@allbaseai/openclaw-allbase 0.1.3 → 0.1.5

package/README.md

@@ -103,3 +103,34 @@ Optional `profile` parameter overrides automatic mapping for one call.
 - Plugin id is `openclaw-allbase` (use this id in `plugins.entries.*`).
 - Keep tokens/API keys private.
 - `upload_document` requires local file path available to the gateway host.
+
+
+## Interactive OAuth CLI flow (new)
+
+You can now run a browser-based OAuth flow directly from OpenClaw commands:
+
+1. Start flow (prints a URL):
+
+```text
+/allbase-auth-start <profile>
+```
+
+2. Open URL on any device, approve, copy code.
+
+3. Complete flow (stores tokens in `~/.openclaw/openclaw.json`):
+
+```text
+/allbase-auth-complete <CODE> <profile>
+```
+
+4. Check pending states:
+
+```text
+/allbase-auth-status
+```
+
+After completion, restart gateway if needed:
+
+```bash
+openclaw gateway restart
+```

package/index.ts

@@ -1,8 +1,10 @@
 import { Type } from "@sinclair/typebox";
 import type { AnyAgentTool, OpenClawPluginApi, OpenClawPluginToolContext } from "openclaw/plugin-sdk";
 import { emptyPluginConfigSchema } from "openclaw/plugin-sdk";
-import { readFileSync } from "node:fs";
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
 import { basename } from "node:path";
+import { createHash, randomBytes } from "node:crypto";
+import { homedir } from "node:os";
 
 type AgentResult = { content: Array<{ type: string; text: string }>; details?: unknown };
 
@@ -58,6 +60,90 @@ const AllbaseToolSchema = Type.Object(
 
 const tokenCache = new Map<string, { token: string; exp: number }>();
 
+
+type OAuthPending = {
+  profile: string;
+  baseUrl: string;
+  clientId: string;
+  tokenEndpoint: string;
+  authorizeEndpoint: string;
+  redirectUri: string;
+  scope: string;
+  codeVerifier: string;
+  state: string;
+  createdAt: number;
+};
+
+type OAuthStore = {
+  pending?: Record<string, OAuthPending>;
+};
+
+function oauthStorePath(): string {
+  return `${homedir()}/.openclaw/openclaw-allbase-oauth-state.json`;
+}
+
+function readOAuthStore(): OAuthStore {
+  const path = oauthStorePath();
+  try {
+    if (!existsSync(path)) return {};
+    return JSON.parse(readFileSync(path, "utf8")) as OAuthStore;
+  } catch {
+    return {};
+  }
+}
+
+function writeOAuthStore(store: OAuthStore): void {
+  const path = oauthStorePath();
+  const dir = path.split('/').slice(0, -1).join('/');
+  if (dir) mkdirSync(dir, { recursive: true });
+  writeFileSync(path, JSON.stringify(store, null, 2));
+}
+
+function base64Url(buf: Buffer): string {
+  return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/g, '');
+}
+
+function getOpenclawConfigPath(): string {
+  return `${homedir()}/.openclaw/openclaw.json`;
+}
+
+function writeOAuthProfileToConfig(
+  profileName: string,
+  values: {
+    oauthAccessToken: string;
+    oauthRefreshToken?: string;
+    oauthClientId: string;
+    oauthTokenEndpoint: string;
+    baseUrl: string;
+  },
+  defaultAgentId?: string,
+): void {
+  const cfgPath = getOpenclawConfigPath();
+  const raw = existsSync(cfgPath) ? readFileSync(cfgPath, 'utf8') : '{}';
+  const obj = JSON.parse(raw) as any;
+  obj.plugins = obj.plugins || {};
+  obj.plugins.entries = obj.plugins.entries || {};
+  obj.plugins.entries['openclaw-allbase'] = obj.plugins.entries['openclaw-allbase'] || { enabled: true, config: {} };
+  const cfg = obj.plugins.entries['openclaw-allbase'].config || {};
+  cfg.baseUrl = cfg.baseUrl || values.baseUrl;
+  cfg.defaultProfile = cfg.defaultProfile || profileName;
+  cfg.profiles = cfg.profiles || {};
+  cfg.profiles[profileName] = {
+    ...(cfg.profiles[profileName] || {}),
+    ...(values.oauthAccessToken ? { oauthAccessToken: values.oauthAccessToken } : {}),
+    ...(values.oauthRefreshToken ? { oauthRefreshToken: values.oauthRefreshToken } : {}),
+    oauthClientId: values.oauthClientId,
+    oauthTokenEndpoint: values.oauthTokenEndpoint,
+  };
+  cfg.mapByOpenclawAgent = cfg.mapByOpenclawAgent || {};
+  if (defaultAgentId) cfg.mapByOpenclawAgent[defaultAgentId] = profileName;
+  obj.plugins.entries['openclaw-allbase'].enabled = true;
+  obj.plugins.entries['openclaw-allbase'].config = cfg;
+  obj.plugins.allow = Array.isArray(obj.plugins.allow) ? obj.plugins.allow : [];
+  if (!obj.plugins.allow.includes('openclaw-allbase')) obj.plugins.allow.push('openclaw-allbase');
+  writeFileSync(cfgPath, JSON.stringify(obj, null, 2) + '\n');
+}
+
 function json(payload: unknown): AgentResult {
   return {
     content: [{ type: "text", text: JSON.stringify(payload, null, 2) }],
@@ -147,6 +233,67 @@ function jwtExpMs(token: string): number | null {
   return null;
 }
 
+
+
+async function ensureOAuthClientId(
+  profileName: string,
+  baseUrl: string,
+  profile: AllbaseProfile,
+  redirectUri: string,
+): Promise<{ clientId: string; tokenEndpoint: string; registrationEndpoint: string }> {
+  const existingClientId = (profile.oauthClientId || process.env.ALLBASE_OAUTH_CLIENT_ID || '').trim();
+  const tokenEndpoint = (profile.oauthTokenEndpoint || process.env.ALLBASE_OAUTH_TOKEN_ENDPOINT || `${baseUrl}/oauth/token`).trim();
+
+  // discover registration endpoint
+  let registrationEndpoint = `${baseUrl}/oauth/register`;
+  try {
+    const d = await fetch(`${baseUrl}/.well-known/oauth-authorization-server`);
+    if (d.ok) {
+      const doc = await d.json() as any;
+      if (typeof doc?.registration_endpoint === 'string' && doc.registration_endpoint.trim()) {
+        registrationEndpoint = doc.registration_endpoint.trim();
+      }
+    }
+  } catch {
+    // use default
+  }
+
+  if (existingClientId) {
+    return { clientId: existingClientId, tokenEndpoint, registrationEndpoint };
+  }
+
+  const resp = await fetch(registrationEndpoint, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({
+      client_name: 'OpenClaw Allbase Plugin',
+      redirect_uris: [redirectUri],
+      grant_types: ['authorization_code', 'refresh_token'],
+      response_types: ['code'],
+      scope: 'allbase:read allbase:write',
+      token_endpoint_auth_method: 'none',
+      client_uri: 'https://docs.openclaw.ai',
+    }),
+  });
+
+  const text = await resp.text();
+  let body: any = {};
+  try { body = text ? JSON.parse(text) : {}; } catch { body = { raw: text }; }
+  if (!resp.ok || !body?.client_id) {
+    throw new Error(`OAuth client registration failed (${resp.status}): ${typeof body === 'string' ? body : JSON.stringify(body)}`);
+  }
+
+  const clientId = String(body.client_id);
+  writeOAuthProfileToConfig(profileName, {
+    oauthAccessToken: profile.oauthAccessToken || '',
+    oauthRefreshToken: profile.oauthRefreshToken,
+    oauthClientId: clientId,
+    oauthTokenEndpoint: tokenEndpoint,
+    baseUrl,
+  });
+
+  return { clientId, tokenEndpoint, registrationEndpoint };
+}
 async function getOAuthToken(baseUrl: string, profile: AllbaseProfile): Promise<{ token: string; exp: number }> {
   const directToken = profile.oauthAccessToken?.trim();
   if (directToken) {
@@ -417,6 +564,144 @@ const plugin = {
       { optional: true },
     );
 
+
+
+    api.registerCommand({
+      name: "allbase-auth-start",
+      description: "Start OAuth browser flow for Allbase and print authorize URL",
+      acceptsArgs: true,
+      requireAuth: true,
+      handler: async (cmdCtx) => {
+        try {
+          const args = (cmdCtx.args || "").trim();
+          const profileName = args || "default";
+          const cfg = getConfig(api);
+          const profile = (cfg.profiles || {})[profileName] || {};
+          const baseUrl = resolveBaseUrl(cfg, profile);
+          const redirectUri = (process.env.ALLBASE_OAUTH_REDIRECT_URI || "urn:ietf:wg:oauth:2.0:oob").trim();
+          const scope = (profile.oauthScope || process.env.ALLBASE_OAUTH_SCOPE || "allbase:read allbase:write").trim();
+          const { clientId, tokenEndpoint } = await ensureOAuthClientId(profileName, baseUrl, profile, redirectUri);
+          const authorizeEndpoint = `${baseUrl}/oauth/authorize`;
+          const state = base64Url(randomBytes(24));
+          const codeVerifier = base64Url(randomBytes(48));
+          const codeChallenge = base64Url(createHash('sha256').update(codeVerifier).digest());
+
+          const authUrl = new URL(authorizeEndpoint);
+          authUrl.searchParams.set('response_type', 'code');
+          authUrl.searchParams.set('client_id', clientId);
+          authUrl.searchParams.set('redirect_uri', redirectUri);
+          authUrl.searchParams.set('scope', scope);
+          authUrl.searchParams.set('state', state);
+          authUrl.searchParams.set('code_challenge', codeChallenge);
+          authUrl.searchParams.set('code_challenge_method', 'S256');
+
+          const store = readOAuthStore();
+          store.pending = store.pending || {};
+          store.pending[profileName] = {
+            profile: profileName,
+            baseUrl,
+            clientId,
+            tokenEndpoint,
+            authorizeEndpoint,
+            redirectUri,
+            scope,
+            codeVerifier,
+            state,
+            createdAt: Date.now(),
+          };
+          writeOAuthStore(store);
+
+          return {
+            text:
+              `Allbase OAuth started for profile: ${profileName}\n\n` +
+              `1) Open this URL in your browser:\n${authUrl.toString()}\n\n` +
+              `2) Complete login and agent selection\n` +
+              `3) Copy the authorization code and run:\n/allbase-auth-complete <CODE> ${profileName}\n\n` +
+              `Tip: You can do this on any laptop/device.`
+          };
+        } catch (err) {
+          return { text: `Failed to start OAuth flow: ${err instanceof Error ? err.message : String(err)}` };
+        }
+      },
+    });
+
+    api.registerCommand({
+      name: "allbase-auth-complete",
+      description: "Complete OAuth flow using authorization code",
+      acceptsArgs: true,
+      requireAuth: true,
+      handler: async (cmdCtx) => {
+        try {
+          const raw = (cmdCtx.args || "").trim();
+          const [codeOrUrl, profileArg] = raw.split(/\s+/);
+          if (!codeOrUrl) return { text: "Usage: /allbase-auth-complete <CODE|CALLBACK_URL> [profile]" };
+          const profileName = profileArg || "default";
+          let code = codeOrUrl;
+          if (codeOrUrl.includes("code=") || codeOrUrl.startsWith("http")) {
+            try {
+              const u = new URL(codeOrUrl);
+              const c = u.searchParams.get("code");
+              if (c) code = c;
+            } catch {
+              const m = codeOrUrl.match(/[?&]code=([^&]+)/);
+              if (m?.[1]) code = decodeURIComponent(m[1]);
+            }
+          }
+          const store = readOAuthStore();
+          const pending = store.pending?.[profileName];
+          if (!pending) return { text: `No pending OAuth flow for profile '${profileName}'. Run /allbase-auth-start ${profileName} first.` };
+
+          const body = new URLSearchParams({
+            grant_type: 'authorization_code',
+            code,
+            client_id: pending.clientId,
+            redirect_uri: pending.redirectUri,
+            code_verifier: pending.codeVerifier,
+          });
+
+          const resp = await fetch(pending.tokenEndpoint, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+            body: body.toString(),
+          });
+          const text = await resp.text();
+          let data: any = {};
+          try { data = text ? JSON.parse(text) : {}; } catch { data = { raw: text }; }
+          if (!resp.ok || !data.access_token) {
+            return { text: `OAuth token exchange failed (${resp.status}): ${typeof data === 'string' ? data : JSON.stringify(data)}` };
+          }
+
+          writeOAuthProfileToConfig(profileName, {
+            oauthAccessToken: data.access_token,
+            oauthRefreshToken: data.refresh_token,
+            oauthClientId: pending.clientId,
+            oauthTokenEndpoint: pending.tokenEndpoint,
+            baseUrl: pending.baseUrl,
+          }, cmdCtx.config.defaultAgentId);
+
+          if (store.pending) delete store.pending[profileName];
+          writeOAuthStore(store);
+
+          return { text: `✅ Allbase OAuth connected for profile '${profileName}'.\nMapped current agent (${cmdCtx.config.defaultAgentId || 'default'}) -> ${profileName}.\nRestart gateway to pick up updated config if needed.` };
+        } catch (err) {
+          return { text: `Failed to complete OAuth flow: ${err instanceof Error ? err.message : String(err)}` };
+        }
+      },
+    });
+
+    api.registerCommand({
+      name: "allbase-auth-status",
+      description: "Show pending OAuth profiles for Allbase",
+      acceptsArgs: false,
+      requireAuth: true,
+      handler: async () => {
+        const store = readOAuthStore();
+        const keys = Object.keys(store.pending || {});
+        if (!keys.length) return { text: "No pending Allbase OAuth flows." };
+        return { text: `Pending Allbase OAuth profiles: ${keys.join(', ')}` };
+      },
+    });
+
     api.registerCommand({
       name: "allbase-status",
       description: "Show resolved Allbase profile for this agent",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@allbaseai/openclaw-allbase",
-  "version": "0.1.3",
+  "version": "0.1.5",
   "type": "module",
   "description": "OpenClaw plugin to map OpenClaw agents to Allbase agent/workspace profiles.",
   "license": "MIT",