feat(IDE-1701): settings page auth flow — bridge persist and forward apiUrl (#366)

* feat: inject __ideExecuteCommand__ bridge in settings page and bump protocol version to 25 [IDE-1701]

Replace __ideLogin__/__ideLogout__ BrowserFunctions with a generic
__ideExecuteCommand__ bridge that dispatches any LS command with
callback support. Bump REQUIRED_LS_PROTOCOL_VERSION to 25.

* refactor: extract ExecuteCommandBridge to shared class for browser reuse [IDE-1701]

Move the __ideExecuteCommandBridge__ BrowserFunction and JS wrapper injection
into a standalone ExecuteCommandBridge class. HTMLSettingsPreferencePage
delegates to ExecuteCommandBridge.install(browser), enabling any future
SWT Browser panel (e.g. tree view) to reuse the same bridge.

* feat(IDE-1701): save login args from settings page and remove persist flag

- Remove persist field from HasAuthenticatedParam — always saves token and apiUrl
- Restore original hasAuthenticated flow: always stores endpoint + token, calls
  configurationUpdater.configurationChanged(), triggers scan when conditions met
- Keep notifyAuthTokenChanged(token, apiUrl) with apiUrl param — settings page
  webview always shows current token after auth
- Add bridge persist in ExecuteCommandBridge.registerBridgeFunction: when snyk.login
  called with 3+ args, save authMethod/endpoint/insecure to Preferences directly
  (no configurationChanged() → no didChangeConfiguration to LS)
- Remove setPersist() calls and persist-related tests from SnykExtendedLanguageClientTest
- Add saveLoginArgs() tests to ExecuteCommandBridgeTest covering auth method mapping,
  endpoint, and insecure saving

* feat(IDE-1701): forward apiUrl in notifyAuthTokenChanged for settings page browser

Pass apiUrl alongside token when calling window.setAuthToken in the browser
so the settings page can update both the token and apiUrl fields after auth.

* feat(IDE-1701): apply auth bridge pattern to both settings pages

- Add singleton + notifyAuthTokenChanged to native PreferencesPage so the
  SWT token field is updated live when hasAuthenticated fires, not just the
  HTML webview
- Reorder hasAuthenticated() to update UIs before persisting to storage,
  avoiding race conditions where a settings-changed event re-reads stale values
- Escape token and apiUrl before JS interpolation in notifyAuthTokenChanged
  to guard against single-quote injection
- Fix dispose() identity check (== instead of .equals()) in both settings pages

* fix: add updateToken method to TokenFieldEditor and fix Java 21 Mockito compatibility

- Add public updateToken() method to TokenFieldEditor to expose
  setStringValue() from outside the class (setStringValue is protected
  in StringFieldEditor)
- Fix test failures on Java 21 by adding -XX:+EnableDynamicAgentLoading
  to tycho-surefire-plugin argLine, required for mockito-inline 4.5.1
  to do byte-buddy instrumentation

* fix: lint

* fix: remove stale PMD.CompareObjectsWithEquals suppression

* fix: catch specific JsonProcessingException instead of generic Exception in ExecuteCommandBridge

* security: restrict webview executeCommand bridge to snyk.* namespace

Prevents XSS-to-arbitrary-command escalation by rejecting any command
not prefixed with "snyk." before it reaches the Language Server.

* refactor: extract JS string escaping into reusable utility method

Pull escapeForJsString() into ExecuteCommandBridge and replace inline
escaping in both ExecuteCommandBridge and HTMLSettingsPreferencePage.
Add explicit test for default (oauth) auth method fallback.

Author: nick-y-snyk

plugin/src/main/java/io/snyk/eclipse/plugin/EnvironmentConstants.java

@@ -1,11 +1,13 @@
 package io.snyk.eclipse.plugin;
 
-public interface EnvironmentConstants {
-  String ENV_SNYK_API = "SNYK_API";
-  String ENV_SNYK_TOKEN = "SNYK_TOKEN";
-  String ENV_SNYK_ORG = "SNYK_CFG_ORG";
-  String ENV_DISABLE_ANALYTICS = "SNYK_CFG_DISABLE_ANALYTICS";
-  String ENV_INTERNAL_SNYK_OAUTH_ENABLED = "INTERNAL_SNYK_OAUTH_ENABLED";
-  String ENV_INTERNAL_OAUTH_TOKEN_STORAGE = "INTERNAL_OAUTH_TOKEN_STORAGE";
-  String ENV_OAUTH_ACCESS_TOKEN = "SNYK_OAUTH_TOKEN";
+public final class EnvironmentConstants {
+  private EnvironmentConstants() {}
+
+  public static final String ENV_SNYK_API = "SNYK_API";
+  public static final String ENV_SNYK_TOKEN = "SNYK_TOKEN";
+  public static final String ENV_SNYK_ORG = "SNYK_CFG_ORG";
+  public static final String ENV_DISABLE_ANALYTICS = "SNYK_CFG_DISABLE_ANALYTICS";
+  public static final String ENV_INTERNAL_SNYK_OAUTH_ENABLED = "INTERNAL_SNYK_OAUTH_ENABLED";
+  public static final String ENV_INTERNAL_OAUTH_TOKEN_STORAGE = "INTERNAL_OAUTH_TOKEN_STORAGE";
+  public static final String ENV_OAUTH_ACCESS_TOKEN = "SNYK_OAUTH_TOKEN";
 }

plugin/src/main/java/io/snyk/eclipse/plugin/html/ExecuteCommandBridge.java

@@ -0,0 +1,189 @@
+package io.snyk.eclipse.plugin.html;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import io.snyk.eclipse.plugin.preferences.AuthConstants;
+import io.snyk.eclipse.plugin.preferences.Preferences;
+import io.snyk.eclipse.plugin.utils.SnykLogger;
+import io.snyk.languageserver.CommandHandler;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+import org.eclipse.swt.browser.Browser;
+import org.eclipse.swt.browser.BrowserFunction;
+import org.eclipse.swt.browser.ProgressAdapter;
+import org.eclipse.swt.browser.ProgressEvent;
+import org.eclipse.swt.widgets.Display;
+
+/**
+ * Shared bridge for the window.__ideExecuteCommand__ JS↔IDE contract. Usable by any SWT Browser
+ * panel (settings preference page, tree view, etc.).
+ *
+ * <p>Responsibilities:
+ *
+ * <ul>
+ *   <li>Register the native {@code __ideExecuteCommandBridge__} BrowserFunction that receives calls
+ *       from JavaScript.
+ *   <li>Inject the client-side JS wrapper that defines {@code window.__ideExecuteCommand__}.
+ *   <li>Dispatch commands to the Language Server and return results via the JS callback registry.
+ * </ul>
+ */
+public class ExecuteCommandBridge {
+
+  private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
+
+  /**
+   * Registers the {@code __ideExecuteCommandBridge__} BrowserFunction and adds a ProgressListener
+   * that injects the client-side JS wrapper after each page load.
+   */
+  public static void install(Browser browser) {
+    registerBridgeFunction(browser);
+    browser.addProgressListener(
+        new ProgressAdapter() {
+          @Override
+          public void completed(ProgressEvent event) {
+            injectScript(browser);
+          }
+        });
+  }
+
+  /**
+   * Returns the client-side JavaScript that defines {@code window.__ideExecuteCommand__} in the
+   * browser. Assumes {@code __ideExecuteCommandBridge__} BrowserFunction is registered.
+   */
+  public static String buildClientScript() {
+    return "(function() {"
+        + "  if (window.__ideCallbacks__) { return; }"
+        + "  window.__ideCallbacks__ = {};"
+        + "  var __cbCounter = 0;"
+        + "  window.__ideExecuteCommand__ = function(command, args, callback) {"
+        + "    var callbackId = '';"
+        + "    if (typeof callback === 'function') {"
+        + "      callbackId = '__cb_' + (++__cbCounter);"
+        + "      window.__ideCallbacks__[callbackId] = callback;"
+        + "    }"
+        + "    __ideExecuteCommandBridge__(command, JSON.stringify(args || []), callbackId);"
+        + "  };"
+        + "})();";
+  }
+
+  /**
+   * Injects the client-side JS wrapper into the browser. Safe to call on any page load; the script
+   * is idempotent (guarded by {@code window.__ideCallbacks__} check).
+   */
+  public static void injectScript(Browser browser) {
+    if (browser == null || browser.isDisposed()) {
+      return;
+    }
+    browser.execute(buildClientScript());
+  }
+
+  /**
+   * Escapes a string for safe inclusion inside a single-quoted JavaScript string literal.
+   * Backslashes and single quotes are escaped.
+   */
+  public static String escapeForJsString(String value) {
+    if (value == null) {
+      return "";
+    }
+    return value.replace("\\", "\\\\").replace("'", "\\'");
+  }
+
+  /** Returns true if the command is in the snyk.* namespace and may be dispatched from a webview. */
+  static boolean isAllowedCommand(String command) {
+    return command != null && command.startsWith("snyk.");
+  }
+
+  static void saveLoginArgs(List<Object> args) {
+    String authMethodStr = String.valueOf(args.get(0));
+    String authMethod;
+    switch (authMethodStr) {
+      case "pat":
+        authMethod = AuthConstants.AUTH_PERSONAL_ACCESS_TOKEN;
+        break;
+      case "token":
+        authMethod = AuthConstants.AUTH_API_TOKEN;
+        break;
+      default:
+        authMethod = AuthConstants.AUTH_OAUTH2;
+        break;
+    }
+    String endpoint = args.get(1) != null ? String.valueOf(args.get(1)) : "";
+    String insecure = String.valueOf(args.get(2));
+    Preferences prefs = Preferences.getInstance();
+    prefs.store(Preferences.AUTHENTICATION_METHOD, authMethod);
+    prefs.store(Preferences.ENDPOINT_KEY, endpoint);
+    prefs.store(Preferences.INSECURE_KEY, insecure);
+  }
+
+  private static void registerBridgeFunction(Browser browser) {
+    new BrowserFunction(browser, "__ideExecuteCommandBridge__") {
+      @Override
+      public Object function(Object[] arguments) {
+        if (arguments.length < 1 || !(arguments[0] instanceof String)) {
+          return null;
+        }
+        String command = (String) arguments[0];
+        if (!isAllowedCommand(command)) {
+          SnykLogger.logInfo("Webview attempted to execute disallowed command: " + command);
+          return null;
+        }
+        String argsJson =
+            arguments.length > 1 && arguments[1] instanceof String ? (String) arguments[1] : "[]";
+        String callbackId =
+            arguments.length > 2 && arguments[2] instanceof String ? (String) arguments[2] : "";
+
+        List<Object> args;
+        try {
+          args = Arrays.asList(OBJECT_MAPPER.readValue(argsJson, Object[].class));
+        } catch (JsonProcessingException e) {
+          SnykLogger.logError(e);
+          args = Collections.emptyList();
+        }
+
+        if ("snyk.login".equals(command) && args.size() >= 3) {
+          saveLoginArgs(args);
+        }
+
+        final List<Object> finalArgs = args;
+        final String finalCallbackId = callbackId;
+        CommandHandler.getInstance()
+            .executeCommand(command, finalArgs)
+            .thenAccept(
+                result -> {
+                  if (finalCallbackId == null || finalCallbackId.isEmpty()) {
+                    return;
+                  }
+                  try {
+                    String resultJson =
+                        result == null ? "null" : OBJECT_MAPPER.writeValueAsString(result);
+                    String escaped = escapeForJsString(finalCallbackId);
+                    String script =
+                        "if(window.__ideCallbacks__&&window.__ideCallbacks__['"
+                            + escaped
+                            + "']){"
+                            + "var cb=window.__ideCallbacks__['"
+                            + escaped
+                            + "'];"
+                            + "delete window.__ideCallbacks__['"
+                            + escaped
+                            + "'];"
+                            + "cb("
+                            + resultJson
+                            + ");}";
+                    Display.getDefault()
+                        .asyncExec(
+                            () -> {
+                              if (!browser.isDisposed()) {
+                                browser.evaluate(script);
+                              }
+                            });
+                  } catch (JsonProcessingException e) {
+                    SnykLogger.logError(e);
+                  }
+                });
+        return null;
+      }
+    };
+  }
+}

plugin/src/main/java/io/snyk/eclipse/plugin/preferences/HTMLSettingsPreferencePage.java

@@ -3,6 +3,7 @@
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import io.snyk.eclipse.plugin.html.BaseHtmlProvider;
+import io.snyk.eclipse.plugin.html.ExecuteCommandBridge;
 import io.snyk.eclipse.plugin.properties.FolderConfigs;
 import io.snyk.eclipse.plugin.utils.SnykLogger;
 import io.snyk.eclipse.plugin.views.snyktoolview.handlers.IHandlerCommands;
@@ -37,7 +38,6 @@ public class HTMLSettingsPreferencePage extends PreferencePage implements IWorkb
   private Browser browser;
   private final ObjectMapper objectMapper = new ObjectMapper();
   private final BaseHtmlProvider htmlProvider = new BaseHtmlProvider();
-  private final Object authLock = new Object();
 
   @SuppressWarnings("PMD.AssignmentToNonFinalStatic")
   public HTMLSettingsPreferencePage() {
@@ -75,43 +75,7 @@ public Object function(Object[] arguments) {
       }
     };
 
-    new BrowserFunction(browser, "__ideLogin__") {
-      @Override
-      public Object function(Object[] arguments) {
-        CompletableFuture.runAsync(
-            () -> {
-              synchronized (authLock) {
-                SnykExtendedLanguageClient lc = SnykExtendedLanguageClient.getInstance();
-                if (lc == null) {
-                  SnykLogger.logError(
-                      new IllegalStateException("Language client instance is null during login"));
-                  return;
-                }
-                lc.triggerAuthentication();
-              }
-            });
-        return null;
-      }
-    };
-
-    new BrowserFunction(browser, "__ideLogout__") {
-      @Override
-      public Object function(Object[] arguments) {
-        CompletableFuture.runAsync(
-            () -> {
-              synchronized (authLock) {
-                SnykExtendedLanguageClient lc = SnykExtendedLanguageClient.getInstance();
-                if (lc == null) {
-                  SnykLogger.logError(
-                      new IllegalStateException("Language client instance is null during logout"));
-                  return;
-                }
-                lc.logout();
-              }
-            });
-        return null;
-      }
-    };
+    ExecuteCommandBridge.install(browser);
   }
 
   private void loadContent() {
@@ -389,23 +353,27 @@ public boolean performOk() {
   @Override
   @SuppressWarnings("PMD.NullAssignment")
   public void dispose() {
-    if (this.equals(instance)) {
+    if (instance != null && instance.equals(this)) {
       instance = null;
     }
     super.dispose();
   }
 
-  public static void notifyAuthTokenChanged(String token) {
+  public static void notifyAuthTokenChanged(String token, String apiUrl) {
     if (instance != null && instance.browser != null && !instance.browser.isDisposed()) {
       Display.getDefault()
           .asyncExec(
               () -> {
                 if (instance != null
                     && instance.browser != null
                     && !instance.browser.isDisposed()) {
+                  String safeToken = ExecuteCommandBridge.escapeForJsString(token);
+                  String safeApiUrl = ExecuteCommandBridge.escapeForJsString(apiUrl);
                   instance.browser.evaluate(
                       "if (typeof window.setAuthToken === 'function') { window.setAuthToken('"
-                          + token
+                          + safeToken
+                          + "', '"
+                          + safeApiUrl
                           + "'); }");
                 }
               });

plugin/src/main/java/io/snyk/eclipse/plugin/preferences/PreferencesPage.java

@@ -26,6 +26,8 @@
 import io.snyk.languageserver.protocolextension.SnykExtendedLanguageClient;
 
 public class PreferencesPage extends FieldEditorPreferencePage implements IWorkbenchPreferencePage {
+	private static volatile PreferencesPage instance;
+
 	private BooleanFieldEditor snykCodeSecurityCheckbox;
 	private ComboFieldEditor authenticationEditor;
 	private StringFieldEditor endpoint;
@@ -34,8 +36,10 @@ public class PreferencesPage extends FieldEditorPreferencePage implements IWorkb
 
 	public static final int WIDTH = 60;
 
+	@SuppressWarnings("PMD.AssignmentToNonFinalStatic")
 	public PreferencesPage() {
 		super(GRID);
+		instance = this;
 	}
 
 	@Override
@@ -197,6 +201,25 @@ private FieldEditor space() {
 		return new LabelFieldEditor("", getFieldEditorParent());
 	}
 
+	@Override
+	@SuppressWarnings("PMD.NullAssignment")
+	public void dispose() {
+		if (instance != null && instance.equals(this)) {
+			instance = null;
+		}
+		super.dispose();
+	}
+
+	public static void notifyAuthTokenChanged(String token) {
+		if (instance != null && instance.tokenField != null) {
+			Display.getDefault().asyncExec(() -> {
+				if (instance != null && instance.tokenField != null) {
+					instance.tokenField.updateToken(token);
+				}
+			});
+		}
+	}
+
 	@Override
 	public boolean performOk() {
 		boolean superOK = super.performOk();

plugin/src/main/java/io/snyk/eclipse/plugin/preferences/TokenFieldEditor.java

@@ -26,6 +26,10 @@ public void emptyTextfield() {
 		setStringValue("");
 	}
 
+	public void updateToken(String token) {
+		setStringValue(token);
+	}
+
 	@Override
 	public void setPreferenceStore(IPreferenceStore store) {
 		// we don't let the page override the preference store to a non-secure store

plugin/src/main/java/io/snyk/eclipse/plugin/views/snyktoolview/SnykToolView.java

@@ -353,7 +353,7 @@ public void refreshTree() {
 	@Override
 	public void refreshBrowser(String status) {
 		Display.getDefault().asyncExec(() -> {
-			if (null != status && status.equals(SCAN_STATE_IN_PROGRESS)) {
+			if (SCAN_STATE_IN_PROGRESS.equals(status)) {
 				this.browserHandler.setScanningBrowserText();
 			} else {
 				this.browserHandler.setDefaultBrowserText();

plugin/src/main/java/io/snyk/languageserver/download/LsBinaries.java

@@ -8,7 +8,7 @@
 
 public class LsBinaries {
   private static final Preferences PREFERENCES = Preferences.getInstance();
-  public static final String REQUIRED_LS_PROTOCOL_VERSION = "23";
+  public static final String REQUIRED_LS_PROTOCOL_VERSION = "24";
 
   public static URI getBaseUri() {
     return URI.create(PREFERENCES.getPref(CLI_BASE_URL));