fix: recover mTLS auth after settings races#976
Merged
Conversation
EhabY
force-pushed
the
fix/mtls-recovery-race
branch
3 times, most recently
from
4afb9d2 to
0e9e93b
Compare
EhabY
force-pushed
the
fix/mtls-recovery-race
branch
from
0e9e93b to
0487124
Compare
code-asher
approved these changes
May 22, 2026
EhabY
force-pushed
the
fix/mtls-recovery-race
branch
2 times, most recently
from
8566983 to
b617e20
Compare
- consolidate 401 recovery paths inside recoverFromUnauthorized - augment axios InternalAxiosRequestConfig via .d.ts so retry/cert/header flags are typed (drops every ad-hoc cast) - rename DeploymentManager.setDeploymentIfValid to verifyAndApplyDeployment - switch configWatcher from leading-edge throttle to true reset-style debounce - document headerCommandKeys cleanup on the augmented type and at the deletion site
EhabY
force-pushed
the
fix/mtls-recovery-race
branch
from
b617e20 to
4ca67d8
Compare
EhabY
added a commit
that referenced
this pull request
May 26, 2026
A session suspended by an mTLS or coder.headerCommand failure stayed suspended even after the user fixed the setting. Two races caused it: a request could 401 from a mid-flight settings change with no way to recover, and nothing re-tried once the fix landed. - Suspended sessions auto-recover once auth settings become valid again, with no logout/login round-trip. - A 401 caused by a settings change mid-flight is retried silently under the new settings instead of escalating to an interactive prompt. - Retried requests no longer carry stale headers from a previous header-command run. - Logout, deployment switch, or dispose during an in-flight auth verify is no longer overwritten by the verify finishing. - Cross-window login keeps listening if the first observed token from another window is invalid, so a follow-up valid write still resolves the dialog. - Config-change side-effects (reload prompt, recovery, reconnects) fire once edits settle instead of on the first event of a burst. - Concurrent logout no longer leaves stale deployment data in storage. Closes #973
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #973
A session suspended by an mTLS or
coder.headerCommandfailure stayed suspended even after the user fixed the setting. Two races caused it: a request could 401 from a mid-flight settings change with no way to recover, and nothing re-tried once the fix landed.What changes
Tests cover silent retry, retry escalation, debounce semantics, suspended-state recovery (including the racing-
clearDeploymentcase), and the header-cleanup-vs-session-token behaviour.pnpm typecheck,pnpm lint, andpnpm test:extensionclean.