Refactor OAuth flow: separate authorization from session management

  The changes extract the OAuth authorization flow into a dedicated OAuthAuthorizer class:
  - OAuthAuthorizer handles login: client registration, PKCE, browser flow, token exchange
  - OAuthSessionManager focuses on token lifecycle: refresh, revocation, interceptor
  - LoginCoordinator now owns OAuthAuthorizer and stores OAuth tokens in session auth
  - Removes oauthSessionManager from Commands and UriHandler constructors

This separation clarifies responsibilities and simplifies the auth flow.

Author: EhabY

src/commands.ts

@@ -19,7 +19,6 @@ import { type DeploymentManager } from "./deployment/deploymentManager";
 import { CertificateError } from "./error";
 import { type Logger } from "./logging/logger";
 import { type LoginCoordinator } from "./login/loginCoordinator";
-import { type OAuthSessionManager } from "./oauth/sessionManager";
 import { maybeAskAgent, maybeAskUrl } from "./promptUtils";
 import { escapeCommandArg, toRemoteAuthority, toSafeHost } from "./util";
 import {
@@ -52,7 +51,6 @@ export class Commands {
 	public constructor(
 		serviceContainer: ServiceContainer,
 		private readonly extensionClient: CoderApi,
-		private readonly oauthSessionManager: OAuthSessionManager,
 		private readonly deploymentManager: DeploymentManager,
 	) {
 		this.vscodeProposed = serviceContainer.getVsCodeProposed();
@@ -107,7 +105,6 @@ export class Commands {
 			safeHostname,
 			url,
 			autoLogin: args?.autoLogin,
-			oauthSessionManager: this.oauthSessionManager,
 		});
 
 		if (!result.success) {

src/core/container.ts

@@ -48,6 +48,7 @@ export class ServiceContainer implements vscode.Disposable {
 			this.mementoManager,
 			this.vscodeProposed,
 			this.logger,
+			context.extension.id,
 		);
 	}
 
@@ -89,5 +90,6 @@ export class ServiceContainer implements vscode.Disposable {
 	dispose(): void {
 		this.contextManager.dispose();
 		this.logger.dispose();
+		this.loginCoordinator.dispose();
 	}
 }

src/extension.ts

@@ -73,7 +73,6 @@ export async function activate(ctx: vscode.ExtensionContext): Promise<void> {
 	const oauthSessionManager = OAuthSessionManager.create(
 		deployment,
 		serviceContainer,
-		ctx.extension.id,
 	);
 	ctx.subscriptions.push(oauthSessionManager);
 
@@ -152,19 +151,13 @@ export async function activate(ctx: vscode.ExtensionContext): Promise<void> {
 
 	// Register globally available commands.  Many of these have visibility
 	// controlled by contexts, see `when` in the package.json.
-	const commands = new Commands(
-		serviceContainer,
-		client,
-		oauthSessionManager,
-		deploymentManager,
-	);
+	const commands = new Commands(serviceContainer, client, deploymentManager);
 
 	ctx.subscriptions.push(
 		registerUriHandler(
 			serviceContainer,
 			deploymentManager,
 			commands,
-			oauthSessionManager,
 			vscodeProposed,
 		),
 		vscode.commands.registerCommand(

src/login/loginCoordinator.ts

@@ -5,40 +5,48 @@ import * as vscode from "vscode";
 import { CoderApi } from "../api/coderApi";
 import { needToken } from "../api/utils";
 import { CertificateError } from "../error";
-import { type OAuthSessionManager } from "../oauth/sessionManager";
+import { OAuthAuthorizer } from "../oauth/authorizer";
+import { buildOAuthTokenData } from "../oauth/utils";
 import { maybeAskAuthMethod, maybeAskUrl } from "../promptUtils";
 
 import type { User } from "coder/site/src/api/typesGenerated";
 
 import type { MementoManager } from "../core/mementoManager";
-import type { SecretsManager } from "../core/secretsManager";
+import type { OAuthTokenData, SecretsManager } from "../core/secretsManager";
 import type { Deployment } from "../deployment/types";
 import type { Logger } from "../logging/logger";
 
 type LoginResult =
 	| { success: false }
-	| { success: true; user: User; token: string };
+	| { success: true; user: User; token: string; oauth?: OAuthTokenData };
 
 interface LoginOptions {
 	safeHostname: string;
 	url: string | undefined;
-	oauthSessionManager: OAuthSessionManager;
 	autoLogin?: boolean;
 	token?: string;
 }
 
 /**
  * Coordinates login prompts across windows and prevents duplicate dialogs.
  */
-export class LoginCoordinator {
+export class LoginCoordinator implements vscode.Disposable {
 	private loginQueue: Promise<unknown> = Promise.resolve();
+	private readonly oauthAuthorizer: OAuthAuthorizer;
 
 	constructor(
 		private readonly secretsManager: SecretsManager,
 		private readonly mementoManager: MementoManager,
 		private readonly vscodeProposed: typeof vscode,
 		private readonly logger: Logger,
-	) {}
+		extensionId: string,
+	) {
+		this.oauthAuthorizer = new OAuthAuthorizer(
+			secretsManager,
+			logger,
+			extensionId,
+		);
+	}
 
 	/**
 	 * Direct login - for user-initiated login via commands.
@@ -47,12 +55,11 @@ export class LoginCoordinator {
 	public async ensureLoggedIn(
 		options: LoginOptions & { url: string },
 	): Promise<LoginResult> {
-		const { safeHostname, url, oauthSessionManager } = options;
+		const { safeHostname, url } = options;
 		return this.executeWithGuard(async () => {
 			const result = await this.attemptLogin(
 				{ safeHostname, url },
 				options.autoLogin ?? false,
-				oauthSessionManager,
 				options.token,
 			);
 
@@ -68,8 +75,7 @@ export class LoginCoordinator {
 	public async ensureLoggedInWithDialog(
 		options: LoginOptions & { message?: string; detailPrefix?: string },
 	): Promise<LoginResult> {
-		const { safeHostname, url, detailPrefix, message, oauthSessionManager } =
-			options;
+		const { safeHostname, url, detailPrefix, message } = options;
 		return this.executeWithGuard(async () => {
 			// Show dialog promise
 			const dialogPromise = this.vscodeProposed.window
@@ -101,7 +107,6 @@ export class LoginCoordinator {
 						const result = await this.attemptLogin(
 							{ url: newUrl, safeHostname },
 							false,
-							oauthSessionManager,
 							options.token,
 						);
 
@@ -137,6 +142,7 @@ export class LoginCoordinator {
 			await this.secretsManager.setSessionAuth(safeHostname, {
 				url,
 				token: result.token,
+				oauth: result.oauth, // undefined for non-OAuth logins
 			});
 			await this.mementoManager.addToUrlHistory(url);
 		}
@@ -195,7 +201,6 @@ export class LoginCoordinator {
 	private async attemptLogin(
 		deployment: Deployment,
 		isAutoLogin: boolean,
-		oauthSessionManager: OAuthSessionManager,
 		providedToken?: string,
 	): Promise<LoginResult> {
 		const client = CoderApi.create(deployment.url, "", this.logger);
@@ -232,15 +237,9 @@ export class LoginCoordinator {
 		const authMethod = await maybeAskAuthMethod(client);
 		switch (authMethod) {
 			case "oauth":
-				return this.loginWithOAuth(oauthSessionManager, deployment);
-			case "legacy": {
-				const result = await this.loginWithToken(client);
-				if (result.success) {
-					// Clear OAuth state since user explicitly chose token auth
-					await oauthSessionManager.clearOAuthState();
-				}
-				return result;
-			}
+				return this.loginWithOAuth(deployment);
+			case "legacy":
+				return this.loginWithToken(client);
 			case undefined:
 				return { success: false }; // User aborted
 		}
@@ -359,27 +358,29 @@ export class LoginCoordinator {
 	/**
 	 * OAuth authentication flow.
 	 */
-	private async loginWithOAuth(
-		oauthSessionManager: OAuthSessionManager,
-		deployment: Deployment,
-	): Promise<LoginResult> {
+	private async loginWithOAuth(deployment: Deployment): Promise<LoginResult> {
 		try {
 			this.logger.info("Starting OAuth authentication");
 
-			const { token, user } = await vscode.window.withProgress(
+			const { tokenResponse, user } = await vscode.window.withProgress(
 				{
 					location: vscode.ProgressLocation.Notification,
 					title: "Authenticating",
 					cancellable: true,
 				},
-				async (progress, token) =>
-					await oauthSessionManager.login(deployment, progress, token),
+				async (progress, cancellationToken) =>
+					await this.oauthAuthorizer.login(
+						deployment,
+						progress,
+						cancellationToken,
+					),
 			);
 
 			return {
 				success: true,
-				token,
+				token: tokenResponse.access_token,
 				user,
+				oauth: buildOAuthTokenData(tokenResponse),
 			};
 		} catch (error) {
 			const title = "OAuth authentication failed";
@@ -394,4 +395,8 @@ export class LoginCoordinator {
 			return { success: false };
 		}
 	}
+
+	public dispose(): void {
+		this.oauthAuthorizer.dispose();
+	}
 }