fix(CodeWhisperer): auto-refresh credentials on Cloud9 #2727

Problem
The Toolkit credentials system does not use a file watcher for detecting credential changes. This specifically affects CodeWhisperer as they never emit an `ExpiredTokenException` which would otherwise trigger a refresh.

## Solution
Force a refresh on errors that are obviously due to expired credentials. We heavily restrict the exact circumstances that this code path can be executed to mitigate risk.

Soon-ish we'll have a file watcher so we can drop a lot of these workarounds.

Author: JadenSimon

.changes/next-release/Bug Fix-f1a5afac-efe0-41aa-8673-60897eb82e5e.json

@@ -0,0 +1,4 @@
+{
+	"type": "Bug Fix",
+	"description": "'security token expired' errors when using CodeWhisperer in Cloud9 with managed credentials"
+}

src/codewhisperer/client/codewhisperer.ts

@@ -14,6 +14,13 @@ import { isCloud9 } from '../../shared/extensionUtilities'
 import { CodeWhispererSettings } from '../util/codewhispererSettings'
 import { getCognitoCredentials } from '../util/cognitoIdentity'
 import { PromiseResult } from 'aws-sdk/lib/request'
+import { getLogger } from '../../shared/logger'
+import { throttle } from 'lodash'
+
+const refreshCredentials = throttle(() => {
+    getLogger().verbose('codewhisperer: invalidating expired credentials')
+    globals.awsContext.credentialsShim?.refresh()
+}, 60000)
 
 export type ProgrammingLanguage = Readonly<CodeWhispererClient.ProgrammingLanguage>
 export type FileContext = Readonly<CodeWhispererClient.FileContext>
@@ -61,6 +68,20 @@ export class DefaultCodeWhispererClient {
                                 req.httpRequest.headers['x-amzn-codewhisperer-optout'] = `${isOptedOut}`
                             })
                         }
+
+                        // This logic is for backward compatability with legacy SDK v2 behavior for refreshing
+                        // credentials. Once the Toolkit adds a file watcher for credentials it won't be needed.
+                        if (isCloud9() && req.operation !== 'getAccessToken') {
+                            req.on('retry', resp => {
+                                if (
+                                    resp.error?.code === 'AccessDeniedException' &&
+                                    resp.error.message.match(/expired/i)
+                                ) {
+                                    refreshCredentials()
+                                    resp.error.retryable = true
+                                }
+                            })
+                        }
                     },
                 ],
             } as ServiceOptions,