author: EhabY

src/commands.ts

@@ -13,7 +13,7 @@ export class MementoManager {
 	 * If the URL is falsey, then remove it as the last used URL and do not touch
 	 * the history.
 	 */
-	public async setUrl(url?: string): Promise<void> {
+	public async setUrl(url: string | undefined): Promise<void> {
 		await this.memento.update("url", url);
 		if (url) {
 			const history = this.withUrlHistory(url);

src/core/mementoManager.ts

@@ -15,6 +15,7 @@ const OAUTH_TOKENS_KEY = "oauthTokens";
 
 export type StoredOAuthTokens = Omit<TokenResponse, "expires_in"> & {
 	expiry_timestamp: number;
+	deployment_url: string;
 };
 
 export enum AuthAction {
@@ -29,7 +30,9 @@ export class SecretsManager {
 	/**
 	 * Set or unset the last used token.
 	 */
-	public async setSessionToken(sessionToken?: string): Promise<void> {
+	public async setSessionToken(
+		sessionToken: string | undefined,
+	): Promise<void> {
 		if (sessionToken) {
 			await this.secrets.store(SESSION_TOKEN_KEY, sessionToken);
 		} else {
@@ -160,11 +163,4 @@ export class SecretsManager {
 		}
 		return undefined;
 	}
-
-	/**
-	 * Clear OAuth token data.
-	 */
-	public async clearOAuthTokens(): Promise<void> {
-		await this.secrets.delete(OAUTH_TOKENS_KEY);
-	}
 }

src/core/secretsManager.ts

@@ -12,7 +12,7 @@ import { Commands } from "./commands";
 import { ServiceContainer } from "./core/container";
 import { AuthAction } from "./core/secretsManager";
 import { CertificateError, getErrorDetail } from "./error";
-import { activateCoderOAuth } from "./oauth/oauthHelper";
+import { OAuthSessionManager } from "./oauth/sessionManager";
 import { CALLBACK_PATH } from "./oauth/utils";
 import { Remote } from "./remote/remote";
 import { toSafeHost } from "./util";
@@ -123,13 +123,13 @@ export async function activate(ctx: vscode.ExtensionContext): Promise<void> {
 		ctx.subscriptions,
 	);
 
-	const oauthHelper = await activateCoderOAuth(
+	const oauthSessionManager = await OAuthSessionManager.create(
 		url || "",
 		secretsManager,
 		output,
 		ctx,
 	);
-	ctx.subscriptions.push(oauthHelper);
+	ctx.subscriptions.push(oauthSessionManager);
 
 	// Listen for session token changes and sync state across all components
 	ctx.subscriptions.push(
@@ -162,7 +162,7 @@ export async function activate(ctx: vscode.ExtensionContext): Promise<void> {
 				const code = params.get("code");
 				const state = params.get("state");
 				const error = params.get("error");
-				oauthHelper.handleCallback(code, state, error);
+				oauthSessionManager.handleCallback(code, state, error);
 				return;
 			}
 
@@ -316,7 +316,7 @@ export async function activate(ctx: vscode.ExtensionContext): Promise<void> {
 
 	// Register globally available commands.  Many of these have visibility
 	// controlled by contexts, see `when` in the package.json.
-	const commands = new Commands(serviceContainer, client, oauthHelper);
+	const commands = new Commands(serviceContainer, client, oauthSessionManager);
 	ctx.subscriptions.push(
 		vscode.commands.registerCommand(
 			"coder.login",

src/extension.ts

@@ -0,0 +1,111 @@
+import type { AxiosInstance } from "axios";
+
+import type { SecretsManager } from "../core/secretsManager";
+import type { Logger } from "../logging/logger";
+
+import type {
+	ClientRegistrationRequest,
+	ClientRegistrationResponse,
+	OAuthServerMetadata,
+} from "./types";
+
+const AUTH_GRANT_TYPE = "authorization_code" as const;
+const RESPONSE_TYPE = "code" as const;
+const OAUTH_METHOD = "client_secret_post" as const;
+const CLIENT_NAME = "VS Code Coder Extension";
+
+/**
+ * Manages OAuth client registration and persistence.
+ */
+export class OAuthClientRegistry {
+	private registration: ClientRegistrationResponse | undefined;
+
+	constructor(
+		private readonly axiosInstance: AxiosInstance,
+		private readonly secretsManager: SecretsManager,
+		private readonly logger: Logger,
+	) {}
+
+	/**
+	 * Load existing client registration from secure storage.
+	 * Should be called during initialization.
+	 */
+	async load(): Promise<void> {
+		const registration = await this.secretsManager.getOAuthClientRegistration();
+		if (registration) {
+			this.registration = registration;
+			this.logger.info("Loaded existing OAuth client:", registration.client_id);
+		}
+	}
+
+	/**
+	 * Get the current client registration if one exists.
+	 */
+	get(): ClientRegistrationResponse | undefined {
+		return this.registration;
+	}
+
+	/**
+	 * Register a new OAuth client or return existing if still valid.
+	 * Re-registers if redirect URI has changed.
+	 */
+	async register(
+		metadata: OAuthServerMetadata,
+		redirectUri: string,
+	): Promise<ClientRegistrationResponse> {
+		if (this.registration?.client_id) {
+			if (this.registration.redirect_uris.includes(redirectUri)) {
+				this.logger.info(
+					"Using existing client registration:",
+					this.registration.client_id,
+				);
+				return this.registration;
+			}
+			this.logger.info("Redirect URI changed, re-registering client");
+		}
+
+		if (!metadata.registration_endpoint) {
+			throw new Error("Server does not support dynamic client registration");
+		}
+
+		// "web" type since VS Code Secrets API allows secure client_secret storage (confidential client)
+		const registrationRequest: ClientRegistrationRequest = {
+			redirect_uris: [redirectUri],
+			application_type: "web",
+			grant_types: [AUTH_GRANT_TYPE],
+			response_types: [RESPONSE_TYPE],
+			client_name: CLIENT_NAME,
+			token_endpoint_auth_method: OAUTH_METHOD,
+		};
+
+		const response = await this.axiosInstance.post<ClientRegistrationResponse>(
+			metadata.registration_endpoint,
+			registrationRequest,
+		);
+
+		await this.save(response.data);
+
+		return response.data;
+	}
+
+	/**
+	 * Save client registration to secure storage.
+	 */
+	private async save(registration: ClientRegistrationResponse): Promise<void> {
+		await this.secretsManager.setOAuthClientRegistration(registration);
+		this.registration = registration;
+		this.logger.info(
+			"Saved OAuth client registration:",
+			registration.client_id,
+		);
+	}
+
+	/**
+	 * Clear the current client registration from memory and storage.
+	 */
+	async clear(): Promise<void> {
+		await this.secretsManager.setOAuthClientRegistration(undefined);
+		this.registration = undefined;
+		this.logger.info("Cleared OAuth client registration");
+	}
+}

src/oauth/clientRegistry.ts

@@ -0,0 +1,137 @@
+import type { AxiosInstance } from "axios";
+
+import type { Logger } from "../logging/logger";
+
+import type { OAuthServerMetadata } from "./types";
+
+const OAUTH_DISCOVERY_ENDPOINT = "/.well-known/oauth-authorization-server";
+
+const AUTH_GRANT_TYPE = "authorization_code" as const;
+const REFRESH_GRANT_TYPE = "refresh_token" as const;
+const RESPONSE_TYPE = "code" as const;
+const OAUTH_METHOD = "client_secret_post" as const;
+const PKCE_CHALLENGE_METHOD = "S256" as const;
+
+const REQUIRED_GRANT_TYPES = [AUTH_GRANT_TYPE, REFRESH_GRANT_TYPE] as const;
+
+/**
+ * Client for discovering and validating OAuth server metadata.
+ */
+export class OAuthMetadataClient {
+	constructor(
+		private readonly axiosInstance: AxiosInstance,
+		private readonly logger: Logger,
+	) {}
+
+	/**
+	 * Check if a server supports OAuth by attempting to fetch the well-known endpoint.
+	 */
+	async checkOAuthSupport(): Promise<boolean> {
+		try {
+			await this.axiosInstance.get(OAUTH_DISCOVERY_ENDPOINT);
+			this.logger.debug("Server supports OAuth");
+			return true;
+		} catch (error) {
+			this.logger.debug("Server does not support OAuth:", error);
+			return false;
+		}
+	}
+
+	/**
+	 * Fetch and validate OAuth server metadata.
+	 * Throws detailed errors if server doesn't meet OAuth 2.1 requirements.
+	 */
+	async getMetadata(): Promise<OAuthServerMetadata> {
+		this.logger.info("Discovering OAuth endpoints...");
+
+		const response = await this.axiosInstance.get<OAuthServerMetadata>(
+			OAUTH_DISCOVERY_ENDPOINT,
+		);
+
+		const metadata = response.data;
+
+		this.validateRequiredEndpoints(metadata);
+		this.validateGrantTypes(metadata);
+		this.validateResponseTypes(metadata);
+		this.validateAuthMethods(metadata);
+		this.validatePKCEMethods(metadata);
+
+		this.logger.debug("OAuth endpoints discovered:", {
+			authorization: metadata.authorization_endpoint,
+			token: metadata.token_endpoint,
+			registration: metadata.registration_endpoint,
+			revocation: metadata.revocation_endpoint,
+		});
+
+		return metadata;
+	}
+
+	private validateRequiredEndpoints(metadata: OAuthServerMetadata): void {
+		if (
+			!metadata.authorization_endpoint ||
+			!metadata.token_endpoint ||
+			!metadata.issuer
+		) {
+			throw new Error(
+				"OAuth server metadata missing required endpoints: " +
+					JSON.stringify(metadata),
+			);
+		}
+	}
+
+	private validateGrantTypes(metadata: OAuthServerMetadata): void {
+		if (
+			!includesAllTypes(metadata.grant_types_supported, REQUIRED_GRANT_TYPES)
+		) {
+			throw new Error(
+				`Server does not support required grant types: ${REQUIRED_GRANT_TYPES.join(", ")}. Supported: ${metadata.grant_types_supported?.join(", ") || "none"}`,
+			);
+		}
+	}
+
+	private validateResponseTypes(metadata: OAuthServerMetadata): void {
+		if (!includesAllTypes(metadata.response_types_supported, [RESPONSE_TYPE])) {
+			throw new Error(
+				`Server does not support required response type: ${RESPONSE_TYPE}. Supported: ${metadata.response_types_supported?.join(", ") || "none"}`,
+			);
+		}
+	}
+
+	private validateAuthMethods(metadata: OAuthServerMetadata): void {
+		if (
+			!includesAllTypes(metadata.token_endpoint_auth_methods_supported, [
+				OAUTH_METHOD,
+			])
+		) {
+			throw new Error(
+				`Server does not support required auth method: ${OAUTH_METHOD}. Supported: ${metadata.token_endpoint_auth_methods_supported?.join(", ") || "none"}`,
+			);
+		}
+	}
+
+	private validatePKCEMethods(metadata: OAuthServerMetadata): void {
+		if (
+			!includesAllTypes(metadata.code_challenge_methods_supported, [
+				PKCE_CHALLENGE_METHOD,
+			])
+		) {
+			throw new Error(
+				`Server does not support required PKCE method: ${PKCE_CHALLENGE_METHOD}. Supported: ${metadata.code_challenge_methods_supported?.join(", ") || "none"}`,
+			);
+		}
+	}
+}
+
+/**
+ * Check if an array includes all required types.
+ * If the array is undefined, returns true (server didn't specify, assume all allowed).
+ */
+function includesAllTypes(
+	arr: string[] | undefined,
+	requiredTypes: readonly string[],
+): boolean {
+	if (arr === undefined) {
+		return true;
+	}
+	return requiredTypes.every((type) => arr.includes(type));
+}