fix(codecatalyst): dev env logged out on load (#5196)

* fix(codecatalyst): dev env logged out on load

Problem: We forget all connections without all codecatalyst scopes only (aws account + coca scopes). However, the stored credentials in dev environments do not have the account scopes, so we are forgetting it.

Solution: Check for Q scopes explicitly.

* Update packages/core/src/extension.ts

Co-authored-by: Justin M. Keyes <[email protected]>

---------

Co-authored-by: Justin M. Keyes <[email protected]>

Author: hayemaxi

packages/core/src/auth/secondaryAuth.ts

@@ -197,6 +197,7 @@ export class SecondaryAuth<T extends Connection = Connection> {
      * Clears the connection in use without deleting it or logging out.
      */
     public async forgetConnection() {
+        getLogger().debug('running SecondaryAuth:forgetConnection()')
         await this.clearSavedConnection()
         await this.clearActiveConnection()
     }

packages/core/src/codecatalyst/activation.ts

@@ -10,7 +10,7 @@ import { ExtContext } from '../shared/extensions'
 import { CodeCatalystRemoteSourceProvider } from './repos/remoteSourceProvider'
 import { CodeCatalystCommands, codecatalystConnectionsCmd } from './commands'
 import { GitExtension } from '../shared/extensions/git'
-import { CodeCatalystAuthenticationProvider, defaultScopes } from './auth'
+import { CodeCatalystAuthenticationProvider } from './auth'
 import { registerDevfileWatcher, updateDevfileCommand } from './devfile'
 import { DevEnvClient } from '../shared/clients/devenvClient'
 import { watchRestartingDevEnvs } from './reconnect'
@@ -25,7 +25,7 @@ import { getLogger } from '../shared/logger/logger'
 import { DevEnvActivityStarter } from './devEnv'
 import { learnMoreCommand, onboardCommand, reauth } from './explorer'
 import { isInDevEnv } from '../shared/vscode/env'
-import { hasExactScopes } from '../auth/connection'
+import { hasScopes, scopesCodeWhispererCore } from '../auth/connection'
 import { SessionSeparationPrompt } from '../auth/auth'
 
 const localize = nls.loadMessageBundle()
@@ -46,9 +46,10 @@ export async function activate(ctx: ExtContext): Promise<void> {
 
     await authProvider.restore()
 
-    // Forget Amazon Q connections while we transition to separate auth sessions per extension
+    // Forget Amazon Q connections while we transition to separate auth sessions per extension.
+    // Note: credentials on disk in the dev env cannot have Q scopes, so it will never be forgotten.
     // TODO: Remove after some time?
-    if (authProvider.isConnected() && !hasExactScopes(authProvider.activeConnection!, defaultScopes)) {
+    if (authProvider.isConnected() && hasScopes(authProvider.activeConnection!, scopesCodeWhispererCore)) {
         await authProvider.secondaryAuth.forgetConnection()
         await SessionSeparationPrompt.instance.showForCommand('aws.codecatalyst.manageConnections')
     }

packages/core/src/extension.ts

@@ -128,6 +128,10 @@ export async function activate(context: vscode.ExtensionContext) {
         // TODO: Remove after some time?
         for (const conn of await Auth.instance.listConnections()) {
             if (isSsoConnection(conn) && hasScopes(conn, codeWhispererCoreScopes)) {
+                getLogger().debug(
+                    `forgetting connection: ${conn.id} with starturl/scopes: ${conn.startUrl} / %O`,
+                    conn.scopes
+                )
                 await Auth.instance.forgetConnection(conn)
                 await SessionSeparationPrompt.instance.showForCommand('aws.toolkit.auth.manageConnections')
             }