@jsonstudio/rcc 0.89.1552 → 0.89.1800

package/dist/providers/auth/oauth-lifecycle.js

@@ -5,12 +5,15 @@ import fsSync from 'fs';
 import path from 'path';
 import os from 'os';
 import { fetchIFlowUserInfo, mergeIFlowTokenData } from './iflow-userinfo-helper.js';
-import {} from './qwen-userinfo-helper.js';
+import { fetchQwenUserInfo, mergeQwenTokenData } from './qwen-userinfo-helper.js';
 import { fetchGeminiCLIUserInfo, fetchGeminiCLIProjects, mergeGeminiCLITokenData, getDefaultProjectId } from './gemini-cli-userinfo-helper.js';
 import { parseTokenSequenceFromPath } from './token-scanner/index.js';
 import { logOAuthDebug } from './oauth-logger.js';
 import { fetchAntigravityProjectId } from './antigravity-userinfo-helper.js';
 import { HTTP_PROTOCOLS, LOCAL_HOSTS } from '../../constants/index.js';
+import { withOAuthRepairEnv } from './oauth-repair-env.js';
+import { markInteractiveOAuthRepairAttempt, shouldSkipInteractiveOAuthRepair } from './oauth-repair-cooldown.js';
+import { openAuthInCamoufox } from '../core/config/camoufox-launcher.js';
 const TOKEN_REFRESH_SKEW_MS = 60_000;
 const inFlight = new Map();
 const lastRunAt = new Map();
@@ -31,7 +34,9 @@ function defaultTokenFile(providerType) {
         return path.join(home, '.iflow', 'oauth_creds.json');
     }
     if (providerType === 'qwen') {
-        return path.join(home, '.routecodex', 'auth', 'qwen-oauth.json');
+        // Align with TokenFileAuthProvider + token-daemon defaults:
+        // keep a stable, well-known Qwen token file for alias="default".
+        return path.join(home, '.routecodex', 'auth', 'qwen-oauth-1-default.json');
     }
     if (isGeminiCliFamily(providerType)) {
         const file = providerType.toLowerCase() === 'antigravity'
@@ -60,7 +65,22 @@ function resolveTokenFilePath(auth, providerType) {
     const homeDir = process.env.HOME || os.homedir();
     const authDir = path.join(homeDir, '.routecodex', 'auth');
     const pattern = new RegExp(`^${providerType}-oauth-(\\d+)(?:-(.+))?\\.json$`, 'i');
+    const pt = providerType.toLowerCase();
+    // Qwen: keep a stable "default" file name whenever possible.
+    if (pt === 'qwen' && alias === 'default') {
+        const pinned = path.join(authDir, 'qwen-oauth-1-default.json');
+        try {
+            if (fsSync.existsSync(pinned)) {
+                auth.tokenFile = pinned;
+                return pinned;
+            }
+        }
+        catch {
+            // ignore and fall back to scanning
+        }
+    }
     let existingPath = null;
+    let bestSeqForAlias = 0;
     let maxSeq = 0;
     try {
         const entries = fsSync.readdirSync(authDir);
@@ -74,7 +94,8 @@ function resolveTokenFilePath(auth, providerType) {
                 continue;
             }
             const entryAlias = (match[2] || 'default');
-            if (entryAlias === alias && !existingPath) {
+            if (entryAlias === alias && seq >= bestSeqForAlias) {
+                bestSeqForAlias = seq;
                 existingPath = path.join(authDir, entry);
             }
             if (seq > maxSeq) {
@@ -89,7 +110,10 @@ function resolveTokenFilePath(auth, providerType) {
         auth.tokenFile = existingPath;
         return existingPath;
     }
-    const nextSeq = maxSeq + 1;
+    // When we don't have any existing token for this alias:
+    // - Qwen default alias should always map to seq=1 for stability.
+    // - Otherwise, allocate next seq to avoid collisions.
+    const nextSeq = (pt === 'qwen' && alias === 'default') ? 1 : (maxSeq + 1);
     const fileName = `${providerType}-oauth-${nextSeq}-${alias}.json`;
     const fullPath = path.join(authDir, fileName);
     auth.tokenFile = fullPath;
@@ -102,6 +126,139 @@ function shouldThrottle(k, ms = 60_000) {
 function updateThrottle(k) {
     lastRunAt.set(k, Date.now());
 }
+function extractStatusCode(upstreamError) {
+    if (!upstreamError || typeof upstreamError !== 'object') {
+        return undefined;
+    }
+    const anyErr = upstreamError;
+    const direct = anyErr.statusCode;
+    if (typeof direct === 'number' && Number.isFinite(direct)) {
+        return direct;
+    }
+    const status = anyErr.status;
+    if (typeof status === 'number' && Number.isFinite(status)) {
+        return status;
+    }
+    const response = anyErr.response;
+    if (response && typeof response === 'object') {
+        const respStatus = response.status;
+        if (typeof respStatus === 'number' && Number.isFinite(respStatus)) {
+            return respStatus;
+        }
+        const respStatusCode = response.statusCode;
+        if (typeof respStatusCode === 'number' && Number.isFinite(respStatusCode)) {
+            return respStatusCode;
+        }
+    }
+    return undefined;
+}
+function isGoogleAccountVerificationRequiredMessage(lower) {
+    if (!lower) {
+        return false;
+    }
+    return (lower.includes('verify your account') ||
+        lower.includes('validation_required') ||
+        lower.includes('validation required') ||
+        lower.includes('validation_url') ||
+        lower.includes('validation url') ||
+        lower.includes('accounts.google.com/signin/continue') ||
+        lower.includes('support.google.com/accounts?p=al_alert'));
+}
+function extractGoogleAccountVerificationUrl(message) {
+    const msg = typeof message === 'string' ? message : '';
+    if (!msg) {
+        return null;
+    }
+    const normalized = msg
+        .replace(/\\\//g, '/')
+        .replace(/\\u0026/gi, '&')
+        .replace(/\\u003d/gi, '=')
+        .replace(/\\x26/gi, '&')
+        .replace(/\\x3d/gi, '=');
+    const patterns = [
+        /https:\/\/accounts\.google\.com\/signin\/continue[^\s"'\\<>)]*/i,
+        /https:\/\/accounts\.google\.com\/[^\s"'\\<>)]*/i,
+        /https:\/\/support\.google\.com\/accounts\?p=al_alert[^\s"'\\<>)]*/i
+    ];
+    for (const re of patterns) {
+        const m = normalized.match(re);
+        if (m && m[0]) {
+            const url = String(m[0]).trim().replace(/[\\"']+$/g, '').replace(/[),.]+$/g, '');
+            if (url) {
+                return url;
+            }
+        }
+    }
+    return null;
+}
+function resolveCamoufoxAliasForAuth(providerType, auth) {
+    const raw = typeof auth.tokenFile === 'string' ? auth.tokenFile.trim() : '';
+    if (raw && !raw.includes('/') && !raw.includes('\\') && !raw.endsWith('.json')) {
+        return raw;
+    }
+    const base = raw ? path.basename(raw) : '';
+    const pt = String(providerType || '').trim().toLowerCase();
+    if (base && pt) {
+        const re = new RegExp(`^${pt}-oauth-\\d+(?:-(.+))?\\.json$`, 'i');
+        const m = base.match(re);
+        const alias = m && m[1] ? String(m[1]).trim() : '';
+        if (alias) {
+            return alias;
+        }
+    }
+    return 'default';
+}
+async function openGoogleAccountVerificationInCamoufox(args) {
+    const providerType = args.providerType;
+    const url = args.url;
+    if (!url) {
+        return;
+    }
+    const alias = resolveCamoufoxAliasForAuth(providerType, args.auth);
+    const prevBrowser = process.env.ROUTECODEX_OAUTH_BROWSER;
+    const prevAutoMode = process.env.ROUTECODEX_CAMOUFOX_AUTO_MODE;
+    const prevDevMode = process.env.ROUTECODEX_CAMOUFOX_DEV_MODE;
+    const prevOpenOnly = process.env.ROUTECODEX_CAMOUFOX_OPEN_ONLY;
+    process.env.ROUTECODEX_OAUTH_BROWSER = 'camoufox';
+    delete process.env.ROUTECODEX_CAMOUFOX_AUTO_MODE;
+    process.env.ROUTECODEX_CAMOUFOX_DEV_MODE = '1';
+    process.env.ROUTECODEX_CAMOUFOX_OPEN_ONLY = '1';
+    try {
+        const ok = await openAuthInCamoufox({ url, provider: providerType, alias });
+        if (ok) {
+            console.warn(`[OAuth] Google account verification opened in Camoufox (provider=${providerType} alias=${alias}).`);
+        }
+    }
+    catch {
+        // best-effort; never block requests
+    }
+    finally {
+        if (prevBrowser === undefined) {
+            delete process.env.ROUTECODEX_OAUTH_BROWSER;
+        }
+        else {
+            process.env.ROUTECODEX_OAUTH_BROWSER = prevBrowser;
+        }
+        if (prevAutoMode === undefined) {
+            delete process.env.ROUTECODEX_CAMOUFOX_AUTO_MODE;
+        }
+        else {
+            process.env.ROUTECODEX_CAMOUFOX_AUTO_MODE = prevAutoMode;
+        }
+        if (prevDevMode === undefined) {
+            delete process.env.ROUTECODEX_CAMOUFOX_DEV_MODE;
+        }
+        else {
+            process.env.ROUTECODEX_CAMOUFOX_DEV_MODE = prevDevMode;
+        }
+        if (prevOpenOnly === undefined) {
+            delete process.env.ROUTECODEX_CAMOUFOX_OPEN_ONLY;
+        }
+        else {
+            process.env.ROUTECODEX_CAMOUFOX_OPEN_ONLY = prevOpenOnly;
+        }
+    }
+}
 function isOAuthConfig(auth) {
     return Boolean(auth && typeof auth.type === 'string' && auth.type.toLowerCase().includes('oauth'));
 }
@@ -249,12 +406,30 @@ function extractAccessToken(token) {
     }
     return undefined;
 }
+function extractApiKey(token) {
+    if (!token) {
+        return undefined;
+    }
+    const candidate = token.apiKey ?? token.api_key;
+    return hasNonEmptyString(candidate) ? String(candidate) : undefined;
+}
 function hasApiKeyField(token) {
     if (!token) {
         return false;
     }
-    const candidate = token.apiKey ?? token.api_key;
-    return hasNonEmptyString(candidate);
+    return hasNonEmptyString(token.apiKey ?? token.api_key);
+}
+/**
+ * Qwen: api_key 可能被降级为 access_token（userInfo 404 时的兼容写法），这种情况不应被视为“稳定 API Key”。
+ * 只有当 api_key 存在且与 access_token 不同（或缺失 access_token）时，才认为可以长期复用并跳过刷新。
+ */
+function hasStableQwenApiKey(token) {
+    const apiKey = extractApiKey(token);
+    if (!apiKey) {
+        return false;
+    }
+    const access = extractAccessToken(token);
+    return !access || apiKey !== access;
 }
 function hasAccessToken(token) {
     return hasNonEmptyString(token?.access_token) || hasNonEmptyString(token?.AccessToken);
@@ -448,7 +623,8 @@ function evaluateTokenState(token, providerType) {
         validAccess = hasApiKey || (!isExpiredOrNear && hasAccess);
     }
     else if (pt === 'qwen') {
-        validAccess = (hasApiKey || hasAccess) && !isExpiredOrNear;
+        // Qwen: 当获取到稳定 api_key 后，可跳过 refresh/reauth；否则仍依赖 access_token 的有效期。
+        validAccess = hasStableQwenApiKey(token) || (!isExpiredOrNear && (hasAccess || hasApiKey));
     }
     else {
         validAccess = (hasApiKey || hasAccess) && !isExpiredOrNear;
@@ -669,6 +845,37 @@ async function finalizeTokenWrite(providerType, strategy, tokenFilePath, tokenDa
     logOAuthDebug(`[OAuth] Token ${reason} saved: ${tokenFilePath}`);
 }
 async function maybeEnrichToken(providerType, tokenData, tokenFilePath) {
+    if (providerType === 'qwen') {
+        const sanitized = sanitizeToken(tokenData) ?? tokenData;
+        if (hasStableQwenApiKey(sanitized)) {
+            return tokenData;
+        }
+        const accessToken = extractAccessToken(sanitized);
+        if (!accessToken) {
+            logOAuthDebug('[OAuth] Qwen: no access_token found in auth result, skipping API Key fetch');
+            return tokenData;
+        }
+        try {
+            const userInfo = await fetchQwenUserInfo(accessToken);
+            if (userInfo.apiKey) {
+                logOAuthDebug(`[OAuth] Qwen: successfully fetched API Key${userInfo.email ? ` for ${userInfo.email}` : ''}`);
+            }
+            else {
+                logOAuthDebug('[OAuth] Qwen: user info fetched but apiKey missing; continuing with access_token only');
+            }
+            return mergeQwenTokenData(tokenData, userInfo);
+        }
+        catch (error) {
+            const msg = error instanceof Error ? error.message : String(error);
+            // If userInfo endpoint is unavailable (404), treat access_token as api_key to avoid repeated lookups.
+            if (/\bHTTP\s+404\b/i.test(msg) || /\bnot\s+found\b/i.test(msg)) {
+                logOAuthDebug('[OAuth] Qwen: userInfo endpoint unavailable (404); using access_token as api_key fallback');
+                return mergeQwenTokenData(tokenData, { apiKey: accessToken });
+            }
+            logOAuthDebug(`[OAuth] Qwen: failed to fetch user info - ${msg}`);
+            return tokenData;
+        }
+    }
     if (providerType === 'iflow') {
         const accessToken = extractAccessToken(sanitizeToken(tokenData) ?? null);
         if (!accessToken) {
@@ -847,9 +1054,14 @@ export async function ensureValidOAuthToken(providerType, auth, opts = {}) {
         await inFlight.get(cacheKey);
         return;
     }
+    // Only treat "open browser" as explicit user intent when caller passed it explicitly.
+    // This prevents background flows (daemon/provider init) from bypassing noRefresh due to env defaults.
+    const openBrowserRequested = opts.openBrowser === true;
     // 当 opts.forceReauthorize 显式为 true 时，跳过节流检查，
     // 确保来自上游 401/406 等认证错误的修复请求不会被初始化阶段的调用吞掉。
-    if (!opts.forceReauthorize && shouldThrottle(cacheKey)) {
+    // Explicit user-triggered OAuth (openBrowser=true) must also bypass throttle,
+    // otherwise repeated "Authorize" clicks in WebUI can become a silent no-op.
+    if (!opts.forceReauthorize && !openBrowserRequested && shouldThrottle(cacheKey)) {
         return;
     }
     const aliasInfo = parseTokenSequenceFromPath(tokenFilePath);
@@ -869,6 +1081,22 @@ export async function ensureValidOAuthToken(providerType, auth, opts = {}) {
         const strategy = createStrategy(providerType, overrides, tokenFilePath);
         let token = await readTokenFromFile(tokenFilePath);
         const hadExistingTokenFile = token !== null;
+        // Qwen: ensure api_key is present even when access_token is still valid.
+        // Qwen OpenAI-compatible endpoints may require api_key (not access_token) for business requests.
+        if (providerType === 'qwen' && token && !hasStableQwenApiKey(token)) {
+            try {
+                const enriched = await maybeEnrichToken(providerType, token);
+                if (enriched && typeof strategy.saveToken === 'function') {
+                    const prepared = await prepareTokenForStorage(providerType, tokenFilePath, enriched);
+                    await strategy.saveToken(prepared);
+                    token = sanitizeToken(enriched) ?? enriched;
+                }
+            }
+            catch (error) {
+                const msg = error instanceof Error ? error.message : String(error);
+                console.error(`[OAuth] Qwen: failed to enrich existing token with api_key - ${msg}`);
+            }
+        }
         // Gemini CLI family: if existing token lacks project metadata, try to enrich it without
         // forcing a full OAuth flow. Use current access_token to fetch userinfo/projects and write back.
         if (isGeminiCliFamily(providerType) && token) {
@@ -900,7 +1128,7 @@ export async function ensureValidOAuthToken(providerType, auth, opts = {}) {
         logTokenSnapshot(providerType, token, endpoints);
         const tokenState = evaluateTokenState(token, providerType);
         const noRefresh = hasNoRefreshFlag(token);
-        if (noRefresh) {
+        if (noRefresh && !forceReauth && !openBrowserRequested) {
             logOAuthDebug(`[OAuth] norefresh flag set for provider=${providerType} tokenFile=${tokenFilePath} - skip auto-refresh and re-authorization.`);
             updateThrottle(cacheKey);
             return;
@@ -953,48 +1181,80 @@ export async function ensureValidOAuthToken(providerType, auth, opts = {}) {
         inFlight.delete(cacheKey);
     }
 }
-export async function handleUpstreamInvalidOAuthToken(providerType, auth, upstreamError) {
+export async function handleUpstreamInvalidOAuthToken(providerType, auth, upstreamError, options) {
     const pt = providerType.toLowerCase();
+    const allowBlocking = options?.allowBlocking !== false;
+    const ensureValid = options?.ensureValidOAuthToken ?? ensureValidOAuthToken;
     try {
-        const msg = upstreamError instanceof Error ? upstreamError.message : String(upstreamError || '');
+        if (!shouldTriggerInteractiveOAuthRepair(providerType, upstreamError)) {
+            return false;
+        }
+        const msg = upstreamError instanceof Error
+            ? upstreamError.message
+            : upstreamError && typeof upstreamError === 'object' && typeof upstreamError.message === 'string'
+                ? String(upstreamError.message)
+                : String(upstreamError || '');
         const lower = msg.toLowerCase();
-        let statusCode;
-        try {
-            const anyErr = upstreamError;
-            if (anyErr) {
-                if (typeof anyErr.statusCode === 'number') {
-                    statusCode = anyErr.statusCode;
-                }
-                else if (typeof anyErr.status === 'number') {
-                    statusCode = anyErr.status;
-                }
-            }
+        const statusCode = extractStatusCode(upstreamError);
+        const tokenFilePath = resolveTokenFilePath(auth, providerType);
+        const cooldownReason = statusCode === 403 && isGoogleAccountVerificationRequiredMessage(lower) ? 'google_verify' : 'generic';
+        const gate = await shouldSkipInteractiveOAuthRepair({
+            providerType,
+            tokenFile: tokenFilePath,
+            reason: cooldownReason
+        });
+        if (gate.skip) {
+            const msLeft = typeof gate.msLeft === 'number' ? gate.msLeft : 0;
+            console.warn(`[OAuth] interactive repair skipped due to cooldown (provider=${providerType} status=${statusCode ?? 'unknown'} reason=${cooldownReason} msLeft=${msLeft} tokenFile=${tokenFilePath})`);
+            return false;
         }
-        catch {
-            // best-effort statusCode extraction
-        }
-        // 基本令牌失效判定：只看典型 OAuth 文案
-        let looksInvalid = /invalid[_-]?token|invalid[_-]?grant|unauthenticated|unauthorized|token has expired|access token expired/.test(lower);
-        // 对于 iflow / qwen，保留基于 401/403 的宽松判定，避免破坏既有行为。
-        if (!looksInvalid && (pt === 'iflow' || pt === 'qwen')) {
-            if (statusCode === 401 ||
-                statusCode === 403 ||
-                /\b401\b|\b403\b|40308/.test(msg)) {
-                looksInvalid = true;
+        // Mark immediately so repeated auth failures don't cause infinite auth loops within a short window.
+        await markInteractiveOAuthRepairAttempt({
+            providerType,
+            tokenFile: tokenFilePath,
+            reason: cooldownReason
+        });
+        // Non-blocking server semantics:
+        // - Try silent refresh first (fast path).
+        // - If refresh fails or interactive is required (e.g. 403 verify), kick off interactive flow in background.
+        // - Return false so Virtual Router can failover immediately.
+        if (!allowBlocking) {
+            if (statusCode === 403 && cooldownReason === 'google_verify') {
+                const url = extractGoogleAccountVerificationUrl(msg);
+                if (url) {
+                    void openGoogleAccountVerificationInCamoufox({
+                        providerType,
+                        auth: auth,
+                        url
+                    }).catch(() => { });
+                }
+                return false;
             }
-        }
-        // 对于 gemini / gemini-cli / antigravity，排除纯服务开关类错误，
-        // 但如果明确提示缺少 project_id 或需要重新 OAuth，则视为令牌失效。
-        if (pt === 'gemini' || pt === 'gemini-cli' || pt === 'antigravity') {
-            if (/service_disabled/.test(lower) || lower.includes('has not been used in project')) {
-                looksInvalid = false;
+            try {
+                await withOAuthRepairEnv(providerType, async () => {
+                    await ensureValid(providerType, auth, {
+                        forceReacquireIfRefreshFails: false,
+                        openBrowser: false,
+                        forceReauthorize: false
+                    });
+                });
+                return true;
             }
-            if (lower.includes('project_id not found in token') ||
-                lower.includes('please authenticate with google oauth first')) {
-                looksInvalid = true;
+            catch {
+                // ignore silent refresh errors; fall through to background interactive flow
             }
-        }
-        if (!looksInvalid) {
+            const interactiveOpts = {
+                forceReacquireIfRefreshFails: true,
+                openBrowser: true,
+                // 上游已经明确返回“认证失效”（包括 iflow 的 406/439），
+                // 此时强制跳过节流并允许走完整 OAuth 流程。
+                forceReauthorize: pt === 'gemini' || pt === 'gemini-cli' || pt === 'antigravity' || pt === 'iflow' || pt === 'qwen'
+            };
+            void withOAuthRepairEnv(providerType, async () => {
+                await ensureValid(providerType, auth, interactiveOpts);
+            }).catch(() => {
+                // background repair failure must never block requests
+            });
             return false;
         }
         const opts = {
@@ -1004,13 +1264,54 @@ export async function handleUpstreamInvalidOAuthToken(providerType, auth, upstre
             // 此时强制跳过节流并允许走完整 OAuth 流程。
             forceReauthorize: pt === 'gemini' || pt === 'gemini-cli' || pt === 'antigravity' || pt === 'iflow' || pt === 'qwen'
         };
-        await ensureValidOAuthToken(providerType, auth, opts);
+        await withOAuthRepairEnv(providerType, async () => {
+            await ensureValid(providerType, auth, opts);
+        });
         return true;
     }
     catch {
         return false;
     }
 }
+export function shouldTriggerInteractiveOAuthRepair(providerType, upstreamError) {
+    const pt = providerType.toLowerCase();
+    const msg = upstreamError instanceof Error
+        ? upstreamError.message
+        : upstreamError && typeof upstreamError === 'object' && typeof upstreamError.message === 'string'
+            ? String(upstreamError.message)
+            : String(upstreamError || '');
+    const lower = msg.toLowerCase();
+    const statusCode = extractStatusCode(upstreamError);
+    // 基本令牌失效判定：只看典型 OAuth 文案
+    let looksInvalid = /invalid[_-]?token|invalid[_-]?grant|unauthenticated|unauthorized|token has expired|access token expired/.test(lower);
+    // 对于 iflow / qwen，保留基于 401/403 的宽松判定，避免破坏既有行为。
+    if (!looksInvalid && (pt === 'iflow' || pt === 'qwen')) {
+        if (statusCode === 401 ||
+            statusCode === 403 ||
+            /\b401\b|\b403\b|40308/.test(msg)) {
+            looksInvalid = true;
+        }
+    }
+    // 对于 gemini / gemini-cli / antigravity，排除纯服务开关类错误，
+    // 但如果明确提示缺少 project_id 或需要重新 OAuth，则视为令牌失效。
+    if (pt === 'gemini' || pt === 'gemini-cli' || pt === 'antigravity') {
+        if (/service_disabled/.test(lower) || lower.includes('has not been used in project')) {
+            looksInvalid = false;
+        }
+        if (lower.includes('project_id not found in token') ||
+            lower.includes('please authenticate with google oauth first')) {
+            looksInvalid = true;
+        }
+        // Antigravity/Gemini may return 403 "verify your account" / validation_required.
+        // This is not a token-expired case, but it still requires an interactive OAuth/browser flow
+        // to unblock the account. Treat it as "needs interactive reauth".
+        if (statusCode === 403 &&
+            isGoogleAccountVerificationRequiredMessage(lower)) {
+            looksInvalid = true;
+        }
+    }
+    return looksInvalid;
+}
 async function inferIflowClientCredsFromLog() {
     try {
         const home = process.env.HOME || '';