Fix login/logout synchronization across multiple VS Code windows (#590)

Introduce ContextManager for centralized state management and use 
secrets to propagate authentication events between windows. Resolves race conditions 
in session token handling and ensures consistent authentication behavior across all 
open extension instances.

Fixes #498

Author: EhabY

.eslintrc.json

@@ -23,17 +23,6 @@
 		"import/internal-regex": "^@/"
 	},
 	"overrides": [
-		{
-			"files": ["test/**/*.{ts,tsx}", "**/*.{test,spec}.ts?(x)"],
-			"settings": {
-				"import/resolver": {
-					"typescript": {
-						// In tests, resolve using the test tsconfig
-						"project": "test/tsconfig.json"
-					}
-				}
-			}
-		},
 		{
 			"files": ["*.ts"],
 			"rules": {
@@ -46,9 +35,30 @@
 						"prefer": "type-imports",
 						"fixStyle": "inline-type-imports"
 					}
+				],
+				"@typescript-eslint/switch-exhaustiveness-check": [
+					"error",
+					{ "considerDefaultExhaustiveForUnions": true }
 				]
 			}
 		},
+		{
+			"files": ["test/**/*.{ts,tsx}", "**/*.{test,spec}.ts?(x)"],
+			"settings": {
+				"import/resolver": {
+					"typescript": {
+						// In tests, resolve using the test tsconfig
+						"project": "test/tsconfig.json"
+					}
+				}
+			}
+		},
+		{
+			"files": ["src/core/contextManager.ts"],
+			"rules": {
+				"no-restricted-syntax": "off"
+			}
+		},
 		{
 			"extends": ["plugin:package-json/legacy-recommended"],
 			"files": ["*.json"],
@@ -106,6 +116,13 @@
 					"sublings_only": true
 				}
 			}
+		],
+		"no-restricted-syntax": [
+			"error",
+			{
+				"selector": "CallExpression[callee.property.name='executeCommand'][arguments.0.value='setContext'][arguments.length>=3]",
+				"message": "Do not use executeCommand('setContext', ...) directly. Use the ContextManager class instead."
+			}
 		]
 	}
 }

src/commands.ts

@@ -12,6 +12,7 @@ import { CoderApi } from "./api/coderApi";
 import { needToken } from "./api/utils";
 import { type CliManager } from "./core/cliManager";
 import { type ServiceContainer } from "./core/container";
+import { type ContextManager } from "./core/contextManager";
 import { type MementoManager } from "./core/mementoManager";
 import { type PathResolver } from "./core/pathResolver";
 import { type SecretsManager } from "./core/secretsManager";
@@ -32,6 +33,7 @@ export class Commands {
 	private readonly mementoManager: MementoManager;
 	private readonly secretsManager: SecretsManager;
 	private readonly cliManager: CliManager;
+	private readonly contextManager: ContextManager;
 	// These will only be populated when actively connected to a workspace and are
 	// used in commands.  Because commands can be executed by the user, it is not
 	// possible to pass in arguments, so we have to store the current workspace
@@ -53,6 +55,7 @@ export class Commands {
 		this.mementoManager = serviceContainer.getMementoManager();
 		this.secretsManager = serviceContainer.getSecretsManager();
 		this.cliManager = serviceContainer.getCliManager();
+		this.contextManager = serviceContainer.getContextManager();
 	}
 
 	/**
@@ -179,31 +182,34 @@ export class Commands {
 	}
 
 	/**
-	 * Log into the provided deployment.  If the deployment URL is not specified,
+	 * Log into the provided deployment. If the deployment URL is not specified,
 	 * ask for it first with a menu showing recent URLs along with the default URL
 	 * and CODER_URL, if those are set.
 	 */
-	public async login(...args: string[]): Promise<void> {
-		// Destructure would be nice but VS Code can pass undefined which errors.
-		const inputUrl = args[0];
-		const inputToken = args[1];
-		const inputLabel = args[2];
-		const isAutologin =
-			typeof args[3] === "undefined" ? false : Boolean(args[3]);
-
-		const url = await this.maybeAskUrl(inputUrl);
+	public async login(args?: {
+		url?: string;
+		token?: string;
+		label?: string;
+		autoLogin?: boolean;
+	}): Promise<void> {
+		if (this.contextManager.get("coder.authenticated")) {
+			return;
+		}
+		this.logger.info("Logging in");
+
+		const url = await this.maybeAskUrl(args?.url);
 		if (!url) {
 			return; // The user aborted.
 		}
 
 		// It is possible that we are trying to log into an old-style host, in which
 		// case we want to write with the provided blank label instead of generating
 		// a host label.
-		const label =
-			typeof inputLabel === "undefined" ? toSafeHost(url) : inputLabel;
+		const label = args?.label === undefined ? toSafeHost(url) : args.label;
 
 		// Try to get a token from the user, if we need one, and their user.
-		const res = await this.maybeAskToken(url, inputToken, isAutologin);
+		const autoLogin = args?.autoLogin === true;
+		const res = await this.maybeAskToken(url, args?.token, autoLogin);
 		if (!res) {
 			return; // The user aborted, or unable to auth.
 		}
@@ -221,13 +227,9 @@ export class Commands {
 		await this.cliManager.configure(label, url, res.token);
 
 		// These contexts control various menu items and the sidebar.
-		await vscode.commands.executeCommand(
-			"setContext",
-			"coder.authenticated",
-			true,
-		);
+		this.contextManager.set("coder.authenticated", true);
 		if (res.user.roles.find((role) => role.name === "owner")) {
-			await vscode.commands.executeCommand("setContext", "coder.isOwner", true);
+			this.contextManager.set("coder.isOwner", true);
 		}
 
 		vscode.window
@@ -245,6 +247,7 @@ export class Commands {
 				}
 			});
 
+		await this.secretsManager.triggerLoginStateChange("login");
 		// Fetch workspaces for the new deployment.
 		vscode.commands.executeCommand("coder.refreshWorkspaces");
 	}
@@ -257,19 +260,21 @@ export class Commands {
 	 */
 	private async maybeAskToken(
 		url: string,
-		token: string,
-		isAutologin: boolean,
+		token: string | undefined,
+		isAutoLogin: boolean,
 	): Promise<{ user: User; token: string } | null> {
 		const client = CoderApi.create(url, token, this.logger);
-		if (!needToken(vscode.workspace.getConfiguration())) {
+		const needsToken = needToken(vscode.workspace.getConfiguration());
+		if (!needsToken || token) {
 			try {
 				const user = await client.getAuthenticatedUser();
 				// For non-token auth, we write a blank token since the `vscodessh`
 				// command currently always requires a token file.
-				return { token: "", user };
+				// For token auth, we have valid access so we can just return the user here
+				return { token: needsToken && token ? token : "", user };
 			} catch (err) {
 				const message = getErrorMessage(err, "no response from the server");
-				if (isAutologin) {
+				if (isAutoLogin) {
 					this.logger.warn("Failed to log in to Coder server:", message);
 				} else {
 					this.vscodeProposed.window.showErrorMessage(
@@ -301,6 +306,9 @@ export class Commands {
 			value: token || (await this.secretsManager.getSessionToken()),
 			ignoreFocusOut: true,
 			validateInput: async (value) => {
+				if (!value) {
+					return null;
+				}
 				client.setSessionToken(value);
 				try {
 					user = await client.getAuthenticatedUser();
@@ -369,7 +377,14 @@ export class Commands {
 			// Sanity check; command should not be available if no url.
 			throw new Error("You are not logged in");
 		}
+		await this.forceLogout();
+	}
 
+	public async forceLogout(): Promise<void> {
+		if (!this.contextManager.get("coder.authenticated")) {
+			return;
+		}
+		this.logger.info("Logging out");
 		// Clear from the REST client.  An empty url will indicate to other parts of
 		// the code that we are logged out.
 		this.restClient.setHost("");
@@ -379,19 +394,16 @@ export class Commands {
 		await this.mementoManager.setUrl(undefined);
 		await this.secretsManager.setSessionToken(undefined);
 
-		await vscode.commands.executeCommand(
-			"setContext",
-			"coder.authenticated",
-			false,
-		);
+		this.contextManager.set("coder.authenticated", false);
 		vscode.window
 			.showInformationMessage("You've been logged out of Coder!", "Login")
 			.then((action) => {
 				if (action === "Login") {
-					vscode.commands.executeCommand("coder.login");
+					this.login();
 				}
 			});
 
+		await this.secretsManager.triggerLoginStateChange("logout");
 		// This will result in clearing the workspace list.
 		vscode.commands.executeCommand("coder.refreshWorkspaces");
 	}

src/core/container.ts

@@ -3,6 +3,7 @@ import * as vscode from "vscode";
 import { type Logger } from "../logging/logger";
 
 import { CliManager } from "./cliManager";
+import { ContextManager } from "./contextManager";
 import { MementoManager } from "./mementoManager";
 import { PathResolver } from "./pathResolver";
 import { SecretsManager } from "./secretsManager";
@@ -17,6 +18,7 @@ export class ServiceContainer implements vscode.Disposable {
 	private readonly mementoManager: MementoManager;
 	private readonly secretsManager: SecretsManager;
 	private readonly cliManager: CliManager;
+	private readonly contextManager: ContextManager;
 
 	constructor(
 		context: vscode.ExtensionContext,
@@ -34,6 +36,7 @@ export class ServiceContainer implements vscode.Disposable {
 			this.logger,
 			this.pathResolver,
 		);
+		this.contextManager = new ContextManager();
 	}
 
 	getVsCodeProposed(): typeof vscode {
@@ -60,10 +63,15 @@ export class ServiceContainer implements vscode.Disposable {
 		return this.cliManager;
 	}
 
+	getContextManager(): ContextManager {
+		return this.contextManager;
+	}
+
 	/**
 	 * Dispose of all services and clean up resources.
 	 */
 	dispose(): void {
+		this.contextManager.dispose();
 		this.logger.dispose();
 	}
 }

src/core/contextManager.ts

@@ -0,0 +1,33 @@
+import * as vscode from "vscode";
+
+const CONTEXT_DEFAULTS = {
+	"coder.authenticated": false,
+	"coder.isOwner": false,
+	"coder.loaded": false,
+	"coder.workspace.updatable": false,
+} as const;
+
+type CoderContext = keyof typeof CONTEXT_DEFAULTS;
+
+export class ContextManager implements vscode.Disposable {
+	private readonly context = new Map<CoderContext, boolean>();
+
+	public constructor() {
+		(Object.keys(CONTEXT_DEFAULTS) as CoderContext[]).forEach((key) => {
+			this.set(key, CONTEXT_DEFAULTS[key]);
+		});
+	}
+
+	public set(key: CoderContext, value: boolean): void {
+		this.context.set(key, value);
+		vscode.commands.executeCommand("setContext", key, value);
+	}
+
+	public get(key: CoderContext): boolean {
+		return this.context.get(key) ?? CONTEXT_DEFAULTS[key];
+	}
+
+	public dispose() {
+		this.context.clear();
+	}
+}

src/core/secretsManager.ts

@@ -1,4 +1,14 @@
-import type { SecretStorage } from "vscode";
+import type { SecretStorage, Disposable } from "vscode";
+
+const SESSION_TOKEN_KEY = "sessionToken";
+
+const LOGIN_STATE_KEY = "loginState";
+
+export enum AuthAction {
+	LOGIN,
+	LOGOUT,
+	INVALID,
+}
 
 export class SecretsManager {
 	constructor(private readonly secrets: SecretStorage) {}
@@ -8,9 +18,9 @@ export class SecretsManager {
 	 */
 	public async setSessionToken(sessionToken?: string): Promise<void> {
 		if (!sessionToken) {
-			await this.secrets.delete("sessionToken");
+			await this.secrets.delete(SESSION_TOKEN_KEY);
 		} else {
-			await this.secrets.store("sessionToken", sessionToken);
+			await this.secrets.store(SESSION_TOKEN_KEY, sessionToken);
 		}
 	}
 
@@ -19,11 +29,45 @@ export class SecretsManager {
 	 */
 	public async getSessionToken(): Promise<string | undefined> {
 		try {
-			return await this.secrets.get("sessionToken");
+			return await this.secrets.get(SESSION_TOKEN_KEY);
 		} catch {
 			// The VS Code session store has become corrupt before, and
 			// will fail to get the session token...
 			return undefined;
 		}
 	}
+
+	/**
+	 * Triggers a login/logout event that propagates across all VS Code windows.
+	 * Uses the secrets storage onDidChange event as a cross-window communication mechanism.
+	 * Appends a timestamp to ensure the value always changes, guaranteeing the event fires.
+	 */
+	public async triggerLoginStateChange(
+		action: "login" | "logout",
+	): Promise<void> {
+		const date = new Date().toISOString();
+		await this.secrets.store(LOGIN_STATE_KEY, `${action}-${date}`);
+	}
+
+	/**
+	 * Listens for login/logout events from any VS Code window.
+	 * The secrets storage onDidChange event fires across all windows, enabling cross-window sync.
+	 */
+	public onDidChangeLoginState(
+		listener: (state: AuthAction) => Promise<void>,
+	): Disposable {
+		return this.secrets.onDidChange(async (e) => {
+			if (e.key === LOGIN_STATE_KEY) {
+				const state = await this.secrets.get(LOGIN_STATE_KEY);
+				if (state?.startsWith("login")) {
+					listener(AuthAction.LOGIN);
+				} else if (state?.startsWith("logout")) {
+					listener(AuthAction.LOGOUT);
+				} else {
+					// Secret was deleted or is invalid
+					listener(AuthAction.INVALID);
+				}
+			}
+		});
+	}
 }

src/error.ts

@@ -64,6 +64,8 @@ export class CertificateError extends Error {
 					return new CertificateError(err.message, X509_ERR.UNTRUSTED_LEAF);
 				case X509_ERR_CODE.SELF_SIGNED_CERT_IN_CHAIN:
 					return new CertificateError(err.message, X509_ERR.UNTRUSTED_CHAIN);
+				case undefined:
+					break;
 			}
 		}
 		return err;
@@ -154,6 +156,7 @@ export class CertificateError extends Error {
 		);
 		switch (val) {
 			case CertificateError.ActionOK:
+			case undefined:
 				return;
 			case CertificateError.ActionAllowInsecure:
 				await this.allowInsecure();