@core-workspace/infoflow-openclaw-plugin 2026.3.9 → 2026.3.27-beta.0

package/src/utils/token-adapter.ts

@@ -1,35 +1,30 @@
 /**
- * SDK Adapter Layer: wraps SDK TokenManager for token management.
- * Each appKey gets its own adapter instance (multi-account isolation).
+ * Token management: fetches and caches Infoflow app_access_token.
  *
- * Design decision: Only use SDK TokenManager, NOT HTTPClient, because:
- * - SDK HTTPClient uses http:// but plugin requires https://
- * - Plugin needs raw response text for large integer precision (>2^53)
- * - Plugin needs manual JSON construction for group recall
+ * Replaces SDK TokenManager with a self-contained implementation for
+ * full visibility into token requests and easier debugging.
  *
- * HTTP requests continue using fetch in send.ts.
+ * API: POST {apiHost}/auth/app_access_token
+ * Body: { app_key, app_secret: md5(appSecret).toLowerCase() }
+ * Response: { code: "ok", data: { app_access_token, expire } }
+ *
+ * Features:
+ * - Per-appKey instance cache (multi-account isolation)
+ * - In-memory token cache with 5-minute early expiry buffer
+ * - Concurrent request deduplication (Promise lock)
+ * - Full logging at every step
  */
 
-import { ConfigManager, TokenManager } from "@core-workspace/infoflow-sdk-nodejs";
+import { createHash } from "node:crypto";
+import { ensureHttps } from "../channel/outbound.js";
+import { getInfoflowSendLog } from "../logging.js";
 
-/**
- * Ensures apiHost uses HTTPS for security (secrets in transit).
- * Allows HTTP only for localhost/127.0.0.1 (local development).
- * (Inlined from send.ts to avoid circular dependency)
- */
-function ensureHttps(apiHost: string): string {
-  if (apiHost.startsWith("http://")) {
-    const url = new URL(apiHost);
-    const isLocal = url.hostname === "localhost" || url.hostname === "127.0.0.1";
-    if (!isLocal) {
-      return apiHost.replace(/^http:/, "https:");
-    }
-  }
-  return apiHost;
-}
+const TOKEN_PATH = "/api/v1/auth/app_access_token";
+const EXPIRE_BUFFER_MS = 5 * 60 * 1000; // refresh 5 minutes before expiry
+const FETCH_TIMEOUT_MS = 15_000;
 
 // Module-level instance cache (keyed by appKey for multi-account isolation)
-const adapterCache = new Map<string, InfoflowSDKAdapter>();
+const adapterCache = new Map<string, InfoflowTokenManager>();
 
 export type SDKAdapterParams = {
   apiHost: string;
@@ -38,49 +33,123 @@ export type SDKAdapterParams = {
 };
 
 /**
- * Gets or creates an SDK adapter for the given appKey.
- * Adapter instances are cached per appKey to reuse SDK TokenManager's
- * internal token cache and Promise lock.
+ * Gets or creates a token manager for the given appKey.
  */
-export function getOrCreateAdapter(params: SDKAdapterParams): InfoflowSDKAdapter {
+export function getOrCreateAdapter(params: SDKAdapterParams): InfoflowTokenManager {
   const existing = adapterCache.get(params.appKey);
   if (existing) {
     return existing;
   }
-
-  const adapter = new InfoflowSDKAdapter(params);
+  const adapter = new InfoflowTokenManager(params);
   adapterCache.set(params.appKey, adapter);
   return adapter;
 }
 
+type TokenCache = {
+  token: string;
+  expireAt: number; // ms timestamp
+};
+
 /**
- * SDK adapter wrapping TokenManager for a single appKey.
+ * Self-contained token manager for a single appKey.
  */
-export class InfoflowSDKAdapter {
-  private tokenManager: TokenManager;
+export class InfoflowTokenManager {
+  private readonly apiHost: string;
+  private readonly appKey: string;
+  private readonly appSecret: string;
+  private cache: TokenCache | null = null;
+  private refreshPromise: Promise<string> | null = null;
 
   constructor(params: SDKAdapterParams) {
-    // SDK ConfigManager expects pure domain (e.g. "apiin.im.baidu.com"),
-    // but plugin's apiHost is a full URL (e.g. "https://apiin.im.baidu.com").
-    // Extract the host portion.
-    const apiUrl = ensureHttps(params.apiHost);
-    const domain = new URL(apiUrl).host;
-
-    const configManager = new ConfigManager({
-      appId: params.appKey,
-      appSecret: params.appSecret,
-      apiDomain: domain,
-    });
-
-    this.tokenManager = new TokenManager(configManager);
+    this.apiHost = ensureHttps(params.apiHost);
+    this.appKey = params.appKey;
+    this.appSecret = params.appSecret;
+    getInfoflowSendLog().info(
+      `[token] init: appKey=${params.appKey.slice(0, 4)}***, apiHost=${this.apiHost}`,
+    );
   }
 
-  /**
-   * Gets an access token via SDK TokenManager.
-   * Handles caching, MD5 signing, concurrency safety, and early refresh internally.
-   */
   async getToken(): Promise<string> {
-    return this.tokenManager.getAccessToken();
+    const log = getInfoflowSendLog();
+
+    // Deduplicate concurrent requests
+    if (this.refreshPromise) {
+      log.info(`[token] waiting for in-flight refresh: appKey=${this.appKey.slice(0, 4)}***`);
+      return this.refreshPromise;
+    }
+
+    // Return cached token if still valid
+    if (this.cache && Date.now() < this.cache.expireAt - EXPIRE_BUFFER_MS) {
+      log.info(
+        `[token] cache hit: appKey=${this.appKey.slice(0, 4)}***, expiresIn=${Math.round((this.cache.expireAt - Date.now()) / 1000)}s`,
+      );
+      return this.cache.token;
+    }
+
+    log.info(`[token] cache miss, fetching new token: appKey=${this.appKey.slice(0, 4)}***`);
+    this.refreshPromise = this.fetchToken();
+    try {
+      const token = await this.refreshPromise;
+      return token;
+    } finally {
+      this.refreshPromise = null;
+    }
+  }
+
+  private async fetchToken(): Promise<string> {
+    const log = getInfoflowSendLog();
+    const url = `${this.apiHost}${TOKEN_PATH}`;
+    const signedSecret = createHash("md5").update(this.appSecret).digest("hex").toLowerCase();
+
+    log.info(`[token] POST ${url}, app_key=${this.appKey.slice(0, 4)}***`);
+
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), FETCH_TIMEOUT_MS);
+
+    let responseText = "";
+    try {
+      const res = await fetch(url, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ app_key: this.appKey, app_secret: signedSecret }),
+        signal: controller.signal,
+      });
+
+      responseText = await res.text();
+      log.info(`[token] response: status=${res.status}, body=${responseText.slice(0, 200)}`);
+
+      const data = JSON.parse(responseText) as Record<string, unknown>;
+      const inner = data.data as Record<string, unknown> | undefined;
+
+      if (data.code !== "ok" || !inner?.app_access_token) {
+        const errMsg = String(data.message ?? data.errmsg ?? `code=${data.code ?? "unknown"}`);
+        log.error(`[token] fetch failed: appKey=${this.appKey.slice(0, 4)}***, error=${errMsg}`);
+        throw new Error(`Failed to get token: ${errMsg}`);
+      }
+
+      const token = String(inner.app_access_token);
+      const expireSeconds = typeof inner.expire === "number" ? inner.expire : 7200;
+      this.cache = { token, expireAt: Date.now() + expireSeconds * 1000 };
+
+      log.info(
+        `[token] fetch ok: appKey=${this.appKey.slice(0, 4)}***, tokenLen=${token.length}, expireIn=${expireSeconds}s`,
+      );
+      return token;
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      if (msg.includes("abort") || msg.includes("signal")) {
+        log.error(
+          `[token] fetch timeout after ${FETCH_TIMEOUT_MS}ms: appKey=${this.appKey.slice(0, 4)}***`,
+        );
+        throw new Error(`Token fetch timed out after ${FETCH_TIMEOUT_MS}ms`);
+      }
+      log.error(
+        `[token] fetch exception: appKey=${this.appKey.slice(0, 4)}***, error=${msg}, responseText=${responseText.slice(0, 200)}`,
+      );
+      throw err;
+    } finally {
+      clearTimeout(timer);
+    }
   }
 }