@lobu/gateway 3.0.5 → 3.0.6

package/src/auth/chatgpt/device-code-client.ts

@@ -0,0 +1,218 @@
+import { createLogger } from "@lobu/core";
+
+const logger = createLogger("chatgpt-device-code");
+
+const CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
+const DEVICE_CODE_URL =
+  "https://auth.openai.com/api/accounts/deviceauth/usercode";
+const DEVICE_TOKEN_URL =
+  "https://auth.openai.com/api/accounts/deviceauth/token";
+const TOKEN_EXCHANGE_URL = "https://auth.openai.com/oauth/token";
+const DEVICE_REDIRECT_URI = "https://auth.openai.com/deviceauth/callback";
+const OAUTH_SCOPE =
+  process.env.OPENAI_OAUTH_SCOPE ||
+  [
+    "openid",
+    "profile",
+    "email",
+    "offline_access",
+    "api.model.read",
+    "api.model.request",
+    "api.model.image.request",
+    "api.model.audio.request",
+  ].join(" ");
+const JWT_CLAIM_PATH = "https://api.openai.com/auth";
+const DEVICE_HEADERS = {
+  "Content-Type": "application/json",
+  "User-Agent": "reqwest/0.12.24",
+};
+const TOKEN_HEADERS = {
+  "Content-Type": "application/x-www-form-urlencoded",
+  "User-Agent": "reqwest/0.12.24",
+};
+
+export interface DeviceCodeResponse {
+  userCode: string;
+  deviceAuthId: string;
+  interval: number;
+}
+
+export interface DeviceTokenResult {
+  accessToken: string;
+  refreshToken: string;
+  expiresIn: number;
+  accountId?: string;
+}
+
+/**
+ * Client for OpenAI device code authentication flow.
+ * Based on sub-bridge's device code implementation.
+ */
+export class ChatGPTDeviceCodeClient {
+  /**
+   * Request a device code from OpenAI.
+   * Returns user_code for display and device_auth_id for polling.
+   */
+  async requestDeviceCode(): Promise<DeviceCodeResponse> {
+    const response = await fetch(DEVICE_CODE_URL, {
+      method: "POST",
+      headers: DEVICE_HEADERS,
+      body: JSON.stringify({
+        client_id: CLIENT_ID,
+        scope: OAUTH_SCOPE,
+      }),
+    });
+
+    if (!response.ok) {
+      const text = await response.text().catch(() => "");
+      logger.error("Device code request failed", {
+        status: response.status,
+        body: text,
+      });
+      throw new Error(`Device code request failed: ${response.status}`);
+    }
+
+    const data = (await response.json()) as {
+      device_auth_id: string;
+      user_code: string;
+      interval?: number;
+    };
+
+    return {
+      userCode: data.user_code,
+      deviceAuthId: data.device_auth_id,
+      interval: typeof data.interval === "number" ? data.interval : 5,
+    };
+  }
+
+  /**
+   * Poll for token after user has authorized the device code.
+   * Returns null if still pending, throws on permanent failure.
+   */
+  async pollForToken(
+    deviceAuthId: string,
+    userCode: string
+  ): Promise<DeviceTokenResult | null> {
+    const response = await fetch(DEVICE_TOKEN_URL, {
+      method: "POST",
+      headers: DEVICE_HEADERS,
+      body: JSON.stringify({
+        device_auth_id: deviceAuthId,
+        user_code: userCode,
+      }),
+    });
+
+    // 403/404/429 = user hasn't authorized yet
+    if (
+      response.status === 403 ||
+      response.status === 404 ||
+      response.status === 429
+    ) {
+      return null;
+    }
+
+    if (!response.ok) {
+      const text = await response.text().catch(() => "");
+      logger.error("Device token poll failed", {
+        status: response.status,
+        body: text,
+      });
+      throw new Error(`Device token poll failed: ${response.status}`);
+    }
+
+    const data = (await response.json()) as {
+      authorization_code?: string;
+      code_verifier?: string;
+    };
+
+    if (!data.authorization_code || !data.code_verifier) {
+      logger.warn("Poll response missing authorization fields, still pending");
+      return null;
+    }
+
+    // Exchange authorization code for access token
+    return this.exchangeCode(data.authorization_code, data.code_verifier);
+  }
+
+  /**
+   * Exchange authorization code for access/refresh tokens.
+   */
+  private async exchangeCode(
+    authorizationCode: string,
+    codeVerifier: string
+  ): Promise<DeviceTokenResult> {
+    const response = await fetch(TOKEN_EXCHANGE_URL, {
+      method: "POST",
+      headers: TOKEN_HEADERS,
+      body: new URLSearchParams({
+        grant_type: "authorization_code",
+        client_id: CLIENT_ID,
+        code: authorizationCode,
+        code_verifier: codeVerifier,
+        redirect_uri: DEVICE_REDIRECT_URI,
+        scope: OAUTH_SCOPE,
+      }).toString(),
+    });
+
+    if (!response.ok) {
+      const text = await response.text().catch(() => "");
+      logger.error("Token exchange failed", {
+        status: response.status,
+        body: text,
+      });
+      throw new Error(`Token exchange failed: ${response.status}`);
+    }
+
+    const data = (await response.json()) as {
+      access_token: string;
+      refresh_token: string;
+      expires_in: number;
+      id_token?: string;
+    };
+
+    if (!data.access_token || !data.refresh_token) {
+      throw new Error("Token response missing required fields");
+    }
+
+    const accountId = this.extractAccountId(data.access_token);
+
+    return {
+      accessToken: data.access_token,
+      refreshToken: data.refresh_token,
+      expiresIn: data.expires_in,
+      accountId,
+    };
+  }
+
+  /**
+   * Extract account ID from JWT access token (informational only).
+   * Decodes the JWT payload without signature verification because the token
+   * was obtained directly from OpenAI's token endpoint over HTTPS.
+   * The extracted accountId is used only for logging/display, not for
+   * authorization decisions.
+   */
+  extractAccountId(accessToken: string): string | undefined {
+    try {
+      const parts = accessToken.split(".");
+      if (parts.length < 2) return undefined;
+
+      const payload = JSON.parse(
+        Buffer.from(parts[1]!, "base64url").toString("utf-8")
+      );
+
+      // OpenAI stores account info under the JWT_CLAIM_PATH
+      const authClaim = payload[JWT_CLAIM_PATH];
+      if (authClaim?.organization_id) {
+        return authClaim.organization_id;
+      }
+      if (authClaim?.chatgpt_account_id) {
+        return authClaim.chatgpt_account_id;
+      }
+
+      return undefined;
+    } catch (error) {
+      logger.warn("Failed to extract account ID from JWT", { error });
+      return undefined;
+    }
+  }
+}

package/src/auth/chatgpt/index.ts

@@ -0,0 +1 @@
+export { ChatGPTOAuthModule } from "./chatgpt-oauth-module";

package/src/auth/claude/oauth-module.ts

@@ -0,0 +1,280 @@
+import { createLogger } from "@lobu/core";
+import type { ModelOption } from "../../modules/module-system";
+import { BaseProviderModule } from "../base-provider-module";
+import { resolveEnv } from "../mcp/string-substitution";
+import type { OAuthCredentials } from "../oauth/credentials";
+import {
+  type AuthProfilesManager,
+  createAuthProfileLabel,
+} from "../settings/auth-profiles-manager";
+import type { ModelPreferenceStore } from "../settings/model-preference-store";
+
+const logger = createLogger("claude-oauth-module");
+
+/**
+ * Claude OAuth Module - Handles credential injection and model preferences for Claude.
+ * OAuth login/logout is handled by the generic settings web page routes.
+ */
+export class ClaudeOAuthModule extends BaseProviderModule {
+  private modelPreferenceStore: ModelPreferenceStore;
+
+  constructor(
+    authProfilesManager: AuthProfilesManager,
+    modelPreferenceStore: ModelPreferenceStore
+  ) {
+    super(
+      {
+        providerId: "claude",
+        providerDisplayName: "Claude",
+        providerIconUrl:
+          "https://www.google.com/s2/favicons?domain=anthropic.com&sz=128",
+        credentialEnvVarName: "CLAUDE_CODE_OAUTH_TOKEN",
+        secretEnvVarNames: [
+          "ANTHROPIC_API_KEY",
+          "ANTHROPIC_AUTH_TOKEN",
+          "CLAUDE_CODE_OAUTH_TOKEN",
+        ],
+        slug: "anthropic",
+        upstreamBaseUrl: "https://api.anthropic.com",
+        baseUrlEnvVarName: "ANTHROPIC_BASE_URL",
+        authType: "oauth",
+        supportedAuthTypes: ["oauth", "api-key"],
+        apiKeyInstructions:
+          'Enter your <a href="https://console.anthropic.com/settings/keys" target="_blank" class="text-blue-600 underline">Anthropic API key</a>:',
+        apiKeyPlaceholder: "sk-ant-...",
+        catalogDescription: "Anthropic's Claude AI with OAuth authentication",
+      },
+      authProfilesManager
+    );
+    // Preserve existing module name
+    this.name = "claude-oauth";
+    this.modelPreferenceStore = modelPreferenceStore;
+  }
+
+  // ---- Overrides for multi-env-var logic ----
+
+  override hasSystemKey(): boolean {
+    return !!(
+      resolveEnv("ANTHROPIC_AUTH_TOKEN") ||
+      resolveEnv("CLAUDE_CODE_OAUTH_TOKEN")
+    );
+  }
+
+  override injectSystemKeyFallback(
+    envVars: Record<string, string>
+  ): Record<string, string> {
+    if (!envVars.ANTHROPIC_API_KEY && !envVars.CLAUDE_CODE_OAUTH_TOKEN) {
+      // Prefer ANTHROPIC_AUTH_TOKEN (explicit user config in .env) over
+      // ANTHROPIC_API_KEY (which may be injected by Claude Code's shell env).
+      const systemApiKey =
+        resolveEnv("ANTHROPIC_AUTH_TOKEN") || resolveEnv("ANTHROPIC_API_KEY");
+      const systemOAuthToken = resolveEnv("CLAUDE_CODE_OAUTH_TOKEN");
+
+      if (systemApiKey) {
+        envVars.ANTHROPIC_API_KEY = systemApiKey;
+      } else if (systemOAuthToken) {
+        envVars.CLAUDE_CODE_OAUTH_TOKEN = systemOAuthToken;
+      }
+    }
+    return envVars;
+  }
+
+  override async buildEnvVars(
+    agentId: string,
+    envVars: Record<string, string>
+  ): Promise<Record<string, string>> {
+    const profile = await this.authProfilesManager.getBestProfile(
+      agentId,
+      this.providerId
+    );
+
+    if (profile?.credential) {
+      logger.info(`Injecting ${profile.authType} profile for space ${agentId}`);
+      if (profile.authType === "oauth") {
+        envVars.CLAUDE_CODE_OAUTH_TOKEN = profile.credential;
+      } else {
+        envVars.ANTHROPIC_API_KEY = profile.credential;
+      }
+    }
+
+    // AGENT_DEFAULT_MODEL is now delivered dynamically via session context.
+    // No longer baked into static container env vars.
+
+    return envVars;
+  }
+
+  getCliBackendConfig() {
+    return {
+      name: "claude-code",
+      command: "npx",
+      args: ["-y", "acpx@latest", "claude", "--print"],
+      modelArg: "--model",
+      sessionArg: "--session",
+    };
+  }
+
+  async getModelOptions(
+    agentId: string,
+    userId: string
+  ): Promise<ModelOption[]> {
+    const availableModels = await this.fetchClaudeModels(agentId);
+    if (availableModels.length === 0) return [];
+
+    const preferredModel =
+      await this.modelPreferenceStore.getModelPreference(userId);
+    logger.debug("Building Claude model options", {
+      agentId,
+      userId,
+      preferredModel,
+    });
+    const defaultModel =
+      preferredModel ||
+      process.env.AGENT_DEFAULT_MODEL ||
+      "claude-sonnet-4-20250514";
+    const options: ModelOption[] = [];
+    const seen = new Set<string>();
+
+    const addOption = (value: string, label: string) => {
+      if (seen.has(value)) return;
+      seen.add(value);
+      options.push({ value, label });
+    };
+
+    const defaultEntry = availableModels.find((m) => m.id === defaultModel);
+    if (defaultEntry) {
+      addOption(defaultModel, defaultEntry.display_name || defaultModel);
+    }
+
+    for (const model of availableModels) {
+      addOption(model.id, model.display_name || model.id);
+    }
+
+    return options;
+  }
+
+  async setCredentials(agentId: string, credentials: unknown): Promise<void> {
+    await this.saveOAuthCredentials(agentId, credentials as OAuthCredentials);
+  }
+
+  async deleteCredentials(agentId: string): Promise<void> {
+    await this.authProfilesManager.deleteProviderProfiles(
+      agentId,
+      this.providerId
+    );
+  }
+
+  private async saveOAuthCredentials(
+    agentId: string,
+    credentials: OAuthCredentials
+  ): Promise<void> {
+    await this.authProfilesManager.upsertProfile({
+      agentId,
+      provider: this.providerId,
+      credential: credentials.accessToken,
+      authType: "oauth",
+      label: createAuthProfileLabel(
+        this.providerDisplayName,
+        credentials.accessToken
+      ),
+      metadata: {
+        refreshToken: credentials.refreshToken,
+        expiresAt: credentials.expiresAt,
+      },
+      makePrimary: true,
+    });
+  }
+
+  private static readonly FALLBACK_MODELS: Array<{
+    id: string;
+    display_name: string;
+    type: string;
+  }> = [
+    {
+      id: "claude-sonnet-4-20250514",
+      display_name: "Claude Sonnet 4",
+      type: "model",
+    },
+    {
+      id: "claude-opus-4-20250514",
+      display_name: "Claude Opus 4",
+      type: "model",
+    },
+    {
+      id: "claude-haiku-3-5-20241022",
+      display_name: "Claude Haiku 3.5",
+      type: "model",
+    },
+  ];
+
+  private async fetchClaudeModels(
+    agentId: string
+  ): Promise<Array<{ id: string; display_name: string; type: string }>> {
+    const profile = await this.authProfilesManager.getBestProfile(
+      agentId,
+      this.providerId
+    );
+
+    const oauthToken =
+      profile?.authType === "oauth" ? profile.credential : undefined;
+    const apiKey =
+      profile?.authType !== "oauth"
+        ? profile?.credential
+        : process.env.ANTHROPIC_AUTH_TOKEN || process.env.ANTHROPIC_API_KEY;
+
+    const headers: Record<string, string> = {
+      Accept: "application/json",
+      "anthropic-version": "2023-06-01",
+    };
+    if (oauthToken) {
+      headers.Authorization = `Bearer ${oauthToken}`;
+    } else if (apiKey) {
+      headers["x-api-key"] = apiKey;
+    } else {
+      return ClaudeOAuthModule.FALLBACK_MODELS;
+    }
+
+    const response = await fetch("https://api.anthropic.com/v1/models", {
+      headers,
+    }).catch((err) => {
+      logger.warn(
+        { error: err?.message, agentId },
+        "fetchClaudeModels: fetch failed"
+      );
+      return null;
+    });
+
+    if (!response || !response.ok) {
+      logger.warn(
+        {
+          agentId,
+          status: response?.status,
+          hasOauth: !!oauthToken,
+          hasApiKey: !!apiKey,
+        },
+        "fetchClaudeModels: non-ok response, using fallback models"
+      );
+      return ClaudeOAuthModule.FALLBACK_MODELS;
+    }
+
+    const payload = (await response.json().catch(() => ({}))) as {
+      data?: Array<{ id?: string; display_name?: string; type?: string }>;
+    };
+
+    const models = (payload.data || [])
+      .map((item) => {
+        const id = item.id?.trim();
+        if (!id) return null;
+        return {
+          id,
+          display_name: item.display_name || id,
+          type: item.type || "model",
+        };
+      })
+      .filter(
+        (item): item is { id: string; display_name: string; type: string } =>
+          Boolean(item)
+      );
+
+    return models.length > 0 ? models : ClaudeOAuthModule.FALLBACK_MODELS;
+  }
+}