LS Code suggestions don't work when the token is missing required scope
Checklist
- I'm using the latest version of the extension (see the latest version in the right column of this page) - Extension version: 3.88.0
- I'm using the latest VS Code version (find the latest version here) - VS Code version: Version: 1.84.0-insider
- I'm using a supported version of GitLab (see README for the supported version) - GitLab version: happens on gitlab.com
Summary
If the extension has been set up before we implemented feat: Add token validation (!1053 - merged), it's possible that the extension works fine (e.g. with just api scoped token), but the Language Server rejects the token because of its own token check.
Steps to reproduce
In local development environment apply this patch (which simulates not checking for the read_user scope as we didn't before !1053 (merged))
diff --git a/src/desktop/accounts/get_user_for_credentials_or_fail.ts b/src/desktop/accounts/get_user_for_credentials_or_fail.ts
index e38078b7..f523e817 100644
--- a/src/desktop/accounts/get_user_for_credentials_or_fail.ts
+++ b/src/desktop/accounts/get_user_for_credentials_or_fail.ts
@@ -11,7 +11,7 @@ export const getUserForCredentialsOrFail = async (credentials: Credentials): Pro
try {
const tokenInfo = await gitlabService.fetchFromApi(personalAccessTokenDetailsRequest);
- const REQUIRED_SCOPES = ['api', 'read_user'];
+ const REQUIRED_SCOPES = ['api'];
const firstMissingScope = REQUIRED_SCOPES.find(scope => !tokenInfo.scopes.includes(scope));
if (firstMissingScope) {
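Review bot: with REQUIRED_SCOPES reduced to ['api'] on the changed line, the extension accepts a token that the Language Server then rejects (its warning asks for 'api' and 'read_user'), which shows the two scope lists are maintained separately and can drift apart. Keep this hunk as a local reproduction aid only; for the real fix, derive both checks from one list or report the Language Server's result to the user. Separately, the unchanged find(...) line returns only the first missing scope, so a token lacking several scopes produces an incomplete message; filter(...) would list all of them.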
- start extension in development mode
- remove all accounts (command GitLab: Remove Account from VS Code)
- Create a personal access token with only api scope https://gitlab.com/-/profile/personal_access_tokens
- See that extension works, but suggestions don't
- Open logs (GitLab: Show Extension Logs) and see
2023-12-01T10:58:05:660 [warning]: Token validation failed in Language Server: (Token has scope(s) 'api' (needs 'api' and 'read_user'). - invalid_scopes). This can happen with OAuth token refresh. If the rest of the extension works, this won't be a problem.
What is the current bug behavior?
LS doesn't work and extension doesn't notify the user
What is the expected correct behavior?
LS should work if it has token with required api scope.
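The warning in the logs already names the scopes the token holds and the scopes the Language Server needs, so the missing scope can be computed and shown to the user instead of staying in the log. The following is an added example, not code from the extension or the Language Server; the function names and the notice wording are hypothetical, and the message format is assumed to match the warning quoted in this issue.

```typescript
// Added example: hypothetical helpers, not part of the GitLab extension.
interface ScopeFailure {
  held: string[];    // scopes the token has
  needed: string[];  // scopes the Language Server requires
  missing: string[]; // needed scopes the token lacks
}

// Message format taken from the warning quoted in this issue:
//   Token has scope(s) 'api' (needs 'api' and 'read_user')
const SCOPE_FAILURE = /Token has scope\(s\) (.*?) \(needs (.*?)\)/;

// Extract single-quoted names from a fragment such as "'api' and 'read_user'".
// Splitting on the quote character leaves the names at the odd indices.
function quotedNames(fragment: string): string[] {
  return fragment.split("'").filter((_part, index) => index % 2 === 1);
}

// Returns undefined for log lines that are not a scope validation failure.
function parseScopeFailure(logLine: string): ScopeFailure | undefined {
  const match = SCOPE_FAILURE.exec(logLine);
  if (!match) return undefined;
  const [, heldPart = '', neededPart = ''] = match;
  const held = quotedNames(heldPart);
  const needed = quotedNames(neededPart);
  const missing = needed.filter(scope => held.indexOf(scope) === -1);
  return { held, needed, missing };
}

// Builds the text a notification could show; undefined means nothing to report.
function userNotice(logLine: string): string | undefined {
  const failure = parseScopeFailure(logLine);
  if (!failure || failure.missing.length === 0) return undefined;
  return `Code suggestions are unavailable: token is missing scope(s) ${failure.missing.join(', ')}.`;
}

// The warning from this issue, cut off after the error code.
const WARNING_FROM_ISSUE =
  "2023-12-01T10:58:05:660 [warning]: Token validation failed in Language Server: " +
  "(Token has scope(s) 'api' (needs 'api' and 'read_user'). - invalid_scopes).";

console.log(userNotice(WARNING_FROM_ISSUE));
```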