Adopt createAppUri API in authentication flow

Author: Rachel Macfarlane

src/authentication/githubServer.ts

@@ -1,22 +1,17 @@
-import * as vscode from 'vscode';
-import { IHostConfiguration, HostHelper } from './configuration';
 import * as https from 'https';
-import { Base64 } from 'js-base64';
-import { parse } from 'query-string';
+import * as vscode from 'vscode';
 import Logger from '../common/logger';
+import { agent } from '../common/net';
 import { handler as uriHandler } from '../common/uri';
 import { PromiseAdapter, promiseFromEvent } from '../common/utils';
-import { agent } from '../common/net';
-import { EXTENSION_ID } from '../constants';
-import { onDidChange as onKeychainDidChange, toCanonical, listHosts } from './keychain';
+import { HostHelper, IHostConfiguration } from './configuration';
+import { listHosts, onDidChange as onKeychainDidChange, toCanonical } from './keychain';
+import uuid = require('uuid');
 
 const SCOPES: string = 'read:user user:email repo write:discussion';
 const GHE_OPTIONAL_SCOPES: { [key: string]: boolean } = {'write:discussion': true};
 
-const AUTH_RELAY_SERVER = 'https://vscode-auth.github.com';
-const CALLBACK_PATH = '/did-authenticate';
-const CALLBACK_URI = `${vscode.env.uriScheme}://${EXTENSION_ID}${CALLBACK_PATH}`;
-const MAX_TOKEN_RESPONSE_AGE = 5 * (1000 * 60 /* minutes in ms */);
+const AUTH_RELAY_SERVER = 'vscode-auth.github.com';
 
 export class GitHubManager {
 	private _servers: Map<string, boolean> = new Map().set('github.com', true);
@@ -124,40 +119,54 @@ export class GitHubManager {
 	}
 }
 
-class ResponseExpired extends Error {
-	get message() { return 'Token response expired'; }
-}
+const exchangeCodeForToken: (host: string, state: string) => PromiseAdapter<vscode.Uri, IHostConfiguration> =
+	(host, state) => async (uri, resolve, reject) => {
+		const query = parseQuery(uri);
+		const code = query.code;
 
-const SEPARATOR = '/', SEPARATOR_LEN = SEPARATOR.length;
-
-/**
- * Hydrate and verify the signature of a message produced with `encode`
- *
- * Returns an object
- *
- * @param {string} signedMessage signed message produced by encode
- * @returns {any} decoded JSON data
- * @throws {SyntaxError} if the message was null or could not be parsed as JSON
- */
-const decode = (signedMessage?: string): any => {
-	if (!signedMessage) { throw new SyntaxError('Invalid encoding'); }
-	const separatorIndex = signedMessage.indexOf(SEPARATOR);
-	const message = signedMessage.substr(separatorIndex + SEPARATOR_LEN);
-	return JSON.parse(Base64.decode(message));
-};
-
-const verifyToken: (host: string) => PromiseAdapter<vscode.Uri, IHostConfiguration> =
-	host => async (uri, resolve, reject) => {
-		if (uri.path !== CALLBACK_PATH) { return; }
-		const query = parse(uri.query);
-		const state = decode(query.state as string);
-		const { ts, access_token: token } = state.token;
-		if (Date.now() - ts > MAX_TOKEN_RESPONSE_AGE) {
-			return reject(new ResponseExpired);
+		if (query.state !== state) {
+			vscode.window.showInformationMessage('Sign in failed: Received bad state');
+			reject('Received bad state');
+			return;
 		}
-		resolve({ host, token });
+
+		const post = https.request({
+			host: AUTH_RELAY_SERVER,
+			path: `/token?code=${code}&state=${query.state}`,
+			method: 'POST',
+			headers: {
+				Accept: 'application/json'
+			}
+		}, result => {
+			const buffer: Buffer[] = [];
+			result.on('data', (chunk: Buffer) => {
+				buffer.push(chunk);
+			});
+			result.on('end', () => {
+				if (result.statusCode === 200) {
+					const json = JSON.parse(Buffer.concat(buffer).toString());
+					resolve({ host, token: json.access_token });
+				} else {
+					vscode.window.showInformationMessage(`Sign in failed: ${result.statusMessage}`);
+					reject(new Error(result.statusMessage));
+				}
+			});
+		});
+
+		post.end();
+		post.on('error', err => {
+			reject(err);
+		});
 	};
 
+function parseQuery(uri: vscode.Uri) {
+	return uri.query.split('&').reduce((prev: any, current) => {
+		const queryString = current.split('=');
+		prev[queryString[0]] = queryString[1];
+		return prev;
+	}, {});
+}
+
 const manuallyEnteredToken: (host: string) => PromiseAdapter<IHostConfiguration, IHostConfiguration> =
 	host => (config: IHostConfiguration, resolve) =>
 		config.host === toCanonical(host) && resolve(config);
@@ -172,14 +181,15 @@ export class GitHubServer {
 		this.hostUri = vscode.Uri.parse(host);
 	}
 
-	public login(): Promise<IHostConfiguration> {
+	public async login(): Promise<IHostConfiguration> {
+		const state = uuid();
+		const callbackUri = await vscode.env.createAppUri({ payload: { path: '/did-authenticate' } });
+		const uri = vscode.Uri.parse(`https://${AUTH_RELAY_SERVER}/authorize/?callbackUri=${encodeURIComponent(callbackUri.toString())}&scope=${SCOPES}&state=${state}&responseType=code`);
 		const host = this.hostUri.toString();
-		const uri = vscode.Uri.parse(
-			`${AUTH_RELAY_SERVER}/authorize?authServer=${host}&callbackUri=${CALLBACK_URI}&scope=${SCOPES}`
-		);
-		vscode.commands.executeCommand('vscode.open', uri);
+
+		vscode.env.openExternal(uri);
 		return Promise.race([
-			promiseFromEvent(uriHandler.event, verifyToken(host)),
+			promiseFromEvent(uriHandler.event, exchangeCodeForToken(host, state)),
 			promiseFromEvent(onKeychainDidChange, manuallyEnteredToken(host))
 		]);
 	}

src/extension.ts

@@ -5,22 +5,22 @@
 'use strict';
 
 import * as vscode from 'vscode';
+import TelemetryReporter from 'vscode-extension-telemetry';
+import { Repository } from './api/api';
+import { ApiImpl } from './api/api1';
+import * as Keychain from './authentication/keychain';
 import { migrateConfiguration } from './authentication/vsConfiguration';
-import { Resource } from './common/resources';
-import { ReviewManager } from './view/reviewManager';
 import { registerCommands } from './commands';
 import Logger from './common/logger';
-import { PullRequestManager } from './github/pullRequestManager';
+import { Resource } from './common/resources';
+import { handler as uriHandler } from './common/uri';
 import { formatError, onceEvent } from './common/utils';
+import { EXTENSION_ID } from './constants';
+import { PullRequestManager } from './github/pullRequestManager';
 import { registerBuiltinGitProvider, registerLiveShareGitProvider } from './gitProviders/api';
-import { handler as uriHandler } from './common/uri';
-import * as Keychain from './authentication/keychain';
 import { FileTypeDecorationProvider } from './view/fileTypeDecorationProvider';
 import { PullRequestsTreeDataProvider } from './view/prsTreeDataProvider';
-import { ApiImpl } from './api/api1';
-import { Repository } from './api/api';
-import TelemetryReporter from 'vscode-extension-telemetry';
-import { EXTENSION_ID } from './constants';
+import { ReviewManager } from './view/reviewManager';
 
 const aiKey: string = 'AIF-d9b70cd4-b9f9-4d70-929b-a071c400b217';
 

src/typings/vscode.proposed.d.ts

@@ -783,4 +783,50 @@ declare module 'vscode' {
 
 	//#endregion
 
+		// #region Ben - extension auth flow (desktop+web)
+
+		export interface AppUriOptions {
+			payload?: {
+				path?: string;
+				query?: string;
+				fragment?: string;
+			};
+		}
+
+		export namespace env {
+
+			/**
+			 * Creates a Uri that - if opened in a browser - will result in a
+			 * registered [UriHandler](#UriHandler) to fire. The handler's
+			 * Uri will be configured with the path, query and fragment of
+			 * [AppUriOptions](#AppUriOptions) if provided, otherwise it will be empty.
+			 *
+			 * Extensions should not make any assumptions about the resulting
+			 * Uri and should not alter it in anyway. Rather, extensions can e.g.
+			 * use this Uri in an authentication flow, by adding the Uri as
+			 * callback query argument to the server to authenticate to.
+			 *
+			 * Note: If the server decides to add additional query parameters to the Uri
+			 * (e.g. a token or secret), it will appear in the Uri that is passed
+			 * to the [UriHandler](#UriHandler).
+			 *
+			 * **Example** of an authentication flow:
+			 * ```typescript
+			 * vscode.window.registerUriHandler({
+			 *   handleUri(uri: vscode.Uri): vscode.ProviderResult<void> {
+			 *     if (uri.path === '/did-authenticate') {
+			 *       console.log(uri.toString());
+			 *     }
+			 *   }
+			 * });
+			 *
+			 * const callableUri = await vscode.env.createAppUri({ payload: { path: '/did-authenticate' } });
+			 * await vscode.env.openExternal(callableUri);
+			 * ```
+			 */
+			export function createAppUri(options?: AppUriOptions): Thenable<Uri>;
+		}
+
+		//#endregion
+
 }