Self-review

Author: EhabY

scripts/vendor-keyring.mjs

@@ -1,52 +1,61 @@
 /**
  * Vendor @napi-rs/keyring into dist/node_modules/ for VSIX packaging.
  *
- * pnpm uses symlinks that vsce can't follow.  This script resolves them and
+ * pnpm uses symlinks that vsce can't follow. This script resolves them and
  * copies the JS wrapper plus macOS/Windows .node binaries into dist/, where
  * Node's require() resolution finds them from dist/extension.js.
  */
-import { cpSync, existsSync, mkdirSync, realpathSync, rmSync } from "node:fs";
-import { join, resolve, basename } from "node:path";
+import {
+	cpSync,
+	existsSync,
+	mkdirSync,
+	readdirSync,
+	realpathSync,
+	rmSync,
+} from "node:fs";
+import { join, resolve } from "node:path";
 
-const outputDir = resolve("dist/node_modules/@napi-rs/keyring");
 const keyringPkg = resolve("node_modules/@napi-rs/keyring");
+const outputDir = resolve("dist/node_modules/@napi-rs/keyring");
 
 if (!existsSync(keyringPkg)) {
-	console.log("@napi-rs/keyring not found, skipping");
-	process.exit(0);
+	console.error("@napi-rs/keyring not found — run pnpm install first");
+	process.exit(1);
 }
 
+// Copy the JS wrapper package (resolving pnpm symlinks)
 const resolvedPkg = realpathSync(keyringPkg);
-
 rmSync(outputDir, { recursive: true, force: true });
 mkdirSync(outputDir, { recursive: true });
 cpSync(resolvedPkg, outputDir, { recursive: true });
 
-// Platform packages are siblings of the resolved keyring package in pnpm's layout.
-// Exact file names so the build fails loudly if the native module renames anything.
+// Native binary packages live as siblings of the resolved keyring package in
+// pnpm's content-addressable store (they aren't hoisted to node_modules).
 const siblingsDir = resolve(resolvedPkg, "..");
-const binaries = [
-	"keyring-darwin-arm64/keyring.darwin-arm64.node",
-	"keyring-darwin-x64/keyring.darwin-x64.node",
-	"keyring-win32-arm64-msvc/keyring.win32-arm64-msvc.node",
-	"keyring-win32-x64-msvc/keyring.win32-x64-msvc.node",
+const nativePackages = [
+	"keyring-darwin-arm64",
+	"keyring-darwin-x64",
+	"keyring-win32-arm64-msvc",
+	"keyring-win32-x64-msvc",
 ];
 
-for (const binary of binaries) {
-	const symlink = join(siblingsDir, binary);
-	if (!existsSync(symlink)) {
+for (const pkg of nativePackages) {
+	const pkgDir = join(siblingsDir, pkg);
+	if (!existsSync(pkgDir)) {
 		console.error(
-			`Missing native binary: ${binary}\n` +
-				"Ensure .npmrc includes supportedArchitectures for all target OS/CPU combinations.",
+			`Missing native package: ${pkg}\n` +
+				"Ensure supportedArchitectures in pnpm-workspace.yaml includes all target platforms.",
 		);
 		process.exit(1);
 	}
-	const src = realpathSync(symlink);
-	const filename = basename(binary);
-	const dest = join(outputDir, filename);
-	cpSync(src, dest);
+	const nodeFile = readdirSync(pkgDir).find((f) => f.endsWith(".node"));
+	if (!nodeFile) {
+		console.error(`No .node binary found in ${pkg}`);
+		process.exit(1);
+	}
+	cpSync(join(pkgDir, nodeFile), join(outputDir, nodeFile));
 }
 
 console.log(
-	`Vendored @napi-rs/keyring with ${binaries.length} platform binaries into dist/`,
+	`Vendored @napi-rs/keyring with ${nativePackages.length} platform binaries into dist/`,
 );

src/core/cliManager.ts

@@ -2,27 +2,30 @@ import globalAxios, {
 	type AxiosInstance,
 	type AxiosRequestConfig,
 } from "axios";
-import { type Api } from "coder/site/src/api/api";
 import { createWriteStream, type WriteStream } from "node:fs";
 import fs from "node:fs/promises";
-import { type IncomingMessage } from "node:http";
 import path from "node:path";
 import prettyBytes from "pretty-bytes";
 import * as semver from "semver";
 import * as vscode from "vscode";
 
 import { errToStr } from "../api/api-helper";
 import { shouldUseKeyring } from "../cliConfig";
-import { type FeatureSet } from "../featureSet";
-import { type KeyringStore } from "../keyringStore";
-import { type Logger } from "../logging/logger";
+import { isKeyringSupported, type KeyringStore } from "../keyringStore";
 import * as pgp from "../pgp";
 import { vscodeProposed } from "../vscodeProposed";
 
 import { BinaryLock } from "./binaryLock";
 import * as cliUtils from "./cliUtils";
 import * as downloadProgress from "./downloadProgress";
-import { type PathResolver } from "./pathResolver";
+
+import type { Api } from "coder/site/src/api/api";
+import type { IncomingMessage } from "node:http";
+
+import type { FeatureSet } from "../featureSet";
+import type { Logger } from "../logging/logger";
+
+import type { PathResolver } from "./pathResolver";
 
 export class CliManager {
 	private readonly binaryLock: BinaryLock;
@@ -712,9 +715,9 @@ export class CliManager {
 		safeHostname: string,
 		url: string | undefined,
 		token: string | null,
-		featureSet?: FeatureSet,
+		featureSet: FeatureSet,
 	) {
-		if (featureSet && shouldUseKeyring(featureSet) && url && token !== null) {
+		if (shouldUseKeyring(featureSet) && url && token !== null) {
 			try {
 				this.keyringStore.setToken(url, token);
 				this.output.info("Stored token in OS keyring for", url);
@@ -736,11 +739,13 @@ export class CliManager {
 	 * Remove credentials for a deployment from both keyring and file storage.
 	 */
 	public async clearCredentials(safeHostname: string): Promise<void> {
-		try {
-			this.keyringStore.deleteToken(safeHostname);
-			this.output.info("Removed keyring token for", safeHostname);
-		} catch (error) {
-			this.output.warn("Failed to remove keyring token", error);
+		if (isKeyringSupported()) {
+			try {
+				this.keyringStore.deleteToken(safeHostname);
+				this.output.info("Removed keyring token for", safeHostname);
+			} catch (error) {
+				this.output.warn("Failed to remove keyring token", error);
+			}
 		}
 
 		const tokenPath = this.pathResolver.getSessionTokenPath(safeHostname);

src/keyringStore.ts

@@ -55,8 +55,10 @@ function toHost(deploymentUrl: string): string {
 }
 
 /**
- * Finds the map key matching a safeHostname (ports stripped). Map keys use
- * `new URL().host` which preserves ports, so the fallback strips ports to match.
+ * Finds the map key matching a safeHostname. VS Code identifies deployments by
+ * safeHostname (port stripped), while the CLI stores map keys via `toHost`
+ * which preserves ports. The fallback strips ports from map keys so VS Code's
+ * port-less hostname still matches a CLI-written entry with a port.
  */
 function findMapKey(
 	map: CredentialMap,
@@ -90,12 +92,12 @@ export function isKeyringSupported(): boolean {
  *   Windows: raw UTF-8 JSON bytes via setSecret/getSecret
  */
 export class KeyringStore {
-	constructor(
+	public constructor(
 		private readonly logger: Logger,
 		private readonly entryFactory: () => KeyringEntry = createDefaultEntry,
 	) {}
 
-	setToken(deploymentUrl: string, token: string): void {
+	public setToken(deploymentUrl: string, token: string): void {
 		this.assertSupported();
 		const entry = this.entryFactory();
 		const map = this.readMap(entry);
@@ -104,15 +106,15 @@ export class KeyringStore {
 		this.writeMap(entry, map);
 	}
 
-	getToken(safeHostname: string): string | undefined {
+	public getToken(safeHostname: string): string | undefined {
 		this.assertSupported();
 		const entry = this.entryFactory();
 		const map = this.readMap(entry);
 		const key = findMapKey(map, safeHostname);
 		return key !== undefined ? map[key].api_token : undefined;
 	}
 
-	deleteToken(safeHostname: string): void {
+	public deleteToken(safeHostname: string): void {
 		this.assertSupported();
 		const entry = this.entryFactory();
 		const map = this.readMap(entry);

src/login/loginCoordinator.ts

@@ -213,11 +213,13 @@ export class LoginCoordinator implements vscode.Disposable {
 
 		// mTLS authentication (no token needed)
 		if (!needToken(vscode.workspace.getConfiguration())) {
+			this.logger.debug("Attempting mTLS authentication (no token required)");
 			return this.tryMtlsAuth(client, isAutoLogin);
 		}
 
 		// Try provided token first
 		if (providedToken) {
+			this.logger.debug("Trying provided token");
 			const result = await this.tryTokenAuth(
 				client,
 				providedToken,
@@ -233,32 +235,31 @@ export class LoginCoordinator implements vscode.Disposable {
 			deployment.safeHostname,
 		);
 		if (auth?.token && auth.token !== providedToken) {
+			this.logger.debug("Trying stored session token");
 			const result = await this.tryTokenAuth(client, auth.token, isAutoLogin);
 			if (result !== "unauthorized") {
 				return result;
 			}
 		}
 
 		// Try keyring token (picks up tokens written by `coder login` in the terminal)
+		let keyringToken: string | undefined;
 		try {
-			const keyringToken = this.keyringStore.getToken(deployment.safeHostname);
-			if (
-				keyringToken &&
-				keyringToken !== providedToken &&
-				keyringToken !== auth?.token
-			) {
-				const result = await this.tryTokenAuth(
-					client,
-					keyringToken,
-					isAutoLogin,
-				);
-				if (result !== "unauthorized") {
-					return result;
-				}
-			}
+			keyringToken = this.keyringStore.getToken(deployment.safeHostname);
 		} catch (error) {
 			this.logger.warn("Failed to read token from keyring", error);
 		}
+		if (
+			keyringToken &&
+			keyringToken !== providedToken &&
+			keyringToken !== auth?.token
+		) {
+			this.logger.debug("Trying token from OS keyring");
+			const result = await this.tryTokenAuth(client, keyringToken, isAutoLogin);
+			if (result !== "unauthorized") {
+				return result;
+			}
+		}
 
 		// Prompt user for token
 		const authMethod = await maybeAskAuthMethod(client);

src/remote/remote.ts

@@ -176,7 +176,7 @@ export class Remote {
 				}
 			};
 
-			// It could be that the cli config was deleted.  If so, ask for the url.
+			// It could be that the cli config was deleted. If so, ask for the url.
 			if (
 				!baseUrlRaw ||
 				(!token && needToken(vscode.workspace.getConfiguration()))

test/unit/cliConfig.test.ts

@@ -175,48 +175,48 @@ describe("cliConfig", () => {
 
 		it("returns true when all conditions are met (macOS, keyringAuth, setting enabled)", () => {
 			vi.stubGlobal("process", { ...process, platform: "darwin" });
-			const _config = new MockConfigurationProvider();
-			_config.set("coder.useKeyring", true);
+			const config = new MockConfigurationProvider();
+			config.set("coder.useKeyring", true);
 			const featureSet = featureSetForVersion(semver.parse("2.29.0"));
 			expect(shouldUseKeyring(featureSet)).toBe(true);
 		});
 
 		it("returns true when all conditions are met (Windows)", () => {
 			vi.stubGlobal("process", { ...process, platform: "win32" });
-			const _config = new MockConfigurationProvider();
-			_config.set("coder.useKeyring", true);
+			const config = new MockConfigurationProvider();
+			config.set("coder.useKeyring", true);
 			const featureSet = featureSetForVersion(semver.parse("2.29.0"));
 			expect(shouldUseKeyring(featureSet)).toBe(true);
 		});
 
 		it("returns false on Linux", () => {
 			vi.stubGlobal("process", { ...process, platform: "linux" });
-			const _config = new MockConfigurationProvider();
-			_config.set("coder.useKeyring", true);
+			const config = new MockConfigurationProvider();
+			config.set("coder.useKeyring", true);
 			const featureSet = featureSetForVersion(semver.parse("2.29.0"));
 			expect(shouldUseKeyring(featureSet)).toBe(false);
 		});
 
 		it("returns false when CLI version is too old", () => {
 			vi.stubGlobal("process", { ...process, platform: "darwin" });
-			const _config = new MockConfigurationProvider();
-			_config.set("coder.useKeyring", true);
+			const config = new MockConfigurationProvider();
+			config.set("coder.useKeyring", true);
 			const featureSet = featureSetForVersion(semver.parse("2.28.0"));
 			expect(shouldUseKeyring(featureSet)).toBe(false);
 		});
 
 		it("returns false when setting is disabled", () => {
 			vi.stubGlobal("process", { ...process, platform: "darwin" });
-			const _config = new MockConfigurationProvider();
-			_config.set("coder.useKeyring", false);
+			const config = new MockConfigurationProvider();
+			config.set("coder.useKeyring", false);
 			const featureSet = featureSetForVersion(semver.parse("2.29.0"));
 			expect(shouldUseKeyring(featureSet)).toBe(false);
 		});
 
 		it("returns true for devel prerelease on macOS", () => {
 			vi.stubGlobal("process", { ...process, platform: "darwin" });
-			const _config = new MockConfigurationProvider();
-			_config.set("coder.useKeyring", true);
+			const config = new MockConfigurationProvider();
+			config.set("coder.useKeyring", true);
 			const featureSet = featureSetForVersion(
 				semver.parse("0.0.0-devel+abc123"),
 			);
@@ -238,8 +238,8 @@ describe("cliConfig", () => {
 
 		it("returns url mode when keyring should be used", () => {
 			vi.stubGlobal("process", { ...process, platform: "darwin" });
-			const _config = new MockConfigurationProvider();
-			_config.set("coder.useKeyring", true);
+			const config = new MockConfigurationProvider();
+			config.set("coder.useKeyring", true);
 			const featureSet = featureSetForVersion(semver.parse("2.29.0"));
 			const auth = resolveCliAuth(
 				featureSet,
@@ -254,7 +254,7 @@ describe("cliConfig", () => {
 
 		it("returns global-config mode when keyring should not be used", () => {
 			vi.stubGlobal("process", { ...process, platform: "linux" });
-			const _config = new MockConfigurationProvider();
+			new MockConfigurationProvider();
 			const featureSet = featureSetForVersion(semver.parse("2.29.0"));
 			const auth = resolveCliAuth(
 				featureSet,
@@ -269,8 +269,8 @@ describe("cliConfig", () => {
 
 		it("returns global-config mode when url is undefined", () => {
 			vi.stubGlobal("process", { ...process, platform: "darwin" });
-			const _config = new MockConfigurationProvider();
-			_config.set("coder.useKeyring", true);
+			const config = new MockConfigurationProvider();
+			config.set("coder.useKeyring", true);
 			const featureSet = featureSetForVersion(semver.parse("2.29.0"));
 			const auth = resolveCliAuth(featureSet, undefined, "/config/dir");
 			expect(auth).toEqual({