Secrets API #112249

Closed
RMacfarlane opened this issue Dec 10, 2020 · 6 comments
Labels
api-finalization insiders-released Patch has been released in VS Code Insiders
@RMacfarlane
Contributor

A couple of months ago we introduced password-related APIs that are currently being used by the built-in auth provider extensions. These APIs expose a first-class way for extensions to store sensitive information, instead of having to use a library like keytar themselves. The API currently looks like:

		/**
		 * Retrieve a password that was stored with key. Returns undefined if there
		 * is no password matching that key.
		 * @param key The key the password was stored under.
		 */
		export function getPassword(key: string): Thenable<string | undefined>;

		/**
		 * Store a password under a given key.
		 * @param key The key to store the password under
		 * @param value The password
		 */
		export function setPassword(key: string, value: string): Thenable<void>;

		/**
		 * Remove a password from storage.
		 * @param key The key the password was stored under.
		 */
		export function deletePassword(key: string): Thenable<void>;

		/**
		 * Fires when a password is set or deleted.
		 */
		export const onDidChangePassword: Event<void>;

Some suggestions that I plan to adopt are

  • move to the extension context instead of the authentication namespace, as what's being stored is not necessarily auth info, and these APIs are similar to the storage APIs on context
  • rename to secret instead of password, also to make it more generic

@RMacfarlane
Contributor Author

I have moved this over to the extension context, it now looks like:

	export interface SecretState {
		/**
		 * Retrieve a secret that was stored with key. Returns undefined if there
		 * is no password matching that key.
		 * @param key The key the password was stored under.
		 */
		get(key: string): Thenable<string | undefined>;

		/**
		 * Store a secret under a given key.
		 * @param key The key to store the password under
		 * @param value The password
		 */
		set(key: string, value: string): Thenable<void>;

		/**
		 * Remove a secret from storage.
		 * @param key The key the password was stored under.
		 */
		delete(key: string): Thenable<void>;

		/**
		 * Fires when a secret is set or deleted.
		 */
		onDidChange: Event<void>;
	}

	export interface ExtensionContext {
		secretState: SecretState;
	}

@ankitbko
Member

ankitbko commented Jan 13, 2021

  1. Is the secret scoped to a particular extension or can any extension read the secrets?
  2. Does the key need to be unique within an extension or globally unique?

@RMacfarlane
Contributor Author

RMacfarlane commented Jan 13, 2021 via email

@ankitbko
Member

Thanks, is there any way to know which secret was set or deleted in onDidChange: Event<void>?

@ankitbko
Member

@RMacfarlane So the event does not pass any argument, so there does not look like a way to get which key changed. Any chance of implementing this?

@RMacfarlane
Contributor Author

Yes, this is something I plan to add today. Should look like

	export interface SecretStorageChangeEvent {
	    key: string
	}
	...
	onDidChange: Event<SecretStorageChangeEvent>
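
An added example, not code from this issue or from VS Code: a small cache built on the `SecretState` shape and the keyed change event proposed above, showing what the `key` field enables (the cache drops its in-memory copy only when its own secret is set or deleted, and never caches a value that changed mid-read). `MemorySecretState`, `tokenCache`, `demo`, the simplified `onDidChange` signature and the key names are hypothetical stand-ins so the code runs outside VS Code.

```typescript
// Stand-ins for the shapes proposed in this issue; not the real vscode module.
interface SecretStorageChangeEvent { key: string }
type Listener = (e: SecretStorageChangeEvent) => void;
interface SecretState {
  get(key: string): PromiseLike<string | undefined>;
  set(key: string, value: string): PromiseLike<void>;
  delete(key: string): PromiseLike<void>;
  onDidChange(listener: Listener): { dispose(): void };
}
// Hypothetical in-memory store so the example runs outside VS Code.
class MemorySecretState implements SecretState {
  private data = new Map<string, string>();
  private listeners = new Set<Listener>();
  async get(key: string) { return this.data.get(key); }
  async set(key: string, value: string) { this.data.set(key, value); this.fire(key); }
  async delete(key: string) { this.data.delete(key); this.fire(key); }
  onDidChange(l: Listener) { this.listeners.add(l); return { dispose: () => { this.listeners.delete(l); } }; }
  private fire(key: string) { this.listeners.forEach(l => l({ key })); }
}
// Holds at most one in-memory copy of a secret and drops it when that key changes.
function tokenCache(secrets: SecretState, key: string) {
  let cached: string | undefined;
  let generation = 0;
  const stats = { reads: 0 }; // round trips to the store
  const sub = secrets.onDidChange(e => {
    if (e.key === key) { generation++; cached = undefined; } // other keys keep the cache
  });
  async function token(): Promise<string | undefined> {
    if (cached !== undefined) return cached;
    const gen = generation;
    stats.reads++;
    const value = await secrets.get(key);
    if (gen === generation) cached = value; // do not cache a value that changed mid-read
    return value;
  }
  return { token, stats, dispose: () => { sub.dispose(); cached = undefined; } };
}
async function demo() {
  const secrets = new MemorySecretState();
  const cache = tokenCache(secrets, "example.token"); // constructed key name
  await secrets.set("example.token", "constructed-token-1");
  const first = await cache.token();   // read from the store
  await secrets.set("example.other", "unrelated");
  const second = await cache.token();  // served from memory, no new read
  await secrets.delete("example.token");
  const third = await cache.token();   // cache was dropped; the store has nothing
  cache.dispose();
  return { first, second, third, reads: cache.stats.reads };
}
```

With the original `Event<void>` signature the same cache would have to discard its copy on every change to any secret, since it could not tell which key was affected.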

RMacfarlane pushed a commit that referenced this issue Jan 20, 2021
@RMacfarlane RMacfarlane mentioned this issue Jan 26, 2021
@github-actions github-actions bot locked and limited conversation to collaborators Mar 6, 2021