Block webviews from allowing multiple parallel authorization_grant flows (#4918)

rli · web-flow · commit 0e51c1c2efa2 · 2024-10-02T12:14:16.000-07:00
diff --git a/plugins/core/jetbrains-community/src/software/aws/toolkits/jetbrains/core/credentials/LoginUtils.kt b/plugins/core/jetbrains-community/src/software/aws/toolkits/jetbrains/core/credentials/LoginUtils.kt
@@ -18,24 +18,35 @@ import software.amazon.awssdk.services.ssooidc.model.SsoOidcException
 import software.amazon.awssdk.services.sts.StsClient
 import software.aws.toolkits.core.credentials.validatedSsoIdentifierFromUrl
 import software.aws.toolkits.core.region.AwsRegion
+import software.aws.toolkits.core.utils.debug
+import software.aws.toolkits.core.utils.getLogger
+import software.aws.toolkits.core.utils.warn
 import software.aws.toolkits.jetbrains.core.AwsClientManager
 import software.aws.toolkits.jetbrains.core.credentials.profiles.SsoSessionConstants
 import software.aws.toolkits.jetbrains.core.credentials.sono.SONO_REGION
 import software.aws.toolkits.jetbrains.core.credentials.sono.SONO_URL
 import software.aws.toolkits.jetbrains.core.credentials.sono.isSono
 import software.aws.toolkits.jetbrains.core.credentials.sso.bearer.InteractiveBearerTokenProvider
+import software.aws.toolkits.jetbrains.core.credentials.sso.pkce.ToolkitOAuthService
 import software.aws.toolkits.jetbrains.utils.runUnderProgressIfNeeded
 import software.aws.toolkits.resources.AwsCoreBundle
 import software.aws.toolkits.telemetry.CredentialSourceId
 import java.io.IOException
 
+private val LOG = getLogger<Login<*>>()
+
 sealed class Login<T> {
     abstract val id: CredentialSourceId
     abstract val onError: (Exception) -> Unit
     protected abstract fun doLogin(project: Project): T
 
     fun login(project: Project): T {
+        LOG.debug { "Starting login with request: $this" }
         try {
+            check(!ToolkitOAuthService.getInstance().hasPendingRequest()) {
+                LOG.warn { "$this attempt initiated with pending request: ${ToolkitOAuthService.getInstance().pendingRequest()}" }
+                AwsCoreBundle.message("toolkit.login.singleton")
+            }
             return doLogin(project)
         } catch (e: Exception) {
             onError(e)
diff --git a/plugins/core/jetbrains-community/src/software/aws/toolkits/jetbrains/core/credentials/sso/pkce/ToolkitOAuthService.kt b/plugins/core/jetbrains-community/src/software/aws/toolkits/jetbrains/core/credentials/sso/pkce/ToolkitOAuthService.kt
@@ -43,6 +43,8 @@ const val PKCE_CLIENT_NAME = "AWS IDE Plugins for JetBrains"
 class ToolkitOAuthService : OAuthServiceBase<AccessToken>() {
     override val name: String = "aws/toolkit"
 
+    internal fun pendingRequest() = (currentRequest.get()?.request as? ToolkitOAuthRequest)?.registration
+
     fun hasPendingRequest() = currentRequest.get() != null
 
     fun authorize(registration: PKCEClientRegistration): CompletableFuture<AccessToken> {
diff --git a/plugins/core/resources/resources/software/aws/toolkits/resources/MessagesBundle.properties b/plugins/core/resources/resources/software/aws/toolkits/resources/MessagesBundle.properties
@@ -1956,6 +1956,7 @@ toolkit.login.dialog.sso.text_field.region=Region:
 toolkit.login.dialog.sso.text_field.start_url=Start URL:
 toolkit.login.dialog.sso.title=Connect using AWS IAM Identity Center
 toolkit.login.dialog.title=AWS Toolkit: Add Connection
+toolkit.login.singleton=Only one browser authorization flow may be active at once
 toolkit.sso_expire.dialog.cancel_button=Cancel
 toolkit.sso_expire.dialog.no_button=Don't show again
 toolkit.sso_expire.dialog.title=Connection Expired
