feat(IDE-1701): settings page auth flow — bridge persist and forward apiUrl (#453)

* feat: inject __ideExecuteCommand__ bridge in settings page and bump protocol version to 25 [IDE-1701]

Replace __ideLogin__/__ideLogout__ COM methods with a generic
__ideExecuteCommand__ bridge that dispatches any LS command with
callback support via window.__ideCallbacks__. Bump ProtocolVersion to 25.

* refactor: extract ExecuteCommandBridge to shared class for webview reuse [IDE-1701]

Move BuildClientScript() and DispatchAsync() into a standalone ExecuteCommandBridge
class. HtmlSettingsScriptingBridge delegates dispatch and HtmlSettingsWindow
uses BuildClientScript() for injection, enabling any future WebBrowser panel
(e.g. tree view) to reuse the same bridge.

* feat(IDE-1701): save login args from settings page and remove persist flag

- Remove persist flag from OnHasAuthenticated — always saves endpoint + token
- Keep Save(options, false) to avoid DidChangeConfigurationAsync loop
- Keep isNewLogin guard — only triggers HandleAuthenticationSuccess on first login
- Keep UpdateAuthToken(token, apiUrl) — settings page webview always updated
- Add bridge persist in HtmlSettingsScriptingBridge.__ideExecuteCommand__: when
  snyk.login called with 3+ args, save authMethod/endpoint/ignoreUnknownCA to
  options properties directly (no Save() call → no SettingsChanged event →
  no DidChangeConfigurationAsync to LS)
- Remove OnHasAuthenticated_NoPersist test; rename persist-prefixed tests
- Add HtmlSettingsScriptingBridgeTest with 6 tests for login args persist

* feat(IDE-1701): forward apiUrl in UpdateAuthToken for settings page webview

Pass apiUrl alongside token when calling window.setAuthToken via InvokeSetAuthToken
so the settings page can update both the token and apiUrl fields after auth.

* fix(IDE-1701): apply auth webview bridge security patterns

- Add callbackId XSS allowlist guard (regex ^(__cb_\d+)?$) in ExecuteCommandBridge.IsValidCallbackId, used in DispatchAsync and InvokeCommandCallback
- Fix JS string escaping order in InvokeSetAuthToken: escape backslash before single-quote
- Add volatile keyword to HtmlSettingsWindow singleton instance for cross-thread visibility
- Clear stored token when auth method changes in ParseAndSaveConfigAsync to prevent stale token from one method being used with another
- Add tests for all four fixes

* fix: add ExecuteCommandBridge.cs to csproj compile items [IDE-1701]

* fix: use ForContext(typeof) for static class logger [IDE-1701]

* fix: expose LogManager.ForContext(Type) as public for static class callers [IDE-1701]

* fix: add missing Language using in HtmlSettingsScriptingBridgeTest [IDE-1701]

* fix(IDE-1701): inject bridge script into HTML before NavigateToString

The LS HTML page checks window.__ideExecuteCommand__ during its own
initialization scripts. Injecting only in LoadCompleted (after the page
has already parsed and run its scripts) means the auth button is never
wired up, causing it to do nothing when clicked.

Now inject bridge functions directly into the HTML string before
NavigateToString so they are defined before any LS page scripts run.
The LoadCompleted injection is kept as a secondary safety net.

* security: restrict webview executeCommand bridge to snyk.* namespace

Prevents XSS-to-arbitrary-command escalation by rejecting any command
not prefixed with "snyk." before it reaches the Language Server.

* fix: address PR review feedback for executeCommand bridge

- Extract <head> tag string to constant in InjectBridgeScriptIntoHtml
- Move callbackId validation outside ThreadHelper.Run in InvokeCommandCallback
- Extract JS string escaping into ExecuteCommandBridge.EscapeForJsString utility
- Add _cb_8 and whitespace test cases for IsValidCallbackId
- Add test for default OAuth fallback on invalid auth method string

Author: nick-y-snyk

Snyk.VisualStudio.Extension.2022/Language/ILanguageClientManager.cs

@@ -21,6 +21,7 @@ public interface ILanguageClientManager
         Task<SastSettings> InvokeGetSastEnabled(CancellationToken cancellationToken);
         Task<string> InvokeLogin(CancellationToken cancellationToken);
         Task<object> InvokeLogout(CancellationToken cancellationToken);
+        Task<object> InvokeExecuteCommandAsync(string command, object[] args, CancellationToken cancellationToken);
         Task<object> DidChangeConfigurationAsync(CancellationToken cancellationToken);
         Task<string> InvokeCopyLinkAsync(CancellationToken cancellationToken);
         Task<string> InvokeGenerateIssueDescriptionAsync(string issueId, CancellationToken cancellationToken);

Snyk.VisualStudio.Extension.2022/Language/LsConstants.cs

@@ -2,7 +2,7 @@
 {
     public static class LsConstants
     {
-        public const string ProtocolVersion = "23";
+        public const string ProtocolVersion = "24";
 
         // Notifications
         public const string SnykHasAuthenticated = "$/snyk.hasAuthenticated";

Snyk.VisualStudio.Extension.2022/Language/SnykLanguageClient.cs

@@ -362,6 +362,16 @@ public async Task<object> InvokeLogout(CancellationToken cancellationToken)
             return isEnabled;
         }
 
+        public async Task<object> InvokeExecuteCommandAsync(string command, object[] args, CancellationToken cancellationToken)
+        {
+            var param = new LSP.ExecuteCommandParams
+            {
+                Command = command,
+                Arguments = args
+            };
+            return await InvokeWithParametersAsync<object>(LsConstants.WorkspaceExecuteCommand, param, cancellationToken);
+        }
+
         public async Task<string> InvokeCopyLinkAsync(CancellationToken cancellationToken)
         {
             var param = new LSP.ExecuteCommandParams

Snyk.VisualStudio.Extension.2022/Language/SnykLanguageClientCustomTarget.cs

@@ -268,20 +268,30 @@ public async Task OnHasAuthenticated(JToken arg)
             }
 
             var token = arg["token"].ToString();
-
             var apiUrl = arg["apiUrl"]?.ToString();
+
+            var oldToken = serviceProvider.Options.ApiToken?.ToString() ?? string.Empty;
+
+            // Always notify the HTML settings window so the token field updates immediately.
+            HtmlSettingsWindow.Instance?.UpdateAuthToken(token, apiUrl);
+
             if (!string.IsNullOrEmpty(apiUrl))
             {
                 serviceProvider.Options.CustomEndpoint = apiUrl;
             }
 
             serviceProvider.Options.ApiToken = new AuthenticationToken(serviceProvider.Options.AuthenticationMethod, token);
-            serviceProvider.SnykOptionsManager.Save(serviceProvider.Options);
 
-            await serviceProvider.GeneralOptionsDialogPage.HandleAuthenticationSuccess(token, apiUrl);
+            // Persist without triggering SettingsChanged → DidChangeConfigurationAsync back to the LS.
+            serviceProvider.SnykOptionsManager.Save(serviceProvider.Options, false);
+
+            // Scan only when this is a new login (old token was blank).
+            // Token refresh also has old token non-blank, so no scan.
+            var isNewLogin = string.IsNullOrEmpty(oldToken) && !string.IsNullOrEmpty(token);
+            if (!isNewLogin)
+                return;
 
-            // Notify HTML settings window of auth token change
-            HtmlSettingsWindow.Instance?.UpdateAuthToken(token);
+            await serviceProvider.GeneralOptionsDialogPage.HandleAuthenticationSuccess(token, apiUrl);
 
             if (!serviceProvider.Options.ApiToken.IsValid())
                 return;

Snyk.VisualStudio.Extension.2022/LogManager.cs

@@ -46,7 +46,7 @@ public static class LogManager
                     shared: true)
                 .CreateLogger();
 
-        private static ILogger ForContext(Type type) => Logger.Value.ForContext(type)
+        public static ILogger ForContext(Type type) => Logger.Value.ForContext(type)
             .ForContext("ShortSourceContext", type.Name);
     }
 

Snyk.VisualStudio.Extension.2022/Settings/HtmlSettingsWindow.xaml.cs

@@ -22,7 +22,7 @@ namespace Snyk.VisualStudio.Extension.Settings
     public partial class HtmlSettingsWindow : DialogWindow
     {
         protected static readonly ILogger Logger = LogManager.ForContext<HtmlSettingsWindow>();
-        private static HtmlSettingsWindow instance;
+        private static volatile HtmlSettingsWindow instance;
 
         public static HtmlSettingsWindow Instance => instance;
 
@@ -93,6 +93,7 @@ private async Task LoadHtmlSettingsAsync()
                 SettingsBrowser.UpdateLayout();
 
                 html = HtmlResourceLoader.ApplyTheme(html);
+                html = InjectBridgeScriptIntoHtml(html);
                 SettingsBrowser.NavigateToString(html);
             }
             catch (Exception ex)
@@ -113,7 +114,8 @@ protected virtual void SetupScriptingBridge()
             scriptingBridge = new HtmlSettingsScriptingBridge(
                 serviceProvider,
                 onModified: () => IsDirty = true,
-                onReset: () => IsDirty = false);
+                onReset: () => IsDirty = false,
+                onCommandResult: (callbackId, resultJson) => InvokeCommandCallback(callbackId, resultJson));
 
             // Set the scripting bridge as the ObjectForScripting
             SettingsBrowser.ObjectForScripting = scriptingBridge;
@@ -169,8 +171,36 @@ protected virtual async Task<string> GetHtmlContentAsync()
             return HtmlResourceLoader.LoadFallbackHtml(serviceProvider.Options);
         }
 
+        private static string BuildIdeBridgeScript() =>
+            @"window.__saveIdeConfig__ = function(jsonString) { window.external.__saveIdeConfig__(jsonString); };
+            window.__onFormDirtyChange__ = function(isDirty) { window.external.__onFormDirtyChange__(isDirty); };
+            window.__ideSaveAttemptFinished__ = function(status) { window.external.__ideSaveAttemptFinished__(status); };"
+            + ExecuteCommandBridge.BuildClientScript();
+
+        /// <summary>
+        /// Injects IDE bridge functions into the HTML string before it is loaded by the browser.
+        /// This ensures the functions are defined before the page's own scripts run, which is
+        /// required for the LS HTML page to wire up its auth and command buttons correctly.
+        /// </summary>
+        protected virtual string InjectBridgeScriptIntoHtml(string html)
+        {
+            var script = BuildIdeBridgeScript();
+            var scriptTag = $"<script type=\"text/javascript\">{script}</script>";
+
+            const string headTag = "<head>";
+            var headIndex = html.IndexOf(headTag, StringComparison.OrdinalIgnoreCase);
+            if (headIndex >= 0)
+            {
+                return html.Insert(headIndex + headTag.Length, scriptTag);
+            }
+
+            // Fallback: prepend if no <head> found
+            return scriptTag + html;
+        }
+
         /// <summary>
-        /// Injects IDE bridge functions into the HTML window object for save/login/logout operations.
+        /// Injects IDE bridge functions into the HTML window object for save and command operations.
+        /// Called after LoadCompleted as a secondary injection to ensure functions are (re-)applied.
         /// </summary>
         protected virtual void InjectIdeBridgeFunctions()
         {
@@ -179,28 +209,9 @@ protected virtual void InjectIdeBridgeFunctions()
                 dynamic doc = SettingsBrowser.Document;
                 if (doc == null) return;
 
-                // Inject bridge functions that LS HTML expects
-                var script = @"
-                    window.__saveIdeConfig__ = function(jsonString) {
-                        window.external.__saveIdeConfig__(jsonString);
-                    };
-                    window.__ideLogin__ = function() {
-                        window.external.__ideLogin__();
-                    };
-                    window.__ideLogout__ = function() {
-                        window.external.__ideLogout__();
-                    };
-                    window.__onFormDirtyChange__ = function(isDirty) {
-                        window.external.__onFormDirtyChange__(isDirty);
-                    };
-                    window.__ideSaveAttemptFinished__ = function(status) {
-                        window.external.__ideSaveAttemptFinished__(status);
-                    };
-                ";
-
                 var scriptElement = doc.CreateElement("script");
                 scriptElement.SetAttribute("type", "text/javascript");
-                scriptElement.InnerText = script;
+                scriptElement.InnerText = BuildIdeBridgeScript();
                 doc.GetElementsByTagName("head")[0].AppendChild(scriptElement);
             }
             catch (Exception ex)
@@ -259,7 +270,7 @@ private void TitleBar_MouseLeftButtonDown(object sender, MouseButtonEventArgs e)
             }
         }
 
-        public void UpdateAuthToken(string token)
+        public void UpdateAuthToken(string token, string apiUrl = null)
         {
             try
             {
@@ -269,7 +280,7 @@ public void UpdateAuthToken(string token)
 
                     if (SettingsBrowser?.Document != null)
                     {
-                        InvokeSetAuthToken(token);
+                        InvokeSetAuthToken(token, apiUrl);
                     }
                 });
             }
@@ -279,7 +290,42 @@ public void UpdateAuthToken(string token)
             }
         }
 
-        private void InvokeSetAuthToken(string token)
+        private void InvokeCommandCallback(string callbackId, string resultJson)
+        {
+            if (!ExecuteCommandBridge.IsValidCallbackId(callbackId))
+            {
+                Logger.Warning("Rejected callbackId with unexpected format: {CallbackId}", callbackId);
+                return;
+            }
+
+            try
+            {
+                ThreadHelper.JoinableTaskFactory.Run(async () =>
+                {
+                    await ThreadHelper.JoinableTaskFactory.SwitchToMainThreadAsync();
+
+                    dynamic doc = SettingsBrowser.Document;
+                    if (doc == null) return;
+
+                    var escapedCallbackId = ExecuteCommandBridge.EscapeForJsString(callbackId);
+                    var script = $"if(window.__ideCallbacks__&&window.__ideCallbacks__['{escapedCallbackId}']){{" +
+                                 $"var cb=window.__ideCallbacks__['{escapedCallbackId}'];" +
+                                 $"delete window.__ideCallbacks__['{escapedCallbackId}'];" +
+                                 $"cb({resultJson});}}";
+
+                    var scriptElement = doc.CreateElement("script");
+                    scriptElement.SetAttribute("type", "text/javascript");
+                    scriptElement.InnerText = script;
+                    doc.GetElementsByTagName("head")[0].AppendChild(scriptElement);
+                });
+            }
+            catch (Exception ex)
+            {
+                Logger.Error(ex, "Error invoking command callback {CallbackId}", callbackId);
+            }
+        }
+
+        private void InvokeSetAuthToken(string token, string apiUrl)
         {
             try
             {
@@ -291,11 +337,12 @@ private void InvokeSetAuthToken(string token)
                     return;
                 }
 
-                var escapedToken = token.Replace("'", "\\'").Replace("\"", "\\\"");
+                var escapedToken = ExecuteCommandBridge.EscapeForJsString(token);
+                var escapedApiUrl = ExecuteCommandBridge.EscapeForJsString(apiUrl ?? string.Empty);
                 var script = $@"
                     (function() {{
                         if (typeof window.setAuthToken === 'function') {{
-                            window.setAuthToken('{escapedToken}');
+                            window.setAuthToken('{escapedToken}', '{escapedApiUrl}');
                         }} else {{
                             console.warn('window.setAuthToken is not available');
                         }}
@@ -307,7 +354,7 @@ private void InvokeSetAuthToken(string token)
                 scriptElement.InnerText = script;
                 doc.GetElementsByTagName("head")[0].AppendChild(scriptElement);
 
-                Logger.Information("Invoked window.setAuthToken with token");
+                Logger.Information("Invoked window.setAuthToken with token and apiUrl");
             }
             catch (Exception ex)
             {

Snyk.VisualStudio.Extension.2022/Snyk.VisualStudio.Extension.2022.csproj

@@ -251,6 +251,7 @@
     </Compile>
     <Compile Include="UI\Html\BaseHtmlProvider.cs" />
     <Compile Include="UI\Html\ColorExtension.cs" />
+    <Compile Include="UI\Html\ExecuteCommandBridge.cs" />
     <Compile Include="UI\Html\HtmlSettingsScriptingBridge.cs" />
     <Compile Include="UI\Html\IdeConfigData.cs" />
     <Compile Include="UI\Html\HtmlResourceLoader.cs" />

Snyk.VisualStudio.Extension.2022/UI/Html/ExecuteCommandBridge.cs

@@ -0,0 +1,121 @@
+// ABOUTME: Shared bridge for the window.__ideExecuteCommand__ JS<->IDE contract.
+// ABOUTME: Reusable by any WebBrowser panel (settings, tree view, etc.).
+
+using System;
+using System.Text.RegularExpressions;
+using System.Threading;
+using System.Threading.Tasks;
+using Newtonsoft.Json;
+using Serilog;
+using Snyk.VisualStudio.Extension;
+using Snyk.VisualStudio.Extension.Language;
+
+namespace Snyk.VisualStudio.Extension.UI.Html
+{
+    /// <summary>
+    /// Shared bridge for the <c>window.__ideExecuteCommand__</c> JS↔IDE contract.
+    /// Reusable by any WebBrowser panel (settings window, tree view, etc.).
+    ///
+    /// Responsibilities:
+    /// <list type="bullet">
+    ///   <item>Provide the ES5-compatible JS that defines <c>window.__ideExecuteCommand__</c>.</item>
+    ///   <item>Dispatch incoming commands to the Language Server.</item>
+    ///   <item>Return results to the JS callback via <c>window.__ideCallbacks__</c>.</item>
+    /// </list>
+    /// </summary>
+    public static class ExecuteCommandBridge
+    {
+        private static readonly ILogger Logger = LogManager.ForContext(typeof(ExecuteCommandBridge));
+
+        // Allowlist regex for callbackIds produced by BuildClientScript: "" or "__cb_<digits>"
+        private static readonly Regex CallbackIdPattern = new Regex(@"^(__cb_\d+)?$", RegexOptions.Compiled);
+
+        /// <summary>
+        /// Escapes a string for safe embedding inside a single-quoted JavaScript string literal.
+        /// Handles backslashes first, then single quotes, to avoid double-escaping.
+        /// </summary>
+        public static string EscapeForJsString(string value) =>
+            (value ?? string.Empty).Replace("\\", "\\\\").Replace("'", "\\'");
+
+        /// <summary>
+        /// Returns true if <paramref name="callbackId"/> matches the expected format produced by
+        /// <see cref="BuildClientScript"/>. Used as an XSS guard before injecting the id back into JS.
+        /// </summary>
+        public static bool IsValidCallbackId(string callbackId) =>
+            CallbackIdPattern.IsMatch(callbackId ?? string.Empty);
+
+        /// <summary>
+        /// Returns true if <paramref name="command"/> is in the <c>snyk.*</c> namespace and may be
+        /// dispatched from a webview.
+        /// </summary>
+        public static bool IsAllowedCommand(string command) =>
+            !string.IsNullOrEmpty(command) && command.StartsWith("snyk.");
+
+        /// <summary>
+        /// Returns the ES5-compatible JavaScript that defines <c>window.__ideExecuteCommand__</c>.
+        /// Assumes <c>window.external.__ideExecuteCommand__(command, argsJson, callbackId)</c>
+        /// is provided by the COM bridge (<see cref="HtmlSettingsScriptingBridge"/>).
+        /// </summary>
+        public static string BuildClientScript()
+        {
+            return @"
+                window.__ideCallbacks__ = {};
+                var __cbCounter_ide = 0;
+                window.__ideExecuteCommand__ = function(command, args, callback) {
+                    var callbackId = '';
+                    if (typeof callback === 'function') {
+                        callbackId = '__cb_' + (++__cbCounter_ide);
+                        window.__ideCallbacks__[callbackId] = callback;
+                    }
+                    var argsJson = JSON.stringify(args || []);
+                    window.external.__ideExecuteCommand__(command, argsJson, callbackId);
+                };
+            ";
+        }
+
+        /// <summary>
+        /// Dispatches a command to the Language Server and invokes <paramref name="onCommandResult"/>
+        /// with the serialized result when a <paramref name="callbackId"/> is provided.
+        /// </summary>
+        public static async Task DispatchAsync(
+            ILanguageClientManager languageClientManager,
+            string command,
+            string argsJson,
+            string callbackId,
+            Action<string, string> onCommandResult,
+            CancellationToken cancellationToken = default)
+        {
+            try
+            {
+                if (!IsAllowedCommand(command))
+                {
+                    Logger.Warning("Webview attempted to execute disallowed command: {Command}", command);
+                    return;
+                }
+
+                var args = string.IsNullOrEmpty(argsJson)
+                    ? Array.Empty<object>()
+                    : JsonConvert.DeserializeObject<object[]>(argsJson);
+
+                var result = await languageClientManager.InvokeExecuteCommandAsync(
+                    command, args, cancellationToken);
+
+                if (!string.IsNullOrEmpty(callbackId))
+                {
+                    if (!IsValidCallbackId(callbackId))
+                    {
+                        Logger.Warning("Rejected callbackId with unexpected format: {CallbackId}", callbackId);
+                        return;
+                    }
+
+                    var resultJson = result != null ? JsonConvert.SerializeObject(result) : "null";
+                    onCommandResult?.Invoke(callbackId, resultJson);
+                }
+            }
+            catch (Exception ex)
+            {
+                Logger.Error(ex, "Error executing command {Command} from HTML bridge", command);
+            }
+        }
+    }
+}