[Bug]: Cannot retrieve values stored using extension context SecretStorage

[pablocabrera85]

Is there an existing issue for this?

• I have searched the existing issues

OS/Web Information

• Web Browser: Chrome
• Local OS: macOS
• Remote OS: Ubuntu
• Remote Architecture: amd64
• code-server --version: 4.16.1

Steps to Reproduce

1. Install the attached extension (rename .zip to .vsix)
2. Execute the hello world command. This will prompt for a value that will be stored using the context.secrets instance for this extension. Input any value and proceed.
3. Reload the browser tab
4. Execute the hello world command again so that this time, we read the value and display it.
5. Instead of showing the value, you will be prompted again for a value to store.
   secrets-0.0.1.zip

NOTE: If you prefer, you can just create an extension with the following code:

// The module 'vscode' contains the VS Code extensibility API
// Import the module and reference it with the alias vscode in your code below
import * as vscode from 'vscode';

// this method is called when your extension is activated
// your extension is activated the very first time the command is executed
export function activate(context: vscode.ExtensionContext) {
	
	// Use the console to output diagnostic information (console.log) and errors (console.error)
	// This line of code will only be executed once when your extension is activated
	console.log('Congratulations, your extension "secrets" is now active!');

	// The command has been defined in the package.json file
	// Now provide the implementation of the command with registerCommand
	// The commandId parameter must match the command field in package.json
	let disposable = vscode.commands.registerCommand('secrets.helloWorld', async () => {
		// The code you place here will be executed every time your command is executed
		// Display a message box to the user
			const value= await context.secrets.get('secrets.pass');
		if(value){
			vscode.window.showInformationMessage(`Retrieved ${value}`);
		}else{
			const value=await vscode.window.showInputBox({ title: 'Input secret value'});
			if(value){
				context.secrets.store('secrets.pass',value);
			}
		}
	});
	context.subscriptions.push(disposable);
}

// this method is called when your extension is deactivated
export function deactivate() {}

Expected

After the reload and executing the command a second time, the persisted value should be displayed.

According to the API, the secrets should be automatically persisted. But every time the browser tab reloads, the value is not there

		/**
		 * A storage utility for secrets. Secrets are persisted across reloads and are independent of the
		 * current opened {@link workspace.workspaceFolders workspace}.
		 */
		readonly secrets: SecretStorage;

Actual

Values are not stored between sessions/reloads

I tried the same extension in codespaces and it worked as expected

Logs

No response

Screenshot/Video

No response

Does this issue happen in VS Code or GitHub Codespaces?

• I cannot reproduce this in VS Code.
• I cannot reproduce this in GitHub Codespaces.

Are you accessing code-server over HTTPS?

• I am using HTTPS.

Notes

No response

[pablocabrera85]

Code server 4.11 does not have this issue

[code-asher]

Are you running code-server with dbus? I think in previous versions it would store secrets in the browser but it switched to storing them server-side and the current implementation uses dbus. Without dbus it uses an in-memory store so I wonder if a new store gets created every time the extension host is started (which happens on each page load). Related: #5072

[benz0li]

For containers: Use environment variables to provide credentials. See #5072 (comment) ff for more information.

[pablocabrera85]

@code-asher @benz0li Thanks for your replies, but the problems we are facing are not related to the github extension. We have other extensions that use the secret storage API.

We have tried also running code-server in a plain ubuntu image (not in a container), and we have the same problem with the code snippet provided.

From the dbus session logs, we can see that code-server is trying to retrieve the values from it, but we never see any event when trying to store the value.

We are using the default configuration when running code-server. Do we need to do anything in particular for the secret storage API to work?

Thanks in advance.

[code-asher]

There is nothing particular you need to do as far as I am aware. I think there is a bug although the mystery is why it only presents in code-server and not Codespaces. We will need to dive into it and see what we can find.

[speriasamy0]

Facing the same issue. After upgrading to 4.16.1, page refresh is resetting the session. I spent some time comparing codespace and my container. I didn't notice keyring or dbus configured/running in my codespace instance. Also codespace version is different from what comes with 4.16.1 which I am using.

Codespace version

/home/codespace/.vscode-remote/bin/abd2f3db4bdb28f9e95536dfa84d8479f1eb312d/bin/code-server --version
1.82.2
abd2f3db4bdb28f9e95536dfa84d8479f1eb312d
x64

My code-server instance 4.16.1 94ef3776ad7bebfb5780dfc9632e04d20d5c9a6c with Code 1.80.2

Also the doc mentions that since version 1.80 VS Code moved away from using keytar. But in my logs I see keytar is being used. Also there are references in code

[18:16:35] Going to get password from keytar: code-oss-serverundefined_publisher.secrets secrets.pass
[18:16:35] Doing get password from keytar: code-oss-serverundefined_publisher.secrets secrets.pass
[18:16:35] Did not get a password from keytar for account: secrets.pass

[speriasamy0]

Attaching an archive that has a Dockerfile that bundles the example extension provided by @pablocabrera85. This has dbus and keyring configured.

docker build . -t secrets_test:latest
docker run --rm -d --name secrets-test-container --privileged -p8080:8080 secrets_test:latest

To rule out any setup issues I've added a python program. You can invoke it by launching a terminal within the browser and type python /main.py. To invoke from outside the browser, you have to ensure you're in a dbus session and the keyring unlocked.

export $(dbus-launch) 
echo | gnome-keyring-daemon --unlock # unlock the system's keyring
python /main.py

code-server-secrets.zip

fina.mov

[code-asher]

Thank you for the detailed information! The fact that it works in Codespaces yet dbus is not running is curious indeed. I wonder if they replace keytar in Codespaces or something like that, and whether that is something part of the OSS or something bespoke they do as part of their build process. Maybe we can just swap out the keytar module for something else.

[matias-mule]

Same issue here.
Is there any ETA for a fixed / workaround?

[code-asher]

I am not sure it is worth debugging this because keytar has been removed upstream, so I think the next release will have some new system. I will definitely revisit at that point.