fix: populate feature flags before auth notification [IDE-1901]

[nick-y-snyk]

Summary

• Fix race condition where scans after login fail with "Snyk Code is not enabled" because the IDE triggers a scan before SAST settings are cached
• postCredentialUpdateHook runs populateAllFolderConfigs between credential storage and auth notification, ensuring feature flags and SAST settings are available before the IDE reacts
• sendFolderConfigs made synchronous in login command

Review feedback addressed

• Use unenriched folder config (no git enrichment needed for feature flag fetch)
• Loop only on trusted folders
• Remove unnecessary Clone() — PopulateFolderConfig only reads org from config
• Set ConfigResolver on folder config so SetFeatureFlag persists to GAF (was silently no-op without it)
• Case-insensitive error string matching in shouldCauseLogout
• Extract isTransientNetworkError helper to reduce cyclomatic complexity

Test plan

• TestLoginCommand_Execute_FeatureFlagsPopulatedBeforeAuthNotification — regression test verifying feature flags populate BEFORE $/snyk.hasAuthenticated notification (fails when hook is removed)
• Test_PostCredentialUpdateHook_CalledBeforeNotification — hook runs between token storage and notification
• Test_shouldCauseLogout — all 13 cases pass including expired refresh token and transient network errors
• TestIsAuthenticated_ConcurrentCallsSendOnlyOneNotification — concurrent dedup still works
• All existing TestLoginCommand_* tests pass
• Lint clean, zero issues

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[acke]

Ideally, if a user has large workspaces with 100+ projects, we want a separation between the login flow and the setup folders. With clear indications for the user that they are logged in, but snyk is not ready to scan until all configs are ready.

[ShawkyZ]

This can still run in a go routine, since it will get to this point after the postAuth hook

[acke]

Could we user a re.Response.StatusCode == 401 or 400 to catch expired/invalid API credentials?

https://github.com/snyk/sweater-comb/blob/main/docs/standards/rest.md#401---unauthorized

Needs to be verified for both token an oauth.

[acke]

Should the change here be submitted as a separate PR for for changelog clarity?

[ShawkyZ]

Use Unenriched variant

[ShawkyZ]

why the clone ?

[ShawkyZ]

loop on trusted folders

[ShawkyZ]

nitpick: make the comparison case insensitive

[ShawkyZ]

why are you expecting it to panic?

[nick-y-snyk]

I didn't. just a double safety (ai suggestion to prevent ls crash). Do you want this removed?

[nick-y-snyk]

I also added an actual test which fails without other changes. But haven't tested manually yet

[ShawkyZ]

we have a global recovery that should catch it if it happens, I think this is not necessary here.

[snyk-pr-review-bot]

PR Reviewer Guide 🔍

🧪 PR contains tests

🔒 No security concerns identified

⚡ Recommended focus areas for review Blocking Global Lock 🔴 [critical] The updateCredentials function invokes the postCredentialUpdateHook (line 248) while holding the global a.m mutex lock. The registered hook in login.go calls populateAllFolderConfigs, which performs network requests to fetch feature flags and SAST settings via featureFlagService.PopulateFolderConfig. Holding a global mutex across sequential network calls will block all other authentication-related operations—including high-frequency calls like IsAuthenticated() from the status bar or scanner—making the Language Server unresponsive during the entire feature flag fetch sequence. if a.postCredentialUpdateHook != nil && newToken != "" { func() { defer func() { if r := recover(); r != nil { a.engine.GetLogger().Error().Interface("panic", r).Msg("postCredentialUpdateHook panicked") } }() a.postCredentialUpdateHook() }() } Regression in Dynamic Population 🟠 [major] Removing PopulateFolderConfig from buildLspFolderConfigs (lines 115-117 in the old hunk) breaks the 'on-demand' population of feature flags. The new mechanism relies on explicit calls in HandleFolders and the login hook. However, HandleFolders calls populateAllFolderConfigs before handling untrusted folders. If a user trusts a folder via the trust dialog, that folder will never have its feature flags populated because buildLspFolderConfigs no longer performs this check, leading to 'Snyk Code is not enabled' errors for newly trusted folders. func buildLspFolderConfigs(conf configuration.Configuration, engine workflow.Engine, logger *zerolog.Logger, featureFlagService featureflag.Service, configResolver types.ConfigResolverInterface) []types.LspFolderConfig { ws := config.GetWorkspace(conf) if ws == nil { return nil } log := logger.With().Str("method", "buildLspFolderConfigs").Logger() engineConfig := conf var lspFolderConfigs []types.LspFolderConfig for _, folder := range ws.Folders() { fc, err := folderconfig.GetOrCreateFolderConfig(engineConfig, folder.Path(), &log) if err != nil { log.Err(err).Msg("unable to load folderConfig") continue } if fc == nil { log.Warn().Str("path", string(folder.Path())).Msg("folder config is nil, skipping") continue } folderConfig := fc.Clone() // AutoDeterminedOrg is written to FolderMetadataKey by LDX-Sync (SetAutoDeterminedOrg); // no separate cache lookup is needed here. folderConfig.ConfigResolver = configResolver lspConfig := folderConfig.ToLspFolderConfig() if lspConfig != nil { lspFolderConfigs = append(lspFolderConfigs, *lspConfig)

📚 Repository Context Analyzed This review considered 25 relevant code sections from 12 files (average relevance: 0.97) infrastructure/featureflag/featureflag.go (lines 1-241) infrastructure/authentication/oauth_provider.go (lines 1-92) infrastructure/authentication/auth_provider.go (lines 1-61) infrastructure/authentication/auth_configuration.go (lines 1-132) application/server/configuration.go (lines 1-189) infrastructure/code/code.go (lines 1-160) application/di/test_init.go (lines 1-117) ... and 5 more file(s)