From d15486c22e59fffdd07c33eb2abac1854f2308d1 Mon Sep 17 00:00:00 2001
From: Aaron Lehmann <alehmann@netflix.com>
Date: Mon, 3 Feb 2025 15:16:15 -0800
Subject: [PATCH] Recreate REST client after starting a workspace

maybeWaitForRunning can take indefinitely long because it prompts for
confirmation, and in that time, client certificates can expire. Start
setup fresh after this call to make sure the REST client uses the latest
certificates.
---
 CHANGELOG.md  |  2 ++
 src/remote.ts | 21 +++++++++++----------
 2 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4f2c1ef2..499dda19 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,8 @@
 
 ## Unreleased
 
+- Recreate REST client after starting a workspace to ensure fresh TLS certificates.
+
 ## [v1.3.10](https://github.com/coder/vscode-coder/releases/tag/v1.3.9) (2025-01-17)
 
 - Fix bug where checking for overridden properties incorrectly converted host name pattern to regular expression.
diff --git a/src/remote.ts b/src/remote.ts
index abe93e1f..403642a0 100644
--- a/src/remote.ts
+++ b/src/remote.ts
@@ -56,11 +56,6 @@ export class Remote {
     label: string,
     binPath: string,
   ): Promise<Workspace | undefined> {
-    // Maybe already running?
-    if (workspace.latest_build.status === "running") {
-      return workspace
-    }
-
     const workspaceName = `${workspace.owner_name}/${workspace.name}`
 
     // A terminal will be used to stream the build, if one is necessary.
@@ -320,13 +315,19 @@ export class Remote {
     disposables.push(this.registerLabelFormatter(remoteAuthority, workspace.owner_name, workspace.name))
 
     // If the workspace is not in a running state, try to get it running.
-    const updatedWorkspace = await this.maybeWaitForRunning(workspaceRestClient, workspace, parts.label, binaryPath)
-    if (!updatedWorkspace) {
-      // User declined to start the workspace.
-      await this.closeRemote()
+    if (workspace.latest_build.status !== "running") {
+      if (!(await this.maybeWaitForRunning(workspaceRestClient, workspace, parts.label, binaryPath))) {
+        // User declined to start the workspace.
+        await this.closeRemote()
+      } else {
+        // Start over with a fresh REST client because we may have waited an
+        // indeterminate amount amount of time for confirmation to start the
+        // workspace.
+        await this.setup(remoteAuthority)
+      }
       return
     }
-    this.commands.workspace = workspace = updatedWorkspace
+    this.commands.workspace = workspace
 
     // Pick an agent.
     this.storage.writeToCoderOutputChannel(`Finding agent for ${workspaceName}...`)