Review comments

EhabY · EhabY · commit cb586a5ef8cb · 2025-12-11T14:19:12.000+03:00
diff --git a/src/commands.ts b/src/commands.ts
@@ -79,7 +79,6 @@ export class Commands {
 	 */
 	public async login(args?: {
 		url?: string;
-		safeHostname?: string;
 		autoLogin?: boolean;
 	}): Promise<void> {
 		if (this.deploymentManager.isAuthenticated()) {
@@ -94,25 +93,27 @@ export class Commands {
 			currentDeployment?.url,
 		);
 		if (!url) {
-			return;
+			return; // The user aborted.
 		}
 
-		// It is possible that we are trying to log into an old-style host, in which
-		// case we want to write with the provided blank hostname instead of
-		// generating one.
-		const safeHostname = args?.safeHostname ?? toSafeHost(url);
+		const safeHostname = toSafeHost(url);
 		this.logger.info("Using hostname", safeHostname);
 
-		const result = await this.loginCoordinator.promptForLogin({
+		const result = await this.loginCoordinator.ensureLoggedIn({
 			safeHostname,
 			url,
 			autoLogin: args?.autoLogin,
 		});
 
-		if (!result.success || !result.user || result.token === undefined) {
+		if (!result.success) {
 			return;
 		}
 
+		if (!result.user) {
+			// Login might have happened in another process/window so we do not have the user yet.
+			result.user = await this.extensionClient.getAuthenticatedUser();
+		}
+
 		await this.deploymentManager.changeDeployment({
 			url,
 			safeHostname,
@@ -171,7 +172,7 @@ export class Commands {
 
 		this.logger.info("Logging out");
 
-		await this.deploymentManager.logout();
+		await this.deploymentManager.clearDeployment();
 
 		vscode.window
 			.showInformationMessage("You've been logged out of Coder!", "Login")
diff --git a/src/core/cliManager.ts b/src/core/cliManager.ts
@@ -757,7 +757,9 @@ export class CliManager {
 			await fs.writeFile(tempPath, content);
 			await fs.rename(tempPath, filePath);
 		} catch (err) {
-			await fs.rm(tempPath, { force: true }).catch(() => {});
+			await fs.rm(tempPath, { force: true }).catch((rmErr) => {
+				this.output.warn("Failed to delete temp file", tempPath, rmErr);
+			});
 			throw err;
 		}
 	}
diff --git a/src/core/secretsManager.ts b/src/core/secretsManager.ts
@@ -98,9 +98,9 @@ export class SecretsManager {
 		safeHostname: string,
 		listener: (auth: SessionAuth | undefined) => void | Promise<void>,
 	): Disposable {
-		const key = `${SESSION_KEY_PREFIX}${safeHostname}`;
+		const sessionKey = this.getSessionKey(safeHostname);
 		return this.secrets.onDidChange(async (e) => {
-			if (e.key !== key) {
+			if (e.key !== sessionKey) {
 				return;
 			}
 			const auth = await this.getSessionAuth(safeHostname);
@@ -115,14 +115,9 @@ export class SecretsManager {
 	public async getSessionAuth(
 		safeHostname: string,
 	): Promise<SessionAuth | undefined> {
-		if (!safeHostname) {
-			return undefined;
-		}
-
+		const sessionKey = this.getSessionKey(safeHostname);
 		try {
-			const data = await this.secrets.get(
-				`${SESSION_KEY_PREFIX}${safeHostname}`,
-			);
+			const data = await this.secrets.get(sessionKey);
 			if (!data) {
 				return undefined;
 			}
@@ -136,22 +131,18 @@ export class SecretsManager {
 		safeHostname: string,
 		auth: SessionAuth,
 	): Promise<void> {
-		if (!safeHostname) {
-			return;
-		}
-
-		await this.secrets.store(
-			`${SESSION_KEY_PREFIX}${safeHostname}`,
-			JSON.stringify(auth),
-		);
+		const sessionKey = this.getSessionKey(safeHostname);
+		await this.secrets.store(sessionKey, JSON.stringify(auth));
 		await this.recordDeploymentAccess(safeHostname);
 	}
 
 	private async clearSessionAuth(safeHostname: string): Promise<void> {
-		if (!safeHostname) {
-			return;
-		}
-		await this.secrets.delete(`${SESSION_KEY_PREFIX}${safeHostname}`);
+		const sessionKey = this.getSessionKey(safeHostname);
+		await this.secrets.delete(sessionKey);
+	}
+
+	private getSessionKey(safeHostname: string): string {
+		return `${SESSION_KEY_PREFIX}${safeHostname || "<legacy>"}`;
 	}
 
 	/**
diff --git a/src/deployment/deploymentManager.ts b/src/deployment/deploymentManager.ts
@@ -78,7 +78,7 @@ export class DeploymentManager implements vscode.Disposable {
 	public async changeDeployment(
 		deployment: DeploymentWithAuth & { user: User },
 	): Promise<void> {
-		this.setDeploymentCore(deployment);
+		this.setDeployment(deployment);
 
 		this.refreshWorkspaces();
 		await this.persistDeployment(deployment);
@@ -89,15 +89,15 @@ export class DeploymentManager implements vscode.Disposable {
 	 * Immediately tries to fetch user and upgrade to authenticated state.
 	 * Use this for startup or when you don't have the user yet.
 	 */
-	public async setDeploymentWithoutAuth(
+	public async setDeploymentAndValidate(
 		deployment: Deployment & { token?: string },
 	): Promise<void> {
-		this.setDeploymentCore({ ...deployment });
+		this.setDeployment({ ...deployment });
 
 		await this.tryFetchAndUpgradeUser();
 	}
 
-	private setDeploymentCore(deployment: DeploymentWithAuth): void {
+	private setDeployment(deployment: DeploymentWithAuth): void {
 		if (deployment.token === undefined) {
 			this.client.setHost(deployment.url);
 		} else {
@@ -109,9 +109,9 @@ export class DeploymentManager implements vscode.Disposable {
 	}
 
 	/**
-	 * Log out from the current deployment.
+	 * Clears the current deployment.
 	 */
-	public async logout(): Promise<void> {
+	public async clearDeployment(): Promise<void> {
 		this.client.setCredentials(undefined, undefined);
 
 		this.authListenerDisposable?.dispose();
@@ -142,7 +142,7 @@ export class DeploymentManager implements vscode.Disposable {
 						const auth = await this.secretsManager.getSessionAuth(
 							deployment.safeHostname,
 						);
-						await this.setDeploymentWithoutAuth({
+						await this.setDeploymentAndValidate({
 							...deployment,
 							token: auth?.token,
 						});
@@ -162,17 +162,18 @@ export class DeploymentManager implements vscode.Disposable {
 		this.authListenerDisposable = this.secretsManager.onDidChangeSessionAuth(
 			safeHostname,
 			async (auth) => {
+				if (this.currentDeployment?.safeHostname !== safeHostname) {
+					return;
+				}
 				if (auth) {
-					if (this.currentDeployment?.safeHostname !== safeHostname) {
-						return;
-					}
-
-					this.client.setCredentials(this.currentDeployment.url, auth.token);
+					this.client.setCredentials(auth.url, auth.token);
 
 					// If we don't have a user yet, try to fetch one
 					if (!this.currentDeployment?.user) {
 						await this.tryFetchAndUpgradeUser();
 					}
+				} else {
+					await this.clearDeployment();
 				}
 			},
 		);
@@ -186,9 +187,20 @@ export class DeploymentManager implements vscode.Disposable {
 			return;
 		}
 
+		const safeHostname = this.currentDeployment.safeHostname;
+
 		try {
 			const user = await this.client.getAuthenticatedUser();
-			this.currentDeployment = { ...this.currentDeployment, user };
+
+			// Re-validate deployment hasn't changed during await
+			if (this.currentDeployment?.safeHostname !== safeHostname) {
+				this.logger.debug(
+					"Deployment changed during user fetch, discarding result",
+				);
+				return;
+			}
+
+			this.currentDeployment.user = user;
 			this.updateAuthContexts(user);
 			this.refreshWorkspaces();
 
diff --git a/src/extension.ts b/src/extension.ts
@@ -313,7 +313,7 @@ export async function activate(ctx: vscode.ExtensionContext): Promise<void> {
 				ctx.subscriptions.push(details);
 
 				// Will automatically fetch the user and upgrade the deployment
-				await deploymentManager.setDeploymentWithoutAuth({
+				await deploymentManager.setDeploymentAndValidate({
 					safeHostname: details.safeHostname,
 					url: details.url,
 					token: details.token,
@@ -365,7 +365,7 @@ export async function activate(ctx: vscode.ExtensionContext): Promise<void> {
 		output.info(`Initializing deployment: ${deployment.url}`);
 		const auth = await secretsManager.getSessionAuth(deployment.safeHostname);
 		deploymentManager
-			.setDeploymentWithoutAuth({ ...deployment, token: auth?.token })
+			.setDeploymentAndValidate({ ...deployment, token: auth?.token })
 			.then(() => {
 				if (deploymentManager.isAuthenticated()) {
 					output.info("Credentials are valid");
@@ -478,7 +478,7 @@ async function setupDeploymentFromUri(
 	}
 
 	// Will automatically fetch the user and upgrade the deployment
-	await deploymentManager.setDeploymentWithoutAuth({
+	await deploymentManager.setDeploymentAndValidate({
 		safeHostname: safeHost,
 		url,
 		token,
diff --git a/src/login/loginCoordinator.ts b/src/login/loginCoordinator.ts
@@ -1,3 +1,4 @@
+import { isAxiosError } from "axios";
 import { getErrorMessage } from "coder/site/src/api/errors";
 import * as vscode from "vscode";
 
@@ -13,11 +14,9 @@ import type { SecretsManager } from "../core/secretsManager";
 import type { Deployment } from "../deployment/types";
 import type { Logger } from "../logging/logger";
 
-interface LoginResult {
-	success: boolean;
-	user?: User;
-	token?: string;
-}
+type LoginResult =
+	| { success: false }
+	| { success: true; user?: User; token: string };
 
 interface LoginOptions {
 	safeHostname: string;
@@ -42,7 +41,7 @@ export class LoginCoordinator {
 	 * Direct login - for user-initiated login via commands.
 	 * Stores session auth and URL history on success.
 	 */
-	public async promptForLogin(
+	public async ensureLoggedIn(
 		options: LoginOptions & { url: string },
 	): Promise<LoginResult> {
 		const { safeHostname, url } = options;
@@ -61,11 +60,11 @@ export class LoginCoordinator {
 	/**
 	 * Shows dialog then login - for system-initiated auth (remote).
 	 */
-	public async promptForLoginWithDialog(
+	public async ensureLoggedInWithDialog(
 		options: LoginOptions & { message?: string; detailPrefix?: string },
 	): Promise<LoginResult> {
 		const { safeHostname, url, detailPrefix, message } = options;
-		return this.executeWithGuard(safeHostname, () => {
+		return this.executeWithGuard(safeHostname, async () => {
 			// Show dialog promise
 			const dialogPromise = this.vscodeProposed.window
 				.showErrorMessage(
@@ -103,15 +102,20 @@ export class LoginCoordinator {
 						return result;
 					} else {
 						// User cancelled
-						return { success: false };
+						return { success: false } as const;
 					}
 				});
 
 			// Race between user clicking login and cross-window detection
-			return Promise.race([
-				dialogPromise,
-				this.waitForCrossWindowLogin(safeHostname),
-			]);
+			const {
+				promise: crossWindowPromise,
+				dispose: disposeCrossWindowListener,
+			} = this.waitForCrossWindowLogin(safeHostname);
+			try {
+				return await Promise.race([dialogPromise, crossWindowPromise]);
+			} finally {
+				disposeCrossWindowListener();
+			}
 		});
 	}
 
@@ -121,7 +125,7 @@ export class LoginCoordinator {
 		url: string,
 	): Promise<void> {
 		// Empty token is valid for mTLS
-		if (result.success && result.token !== undefined) {
+		if (result.success) {
 			await this.secretsManager.setSessionAuth(safeHostname, {
 				url,
 				token: result.token,
@@ -154,21 +158,28 @@ export class LoginCoordinator {
 
 	/**
 	 * Waits for login detected from another window.
+	 * Returns a promise and a dispose function to clean up the listener.
 	 */
-	private async waitForCrossWindowLogin(
-		safeHostname: string,
-	): Promise<LoginResult> {
-		return new Promise((resolve) => {
-			const disposable = this.secretsManager.onDidChangeSessionAuth(
+	private waitForCrossWindowLogin(safeHostname: string): {
+		promise: Promise<LoginResult>;
+		dispose: () => void;
+	} {
+		let disposable: vscode.Disposable | undefined;
+		const promise = new Promise<LoginResult>((resolve) => {
+			disposable = this.secretsManager.onDidChangeSessionAuth(
 				safeHostname,
 				(auth) => {
 					if (auth?.token) {
-						disposable.dispose();
+						disposable?.dispose();
 						resolve({ success: true, token: auth.token });
 					}
 				},
 			);
 		});
+		return {
+			promise,
+			dispose: () => disposable?.dispose(),
+		};
 	}
 
 	/**
@@ -197,15 +208,18 @@ export class LoginCoordinator {
 
 		// Attempt authentication with current credentials (token or mTLS)
 		try {
-			const user = await client.getAuthenticatedUser();
-			// Return the token that was used (empty string for mTLS since
-			// the `vscodessh` command currently always requires a token file)
-			return { success: true, token: storedToken ?? "", user };
+			if (!needsToken || storedToken) {
+				const user = await client.getAuthenticatedUser();
+				// Return the token that was used (empty string for mTLS since
+				// the `vscodessh` command currently always requires a token file)
+				return { success: true, token: storedToken ?? "", user };
+			}
 		} catch (err) {
-			if (needsToken) {
-				// For token auth: silently continue to prompt for new credentials
+			const is401 = isAxiosError(err) && err.response?.status === 401;
+			if (needsToken && is401) {
+				// For token auth with 401: silently continue to prompt for new credentials
 			} else {
-				// For mTLS: show error and abort (no credentials to prompt for)
+				// For mTLS or non-401 errors: show error and abort
 				const message = getErrorMessage(err, "no response from the server");
 				if (isAutoLogin) {
 					this.logger.warn("Failed to log in to Coder server:", message);
diff --git a/src/remote/remote.ts b/src/remote/remote.ts

Original file line number	Diff line number	Diff line change
`@@ -757,7 +757,9 @@ export class CliManager {`
`757`	`757`	`await fs.writeFile(tempPath, content);`
`758`	`758`	`await fs.rename(tempPath, filePath);`
`759`	`759`	`} catch (err) {`
`760`		`- await fs.rm(tempPath, { force: true }).catch(() => {});`
	`760`	`+ await fs.rm(tempPath, { force: true }).catch((rmErr) => {`
	`761`	`+ this.output.warn("Failed to delete temp file", tempPath, rmErr);`
	`762`	`+ });`
`761`	`763`	`throw err;`
`762`	`764`	`}`
`763`	`765`	`}`