Handle review comments on new PR

Author: EhabY

src/core/secretsManager.ts

@@ -8,8 +8,8 @@ import type { Deployment } from "../deployment/types";
 
 // Each deployment has its own key to ensure atomic operations (multiple windows
 // writing to a shared key could drop data) and to receive proper VS Code events.
-const SESSION_KEY_PREFIX = "coder.session." as const;
-const OAUTH_CLIENT_PREFIX = "coder.oauth.client." as const;
+const SESSION_KEY_PREFIX = "coder.session.";
+const OAUTH_CLIENT_PREFIX = "coder.oauth.client.";
 
 type SecretKeyPrefix = typeof SESSION_KEY_PREFIX | typeof OAUTH_CLIENT_PREFIX;
 
@@ -309,14 +309,22 @@ export class SecretsManager {
 				return;
 			}
 
+			let parsed: OAuthCallbackData;
 			try {
 				const data = await this.secrets.get(OAUTH_CALLBACK_KEY);
-				if (data) {
-					const parsed = JSON.parse(data) as OAuthCallbackData;
-					listener(parsed);
+				if (!data) {
+					return;
 				}
-			} catch {
-				// Ignore parse errors
+				parsed = JSON.parse(data) as OAuthCallbackData;
+			} catch (err) {
+				this.logger.error("Failed to parse OAuth callback data", err);
+				return;
+			}
+
+			try {
+				listener(parsed);
+			} catch (err) {
+				this.logger.error("Error in onDidChangeOAuthCallback listener", err);
 			}
 		});
 	}

src/deployment/deploymentManager.ts

@@ -140,7 +140,7 @@ export class DeploymentManager implements vscode.Disposable {
 		this.refreshWorkspaces();
 
 		await this.oauthSessionManager.setDeployment(deployment);
-		await this.oauthInterceptor.setDeployment(deployment.safeHostname);
+		await this.oauthInterceptor.setDeployment(deployment);
 		await this.persistDeployment(deployment);
 	}
 

src/oauth/authorizer.ts

@@ -7,6 +7,12 @@ import { type SecretsManager } from "../core/secretsManager";
 import { type Deployment } from "../deployment/types";
 import { type Logger } from "../logging/logger";
 
+import {
+	AUTH_GRANT_TYPE,
+	PKCE_CHALLENGE_METHOD,
+	RESPONSE_TYPE,
+	TOKEN_ENDPOINT_AUTH_METHOD,
+} from "./constants";
 import { OAuthMetadataClient } from "./metadataClient";
 import {
 	CALLBACK_PATH,
@@ -23,10 +29,6 @@ import type {
 	TokenResponse,
 } from "./types";
 
-const AUTH_GRANT_TYPE = "authorization_code";
-const RESPONSE_TYPE = "code";
-const PKCE_CHALLENGE_METHOD = "S256";
-
 /**
  * Minimal scopes required by the VS Code extension.
  */
@@ -152,11 +154,10 @@ export class OAuthAuthorizer implements vscode.Disposable {
 
 		const registrationRequest: ClientRegistrationRequest = {
 			redirect_uris: [redirectUri],
-			application_type: "web",
-			grant_types: ["authorization_code"],
-			response_types: ["code"],
+			grant_types: [AUTH_GRANT_TYPE],
+			response_types: [RESPONSE_TYPE],
 			client_name: `Coder for ${vscode.env.appName}`,
-			token_endpoint_auth_method: "client_secret_post",
+			token_endpoint_auth_method: TOKEN_ENDPOINT_AUTH_METHOD,
 		};
 
 		const response = await axiosInstance.post<ClientRegistrationResponse>(
@@ -241,7 +242,10 @@ export class OAuthAuthorizer implements vscode.Disposable {
 
 		const callbackPromise = new Promise<{ code: string; verifier: string }>(
 			(resolve, reject) => {
-				// Track reject for disposal
+				// Reject any existing pending auth before starting a new one
+				if (this.pendingAuthReject) {
+					this.pendingAuthReject(new Error("New OAuth flow started"));
+				}
 				this.pendingAuthReject = reject;
 
 				const timeoutMins = 5;
@@ -258,6 +262,10 @@ export class OAuthAuthorizer implements vscode.Disposable {
 				const listener = this.secretsManager.onDidChangeOAuthCallback(
 					({ state: callbackState, code, error }) => {
 						if (callbackState !== state) {
+							this.logger.warn(
+								"Ignoring OAuth callback with mismatched state",
+								{ expected: state, received: callbackState },
+							);
 							return;
 						}
 

src/oauth/axiosInterceptor.ts

@@ -4,6 +4,7 @@ import type * as vscode from "vscode";
 
 import type { CoderApi } from "../api/coderApi";
 import type { SecretsManager } from "../core/secretsManager";
+import type { Deployment } from "../deployment/types";
 import type { Logger } from "../logging/logger";
 import type { RequestConfigWithMeta } from "../logging/types";
 
@@ -53,12 +54,12 @@ export class OAuthInterceptor implements vscode.Disposable {
 		return instance;
 	}
 
-	public async setDeployment(safeHostname: string): Promise<void> {
-		if (this.safeHostname === safeHostname) {
+	public async setDeployment(deployment: Deployment): Promise<void> {
+		if (this.safeHostname === deployment.safeHostname) {
 			return;
 		}
 
-		this.safeHostname = safeHostname;
+		this.safeHostname = deployment.safeHostname;
 		this.detach();
 		this.setupTokenListener();
 		await this.syncWithTokenState();
@@ -94,9 +95,9 @@ export class OAuthInterceptor implements vscode.Disposable {
 	 */
 	private async syncWithTokenState(): Promise<void> {
 		const isOAuth = await this.oauthSessionManager.isLoggedInWithOAuth();
-		if (isOAuth && this.interceptorId === null) {
+		if (isOAuth) {
 			this.attach();
-		} else if (!isOAuth && this.interceptorId !== null) {
+		} else {
 			this.detach();
 		}
 	}

src/oauth/constants.ts

@@ -0,0 +1,12 @@
+// OAuth 2.1 Grant Types
+export const AUTH_GRANT_TYPE = "authorization_code";
+export const REFRESH_GRANT_TYPE = "refresh_token";
+
+// OAuth 2.1 Response Types
+export const RESPONSE_TYPE = "code";
+
+// Token Endpoint Authentication Methods
+export const TOKEN_ENDPOINT_AUTH_METHOD = "client_secret_post";
+
+// PKCE Code Challenge Methods (OAuth 2.1 requires S256)
+export const PKCE_CHALLENGE_METHOD = "S256";

src/oauth/metadataClient.ts

@@ -1,3 +1,11 @@
+import {
+	AUTH_GRANT_TYPE,
+	PKCE_CHALLENGE_METHOD,
+	REFRESH_GRANT_TYPE,
+	RESPONSE_TYPE,
+	TOKEN_ENDPOINT_AUTH_METHOD,
+} from "./constants";
+
 import type { AxiosInstance } from "axios";
 
 import type { Logger } from "../logging/logger";
@@ -11,20 +19,17 @@ import type {
 
 const OAUTH_DISCOVERY_ENDPOINT = "/.well-known/oauth-authorization-server";
 
-const AUTH_GRANT_TYPE = "authorization_code" as const;
-const REFRESH_GRANT_TYPE = "refresh_token" as const;
-const RESPONSE_TYPE = "code" as const;
-const OAUTH_METHOD = "client_secret_post" as const;
-const PKCE_CHALLENGE_METHOD = "S256" as const;
-
-const REQUIRED_GRANT_TYPES = [AUTH_GRANT_TYPE, REFRESH_GRANT_TYPE] as const;
+const REQUIRED_GRANT_TYPES: readonly string[] = [
+	AUTH_GRANT_TYPE,
+	REFRESH_GRANT_TYPE,
+];
 
 // RFC 8414 defaults when fields are omitted
-const DEFAULT_GRANT_TYPES = [AUTH_GRANT_TYPE] as GrantType[];
-const DEFAULT_RESPONSE_TYPES = [RESPONSE_TYPE] as ResponseType[];
-const DEFAULT_AUTH_METHODS = [
+const DEFAULT_GRANT_TYPES: readonly GrantType[] = [AUTH_GRANT_TYPE];
+const DEFAULT_RESPONSE_TYPES: readonly ResponseType[] = [RESPONSE_TYPE];
+const DEFAULT_AUTH_METHODS: readonly TokenEndpointAuthMethod[] = [
 	"client_secret_basic",
-] as TokenEndpointAuthMethod[];
+];
 
 /**
  * Client for discovering and validating OAuth server metadata.
@@ -95,7 +100,7 @@ export class OAuthMetadataClient {
 		const supported = metadata.grant_types_supported ?? DEFAULT_GRANT_TYPES;
 		if (!includesAllTypes(supported, REQUIRED_GRANT_TYPES)) {
 			throw new Error(
-				`Server does not support required grant types: ${REQUIRED_GRANT_TYPES.join(", ")}. Supported: ${supported.join(", ")}`,
+				`Server does not support required grant types: ${REQUIRED_GRANT_TYPES.join(", ")}. Supported: ${formatSupported(supported)}`,
 			);
 		}
 	}
@@ -105,17 +110,17 @@ export class OAuthMetadataClient {
 			metadata.response_types_supported ?? DEFAULT_RESPONSE_TYPES;
 		if (!includesAllTypes(supported, [RESPONSE_TYPE])) {
 			throw new Error(
-				`Server does not support required response type: ${RESPONSE_TYPE}. Supported: ${supported.join(", ")}`,
+				`Server does not support required response type: ${RESPONSE_TYPE}. Supported: ${formatSupported(supported)}`,
 			);
 		}
 	}
 
 	private validateAuthMethods(metadata: OAuthServerMetadata): void {
 		const supported =
 			metadata.token_endpoint_auth_methods_supported ?? DEFAULT_AUTH_METHODS;
-		if (!includesAllTypes(supported, [OAUTH_METHOD])) {
+		if (!includesAllTypes(supported, [TOKEN_ENDPOINT_AUTH_METHOD])) {
 			throw new Error(
-				`Server does not support required auth method: ${OAUTH_METHOD}. Supported: ${supported.join(", ")}`,
+				`Server does not support required auth method: ${TOKEN_ENDPOINT_AUTH_METHOD}. Supported: ${formatSupported(supported)}`,
 			);
 		}
 	}
@@ -125,7 +130,7 @@ export class OAuthMetadataClient {
 		const supported = metadata.code_challenge_methods_supported ?? [];
 		if (!includesAllTypes(supported, [PKCE_CHALLENGE_METHOD])) {
 			throw new Error(
-				`Server does not support required PKCE method: ${PKCE_CHALLENGE_METHOD}. Supported: ${supported.length > 0 ? supported.join(", ") : "none"}`,
+				`Server does not support required PKCE method: ${PKCE_CHALLENGE_METHOD}. Supported: ${formatSupported(supported)}`,
 			);
 		}
 	}
@@ -140,3 +145,7 @@ function includesAllTypes(
 ): boolean {
 	return requiredTypes.every((type) => arr.includes(type));
 }
+
+function formatSupported(supported: readonly string[]): string {
+	return supported.length > 0 ? supported.join(", ") : "none";
+}

src/oauth/sessionManager.ts

@@ -11,6 +11,7 @@ import { type Deployment } from "../deployment/types";
 import { type Logger } from "../logging/logger";
 import { type LoginCoordinator } from "../login/loginCoordinator";
 
+import { REFRESH_GRANT_TYPE } from "./constants";
 import {
 	type OAuthError,
 	parseOAuthError,
@@ -29,8 +30,6 @@ import type {
 	TokenRevocationRequest,
 } from "./types";
 
-const REFRESH_GRANT_TYPE = "refresh_token";
-
 /**
  * Token refresh threshold: refresh when token expires in less than this time.
  */
@@ -73,6 +72,7 @@ type StoredTokens = OAuthTokenData & {
  */
 export class OAuthSessionManager implements vscode.Disposable {
 	private refreshPromise: Promise<TokenResponse> | null = null;
+	private refreshAbortController: AbortController | null = null;
 	private lastRefreshAttempt = 0;
 	private refreshTimer: NodeJS.Timeout | undefined;
 	private tokenChangeListener: vscode.Disposable | undefined;
@@ -171,8 +171,11 @@ export class OAuthSessionManager implements vscode.Disposable {
 
 	/**
 	 * Clear all refresh-related state: in-flight promise, throttle, timer, and listener.
+	 * Aborts any in-flight refresh request to prevent stale token updates.
 	 */
 	private clearRefreshState(): void {
+		this.refreshAbortController?.abort();
+		this.refreshAbortController = null;
 		this.refreshPromise = null;
 		this.lastRefreshAttempt = 0;
 		if (this.refreshTimer) {
@@ -386,6 +389,9 @@ export class OAuthSessionManager implements vscode.Disposable {
 	private async executeTokenRefresh(
 		deployment: Deployment,
 	): Promise<TokenResponse> {
+		const abortController = new AbortController();
+		this.refreshAbortController = abortController;
+
 		try {
 			const storedTokens = await this.getStoredTokens();
 			if (!storedTokens?.refresh_token) {
@@ -418,9 +424,15 @@ export class OAuthSessionManager implements vscode.Disposable {
 					headers: {
 						"Content-Type": "application/x-www-form-urlencoded",
 					},
+					signal: abortController.signal,
 				},
 			);
 
+			// Check if aborted between response and save
+			if (abortController.signal.aborted) {
+				throw new Error("Token refresh aborted");
+			}
+
 			this.logger.debug("Token refresh successful");
 
 			const oauthData = buildOAuthTokenData(response.data);
@@ -435,6 +447,9 @@ export class OAuthSessionManager implements vscode.Disposable {
 			this.handleOAuthError(error);
 			throw error;
 		} finally {
+			if (this.refreshAbortController === abortController) {
+				this.refreshAbortController = null;
+			}
 			this.refreshPromise = null;
 		}
 	}

src/oauth/types.ts

@@ -13,9 +13,6 @@ export type TokenEndpointAuthMethod =
 	| "client_secret_basic"
 	| "none";
 
-// Application Types
-export type ApplicationType = "native" | "web";
-
 // PKCE Code Challenge Methods (OAuth 2.1 requires S256)
 export type CodeChallengeMethod = "S256";
 
@@ -26,7 +23,6 @@ export type TokenType = "Bearer" | "DPoP";
 export interface ClientRegistrationRequest {
 	redirect_uris: string[];
 	token_endpoint_auth_method: TokenEndpointAuthMethod;
-	application_type: ApplicationType;
 	grant_types: GrantType[];
 	response_types: ResponseType[];
 	client_name?: string;
@@ -49,7 +45,6 @@ export interface ClientRegistrationResponse {
 	client_secret_expires_at?: number;
 	redirect_uris: string[];
 	token_endpoint_auth_method: TokenEndpointAuthMethod;
-	application_type?: ApplicationType;
 	grant_types: GrantType[];
 	response_types: ResponseType[];
 	client_name?: string;

src/oauth/utils.ts

@@ -10,7 +10,8 @@ import type { TokenResponse } from "./types";
 export const CALLBACK_PATH = "/oauth/callback";
 
 /**
- * Default expiry time for OAuth access tokens when the server doesn't provide one.
+ * Fallback expiry time for access tokens when the server omits expires_in.
+ * RFC 6749 recommends but doesn't require expires_in and specifies no default.
  */
 const ACCESS_TOKEN_DEFAULT_EXPIRY_MS = 60 * 60 * 1000;
 

test/mocks/testHelpers.ts

@@ -695,7 +695,8 @@ export function setupAxiosMockRoutes(
 					if (value instanceof Error) {
 						throw value;
 					}
-					const data = typeof value === "function" ? await value() : value;
+					const data =
+						typeof value === "function" ? await value(config) : value;
 					return {
 						data,
 						status: 200,