dotfiles command hangs on expired external auth token during workspace restart #18804

@blink-so

Problem

When a workspace is restarted and the startup script includes coder dotfiles <private-dotfiles-gitlab-repo>, the command hangs indefinitely if the user's GitLab external auth token has expired. This creates a poor user experience because:

  1. The workspace startup process gets stuck
  2. Users are not prompted to re-authenticate with GitLab
  3. There's no clear indication of what went wrong
  4. Users must manually intervene to resolve the issue

Current Behavior

  1. User configures GitLab external auth and successfully authenticates
  2. User sets up dotfiles with a private GitLab repository
  3. GitLab token expires (tokens have limited lifetime)
  4. User restarts workspace
  5. Startup script runs coder dotfiles <gitlab-repo>
  6. Command hangs indefinitely without user feedback
  7. Workspace startup never completes

Expected Behavior

  1. User configures GitLab external auth and successfully authenticates
  2. User sets up dotfiles with a private GitLab repository
  3. GitLab token expires
  4. User restarts workspace
  5. Startup script runs coder dotfiles <gitlab-repo>
  6. Command detects expired token and either:
    • Prompts user to re-authenticate with GitLab, OR
    • Fails gracefully with a clear error message directing user to re-authenticate
  7. User can take appropriate action to resolve the authentication issue

Technical Details

Based on code analysis:

  • The coder dotfiles command in /cli/dotfiles.go uses standard Git operations for cloning/pulling repositories
  • External auth token handling is in /coderd/externalauth/externalauth.go, with the RefreshToken() function
  • When tokens expire and NoRefresh is true or refresh fails, an InvalidTokenError is returned
  • However, the dotfiles command doesn't appear to handle this case gracefully during non-interactive startup scripts
  • Git operations may hang waiting for credentials that will never be provided

Reproduction Steps

  1. Set up GitLab external auth with a Coder instance
  2. Configure a workspace template with dotfiles pointing to a private GitLab repository
  3. Create a workspace and authenticate with GitLab
  4. Wait for GitLab token to expire (or manually revoke it)
  5. Restart the workspace
  6. Observe that the startup script hangs on the dotfiles command

Suggested Solution

The dotfiles command should:

  1. Check if external auth tokens are available and valid before attempting Git operations
  2. If tokens are expired/invalid, fail fast with a clear error message
  3. Provide guidance on how to re-authenticate
  4. Consider adding a --non-interactive flag for startup scripts that skips prompts and fails gracefully

Impact

  • Severity: Medium-High (affects workspace startup reliability)
  • Frequency: Occurs whenever tokens expire and workspaces are restarted
  • User Experience: Poor (silent hang with no feedback)
  • Workaround: Manual intervention required to clear startup script or re-authenticate
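
A startup-script guard for the hang described in this issue, as an added example that is not part of the original report or of Coder's code. The function name `run_noninteractive`, the 60-second limit and the availability of coreutils `timeout` in the workspace image are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not Coder's own code. Names and limits are assumptions.

# Run "$@" with a time limit and no way to prompt, then map the outcome to a
# message the user can act on. Returns 0 on success, 124 on timeout, or the
# command's own exit status on any other failure.
run_noninteractive() {
  local limit="$1"; shift
  local rc=0
  # GIT_TERMINAL_PROMPT=0 makes git error out instead of asking on the terminal.
  # stdin from /dev/null gives any other prompt an immediate EOF.
  # -k 5 sends SIGKILL if the command ignores the initial SIGTERM for 5 s.
  # Whatever the command is waiting on, the time limit is the backstop.
  GIT_TERMINAL_PROMPT=0 timeout -k 5 "$limit" "$@" </dev/null || rc=$?
  case "$rc" in
    0) ;;
    124|137)
      echo "dotfiles: no result after ${limit}s; the external auth token may" \
           "have expired. Re-authenticate with the Git provider, then restart" \
           "the workspace." >&2
      rc=124 ;;
    *)
      echo "dotfiles: command failed with exit status ${rc}; check external" \
           "auth for the Git provider." >&2 ;;
  esac
  return "$rc"
}

# Startup-script usage (repository placeholder as written in the issue):
#   run_noninteractive 60 coder dotfiles <private-dotfiles-gitlab-repo> || true
# "|| true" lets the rest of the startup script continue without dotfiles.
```

The guard bounds the wait and surfaces a message in the startup log; it does not refresh the token, so re-authentication is still a manual step.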
