feat(IDE-1701): settings page auth flow — bridge persist and forward apiUrl by nick-y-snyk · Pull Request #366 · snyk/snyk-eclipse-plugin

nick-y-snyk · 2026-03-05T17:46:38Z

What & Why

The settings page drives authentication via snyk.login with [authMethod, endpoint, insecure] args. Before forwarding to the LS, the IDE must persist these values locally so they survive a page close. Additionally, $/snyk.hasAuthenticated now carries apiUrl which is forwarded to the settings browser so the settings page can update both fields after auth.

Bridge persist calls Preferences.store() only — no configurationChanged() means no didChangeConfiguration loop.

Changes

ExecuteCommandBridge.java (refactored to shared class, with new persist logic)
saveLoginArgs(List<Object> args) (package-private for testability) called before CommandHandler.getInstance().executeCommand(...) when "snyk.login".equals(command) && args.size() >= 3:

Maps args.get(0): "pat" → AUTH_PERSONAL_ACCESS_TOKEN, "token" → AUTH_API_TOKEN, default → AUTH_OAUTH2
prefs.store(Preferences.AUTHENTICATION_METHOD, authMethod)
prefs.store(Preferences.ENDPOINT_KEY, endpoint)
prefs.store(Preferences.INSECURE_KEY, String.valueOf(insecure))
No configurationChanged() call → no didChangeConfiguration sent to LS

SnykExtendedLanguageClient.java — hasAuthenticated
Calls HTMLSettingsPreferencePage.notifyAuthTokenChanged(newToken, param.getApiUrl()) when token changes — passes apiUrl alongside token so the settings browser updates both fields.

HTMLSettingsPreferencePage.java
notifyAuthTokenChanged(String token, String apiUrl) — passes apiUrl to window.setAuthToken(token, apiUrl) in the browser evaluate call.

Tests

ExecuteCommandBridgeTest.java: 5 new saveLoginArgs tests (oauth/pat/token mapping, endpoint stored, insecure stored as string "true"); class now extends LsBaseTest for prefs fixture

Test plan

Settings page: change endpoint + auth method → click Authenticate → IDE saves values → auth succeeds → token and apiUrl appear in settings page
Close/reopen settings page → values persist
Panel login → auth succeeds → token and apiUrl shown immediately in settings browser
No didChangeConfiguration fired when bridge saves auth params
Run test suite: mvn test

…rotocol version to 25 [IDE-1701] Replace __ideLogin__/__ideLogout__ BrowserFunctions with a generic __ideExecuteCommand__ bridge that dispatches any LS command with callback support. Bump REQUIRED_LS_PROTOCOL_VERSION to 25.

…use [IDE-1701] Move the __ideExecuteCommandBridge__ BrowserFunction and JS wrapper injection into a standalone ExecuteCommandBridge class. HTMLSettingsPreferencePage delegates to ExecuteCommandBridge.install(browser), enabling any future SWT Browser panel (e.g. tree view) to reuse the same bridge.

… flag - Remove persist field from HasAuthenticatedParam — always saves token and apiUrl - Restore original hasAuthenticated flow: always stores endpoint + token, calls configurationUpdater.configurationChanged(), triggers scan when conditions met - Keep notifyAuthTokenChanged(token, apiUrl) with apiUrl param — settings page webview always shows current token after auth - Add bridge persist in ExecuteCommandBridge.registerBridgeFunction: when snyk.login called with 3+ args, save authMethod/endpoint/insecure to Preferences directly (no configurationChanged() → no didChangeConfiguration to LS) - Remove setPersist() calls and persist-related tests from SnykExtendedLanguageClientTest - Add saveLoginArgs() tests to ExecuteCommandBridgeTest covering auth method mapping, endpoint, and insecure saving

snyk-io · 2026-03-05T17:46:57Z

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

… page browser Pass apiUrl alongside token when calling window.setAuthToken in the browser so the settings page can update both the token and apiUrl fields after auth.

+      prefs.store(Preferences.AUTHENTICATION_METHOD, authMethod);
+      prefs.store(Preferences.ENDPOINT_KEY, endpoint);
+      prefs.store(Preferences.INSECURE_KEY, insecure);
+    } catch (Exception e) {


+        List<Object> args;
+        try {
+          args = Arrays.asList(OBJECT_MAPPER.readValue(argsJson, Object[].class));
+        } catch (Exception e) {


+                                browser.evaluate(script);
+                              }
+                            });
+                  } catch (Exception e) {


- Add singleton + notifyAuthTokenChanged to native PreferencesPage so the SWT token field is updated live when hasAuthenticated fires, not just the HTML webview - Reorder hasAuthenticated() to update UIs before persisting to storage, avoiding race conditions where a settings-changed event re-reads stale values - Escape token and apiUrl before JS interpolation in notifyAuthTokenChanged to guard against single-quote injection - Fix dispose() identity check (== instead of .equals()) in both settings pages

…to compatibility - Add public updateToken() method to TokenFieldEditor to expose setStringValue() from outside the class (setStringValue is protected in StringFieldEditor) - Fix test failures on Java 21 by adding -XX:+EnableDynamicAgentLoading to tycho-surefire-plugin argLine, required for mockito-inline 4.5.1 to do byte-buddy instrumentation

…ion in ExecuteCommandBridge

Prevents XSS-to-arbitrary-command escalation by rejecting any command not prefixed with "snyk." before it reaches the Language Server.

andrewrobinsonhodges-snyk · 2026-03-26T18:05:15Z

                if (instance != null
                    && instance.browser != null
                    && !instance.browser.isDisposed()) {
+                  String safeToken = token.replace("\\", "\\\\").replace("'", "\\'");


We could consider pulling the escaping logc out into a utility function

andrewrobinsonhodges-snyk · 2026-03-26T18:07:20Z

+  }
+
+  @Test
+  void saveLoginArgs_savesOauthAuthMethod() {


Add test for default (this is implicitly testing it; better to be explicit)

Pull escapeForJsString() into ExecuteCommandBridge and replace inline escaping in both ExecuteCommandBridge and HTMLSettingsPreferencePage. Add explicit test for default (oauth) auth method fallback.

snyk-pr-review-bot · 2026-03-26T18:40:28Z

PR Reviewer Guide 🔍

🧪 PR contains tests
🔒 No security concerns identified
⚡ Recommended focus areas for review Silent Configuration Overwrite 🟡 [minor] In `hasAuthenticated`, the code now automatically persists the `apiUrl` received from the Language Server to the global `ENDPOINT_KEY` if it differs from the current setting. While this ensures the IDE and LS stay in sync during OAuth flows (e.g., when a user logs into a specific region), it may silently overwrite a user's manually configured custom endpoint without an explicit prompt. if (differentApi) { prefs.store(Preferences.ENDPOINT_KEY, param.getApiUrl()); }
📚 Repository Context Analyzed This review considered 21 relevant code sections from 13 files (average relevance: 0.87) plugin/src/main/java/io/snyk/languageserver/protocolextension/SnykExtendedLanguageClient.java (3 segments, lines 131-747) plugin/src/main/java/io/snyk/languageserver/protocolextension/messageObjects/scanResults/Issue.java (lines 1-54) plugin/src/main/java/io/snyk/eclipse/plugin/preferences/TokenFieldEditor.java (lines 1-38) plugin/src/main/java/io/snyk/eclipse/plugin/views/snyktoolview/SnykToolView.java (lines 1-540) plugin/src/main/java/io/snyk/eclipse/plugin/preferences/PreferencesPage.java (lines 1-234) plugin/src/main/java/io/snyk/eclipse/plugin/EnvironmentConstants.java (lines 1-13) plugin/src/main/java/io/snyk/eclipse/plugin/preferences/HTMLSettingsPreferencePage.java (lines 1-382) ... and 6 more file(s)

nick-y-snyk added 3 commits March 3, 2026 11:56

nick-y-snyk requested review from a team as code owners March 5, 2026 17:46

feat(IDE-1701): forward apiUrl in notifyAuthTokenChanged for settings…

89be4f7

… page browser Pass apiUrl alongside token when calling window.setAuthToken in the browser so the settings page can update both the token and apiUrl fields after auth.

github-advanced-security AI found potential problems Mar 5, 2026

View reviewed changes

nick-y-snyk changed the title ~~feat(IDE-1701): settings page auth flow — bridge persist and remove persist flag~~ feat(IDE-1701): settings page auth flow — bridge persist and forward apiUrl Mar 5, 2026

Merge branch 'main' into feat/generic-webview-execute-command-bridge

9760f45