Add diagnostic logging for debugger tunnel 403

rentziass · Copilot · rentziass · commit 02e77825accc · 2026-04-23T11:38:00.000+02:00
Instruments the Actions job debugger flow with non-sensitive diagnostic
logging so we can investigate devtunnel 403 upgrade failures that only
reproduce on some users' machines.

Logged (never the full token):
- Prefix (first 4 chars) and length of the access token used, plus the
  session's granted scopes and account label. Distinguishes ghu_ (VS Code
  GitHub App) from gho_ (OAuth app) / ghp_ (PAT); Dev Tunnels only
  trusts ghu_.
- A silent probe for a scope-less ("App-backed") session so we can tell
  whether the requested ["repo","workflow"] scopes forced VS Code onto
  the OAuth path.
- Top-level field names of the /actions/jobs/{job_id}/debugger response,
  in case a separate tunnel access token is returned.
- On WS upgrade failure, the tunnel's HTTP status, statusText, a
  whitelist of diagnostic headers, and a truncated response body via
  the ws 'unexpected-response' event.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/src/debugger/debugger.ts b/src/debugger/debugger.ts
@@ -69,6 +69,36 @@ async function connectToDebugger(): Promise<void> {
   }
 
   const token = session.accessToken;
+
+  // Diagnostic: log token shape (prefix + length) and session scopes to help
+  // diagnose devtunnel 403 errors. `ghu_` = VS Code GitHub App user-to-server
+  // token (accepted by devtunnels); `gho_`/`ghp_` = OAuth/PAT (may be rejected).
+  // The full token is never logged.
+  log(
+    `[debugger] Using session: tokenPrefix=${token.slice(0, 4)} tokenLen=${token.length} ` +
+      `scopes=[${session.scopes.join(",")}] account=${session.account.label}`
+  );
+
+  // Diagnostic probe: silently check if a scope-less GitHub session exists.
+  // Dev Tunnels only trusts VS Code GitHub App tokens (`ghu_`). A scope-less
+  // session is always backed by the App, so if its prefix differs from the
+  // one above we know the requested scopes forced VS Code onto the OAuth
+  // app path (which returns `gho_` and gets rejected by the tunnel).
+  try {
+    const appSession = await vscode.authentication.getSession("github", [], {createIfNone: false, silent: true});
+    if (appSession) {
+      log(
+        `[debugger] App-backed session probe: tokenPrefix=${appSession.accessToken.slice(0, 4)} ` +
+          `tokenLen=${appSession.accessToken.length} scopes=[${appSession.scopes.join(",")}] ` +
+          `sameAsAbove=${appSession.accessToken === token}`
+      );
+    } else {
+      log(`[debugger] App-backed session probe: no scope-less session cached`);
+    }
+  } catch (e) {
+    log(`[debugger] App-backed session probe failed: ${(e as Error).message}`);
+  }
+
   let debuggerUrl: string;
   try {
     debuggerUrl = await vscode.window.withProgress(
@@ -80,6 +110,13 @@ async function connectToDebugger(): Promise<void> {
           repo: parsed.repo,
           job_id: parsed.jobId
         });
+        // Diagnostic: log top-level fields in the API response. If the API
+        // returns a tunnel-specific access token (separate from the GitHub
+        // token), we'd see it here and can switch the WS to use it.
+        if (response.data && typeof response.data === "object") {
+          const keys = Object.keys(response.data as object);
+          log(`[debugger] /debugger API response fields: [${keys.join(", ")}]`);
+        }
         return (response.data as {debugger_url: string}).debugger_url;
       }
     );
diff --git a/src/debugger/webSocketDapAdapter.ts b/src/debugger/webSocketDapAdapter.ts
@@ -1,3 +1,4 @@
+import type {IncomingMessage} from "http";
 import * as vscode from "vscode";
 import WebSocket from "ws";
 import {log, logDebug, logError} from "../log";
@@ -49,6 +50,56 @@ export class WebSocketDapAdapter implements vscode.DebugAdapter {
         }
       });
 
+      // Diagnostic: the tunnel server may reject the WS upgrade with an HTTP
+      // response (e.g. 401/403). The plain `error` event only surfaces
+      // "Unexpected server response: 403" — grab the full response here so
+      // we can log status text and diagnostic headers (which token auth the
+      // tunnel checked, rejection reason, etc.).
+      let unexpectedResponse: {status: number; statusMessage: string; headers: string} | undefined;
+      const onUnexpectedResponse = (_req: unknown, res: IncomingMessage) => {
+        const interestingHeaders = [
+          "www-authenticate",
+          "x-tunnel-authorization",
+          "x-tunnel-service-version",
+          "x-powered-by",
+          "server",
+          "date",
+          "content-type",
+          "content-length",
+          "x-request-id",
+          "x-correlation-id",
+          "x-ms-request-id",
+          "x-ms-error-code"
+        ];
+        const headerLines = interestingHeaders
+          .map(h => {
+            const v = res.headers[h];
+            return v ? `${h}=${Array.isArray(v) ? v.join(",") : v}` : undefined;
+          })
+          .filter(Boolean)
+          .join(" ");
+        unexpectedResponse = {
+          status: res.statusCode ?? 0,
+          statusMessage: res.statusMessage ?? "",
+          headers: headerLines
+        };
+        log(
+          `[debugger] Tunnel rejected WS upgrade: ${unexpectedResponse.status} ` +
+            `${unexpectedResponse.statusMessage} | ${headerLines}`
+        );
+        // Drain the body so the socket can close cleanly, and capture any
+        // error text the tunnel included (e.g. a JSON {message: "..."}).
+        const chunks: Buffer[] = [];
+        res.on("data", (c: Buffer) => chunks.push(c));
+        res.on("end", () => {
+          if (chunks.length > 0) {
+            const body = Buffer.concat(chunks).toString("utf8").slice(0, 500);
+            log(`[debugger] Tunnel rejection body: ${body}`);
+          }
+        });
+      };
+      ws.on("unexpected-response", onUnexpectedResponse);
+
       const connectTimer = setTimeout(() => {
         if (!settled) {
           settled = true;
@@ -99,6 +150,7 @@ export class WebSocketDapAdapter implements vscode.DebugAdapter {
         ws.removeListener("open", onOpen);
         ws.removeListener("error", onError);
         ws.removeListener("close", onClose);
+        ws.removeListener("unexpected-response", onUnexpectedResponse);
       };
 
       ws.on("open", onOpen);
