Revert "feat: store session tokens in the OS keyring (#808)"

This reverts commit 80f0c0a.

Author: sreya

esbuild.mjs

@@ -32,7 +32,7 @@ const buildOptions = {
 		// undefined when bundled to CJS, causing runtime errors.
 		openpgp: "./node_modules/openpgp/dist/node/openpgp.min.cjs",
 	},
-	external: ["vscode", "@napi-rs/keyring"],
+	external: ["vscode"],
 	sourcemap: production ? "external" : true,
 	minify: production,
 	plugins: watch ? [logRebuildPlugin] : [],

eslint.config.mjs

@@ -154,7 +154,7 @@ export default defineConfig(
 
 	// Build config - ESM with Node globals
 	{
-		files: ["esbuild.mjs", "scripts/*.mjs"],
+		files: ["esbuild.mjs"],
 		languageOptions: {
 			globals: {
 				...globals.node,

package.json

@@ -32,7 +32,7 @@
 		"test:integration": "tsc -p test --outDir out --noCheck && node esbuild.mjs && vscode-test",
 		"test:webview": "vitest --project webview",
 		"typecheck": "concurrently -g \"tsc --noEmit\" \"tsc --noEmit -p test\"",
-		"vscode:prepublish": "pnpm build:production && node scripts/vendor-keyring.mjs",
+		"vscode:prepublish": "pnpm build:production",
 		"watch": "concurrently -n extension,webviews \"pnpm watch:extension\" \"pnpm watch:webviews\"",
 		"watch:extension": "node esbuild.mjs --watch",
 		"watch:webviews": "pnpm -r --filter \"./packages/*\" --parallel dev"
@@ -156,11 +156,6 @@
 						"type": "string"
 					}
 				},
-				"coder.useKeyring": {
-					"markdownDescription": "Store session tokens in the OS keyring (macOS Keychain, Windows Credential Manager) instead of plaintext files. Requires CLI >= 2.29.0. Has no effect on Linux.",
-					"type": "boolean",
-					"default": true
-				},
 				"coder.httpClientLogLevel": {
 					"markdownDescription": "Controls the verbosity of HTTP client logging. This affects what details are logged for each HTTP request and response.",
 					"type": "string",
@@ -468,7 +463,6 @@
 		"word-wrap": "1.2.5"
 	},
 	"dependencies": {
-		"@napi-rs/keyring": "^1.2.0",
 		"@peculiar/x509": "^1.14.3",
 		"@repo/shared": "workspace:*",
 		"axios": "1.13.6",

pnpm-lock.yaml

@@ -27,16 +27,3 @@ onlyBuiltDependencies:
   - keytar
   - unrs-resolver
   - utf-8-validate
-
-# Install @napi-rs/keyring native binaries for macOS and Windows so they're
-# available when building the universal VSIX (even on Linux CI).
-# Only macOS and Windows use the keyring; Linux falls back to file storage.
-supportedArchitectures:
-  os:
-    - current
-    - darwin
-    - win32
-  cpu:
-    - current
-    - x64
-    - arm64

pnpm-workspace.yaml

@@ -7,7 +7,7 @@ import {
 import { spawn } from "node:child_process";
 import * as vscode from "vscode";
 
-import { type CliAuth, getGlobalFlags } from "../cliConfig";
+import { getGlobalFlags } from "../cliConfig";
 import { type FeatureSet } from "../featureSet";
 import { escapeCommandArg } from "../util";
 import { type UnidirectionalStream } from "../websocket/eventStreamConnection";
@@ -50,7 +50,7 @@ export class LazyStream<T> {
  */
 export async function startWorkspaceIfStoppedOrFailed(
 	restClient: Api,
-	auth: CliAuth,
+	globalConfigDir: string,
 	binPath: string,
 	workspace: Workspace,
 	writeEmitter: vscode.EventEmitter<string>,
@@ -65,7 +65,7 @@ export async function startWorkspaceIfStoppedOrFailed(
 
 	return new Promise((resolve, reject) => {
 		const startArgs = [
-			...getGlobalFlags(vscode.workspace.getConfiguration(), auth),
+			...getGlobalFlags(vscode.workspace.getConfiguration(), globalConfigDir),
 			"start",
 			"--yes",
 			createWorkspaceIdentifier(workspace),

scripts/vendor-keyring.mjs

@@ -1,15 +1,8 @@
+import { type WorkspaceConfiguration } from "vscode";
+
 import { getHeaderArgs } from "./headers";
-import { isKeyringSupported } from "./keyringStore";
 import { escapeCommandArg } from "./util";
 
-import type { WorkspaceConfiguration } from "vscode";
-
-import type { FeatureSet } from "./featureSet";
-
-export type CliAuth =
-	| { mode: "global-config"; configDir: string }
-	| { mode: "url"; url: string };
-
 /**
  * Returns the raw global flags from user configuration.
  */
@@ -21,61 +14,21 @@ export function getGlobalFlagsRaw(
 
 /**
  * Returns global configuration flags for Coder CLI commands.
- * Includes either `--global-config` or `--url` depending on the auth mode.
+ * Always includes the `--global-config` argument with the specified config directory.
  */
 export function getGlobalFlags(
 	configs: Pick<WorkspaceConfiguration, "get">,
-	auth: CliAuth,
+	configDir: string,
 ): string[] {
-	const authFlags =
-		auth.mode === "url"
-			? ["--url", escapeCommandArg(auth.url)]
-			: ["--global-config", escapeCommandArg(auth.configDir)];
-
 	// Last takes precedence/overrides previous ones
 	return [
 		...getGlobalFlagsRaw(configs),
-		...authFlags,
+		"--global-config",
+		escapeCommandArg(configDir),
 		...getHeaderArgs(configs),
 	];
 }
 
-/**
- * Returns true when the user has keyring enabled and the platform supports it.
- */
-export function isKeyringEnabled(
-	configs: Pick<WorkspaceConfiguration, "get">,
-): boolean {
-	return isKeyringSupported() && configs.get<boolean>("coder.useKeyring", true);
-}
-
-/**
- * Single source of truth: should the extension use the OS keyring for this session?
- * Requires CLI >= 2.29.0, macOS or Windows, and the coder.useKeyring setting enabled.
- */
-export function shouldUseKeyring(
-	configs: Pick<WorkspaceConfiguration, "get">,
-	featureSet: FeatureSet,
-): boolean {
-	return isKeyringEnabled(configs) && featureSet.keyringAuth;
-}
-
-/**
- * Resolves how the CLI should authenticate: via the keyring (`--url`) or via
- * the global config directory (`--global-config`).
- */
-export function resolveCliAuth(
-	configs: Pick<WorkspaceConfiguration, "get">,
-	featureSet: FeatureSet,
-	deploymentUrl: string,
-	configDir: string,
-): CliAuth {
-	if (shouldUseKeyring(configs, featureSet)) {
-		return { mode: "url", url: deploymentUrl };
-	}
-	return { mode: "global-config", configDir };
-}
-
 /**
  * Returns SSH flags for the `coder ssh` command from user configuration.
  */