fix(auth): preserve old scopes if re-auth fails. show more helpful error message

hayemaxi · web-flow · commit 9d329a987551 · 2023-11-26T06:30:17.000-08:00
Problem: If a connection fails due to not having valid scopes, the scopes are not reset. This
soft-locks the user and new connections aren't possible until it is deleted in the quick pick.

Solution: Restore scopes if that is the failure reason. Also, add a more helpful UI message to
indicate why the sign on failed.
diff --git a/src/auth/secondaryAuth.ts b/src/auth/secondaryAuth.ts
@@ -11,7 +11,6 @@ import { cast, Optional } from '../shared/utilities/typeConstructors'
 import { Auth } from './auth'
 import { once } from '../shared/utilities/functionUtils'
 import { isNonNullable } from '../shared/utilities/tsUtils'
-import { CancellationError } from '../shared/utilities/timeoutUtils'
 import { Connection, SsoConnection, StatefulConnection } from './connection'
 
 let currentConn: Auth['activeConnection']
@@ -221,11 +220,11 @@ export class SecondaryAuth<T extends Connection = Connection> {
         try {
             return await this.auth.reauthenticate(updatedConn)
         } catch (e) {
-            if (CancellationError.isUserCancelled(e)) {
-                // We updated the connection scopes, but the user cancelled reauth.
-                // Revert to old connection scopes, otherwise the new scopes persist.
-                await updateConnectionScopes(oldScopes)
-            }
+            // We updated the connection scopes pre-emptively, but if there is some issue (e.g. user cancels,
+            // InvalidGrantException, etc), then we need to revert to the old connection scopes. Otherwise,
+            // this could soft-lock users into a broken connection that cannot be re-authenticated without
+            // first deleting the connection.
+            await updateConnectionScopes(oldScopes)
             throw e
         }
     }
diff --git a/src/auth/ui/vue/show.ts b/src/auth/ui/vue/show.ts
@@ -52,6 +52,7 @@ import { Commands, VsCodeCommandArg, placeholder, vscodeComponent } from '../../
 import { ClassToInterfaceType } from '../../../shared/utilities/tsUtils'
 import { debounce } from 'lodash'
 import { submitFeedback } from '../../../feedback/vue/submitFeedback'
+import { InvalidGrantException } from '@aws-sdk/client-sso-oidc'
 
 export class AuthWebview extends VueWebview {
     public override id: string = 'authWebview'
@@ -234,6 +235,13 @@ export class AuthWebview extends VueWebview {
                 return { id: userCancelled, text: 'Setup cancelled.' }
             }
 
+            if (e instanceof ToolkitError && e.cause instanceof InvalidGrantException) {
+                return {
+                    id: 'invalidGrantException',
+                    text: 'Permissions for this service may not be enabled by your SSO Admin, or the selected region may not be supported.',
+                }
+            }
+
             if (
                 e instanceof ToolkitError &&
                 (e.code === trustedDomainCancellation || e.cause?.name === trustedDomainCancellation)
