fix(auth): add extra notification to SSO login flow (#3148)

## Problem
Logging in via the browser is currently too easy. Section 5.4 of RFC 8628 suggests that implementations should make it clear to users which device is requesting access at all times.

## Solution
Add an additional notification containing the user verification code before opening the browser. Users must now enter in this code in the browser whereas before it was done automatically. The user code is automatically copied to the clipboard to make things slightly easier.

## Relevant changes
* Add notification to SSO portal login flow
* Globally fake `vscode.window` for unit tests

Author: JadenSimon

.changes/next-release/Bug Fix-2564ea73-0e4a-4404-ab79-14710c867bea.json

@@ -0,0 +1,4 @@
+{
+	"type": "Bug Fix",
+	"description": "Authenticating through the browser now requires users to manually enter a user verification code. Previously this was done automatically."
+}

docs/TESTPLAN.md

@@ -20,6 +20,7 @@ The test suite has two categories of tests:
 -   Unit Tests: **fast** tests
     -   Live in `src/test/`
     -   The `vscode` API is available.
+        -   Use `getTestWindow()` to inspect or manipulate `vscode.window`
     -   The Toolkit code is invoked as a library, not as an extension activated in VSCode's typical lifecycle.
     -   Call functions and create objects directly.
     -   May mock state where needed, though this is discouraged in favor of "fake" data/objects/files.
@@ -65,7 +66,7 @@ modifications/workarounds in `src/test/testRunner.ts`.
 -   Many failure modes (as opposed to the "happy path") are not tested.
 -   No performance/benchmark regression tests.
 -   No UI tests (to exercise webviews).
-    - https://github.com/redhat-developer/vscode-extension-tester
+    -   https://github.com/redhat-developer/vscode-extension-tester
 -   Missing acceptance tests:
     -   Connect to AWS
     -   Fixed credentials and fixed credentials with assume roles

package-lock.json

@@ -3517,7 +3517,7 @@
         "report": "nyc report --reporter=html --reporter=json"
     },
     "devDependencies": {
-        "@aws-toolkits/telemetry": "^1.0.87",
+        "@aws-toolkits/telemetry": "^1.0.100",
         "@cspotcode/source-map-support": "^0.8.1",
         "@sinonjs/fake-timers": "^8.1.0",
         "@types/adm-zip": "^0.4.34",

package.json

@@ -20,7 +20,7 @@ import { CancellationError } from '../shared/utilities/timeoutUtils'
 import { ToolkitError, UnknownError } from '../shared/errors'
 import { getCache } from './sso/cache'
 import { createFactoryFunction, Mutable } from '../shared/utilities/tsUtils'
-import { SsoToken } from './sso/model'
+import { builderIdStartUrl, SsoToken } from './sso/model'
 import { SsoClient } from './sso/clients'
 import { getLogger } from '../shared/logger'
 import { CredentialsProviderManager } from './providers/credentialsProviderManager'
@@ -38,7 +38,6 @@ import { getCodeCatalystDevEnvId } from '../shared/vscode/env'
 import { getConfigFilename } from './sharedCredentials'
 import { authHelpUrl } from '../shared/constants'
 
-export const builderIdStartUrl = 'https://view.awsapps.com/start'
 export const ssoScope = 'sso:account:access'
 export const codecatalystScopes = ['codecatalyst:read_write']
 export const ssoAccountAccessScopes = ['sso:account:access']
@@ -581,7 +580,9 @@ export class Auth implements AuthService, ConnectionManager {
         const provider = this.getTokenProvider(id, profile)
         const truncatedUrl = profile.startUrl.match(/https?:\/\/(.*)\.awsapps\.com\/start/)?.[1] ?? profile.startUrl
         const label =
-            profile.startUrl === builderIdStartUrl ? 'AWS Builder ID' : `IAM Identity Center (${truncatedUrl})`
+            profile.startUrl === builderIdStartUrl
+                ? localizedText.builderId()
+                : `${localizedText.iamIdentityCenter} (${truncatedUrl})`
 
         return {
             id,
@@ -832,23 +833,25 @@ export const createBuilderIdItem = () =>
     ({
         label: codicon`${getIcon('vscode-person')} ${localize(
             'aws.auth.builderIdItem.label',
-            'Use a personal email to sign up and sign in with AWS Builder ID'
+            'Use a personal email to sign up and sign in with {0}',
+            localizedText.builderId()
         )}`,
         data: 'builderId',
         onClick: () => telemetry.ui_click.emit({ elementId: 'connection_optionBuilderID' }),
-        detail: 'AWS Builder ID is a new, personal profile for builders.', // TODO: need a "Learn more" button ?
+        detail: `${localizedText.builderId()} is a new, personal profile for builders.`, // TODO: need a "Learn more" button ?
     } as DataQuickPickItem<'builderId'>)
 
 export const createSsoItem = () =>
     ({
         label: codicon`${getIcon('vscode-organization')} ${localize(
             'aws.auth.ssoItem.label',
-            'Connect using {0} IAM Identity Center',
-            getIdeProperties().company
+            'Connect using {0} {1}',
+            getIdeProperties().company,
+            localizedText.iamIdentityCenter
         )}`,
         data: 'sso',
         onClick: () => telemetry.ui_click.emit({ elementId: 'connection_optionSSO' }),
-        detail: "Sign in to your company's IAM Identity Center access portal login page.",
+        detail: `Sign in to your company's ${localizedText.iamIdentityCenter} access portal login page.`,
     } as DataQuickPickItem<'sso'>)
 
 export const createIamItem = () =>
@@ -889,7 +892,7 @@ export async function createStartUrlPrompter(title: string, ignoreScopes = true)
 
     return createInputBox({
         title: `${title}: Enter Start URL`,
-        placeholder: "Enter start URL for your organization's IAM Identity Center",
+        placeholder: `Enter start URL for your organization's IAM Identity Center`,
         buttons: [createHelpButton(), createExitButton()],
         validateInput: validateSsoUrl,
     })

src/credentials/auth.ts

@@ -56,10 +56,10 @@ export class OidcClient {
 
     public async startDeviceAuthorization(request: StartDeviceAuthorizationRequest) {
         const response = await this.client.startDeviceAuthorization(request)
-        assertHasProps(response, 'expiresIn', 'deviceCode', 'verificationUriComplete')
+        assertHasProps(response, 'expiresIn', 'deviceCode', 'userCode', 'verificationUri')
 
         return {
-            ...selectFrom(response, 'deviceCode', 'verificationUriComplete'),
+            ...selectFrom(response, 'deviceCode', 'userCode', 'verificationUri'),
             expiresAt: new this.clock.Date(response.expiresIn * 1000 + this.clock.Date.now()),
             interval: response.interval ? response.interval * 1000 : undefined,
         }

src/credentials/sso/clients.ts

@@ -5,7 +5,15 @@
 
 import globals from '../../shared/extensionGlobals'
 
+import * as nls from 'vscode-nls'
+const localize = nls.loadMessageBundle()
+
 import * as vscode from 'vscode'
+import * as localizedText from '../../shared/localizedText'
+import { getLogger } from '../../shared/logger/logger'
+import { telemetry } from '../../shared/telemetry/telemetry'
+import { CancellationError } from '../../shared/utilities/timeoutUtils'
+import { ssoAuthHelpUrl } from '../../shared/constants'
 
 export interface SsoToken {
     /**
@@ -66,8 +74,59 @@ export interface SsoProfile {
     readonly identifier?: string
 }
 
-export async function openSsoPortalLink(authorization: { readonly verificationUriComplete: string }): Promise<boolean> {
-    return vscode.env.openExternal(vscode.Uri.parse(authorization.verificationUriComplete))
+export const builderIdStartUrl = 'https://view.awsapps.com/start'
+
+const tryOpenHelpUrl = (url: string) =>
+    telemetry.aws_openUrl
+        .run(async span => {
+            span.record({ url })
+            const didOpen = await vscode.env.openExternal(vscode.Uri.parse(url))
+            if (!didOpen) {
+                throw new CancellationError('user')
+            }
+        })
+        .catch(e => getLogger().verbose('auth: failed to open help URL: %s', e))
+
+export async function openSsoPortalLink(
+    startUrl: string,
+    authorization: { readonly verificationUri: string; readonly userCode: string }
+): Promise<boolean> {
+    async function copyCodeAndOpenLink() {
+        await vscode.env.clipboard.writeText(authorization.userCode).then(undefined, err => {
+            getLogger().warn(`auth: failed to copy user code "${authorization.userCode}" to clipboard: %s`, err)
+        })
+
+        return vscode.env.openExternal(vscode.Uri.parse(authorization.verificationUri))
+    }
+
+    async function showLoginNotification() {
+        const name = startUrl === builderIdStartUrl ? localizedText.builderId() : localizedText.iamIdentityCenterFull()
+        const title = localize('AWS.auth.loginWithBrowser.messageTitle', 'Copy Code for {0}', name)
+        const detail = localize(
+            'AWS.auth.loginWithBrowser.messageDetail',
+            'To proceed, open the login page and provide this code to confirm the access request: {0}',
+            authorization.userCode
+        )
+        const copyCode = localize('AWS.auth.loginWithBrowser.copyCodeAction', 'Copy Code and Proceed')
+        const options = { modal: true, detail } as vscode.MessageOptions
+
+        while (true) {
+            // TODO: add the 'Help' item back once we have a suitable URL
+            // const resp = await vscode.window.showInformationMessage(title, options, copyCode, localizedText.help)
+            const resp = await vscode.window.showInformationMessage(title, options, copyCode)
+            switch (resp) {
+                case copyCode:
+                    return copyCodeAndOpenLink()
+                case localizedText.help:
+                    await tryOpenHelpUrl(ssoAuthHelpUrl)
+                    continue
+                default:
+                    throw new CancellationError('user')
+            }
+        }
+    }
+
+    return telemetry.aws_loginWithBrowser.run(() => showLoginNotification())
 }
 
 // Most SSO 'expirables' are fairly long lived, so a one minute buffer is plenty.

src/credentials/sso/model.ts

@@ -145,7 +145,7 @@ export class SsoAccessTokenProvider {
             clientSecret: registration.clientSecret,
         })
 
-        if (!(await openSsoPortalLink(authorization))) {
+        if (!(await openSsoPortalLink(this.profile.startUrl, authorization))) {
             throw new CancellationError('user')
         }
 

src/credentials/sso/ssoAccessTokenProvider.ts

@@ -12,7 +12,7 @@ import { MessageObject } from '../../stepFunctions/commands/visualizeStateMachin
 import { makeTemporaryToolkitFolder } from '../../shared/filesystemUtilities'
 import { closeAllEditors } from '../../test/testUtil'
 import { previewStateMachineCommand } from '../../stepFunctions/activation'
-import { createTestWindow } from '../../test/shared/vscode/window'
+import { getTestWindow } from '../../test/globalSetup.test'
 
 const sampleStateMachine = `
 	 {
@@ -212,9 +212,7 @@ describe('visualizeStateMachine', async function () {
         await closeAllEditors()
         assert.strictEqual(vscode.window.activeTextEditor, undefined)
 
-        const testWindow = createTestWindow()
-        sinon.replace(vscode, 'window', testWindow)
-        const errorMessage = testWindow.waitForMessage(/no active text editor/i)
+        const errorMessage = getTestWindow().waitForMessage(/no active text editor/i)
 
         await Promise.all([previewStateMachineCommand.execute(), errorMessage.then(dialog => dialog.close())])
     })

src/integrationTest/stepFunctions/visualizeStateMachine.test.ts

@@ -28,6 +28,7 @@ export const documentationUrl: string = isCloud9()
  * - alternative?: codecatalyst/latest/userguide/sign-up-create-resources.html
  */
 export const authHelpUrl = 'https://docs.aws.amazon.com/general/latest/gr/differences-aws_builder_id.html'
+export const ssoAuthHelpUrl = 'https://docs.aws.amazon.com/singlesignon/latest/userguide/howtosignin.html'
 export const credentialHelpUrl: string =
     'https://docs.aws.amazon.com/toolkit-for-vscode/latest/userguide/setup-credentials.html'
 export const ssoCredentialsHelpUrl: string =