@microsoft/vscode-azext-azureauth 6.0.0-alpha.5 → 6.0.0-alpha.7

package/dist/cjs/src/index.js

@@ -26,6 +26,7 @@ __exportStar(require("./contracts/AzureTenant"), exports);
 // The `AzureDevOpsSubscriptionProvider` is intentionally not exported, it must be imported from `'@microsoft/vscode-azext-azureauth/azdo'`
 __exportStar(require("./providers/AzureSubscriptionProviderBase"), exports);
 __exportStar(require("./providers/VSCodeAzureSubscriptionProvider"), exports);
+__exportStar(require("./utils/BearerChallengePolicy"), exports);
 __exportStar(require("./utils/configuredAzureEnv"), exports);
 __exportStar(require("./utils/dedupeSubscriptions"), exports);
 __exportStar(require("./utils/getMetricsForTelemetry"), exports);

package/dist/cjs/src/providers/AzureSubscriptionProviderBase.js

@@ -38,6 +38,7 @@ var __importStar = (this && this.__importStar) || (function () {
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.AzureSubscriptionProviderBase = void 0;
+const BearerChallengePolicy_1 = require("../utils/BearerChallengePolicy");
 const util_1 = require("util");
 const vscode = __importStar(require("vscode"));
 const AzureSubscriptionProviderRequestOptions_1 = require("../contracts/AzureSubscriptionProviderRequestOptions");
@@ -50,7 +51,7 @@ const Limiter_1 = require("../utils/Limiter");
 const NotSignedInError_1 = require("../utils/NotSignedInError");
 const screen_1 = require("../utils/screen");
 const tryGetTokenExpiration_1 = require("../utils/tryGetTokenExpiration");
-const EventDebounce = 5 * 1000; // 5 seconds minimum between `onRefreshSuggested` events
+const EventDebounce = 2 * 1000; // 2 seconds minimum between `onRefreshSuggested` events
 const EventSilenceTime = 5 * 1000; // 5 seconds after sign-in to silence `onRefreshSuggested` events
 const TenantListConcurrency = 3; // We will try to list tenants for at most 3 accounts in parallel
 const SubscriptionListConcurrency = 5; // We will try to list subscriptions for at most 5 account+tenants in parallel
@@ -93,7 +94,11 @@ class AzureSubscriptionProviderBase {
         return this.refreshSuggestedEmitter.event(callback, thisArg, disposables);
     }
     fireRefreshSuggestedIfNeeded(evtArgs) {
-        if (this.suppressRefreshSuggestedEvents || Date.now() < this.lastRefreshSuggestedTime + EventDebounce) {
+        // subscriptionFilterChange is an explicit user action and must never be suppressed,
+        // otherwise re-selecting a subscription shortly after unselecting one gets swallowed
+        // by the debounce/silence window that the first refresh triggered.
+        if (evtArgs.reason !== 'subscriptionFilterChange' &&
+            (this.suppressRefreshSuggestedEvents || Date.now() < this.lastRefreshSuggestedTime + EventDebounce)) {
             // Suppress and/or debounce events to avoid flooding
             return false;
         }
@@ -347,8 +352,15 @@ class AzureSubscriptionProviderBase {
             }
         };
         armSubs ??= await import('@azure/arm-resources-subscriptions');
+        const endpoint = (0, configuredAzureEnv_1.getConfiguredAzureEnv)().resourceManagerEndpointUrl;
+        const client = new armSubs.SubscriptionClient(credential, { endpoint });
+        client.pipeline.addPolicy(new BearerChallengePolicy_1.BearerChallengePolicy(async (challenge) => {
+            this.silenceRefreshEvents();
+            const session = await (0, getSessionFromVSCode_1.getSessionFromVSCode)(challenge, tenant.tenantId, { createIfNone: true, account: tenant.account });
+            return session?.accessToken;
+        }, endpoint), { phase: 'Sign', afterPolicies: ['bearerTokenAuthenticationPolicy'] });
         return {
-            client: new armSubs.SubscriptionClient(credential, { endpoint: (0, configuredAzureEnv_1.getConfiguredAzureEnv)().resourceManagerEndpointUrl }),
+            client,
             credential: credential,
             authentication: {
                 getSession: async () => {

package/dist/cjs/src/utils/BearerChallengePolicy.js

@@ -0,0 +1,41 @@
+"use strict";
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BearerChallengePolicy = void 0;
+exports.getDefaultScopeFromEndpoint = getDefaultScopeFromEndpoint;
+function getDefaultScopeFromEndpoint(endpoint) {
+    let base = endpoint ?? 'https://management.azure.com/';
+    base = base.replace(/\/+$/, '');
+    return `${base}/.default`;
+}
+const challengeRetriedRequests = new WeakSet();
+class BearerChallengePolicy {
+    getTokenForChallenge;
+    endpoint;
+    name = 'BearerChallengePolicy';
+    constructor(getTokenForChallenge, endpoint) {
+        this.getTokenForChallenge = getTokenForChallenge;
+        this.endpoint = endpoint;
+    }
+    async sendRequest(request, next) {
+        const initial = await next(request);
+        if (initial.status === 401 && !challengeRetriedRequests.has(request)) {
+            const header = initial.headers.get('WWW-Authenticate') || initial.headers.get('www-authenticate');
+            if (header) {
+                const scopes = [getDefaultScopeFromEndpoint(this.endpoint)];
+                challengeRetriedRequests.add(request);
+                const token = await this.getTokenForChallenge({ wwwAuthenticate: header, fallbackScopes: scopes });
+                if (token) {
+                    request.headers.set('Authorization', `Bearer ${token}`);
+                    return await next(request);
+                }
+            }
+        }
+        return initial;
+    }
+}
+exports.BearerChallengePolicy = BearerChallengePolicy;
+//# sourceMappingURL=BearerChallengePolicy.js.map

package/dist/esm/src/contracts/AzureSubscriptionProvider.d.ts

@@ -10,7 +10,7 @@ export interface AzureSubscriptionProvider {
     /**
      * Fires when the list of available subscriptions may have changed, and a refresh is suggested.
      * The callback will be given a {@link RefreshSuggestedEvent} with more information.
-     * @note This will be fired at most every 5 seconds, to avoid flooding. It is also suppressed
+     * @note This will be fired at most every 2 seconds, to avoid flooding. It is also suppressed
      * during operations this provider is performing itself, such as during sign-in.
      */
     onRefreshSuggested: vscode.Event<RefreshSuggestedEvent>;

package/dist/esm/src/index.d.ts

@@ -6,6 +6,7 @@ export type * from './contracts/AzureSubscriptionProviderRequestOptions';
 export * from './contracts/AzureTenant';
 export * from './providers/AzureSubscriptionProviderBase';
 export * from './providers/VSCodeAzureSubscriptionProvider';
+export * from './utils/BearerChallengePolicy';
 export * from './utils/configuredAzureEnv';
 export * from './utils/dedupeSubscriptions';
 export * from './utils/getMetricsForTelemetry';

package/dist/esm/src/index.js

@@ -10,6 +10,7 @@ export * from './contracts/AzureTenant';
 // The `AzureDevOpsSubscriptionProvider` is intentionally not exported, it must be imported from `'@microsoft/vscode-azext-azureauth/azdo'`
 export * from './providers/AzureSubscriptionProviderBase';
 export * from './providers/VSCodeAzureSubscriptionProvider';
+export * from './utils/BearerChallengePolicy';
 export * from './utils/configuredAzureEnv';
 export * from './utils/dedupeSubscriptions';
 export * from './utils/getMetricsForTelemetry';

package/dist/esm/src/providers/AzureSubscriptionProviderBase.js

@@ -2,6 +2,7 @@
  *  Copyright (c) Microsoft Corporation. All rights reserved.
  *  Licensed under the MIT License. See License.txt in the project root for license information.
  *--------------------------------------------------------------------------------------------*/
+import { BearerChallengePolicy } from '../utils/BearerChallengePolicy';
 import { inspect } from 'util';
 import * as vscode from 'vscode';
 import { DefaultOptions, DefaultSignInOptions } from '../contracts/AzureSubscriptionProviderRequestOptions';
@@ -14,7 +15,7 @@ import { Limiter } from '../utils/Limiter';
 import { isNotSignedInError, NotSignedInError } from '../utils/NotSignedInError';
 import { screen } from '../utils/screen';
 import { tryGetTokenExpiration } from '../utils/tryGetTokenExpiration';
-const EventDebounce = 5 * 1000; // 5 seconds minimum between `onRefreshSuggested` events
+const EventDebounce = 2 * 1000; // 2 seconds minimum between `onRefreshSuggested` events
 const EventSilenceTime = 5 * 1000; // 5 seconds after sign-in to silence `onRefreshSuggested` events
 const TenantListConcurrency = 3; // We will try to list tenants for at most 3 accounts in parallel
 const SubscriptionListConcurrency = 5; // We will try to list subscriptions for at most 5 account+tenants in parallel
@@ -57,7 +58,11 @@ export class AzureSubscriptionProviderBase {
         return this.refreshSuggestedEmitter.event(callback, thisArg, disposables);
     }
     fireRefreshSuggestedIfNeeded(evtArgs) {
-        if (this.suppressRefreshSuggestedEvents || Date.now() < this.lastRefreshSuggestedTime + EventDebounce) {
+        // subscriptionFilterChange is an explicit user action and must never be suppressed,
+        // otherwise re-selecting a subscription shortly after unselecting one gets swallowed
+        // by the debounce/silence window that the first refresh triggered.
+        if (evtArgs.reason !== 'subscriptionFilterChange' &&
+            (this.suppressRefreshSuggestedEvents || Date.now() < this.lastRefreshSuggestedTime + EventDebounce)) {
             // Suppress and/or debounce events to avoid flooding
             return false;
         }
@@ -311,8 +316,15 @@ export class AzureSubscriptionProviderBase {
             }
         };
         armSubs ??= await import('@azure/arm-resources-subscriptions');
+        const endpoint = getConfiguredAzureEnv().resourceManagerEndpointUrl;
+        const client = new armSubs.SubscriptionClient(credential, { endpoint });
+        client.pipeline.addPolicy(new BearerChallengePolicy(async (challenge) => {
+            this.silenceRefreshEvents();
+            const session = await getSessionFromVSCode(challenge, tenant.tenantId, { createIfNone: true, account: tenant.account });
+            return session?.accessToken;
+        }, endpoint), { phase: 'Sign', afterPolicies: ['bearerTokenAuthenticationPolicy'] });
         return {
-            client: new armSubs.SubscriptionClient(credential, { endpoint: getConfiguredAzureEnv().resourceManagerEndpointUrl }),
+            client,
             credential: credential,
             authentication: {
                 getSession: async () => {

package/dist/esm/src/utils/BearerChallengePolicy.d.ts

@@ -0,0 +1,10 @@
+import type { PipelinePolicy, PipelineRequest, PipelineResponse, SendRequest } from '@azure/core-rest-pipeline';
+import type * as vscode from 'vscode';
+export declare function getDefaultScopeFromEndpoint(endpoint?: string): string;
+export declare class BearerChallengePolicy implements PipelinePolicy {
+    private readonly getTokenForChallenge;
+    private readonly endpoint?;
+    readonly name = "BearerChallengePolicy";
+    constructor(getTokenForChallenge: (request: vscode.AuthenticationWwwAuthenticateRequest) => Promise<string | undefined>, endpoint?: string | undefined);
+    sendRequest(request: PipelineRequest, next: SendRequest): Promise<PipelineResponse>;
+}

package/dist/esm/src/utils/BearerChallengePolicy.js

@@ -0,0 +1,36 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+export function getDefaultScopeFromEndpoint(endpoint) {
+    let base = endpoint ?? 'https://management.azure.com/';
+    base = base.replace(/\/+$/, '');
+    return `${base}/.default`;
+}
+const challengeRetriedRequests = new WeakSet();
+export class BearerChallengePolicy {
+    getTokenForChallenge;
+    endpoint;
+    name = 'BearerChallengePolicy';
+    constructor(getTokenForChallenge, endpoint) {
+        this.getTokenForChallenge = getTokenForChallenge;
+        this.endpoint = endpoint;
+    }
+    async sendRequest(request, next) {
+        const initial = await next(request);
+        if (initial.status === 401 && !challengeRetriedRequests.has(request)) {
+            const header = initial.headers.get('WWW-Authenticate') || initial.headers.get('www-authenticate');
+            if (header) {
+                const scopes = [getDefaultScopeFromEndpoint(this.endpoint)];
+                challengeRetriedRequests.add(request);
+                const token = await this.getTokenForChallenge({ wwwAuthenticate: header, fallbackScopes: scopes });
+                if (token) {
+                    request.headers.set('Authorization', `Bearer ${token}`);
+                    return await next(request);
+                }
+            }
+        }
+        return initial;
+    }
+}
+//# sourceMappingURL=BearerChallengePolicy.js.map

package/package.json

@@ -1,7 +1,7 @@
 {
     "name": "@microsoft/vscode-azext-azureauth",
     "author": "Microsoft Corporation",
-    "version": "6.0.0-alpha.5",
+    "version": "6.0.0-alpha.7",
     "description": "Azure authentication helpers for Visual Studio Code",
     "tags": [
         "azure",
@@ -55,6 +55,7 @@
     },
     "dependencies": {
         "@azure/arm-resources-subscriptions": "^2.1.0",
+        "@azure/core-rest-pipeline": "^1.22.2",
         "@azure/identity": "^4.13.0",
         "@azure/ms-rest-azure-env": "^2.0.0"
     },