@kervnet/opencode-kiro-auth 1.7.17 → 1.7.19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. package/dist/core/auth/auth-handler.js +24 -8
  2. package/dist/core/auth/token-refresher.js +35 -16
  3. package/dist/core/request/request-handler.d.ts +1 -0
  4. package/dist/core/request/request-handler.js +29 -20
  5. package/package.json +1 -1
package/dist/core/auth/auth-handler.js CHANGED
@@ -25,7 +25,19 @@ export class AuthHandler {
25
25
  try {
26
26
  const logger = await import('../../plugin/logger.js');
27
27
  logger.log('Background token refresh starting...');
28
- // Check if kiro-cli has valid tokens before syncing
28
+ const bufferMs = this.config.token_expiry_buffer_ms || 120000;
29
+ let needsRefresh = false;
30
+ // Check if any plugin account token is expiring within buffer
31
+ if (this.accountManager) {
32
+ const accounts = this.accountManager.getAccounts();
33
+ for (const acc of accounts) {
34
+ if (acc.expiresAt && Date.now() >= acc.expiresAt - bufferMs - 5 * 60 * 1000) {
35
+ logger.log(`Background token refresh: account ${acc.email} token expiring soon (${new Date(acc.expiresAt).toLocaleString()}), forcing refresh`);
36
+ needsRefresh = true;
37
+ break;
38
+ }
39
+ }
40
+ }
29
41
  try {
30
42
  const { existsSync } = await import('node:fs');
31
43
  const { Database } = await import('bun:sqlite');
@@ -41,24 +53,28 @@ export class AuthHandler {
41
53
  .prepare("SELECT json_extract(value, '$.expires_at') as expires FROM auth_kv WHERE key LIKE '%token' LIMIT 1")
42
54
  .get();
43
55
  cliDb.close();
44
- if (!tokenRow || !tokenRow.expires || tokenRow.expires < Date.now()) {
45
- logger.log('Background token refresh: kiro-cli token expired, forcing refresh via kiro-cli whoami...');
56
+ const cliExpires = tokenRow?.expires ? new Date(tokenRow.expires).getTime() : 0;
57
+ if (!cliExpires || Date.now() >= cliExpires - bufferMs - 5 * 60 * 1000) {
58
+ needsRefresh = true;
59
+ }
60
+ if (needsRefresh) {
61
+ logger.log('Background token refresh: forcing kiro-cli whoami...');
62
+ const { execSync } = await import('node:child_process');
46
63
  try {
47
- const { execSync } = await import('node:child_process');
48
64
  execSync('kiro-cli whoami', { timeout: 15000, stdio: 'pipe' });
49
- logger.log('Background token refresh: kiro-cli token refreshed successfully');
65
+ logger.log('Background token refresh: kiro-cli whoami succeeded');
50
66
  }
51
67
  catch {
52
- logger.log('Background token refresh: kiro-cli refresh failed, skipping');
68
+ logger.log('Background token refresh: kiro-cli whoami failed, skipping');
53
69
  return;
54
70
  }
55
71
  }
56
72
  else {
57
- logger.log(`Background token refresh: kiro-cli token valid until ${new Date(tokenRow.expires).toLocaleString()}`);
73
+ logger.log(`Background token refresh: tokens valid, syncing`);
58
74
  }
59
75
  }
60
76
  catch (e) {
61
- logger.warn('Background token refresh: failed to check kiro-cli token status', e);
77
+ logger.warn('Background token refresh: failed to check token status', e);
62
78
  return;
63
79
  }
64
80
  const { syncFromKiroCli } = await import('../../plugin/sync/kiro-cli.js');
package/dist/core/auth/token-refresher.js CHANGED
@@ -18,56 +18,75 @@ export class TokenRefresher {
18
18
  if (!accessTokenExpired(auth, this.config.token_expiry_buffer_ms)) {
19
19
  return { account, shouldContinue: false };
20
20
  }
21
+ const logger = await import('../../plugin/logger.js');
22
+ logger.log(`[TokenRefresher] Access token expired for ${account.email}, attempting OIDC refresh...`);
21
23
  try {
22
24
  const newAuth = await refreshAccessToken(auth);
25
+ logger.log(`[TokenRefresher] OIDC refresh succeeded for ${account.email}`);
23
26
  this.accountManager.updateFromAuth(account, newAuth);
24
27
  await this.repository.batchSave(this.accountManager.getAccounts());
25
28
  return { account, shouldContinue: false };
26
29
  }
27
30
  catch (e) {
31
+ logger.log(`[TokenRefresher] OIDC refresh failed for ${account.email}: ${e.message}`);
28
32
  return await this.handleRefreshError(e, account, showToast);
29
33
  }
30
34
  }
31
35
  async handleRefreshError(error, account, showToast) {
32
- // Only sync if cooldown period has passed
36
+ const logger = await import('../../plugin/logger.js');
33
37
  const now = Date.now();
34
38
  if (this.config.auto_sync_kiro_cli && now - this.lastSyncTime > this.SYNC_COOLDOWN_MS) {
35
39
  this.lastSyncTime = now;
36
- // Force kiro-cli to refresh its token
40
+ // Force kiro-cli to refresh its tokens
41
+ logger.log('[TokenRefresher] Forcing kiro-cli token refresh via whoami...');
37
42
  try {
38
43
  const { execSync } = await import('node:child_process');
39
44
  execSync('kiro-cli whoami', { timeout: 15000, stdio: 'pipe' });
45
+ logger.log('[TokenRefresher] kiro-cli whoami succeeded');
40
46
  }
41
- catch {
42
- // Continue with sync anyway
47
+ catch (e) {
48
+ logger.warn(`[TokenRefresher] kiro-cli whoami failed: ${e.message}`);
43
49
  }
50
+ logger.log('[TokenRefresher] Syncing accounts from kiro-cli DB...');
44
51
  await this.syncFromKiroCli();
52
+ // Reload fresh accounts from DB into accountManager
53
+ this.repository.invalidateCache();
54
+ const freshAccounts = await this.repository.findAll();
55
+ this.accountManager.replaceAccounts(freshAccounts);
45
56
  }
46
- this.repository.invalidateCache();
47
- const accounts = await this.repository.findAll();
57
+ else if (this.config.auto_sync_kiro_cli) {
58
+ logger.log(`[TokenRefresher] Sync cooldown active (${Math.ceil((this.SYNC_COOLDOWN_MS - (now - this.lastSyncTime)) / 1000)}s remaining)`);
59
+ }
60
+ // Re-check the account after sync
61
+ const accounts = this.accountManager.getAccounts();
48
62
  const stillAcc = accounts.find((a) => a.id === account.id);
49
- if (stillAcc &&
50
- !accessTokenExpired(this.accountManager.toAuthDetails(stillAcc), this.config.token_expiry_buffer_ms)) {
51
- // Reset health status since we have fresh credentials
52
- stillAcc.isHealthy = true;
53
- stillAcc.failCount = 0;
54
- stillAcc.unhealthyReason = undefined;
55
- await this.repository.batchSave([stillAcc]);
56
- showToast('Credentials recovered from Kiro CLI sync.', 'info');
57
- return { account: stillAcc, shouldContinue: false };
63
+ if (stillAcc) {
64
+ const freshAuth = this.accountManager.toAuthDetails(stillAcc);
65
+ const stillExpired = accessTokenExpired(freshAuth, this.config.token_expiry_buffer_ms);
66
+ logger.log(`[TokenRefresher] After sync: account ${stillAcc.email} token expired=${stillExpired}`);
67
+ if (!stillExpired) {
68
+ stillAcc.isHealthy = true;
69
+ stillAcc.failCount = 0;
70
+ stillAcc.unhealthyReason = undefined;
71
+ await this.repository.batchSave([stillAcc]);
72
+ logger.log('[TokenRefresher] Recovery successful!');
73
+ return { account: stillAcc, shouldContinue: false };
74
+ }
58
75
  }
76
+ // Token still expired after sync — mark unhealthy
59
77
  if (error instanceof KiroTokenRefreshError &&
60
78
  (error.code === 'ExpiredTokenException' ||
61
79
  error.code === 'InvalidTokenException' ||
62
80
  error.code === 'HTTP_401' ||
63
81
  error.message.includes('Invalid refresh token provided'))) {
82
+ logger.log(`[TokenRefresher] Marking account ${account.email} as permanently unhealthy: ${error.message}`);
64
83
  this.accountManager.markUnhealthy(account, error.message);
65
84
  await this.repository.batchSave(this.accountManager.getAccounts());
66
85
  return { account, shouldContinue: true };
67
86
  }
68
- // For HTTP_403, only mark unhealthy after multiple failures
69
87
  if (error instanceof KiroTokenRefreshError && error.code === 'HTTP_403') {
70
88
  account.failCount = (account.failCount || 0) + 1;
89
+ logger.log(`[TokenRefresher] HTTP 403, failCount=${account.failCount}`);
71
90
  if (account.failCount >= 3) {
72
91
  this.accountManager.markUnhealthy(account, error.message);
73
92
  }
package/dist/core/request/request-handler.d.ts CHANGED
@@ -22,6 +22,7 @@ export declare class RequestHandler {
22
22
  private logResponse;
23
23
  private logError;
24
24
  private allAccountsPermanentlyUnhealthy;
25
+ private forceKiroCliRefreshAndSync;
25
26
  private sleep;
26
27
  }
27
28
  export {};
package/dist/core/request/request-handler.js CHANGED
@@ -52,27 +52,8 @@ export class RequestHandler {
52
52
  throw new Error(check.error);
53
53
  }
54
54
  if (this.allAccountsPermanentlyUnhealthy()) {
55
- // Try to recover by syncing from kiro-cli
56
55
  if (this.config.auto_sync_kiro_cli) {
57
- showToast('All accounts unhealthy. Forcing kiro-cli token refresh...', 'warning');
58
- try {
59
- const { execSync } = await import('node:child_process');
60
- execSync('kiro-cli chat --model claude-haiku-4.5 --no-interactive "hi"', { timeout: 30000, stdio: 'pipe' });
61
- }
62
- catch {
63
- throw new Error('All accounts are unhealthy and kiro-cli token refresh failed. Please run: kiro-cli login');
64
- }
65
- const { syncFromKiroCli } = await import('../../plugin/sync/kiro-cli.js');
66
- await syncFromKiroCli();
67
- // Reset all accounts to healthy and clear fail counts
68
- const accounts = this.accountManager.getAccounts();
69
- for (const acc of accounts) {
70
- acc.isHealthy = true;
71
- acc.failCount = 0;
72
- acc.unhealthyReason = undefined;
73
- }
74
- await this.repository.batchSave(accounts);
75
- // Give it one more chance
56
+ await this.forceKiroCliRefreshAndSync(showToast);
76
57
  continue;
77
58
  }
78
59
  throw new Error('All accounts are permanently unhealthy (quota exceeded or suspended)');
@@ -89,6 +70,7 @@ export class RequestHandler {
89
70
  const tokenResult = await this.tokenRefresher.refreshIfNeeded(acc, auth, showToast);
90
71
  if (tokenResult.shouldContinue) {
91
72
  acc = tokenResult.account;
73
+ logger.log(`[RequestHandler] Token refresh returned shouldContinue=true for ${acc.email}, retrying in 500ms (iteration ${retryContext.iterations})`);
92
74
  await this.sleep(500);
93
75
  continue;
94
76
  }
@@ -216,6 +198,33 @@ export class RequestHandler {
216
198
  }
217
199
  return accounts.every((acc) => !acc.isHealthy && isPermanentError(acc.unhealthyReason));
218
200
  }
201
+ async forceKiroCliRefreshAndSync(showToast) {
202
+ logger.log('[RequestHandler] All accounts permanently unhealthy. Forcing kiro-cli token refresh...');
203
+ showToast('All accounts unhealthy. Forcing kiro-cli token refresh...', 'warning');
204
+ try {
205
+ const { execSync } = await import('node:child_process');
206
+ execSync('kiro-cli whoami', { timeout: 15000, stdio: 'pipe' });
207
+ logger.log('[RequestHandler] kiro-cli whoami succeeded');
208
+ }
209
+ catch (e) {
210
+ logger.warn(`[RequestHandler] kiro-cli whoami failed: ${e.message}`);
211
+ throw new Error('All accounts are unhealthy and kiro-cli token refresh failed. Please run: kiro-cli login');
212
+ }
213
+ const { syncFromKiroCli } = await import('../../plugin/sync/kiro-cli.js');
214
+ await syncFromKiroCli();
215
+ // Reload fresh accounts from DB into accountManager
216
+ this.repository.invalidateCache();
217
+ const freshAccounts = await this.repository.findAll();
218
+ this.accountManager.replaceAccounts(freshAccounts);
219
+ // Reset health on all accounts
220
+ const accounts = this.accountManager.getAccounts();
221
+ for (const acc of accounts) {
222
+ acc.isHealthy = true;
223
+ acc.failCount = 0;
224
+ acc.unhealthyReason = undefined;
225
+ }
226
+ await this.repository.batchSave(accounts);
227
+ }
219
228
  sleep(ms) {
220
229
  return new Promise((resolve) => setTimeout(resolve, ms));
221
230
  }
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@kervnet/opencode-kiro-auth",
3
- "version": "1.7.17",
3
+ "version": "1.7.19",
4
4
  "description": "OpenCode plugin for AWS Kiro (CodeWhisperer) with IAM Identity Center profile support",
5
5
  "type": "module",
6
6
  "main": "dist/index.js",