Add "No Authentication" connection support#755
Conversation
When a connection string with an embedded username/password is pasted and the user then selects No Authentication or Microsoft Entra ID, the parsed native credentials were still used for duplicate detection (causing a false 'same username and host already exists' error) and were leaked into stored secrets. Native credentials now apply only to the Native authentication method.
…nsion A connection can succeed while the server still rejects listDatabases (e.g. an anonymous 'No Authentication' connection against a server that requires auth). That rejection previously threw out of getChildren(), leaving the tree with no children and no way to retry. The call is now wrapped in try/catch: it records failure telemetry via a 'connect' event (connectionResult=Failed, failurePhase=listDatabases), surfaces a notification, logs to the output channel, and returns the existing '/reconnect' retry node so the user can re-attempt after fixing the configuration.
The interactive expand flow is blocked when listDatabases fails, so present the error as a modal dialog (consistent with how blocking operations are surfaced), suppressing azext's default non-modal notification while still recording the failure telemetry.
There was a problem hiding this comment.
Pull request overview
Adds first-class “No Authentication” support (AuthMethodId.NoAuth) across the DocumentDB connection lifecycle so users can connect to anonymous clusters (no username/password/Entra), while preserving connection-string TLS/SSL overrides and improving tree error recovery when listDatabases() fails.
Changes:
- Introduces
AuthMethodId.NoAuth+NoAuthHandler, and routes it throughClustersClientauth handling. - Updates connection creation, credential caching, tree connect gating, and shell/playground init to support credential-free connections.
- Hardens tree expansion by catching
listDatabases()failures and returning a retry node while emitting telemetry + modal error.
Reviewed changes
Copilot reviewed 22 out of 22 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| src/tree/documentdb/ClusterItemBase.ts | Catch listDatabases() failures during expansion, emit telemetry/modal error, and return a retry node. |
| src/tree/documentdb/ClusterItemBase.test.ts | Adds unit tests covering retry-node + modal + telemetry behavior on listDatabases() failure. |
| src/tree/connections-view/DocumentDBClusterItem.ts | Skips credential prompt for NoAuth; surfaces TLS-disabled state (connection-string override) in description/tooltip. |
| src/documentdb/shell/ShellTerminalLinkProvider.ts | Extends shell terminal metadata union to include NoAuth. |
| src/documentdb/shell/ShellSessionManager.ts | Extends shell auth mechanism union and ensures NoAuth uses credential-free connection string. |
| src/documentdb/shell/DocumentDBShellPty.ts | Displays “No Authentication” label in shell connection summary. |
| src/documentdb/playground/workerTypes.ts | Extends playground worker init message union to include NoAuth. |
| src/documentdb/playground/PlaygroundEvaluator.ts | Ensures NoAuth uses credential-free connection string when building worker init message. |
| src/documentdb/CredentialCache.ts | Makes getConnectionStringWithPassword null-safe and respects explicit NoAuth selection in setFromConnectionItem. |
| src/documentdb/CredentialCache.test.ts | Adds tests for NoAuth cache entries + null-safety behavior. |
| src/documentdb/ClustersClient.ts | Routes AuthMethodId.NoAuth through the auth-handler switch. |
| src/documentdb/auth/NoAuthHandler.ts | Adds handler that passes connection string through verbatim and applies emulator-only TLS invalid cert option. |
| src/documentdb/auth/NoAuthHandler.test.ts | Adds coverage for NoAuthHandler passthrough + emulator-only behavior. |
| src/documentdb/auth/AuthMethod.ts | Adds AuthMethodId.NoAuth and registers it for quick-pick/listing. |
| src/documentdb/auth/AuthMethod.test.ts | Adds unit tests verifying NoAuth is supported/listed/quick-pickable. |
| src/commands/newConnection/PromptConnectionStringStep.ts | Ensures NoAuth is always offered during new-connection flow. |
| src/commands/newConnection/ExecuteStep.ts | Ignores parsed native creds unless Native auth is selected; uses host-only labels; persists native creds only for Native. |
| src/commands/newConnection/ExecuteStep.test.ts | Adds regression tests for dedupe + persistence behavior across NoAuth/Entra/Native. |
| src/commands/accessDataMigrationServices/noAuthMigration.test.ts | Locks the migration sharing contract for NoAuth (no creds injected; preserves tls/ssl overrides). |
| l10n/bundle.l10n.json | Adds new localized strings for NoAuth UI and listDatabases failure UX. |
| docs/ai-and-plans/PRs/755-no-auth-support/summary.md | PR design/implementation summary. |
| docs/ai-and-plans/PRs/755-no-auth-support/01-username-and-tls-checks-report.md | Analysis report on username/password assumptions and TLS override handling. |
…on to NoAuth Adds an explicit NoAuth branch in updateCredentials/ExecuteStep that clears nativeAuthConfig and entraIdAuthConfig, and a defense-in-depth guard in CredentialCache.setFromConnectionItem so an explicit NoAuth connection never re-surfaces stale secrets left in storage. Prevents leaked credentials through paths such as migration sharing after a Native/Entra -> NoAuth switch.
…tions Mirrors the native-credential gate in newConnection/ExecuteStep so a connection saved as No Authentication or Native never carries stale entraIdAuthConfig left in the wizard context after the user backtracked and changed the auth method. Addresses Copilot review thread PRRT_kwDOODtcO86Ln9xO.
…esult Aligns the listDatabases failure path with every other connectionResult value (success/failed/cancelled) so telemetry dashboards grouping by this dimension are not fragmented. Addresses Copilot review thread PRRT_kwDOODtcO86Ln9wH.
The connection summary line in the integrated shell mixed a localized NoAuth label with raw 'Entra ID'/'SCRAM' literals. Wrap them in l10n.t for consistent localization. Addresses Copilot review thread PRRT_kwDOODtcO86Ln9wy.
Review follow-up: cleared stale credentials on switch to No Authentication (commit e936fe3)A local review of this PR surfaced one issue beyond the Copilot reviewer threads, which I've fixed: Problem (High): Switching an existing Native or Microsoft Entra ID connection to No Authentication left the old Fix (two layers):
Tests: new The three Copilot reviewer comments (Entra config persistence, |
✅ Code Quality Checks
This comment is updated automatically on each push. |
📦 Build Size Report
Download artifact · updated automatically on each push. |
Why
Some customers need to interact with a DocumentDB cluster that has no authentication — no username, no password, and no Microsoft Entra ID. A common case is investigative / exploratory work with the interactive shell (or the query playground) against a cluster that is intentionally running without credentials. Today the extension assumes every connection carries credentials, so these anonymous clusters can't be added or used cleanly.
This PR adds first-class "No Authentication" support across the connection lifecycle: creation, the tree, the integrated shell, and the query playground — while continuing to honor connection-string TLS/SSL overrides.
What changed
New auth method
AuthMethodId.NoAuth("No Authentication") rather than overloading Native auth with empty credentials. It's discoverable in the auth-method quick pick and maps cleanly onto the existing auth-handlerswitch.NoAuthHandlerpasses the connection string through verbatim (credential-free) and never forces TLS — it only adds the emulator-specifictlsAllowInvalidCertificatesrule, mirroringNativeAuthHandler.Connection creation
nativeAuthConfig: undefined.user@hostprefix was dropped for all new connections for a consistent, credential-free naming scheme).Tree / connect gate
tls=false/ssl=false) now shows a "⚠ TLS/SSL Disabled" description and tooltip line.listDatabases(e.g. an anonymous connection against a server that actually requires auth → "Command listDatabases is not allowed as the connection is not authenticated yet"). Previously this threw out ofgetChildren(), leaving the tree with no children and no way to retry. The call is now wrapped intry/catch: it records failure telemetry, surfaces a modal error (the interactive expand flow is blocked, matching the convention for blocking operations), logs to the output channel, and returns the existing…/reconnectretry node so the user can re-attempt after fixing the configuration. This applies to anylistDatabasesfailure, not just NoAuth.Integrated shell & query playground
authMechanismunion was widened to include'NoAuth'; both the shell and the playground use the credential-free connection string, and the shell shows a "No Authentication" banner label.Cache hardening
CredentialCache.setFromConnectionItemrespects an explicitselectedAuthMethod === NoAuth(no Native misclassification);getConnectionStringWithPasswordis now null-safe.Migration tools
api/changes. Verified host-side that a NoAuth connection yields a credential-freeoptions.connectionStringwhile preservingtls/ssl, locked with a test.Tests
New/updated unit tests cover: the NoAuth handler (verbatim passthrough, TLS never forced), the auth model (NoAuth supported/listed/quick-pick), the credential cache (credential-free entry, null-safety), the migration connection-string contract, the new-connection wizard dedup/persistence fix (NoAuth/Entra), and the tree retry-node + modal + telemetry behavior on
listDatabasesfailure.Validation
npm run l10n,npm run prettier-fix,npm run lint, full Jest suite (143 suites / 2545 tests), andnpm run buildall pass.Out of scope / unchanged