[Bug]: GitHub login status gets lost after restarting of code-server daemon

[karuboniru]

Is there an existing issue for this?

• I have searched the existing issues

OS/Web Information

• Web Browser: FireFox
• Local OS: Fedora 36 Workstation Beta And Windows 11
• Remote OS: Fedora Server 36 Beta
• Remote Architecture: x86_64
• code-server --version: 4.2.0 693b1fac04524bb0e0cfbb93afc85702263329bb with Code 1.64.2

Steps to Reproduce

1. Install GitHub related addons, e.g. copilot
2. Login the extension
3. Restart code-server via systemctl restart code-server@user
4. Reopen code page

Expected

GitHub login status should persist, no need to re-login

Actual

extension asked to login again

Logs

No response

Screenshot/Video

No response

Does this issue happen in VS Code?

• I cannot reproduce this in VS Code.

Are you accessing code-server over HTTPS?

• I am using HTTPS.

Notes

The disscussion may provide more infomation.
#5052

[jsjoeio]

Hmm...I'm using the PWA on macOS + Brave and the login persists (tested GitHub Pull Requests extension)

I also tested opening it up in the browser directly and couldn't reproduce.

Does this happen on Chrome or other browsers?

[karuboniru]

Tried chrome also, no luck, still need a re-login.
Just curious, where is the credentials supposed to be stored at, I suspect it should be in the local storage, but I did not see anything like a credential

[jsjoeio]

Ah, thanks for confirming. Based on our patch related to GitHub auth, I think it is stored in localStorage. See this. You can dig in to the code here

And you should see it in localStorage here:

[ZauberNerd]

I have the same issue. Previously (up to code-server v4.1.0) the credentials were stored in the browser storage (maybe indexed DB or local storage - haven't checked it in detail).

Since code-server v4.2.0 the credentials are not stored in the browser anymore, but apparently they are stored in-memory on the server. Thus restarting the server causes it to forget them (as described above).

The following log might be related to this, since it mentions switching to an in-memory credential store because keytar failed to load.
On the other hand, it looks like keytar is intentionally not installed: #5018 and we wouldn't want to use keytar, because then the credentials would be stored in the hosts local keyring / keychain.

[2022-04-27T18:24:48.025Z] info  code-server 4.3.0 09bc30027a7fbba170f907a527eaa9f7219fe739
[2022-04-27T18:24:48.027Z] info  Using user-data-dir ~/.local/share/code-server
[2022-04-27T18:24:48.051Z] info  Using config file ~/.config/code-server/config.yaml
[2022-04-27T18:24:48.051Z] info  HTTP server listening on http://127.0.0.1:9090/
[2022-04-27T18:24:48.051Z] info    - Authentication is disabled
[2022-04-27T18:24:48.052Z] info    - Not serving HTTPS
[18:24:54] Extension host agent started.
[18:24:56] [127.0.0.1][bf000a82][ManagementConnection] New connection established.
[18:24:57] [127.0.0.1][e21040ab][ExtensionHostConnection] New connection established.
[18:24:57] [127.0.0.1][e21040ab][ExtensionHostConnection] <2762> Launched Extension Host Process.
[18:25:01] Switching to using in-memory credential store instead because Keytar failed to load: Cannot find module '../build/Release/keytar.node'
Require stack:
- /usr/lib/code-server/lib/vscode/node_modules/keytar/lib/keytar.js
- /usr/lib/code-server/lib/vscode/out/bootstrap-amd.js
- /usr/lib/code-server/out/node/util.js
- /usr/lib/code-server/out/node/cli.js
- /usr/lib/code-server/out/node/entry.js

[stevenlafl]

I created this to solve the problem. Since vscode expects keytar I just implemented it in NodeJS and had it write to a file. It does not perform the same keyring activity that the original does - it's more or less a simple keystore.

https://github.com/stevenlafl/node-keytar/blob/master/lib/keytar.js

You can encrypt it with environment variable ENCRYPTION_KEY, though it's visible to VSCode, so I am not sure how useful that feature is to anyone yet.

So, in a Dockerfile:

# Install Keytar replacement
# Places credentials in $HOME/.local/creds/keytar.json
USER root

RUN curl -L https://raw.githubusercontent.com/stevenlafl/node-keytar/master/lib/keytar.js -o /usr/lib/code-server/lib/vscode/node_modules/keytar/lib/keytar.js

USER coder

Then volume mount /home/coder/.local/creds to wherever you want. (of course, chown it from within the container so coder can access it)

[jsjoeio]

Hmm... @code-asher what are your thoughts on how we can fix this? 🤔

Re-reading the comments seems like upstream moved this out of localStorage causing the issue. Not sure what the best approach is here.

[code-asher]

Huh yeah my memory is also that it used to be in browser storage so if they moved it out that would explain the problem.

Our Linux builds were silently not including keytar (yarn failed to build but never errored) because we were missing the libsecret dependency which I think we added recently so hopefully that means it stops using the in-memory store (from 4.9.1 onward I think).

[hacker1024]

Is there another way we could store secrets without relying on libsecret? D-Bus can be a pain to set up on headless servers. It'd be great if a solution like @stevenlafl's could be included somehow.

[code-asher]

I think a proposal to change secret storage would make more sense upstream rather than a patch here in code-server but there might be an existing method that works better because Codespaces does not seem to spawn dbus yet presumably secrets work there. So if we can figure that out maybe we can leverage it in code-server.

[code-asher]

Just in case this is useful I was experimenting with how one might get keytar working and this did the trick:

dbus-run-session sh -c 'echo pass | gnome-keyring-daemon --unlock --replace ; code-server'

Unfortunate that the password has to be provided like this though. Maybe there is a better way to unlock the keyring or maybe there is a different keyring that would work better (one that could ask for the password through Code might be ideal).

[2ndMessiah]

GH login session will still expire if the code-server daemon is restarted on v4.13.0

I restart my server every morning to free the memory etc...So I have to log in to copilot and GH repo every day...I hope we can solve this issue and it would save much of time.

Appreciate it!

[aleleba]

I have this same isuue.

[cleardusk]

The same issue on v4.16.1.

[Zai-Kun]

Same issue here.

[Sharpz7]

Yeah for a long time I didn't have this problem, on the newer versions I do again (4.16.1)

In fact, its even worse in the sense that every time I reload I have to re-login

[dexter4life]

I need to know when this problem is going to be fixed?

[code-asher]

Is the session still lost if running code-server with dbus? If so that sounds like a bug. Making secrets work without dbus is not something I have time to do at the moment but maybe it would make sense to propose a change upstream. If it is not something upstream is willing to consider we could try patching secret storage in code-server if the changes are reasonably succinct.

[Zai-Kun]

I attempted to run code-server with dbus using this command:

dbus-run-session sh -c 'echo pass | gnome-keyring-daemon --unlock --replace ; code-server'

However, the issue still persists.

[Zai-Kun]

When will this issue be resolved? Is there any temporary solution I can implement?

[benz0li]

When will this issue be resolved? Is there any temporary solution I can implement?

@Zai-Kun You can either set github-auth in the config file, set GITHUB_TOKEN=<personal access token> before starting code-server or start code-server with --github-auth=<personal access token> (Personal access token with scopes repo and user).
👉 The extension should then be authenticated. (If not, Device activation may require a one-time login from the extension's sidebar.)

Cross references:

• https://github.com/coder/code-server/blob/5ce99f8d1c0d72735a123e964c1aa3529243d553/patches/github-auth.diff
• [Feat]: Accept Multiple GITHUB_TOKEN  #6199

[Zai-Kun]

@Zai-Kun You can either set github-auth in the config file, set GITHUB_TOKEN=<Personal Access Token> before starting code-server or start code-server with --github-auth=<Personal Access Token> (Personal Access Token with scopes repo and user). 👉 The extension should then be authenticated.

Thanks, it seems to be working now.

[benz0li]

P.S.: The same applies for the GitLab Workflow extensions, i.e. set environment variables GITLAB_WORKFLOW_INSTANCE_URL and GITLAB_WORKFLOW_TOKEN before starting code-server.

[benz0li]

[...] we could try patching secret storage in code-server if the changes are reasonably succinct.

@code-asher Yes, please have a look at this.

As @AntoineMorcos pointed out in #6408, VS Code moved away from keytar (due to its archival) in favor of Electron's safeStorage API since version 1.80 and higher.

[gcarrarom]

When will this issue be resolved? Is there any temporary solution I can implement?

@Zai-Kun You can either set github-auth in the config file, set GITHUB_TOKEN=<personal access token> before starting code-server or start code-server with --github-auth=<personal access token> (Personal access token with scopes repo and user). 👉 The extension should then be authenticated. (If not, Device activation may require a one-time login from the extension's sidebar.)

Cross references:

• https://github.com/coder/code-server/blob/5ce99f8d1c0d72735a123e964c1aa3529243d553/patches/github-auth.diff
• [Feat]: Accept Multiple GITHUB_TOKEN  #6199

Interestingly it is not working for my version of the image. I will troubleshoot a bit more to figure out why, but it doesn't seem to be using the gitlab or github auth tokens from here. I've tried authenticating after setting the environment variable and it still comes back unauthenticated once I open another window.

[rohit901]

@Zai-Kun You can either set github-auth in the config file, set GITHUB_TOKEN= before starting code-server

@benz0li, in this instruction you mean that we have to set an ENVIRONMENT Variable GITHUB_TOKEN=<our_generated_github_pat> and then start the code-server right?

[benz0li]

@benz0li, in this instruction you mean that we have to set an ENVIRONMENT Variable GITHUB_TOKEN=<our_generated_github_pat> and then start the code-server right?

Correct. E.g. export GITHUB_TOKEN=<our_generated_github_pat> and then start code-server.

[rohit901]

@benz0li copilot is still asking to sign in using github, each time i quit server and open again. I generated my personal access token with the repo and user scope as you said, putting it in GITHUB_TOKEN environment variable and starting code-server with:
.local/bin/code-server --bind-addr 0.0.0.0:11000

[rohit901]

If it helps this is the log from console when selecting github authentication. am i doing something wrong?

[benz0li]

@rohit901 I never claimed that this method works with GitHub Copilot¹.
ℹ️ This extension may only be used with VS Code from Microsoft.

My advice: Keep your hands off GitHub Copilot.
https://drewdevault.com/2022/06/23/Copilot-GPL-washing.html

Footnotes

1. I do not know, if a personal access token with scopes repo and user is sufficient for GitHub Copilot – it is for GitHub Pull Requests and Issues, though. ↩

[starball5]

Potentially related on Stack Overflow: VS Code with code-server (circa version 4.2.0-4.16.0) always asks for login credential after restart