gitkraken
diff --git a/‎src/errors.ts‎
Lines changed: 20 additions & 8 deletions b/‎src/errors.ts‎
Lines changed: 20 additions & 8 deletions
diff --git a/‎src/plus/gk/serverConnection.ts‎
Lines changed: 10 additions & 3 deletions b/‎src/plus/gk/serverConnection.ts‎
Lines changed: 10 additions & 3 deletions
diff --git a/‎src/plus/integrations/authentication/models.ts‎
Lines changed: 56 additions & 0 deletions b/‎src/plus/integrations/authentication/models.ts‎
Lines changed: 56 additions & 0 deletions
diff --git a/‎src/plus/integrations/models/gitHostIntegration.ts‎
Lines changed: 9 additions & 9 deletions b/‎src/plus/integrations/models/gitHostIntegration.ts‎
Lines changed: 9 additions & 9 deletions
diff --git a/‎src/plus/integrations/providers/azure/azure.ts‎
Lines changed: 16 additions & 14 deletions b/‎src/plus/integrations/providers/azure/azure.ts‎
Lines changed: 16 additions & 14 deletions
@@ -4,6 +4,7 @@ import { CancellationError as _CancellationError } from 'vscode';
 import type { Response } from '@env/fetch.js';
 import type { RequiredSubscriptionPlanIds, Subscription } from './plus/gk/models/subscription.js';
 import { isSubscriptionPaidPlan } from './plus/gk/utils/subscription.utils.js';
+import type { TokenInfo } from './plus/integrations/authentication/models.js';
 
 export class AccessDeniedError extends Error {
 	public readonly subscription: Subscription;
@@ -54,27 +55,38 @@ export class AuthenticationError extends Error {
 	readonly original?: Error;
 	readonly reason: AuthenticationErrorReason | undefined;
 
-	constructor(id: string, reason?: AuthenticationErrorReason, original?: Error);
-	constructor(id: string, message?: string, original?: Error);
-	constructor(id: string, messageOrReason: string | AuthenticationErrorReason | undefined, original?: Error) {
+	constructor(info: TokenInfo, reason?: AuthenticationErrorReason, original?: Error);
+	constructor(info: TokenInfo, message?: string, original?: Error);
+	constructor(info: TokenInfo, messageOrReason: string | AuthenticationErrorReason | undefined, original?: Error) {
+		const { providerId: id, type, cloud, scopes, expiresAt } = info;
+		const tokenDetails = [
+			cloud ? 'cloud' : 'self-managed',
+			info.microHash && `@${info.microHash}`,
+			type && ` ${type}`,
+			expiresAt && `expires at ${expiresAt.toISOString()}`,
+			scopes && `[${scopes.join(',')}]`,
+		]
+			.filter(v => v)
+			.join(', ');
+		const authInfo = `(token details: ${tokenDetails})`;
 		let message;
 		let reason: AuthenticationErrorReason | undefined;
 		if (messageOrReason == null) {
-			message = `Unable to get required authentication session for '${id}'`;
+			message = `Unable to get required authentication session for '${id}' ${authInfo}`;
 		} else if (typeof messageOrReason === 'string') {
-			message = messageOrReason;
+			message = `"${messageOrReason}" for '${id}' ${authInfo}`;
 			reason = undefined;
 		} else {
 			reason = messageOrReason;
 			switch (reason) {
 				case AuthenticationErrorReason.UserDidNotConsent:
-					message = `'${id}' authentication is required for this operation`;
+					message = `'${id}' authentication is required for this operation ${authInfo}`;
 					break;
 				case AuthenticationErrorReason.Unauthorized:
-					message = `Your '${id}' credentials are either invalid or expired`;
+					message = `Your '${id}' credentials are either invalid or expired ${authInfo}`;
 					break;
 				case AuthenticationErrorReason.Forbidden:
-					message = `Your '${id}' credentials do not have the required access`;
+					message = `Your '${id}' credentials do not have the required access ${authInfo}`;
 					break;
 			}
 		}
 
@@ -28,6 +28,8 @@ import { memoize } from '../../system/decorators/memoize.js';
 import { Logger } from '../../system/logger.js';
 import type { LogScope } from '../../system/logger.scope.js';
 import { getLogScope } from '../../system/logger.scope.js';
+import type { TokenInfo } from '../integrations/authentication/models.js';
+import { toTokenInfo } from '../integrations/authentication/models.js';
 import type { UrlsProvider } from './urlsProvider.js';
 
 interface FetchOptions {
@@ -185,7 +187,7 @@ export class ServerConnection implements Disposable {
 			}
 			return rsp;
 		} catch (ex) {
-			this.handleGkRequestError('gitkraken', ex, scope);
+			this.handleGkRequestError(options?.token || undefined, ex, scope);
 			throw ex;
 		}
 	}
@@ -266,6 +268,11 @@ export class ServerConnection implements Disposable {
 		if (ex instanceof CancellationError) throw ex;
 		if (ex.name === 'AbortError') throw new CancellationError(ex);
 
+		const gitkrakenTokenInfo: TokenInfo<'gitkraken'> = toTokenInfo('gitkraken', token, {
+			cloud: true,
+			scopes: undefined,
+		});
+
 		switch (ex.status) {
 			case 404: // Not found
 				throw new RequestNotFoundError(ex);
@@ -274,7 +281,7 @@ export class ServerConnection implements Disposable {
 			case 422: // Unprocessable Entity
 				throw new RequestUnprocessableEntityError(ex);
 			case 401: // Unauthorized
-				throw new AuthenticationError('gitkraken', AuthenticationErrorReason.Unauthorized, ex);
+				throw new AuthenticationError(gitkrakenTokenInfo, AuthenticationErrorReason.Unauthorized, ex);
 			case 429: //Too Many Requests
 				this.trackRequestException();
 				throw this.buildRequestRateLimitError(token, ex);
@@ -283,7 +290,7 @@ export class ServerConnection implements Disposable {
 					this.trackRequestException();
 					throw this.buildRequestRateLimitError(token, ex);
 				}
-				throw new AuthenticationError('gitkraken', AuthenticationErrorReason.Forbidden, ex);
+				throw new AuthenticationError(gitkrakenTokenInfo, AuthenticationErrorReason.Forbidden, ex);
 			case 500: // Internal Server Error
 				Logger.error(ex, scope);
 				if (ex.response != null) {
 
@@ -1,4 +1,5 @@
 import type { AuthenticationSession } from 'vscode';
+import { md5 } from '@env/crypto.js';
 import type { IntegrationIds, SupportedCloudIntegrationIds } from '../../../constants.integrations.js';
 import {
 	GitCloudHostIntegrationId,
@@ -16,6 +17,61 @@ export interface ProviderAuthenticationSession extends AuthenticationSession {
 	readonly protocol?: string;
 }
 
+export interface TokenInfo<T extends IntegrationIds | 'gitkraken' = IntegrationIds | 'gitkraken'> {
+	readonly providerId: T;
+	/**
+	 * The first 3 characters of the md5 hash of the token.
+	 * It's a very obfuscated representation of the token that we can use in logs
+	 * to see whether the token survives refreshing or gets updated.
+	 */
+	readonly microHash: string | undefined;
+	readonly cloud: boolean;
+	readonly scopes: readonly string[] | undefined;
+	readonly type?: CloudIntegrationAuthType;
+	readonly expiresAt?: Date;
+}
+
+export interface TokenWithInfo<T extends IntegrationIds = IntegrationIds> extends TokenInfo<T> {
+	readonly accessToken: string;
+}
+
+export function toTokenInfo<T extends IntegrationIds | 'gitkraken'>(
+	providerId: T,
+	accessToken: string | undefined,
+	info: { cloud: boolean; scopes?: readonly string[]; expiresAt?: Date },
+): TokenInfo<T> {
+	return {
+		providerId: providerId,
+		microHash: microhash(accessToken),
+		cloud: info.cloud,
+		scopes: info.scopes,
+		expiresAt: info.expiresAt,
+	};
+}
+
+export function toTokenWithInfo<T extends IntegrationIds>(
+	providerId: T,
+	session: ProviderAuthenticationSession,
+	altToken?: string,
+): TokenWithInfo<T> {
+	const accessToken = altToken ?? session.accessToken;
+	return {
+		...toTokenInfo(providerId, accessToken, session),
+		accessToken: accessToken,
+	};
+}
+
+function microhash(token: undefined): undefined;
+function microhash(token: string): string;
+function microhash(token: string | undefined): string | undefined;
+function microhash(token: string | undefined): string | undefined {
+	return !token ? undefined : md5(token, 'hex').substring(0, 3);
+}
+
+export type TokenOptInfo<T extends IntegrationIds = IntegrationIds> =
+	| TokenWithInfo<T>
+	| { providerId: T; accessToken?: undefined };
+
 export interface ConfiguredIntegrationDescriptor {
 	readonly cloud: boolean;
 	readonly integrationId: IntegrationIds;
 
@@ -337,7 +337,7 @@ export abstract class GitHostIntegration<
 
 				let userAccount: ProviderAccount | undefined;
 				try {
-					userAccount = await api.getCurrentUserForInstance(providerId, organization);
+					userAccount = await api.getCurrentUserForInstance({ providerId: providerId }, organization);
 				} catch (ex) {
 					Logger.error(ex, 'getIssuesForRepos');
 					return undefined;
@@ -380,7 +380,7 @@ export abstract class GitHostIntegration<
 				await Promise.all(
 					projectInputs.map(async projectInput => {
 						const results = await api.getIssuesForAzureProject(
-							providerId,
+							{ providerId: providerId },
 							projectInput.namespace,
 							projectInput.project,
 							{
@@ -415,7 +415,7 @@ export abstract class GitHostIntegration<
 		if (options?.filters != null) {
 			let userAccount: ProviderAccount | undefined;
 			try {
-				userAccount = await api.getCurrentUser(providerId);
+				userAccount = await api.getCurrentUser({ providerId: providerId });
 			} catch (ex) {
 				Logger.error(ex, 'getIssuesForRepos');
 				return undefined;
@@ -453,7 +453,7 @@ export abstract class GitHostIntegration<
 				const data: ProviderIssue[] = [];
 				await Promise.all(
 					repoInputs.map(async repoInput => {
-						const results = await api.getIssuesForRepo(providerId, repoInput.repo, {
+						const results = await api.getIssuesForRepo({ providerId: providerId }, repoInput.repo, {
 							...getIssuesOptions,
 							cursor: repoInput.cursor,
 							baseUrl: options?.customUrl,
@@ -480,7 +480,7 @@ export abstract class GitHostIntegration<
 		}
 
 		try {
-			return await api.getIssuesForRepos(providerId, reposOrRepoIds, {
+			return await api.getIssuesForRepos({ providerId: providerId }, reposOrRepoIds, {
 				...getIssuesOptions,
 				cursor: options?.cursor,
 				baseUrl: options?.customUrl,
@@ -540,14 +540,14 @@ export abstract class GitHostIntegration<
 
 				const organization: string = first(organizations.values())!;
 				try {
-					userAccount = await api.getCurrentUserForInstance(providerId, organization);
+					userAccount = await api.getCurrentUserForInstance({ providerId: providerId }, organization);
 				} catch (ex) {
 					Logger.error(ex, 'getPullRequestsForRepos');
 					return undefined;
 				}
 			} else {
 				try {
-					userAccount = await api.getCurrentUser(providerId);
+					userAccount = await api.getCurrentUser({ providerId: providerId });
 				} catch (ex) {
 					Logger.error(ex, 'getPullRequestsForRepos');
 					return undefined;
@@ -602,7 +602,7 @@ export abstract class GitHostIntegration<
 				const data: ProviderPullRequest[] = [];
 				await Promise.all(
 					repoInputs.map(async repoInput => {
-						const results = await api.getPullRequestsForRepo(providerId, repoInput.repo, {
+						const results = await api.getPullRequestsForRepo({ providerId: providerId }, repoInput.repo, {
 							...getPullRequestsOptions,
 							cursor: repoInput.cursor,
 							baseUrl: options?.customUrl,
@@ -629,7 +629,7 @@ export abstract class GitHostIntegration<
 		}
 
 		try {
-			return await api.getPullRequestsForRepos(providerId, reposOrRepoIds, {
+			return await api.getPullRequestsForRepos({ providerId: providerId }, reposOrRepoIds, {
 				...getPullRequestsOptions,
 				cursor: options?.cursor,
 				baseUrl: options?.customUrl,
 
@@ -26,6 +26,7 @@ import { Logger } from '../../../../system/logger.js';
 import type { LogScope } from '../../../../system/logger.scope.js';
 import { getLogScope } from '../../../../system/logger.scope.js';
 import { maybeStopWatch } from '../../../../system/stopwatch.js';
+import type { TokenInfo, TokenWithInfo } from '../../authentication/models.js';
 import type {
 	AzureGitCommit,
 	AzureProjectDescriptor,
@@ -82,7 +83,7 @@ export class AzureDevOpsApi implements Disposable {
 	@debug<AzureDevOpsApi['getPullRequestForBranch']>({ args: { 0: p => p.name, 1: '<token>' } })
 	public async getPullRequestForBranch(
 		provider: Provider,
-		token: string,
+		token: TokenWithInfo,
 		owner: string,
 		repo: string,
 		branch: string,
@@ -136,7 +137,7 @@ export class AzureDevOpsApi implements Disposable {
 	@debug<AzureDevOpsApi['getPullRequestForCommit']>({ args: { 0: p => p.name, 1: '<token>' } })
 	async getPullRequestForCommit(
 		provider: Provider,
-		token: string,
+		token: TokenWithInfo,
 		owner: string,
 		repo: string,
 		rev: string,
@@ -193,7 +194,7 @@ export class AzureDevOpsApi implements Disposable {
 	@debug<AzureDevOpsApi['getIssueOrPullRequest']>({ args: { 0: p => p.name, 1: '<token>' } })
 	public async getIssueOrPullRequest(
 		provider: Provider,
-		token: string,
+		token: TokenWithInfo,
 		owner: string,
 		repo: string,
 		id: string,
@@ -295,7 +296,7 @@ export class AzureDevOpsApi implements Disposable {
 	@debug<AzureDevOpsApi['getIssue']>({ args: { 0: p => p.name, 1: '<token>' } })
 	public async getIssue(
 		provider: Provider,
-		token: string,
+		token: TokenWithInfo,
 		project: AzureProjectDescriptor,
 		id: string,
 		options: {
@@ -344,7 +345,7 @@ export class AzureDevOpsApi implements Disposable {
 	@debug<AzureDevOpsApi['getAccountForCommit']>({ args: { 0: p => p.name, 1: '<token>' } })
 	async getAccountForCommit(
 		provider: Provider,
-		token: string,
+		token: TokenWithInfo,
 		owner: string,
 		repo: string,
 		rev: string,
@@ -394,7 +395,7 @@ export class AzureDevOpsApi implements Disposable {
 	@debug<AzureDevOpsApi['getCurrentUserOnServer']>({ args: { 0: p => p.name, 1: '<token>' } })
 	async getCurrentUserOnServer(
 		provider: Provider,
-		token: string,
+		token: TokenWithInfo,
 		baseUrl: string,
 	): Promise<{ id: string; name?: string; email?: string; username?: string; avatarUrl?: string } | undefined> {
 		const scope = getLogScope();
@@ -450,7 +451,7 @@ export class AzureDevOpsApi implements Disposable {
 		issueType: string,
 		state: string,
 		provider: Provider,
-		token: string,
+		token: TokenWithInfo,
 		owner: string,
 		projectName: string,
 		options: {
@@ -470,7 +471,7 @@ export class AzureDevOpsApi implements Disposable {
 	private async retrieveWorkItemTypeStates(
 		workItemType: string,
 		provider: Provider,
-		token: string,
+		token: TokenWithInfo,
 		owner: string,
 		projectName: string,
 		options: {
@@ -500,13 +501,14 @@ export class AzureDevOpsApi implements Disposable {
 
 	private async request<T>(
 		provider: Provider,
-		token: string,
+		token: TokenWithInfo,
 		baseUrl: string | undefined,
 		route: string,
 		options: { method: RequestInit['method'] } & Record<string, unknown>,
 		scope: LogScope | undefined,
 		cancellation?: CancellationToken | undefined,
 	): Promise<T | undefined> {
+		const { accessToken, ...tokenInfo } = token;
 		const url = baseUrl ? `${baseUrl}/${route}` : route;
 
 		let rsp: Response;
@@ -526,7 +528,7 @@ export class AzureDevOpsApi implements Disposable {
 				rsp = await wrapForForcedInsecureSSL(provider.getIgnoreSSLErrors(), () =>
 					fetch(url, {
 						headers: {
-							Authorization: `Basic ${base64(`PAT:${token}`)}`,
+							Authorization: `Basic ${base64(`PAT:${accessToken}`)}`,
 							'Content-Type': 'application/json',
 						},
 						agent: agent,
@@ -546,7 +548,7 @@ export class AzureDevOpsApi implements Disposable {
 			}
 		} catch (ex) {
 			if (ex instanceof ProviderFetchError || ex.name === 'AbortError') {
-				this.handleRequestError(provider, token, ex, scope);
+				this.handleRequestError(provider, tokenInfo, ex, scope);
 			} else if (Logger.isDebugging) {
 				void window.showErrorMessage(`AzureDevOps request failed: ${ex.message}`);
 			}
@@ -557,7 +559,7 @@ export class AzureDevOpsApi implements Disposable {
 
 	private handleRequestError(
 		provider: Provider | undefined,
-		_token: string,
+		tokenInfo: TokenInfo,
 		ex: ProviderFetchError | (Error & { name: 'AbortError' }),
 		scope: LogScope | undefined,
 	): void {
@@ -569,7 +571,7 @@ export class AzureDevOpsApi implements Disposable {
 			case 422: // Unprocessable Entity
 				throw new RequestNotFoundError(ex);
 			case 401: // Unauthorized
-				throw new AuthenticationError('azureDevOps', AuthenticationErrorReason.Unauthorized, ex);
+				throw new AuthenticationError(tokenInfo, AuthenticationErrorReason.Unauthorized, ex);
 			case 403: // Forbidden
 				// TODO: Learn the Azure API docs and put it in order:
 				// 	if (ex.message.includes('rate limit')) {
@@ -585,7 +587,7 @@ export class AzureDevOpsApi implements Disposable {
 
 				// 		throw new RequestRateLimitError(ex, token, resetAt);
 				// 	}
-				throw new AuthenticationError('azure', AuthenticationErrorReason.Forbidden, ex);
+				throw new AuthenticationError(tokenInfo, AuthenticationErrorReason.Forbidden, ex);
 			case 500: // Internal Server Error
 				Logger.error(ex, scope);
 				if (ex.response != null) {