feat: use environment variables for CLI auth instead of file flags #663
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Pass CODER_URL and CODER_SESSION_TOKEN via SSH SetEnv directive instead of using --session-token-file and --url-file CLI flags. This simplifies the auth flow by using environment variables that the CLI natively supports. Changes: - Remove --session-token-file and --url-file from vscodessh ProxyCommand - Add CODER_URL and CODER_SESSION_TOKEN to SSH SetEnv directive - Update doc comments to reflect persistence-only purpose of file storage - Keep file-based storage for extension's own credential persistence
EhabY
reviewed
Nov 26, 2025
Comment on lines
-680
to
-682
| )}${await this.formatLogArg(logDir)} --session-token-file ${escapeCommandArg(this.pathResolver.getSessionTokenPath(label))} --url-file ${escapeCommandArg( | ||
| this.pathResolver.getUrlPath(label), | ||
| )} %h`; |
Collaborator
There was a problem hiding this comment.
This removes the session token and URL file from being passed to vscodessh which is the old client that I think is only used by some older servers (< 2.19.0)
| UserKnownHostsFile: "/dev/null", | ||
| LogLevel: "ERROR", | ||
| }; | ||
| if (sshSupportsSetEnv()) { |
Collaborator
There was a problem hiding this comment.
Wouldn't this just fail if the SSH does not support SetEnv? is it possible to have this as a fallback?
| sshValues.SetEnv = " CODER_SSH_SESSION_TYPE=vscode"; | ||
| // Pass Coder URL, session token, and session type via environment. | ||
| // The CLI reads CODER_URL and CODER_SESSION_TOKEN from the environment. | ||
| sshValues.SetEnv = ` CODER_URL=${url} CODER_SESSION_TOKEN=${token} CODER_SSH_SESSION_TYPE=vscode`; |
Collaborator
There was a problem hiding this comment.
Here we still have the token in plaintext but it's now in <globalDir>/<deployment url>/session and in the proxy command (somewhere in ~/.ssh/config?)
Comment on lines
737
to
744
| private globalConfigs(label: string): string { | ||
| const vscodeConfig = vscode.workspace.getConfiguration(); | ||
| const args = getGlobalFlags( | ||
| vscodeConfig, | ||
| this.pathResolver.getGlobalConfigDir(label), | ||
| ); | ||
| return ` ${args.join(" ")}`; | ||
| } |
Collaborator
There was a problem hiding this comment.
If we want to rely on environment variables fully then we need to update the getGlobalFlags function to not return "--global-config", escapeCommandArg(configDir)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Pass
CODER_URLandCODER_SESSION_TOKENvia SSHSetEnvdirective instead of using--session-token-fileand--url-fileCLI flags. This simplifies the auth flow by using environment variables that the CLI natively supports.Changes
--session-token-fileand--url-filefromvscodesshProxyCommandCODER_URLandCODER_SESSION_TOKENto SSHSetEnvdirectiveHow it works
Previously:
Now:
The CLI reads credentials from environment variables, which SSH passes via
SetEnv.