feat: make keyring opt-in and store token at login

- Default `coder.useKeyring` to false (opt-in) due to shared logout
  side effects between CLI and IDE
- Update setting description to document sync behavior and version
  requirements
- Store token to OS keyring at login time so the CLI picks it up
  immediately
- Show cancellable progress notification for all CLI keyring
  invocations during login
- Migrate CliCredentialManager public API to options bag pattern with
  signal and keyringOnly support

Author: EhabY

CHANGELOG.md

@@ -2,6 +2,13 @@
 
 ## Unreleased
 
+### Changed
+
+- `coder.useKeyring` is now opt-in (default: false). Keyring storage requires CLI >= 2.29.0 for
+  storage and logout sync, and >= 2.31.0 for syncing login from CLI to VS Code.
+- Session tokens are now saved to the OS keyring at login time (when enabled and CLI >= 2.29.0),
+  not only when connecting to a workspace.
+
 ### Added
 
 - Proxy log directory now defaults to the extension's global storage when `coder.proxyLogDirectory`

package.json

@@ -157,9 +157,9 @@
 					}
 				},
 				"coder.useKeyring": {
-					"markdownDescription": "Store session tokens in the OS keyring (macOS Keychain, Windows Credential Manager) instead of plaintext files. Requires CLI >= 2.29.0. Has no effect on Linux.",
+					"markdownDescription": "Store session tokens in the OS keyring (macOS Keychain, Windows Credential Manager) instead of plaintext files. Requires CLI >= 2.29.0 (>= 2.31.0 to sync login from CLI to VS Code). This will attempt to sync between the CLI and VS Code since they share the same keyring entry. It will log you out of the CLI if you log out of the IDE, and vice versa. Has no effect on Linux.",
 					"type": "boolean",
-					"default": true
+					"default": false
 				},
 				"coder.httpClientLogLevel": {
 					"markdownDescription": "Controls the verbosity of HTTP client logging. This affects what details are logged for each HTTP request and response.",

src/cliConfig.ts

@@ -68,7 +68,9 @@ function isFlag(item: string, name: string): boolean {
 export function isKeyringEnabled(
 	configs: Pick<WorkspaceConfiguration, "get">,
 ): boolean {
-	return isKeyringSupported() && configs.get<boolean>("coder.useKeyring", true);
+	return (
+		isKeyringSupported() && configs.get<boolean>("coder.useKeyring", false)
+	);
 }
 
 /**

src/core/cliCredentialManager.ts

@@ -1,5 +1,6 @@
 import { execFile } from "node:child_process";
 import fs from "node:fs/promises";
+import os from "node:os";
 import path from "node:path";
 import { promisify } from "node:util";
 import * as semver from "semver";
@@ -34,7 +35,8 @@ export type BinaryResolver = (deploymentUrl: string) => Promise<string>;
  * Returns true on platforms where the OS keyring is supported (macOS, Windows).
  */
 export function isKeyringSupported(): boolean {
-	return process.platform === "darwin" || process.platform === "win32";
+	const platform = os.platform();
+	return platform === "darwin" || platform === "win32";
 }
 
 /**
@@ -54,19 +56,25 @@ export class CliCredentialManager {
 	 * files under --global-config.
 	 *
 	 * Keyring and files are mutually exclusive — never both.
+	 *
+	 * When `keyringOnly` is set, silently returns if the keyring is unavailable
+	 * instead of falling back to file storage.
 	 */
 	public async storeToken(
 		url: string,
 		token: string,
 		configs: Pick<WorkspaceConfiguration, "get">,
-		signal?: AbortSignal,
+		options?: { signal?: AbortSignal; keyringOnly?: boolean },
 	): Promise<void> {
 		const binPath = await this.resolveKeyringBinary(
 			url,
 			configs,
 			"keyringAuth",
 		);
 		if (!binPath) {
+			if (options?.keyringOnly) {
+				return;
+			}
 			await this.writeCredentialFiles(url, token);
 			return;
 		}
@@ -80,7 +88,7 @@ export class CliCredentialManager {
 		try {
 			await this.execWithTimeout(binPath, args, {
 				env: { ...process.env, CODER_SESSION_TOKEN: token },
-				signal,
+				signal: options?.signal,
 			});
 			this.logger.info("Stored token via CLI for", url);
 		} catch (error) {
@@ -96,6 +104,7 @@ export class CliCredentialManager {
 	public async readToken(
 		url: string,
 		configs: Pick<WorkspaceConfiguration, "get">,
+		options?: { signal?: AbortSignal },
 	): Promise<string | undefined> {
 		let binPath: string | undefined;
 		try {
@@ -114,10 +123,15 @@ export class CliCredentialManager {
 
 		const args = [...getHeaderArgs(configs), "login", "token", "--url", url];
 		try {
-			const { stdout } = await this.execWithTimeout(binPath, args);
+			const { stdout } = await this.execWithTimeout(binPath, args, {
+				signal: options?.signal,
+			});
 			const token = stdout.trim();
 			return token || undefined;
 		} catch (error) {
+			if ((error as Error).name === "AbortError") {
+				throw error;
+			}
 			this.logger.warn("Failed to read token via CLI:", error);
 			return undefined;
 		}
@@ -130,11 +144,11 @@ export class CliCredentialManager {
 	public async deleteToken(
 		url: string,
 		configs: Pick<WorkspaceConfiguration, "get">,
-		signal?: AbortSignal,
+		options?: { signal?: AbortSignal },
 	): Promise<void> {
 		await Promise.all([
 			this.deleteCredentialFiles(url),
-			this.deleteKeyringToken(url, configs, signal),
+			this.deleteKeyringToken(url, configs, options?.signal),
 		]);
 	}
 

src/core/cliManager.ts

@@ -10,8 +10,9 @@ import * as semver from "semver";
 import * as vscode from "vscode";
 
 import { errToStr } from "../api/api-helper";
+import { isKeyringEnabled } from "../cliConfig";
 import * as pgp from "../pgp";
-import { withCancellableProgress } from "../progress";
+import { withCancellableProgress, withOptionalProgress } from "../progress";
 import { tempFilePath, toSafeHost } from "../util";
 import { vscodeProposed } from "../vscodeProposed";
 
@@ -759,13 +760,13 @@ export class CliManager {
 		}
 
 		const result = await withCancellableProgress(
+			({ signal }) =>
+				this.cliCredentialManager.storeToken(url, token, configs, { signal }),
 			{
 				location: vscode.ProgressLocation.Notification,
 				title: `Storing credentials for ${url}`,
 				cancellable: true,
 			},
-			({ signal }) =>
-				this.cliCredentialManager.storeToken(url, token, configs, signal),
 		);
 		if (result.ok) {
 			return;
@@ -783,14 +784,15 @@ export class CliManager {
 	 */
 	public async clearCredentials(url: string): Promise<void> {
 		const configs = vscode.workspace.getConfiguration();
-		const result = await withCancellableProgress(
+		const result = await withOptionalProgress(
+			({ signal }) =>
+				this.cliCredentialManager.deleteToken(url, configs, { signal }),
 			{
+				enabled: isKeyringEnabled(configs),
 				location: vscode.ProgressLocation.Notification,
 				title: `Removing credentials for ${url}`,
 				cancellable: true,
 			},
-			({ signal }) =>
-				this.cliCredentialManager.deleteToken(url, configs, signal),
 		);
 		if (result.ok) {
 			return;

src/login/loginCoordinator.ts

@@ -4,9 +4,11 @@ import * as vscode from "vscode";
 
 import { CoderApi } from "../api/coderApi";
 import { needToken } from "../api/utils";
+import { isKeyringEnabled } from "../cliConfig";
 import { CertificateError } from "../error/certificateError";
 import { OAuthAuthorizer } from "../oauth/authorizer";
 import { buildOAuthTokenData } from "../oauth/utils";
+import { withOptionalProgress } from "../progress";
 import { maybeAskAuthMethod, maybeAskUrl } from "../promptUtils";
 import { vscodeProposed } from "../vscodeProposed";
 
@@ -147,6 +149,19 @@ export class LoginCoordinator implements vscode.Disposable {
 				oauth: result.oauth, // undefined for non-OAuth logins
 			});
 			await this.mementoManager.addToUrlHistory(url);
+
+			if (result.token) {
+				this.cliCredentialManager
+					.storeToken(url, result.token, vscode.workspace.getConfiguration(), {
+						keyringOnly: true,
+					})
+					.catch((error) => {
+						this.logger.warn(
+							"Failed to store token in keyring at login:",
+							error,
+						);
+					});
+			}
 		}
 	}
 
@@ -243,10 +258,20 @@ export class LoginCoordinator implements vscode.Disposable {
 		}
 
 		// Try keyring token (picks up tokens written by `coder login` in the terminal)
-		const keyringToken = await this.cliCredentialManager.readToken(
-			deployment.url,
-			vscode.workspace.getConfiguration(),
+		const configs = vscode.workspace.getConfiguration();
+		const keyringResult = await withOptionalProgress(
+			({ signal }) =>
+				this.cliCredentialManager.readToken(deployment.url, configs, {
+					signal,
+				}),
+			{
+				enabled: isKeyringEnabled(configs),
+				location: vscode.ProgressLocation.Notification,
+				title: "Reading token from OS keyring...",
+				cancellable: true,
+			},
 		);
+		const keyringToken = keyringResult.ok ? keyringResult.value : undefined;
 		if (
 			keyringToken &&
 			keyringToken !== providedToken &&

src/progress.ts

@@ -17,8 +17,8 @@ export interface ProgressContext {
  * `{ cancelled: true }`.
  */
 export function withCancellableProgress<T>(
-	options: vscode.ProgressOptions & { cancellable: true },
 	fn: (ctx: ProgressContext) => Promise<T>,
+	options: vscode.ProgressOptions & { cancellable: true },
 ): Thenable<ProgressResult<T>> {
 	return vscode.window.withProgress(
 		options,
@@ -40,6 +40,32 @@ export function withCancellableProgress<T>(
 	);
 }
 
+/**
+ * Like withCancellableProgress, but only shows the progress notification when
+ * `enabled` is true. When false, runs the function directly without UI.
+ * Returns ProgressResult<T> in both cases for uniform call-site handling.
+ */
+export async function withOptionalProgress<T>(
+	fn: (ctx: ProgressContext) => Promise<T>,
+	options: vscode.ProgressOptions & { cancellable: true; enabled: boolean },
+): Promise<ProgressResult<T>> {
+	if (options.enabled) {
+		return withCancellableProgress(fn, options);
+	}
+	try {
+		const noop = () => {
+			// No-op: progress reporting is disabled.
+		};
+		const value = await fn({
+			progress: { report: noop },
+			signal: new AbortController().signal,
+		});
+		return { ok: true, value };
+	} catch (error) {
+		return { ok: false, cancelled: false, error };
+	}
+}
+
 /**
  * Run a task inside a VS Code progress notification (no cancellation).
  * A thin wrapper over `vscode.window.withProgress` that passes only the

test/unit/cliConfig.test.ts

@@ -1,5 +1,6 @@
+import * as os from "node:os";
 import * as semver from "semver";
-import { afterEach, it, expect, describe, vi } from "vitest";
+import { it, expect, describe, vi } from "vitest";
 
 import {
 	type CliAuth,
@@ -14,16 +15,14 @@ import { featureSetForVersion } from "@/featureSet";
 import { MockConfigurationProvider } from "../mocks/testHelpers";
 import { isWindows } from "../utils/platform";
 
+vi.mock("node:os");
+
 const globalConfigAuth: CliAuth = {
 	mode: "global-config",
 	configDir: "/config/dir",
 };
 
 describe("cliConfig", () => {
-	afterEach(() => {
-		vi.unstubAllGlobals();
-	});
-
 	describe("getGlobalFlags", () => {
 		const urlAuth: CliAuth = { mode: "url", url: "https://dev.coder.com" };
 
@@ -224,6 +223,12 @@ describe("cliConfig", () => {
 			useKeyring: boolean;
 			expected: boolean;
 		}
+		it("returns false on darwin when setting is unset (default)", () => {
+			vi.mocked(os.platform).mockReturnValue("darwin");
+			const config = new MockConfigurationProvider();
+			expect(isKeyringEnabled(config)).toBe(false);
+		});
+
 		it.each<KeyringEnabledCase>([
 			{ platform: "darwin", useKeyring: true, expected: true },
 			{ platform: "win32", useKeyring: true, expected: true },
@@ -232,7 +237,7 @@ describe("cliConfig", () => {
 		])(
 			"returns $expected on $platform with useKeyring=$useKeyring",
 			({ platform, useKeyring, expected }) => {
-				vi.stubGlobal("process", { ...process, platform });
+				vi.mocked(os.platform).mockReturnValue(platform);
 				const config = new MockConfigurationProvider();
 				config.set("coder.useKeyring", useKeyring);
 				expect(isKeyringEnabled(config)).toBe(expected);
@@ -242,7 +247,7 @@ describe("cliConfig", () => {
 
 	describe("resolveCliAuth", () => {
 		it("returns url mode when keyring should be used", () => {
-			vi.stubGlobal("process", { ...process, platform: "darwin" });
+			vi.mocked(os.platform).mockReturnValue("darwin");
 			const config = new MockConfigurationProvider();
 			config.set("coder.useKeyring", true);
 			const featureSet = featureSetForVersion(semver.parse("2.29.0"));
@@ -259,7 +264,7 @@ describe("cliConfig", () => {
 		});
 
 		it("returns global-config mode when keyring should not be used", () => {
-			vi.stubGlobal("process", { ...process, platform: "linux" });
+			vi.mocked(os.platform).mockReturnValue("linux");
 			const config = new MockConfigurationProvider();
 			const featureSet = featureSetForVersion(semver.parse("2.29.0"));
 			const auth = resolveCliAuth(