Error signing in to Github. Try Again doesn't try again

[alexr00]

Fixes #4148

[dinofx]

@alexr00 is it possible this PR could have introduced an infinite loop for users that have clicked on "Try again?" when using a GH:E token that doesn't have the right access? We've had a few users today that have clicked on this button, and we've noticed thousands of requests from a few user's IPs to the graphql endpoint here:

vscode-pull-request-github/src/github/credentials.ts

Lines 370 to 372 in ad954b5

	createHttpLink({
	uri: `${url}/graphql`,
	// https://github.com/apollographql/apollo-link/issues/513

[alexr00]

@dinofx would these users be using a PAT and then just pasting the same incorrect PAT into VS Code?

[dinofx]

@alexr00 at least one user was using the new enterprise auth flow that involves some 6-digit code? I suspect the users might have provided an access token, but maybe it didn't have the right permissions? But when you click on "Try again", I don't think it prompts you again to change tokens (based on my experience from a few months ago).

I can't confirm the steps to reproduce this. Our IT department has asked everyone to disable the extension, as it only took a few users with this problem to bring our GH:E to its knees.

Also, I don't know if this is related to the problem, but the graphql URL being created in the code reference in my first comment is NOT the correct path for our GH:E. I think the path for us would be /api/graphql. Having said that, a lot of users were using this extension successfully, so it only seemed to be users who were shown and clicked the "Try again" action that cause the storm of requests.

[dinofx]

Would this change make sense:

while (retry) {
  retry = false;
  try {

so that the loop can only repeat with user interaction?

[alexr00]

@dinofx unless I'm missing something the structure of that while loop already means that the retry only occurs if there's user interaction.

How sure are you that this loop/the "Try again" button is what is causing the requests? I tried to force an error in a few ways but I wasn't able to kick off thousands of requests. Are you able to share some debug logs when these requests occur? Steps for getting logs:

1. Set "githubPullRequests.logLevel": "debug"
2. Reproduce the many requests issues.
3. Share the output from "GitHub Pull Request". If you don't want to share these logs publicly then you can email them to me using the email in my bio.

[alexr00]

Also, are these users definitely on the latest version of the extension? We had a bug 3 minor versions ago (fix was in 0.54.0) which caused enough requests to hit GitHub's rate limit: #3847

[dinofx]

@alexr00 I agree it seems like the loop should not "loop" without setting retry to false. Being totally unfamiliar with this code, I don't know if an exception is possible here (interrupting the loop):

vscode-pull-request-github/src/github/credentials.ts

Lines 212 to 220 in ad954b5

	try {
	await this.initialize(authProviderId, sessionOptions);
	} catch (e) {
	Logger.error(`${errorPrefix}: ${e}`);
	if (e instanceof Error && e.stack) {
	Logger.error(e.stack);
	}
	}
	octokit = this.getHub(authProviderId);

But then perhaps something causes login method to be called over and over (while both retry and forceNewSession are still true).

Someone has reached out to our infra folks to see if the extension's user-agent header might have version details. I will update if that becomes available.

Regarding 3847, that seems like it should be too old? Is there any chance the pre-release version was older than the official release on Feb 3rd? These problems happened after developers rebooted to apply an OS update. After rebooting, VSCode updated itself to the January release, and I assume any extensions would have had the same opportunity to be updated.

[alexr00]

Is there any chance the pre-release version was older than the official release on Feb 3rd?

If a user had installed a specific version of the extension or had turned off automatic extension updating then this could happen. But by default no, it shouldn't happen.

[alexr00]

@dinofx this maybe related: #4507