Combine auth initialization with config query

Add TryInitializeAndQueryGVFSConfig to GitAuthentication that merges
the anonymous probe, credential fetch, and config query into a single
flow, making at most 2 HTTP requests (or 1 for anonymous repos) and
reusing the same TCP/TLS connection.

Refactor TryInitialize to delegate to the combined method, eliminating
the duplicated TryAnonymousQuery logic. Add TryAuthenticateAndQueryGVFSConfig
to GVFSVerb and update CloneVerb, PrefetchVerb, and CacheServerVerb to
use it, replacing the two-step TryAuthenticate + QueryGVFSConfig pattern
with a single call. Remove the now-unused QueryGVFSConfigWithFallbackCacheServer.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: tyrielv

GVFS/GVFS.Common/Git/GitAuthentication.cs

@@ -183,34 +183,98 @@ public bool TryGetCredentials(ITracer tracer, out string credentialString, out s
             return true;
         }
 
+        /// <summary>
+        /// Initialize authentication by probing the server. Determines whether
+        /// anonymous access is supported and, if not, fetches credentials.
+        /// Callers that also need the GVFS config should use
+        /// <see cref="TryInitializeAndQueryGVFSConfig"/> instead to avoid a
+        /// redundant HTTP round-trip.
+        /// </summary>
         public bool TryInitialize(ITracer tracer, Enlistment enlistment, out string errorMessage)
+        {
+            // Delegate to the combined method, discarding the config result.
+            // This avoids duplicating the anonymous-probe + credential-fetch logic.
+            return this.TryInitializeAndQueryGVFSConfig(
+                tracer,
+                enlistment,
+                new RetryConfig(),
+                out _,
+                out errorMessage);
+        }
+
+        /// <summary>
+        /// Combines authentication initialization with the GVFS config query,
+        /// eliminating a redundant HTTP round-trip. The anonymous probe and
+        /// config query use the same request to /gvfs/config:
+        ///   1. Config query → /gvfs/config → 200 (anonymous) or 401
+        ///   2. If 401: credential fetch, then retry → 200
+        /// This saves one HTTP request compared to probing auth separately
+        /// and then querying config, and reuses the same TCP/TLS connection.
+        /// </summary>
+        public bool TryInitializeAndQueryGVFSConfig(
+            ITracer tracer,
+            Enlistment enlistment,
+            RetryConfig retryConfig,
+            out ServerGVFSConfig serverGVFSConfig,
+            out string errorMessage)
         {
             if (this.isInitialized)
             {
                 throw new InvalidOperationException("Already initialized");
             }
 
+            serverGVFSConfig = null;
             errorMessage = null;
 
-            bool isAnonymous;
-            if (!this.TryAnonymousQuery(tracer, enlistment, out isAnonymous))
+            using (ConfigHttpRequestor configRequestor = new ConfigHttpRequestor(tracer, enlistment, retryConfig))
             {
-                errorMessage = $"Unable to determine if authentication is required";
-                return false;
-            }
+                HttpStatusCode? httpStatus;
 
-            if (!isAnonymous &&
-                !this.TryCallGitCredential(tracer, out errorMessage))
-            {
+                // First attempt without credentials. If anonymous access works,
+                // we get the config in a single request.
+                if (configRequestor.TryQueryGVFSConfig(false, out serverGVFSConfig, out httpStatus, out _))
+                {
+                    this.IsAnonymous = true;
+                    this.isInitialized = true;
+                    tracer.RelatedInfo("{0}: Anonymous access succeeded, config obtained in one request", nameof(this.TryInitializeAndQueryGVFSConfig));
+                    return true;
+                }
+
+                if (httpStatus != HttpStatusCode.Unauthorized)
+                {
+                    errorMessage = "Unable to query /gvfs/config";
+                    tracer.RelatedWarning("{0}: Config query failed with status {1}", nameof(this.TryInitializeAndQueryGVFSConfig), httpStatus?.ToString() ?? "None");
+                    return false;
+                }
+
+                // Server requires authentication — fetch credentials
+                this.IsAnonymous = false;
+
+                if (!this.TryCallGitCredential(tracer, out errorMessage))
+                {
+                    tracer.RelatedWarning("{0}: Credential fetch failed: {1}", nameof(this.TryInitializeAndQueryGVFSConfig), errorMessage);
+                    return false;
+                }
+
+                this.isInitialized = true;
+
+                // Retry with credentials using the same ConfigHttpRequestor (reuses HttpClient/connection)
+                if (configRequestor.TryQueryGVFSConfig(true, out serverGVFSConfig, out _, out errorMessage))
+                {
+                    tracer.RelatedInfo("{0}: Config obtained with credentials", nameof(this.TryInitializeAndQueryGVFSConfig));
+                    return true;
+                }
+
+                tracer.RelatedWarning("{0}: Config query failed with credentials: {1}", nameof(this.TryInitializeAndQueryGVFSConfig), errorMessage);
                 return false;
             }
-
-            this.IsAnonymous = isAnonymous;
-            this.isInitialized = true;
-            return true;
         }
 
-        public bool TryInitializeAndRequireAuth(ITracer tracer, out string errorMessage)
+        /// <summary>
+        /// Test-only initialization that skips the network probe and goes
+        /// straight to credential fetch. Not for production use.
+        /// </summary>
+        internal bool TryInitializeAndRequireAuth(ITracer tracer, out string errorMessage)
         {
             if (this.isInitialized)
             {
@@ -267,45 +331,6 @@ private static bool TryParseCredentialString(string credentialString, out string
             return false;
         }
 
-        private bool TryAnonymousQuery(ITracer tracer, Enlistment enlistment, out bool isAnonymous)
-        {
-            bool querySucceeded;
-            using (ITracer anonymousTracer = tracer.StartActivity("AttemptAnonymousAuth", EventLevel.Informational))
-            {
-                HttpStatusCode? httpStatus;
-
-                using (ConfigHttpRequestor configRequestor = new ConfigHttpRequestor(anonymousTracer, enlistment, new RetryConfig()))
-                {
-                    ServerGVFSConfig gvfsConfig;
-                    const bool LogErrors = false;
-                    if (configRequestor.TryQueryGVFSConfig(LogErrors, out gvfsConfig, out httpStatus, out _))
-                    {
-                        querySucceeded = true;
-                        isAnonymous = true;
-                    }
-                    else if (httpStatus == HttpStatusCode.Unauthorized)
-                    {
-                        querySucceeded = true;
-                        isAnonymous = false;
-                    }
-                    else
-                    {
-                        querySucceeded = false;
-                        isAnonymous = false;
-                    }
-                }
-
-                anonymousTracer.Stop(new EventMetadata
-                {
-                    { "HttpStatus", httpStatus.HasValue ? ((int)httpStatus).ToString() : "None" },
-                    { "QuerySucceeded", querySucceeded },
-                    { "IsAnonymous", isAnonymous },
-                });
-            }
-
-            return querySucceeded;
-        }
-
         private DateTime GetNextAuthAttemptTime()
         {
             if (this.numberOfAttempts <= 1)

GVFS/GVFS.Mount/InProcessMount.cs

@@ -88,21 +88,34 @@ public void Mount(EventLevel verbosity, Keywords keywords)
             // Start auth + config query immediately — these are network-bound and don't
             // depend on repo metadata or cache paths. Every millisecond of network latency
             // we can overlap with local I/O is a win.
+            // TryInitializeAndQueryGVFSConfig combines the anonymous probe, credential fetch,
+            // and config query into at most 2 HTTP requests (1 for anonymous repos), reusing
+            // the same HttpClient/TCP connection.
             Stopwatch parallelTimer = Stopwatch.StartNew();
 
             var networkTask = Task.Run(() =>
             {
                 Stopwatch sw = Stopwatch.StartNew();
-                string authError;
-                if (!this.enlistment.Authentication.TryInitialize(this.tracer, this.enlistment, out authError))
+                ServerGVFSConfig config;
+                string authConfigError;
+
+                if (!this.enlistment.Authentication.TryInitializeAndQueryGVFSConfig(
+                    this.tracer, this.enlistment, this.retryConfig,
+                    out config, out authConfigError))
                 {
-                    this.tracer.RelatedWarning("Mount will proceed, but new files cannot be accessed until GVFS can authenticate: " + authError);
+                    if (this.cacheServer != null && !string.IsNullOrWhiteSpace(this.cacheServer.Url))
+                    {
+                        this.tracer.RelatedWarning("Mount will proceed with fallback cache server: " + authConfigError);
+                        config = null;
+                    }
+                    else
+                    {
+                        this.FailMountAndExit("Unable to query /gvfs/config" + Environment.NewLine + authConfigError);
+                    }
                 }
 
-                this.tracer.RelatedInfo("ParallelMount: Auth completed in {0}ms", sw.ElapsedMilliseconds);
-
-                ServerGVFSConfig config = this.QueryAndValidateGVFSConfig();
-                this.tracer.RelatedInfo("ParallelMount: Auth + config query completed in {0}ms", sw.ElapsedMilliseconds);
+                this.ValidateGVFSVersion(config);
+                this.tracer.RelatedInfo("ParallelMount: Auth + config completed in {0}ms", sw.ElapsedMilliseconds);
                 return config;
             });
 

GVFS/GVFS/CommandLine/CacheServerVerb.cs

@@ -42,21 +42,19 @@ protected override void Execute(GVFSEnlistment enlistment)
 
             using (ITracer tracer = new JsonTracer(GVFSConstants.GVFSEtwProviderName, "CacheVerb"))
             {
-                string authErrorMessage;
-                if (!this.TryAuthenticate(tracer, enlistment, out authErrorMessage))
-                {
-                    this.ReportErrorAndExit(tracer, "Authentication failed: " + authErrorMessage);
-                }
-
                 CacheServerResolver cacheServerResolver = new CacheServerResolver(tracer, enlistment);
                 ServerGVFSConfig serverGVFSConfig = null;
                 string error = null;
 
                 // Handle the three operation types: list, set, and get (default)
                 if (this.ListCacheServers)
                 {
-                    // For listing, require config endpoint to succeed
-                    serverGVFSConfig = this.QueryGVFSConfig(tracer, enlistment, retryConfig);
+                    // For listing, require config endpoint to succeed (no fallback)
+                    if (!this.TryAuthenticateAndQueryGVFSConfig(
+                        tracer, enlistment, retryConfig, out serverGVFSConfig, out error))
+                    {
+                        this.ReportErrorAndExit(tracer, "Unable to query /gvfs/config" + Environment.NewLine + error);
+                    }
 
                     List<CacheServerInfo> cacheServers = serverGVFSConfig.CacheServers.ToList();
 
@@ -80,11 +78,12 @@ protected override void Execute(GVFSEnlistment enlistment)
                     CacheServerInfo cacheServer = cacheServerResolver.ParseUrlOrFriendlyName(this.CacheToSet);
 
                     // For set operation, allow fallback if config endpoint fails but cache server URL is valid
-                    serverGVFSConfig = this.QueryGVFSConfigWithFallbackCacheServer(
-                        tracer,
-                        enlistment,
-                        retryConfig,
-                        cacheServer);
+                    if (!this.TryAuthenticateAndQueryGVFSConfig(
+                        tracer, enlistment, retryConfig, out serverGVFSConfig, out error,
+                        fallbackCacheServer: cacheServer))
+                    {
+                        this.ReportErrorAndExit(tracer, "Authentication failed: " + error);
+                    }
 
                     cacheServer = this.ResolveCacheServer(tracer, cacheServer, cacheServerResolver, serverGVFSConfig);
 
@@ -101,11 +100,12 @@ protected override void Execute(GVFSEnlistment enlistment)
                     CacheServerInfo cacheServer = CacheServerResolver.GetCacheServerFromConfig(enlistment);
 
                     // For get operation, allow fallback if config endpoint fails but cache server URL is valid
-                    serverGVFSConfig =this.QueryGVFSConfigWithFallbackCacheServer(
-                        tracer,
-                        enlistment,
-                        retryConfig,
-                        cacheServer);
+                    if (!this.TryAuthenticateAndQueryGVFSConfig(
+                        tracer, enlistment, retryConfig, out serverGVFSConfig, out error,
+                        fallbackCacheServer: cacheServer))
+                    {
+                        this.ReportErrorAndExit(tracer, "Authentication failed: " + error);
+                    }
 
                     CacheServerInfo resolvedCacheServer = cacheServerResolver.ResolveNameFromRemote(cacheServer.Url, serverGVFSConfig);
 

GVFS/GVFS/CommandLine/CloneVerb.cs

@@ -185,19 +185,19 @@ public override void Execute()
                         this.Output.WriteLine("  Local Cache:  " + resolvedLocalCacheRoot);
                         this.Output.WriteLine("  Destination:  " + enlistment.EnlistmentRoot);
 
-                        string authErrorMessage;
-                        if (!this.TryAuthenticate(tracer, enlistment, out authErrorMessage))
-                        {
-                            this.ReportErrorAndExit(tracer, "Cannot clone because authentication failed: " + authErrorMessage);
-                        }
-
                         RetryConfig retryConfig = this.GetRetryConfig(tracer, enlistment, TimeSpan.FromMinutes(RetryConfig.FetchAndCloneTimeoutMinutes));
 
-                        serverGVFSConfig = this.QueryGVFSConfigWithFallbackCacheServer(
+                        string authErrorMessage;
+                        if (!this.TryAuthenticateAndQueryGVFSConfig(
                             tracer,
                             enlistment,
                             retryConfig,
-                            cacheServer);
+                            out serverGVFSConfig,
+                            out authErrorMessage,
+                            fallbackCacheServer: cacheServer))
+                        {
+                            this.ReportErrorAndExit(tracer, "Cannot clone because authentication failed: " + authErrorMessage);
+                        }
 
                         cacheServer = this.ResolveCacheServer(tracer, cacheServer, cacheServerResolver, serverGVFSConfig);
 

GVFS/GVFS/CommandLine/GVFSVerb.cs

@@ -429,14 +429,50 @@ protected bool ShowStatusWhileRunning(
 
         protected bool TryAuthenticate(ITracer tracer, GVFSEnlistment enlistment, out string authErrorMessage)
         {
-            string authError = null;
+            return this.TryAuthenticateAndQueryGVFSConfig(tracer, enlistment, null, out _, out authErrorMessage);
+        }
+
+        /// <summary>
+        /// Combines authentication and GVFS config query into a single operation,
+        /// eliminating a redundant HTTP round-trip. If <paramref name="retryConfig"/>
+        /// is null, a default RetryConfig is used.
+        /// If the config query fails but a valid <paramref name="fallbackCacheServer"/>
+        /// URL is available, auth succeeds but <paramref name="serverGVFSConfig"/>
+        /// will be null (caller should handle this gracefully).
+        /// </summary>
+        protected bool TryAuthenticateAndQueryGVFSConfig(
+            ITracer tracer,
+            GVFSEnlistment enlistment,
+            RetryConfig retryConfig,
+            out ServerGVFSConfig serverGVFSConfig,
+            out string errorMessage,
+            CacheServerInfo fallbackCacheServer = null)
+        {
+            ServerGVFSConfig config = null;
+            string error = null;
 
             bool result = this.ShowStatusWhileRunning(
-                () => enlistment.Authentication.TryInitialize(tracer, enlistment, out authError),
+                () => enlistment.Authentication.TryInitializeAndQueryGVFSConfig(
+                    tracer,
+                    enlistment,
+                    retryConfig ?? new RetryConfig(),
+                    out config,
+                    out error),
                 "Authenticating",
                 enlistment.EnlistmentRoot);
 
-            authErrorMessage = authError;
+            if (!result && fallbackCacheServer != null && !string.IsNullOrWhiteSpace(fallbackCacheServer.Url))
+            {
+                // Auth/config query failed, but we have a fallback cache server.
+                // Allow auth to succeed so mount/clone can proceed; config will be null.
+                tracer.RelatedWarning("Config query failed but continuing with fallback cache server: " + error);
+                serverGVFSConfig = null;
+                errorMessage = null;
+                return true;
+            }
+
+            serverGVFSConfig = config;
+            errorMessage = error;
             return result;
         }
 
@@ -493,50 +529,7 @@ protected RetryConfig GetRetryConfig(ITracer tracer, GVFSEnlistment enlistment,
             return retryConfig;
         }
 
-        /// <summary>
-        /// Attempts to query the GVFS config endpoint. If successful, returns the config.
-        /// If the query fails but a valid fallback cache server URL is available, returns null and continues.
-        /// (A warning will be logged later.)
-        /// If the query fails and no valid fallback is available, reports an error and exits.
-        /// </summary>
-        protected ServerGVFSConfig QueryGVFSConfigWithFallbackCacheServer(
-            ITracer tracer,
-            GVFSEnlistment enlistment,
-            RetryConfig retryConfig,
-            CacheServerInfo fallbackCacheServer)
-        {
-            ServerGVFSConfig serverGVFSConfig = null;
-            string errorMessage = null;
-            bool configSuccess = this.ShowStatusWhileRunning(
-                () =>
-                {
-                    using (ConfigHttpRequestor configRequestor = new ConfigHttpRequestor(tracer, enlistment, retryConfig))
-                    {
-                        const bool LogErrors = true;
-                        return configRequestor.TryQueryGVFSConfig(LogErrors, out serverGVFSConfig, out _, out errorMessage);
-                    }
-                },
-                "Querying remote for config",
-                suppressGvfsLogMessage: true);
-
-            if (!configSuccess)
-            {
-                // If a valid cache server URL is available, warn and continue
-                if (fallbackCacheServer != null && !string.IsNullOrWhiteSpace(fallbackCacheServer.Url))
-                {
-                    // Continue without config
-                    // Warning will be logged/displayed when version check is run
-                    return null;
-                }
-                else
-                {
-                    this.ReportErrorAndExit(tracer, "Unable to query /gvfs/config" + Environment.NewLine + errorMessage);
-                }
-            }
-            return serverGVFSConfig;
-        }
-
-        // Restore original QueryGVFSConfig for other callers
+        // QueryGVFSConfig for callers that require config to succeed (no fallback)
         protected ServerGVFSConfig QueryGVFSConfig(ITracer tracer, GVFSEnlistment enlistment, RetryConfig retryConfig)
         {
             ServerGVFSConfig serverGVFSConfig = null;