Rely on the secrets API + Refactorings

Author: EhabY

src/api/coderApi.ts

@@ -3,8 +3,6 @@ import {
 	type AxiosInstance,
 	type AxiosHeaders,
 	type AxiosResponseTransformer,
-	isAxiosError,
-	type AxiosError,
 } from "axios";
 import { Api } from "coder/site/src/api/api";
 import {
@@ -33,8 +31,6 @@ import {
 	HttpClientLogLevel,
 } from "../logging/types";
 import { sizeOf } from "../logging/utils";
-import { parseOAuthError, requiresReAuthentication } from "../oauth/errors";
-import { type OAuthSessionManager } from "../oauth/sessionManager";
 import { HttpStatusCode } from "../websocket/codes";
 import {
 	type UnidirectionalStream,
@@ -76,15 +72,14 @@ export class CoderApi extends Api {
 		baseUrl: string,
 		token: string | undefined,
 		output: Logger,
-		oauthSessionManager?: OAuthSessionManager,
 	): CoderApi {
 		const client = new CoderApi(output);
 		client.setHost(baseUrl);
 		if (token) {
 			client.setSessionToken(token);
 		}
 
-		setupInterceptors(client, output, oauthSessionManager);
+		setupInterceptors(client, output);
 		return client;
 	}
 
@@ -395,11 +390,7 @@ export class CoderApi extends Api {
 /**
  * Set up logging and request interceptors for the CoderApi instance.
  */
-function setupInterceptors(
-	client: CoderApi,
-	output: Logger,
-	oauthSessionManager?: OAuthSessionManager,
-): void {
+function setupInterceptors(client: CoderApi, output: Logger): void {
 	addLoggingInterceptors(client.getAxiosInstance(), output);
 
 	client.getAxiosInstance().interceptors.request.use(async (config) => {
@@ -437,11 +428,6 @@ function setupInterceptors(
 			}
 		},
 	);
-
-	// OAuth token refresh interceptors
-	if (oauthSessionManager) {
-		addOAuthInterceptors(client, output, oauthSessionManager);
-	}
 }
 
 function addLoggingInterceptors(client: AxiosInstance, logger: Logger) {
@@ -487,116 +473,6 @@ function addLoggingInterceptors(client: AxiosInstance, logger: Logger) {
 	);
 }
 
-/**
- * Add OAuth token refresh interceptors.
- * Success interceptor: proactively refreshes token when approaching expiry.
- * Error interceptor: reactively refreshes token on 401 responses.
- */
-function addOAuthInterceptors(
-	client: CoderApi,
-	logger: Logger,
-	oauthSessionManager: OAuthSessionManager,
-) {
-	client.getAxiosInstance().interceptors.response.use(
-		// Success response interceptor: proactive token refresh
-		(response) => {
-			if (oauthSessionManager.shouldRefreshToken()) {
-				logger.debug(
-					"Token approaching expiry, triggering proactive refresh in background",
-				);
-
-				// Fire-and-forget: don't await, don't block response
-				oauthSessionManager.refreshToken().catch((error) => {
-					logger.warn("Background token refresh failed:", error);
-				});
-			}
-
-			return response;
-		},
-		// Error response interceptor: reactive token refresh on 401
-		async (error: unknown) => {
-			if (!isAxiosError(error)) {
-				throw error;
-			}
-
-			if (error.config) {
-				const config = error.config as {
-					_oauthRetryAttempted?: boolean;
-				};
-				if (config._oauthRetryAttempted) {
-					throw error;
-				}
-			}
-
-			const status = error.response?.status;
-
-			// These could indicate permanent auth failures that won't be fixed by token refresh
-			if (status === 400 || status === 403) {
-				handlePossibleOAuthError(error, logger, oauthSessionManager);
-				throw error;
-			} else if (status === 401) {
-				return handle401Error(error, client, logger, oauthSessionManager);
-			}
-
-			throw error;
-		},
-	);
-}
-
-function handlePossibleOAuthError(
-	error: unknown,
-	logger: Logger,
-	oauthSessionManager: OAuthSessionManager,
-): void {
-	const oauthError = parseOAuthError(error);
-	if (oauthError && requiresReAuthentication(oauthError)) {
-		logger.error(
-			`OAuth error requires re-authentication: ${oauthError.errorCode}`,
-		);
-
-		oauthSessionManager.showReAuthenticationModal(oauthError).catch((err) => {
-			logger.error("Failed to show re-auth modal:", err);
-		});
-	}
-}
-
-async function handle401Error(
-	error: AxiosError,
-	client: CoderApi,
-	logger: Logger,
-	oauthSessionManager: OAuthSessionManager,
-): Promise<void> {
-	if (!oauthSessionManager.isLoggedInWithOAuth()) {
-		throw error;
-	}
-
-	logger.info("Received 401 response, attempting token refresh");
-
-	try {
-		const newTokens = await oauthSessionManager.refreshToken();
-		client.setSessionToken(newTokens.access_token);
-
-		logger.info("Token refresh successful, retrying request");
-
-		// Retry the original request with the new token
-		if (error.config) {
-			const config = error.config as RequestConfigWithMeta & {
-				_oauthRetryAttempted?: boolean;
-			};
-			config._oauthRetryAttempted = true;
-			config.headers[coderSessionTokenHeader] = newTokens.access_token;
-			return client.getAxiosInstance().request(config);
-		}
-
-		throw error;
-	} catch (refreshError) {
-		logger.error("Token refresh failed:", refreshError);
-
-		handlePossibleOAuthError(refreshError, logger, oauthSessionManager);
-		throw error;
-	}
-}
-
 function wrapRequestTransform(
 	transformer: AxiosResponseTransformer | AxiosResponseTransformer[],
 	config: RequestConfigWithMeta,

src/api/oauthInterceptors.ts

@@ -0,0 +1,122 @@
+import { type AxiosError, isAxiosError } from "axios";
+
+import { type Logger } from "../logging/logger";
+import { type RequestConfigWithMeta } from "../logging/types";
+import { parseOAuthError, requiresReAuthentication } from "../oauth/errors";
+import { type OAuthSessionManager } from "../oauth/sessionManager";
+
+import { type CoderApi } from "./coderApi";
+
+const coderSessionTokenHeader = "Coder-Session-Token";
+
+/**
+ * Attach OAuth token refresh interceptors to a CoderApi instance.
+ * This should be called after creating the CoderApi when OAuth authentication is being used.
+ *
+ * Success interceptor: proactively refreshes token when approaching expiry.
+ * Error interceptor: reactively refreshes token on 401 responses.
+ */
+export function attachOAuthInterceptors(
+	client: CoderApi,
+	logger: Logger,
+	oauthSessionManager: OAuthSessionManager,
+): void {
+	client.getAxiosInstance().interceptors.response.use(
+		// Success response interceptor: proactive token refresh
+		(response) => {
+			if (oauthSessionManager.shouldRefreshToken()) {
+				logger.debug(
+					"Token approaching expiry, triggering proactive refresh in background",
+				);
+
+				// Fire-and-forget: don't await, don't block response
+				oauthSessionManager.refreshToken().catch((error) => {
+					logger.warn("Background token refresh failed:", error);
+				});
+			}
+
+			return response;
+		},
+		// Error response interceptor: reactive token refresh on 401
+		async (error: unknown) => {
+			if (!isAxiosError(error)) {
+				throw error;
+			}
+
+			if (error.config) {
+				const config = error.config as {
+					_oauthRetryAttempted?: boolean;
+				};
+				if (config._oauthRetryAttempted) {
+					throw error;
+				}
+			}
+
+			const status = error.response?.status;
+
+			// These could indicate permanent auth failures that won't be fixed by token refresh
+			if (status === 400 || status === 403) {
+				handlePossibleOAuthError(error, logger, oauthSessionManager);
+				throw error;
+			} else if (status === 401) {
+				return handle401Error(error, client, logger, oauthSessionManager);
+			}
+
+			throw error;
+		},
+	);
+}
+
+function handlePossibleOAuthError(
+	error: unknown,
+	logger: Logger,
+	oauthSessionManager: OAuthSessionManager,
+): void {
+	const oauthError = parseOAuthError(error);
+	if (oauthError && requiresReAuthentication(oauthError)) {
+		logger.error(
+			`OAuth error requires re-authentication: ${oauthError.errorCode}`,
+		);
+
+		oauthSessionManager.showReAuthenticationModal(oauthError).catch((err) => {
+			logger.error("Failed to show re-auth modal:", err);
+		});
+	}
+}
+
+async function handle401Error(
+	error: AxiosError,
+	client: CoderApi,
+	logger: Logger,
+	oauthSessionManager: OAuthSessionManager,
+): Promise<void> {
+	if (!oauthSessionManager.isLoggedInWithOAuth()) {
+		throw error;
+	}
+
+	logger.info("Received 401 response, attempting token refresh");
+
+	try {
+		const newTokens = await oauthSessionManager.refreshToken();
+		client.setSessionToken(newTokens.access_token);
+
+		logger.info("Token refresh successful, retrying request");
+
+		// Retry the original request with the new token
+		if (error.config) {
+			const config = error.config as RequestConfigWithMeta & {
+				_oauthRetryAttempted?: boolean;
+			};
+			config._oauthRetryAttempted = true;
+			config.headers[coderSessionTokenHeader] = newTokens.access_token;
+			return client.getAxiosInstance().request(config);
+		}
+
+		throw error;
+	} catch (refreshError) {
+		logger.error("Token refresh failed:", refreshError);
+
+		handlePossibleOAuthError(refreshError, logger, oauthSessionManager);
+		throw error;
+	}
+}

src/commands.ts

@@ -68,7 +68,6 @@ export class Commands {
 	 */
 	public async login(args?: {
 		url?: string;
-		token?: string;
 		label?: string;
 		autoLogin?: boolean;
 	}): Promise<void> {
@@ -89,8 +88,7 @@ export class Commands {
 		this.logger.info("Using deployment label", label);
 
 		const result = await this.loginCoordinator.promptForLogin({
-			url,
-			label,
+			deployment: { url, label },
 			autoLogin: args?.autoLogin,
 			oauthSessionManager: this.oauthSessionManager,
 		});
@@ -105,14 +103,11 @@ export class Commands {
 
 		// Store for later sessions
 		await this.mementoManager.setUrl(url);
-		await this.secretsManager.setSessionToken(label, {
+		await this.secretsManager.setSessionAuth(label, {
 			url,
-			sessionToken: result.token,
+			token: result.token,
 		});
 
-		// Store on disk for CLI
-		await this.cliManager.configure(label, url, result.token);
-
 		// Update contexts
 		this.contextManager.set("coder.authenticated", true);
 		if (result.user.roles.some((role) => role.name === "owner")) {
@@ -195,7 +190,7 @@ export class Commands {
 
 		// Clear from memory.
 		await this.mementoManager.setUrl(undefined);
-		await this.secretsManager.setSessionToken(label, undefined);
+		await this.secretsManager.clearAllAuthData(label);
 
 		this.contextManager.set("coder.authenticated", false);
 		vscode.window