sourcegraph / jetbrains


bug: Revoke the access token when a user signs out of JetBrains and VSCode #434

Open chenkc805 opened 8 months ago

chenkc805 commented 8 months ago

Installation Information

Most recent version of Cody in JetBrains

Describe the bug

Steps to repro:

Screenshot 2024-01-26 at 4 51 32 PM

Expected behavior

This is a new feature for enterprise customers, but PLG users (aka users not on their own Enterprise instance) should never encounter this bug.

@eseliger suggested revoking the access token when you sign out of Cody in the IDE. Context: https://sourcegraph.slack.com/archives/C05MW2TMYAV/p1706317215280919

Additional context (logs, images, etc)

No response

chenkc805 commented 8 months ago

Related task in VS Code: https://github.com/sourcegraph/cody/issues/2935

dominiccooney commented 1 month ago

Retitling this "and VSCode" because the VSCode issue was autoclosed as stale without being fixed AFAICT.

dominiccooney commented 1 month ago

Should we be invalidating any token when you sign out, or just ones we created with the sign-in flow?

Might be painful if a user is reusing the same token elsewhere to invalidate it…

chenkc805 commented 1 month ago

Yeah - can we do some sort of first in, last out (FILO) with tokens, where the oldest token that you authenticated with just gets discarded in favor of the new one? I can't imagine that anyone with 20+ tokens would be keeping around that 1st token…
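The two options raised in the comments above (revoke on sign-out only the tokens the sign-in flow created, and discard a user's oldest token when a new one is issued) can be sketched as follows. This is an added example, not code from the Cody or Sourcegraph code base: `TokenServer`, `signOut`, the `Origin` tag and the cap of 3 are all hypothetical, and the server is an in-memory stand-in.

```typescript
// Added example. All names are hypothetical; this is not Sourcegraph's API.
type Origin = "sign-in-flow" | "user-pasted";

interface ServerToken {
  id: number;
  user: string;
  origin: Origin;
  revoked: boolean;
}

const MAX_FLOW_TOKENS = 3; // assumed per-user cap, not a value from the issue

class TokenServer {
  private tokens: ServerToken[] = [];
  private nextId = 1;

  // Mint a token; when flow-minted tokens exceed the cap, revoke the oldest.
  issue(user: string, origin: Origin): number {
    const tok: ServerToken = { id: this.nextId++, user, origin, revoked: false };
    this.tokens.push(tok);
    if (origin === "sign-in-flow") {
      const live = this.tokens.filter(
        (t) => t.user === user && !t.revoked && t.origin === "sign-in-flow"
      );
      // ids grow monotonically, so the front of the list is the oldest
      live.slice(0, Math.max(0, live.length - MAX_FLOW_TOKENS))
        .forEach((t) => { t.revoked = true; });
    }
    return tok.id;
  }

  revoke(id: number): void {
    this.tokens.forEach((t) => { if (t.id === id) t.revoked = true; });
  }

  isValid(id: number): boolean {
    return this.tokens.some((t) => t.id === id && !t.revoked);
  }
}

interface StoredCredential { tokenId: number; origin: Origin; }

// IDE sign-out: the local credential is always dropped; the server-side token
// is revoked only if the IDE's own sign-in flow created it.
function signOut(server: TokenServer, cred: StoredCredential) {
  const revokedOnServer = cred.origin === "sign-in-flow";
  if (revokedOnServer) server.revoke(cred.tokenId);
  return { credential: null, revokedOnServer };
}
```

Recording the origin alongside the stored credential is what lets sign-out leave a manually pasted token, which the user may be reusing elsewhere, valid on the server.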

dominiccooney commented 1 month ago

Ok, @ara.khan is that enough to go on or do you need more design support? Can you bring #discuss-security in on this too, since we are messing with token issuance…