fix: show different dialogs for authorization errors and other errors#305
Merged
fix: show different dialogs for authorization errors and other errors#305
Conversation
Contributor
Author
This stack of pull requests is managed by Graphite. Learn more about stacking. |
liukatkat
commented
Mar 26, 2026
| export class SemgrepPolicyViewProvider | ||
| implements vscode.TreeDataProvider<PolicyItem> | ||
| { | ||
| export class SemgrepPolicyViewProvider implements vscode.TreeDataProvider<PolicyItem> { |
Contributor
Author
There was a problem hiding this comment.
This is an unrelated change, but I had to do this to pass precommit.
liukatkat
changed the title
ajbt200128
approved these changes
Mar 31, 2026
semgrep-ci Bot
pushed a commit
to semgrep/semgrep
that referenced
this pull request
Apr 1, 2026
…ion (semgrep/semgrep-proprietary#5938) ### Why: As reported in ENGINE-2638 (IDE login issues propagating to MCP), users who have both MCP/Plugin and the IDE enabled are frequently required to rerun `semgrep login`. During investigation, I found that we clear the stored Semgrep token and surface an “invalid token” error (via a popup dialog) even when token validation fails for reasons other than a 401, which is bad. Additionally, I want to ensure that this IDE behavior does not negatively impact MCP. Currently, the IDE clears tokens whenever validation fails, but the underlying issue may be with how validation is performed rather than the token itself. Since MCP depends on these tokens, this can lead to unnecessary login churn. ### How: To address the first issue, in this PR (and [a corresponding PR ](semgrep/semgrep-vscode#305 the `semgrep-vscode` repo), I’ve updated error handling so that different failure modes produce distinct logs and popup dialogs. This will help us better understand what’s actually happening when users encounter this issue again. For the second point, this PR removes all instances where the IDE proactively clears stored tokens. Instead, if the IDE determines that a token is invalid, we return an error and allow the user to explicitly re-authenticate, overwriting the existing token if needed. One remaining issue is that we currently rely on `is_logged_in_weak` during `LoginStart` requests to determine login state. If we stop clearing invalid tokens, this check may incorrectly treat a bad token as valid. As a result, we should update `LoginStart` to perform a proper token validation check rather than relying solely on `is_logged_in_weak`. ### Test plan: See the test plan in semgrep/semgrep-vscode#305. synced from Pro 8dc8daf9a14a8c3e9526601dd00877acf6dfe6b9
semgrep-ci Bot
pushed a commit
to semgrep/semgrep
that referenced
this pull request
Apr 2, 2026
…ion (semgrep/semgrep-proprietary#5938) ### Why: As reported in ENGINE-2638 (IDE login issues propagating to MCP), users who have both MCP/Plugin and the IDE enabled are frequently required to rerun `semgrep login`. During investigation, I found that we clear the stored Semgrep token and surface an “invalid token” error (via a popup dialog) even when token validation fails for reasons other than a 401, which is bad. Additionally, I want to ensure that this IDE behavior does not negatively impact MCP. Currently, the IDE clears tokens whenever validation fails, but the underlying issue may be with how validation is performed rather than the token itself. Since MCP depends on these tokens, this can lead to unnecessary login churn. ### How: To address the first issue, in this PR (and [a corresponding PR ](semgrep/semgrep-vscode#305 the `semgrep-vscode` repo), I’ve updated error handling so that different failure modes produce distinct logs and popup dialogs. This will help us better understand what’s actually happening when users encounter this issue again. For the second point, this PR removes all instances where the IDE proactively clears stored tokens. Instead, if the IDE determines that a token is invalid, we return an error and allow the user to explicitly re-authenticate, overwriting the existing token if needed. One remaining issue is that we currently rely on `is_logged_in_weak` during `LoginStart` requests to determine login state. If we stop clearing invalid tokens, this check may incorrectly treat a bad token as valid. As a result, we should update `LoginStart` to perform a proper token validation check rather than relying solely on `is_logged_in_weak`. ### Test plan: See the test plan in semgrep/semgrep-vscode#305. synced from Pro 8dc8daf9a14a8c3e9526601dd00877acf6dfe6b9
semgrep-ci Bot
pushed a commit
to semgrep/semgrep
that referenced
this pull request
Apr 3, 2026
…ion (semgrep/semgrep-proprietary#5938) ### Why: As reported in ENGINE-2638 (IDE login issues propagating to MCP), users who have both MCP/Plugin and the IDE enabled are frequently required to rerun `semgrep login`. During investigation, I found that we clear the stored Semgrep token and surface an “invalid token” error (via a popup dialog) even when token validation fails for reasons other than a 401, which is bad. Additionally, I want to ensure that this IDE behavior does not negatively impact MCP. Currently, the IDE clears tokens whenever validation fails, but the underlying issue may be with how validation is performed rather than the token itself. Since MCP depends on these tokens, this can lead to unnecessary login churn. ### How: To address the first issue, in this PR (and [a corresponding PR ](semgrep/semgrep-vscode#305 the `semgrep-vscode` repo), I’ve updated error handling so that different failure modes produce distinct logs and popup dialogs. This will help us better understand what’s actually happening when users encounter this issue again. For the second point, this PR removes all instances where the IDE proactively clears stored tokens. Instead, if the IDE determines that a token is invalid, we return an error and allow the user to explicitly re-authenticate, overwriting the existing token if needed. One remaining issue is that we currently rely on `is_logged_in_weak` during `LoginStart` requests to determine login state. If we stop clearing invalid tokens, this check may incorrectly treat a bad token as valid. As a result, we should update `LoginStart` to perform a proper token validation check rather than relying solely on `is_logged_in_weak`. ### Test plan: See the test plan in semgrep/semgrep-vscode#305. synced from Pro 8dc8daf9a14a8c3e9526601dd00877acf6dfe6b9
semgrep-ci Bot
pushed a commit
to semgrep/semgrep
that referenced
this pull request
Apr 3, 2026
…ion (semgrep/semgrep-proprietary#5938) ### Why: As reported in ENGINE-2638 (IDE login issues propagating to MCP), users who have both MCP/Plugin and the IDE enabled are frequently required to rerun `semgrep login`. During investigation, I found that we clear the stored Semgrep token and surface an “invalid token” error (via a popup dialog) even when token validation fails for reasons other than a 401, which is bad. Additionally, I want to ensure that this IDE behavior does not negatively impact MCP. Currently, the IDE clears tokens whenever validation fails, but the underlying issue may be with how validation is performed rather than the token itself. Since MCP depends on these tokens, this can lead to unnecessary login churn. ### How: To address the first issue, in this PR (and [a corresponding PR ](semgrep/semgrep-vscode#305 the `semgrep-vscode` repo), I’ve updated error handling so that different failure modes produce distinct logs and popup dialogs. This will help us better understand what’s actually happening when users encounter this issue again. For the second point, this PR removes all instances where the IDE proactively clears stored tokens. Instead, if the IDE determines that a token is invalid, we return an error and allow the user to explicitly re-authenticate, overwriting the existing token if needed. One remaining issue is that we currently rely on `is_logged_in_weak` during `LoginStart` requests to determine login state. If we stop clearing invalid tokens, this check may incorrectly treat a bad token as valid. As a result, we should update `LoginStart` to perform a proper token validation check rather than relying solely on `is_logged_in_weak`. ### Test plan: See the test plan in semgrep/semgrep-vscode#305. synced from Pro 8dc8daf9a14a8c3e9526601dd00877acf6dfe6b9
semgrep-ci Bot
pushed a commit
to semgrep/semgrep
that referenced
this pull request
Apr 6, 2026
…ion (semgrep/semgrep-proprietary#5938) ### Why: As reported in ENGINE-2638 (IDE login issues propagating to MCP), users who have both MCP/Plugin and the IDE enabled are frequently required to rerun `semgrep login`. During investigation, I found that we clear the stored Semgrep token and surface an “invalid token” error (via a popup dialog) even when token validation fails for reasons other than a 401, which is bad. Additionally, I want to ensure that this IDE behavior does not negatively impact MCP. Currently, the IDE clears tokens whenever validation fails, but the underlying issue may be with how validation is performed rather than the token itself. Since MCP depends on these tokens, this can lead to unnecessary login churn. ### How: To address the first issue, in this PR (and [a corresponding PR ](semgrep/semgrep-vscode#305 the `semgrep-vscode` repo), I’ve updated error handling so that different failure modes produce distinct logs and popup dialogs. This will help us better understand what’s actually happening when users encounter this issue again. For the second point, this PR removes all instances where the IDE proactively clears stored tokens. Instead, if the IDE determines that a token is invalid, we return an error and allow the user to explicitly re-authenticate, overwriting the existing token if needed. One remaining issue is that we currently rely on `is_logged_in_weak` during `LoginStart` requests to determine login state. If we stop clearing invalid tokens, this check may incorrectly treat a bad token as valid. As a result, we should update `LoginStart` to perform a proper token validation check rather than relying solely on `is_logged_in_weak`. ### Test plan: See the test plan in semgrep/semgrep-vscode#305. synced from Pro 8dc8daf9a14a8c3e9526601dd00877acf6dfe6b9
yosefAlsuhaibani
pushed a commit
to semgrep/semgrep
that referenced
this pull request
Apr 6, 2026
…ion (semgrep/semgrep-proprietary#5938) ### Why: As reported in ENGINE-2638 (IDE login issues propagating to MCP), users who have both MCP/Plugin and the IDE enabled are frequently required to rerun `semgrep login`. During investigation, I found that we clear the stored Semgrep token and surface an “invalid token” error (via a popup dialog) even when token validation fails for reasons other than a 401, which is bad. Additionally, I want to ensure that this IDE behavior does not negatively impact MCP. Currently, the IDE clears tokens whenever validation fails, but the underlying issue may be with how validation is performed rather than the token itself. Since MCP depends on these tokens, this can lead to unnecessary login churn. ### How: To address the first issue, in this PR (and [a corresponding PR ](semgrep/semgrep-vscode#305 the `semgrep-vscode` repo), I’ve updated error handling so that different failure modes produce distinct logs and popup dialogs. This will help us better understand what’s actually happening when users encounter this issue again. For the second point, this PR removes all instances where the IDE proactively clears stored tokens. Instead, if the IDE determines that a token is invalid, we return an error and allow the user to explicitly re-authenticate, overwriting the existing token if needed. One remaining issue is that we currently rely on `is_logged_in_weak` during `LoginStart` requests to determine login state. If we stop clearing invalid tokens, this check may incorrectly treat a bad token as valid. As a result, we should update `LoginStart` to perform a proper token validation check rather than relying solely on `is_logged_in_weak`. ### Test plan: See the test plan in semgrep/semgrep-vscode#305. synced from Pro 8dc8daf9a14a8c3e9526601dd00877acf6dfe6b9
Contributor
Author
Merge activity
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR adds a new command
loginFailedNudgewhich is different from theloginNudge. This command is intended to be the pop up dialog for any non-authorization errors occurred during login.Reasons as to why we need to do this is documented here: https://github.com/semgrep/semgrep-proprietary/pull/5938
This change should only be released after the change in the
semgrep-proprietaryrepo is released and bumped in this repo.Test plan:
Experimental LS
No token:
Network error:
and token was not cleared out.
Bad token (authorization error):
and token was not cleared out.
Also checked that rules were successfully refreshed for the valid token case
Legacy:
No token:
Network error:
and token wasn't cleared out.
Bad token (authorization error):
and token wasn't cleared out.
Also checked that rules were successfully refreshed for the valid token case
PR checklist:
If you're unsure about any of this, please see: