Couple of fixes:

- Previous sudo check blocked the main thread
- Move title of sudo inside of the box
- Make sure not to cache password for regular plugin requests

Author: kevinwang5658

src/common/base-command.ts

@@ -52,8 +52,8 @@ export abstract class BaseCommand extends Command {
         this.reporter.notifySudoPasswordPreSupplied();
       }
 
-      this.reporter.onSudoPasswordSubmitted((password: string) => {
-        const isValid = SudoUtils.validate(password);
+      this.reporter.onSudoPasswordSubmitted(async (password: string) => {
+        const isValid = await SudoUtils.validate(password);
         if (isValid) {
           cachedSudoPassword = password;
         }

src/ui/components/default-component.tsx

@@ -85,6 +85,7 @@ export function DefaultComponent(props: {
       renderStatus === RenderStatus.SUDO_PROMPT && (
         <SudoPasswordInput
           key={(renderData as { attemptCount: number }).attemptCount}
+          title={(renderData as { title?: string }).title}
           hasError={(renderData as { attemptCount: number }).attemptCount > 0}
           cancellable={(renderData as { cancellable: boolean }).cancellable}
           onSubmit={(password) => emitter.emit(RenderEvent.SUDO_PROMPT_RESULT, password)}

src/ui/components/widgets/SudoPasswordInput.tsx

@@ -4,12 +4,13 @@ import React, { useState } from 'react';
 import Spinner from '../progress/spinner.js';
 
 export function SudoPasswordInput(props: {
+  title?: string;
   hasError: boolean;
   cancellable: boolean;
   onSubmit: (password: string) => void;
   onCancel: () => void;
 }) {
-  const { hasError, cancellable, onSubmit, onCancel } = props;
+  const { title, hasError, cancellable, onSubmit, onCancel } = props;
   const [value, setValue] = useState('');
   const [isChecking, setIsChecking] = useState(false);
 
@@ -52,6 +53,7 @@ export function SudoPasswordInput(props: {
       borderColor={borderColor}
       marginTop={1}
     >
+      {title && <Text bold>{title}</Text>}
       {isChecking ? (
         <Spinner label="Checking password..." />
       ) : (

src/ui/reporters/default-reporter.tsx

@@ -47,7 +47,7 @@ export class DefaultReporter implements Reporter {
   private renderEmitter = new EventEmitter();
   private progressState: ProgressState | null = null
   private verbosityToggleCallback: (() => void) | null = null;
-  private sudoPasswordSubmittedCallback: ((password: string) => boolean) | null = null;
+  private sudoPasswordSubmittedCallback: ((password: string) => Promise<boolean>) | null = null;
   silent = false;
 
   constructor() {
@@ -72,7 +72,7 @@ export class DefaultReporter implements Reporter {
     this.verbosityToggleCallback = callback;
   }
 
-  onSudoPasswordSubmitted(callback: (password: string) => boolean): void {
+  onSudoPasswordSubmitted(callback: (password: string) => Promise<boolean>): void {
     this.sudoPasswordSubmittedCallback = callback;
   }
 
@@ -199,13 +199,14 @@ export class DefaultReporter implements Reporter {
   }
 
   async promptSudo(pluginName: string, data: CommandRequestData, secureMode: boolean): Promise<string | undefined> {
-    ctx.log(chalk.blue(`Plugin: "${pluginName}" requires root access to run command: "sudo ${data.command}"`));
+    ctx.log(`Plugin: "${pluginName}" requires root access to run command: "sudo ${data.command}"`);
+    const title = `Plugin: "${pluginName}" requires root access to run command: "sudo ${data.command}"`;
 
     let password;
 
     // Password is only needed outside of sudo timeout. Pass password in as undefined if not needed.
-    if (secureMode || !SudoUtils.validate()) {
-      password = await this.getUserPassword();
+    if (secureMode || !(await SudoUtils.validate())) {
+      password = await this.getUserPassword(title);
     }
 
     return password;
@@ -332,7 +333,7 @@ export class DefaultReporter implements Reporter {
         ctx.log('Sudo password attempt');
       }
 
-      const isValid = this.sudoPasswordSubmittedCallback?.(result as string) ?? false;
+      const isValid = await (this.sudoPasswordSubmittedCallback?.(result as string) ?? Promise.resolve(false));
       if (isValid) {
         ctx.log('Sudo password successful!');
 
@@ -349,17 +350,21 @@ export class DefaultReporter implements Reporter {
     await this.displayProgress();
   }
 
-  private async getUserPassword(): Promise<string> {
+  private async getUserPassword(title?: string): Promise<string> {
     let attemptCount = 0;
 
     while (attemptCount < 3) {
       const passwordAttempt = await this.updateStateAndAwaitEvent<string>(
-        () => this.updateRenderState(RenderStatus.SUDO_PROMPT, { attemptCount, cancellable: false }),
+        () => this.updateRenderState(RenderStatus.SUDO_PROMPT, { attemptCount, cancellable: false, title }),
         RenderEvent.SUDO_PROMPT_RESULT,
       );
 
       // Validates that the password works
-      if (SudoUtils.validate(passwordAttempt)) {
+      if (await SudoUtils.validate(passwordAttempt)) {
+        // Drop the sudo session so it is not cached for future prompts.
+        // The inline sudo path (handleInlineSudoPassword) caches intentionally;
+        // this path (promptSudo) must not.
+        await SudoUtils.invalidate();
         await this.displayProgress();
         return passwordAttempt;
       }

src/utils/sudo.ts

@@ -1,22 +1,43 @@
-import { execSync } from 'node:child_process';
+import { execFile, spawn } from 'node:child_process';
+import util from 'node:util';
 
 import { OsUtils } from './os-utils.js';
 import { ShellUtils } from './shell.js';
 
+const execFileAsync = util.promisify(execFile);
+
+function spawnWithInput(command: string, args: string[], input?: string): Promise<boolean> {
+  return new Promise((resolve) => {
+    const child = spawn(command, args, { stdio: ['pipe', 'ignore', 'ignore'] });
+    child.on('error', () => resolve(false));
+    child.on('close', (code) => resolve(code === 0));
+    if (input) {
+      child.stdin.end(input + '\n');
+    } else {
+      child.stdin.end();
+    }
+  });
+}
+
 export const SudoUtils = {
-  validate(password?: string): boolean {
+  async validate(password?: string): Promise<boolean> {
     try {
       if (OsUtils.isMacOS()) {
         // Sudo with -SNv will not prompt if within sudo cache timeout. Mac OS uses -SNv instead of -Snv
-        execSync(`sudo -SNv ${password ? `<<< ${password}` : ''}`, { stdio: 'ignore' })
-        return true;
+        return await spawnWithInput('sudo', ['-SNv'], password);
       }
 
-      // Sudo with -Snv will not prompt if within sudo cache timeout
-      execSync(`sudo -Skv ${password ? `<<< '${password}'` : ''}`, { stdio: 'ignore', shell: ShellUtils.getDefaultShell() })
-      return true;
+      // Sudo with -Skv will not prompt if within sudo cache timeout
+      const shell = ShellUtils.getDefaultShell();
+      return await spawnWithInput(shell, ['-c', 'sudo -Skv'], password);
     } catch {
       return false;
     }
-  }
+  },
+
+  async invalidate(): Promise<void> {
+    try {
+      await execFileAsync('sudo', ['-k']);
+    } catch { /* sudo -k never fails meaningfully */ }
+  },
 };