feat: use local HTTP server for OAuth callback - AAP-70006

eslint.config.mjs

@@ -78,6 +78,10 @@ export default defineConfig(
       "@typescript-eslint/no-non-null-assertion": "error",
       "@typescript-eslint/no-base-to-string": "error",
       "@typescript-eslint/no-require-imports": "off",
+      "@typescript-eslint/no-unused-vars": [
+        "error",
+        { argsIgnorePattern: "^_", varsIgnorePattern: "^_" },
+      ],
       "local/node-DEP0190": "error",
       "no-case-declarations": "error",
       "no-constant-condition": "error",

src/extension.ts

@@ -497,6 +497,8 @@ export async function activate(context: ExtensionContext): Promise<void> {
         providerManager: lightSpeedManager.providerManager,
         llmProviderSettings: llmProviderSettings,
         lightspeedUser: lightSpeedManager.lightspeedAuthenticatedUser,
+        lightSpeedAuthenticationProvider:
+          lightSpeedManager.lightSpeedAuthenticationProvider,
         quickLinksProvider: quickLinksHome,
       });
     },

src/features/lightspeed/ansibleContext.ts

@@ -141,7 +141,7 @@ Generate Ansible inventory content with:
    */
   private static preprocessAnsibleContent(
     content: string,
-    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+
     _fileType: string,
   ): string {
     try {

src/features/lightspeed/commands/providerCommands.ts

@@ -96,11 +96,25 @@ export class ProviderCommands {
     }
   }
 
+  /**
+   * Remove all OAuth sessions (equivalent to "Sign Out" in VSCode accounts menu).
+   */
+  private async signOutOAuthSessions(): Promise<void> {
+    const sessions =
+      await this.lightSpeedManager.lightSpeedAuthenticationProvider.getSessions();
+    for (const session of sessions) {
+      await this.lightSpeedManager.lightSpeedAuthenticationProvider.removeSession(
+        session.id,
+      );
+    }
+  }
+
   /**
    * Configure LLM provider through guided setup
    */
   private async configureLlmProvider(): Promise<void> {
     try {
+      const previousProvider = this.llmProviderSettings.getProvider();
       const supportedProviders = providerFactory.getSupportedProviders();
 
       // Step 1: Select provider type
@@ -128,6 +142,11 @@ export class ProviderCommands {
         selectedProvider.provider.type,
       );
 
+      // Sign out OAuth sessions if provider changed
+      if (selectedProvider.provider.type !== previousProvider) {
+        await this.signOutOAuthSessions();
+      }
+
       const providerType = selectedProvider.provider.type;
 
       // Configure required fields using generic API
@@ -277,11 +296,18 @@ export class ProviderCommands {
     }
 
     try {
+      const previousProvider = this.llmProviderSettings.getProvider();
+
       // Switch to selected provider using LlmProviderSettings
       await this.llmProviderSettings.setProvider(
         selectedProvider.provider.type,
       );
 
+      // Sign out OAuth sessions if provider changed
+      if (selectedProvider.provider.type !== previousProvider) {
+        await this.signOutOAuthSessions();
+      }
+
       // Enable lightspeed in VS Code settings
       const config = vscode.workspace.getConfiguration("ansible.lightspeed");
       await config.update(

src/features/lightspeed/explorerWebviewViewProvider.ts

@@ -21,9 +21,9 @@ export class LightspeedExplorerWebviewViewProvider implements WebviewViewProvide
 
   public async resolveWebviewView(
     webviewView: WebviewView,
-    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+
     _resolveContext: WebviewViewResolveContext,
-    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+
     _token: CancellationToken,
   ) {
     this._view = webviewView;

src/features/lightspeed/lightSpeedOAuthProvider.ts

@@ -14,6 +14,8 @@
 } from "vscode";
 import { v4 as uuid } from "uuid";
 import crypto from "crypto";
+import http from "http";
+import { AddressInfo } from "net";
 import {
   PromiseAdapter,
   promiseFromEvent,
@@ -167,13 +169,15 @@
 
   /**
    * Create a new auth session
-   * @param scopes - Scopes
+   * @param _scopes - Scopes
    * @returns
    */
-  public async createSession(scopes: string[]): Promise<LightspeedAuthSession> {
+  public async createSession(
+    _scopes: string[],
+  ): Promise<LightspeedAuthSession> {
     try {
       lightSpeedManager.currentModelValue = undefined;
-      const account = await this.login(scopes);
+      const account = await this.login();
 
       if (!account) {
         throw new Error(`Ansible Lightspeed login failure`);
@@ -276,34 +280,127 @@
     }
   }
 
+  /**
+   * Start a local HTTP server to receive the OAuth callback.
+   * Returns a promise that resolves with the authorization code and
+   * a cleanup function to shut down the server.
+   */
+  private async startLocalCallbackServer(): Promise<{
+    redirectUri: string;
+    codePromise: Promise<string>;
+    close: () => void;
+  }> {
+    let resolveCode: (code: string) => void;
+    let rejectCode: (err: Error) => void;
+    const codePromise = new Promise<string>((resolve, reject) => {
+      resolveCode = resolve;
+      rejectCode = reject;
+    });
+
+    const server = http.createServer((req, res) => {
+      const url = new URL(req.url || "/", `http://${req.headers.host}`);
+      if (url.pathname !== "/callback") {
+        res.writeHead(404);
+        res.end("Not found");
+        return;
+      }
+
+      const code = url.searchParams.get("code");
+      const error = url.searchParams.get("error");
+
+      res.writeHead(200, { "Content-Type": "text/html" });
+      if (code) {
+        res.end(
+          "<html><body><h1>Authentication successful</h1><p>You can close this tab and return to your editor.</p></body></html>",
+        );
+        resolveCode(code);
+      } else {
+        res.end(
+          "<html><body><h1>Authentication failed</h1><p>Something went wrong. Return to your editor for details.</p></body></html>",
+        );
+        rejectCode(
+          new Error(error || "No authorization code received from the server"),
+        );
+      }
+    });
+
+    await new Promise<void>((resolve) => {
+      server.listen(0, "127.0.0.1", () => resolve());
+    });
+
+    const port = (server.address() as AddressInfo).port;
+    const redirectUri = `http://127.0.0.1:${port}/callback`;
+
+    this._logger.debug(
+      `[ansible-lightspeed-oauth] Local callback server listening on ${redirectUri}`,
+    );
+
+    const close = () => {
+      server.close();
+    };
+
+    return { redirectUri, codePromise, close };
+  }
+
+  private static readonly LOOPBACK_CALLBACK_HOSTS = [
+    "https://c.ai.ansible.redhat.com",
+    "https://stage.ai.ansible.redhat.com",
+  ];
+
   /* Log in to the Ansible Lightspeed auth service */
-  private async login(scopes: string[] = []) {
+  private async login() {
     this._logger.debug("[ansible-lightspeed-oauth] Logging in...");
 
     await this.setExternalRedirectUri();
 
-    const searchParams = new URLSearchParams([
-      ["response_type", "code"],
-      ["code_challenge", getCodeChallenge()],
-      ["code_challenge_method", "S256"],
-      ["client_id", LIGHTSPEED_CLIENT_ID],
-      ["redirect_uri", this._externalRedirectUri],
-    ]);
-
     const base_uri = await getBaseUri(this.settingsManager);
     if (!base_uri) {
       throw new Error(
         "Please enter the Ansible Lightspeed URL under the Ansible Lightspeed settings!",
       );
     }
 
+    const useLoopback =
+      LightSpeedAuthenticationProvider.LOOPBACK_CALLBACK_HOSTS.includes(
+        base_uri,
+      );
+
+    let localServer:
+      | Awaited<ReturnType<typeof this.startLocalCallbackServer>>
+      | undefined;
+    let redirectUri: string;
+
+    if (useLoopback) {
+      localServer = await this.startLocalCallbackServer();
+      redirectUri = localServer.redirectUri;
+      this._logger.debug(
+        `[ansible-lightspeed-oauth] Using local callback redirect URI: ${redirectUri}`,
+      );
+    } else {
+      redirectUri = this._externalRedirectUri;
+      this._logger.debug(
+        `[ansible-lightspeed-oauth] Using external redirect URI: ${redirectUri}`,
+      );
+    }
+
+    const searchParams = new URLSearchParams([
+      ["response_type", "code"],
+      ["code_challenge", getCodeChallenge()],
+      ["code_challenge_method", "S256"],
+      ["client_id", LIGHTSPEED_CLIENT_ID],
+      ["redirect_uri", redirectUri],
+    ]);
+
     const query = searchParams.toString();
     const uri = Uri.parse(base_uri).with({ path: "/o/authorize/", query });
 
     const {
       promise: receivedRedirectUrl,
       cancel: cancelWaitingForRedirectUrl,
-    } = promiseFromEvent(this._uriHandler.event, this.handleUriForCode(scopes));
+    } = promiseFromEvent(
+      this._uriHandler.event,
+      this.handleUriForCode(redirectUri),
+    );
 
     await env.openExternal(uri);
 
@@ -315,7 +412,7 @@
       },
       async (_, token): Promise<OAuthAccount> => {
         try {
-          return await Promise.race<OAuthAccount>([
+          const candidates: Promise<OAuthAccount>[] = [
             receivedRedirectUrl,
             new Promise<OAuthAccount>((_, reject) => {
               setTimeout(() => {
@@ -329,8 +426,19 @@
             promiseFromEvent(token.onCancellationRequested, (_, __, reject) => {
               reject("User Cancelled");
             }).promise as Promise<OAuthAccount>,
-          ]);
+          ];
+
+          if (localServer) {
+            candidates.push(
+              localServer.codePromise.then((code) =>
+                this.requestOAuthAccountFromCode(code, redirectUri),
+              ) as Promise<OAuthAccount>,
+            );
+          }
+
+          return await Promise.race<OAuthAccount>(candidates);
         } finally {
+          localServer?.close();
           cancelWaitingForRedirectUrl.fire();
         }
       },
@@ -341,9 +449,9 @@
 
   /* Handle the redirect to VS Code (after sign in from the Ansible Lightspeed auth service) */
   private handleUriForCode: (
-    scopes: readonly string[],
+    redirectUri: string,
   ) => PromiseAdapter<Uri, OAuthAccount> =
-    () => async (uri, resolve, reject) => {
+    (redirectUri) => async (uri, resolve, reject) => {
       const query = new URLSearchParams(uri.query);
       const code = query.get("code");
 
@@ -356,7 +464,7 @@
         return;
       }
 
-      const account = await this.requestOAuthAccountFromCode(code);
+      const account = await this.requestOAuthAccountFromCode(code, redirectUri);
 
       if (!account) {
         reject(new Error("Unable to form account"));
@@ -369,6 +477,7 @@
   /* Request access token from server using code */
   private async requestOAuthAccountFromCode(
     code: string,
+    redirectUri: string,
   ): Promise<OAuthAccount | undefined> {
     const headers = {
       "Cache-Control": "no-cache",
@@ -387,7 +496,7 @@
         {
           method: "POST",
           signal: AbortSignal.timeout(ANSIBLE_LIGHTSPEED_API_TIMEOUT),
-          body: `client_id=${encodeURIComponent(LIGHTSPEED_CLIENT_ID)}&code_verifier=${encodeURIComponent(getCodeVerifier())}&grant_type=authorization_code&code=${code}&redirect_uri=${encodeURIComponent(this._externalRedirectUri)}`,
+          body: `client_id=${encodeURIComponent(LIGHTSPEED_CLIENT_ID)}&code_verifier=${encodeURIComponent(getCodeVerifier())}&grant_type=authorization_code&code=${code}&redirect_uri=${encodeURIComponent(redirectUri)}`,
           headers,
         },
       );

src/features/lightspeed/providers/rhcustom.ts

@@ -253,7 +253,6 @@ export class RHCustomProvider extends BaseLLMProvider<RHCustomConfig> {
   }
 
   async completionRequest(
-    // eslint-disable-next-line @typescript-eslint/no-unused-vars
     _params: CompletionRequestParams,
   ): Promise<CompletionResponseParams> {
     // Inline suggestions are out of scope for the Red Hat AI provider currently