fix: post auth hook locking

[ShawkyZ]

Description

Fix: move postCredentialUpdateHook execution outside the auth lock

The postCredentialUpdateHook (used to populate feature flags after login) was running inside updateCredentials, which is called from authenticate() while a.m.Lock() is held. The hook makes HTTP calls to fetch feature flags and SAST settings for every workspace folder. This means:

• The auth service's RWMutex write lock was held during multiple network round-trips
• All concurrent IsAuthenticated() callers (which need RLock) were blocked
• Any code in the hook's call chain that transitively called back into the auth service would deadlock

Fix: Remove the hook call from updateCredentials and move it to Authenticate(), where it runs after the lock is released. The hook is still injectable from outside via SetPostCredentialUpdateHook — the only change is when it executes relative to the lock.

Before:

Authenticate() {
    a.m.Lock()
    └─ authenticate()
       └─ updateCredentials()
          ├─ store credentials
          ├─ postCredentialUpdateHook()  ← network I/O under lock
          └─ send notification
    a.m.Unlock()
}

After:

Authenticate() {
    a.m.Lock()
    └─ authenticate()
       └─ updateCredentials()
          ├─ store credentials
          └─ send notification
    a.m.Unlock()
    postCredentialUpdateHook()  ← network I/O, NO lock held
}

The test is updated to verify the hook runs outside the lock by calling IsAuthenticated() from within the hook — which would deadlock under the old code.

Checklist

• Tests added and all succeed
• Regenerated mocks, etc. (make generate)
• Linted (make lint-fix)
• README.md updated, if user-facing
• License file updated, if new 3rd-party dependency is introduced

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[bastiandoetsch]

why did you remove it?

[ShawkyZ]

this was added by a previous PR and wasn't necessary since we have the recovery on a global level.

[bastiandoetsch]

why is this now extracted?

[ShawkyZ]

don't want the post hook to be inside the mutex lock, since post hook will trigger a bunch of network calls for fetching FFs. This will affect other calls like IsAuthenticated

[snyk-pr-review-bot]

PR Reviewer Guide 🔍

🧪 PR contains tests

🔒 No security concerns identified

⚡ Recommended focus areas for review Deadlock Risk 🔴 [critical] The Authenticate function replaces defer a.m.Unlock() with a manual a.m.Unlock() call after a.authenticate(ctx). If a.authenticate(ctx) or any of its internal logic (such as configureProviders or sendAuthenticationAnalytics) panics, the mutex a.m will remain locked indefinitely, deadlocking all subsequent calls to IsAuthenticated, Provider, and Logout. a.m.Lock() a.previousAuthCtxCancelFuncMu.Lock() ctx, a.previousAuthCtxCancelFunc = context.WithCancel(ctx) a.previousAuthCtxCancelFuncMu.Unlock() token, err = a.authenticate(ctx) hook := a.postCredentialUpdateHook a.previousAuthCtxCancelFunc() a.m.Unlock() Race Condition 🟠 [major] Moving the postCredentialUpdateHook execution to the end of Authenticate ensures it runs after the lock is released, but also after updateCredentials has already sent the $/snyk.hasAuthenticated notification to the IDE. As documented in domain/ide/command/login.go, this hook must run before the notification to ensure feature flags are populated before the IDE triggers an automatic scan. This change re-introduces the race condition where scans fail with 'Snyk Code is not enabled'. if hook != nil && token != "" && err == nil { hook() }

📚 Repository Context Analyzed This review considered 12 relevant code sections from 10 files (average relevance: 0.92) domain/ide/command/login.go (lines 1-133) infrastructure/authentication/provider_fake.go (lines 1-140) application/di/test_init.go (lines 1-117) infrastructure/authentication/auth_service.go (lines 1-71) infrastructure/authentication/oauth_provider.go (lines 1-92) domain/ide/command/apply_auth_config.go (lines 1-64) infrastructure/code/fake_snyk_code_api_service.go (lines 1-116) ... and 3 more file(s)