Rendered from specs/F07-auth.md — edit it there, not here.
F07 — Remote Schema Authentication
Overview
The extension can fetch JSON Schema files from private HTTPS endpoints using credentials stored securely in the OS keychain. It supports GitHub OAuth, Bearer tokens, and Basic auth.
User Stories
- As a developer using schemas from a private GitHub repo, I want to authenticate with my existing VS Code GitHub session without copying tokens.
- As an enterprise developer using Artifactory, I want to store a Bearer token once and have the extension use it automatically.
- As a developer, I want VS Code's language server to stop showing a red squiggle for private schemas after I configure auth.
Functional Requirements
Configure Auth Command
- F07-FR-01 The command
jsonschema.configureSchemaAuthMUST present a Quick Pick of authentication methods for the URL associated with the active file's schema. - F07-FR-02 If the active file has no remote
$schemaURL the command MUST prompt the user for a URL. - F07-FR-03 If the URL is not a remote URL (i.e. not
http://orhttps://) the command MUST show an informational message and return.
Authentication Methods
- F07-FR-04 GitHub OAuth — the extension MUST obtain a GitHub OAuth token through VS Code's built-in GitHub authentication provider (no user-visible token).
- F07-FR-05 Bearer token — the user MUST be prompted to enter a token; the token MUST be stored in VS Code's Secret Storage (OS keychain), not in plaintext settings.
- F07-FR-06 Basic auth — the user MUST be prompted for a username and password; both MUST be stored in Secret Storage.
Credential Storage and Retrieval
- F07-FR-07 Credentials MUST be keyed by hostname so one set covers all paths under the same host.
- F07-FR-08 When fetching a remote schema the extension MUST automatically apply the stored credentials for the schema's host.
- F07-FR-09 If a fetch returns 401 or 403 the extension MUST surface an
AuthRequiredErrorwith the URL so the caller can offer the Configure Auth flow.
Discoverability
- F07-FR-10 A 🔒 / 🔓 status bar item MUST be visible when the active file has a remote
$schema. It MUST indicate whether credentials are configured for the schema's host. To stay compact the item's label MUST be icon-only (🔒 when configured, 🔓 otherwise); the schema host MUST be shown in the item's tooltip rather than in its label, so the item does not widen with the host's domain length. - F07-FR-11 When VS Code cannot load a remote schema a code action (lightbulb) MUST appear on the
$schemaline offering to configure auth. - F07-FR-12 When the Validate This File command returns a 401/403, the error notification MUST include a Configure Auth button.
Post-Configuration
- F07-FR-13 After auth is successfully configured the extension SHOULD offer to cache the schema locally (see F08) with a Cache Schema button.
Non-Functional Requirements
- F07-NFR-01 Credentials MUST be stored via
vscode.SecretStorage; they MUST NOT be written tosettings.jsonor any other plaintext file. - F07-NFR-02 Token values MUST NOT appear in log output.
Acceptance Criteria
- Running Configure Schema Authentication… and selecting GitHub OAuth completes without prompting for a token on machines already signed into GitHub in VS Code.
- Running the command with no remote schema URL shows an information message.
Requirement traceability
Status of each requirement in specs/traceability.json. Test coverage is auto-discovered from [ID] tags in test titles and is not listed here.
| Requirement | Status | Implementation | Note |
|---|---|---|---|
F07-FR-01 | implemented | src/SchemaAuthManager.ts | unit-tested via the vscode mock (2026-07 coverage expansion) |
F07-FR-02 | manual | src/SchemaAuthManager.ts | VS Code API-bound; verified by manual / E2E testing |
F07-FR-03 | manual | src/extension.ts | VS Code API-bound; verified by manual / E2E testing |
F07-FR-04 | implemented | src/SchemaAuthManager.ts | unit-tested via the vscode mock (2026-07 coverage expansion) |
F07-FR-05 | implemented | src/SchemaAuthManager.ts | unit-tested via the vscode mock (2026-07 coverage expansion) |
F07-FR-06 | implemented | src/SchemaAuthManager.ts | unit-tested via the vscode mock (2026-07 coverage expansion) |
F07-FR-07 | implemented | src/SchemaAuthManager.ts | credentials keyed by host cover all paths under it |
F07-FR-08 | implemented | src/SchemaAuthManager.ts | unit-tested via the vscode mock (2026-07 coverage expansion) |
F07-FR-09 | implemented | src/SchemaAuthManager.ts | AuthRequiredError unit-tested |
F07-FR-10 | implemented | src/SchemaAuthStatusBar.ts | icon-only label (host moved to the tooltip so the item stays compact); unit-tested via the vscode mock |
F07-FR-11 | implemented | src/SchemaAuthCodeActionProvider.ts | unit-tested via the vscode mock (2026-07 coverage expansion) |
F07-FR-12 | implemented | src/ValidationManager.ts | unit-tested via the vscode mock (2026-07 coverage expansion) |
F07-FR-13 | manual | src/extension.ts | VS Code API-bound; verified by manual / E2E testing |
F07-NFR-01 | manual | src/SchemaAuthManager.ts | VS Code API-bound; verified by manual / E2E testing |
F07-NFR-02 | manual | src/SchemaAuthManager.ts | VS Code API-bound; verified by manual / E2E testing |