Skip to content

Add "No Authentication" connection support#755

Merged
tnaum-ms merged 24 commits into
mainfrom
dev/tnaum/no-auth-mode
Jun 24, 2026
Merged

Add "No Authentication" connection support#755
tnaum-ms merged 24 commits into
mainfrom
dev/tnaum/no-auth-mode

Conversation

@tnaum-ms

Copy link
Copy Markdown
Collaborator

Why

Some customers need to interact with a DocumentDB cluster that has no authentication — no username, no password, and no Microsoft Entra ID. A common case is investigative / exploratory work with the interactive shell (or the query playground) against a cluster that is intentionally running without credentials. Today the extension assumes every connection carries credentials, so these anonymous clusters can't be added or used cleanly.

This PR adds first-class "No Authentication" support across the connection lifecycle: creation, the tree, the integrated shell, and the query playground — while continuing to honor connection-string TLS/SSL overrides.

What changed

New auth method

  • Introduced an explicit AuthMethodId.NoAuth ("No Authentication") rather than overloading Native auth with empty credentials. It's discoverable in the auth-method quick pick and maps cleanly onto the existing auth-handler switch.
  • New NoAuthHandler passes the connection string through verbatim (credential-free) and never forces TLS — it only adds the emulator-specific tlsAllowInvalidCertificates rule, mirroring NativeAuthHandler.

Connection creation

  • "No Authentication" is offered in the new-connection wizard; NoAuth connections are stored with nativeAuthConfig: undefined.
  • New connection labels are derived from the host(s) only (the user@host prefix was dropped for all new connections for a consistent, credential-free naming scheme).
  • Bug fix: when a pasted connection string contains an embedded username/password but the user then selects No Authentication (or Microsoft Entra ID), those parsed native credentials are now ignored. Previously they were reused for duplicate detection — producing a false "A connection with the same username and host already exists." error — and were leaked into stored secrets. Native credentials now apply only to the Native method.

Tree / connect gate

  • The connect gate no longer re-prompts for a username/password when the method is NoAuth.
  • A non-emulator connection whose connection string disables TLS (tls=false / ssl=false) now shows a "⚠ TLS/SSL Disabled" description and tooltip line.
  • Error recovery: a connection can succeed while the server still rejects listDatabases (e.g. an anonymous connection against a server that actually requires auth → "Command listDatabases is not allowed as the connection is not authenticated yet"). Previously this threw out of getChildren(), leaving the tree with no children and no way to retry. The call is now wrapped in try/catch: it records failure telemetry, surfaces a modal error (the interactive expand flow is blocked, matching the convention for blocking operations), logs to the output channel, and returns the existing …/reconnect retry node so the user can re-attempt after fixing the configuration. This applies to any listDatabases failure, not just NoAuth.

Integrated shell & query playground

  • The authMechanism union was widened to include 'NoAuth'; both the shell and the playground use the credential-free connection string, and the shell shows a "No Authentication" banner label.

Cache hardening

  • CredentialCache.setFromConnectionItem respects an explicit selectedAuthMethod === NoAuth (no Native misclassification); getConnectionStringWithPassword is now null-safe.

Migration tools

  • No api/ changes. Verified host-side that a NoAuth connection yields a credential-free options.connectionString while preserving tls/ssl, locked with a test.

Tests

New/updated unit tests cover: the NoAuth handler (verbatim passthrough, TLS never forced), the auth model (NoAuth supported/listed/quick-pick), the credential cache (credential-free entry, null-safety), the migration connection-string contract, the new-connection wizard dedup/persistence fix (NoAuth/Entra), and the tree retry-node + modal + telemetry behavior on listDatabases failure.

Validation

npm run l10n, npm run prettier-fix, npm run lint, full Jest suite (143 suites / 2545 tests), and npm run build all pass.

Out of scope / unchanged

  • Public migration API surface.
  • Entra ID TLS forcing (intentional — OIDC requires TLS).
  • No storage version bump (only a new auth-method enum value was added).

tnaum-ms added 17 commits June 23, 2026 05:48
When a connection string with an embedded username/password is pasted and the
user then selects No Authentication or Microsoft Entra ID, the parsed native
credentials were still used for duplicate detection (causing a false 'same
username and host already exists' error) and were leaked into stored secrets.
Native credentials now apply only to the Native authentication method.
…nsion

A connection can succeed while the server still rejects listDatabases (e.g. an
anonymous 'No Authentication' connection against a server that requires auth).
That rejection previously threw out of getChildren(), leaving the tree with no
children and no way to retry. The call is now wrapped in try/catch: it records
failure telemetry via a 'connect' event (connectionResult=Failed,
failurePhase=listDatabases), surfaces a notification, logs to the output
channel, and returns the existing '/reconnect' retry node so the user can
re-attempt after fixing the configuration.
The interactive expand flow is blocked when listDatabases fails, so present the
error as a modal dialog (consistent with how blocking operations are surfaced),
suppressing azext's default non-modal notification while still recording the
failure telemetry.
Copilot AI review requested due to automatic review settings June 23, 2026 14:45
@tnaum-ms tnaum-ms requested a review from a team as a code owner June 23, 2026 14:45

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds first-class “No Authentication” support (AuthMethodId.NoAuth) across the DocumentDB connection lifecycle so users can connect to anonymous clusters (no username/password/Entra), while preserving connection-string TLS/SSL overrides and improving tree error recovery when listDatabases() fails.

Changes:

  • Introduces AuthMethodId.NoAuth + NoAuthHandler, and routes it through ClustersClient auth handling.
  • Updates connection creation, credential caching, tree connect gating, and shell/playground init to support credential-free connections.
  • Hardens tree expansion by catching listDatabases() failures and returning a retry node while emitting telemetry + modal error.

Reviewed changes

Copilot reviewed 22 out of 22 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
src/tree/documentdb/ClusterItemBase.ts Catch listDatabases() failures during expansion, emit telemetry/modal error, and return a retry node.
src/tree/documentdb/ClusterItemBase.test.ts Adds unit tests covering retry-node + modal + telemetry behavior on listDatabases() failure.
src/tree/connections-view/DocumentDBClusterItem.ts Skips credential prompt for NoAuth; surfaces TLS-disabled state (connection-string override) in description/tooltip.
src/documentdb/shell/ShellTerminalLinkProvider.ts Extends shell terminal metadata union to include NoAuth.
src/documentdb/shell/ShellSessionManager.ts Extends shell auth mechanism union and ensures NoAuth uses credential-free connection string.
src/documentdb/shell/DocumentDBShellPty.ts Displays “No Authentication” label in shell connection summary.
src/documentdb/playground/workerTypes.ts Extends playground worker init message union to include NoAuth.
src/documentdb/playground/PlaygroundEvaluator.ts Ensures NoAuth uses credential-free connection string when building worker init message.
src/documentdb/CredentialCache.ts Makes getConnectionStringWithPassword null-safe and respects explicit NoAuth selection in setFromConnectionItem.
src/documentdb/CredentialCache.test.ts Adds tests for NoAuth cache entries + null-safety behavior.
src/documentdb/ClustersClient.ts Routes AuthMethodId.NoAuth through the auth-handler switch.
src/documentdb/auth/NoAuthHandler.ts Adds handler that passes connection string through verbatim and applies emulator-only TLS invalid cert option.
src/documentdb/auth/NoAuthHandler.test.ts Adds coverage for NoAuthHandler passthrough + emulator-only behavior.
src/documentdb/auth/AuthMethod.ts Adds AuthMethodId.NoAuth and registers it for quick-pick/listing.
src/documentdb/auth/AuthMethod.test.ts Adds unit tests verifying NoAuth is supported/listed/quick-pickable.
src/commands/newConnection/PromptConnectionStringStep.ts Ensures NoAuth is always offered during new-connection flow.
src/commands/newConnection/ExecuteStep.ts Ignores parsed native creds unless Native auth is selected; uses host-only labels; persists native creds only for Native.
src/commands/newConnection/ExecuteStep.test.ts Adds regression tests for dedupe + persistence behavior across NoAuth/Entra/Native.
src/commands/accessDataMigrationServices/noAuthMigration.test.ts Locks the migration sharing contract for NoAuth (no creds injected; preserves tls/ssl overrides).
l10n/bundle.l10n.json Adds new localized strings for NoAuth UI and listDatabases failure UX.
docs/ai-and-plans/PRs/755-no-auth-support/summary.md PR design/implementation summary.
docs/ai-and-plans/PRs/755-no-auth-support/01-username-and-tls-checks-report.md Analysis report on username/password assumptions and TLS override handling.

Comment thread src/tree/documentdb/ClusterItemBase.ts Outdated
Comment thread src/documentdb/shell/DocumentDBShellPty.ts Outdated
Comment thread src/commands/newConnection/ExecuteStep.ts
tnaum-ms added 5 commits June 23, 2026 15:19
…on to NoAuth

Adds an explicit NoAuth branch in updateCredentials/ExecuteStep that clears
nativeAuthConfig and entraIdAuthConfig, and a defense-in-depth guard in
CredentialCache.setFromConnectionItem so an explicit NoAuth connection never
re-surfaces stale secrets left in storage. Prevents leaked credentials through
paths such as migration sharing after a Native/Entra -> NoAuth switch.
…tions

Mirrors the native-credential gate in newConnection/ExecuteStep so a connection
saved as No Authentication or Native never carries stale entraIdAuthConfig left
in the wizard context after the user backtracked and changed the auth method.

Addresses Copilot review thread PRRT_kwDOODtcO86Ln9xO.
…esult

Aligns the listDatabases failure path with every other connectionResult value
(success/failed/cancelled) so telemetry dashboards grouping by this dimension are
not fragmented. Addresses Copilot review thread PRRT_kwDOODtcO86Ln9wH.
The connection summary line in the integrated shell mixed a localized NoAuth
label with raw 'Entra ID'/'SCRAM' literals. Wrap them in l10n.t for consistent
localization. Addresses Copilot review thread PRRT_kwDOODtcO86Ln9wy.
@tnaum-ms

Copy link
Copy Markdown
Collaborator Author

Review follow-up: cleared stale credentials on switch to No Authentication (commit e936fe3)

A local review of this PR surfaced one issue beyond the Copilot reviewer threads, which I've fixed:

Problem (High): Switching an existing Native or Microsoft Entra ID connection to No Authentication left the old nativeAuthConfig / entraIdAuthConfig in storage. The connection string had its embedded credentials stripped, but on the next load CredentialCache.setFromConnectionItem still read those leftover secrets back into the cache — re-injecting the old username/password into connectionStringWithPassword and re-exposing them through paths such as migration sharing (getConnectionUser / getConnectionPassword). A connection the user explicitly marked credential-free could therefore still connect/share with the old credentials.

Fix (two layers):

  • Write sideupdateCredentials/ExecuteStep now has an explicit AuthMethodId.NoAuth branch that clears both nativeAuthConfig and entraIdAuthConfig.
  • Cache side (defense in depth)CredentialCache.setFromConnectionItem now skips reading native/Entra secrets for an explicit NoAuth method, so even records saved before this fix can't re-surface stale credentials.

Tests: new updateCredentials/ExecuteStep.test.ts (Native→NoAuth, Entra→NoAuth clearing) and an added CredentialCache.test.ts case asserting stale secrets are never surfaced for a NoAuth item.

The three Copilot reviewer comments (Entra config persistence, connectionResult casing, shell label localization) were addressed in commits 44d75f0, 87a258c, and 91468c3 respectively, with replies in each thread. Full checklist (prettier, lint, 2550 Jest tests, build) passes.

@tnaum-ms tnaum-ms enabled auto-merge June 24, 2026 11:48
@github-actions

Copy link
Copy Markdown
Contributor

✅ Code Quality Checks

Check Status How to fix
Localization (l10n) ✅ Passed
ESLint ✅ Passed
Prettier formatting ✅ Passed

This comment is updated automatically on each push.

@github-actions

Copy link
Copy Markdown
Contributor

📦 Build Size Report

Metric Base (main) PR Delta
VSIX (vscode-documentdb-0.9.0.vsix) 8.00 MB 8.00 MB ⬆️ +0 KB (+0.0%)
Webview bundle (views.js) 5.88 MB 5.88 MB ✅ 0 KB (0.0%)

Download artifact · updated automatically on each push.

@tnaum-ms tnaum-ms merged commit eed226a into main Jun 24, 2026
8 checks passed
@tnaum-ms tnaum-ms deleted the dev/tnaum/no-auth-mode branch June 24, 2026 13:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Development

Successfully merging this pull request may close these issues.

3 participants