@lobu/gateway 3.0.5 → 3.0.6

package/src/auth/api-key-provider-module.ts

@@ -0,0 +1,213 @@
+import type { ConfigProviderMeta } from "@lobu/core";
+import type { ModelOption } from "../modules/module-system";
+import { BaseProviderModule } from "./base-provider-module";
+import type { AgentSettingsStore } from "./settings/agent-settings-store";
+import { AuthProfilesManager } from "./settings/auth-profiles-manager";
+
+export interface ApiKeyProviderConfig {
+  providerId: string;
+  providerDisplayName: string;
+  providerIconUrl: string;
+  envVarName: string;
+  apiKeyInstructions: string;
+  apiKeyPlaceholder: string;
+  systemEnvVarName?: string;
+  /** Provider slug for proxy path routing (e.g. "gemini") */
+  slug?: string;
+  /** Upstream base URL for proxy forwarding (e.g. "https://generativelanguage.googleapis.com") */
+  upstreamBaseUrl?: string;
+  /** Explicit base URL env var name (defaults to envVarName with _KEY replaced by _BASE_URL) */
+  baseUrlEnvVarName?: string;
+  /** Relative path to fetch model list (e.g. "/v1/models"). Enables generic model fetching. */
+  modelsEndpoint?: string;
+  /** SDK compatibility — "openai" means OpenAI-compatible format. Also maps OPENAI_BASE_URL in proxy. */
+  sdkCompat?: "openai";
+  /** Default model ID when none is configured */
+  defaultModel?: string;
+  /** Override provider name for model registry lookup */
+  registryAlias?: string;
+  /** Whether to show in "Add Provider" catalog (default: true) */
+  catalogVisible?: boolean;
+  agentSettingsStore: AgentSettingsStore;
+}
+
+/**
+ * Generic API-key provider module.
+ * Any model provider that only needs a "paste your API key" flow
+ * can be instantiated from this class without writing a full module.
+ *
+ * Config-driven providers (from system-skills.json) set sdkCompat,
+ * defaultModel, and registryAlias to enable dynamic worker model resolution.
+ */
+export class ApiKeyProviderModule extends BaseProviderModule {
+  protected readonly apiKeyConfig: ApiKeyProviderConfig;
+
+  constructor(config: ApiKeyProviderConfig) {
+    const authProfilesManager = new AuthProfilesManager(
+      config.agentSettingsStore
+    );
+    super(
+      {
+        providerId: config.providerId,
+        providerDisplayName: config.providerDisplayName,
+        providerIconUrl: config.providerIconUrl,
+        credentialEnvVarName: config.envVarName,
+        secretEnvVarNames: [config.envVarName],
+        systemEnvVarName: config.systemEnvVarName,
+        slug: config.slug || config.providerId,
+        upstreamBaseUrl: config.upstreamBaseUrl,
+        baseUrlEnvVarName:
+          config.baseUrlEnvVarName ||
+          config.envVarName.replace("_KEY", "_BASE_URL"),
+        authType: "api-key",
+        apiKeyInstructions: config.apiKeyInstructions,
+        apiKeyPlaceholder: config.apiKeyPlaceholder,
+        catalogVisible: config.catalogVisible,
+      },
+      authProfilesManager
+    );
+    this.apiKeyConfig = config;
+    this.name = `${config.providerId}-api-key`;
+  }
+
+  /**
+   * For openai-compatible providers, also map OPENAI_BASE_URL so the
+   * OpenAI SDK resolves through our proxy.
+   */
+  override getProxyBaseUrlMappings(
+    proxyUrl: string,
+    agentId?: string
+  ): Record<string, string> {
+    const mappings = super.getProxyBaseUrlMappings(proxyUrl, agentId);
+    if (this.apiKeyConfig.sdkCompat === "openai") {
+      const slug = this.providerConfig.slug || this.providerId;
+      const base = `${proxyUrl}/${slug}`;
+      mappings.OPENAI_BASE_URL = agentId ? `${base}/a/${agentId}` : base;
+    }
+    return mappings;
+  }
+
+  /**
+   * Returns metadata for config-driven providers (sdkCompat, defaultModel, etc.)
+   * so the worker can register them dynamically. Returns null for hardcoded providers.
+   */
+  getProviderMetadata(): ConfigProviderMeta | null {
+    if (
+      !this.apiKeyConfig.sdkCompat &&
+      !this.apiKeyConfig.defaultModel &&
+      !this.apiKeyConfig.registryAlias
+    ) {
+      return null;
+    }
+    return {
+      sdkCompat: this.apiKeyConfig.sdkCompat,
+      defaultModel: this.apiKeyConfig.defaultModel,
+      registryAlias: this.apiKeyConfig.registryAlias,
+      baseUrlEnvVar:
+        this.providerConfig.baseUrlEnvVarName ||
+        this.apiKeyConfig.envVarName.replace("_KEY", "_BASE_URL"),
+    };
+  }
+
+  async getModelOptions(
+    agentId: string,
+    _userId: string
+  ): Promise<ModelOption[]> {
+    const key = await this.getCredential(agentId);
+    if (!key) return [];
+
+    // Gemini uses a non-standard models endpoint with key-in-query auth
+    if (this.providerId === "gemini") {
+      return this.fetchGeminiModels(key);
+    }
+
+    // Generic modelsEndpoint: supports OpenAI format ({data:[{id}]}) and Ollama format ({models:[{name}]})
+    const modelsEndpoint = this.apiKeyConfig.modelsEndpoint;
+    if (modelsEndpoint && this.apiKeyConfig.upstreamBaseUrl) {
+      return this.fetchModelsGeneric(
+        key,
+        this.apiKeyConfig.upstreamBaseUrl,
+        modelsEndpoint
+      );
+    }
+
+    return [];
+  }
+
+  /**
+   * Generic model fetcher using Bearer auth. Works with OpenAI-compatible
+   * endpoints ({data:[{id}]}) and Ollama ({models:[{name}]}).
+   */
+  private async fetchModelsGeneric(
+    apiKey: string,
+    baseUrl: string,
+    endpoint: string
+  ): Promise<ModelOption[]> {
+    const url = `${baseUrl.replace(/\/$/, "")}${endpoint}`;
+    const response = await fetch(url, {
+      headers: {
+        Accept: "application/json",
+        Authorization: `Bearer ${apiKey}`,
+      },
+    }).catch(() => null);
+    if (!response || !response.ok) return [];
+
+    const payload = (await response.json().catch(() => ({}))) as {
+      data?: Array<{ id?: string }>;
+      models?: Array<{ name?: string; model?: string }>;
+    };
+
+    const prefix = this.providerId;
+
+    // OpenAI format: { data: [{ id: "model-name" }] }
+    if (payload.data && Array.isArray(payload.data)) {
+      return payload.data
+        .map((model) => {
+          const id = model.id?.trim();
+          if (!id) return null;
+          return { value: `${prefix}/${id}`, label: id } satisfies ModelOption;
+        })
+        .filter((item): item is ModelOption => Boolean(item));
+    }
+
+    // Ollama format: { models: [{ name: "model-name", model: "model-name" }] }
+    if (payload.models && Array.isArray(payload.models)) {
+      return payload.models
+        .map((model) => {
+          const id = (model.model || model.name)?.trim();
+          if (!id) return null;
+          return { value: `${prefix}/${id}`, label: id } satisfies ModelOption;
+        })
+        .filter((item): item is ModelOption => Boolean(item));
+    }
+
+    return [];
+  }
+
+  private async fetchGeminiModels(apiKey: string): Promise<ModelOption[]> {
+    const url = new URL(
+      "https://generativelanguage.googleapis.com/v1beta/models"
+    );
+    url.searchParams.set("key", apiKey);
+
+    const response = await fetch(url.toString(), {
+      headers: { Accept: "application/json" },
+    }).catch(() => null);
+    if (!response || !response.ok) return [];
+
+    const payload = (await response.json().catch(() => ({}))) as {
+      models?: Array<{ name?: string; displayName?: string }>;
+    };
+
+    return (payload.models || [])
+      .map((model) => {
+        const raw = model.name?.replace(/^models\//, "").trim();
+        if (!raw) return null;
+        return {
+          value: `gemini/${raw}`,
+          label: model.displayName || raw,
+        } satisfies ModelOption;
+      })
+      .filter((item): item is ModelOption => Boolean(item));
+  }
+}

package/src/auth/base-provider-module.ts

@@ -0,0 +1,201 @@
+import { createLogger } from "@lobu/core";
+import { Hono } from "hono";
+import {
+  BaseModule,
+  type ModelProviderModule,
+  type ProviderUpstreamConfig,
+} from "../modules/module-system";
+import { resolveEnv } from "./mcp/string-substitution";
+import type { AuthProfilesManager } from "./settings/auth-profiles-manager";
+
+const logger = createLogger("base-provider-module");
+
+export interface BaseProviderConfig {
+  providerId: string;
+  providerDisplayName: string;
+  providerIconUrl: string;
+  /** Env var name the SDK expects for the API credential (e.g. "ANTHROPIC_API_KEY") */
+  credentialEnvVarName: string;
+  /** All env vars this provider considers secrets */
+  secretEnvVarNames: string[];
+  /** Env var to check for system key (defaults to credentialEnvVarName) */
+  systemEnvVarName?: string;
+  /** Provider slug for proxy path routing (e.g. "anthropic") */
+  slug?: string;
+  /** Upstream base URL for proxy forwarding (e.g. "https://api.anthropic.com") */
+  upstreamBaseUrl?: string;
+  /** Explicit base URL env var name (defaults to slug-derived name) */
+  baseUrlEnvVarName?: string;
+  authType: "oauth" | "device-code" | "api-key";
+  supportedAuthTypes?: ("oauth" | "device-code" | "api-key")[];
+  apiKeyInstructions?: string;
+  apiKeyPlaceholder?: string;
+  catalogDescription?: string;
+  catalogVisible?: boolean;
+}
+
+/**
+ * Base class for model provider modules.
+ * Implements shared logic: credential lookup, proxy mappings, env var injection,
+ * and Hono app management. Save-key and logout routes are handled by the
+ * parameterized auth router in gateway.ts.
+ *
+ * Subclasses provide a config object and optionally override:
+ * - `setupRoutes(app)` to add provider-specific routes
+ * - `getModelOptions()` for model listing
+ * - `buildEnvVars()` for custom env var injection
+ * - `hasSystemKey()` / `injectSystemKeyFallback()` for multi-env-var logic
+ */
+export abstract class BaseProviderModule
+  extends BaseModule
+  implements ModelProviderModule
+{
+  name: string;
+  providerId: string;
+  providerDisplayName: string;
+  providerIconUrl: string;
+  authType: "oauth" | "device-code" | "api-key";
+  supportedAuthTypes?: ("oauth" | "device-code" | "api-key")[];
+  apiKeyInstructions?: string;
+  apiKeyPlaceholder?: string;
+  catalogDescription?: string;
+  catalogVisible?: boolean;
+
+  protected readonly providerConfig: BaseProviderConfig;
+  protected readonly authProfilesManager: AuthProfilesManager;
+  protected readonly app: Hono;
+
+  constructor(
+    config: BaseProviderConfig,
+    authProfilesManager: AuthProfilesManager
+  ) {
+    super();
+    this.providerConfig = config;
+    this.authProfilesManager = authProfilesManager;
+
+    this.providerId = config.providerId;
+    this.name = `${config.providerId}-provider`;
+    this.providerDisplayName = config.providerDisplayName;
+    this.providerIconUrl = config.providerIconUrl;
+    this.authType = config.authType;
+    this.supportedAuthTypes = config.supportedAuthTypes;
+    this.apiKeyInstructions = config.apiKeyInstructions;
+    this.apiKeyPlaceholder = config.apiKeyPlaceholder;
+    this.catalogDescription = config.catalogDescription;
+    this.catalogVisible = config.catalogVisible;
+
+    this.app = new Hono();
+    this.setupRoutes();
+  }
+
+  isEnabled(): boolean {
+    return true;
+  }
+
+  getSecretEnvVarNames(): string[] {
+    return this.providerConfig.secretEnvVarNames;
+  }
+
+  getCredentialEnvVarName(): string {
+    return this.providerConfig.credentialEnvVarName;
+  }
+
+  getUpstreamConfig(): ProviderUpstreamConfig | null {
+    const { slug, upstreamBaseUrl, baseUrlEnvVarName } = this.providerConfig;
+    if (!slug || !upstreamBaseUrl) return null;
+    // Check env for base URL override (e.g., ANTHROPIC_BASE_URL=https://api.z.ai)
+    const envOverride = baseUrlEnvVarName
+      ? resolveEnv(baseUrlEnvVarName)
+      : undefined;
+    return { slug, upstreamBaseUrl: envOverride || upstreamBaseUrl };
+  }
+
+  async hasCredentials(agentId: string): Promise<boolean> {
+    return this.authProfilesManager.hasProviderProfiles(
+      agentId,
+      this.providerId
+    );
+  }
+
+  hasSystemKey(): boolean {
+    const envVar =
+      this.providerConfig.systemEnvVarName ||
+      this.providerConfig.credentialEnvVarName;
+    return !!resolveEnv(envVar);
+  }
+
+  getProxyBaseUrlMappings(
+    proxyUrl: string,
+    agentId?: string
+  ): Record<string, string> {
+    const { slug, baseUrlEnvVarName, credentialEnvVarName } =
+      this.providerConfig;
+    if (!slug) return {};
+    const envVar =
+      baseUrlEnvVarName || credentialEnvVarName.replace("_KEY", "_BASE_URL");
+    const base = `${proxyUrl}/${slug}`;
+    return { [envVar]: agentId ? `${base}/a/${agentId}` : base };
+  }
+
+  injectSystemKeyFallback(
+    envVars: Record<string, string>
+  ): Record<string, string> {
+    const credVar = this.providerConfig.credentialEnvVarName;
+    if (!envVars[credVar]) {
+      const sysVar = this.providerConfig.systemEnvVarName || credVar;
+      const systemKey = resolveEnv(sysVar);
+      if (systemKey) {
+        envVars[credVar] = systemKey;
+      }
+    }
+    return envVars;
+  }
+
+  async buildEnvVars(
+    agentId: string,
+    envVars: Record<string, string>
+  ): Promise<Record<string, string>> {
+    const credVar = this.providerConfig.credentialEnvVarName;
+    if (!envVars[credVar]) {
+      const profile = await this.authProfilesManager.getBestProfile(
+        agentId,
+        this.providerId
+      );
+      if (profile?.credential) {
+        logger.info(
+          `Injecting ${credVar} for agent ${agentId} (${this.providerId})`
+        );
+        envVars[credVar] = profile.credential;
+      }
+    }
+    return envVars;
+  }
+
+  getApp(): Hono {
+    return this.app;
+  }
+
+  protected async getCredential(agentId: string): Promise<string | null> {
+    const profile = await this.authProfilesManager.getBestProfile(
+      agentId,
+      this.providerId
+    );
+    if (profile?.credential) {
+      return profile.credential;
+    }
+    const sysVar =
+      this.providerConfig.systemEnvVarName ||
+      this.providerConfig.credentialEnvVarName;
+    return process.env[sysVar] || null;
+  }
+
+  /** Build a structured placeholder for proxy mode (default: "lobu-proxy"). */
+  buildCredentialPlaceholder(_agentId: string): Promise<string> | string {
+    return "lobu-proxy";
+  }
+
+  /** Override in subclasses to add provider-specific routes. */
+  protected setupRoutes(): void {
+    // Default: no extra routes
+  }
+}

package/src/auth/chatgpt/chatgpt-oauth-module.ts

@@ -0,0 +1,185 @@
+import { createLogger } from "@lobu/core";
+import type { ModelOption } from "../../modules/module-system";
+import { BaseProviderModule } from "../base-provider-module";
+import type { AgentSettingsStore } from "../settings/agent-settings-store";
+import {
+  AuthProfilesManager,
+  createAuthProfileLabel,
+} from "../settings/auth-profiles-manager";
+import { ChatGPTDeviceCodeClient } from "./device-code-client";
+
+const logger = createLogger("chatgpt-oauth-module");
+
+/**
+ * ChatGPT OAuth Module - Handles device code authentication for ChatGPT.
+ * Stores the access token in auth profiles.
+ */
+export class ChatGPTOAuthModule extends BaseProviderModule {
+  private deviceCodeClient: ChatGPTDeviceCodeClient;
+
+  constructor(agentSettingsStore: AgentSettingsStore) {
+    const authProfilesManager = new AuthProfilesManager(agentSettingsStore);
+    super(
+      {
+        providerId: "chatgpt",
+        providerDisplayName: "ChatGPT",
+        providerIconUrl:
+          "https://www.google.com/s2/favicons?domain=chatgpt.com&sz=128",
+        credentialEnvVarName: "OPENAI_API_KEY",
+        secretEnvVarNames: ["OPENAI_API_KEY"],
+        slug: "openai-codex",
+        upstreamBaseUrl: "https://chatgpt.com/backend-api",
+        baseUrlEnvVarName: "OPENAI_BASE_URL",
+        authType: "device-code",
+        supportedAuthTypes: ["device-code", "api-key"],
+        apiKeyInstructions:
+          'Enter your <a href="https://platform.openai.com/api-keys" target="_blank" class="text-blue-600 underline">OpenAI API key</a>:',
+        apiKeyPlaceholder: "sk-...",
+        catalogDescription: "OpenAI's ChatGPT with device code authentication",
+      },
+      authProfilesManager
+    );
+    // Preserve existing module name
+    this.name = "chatgpt-oauth";
+    this.deviceCodeClient = new ChatGPTDeviceCodeClient();
+  }
+
+  async buildCredentialPlaceholder(agentId: string): Promise<string> {
+    const profile = await this.authProfilesManager.getBestProfile(
+      agentId,
+      this.providerId
+    );
+    // Try metadata first, then extract from the stored credential JWT
+    let accountId = profile?.metadata?.accountId as string | undefined;
+    if (!accountId && profile?.credential) {
+      accountId = this.deviceCodeClient.extractAccountId(profile.credential);
+    }
+    if (!accountId) return "lobu-proxy";
+
+    // Minimal JWT with the chatgpt_account_id claim.
+    // Not a valid credential — only used by the codex backend to extract accountId.
+    const header = Buffer.from(
+      JSON.stringify({ alg: "none", typ: "JWT" })
+    ).toString("base64url");
+    const payload = Buffer.from(
+      JSON.stringify({
+        "https://api.openai.com/auth": { chatgpt_account_id: accountId },
+      })
+    ).toString("base64url");
+    return `${header}.${payload}.placeholder`;
+  }
+
+  getCliBackendConfig() {
+    return {
+      name: "codex",
+      command: "npx",
+      args: ["-y", "acpx@latest", "codex", "--quiet"],
+      modelArg: "--model",
+    };
+  }
+
+  async getModelOptions(
+    agentId: string,
+    _userId: string
+  ): Promise<ModelOption[]> {
+    const token = await this.getCredential(agentId);
+    if (!token) return [];
+
+    const response = await fetch("https://chatgpt.com/backend-api/models", {
+      headers: {
+        Accept: "application/json",
+        Authorization: `Bearer ${token}`,
+      },
+    }).catch(() => null);
+
+    if (!response || !response.ok) {
+      return [];
+    }
+
+    const payload = (await response.json().catch(() => ({}))) as {
+      models?: Array<{
+        slug?: string;
+        title?: string;
+      }>;
+    };
+
+    return (payload.models || [])
+      .map((model) => {
+        const slug = model.slug?.trim();
+        if (!slug) return null;
+        return {
+          value: `openai-codex/${slug}`,
+          label: model.title?.trim() || slug,
+        } satisfies ModelOption;
+      })
+      .filter((item): item is ModelOption => Boolean(item));
+  }
+
+  async startDeviceCode(agentId: string): Promise<{
+    userCode: string;
+    deviceAuthId: string;
+    interval: number;
+    verificationUrl: string;
+  }> {
+    try {
+      logger.info("Starting ChatGPT device code flow", { agentId });
+      const result = await this.deviceCodeClient.requestDeviceCode();
+      return {
+        userCode: result.userCode,
+        deviceAuthId: result.deviceAuthId,
+        interval: result.interval,
+        verificationUrl: "https://auth.openai.com/codex/device",
+      };
+    } catch (error) {
+      logger.error("Failed to start device code flow", { error });
+      throw new Error("Failed to start device code flow");
+    }
+  }
+
+  async pollDeviceCode(
+    agentId: string,
+    payload: { deviceAuthId: string; userCode: string }
+  ): Promise<{
+    status: "pending" | "success";
+    error?: string;
+    accountId?: string;
+  }> {
+    try {
+      const result = await this.deviceCodeClient.pollForToken(
+        payload.deviceAuthId,
+        payload.userCode
+      );
+
+      if (!result) {
+        return { status: "pending" };
+      }
+
+      await this.authProfilesManager.upsertProfile({
+        agentId,
+        provider: this.providerId,
+        credential: result.accessToken,
+        authType: "device-code",
+        label: createAuthProfileLabel(
+          this.providerDisplayName,
+          result.accessToken,
+          result.accountId
+        ),
+        metadata: {
+          accountId: result.accountId,
+          refreshToken: result.refreshToken,
+          expiresAt: Date.now() + result.expiresIn * 1000,
+        },
+        makePrimary: true,
+      });
+
+      logger.info(`ChatGPT token saved for agent ${agentId}`);
+      return {
+        status: "success",
+        accountId: result.accountId,
+      };
+    } catch (error) {
+      logger.error("Failed to poll for token", { error });
+      throw new Error("Failed to poll for token");
+    }
+  }
+}