fix: enhance authentication service to handle decryption error

dgolovin · dgolovin · commit 0edfb1b00c6e · 2026-02-18T23:33:54.000-08:00
- Added error handling for decryption failures in the authentication service,
   notifying users and deleting corrupted data.
- Ensured that the onDidChange listener is registered even when no stored
   data exists or decryption fails.
- Updated tests to cover new error handling scenarios and listener
   registration.

Signed-off-by: Denis Golovin &lt;dgolovin@redhat.com&gt;
diff --git a/__mocks__/@podman-desktop/api.js b/__mocks__/@podman-desktop/api.js
@@ -50,6 +50,7 @@ const plugin = {
       });
     },
     showInformationMessage: vi.fn(),
+    showWarningMessage: vi.fn(),
   },
   env: {
     createTelemetryLogger: vi.fn().mockImplementation(() => ({
diff --git a/src/authentication-service.spec.ts b/src/authentication-service.spec.ts
@@ -18,7 +18,7 @@
 /* eslint-disable sonarjs/no-nested-functions */
 
 import type { ExtensionContext } from '@podman-desktop/api';
-import { authentication } from '@podman-desktop/api';
+import { authentication, window } from '@podman-desktop/api';
 import type { BaseClient, TokenSet } from 'openid-client';
 import { Issuer } from 'openid-client';
 import { beforeEach, expect, test, vi } from 'vitest';
@@ -110,3 +110,100 @@ test('Authentication service loads tokens form secret storage during initializat
   expect(extensionContext.secrets.get).toHaveBeenCalledOnce();
   expect((await service.getSessions(['scope1', 'scope3', 'scope4'])).length).toBe(0);
 });
+
+test('Authentication service handles decryption errors gracefully', async () => {
+  const decryptionError = new Error('Error while decrypting the ciphertext provided to safeStorage.decryptString');
+
+  vi.mocked(window.showWarningMessage).mockResolvedValue('OK');
+
+  const onDidChangeCallback = vi.fn();
+  const extensionContext: ExtensionContext = {
+    secrets: {
+      get: vi.fn().mockRejectedValue(decryptionError),
+      store: vi.fn(),
+      delete: vi.fn().mockResolvedValue(undefined),
+      onDidChange: onDidChangeCallback,
+    },
+    subscriptions: [],
+  } as unknown as ExtensionContext;
+
+  const service = await RedHatAuthenticationService.build(extensionContext, getAuthConfig());
+  await service.initialize();
+
+  // Verify secrets.get was called
+  expect(extensionContext.secrets.get).toHaveBeenCalledOnce();
+
+  // Verify warning message was shown to user
+  expect(window.showWarningMessage).toHaveBeenCalledWith(
+    expect.stringContaining('could not be restored'),
+    'OK',
+  );
+
+  // Verify corrupted data was deleted
+  expect(extensionContext.secrets.delete).toHaveBeenCalledOnce();
+
+  // Verify onDidChange listener was still registered
+  expect(onDidChangeCallback).toHaveBeenCalledOnce();
+
+  // Verify no sessions exist after error
+  expect((await service.getSessions()).length).toBe(0);
+});
+
+test('Authentication service registers onDidChange listener even when no stored data exists', async () => {
+  const onDidChangeCallback = vi.fn();
+  const extensionContext: ExtensionContext = {
+    secrets: {
+      get: vi.fn().mockResolvedValue(undefined),
+      store: vi.fn(),
+      delete: vi.fn(),
+      onDidChange: onDidChangeCallback,
+    },
+    subscriptions: [],
+  } as unknown as ExtensionContext;
+
+  const service = await RedHatAuthenticationService.build(extensionContext, getAuthConfig());
+  await service.initialize();
+
+  // Verify secrets.get was called
+  expect(extensionContext.secrets.get).toHaveBeenCalledOnce();
+
+  // Verify onDidChange listener was registered even with no stored data
+  expect(onDidChangeCallback).toHaveBeenCalledOnce();
+
+  // Verify no sessions exist
+  expect((await service.getSessions()).length).toBe(0);
+});
+
+test('Authentication service handles delete error during decryption error recovery', async () => {
+  const decryptionError = new Error('Error while decrypting the ciphertext');
+  const deleteError = new Error('Failed to delete');
+
+  // Clear mock from previous tests
+  vi.mocked(window.showWarningMessage).mockClear();
+  vi.mocked(window.showWarningMessage).mockResolvedValue('OK');
+
+  const onDidChangeCallback = vi.fn();
+  const extensionContext: ExtensionContext = {
+    secrets: {
+      get: vi.fn().mockRejectedValue(decryptionError),
+      store: vi.fn(),
+      delete: vi.fn().mockRejectedValue(deleteError),
+      onDidChange: onDidChangeCallback,
+    },
+    subscriptions: [],
+  } as unknown as ExtensionContext;
+
+  const service = await RedHatAuthenticationService.build(extensionContext, getAuthConfig());
+
+  // Should not throw even if delete fails
+  await expect(service.initialize()).resolves.not.toThrow();
+
+  // Verify warning was still shown
+  expect(window.showWarningMessage).toHaveBeenCalledOnce();
+
+  // Verify delete was attempted
+  expect(extensionContext.secrets.delete).toHaveBeenCalledOnce();
+
+  // Verify onDidChange listener was still registered
+  expect(onDidChangeCallback).toHaveBeenCalledOnce();
+});
diff --git a/src/authentication-service.ts b/src/authentication-service.ts
@@ -155,7 +155,34 @@ export class RedHatAuthenticationService {
   }
 
   public async initialize(): Promise<void> {
-    const storedData = await this.context.secrets.get(this.config.serviceId);
+    let storedData: string | undefined;
+
+    // Try to get stored session data - may throw if decryption fails
+    try {
+      storedData = await this.context.secrets.get(this.config.serviceId);
+    } catch (error) {
+      // Decryption failed - encryption key likely changed after system update
+      Logger.error(`Failed to decrypt stored sessions: ${error}`);
+
+      // Notify user about the issue
+      await window.showWarningMessage(
+        'Your saved Red Hat SSO sessions could not be restored. ' +
+          'This can happen after a system update changes the encryption key. ' +
+          'Please sign in again.',
+        'OK',
+      );
+
+      // Delete the corrupted data from storage
+      try {
+        await this.context.secrets.delete(this.config.serviceId);
+      } catch {
+        // Ignore delete errors
+      }
+
+      // Don't return - still need to register the onDidChange listener below
+      storedData = undefined;
+    }
+
     if (storedData) {
       try {
         const sessions = this.parseStoredData(storedData);
@@ -197,13 +224,14 @@ export class RedHatAuthenticationService {
         Logger.info('Failed to initialize stored data');
         await this.clearSessions();
       }
-
-      this._disposables.push(
-        this.context.secrets.onDidChange(() => {
-          this.checkForUpdates().catch(console.error);
-        }),
-      );
     }
+
+    // Always register the listener to detect session changes
+    this._disposables.push(
+      this.context.secrets.onDidChange(() => {
+        this.checkForUpdates().catch(console.error);
+      }),
+    );
   }
 
   private parseStoredData(data: string): IStoredSession[] {
