From 026aa977445533aa68045802ff308f2b1d5511fb Mon Sep 17 00:00:00 2001 From: Victor Vazquez Date: Fri, 23 Jan 2026 22:54:00 +0000 Subject: [PATCH 1/2] fix security issue with playwright/test 1.49.1 (#6592) --- ext/vscode/package-lock.json | 70 ++---------------------------------- 1 file changed, 3 insertions(+), 67 deletions(-) diff --git a/ext/vscode/package-lock.json b/ext/vscode/package-lock.json index 74f3dfdd325..f16a63bf04d 100644 --- a/ext/vscode/package-lock.json +++ b/ext/vscode/package-lock.json @@ -19,7 +19,6 @@ }, "devDependencies": { "@azure/core-auth": "~1", - "@playwright/test": "~1.49", "@types/chai": "~5", "@types/mocha": "~10", "@types/node": "~20", @@ -925,22 +924,6 @@ "node": ">=14" } }, - "node_modules/@playwright/test": { - "version": "1.49.1", - "resolved": "https://registry.npmjs.org/@playwright/test/-/test-1.49.1.tgz", - "integrity": "sha512-Ky+BVzPz8pL6PQxHqNRW1k3mIyv933LML7HktS8uik0bUXNCdPhoS/kLihiO1tMf/egaJb4IutXd7UywvXEW+g==", - "dev": true, - "license": "Apache-2.0", - "dependencies": { - "playwright": "1.49.1" - }, - "bin": { - "playwright": "cli.js" - }, - "engines": { - "node": ">=18" - } - }, "node_modules/@polka/url": { "version": "1.0.0-next.29", "resolved": "https://registry.npmjs.org/@polka/url/-/url-1.0.0-next.29.tgz", @@ -3948,21 +3931,6 @@ "node": ">=14.14" } }, - "node_modules/fsevents": { - "version": "2.3.2", - "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.2.tgz", - "integrity": "sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==", - "dev": true, - "hasInstallScript": true, - "license": "MIT", - "optional": true, - "os": [ - "darwin" - ], - "engines": { - "node": "^8.16.0 || ^10.6.0 || >=11.0.0" - } - }, "node_modules/function-bind": { "version": "1.1.2", "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz", @@ -6227,38 +6195,6 @@ "node": ">=8" } }, - "node_modules/playwright": { - "version": "1.49.1", - "resolved": "https://registry.npmjs.org/playwright/-/playwright-1.49.1.tgz", - "integrity": "sha512-VYL8zLoNTBxVOrJBbDuRgDWa3i+mfQgDTrL8Ah9QXZ7ax4Dsj0MSq5bYgytRnDVVe+njoKnfsYkH3HzqVj5UZA==", - "dev": true, - "license": "Apache-2.0", - "dependencies": { - "playwright-core": "1.49.1" - }, - "bin": { - "playwright": "cli.js" - }, - "engines": { - "node": ">=18" - }, - "optionalDependencies": { - "fsevents": "2.3.2" - } - }, - "node_modules/playwright-core": { - "version": "1.49.1", - "resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.49.1.tgz", - "integrity": "sha512-BzmpVcs4kE2CH15rWfzpjzVGhWERJfmnXmniSyKeRZUs9Ws65m+RGIi7mjJK/euCegfn3i7jvqWeWyHe9y3Vgg==", - "dev": true, - "license": "Apache-2.0", - "bin": { - "playwright-core": "cli.js" - }, - "engines": { - "node": ">=18" - } - }, "node_modules/pluralize": { "version": "8.0.0", "resolved": "https://registry.npmjs.org/pluralize/-/pluralize-8.0.0.tgz", @@ -7787,9 +7723,9 @@ "license": "MIT" }, "node_modules/undici": { - "version": "7.16.0", - "resolved": "https://registry.npmjs.org/undici/-/undici-7.16.0.tgz", - "integrity": "sha512-QEg3HPMll0o3t2ourKwOeUAZ159Kn9mx5pnzHRQO8+Wixmh88YdZRiIwat0iNzNNXn0yoEtXJqFpyW7eM8BV7g==", + "version": "7.19.0", + "resolved": "https://registry.npmjs.org/undici/-/undici-7.19.0.tgz", + "integrity": "sha512-Heho1hJD81YChi+uS2RkSjcVO+EQLmLSyUlHyp7Y/wFbxQaGb4WXVKD073JytrjXJVkSZVzoE2MCSOKugFGtOQ==", "dev": true, "license": "MIT", "engines": { From fa365685a6ad284a0edabdfc8fc200e4538210e8 Mon Sep 17 00:00:00 2001 From: Victor Vazquez Date: Mon, 2 Feb 2026 20:15:30 +0000 Subject: [PATCH 2/2] Checkpoint from VS Code for cloud agent session --- cli/azd/cmd/auth_login.go | 29 +++++++++++++------ cli/azd/cmd/testdata/TestFigSpec.ts | 4 +++ .../testdata/TestUsage-azd-auth-login.snap | 1 + cli/azd/go.mod | 2 ++ cli/azd/go.sum | 4 +-- cli/azd/pkg/auth/manager.go | 7 +++++ 6 files changed, 36 insertions(+), 11 deletions(-) diff --git a/cli/azd/cmd/auth_login.go b/cli/azd/cmd/auth_login.go index 8bd94be26ab..bb6e89494e3 100644 --- a/cli/azd/cmd/auth_login.go +++ b/cli/azd/cmd/auth_login.go @@ -16,6 +16,7 @@ import ( "github.com/Azure/azure-sdk-for-go/sdk/azcore" "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy" + "github.com/AzureAD/microsoft-authentication-library-for-go/apps/public" "github.com/MakeNowJust/heredoc/v2" "github.com/azure/azure-dev/cli/azd/cmd/actions" "github.com/azure/azure-dev/cli/azd/internal" @@ -79,6 +80,7 @@ type loginFlags struct { scopes []string claims string redirectPort int + forceLoginPrompt bool global *internal.GlobalCommandOptions } @@ -189,6 +191,12 @@ func (lf *loginFlags) Bind(local *pflag.FlagSet, global *internal.GlobalCommandO "redirect-port", 0, "Choose the port to be used as part of the redirect URI during interactive login.") + local.BoolVar( + &lf.forceLoginPrompt, + "fresh", + false, + "Force re-authentication by ignoring any cached credentials. "+ + "Use this to ensure 2FA/MFA is re-validated.") if oneauth.Supported { local.BoolVar(&lf.browser, "browser", false, "Authenticate in a web browser instead of an integrated dialog.") } @@ -597,15 +605,18 @@ func (la *loginAction) login(ctx context.Context) error { if oneauth.Supported && !la.flags.browser { err = la.authManager.LoginWithOneAuth(ctx, la.flags.tenantID, la.flags.scopes) } else { - _, err = la.authManager.LoginInteractive(ctx, la.flags.scopes, claims, - &auth.LoginInteractiveOptions{ - TenantID: la.flags.tenantID, - RedirectPort: la.flags.redirectPort, - WithOpenUrl: func(url string) error { - openWithDefaultBrowser(ctx, la.console, url) - return nil - }, - }) + loginOptions := &auth.LoginInteractiveOptions{ + TenantID: la.flags.tenantID, + RedirectPort: la.flags.redirectPort, + WithOpenUrl: func(url string) error { + openWithDefaultBrowser(ctx, la.console, url) + return nil + }, + } + if la.flags.forceLoginPrompt { + loginOptions.Prompt = public.PromptLogin + } + _, err = la.authManager.LoginInteractive(ctx, la.flags.scopes, claims, loginOptions) } if err != nil { err = fmt.Errorf("logging in: %w", err) diff --git a/cli/azd/cmd/testdata/TestFigSpec.ts b/cli/azd/cmd/testdata/TestFigSpec.ts index 8a201b7053a..b46fba3682b 100644 --- a/cli/azd/cmd/testdata/TestFigSpec.ts +++ b/cli/azd/cmd/testdata/TestFigSpec.ts @@ -650,6 +650,10 @@ const completionSpec: Fig.Spec = { }, ], }, + { + name: ['--fresh'], + description: 'Force re-authentication by ignoring any cached credentials. Use this to ensure 2FA/MFA is re-validated.', + }, { name: ['--managed-identity'], description: 'Use a managed identity to authenticate.', diff --git a/cli/azd/cmd/testdata/TestUsage-azd-auth-login.snap b/cli/azd/cmd/testdata/TestUsage-azd-auth-login.snap index b1483268d29..5d8a8a1e6e1 100644 --- a/cli/azd/cmd/testdata/TestUsage-azd-auth-login.snap +++ b/cli/azd/cmd/testdata/TestUsage-azd-auth-login.snap @@ -10,6 +10,7 @@ Flags --client-id string : The client id for the service principal to authenticate with. --client-secret string : The client secret for the service principal to authenticate with. Set to the empty string to read the value from the console. --federated-credential-provider string : The provider to use to acquire a federated token to authenticate with. Supported values: github, azure-pipelines, oidc + --fresh : Force re-authentication by ignoring any cached credentials. Use this to ensure 2FA/MFA is re-validated. --managed-identity : Use a managed identity to authenticate. --redirect-port int : Choose the port to be used as part of the redirect URI during interactive login. --tenant-id string : The tenant id or domain name to authenticate with. diff --git a/cli/azd/go.mod b/cli/azd/go.mod index 8f53510db31..5cdd5de0be6 100644 --- a/cli/azd/go.mod +++ b/cli/azd/go.mod @@ -166,3 +166,5 @@ require ( google.golang.org/genproto/googleapis/rpc v0.0.0-20251007200510-49b9836ed3ff // indirect gopkg.in/yaml.v3 v3.0.1 // indirect ) + +replace github.com/AzureAD/microsoft-authentication-library-for-go => github.com/vhvb1989/microsoft-authentication-library-for-go v0.0.0-20260202200120-876f224a6905 diff --git a/cli/azd/go.sum b/cli/azd/go.sum index e48b75dac1d..68c356c4eef 100644 --- a/cli/azd/go.sum +++ b/cli/azd/go.sum @@ -89,8 +89,6 @@ github.com/Azure/azure-sdk-for-go/sdk/storage/azfile v1.5.2 h1:l3SabZmNuXCMCbQUI github.com/Azure/azure-sdk-for-go/sdk/storage/azfile v1.5.2/go.mod h1:k+mEZ4f1pVqZTRqtSDW2AhZ/3wT5qLpsUA75C/k7dtE= github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM= github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE= -github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 h1:XRzhVemXdgvJqCH0sFfrBUTnUJSBrBf7++ypk+twtRs= -github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk= github.com/MakeNowJust/heredoc/v2 v2.0.1 h1:rlCHh70XXXv7toz95ajQWOWQnN4WNLt0TdpZYIR/J6A= github.com/MakeNowJust/heredoc/v2 v2.0.1/go.mod h1:6/2Abh5s+hc3g9nbWLe9ObDIOhaRrqsyY9MWy+4JdRM= github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI= @@ -402,6 +400,8 @@ github.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4= github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= github.com/tmc/langchaingo v0.1.14 h1:o1qWBPigAIuFvrG6cjTFo0cZPFEZ47ZqpOYMjM15yZc= github.com/tmc/langchaingo v0.1.14/go.mod h1:aKKYXYoqhIDEv7WKdpnnCLRaqXic69cX9MnDUk72378= +github.com/vhvb1989/microsoft-authentication-library-for-go v0.0.0-20260202200120-876f224a6905 h1:kPN5hqBseNDDXlZxIKWi48WpPwyHcLsPB/5lMiZWNLQ= +github.com/vhvb1989/microsoft-authentication-library-for-go v0.0.0-20260202200120-876f224a6905/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk= github.com/wk8/go-ordered-map/v2 v2.1.8 h1:5h/BUHu93oj4gIdvHHHGsScSTMijfx5PeYkE/fJgbpc= github.com/wk8/go-ordered-map/v2 v2.1.8/go.mod h1:5nJHM5DyteebpVlHnWMV0rPz6Zp7+xBAnxjb1X5vnTw= github.com/x-cray/logrus-prefixed-formatter v0.5.2 h1:00txxvfBM9muc0jiLIEAkAcIMJzfthRT6usrui8uGmg= diff --git a/cli/azd/pkg/auth/manager.go b/cli/azd/pkg/auth/manager.go index ca834bbc5a5..edf57b5f95a 100644 --- a/cli/azd/pkg/auth/manager.go +++ b/cli/azd/pkg/auth/manager.go @@ -672,6 +672,9 @@ type LoginInteractiveOptions struct { TenantID string RedirectPort int WithOpenUrl WithOpenUrl + // Prompt specifies the type of user interaction during login. + // Use public.PromptLogin to force re-authentication and 2FA/MFA validation. + Prompt public.Prompt } // LoginInteractive opens a browser for authenticate the user. @@ -717,6 +720,10 @@ func (m *Manager) LoginInteractive( acquireTokenOptions = append(acquireTokenOptions, public.WithClaims(claims)) } + if options.Prompt != "" { + acquireTokenOptions = append(acquireTokenOptions, public.WithPrompt(options.Prompt)) + } + res, err := m.publicClient.AcquireTokenInteractive(ctx, scopes, acquireTokenOptions...) if err != nil { return nil, err