Auth: Add input validation for instance URL

[abeatrix]

This commit adds validation for sourcegraph tokens in the AuthMenus and AuthProvider files. The showInstanceURLInputBox function in AuthMenus now checks if the user is entering a token as a URL and displays an error message if so.
Similarly, the formatURL function in AuthProvider now throws an error if the URI is a sourcegraph token, and return null.

Additionally, the LocalStorageProvider file now ignores and clears the last used endpoint if the provided endpoint is a sourcegraph token.

Update placeholder value for URL to always starts with https:// to make it clear that the field is for URL input:

Test plan

Screen.Recording.2024-02-13.at.8.57.40.AM.mov

[dcomas]

@abeatrix this does not look to be catching the old format. Does everyone uses the new token format only? Can we include the ones from this list? cc:@willdollman @shivasurya

[abeatrix]

@dcomas @willdollman @shivasurya Thanks for the link! Would it be safe to assume anything without a . in the URL is an invalid URL?

[willdollman]

Broadly no (e.g. http://localhost) and slight concern that some edge case customer will have a crazy dns setup that this would break.

What about ensuring the url matches this: ([.]|^https?:\/\/)

Matches anything containg a dot or anything starting with https?://
Matches:

https://sourcegraph.com
http://localhost
sourcegraph.com
http://customersourcegraph

Doesn't match:

sgp_abcd_foobar
sgp_abcd
sgp_foobar
foobar

[willdollman]

I'm making the assumption that we automatically add the missing https:// if a user enters a url without a prefix (sourcegraph.com)

[unknwon]

(what Will is proposing) LGTM 👍

[abeatrix]

I'm making the assumption that we automatically add the missing https:// if a user enters a url without a prefix (sourcegraph.com)

@willdollman yea i added the check before we add the https:// prefix:

cody/vscode/src/services/AuthProvider.ts

Lines 463 to 465 in 7711472

	if (!uri.startsWith('http')) {
	uri = `https://${uri}`
	}

But that's a good callout, I'll make sure to include those cases

[abeatrix]

i just updated the regex for catching token:

Sourcegraph Access Token (v3):

Sourcegraph Access Token (v2, deprecated):

Sourcegraph Access Token (v1, deprecated):

Catch tokens with http prefix:

Also updated the check to ensure the URL must starts with http to reduce confusion:

[willdollman]

Validating new tokens lgtm - thanks!

@abeatrix are you able to also validate that if a user already has a token saved in local storage as the endpoint, will this update result in the token being purged? I see it will purge via saveEndpoint but is that called if the endpoint is already stored and just being read?

[abeatrix]

Validating new tokens lgtm - thanks!

@abeatrix are you able to also validate that if a user already has a token saved in local storage as the endpoint, will this update result in the token being purged? I see it will purge via saveEndpoint but is that called if the endpoint is already stored and just being read?

@willdollman we call the auth function when we first get the stored endpoint from the local storage, and then first thing we do in the auth function is to run the formatURL function on the endpoint which now will return null if the store endpoint is a token. Does this address your concern?

[willdollman]

Yep looks good! My concern was whether the bad endpoint is (eventually) removed from local storage and I see in auth() that we call this.storeAuthInfo(endpoint, token) which will overwrite endpoint with the empty string returned by formatURL.

@willdollman we call the auth function when we first get the stored endpoint from the local storage, and then first thing we do in the auth function is to run the formatURL function on the endpoint which now will return null if the store endpoint is a token. Does this address your concern?

[willdollman]

lgtm. Thank you for the quick work on this! 🙏