* Run awsAuthRefresh to perform interactive authentication (e.g., aws sso login) * Streams output in real-time for user visibility
()
| 684 | * Streams output in real-time for user visibility |
| 685 | */ |
| 686 | async function runAwsAuthRefresh(): Promise<boolean> { |
| 687 | const awsAuthRefresh = getConfiguredAwsAuthRefresh() |
| 688 | |
| 689 | if (!awsAuthRefresh) { |
| 690 | return false // Not configured, treat as success |
| 691 | } |
| 692 | |
| 693 | // SECURITY: Check if awsAuthRefresh is from project settings |
| 694 | if (isAwsAuthRefreshFromProjectSettings()) { |
| 695 | // Check if trust has been established for this project |
| 696 | const hasTrust = checkHasTrustDialogAccepted() |
| 697 | if (!hasTrust && !getIsNonInteractiveSession()) { |
| 698 | const error = new Error( |
| 699 | `Security: awsAuthRefresh executed before workspace trust is confirmed. If you see this message, post in ${MACRO.FEEDBACK_CHANNEL}.`, |
| 700 | ) |
| 701 | logAntError('awsAuthRefresh invoked before trust check', error) |
| 702 | logEvent('ncode_awsAuthRefresh_missing_trust', {}) |
| 703 | return false |
| 704 | } |
| 705 | } |
| 706 | |
| 707 | try { |
| 708 | logForDebugging('Fetching AWS caller identity for AWS auth refresh command') |
| 709 | await checkStsCallerIdentity() |
| 710 | logForDebugging( |
| 711 | 'Fetched AWS caller identity, skipping AWS auth refresh command', |
| 712 | ) |
| 713 | return false |
| 714 | } catch { |
| 715 | // only actually do the refresh if caller-identity calls |
| 716 | return refreshAwsAuth(awsAuthRefresh) |
| 717 | } |
| 718 | } |
| 719 | |
| 720 | // Timeout for AWS auth refresh command (3 minutes). |
| 721 | // Long enough for browser-based SSO flows, short enough to prevent indefinite hangs. |
no test coverage detected