@lobu/gateway 3.0.9 → 3.0.13

package/src/auth/chatgpt/device-code-client.ts

@@ -1,218 +0,0 @@
-import { createLogger } from "@lobu/core";
-
-const logger = createLogger("chatgpt-device-code");
-
-const CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
-const DEVICE_CODE_URL =
-  "https://auth.openai.com/api/accounts/deviceauth/usercode";
-const DEVICE_TOKEN_URL =
-  "https://auth.openai.com/api/accounts/deviceauth/token";
-const TOKEN_EXCHANGE_URL = "https://auth.openai.com/oauth/token";
-const DEVICE_REDIRECT_URI = "https://auth.openai.com/deviceauth/callback";
-const OAUTH_SCOPE =
-  process.env.OPENAI_OAUTH_SCOPE ||
-  [
-    "openid",
-    "profile",
-    "email",
-    "offline_access",
-    "api.model.read",
-    "api.model.request",
-    "api.model.image.request",
-    "api.model.audio.request",
-  ].join(" ");
-const JWT_CLAIM_PATH = "https://api.openai.com/auth";
-const DEVICE_HEADERS = {
-  "Content-Type": "application/json",
-  "User-Agent": "reqwest/0.12.24",
-};
-const TOKEN_HEADERS = {
-  "Content-Type": "application/x-www-form-urlencoded",
-  "User-Agent": "reqwest/0.12.24",
-};
-
-export interface DeviceCodeResponse {
-  userCode: string;
-  deviceAuthId: string;
-  interval: number;
-}
-
-export interface DeviceTokenResult {
-  accessToken: string;
-  refreshToken: string;
-  expiresIn: number;
-  accountId?: string;
-}
-
-/**
- * Client for OpenAI device code authentication flow.
- * Based on sub-bridge's device code implementation.
- */
-export class ChatGPTDeviceCodeClient {
-  /**
-   * Request a device code from OpenAI.
-   * Returns user_code for display and device_auth_id for polling.
-   */
-  async requestDeviceCode(): Promise<DeviceCodeResponse> {
-    const response = await fetch(DEVICE_CODE_URL, {
-      method: "POST",
-      headers: DEVICE_HEADERS,
-      body: JSON.stringify({
-        client_id: CLIENT_ID,
-        scope: OAUTH_SCOPE,
-      }),
-    });
-
-    if (!response.ok) {
-      const text = await response.text().catch(() => "");
-      logger.error("Device code request failed", {
-        status: response.status,
-        body: text,
-      });
-      throw new Error(`Device code request failed: ${response.status}`);
-    }
-
-    const data = (await response.json()) as {
-      device_auth_id: string;
-      user_code: string;
-      interval?: number;
-    };
-
-    return {
-      userCode: data.user_code,
-      deviceAuthId: data.device_auth_id,
-      interval: typeof data.interval === "number" ? data.interval : 5,
-    };
-  }
-
-  /**
-   * Poll for token after user has authorized the device code.
-   * Returns null if still pending, throws on permanent failure.
-   */
-  async pollForToken(
-    deviceAuthId: string,
-    userCode: string
-  ): Promise<DeviceTokenResult | null> {
-    const response = await fetch(DEVICE_TOKEN_URL, {
-      method: "POST",
-      headers: DEVICE_HEADERS,
-      body: JSON.stringify({
-        device_auth_id: deviceAuthId,
-        user_code: userCode,
-      }),
-    });
-
-    // 403/404/429 = user hasn't authorized yet
-    if (
-      response.status === 403 ||
-      response.status === 404 ||
-      response.status === 429
-    ) {
-      return null;
-    }
-
-    if (!response.ok) {
-      const text = await response.text().catch(() => "");
-      logger.error("Device token poll failed", {
-        status: response.status,
-        body: text,
-      });
-      throw new Error(`Device token poll failed: ${response.status}`);
-    }
-
-    const data = (await response.json()) as {
-      authorization_code?: string;
-      code_verifier?: string;
-    };
-
-    if (!data.authorization_code || !data.code_verifier) {
-      logger.warn("Poll response missing authorization fields, still pending");
-      return null;
-    }
-
-    // Exchange authorization code for access token
-    return this.exchangeCode(data.authorization_code, data.code_verifier);
-  }
-
-  /**
-   * Exchange authorization code for access/refresh tokens.
-   */
-  private async exchangeCode(
-    authorizationCode: string,
-    codeVerifier: string
-  ): Promise<DeviceTokenResult> {
-    const response = await fetch(TOKEN_EXCHANGE_URL, {
-      method: "POST",
-      headers: TOKEN_HEADERS,
-      body: new URLSearchParams({
-        grant_type: "authorization_code",
-        client_id: CLIENT_ID,
-        code: authorizationCode,
-        code_verifier: codeVerifier,
-        redirect_uri: DEVICE_REDIRECT_URI,
-        scope: OAUTH_SCOPE,
-      }).toString(),
-    });
-
-    if (!response.ok) {
-      const text = await response.text().catch(() => "");
-      logger.error("Token exchange failed", {
-        status: response.status,
-        body: text,
-      });
-      throw new Error(`Token exchange failed: ${response.status}`);
-    }
-
-    const data = (await response.json()) as {
-      access_token: string;
-      refresh_token: string;
-      expires_in: number;
-      id_token?: string;
-    };
-
-    if (!data.access_token || !data.refresh_token) {
-      throw new Error("Token response missing required fields");
-    }
-
-    const accountId = this.extractAccountId(data.access_token);
-
-    return {
-      accessToken: data.access_token,
-      refreshToken: data.refresh_token,
-      expiresIn: data.expires_in,
-      accountId,
-    };
-  }
-
-  /**
-   * Extract account ID from JWT access token (informational only).
-   * Decodes the JWT payload without signature verification because the token
-   * was obtained directly from OpenAI's token endpoint over HTTPS.
-   * The extracted accountId is used only for logging/display, not for
-   * authorization decisions.
-   */
-  extractAccountId(accessToken: string): string | undefined {
-    try {
-      const parts = accessToken.split(".");
-      if (parts.length < 2) return undefined;
-
-      const payload = JSON.parse(
-        Buffer.from(parts[1]!, "base64url").toString("utf-8")
-      );
-
-      // OpenAI stores account info under the JWT_CLAIM_PATH
-      const authClaim = payload[JWT_CLAIM_PATH];
-      if (authClaim?.organization_id) {
-        return authClaim.organization_id;
-      }
-      if (authClaim?.chatgpt_account_id) {
-        return authClaim.chatgpt_account_id;
-      }
-
-      return undefined;
-    } catch (error) {
-      logger.warn("Failed to extract account ID from JWT", { error });
-      return undefined;
-    }
-  }
-}

package/src/auth/chatgpt/index.ts

@@ -1 +0,0 @@
-export { ChatGPTOAuthModule } from "./chatgpt-oauth-module";

package/src/auth/claude/oauth-module.ts

@@ -1,280 +0,0 @@
-import { createLogger } from "@lobu/core";
-import type { ModelOption } from "../../modules/module-system";
-import { BaseProviderModule } from "../base-provider-module";
-import { resolveEnv } from "../mcp/string-substitution";
-import type { OAuthCredentials } from "../oauth/credentials";
-import {
-  type AuthProfilesManager,
-  createAuthProfileLabel,
-} from "../settings/auth-profiles-manager";
-import type { ModelPreferenceStore } from "../settings/model-preference-store";
-
-const logger = createLogger("claude-oauth-module");
-
-/**
- * Claude OAuth Module - Handles credential injection and model preferences for Claude.
- * OAuth login/logout is handled by the generic settings web page routes.
- */
-export class ClaudeOAuthModule extends BaseProviderModule {
-  private modelPreferenceStore: ModelPreferenceStore;
-
-  constructor(
-    authProfilesManager: AuthProfilesManager,
-    modelPreferenceStore: ModelPreferenceStore
-  ) {
-    super(
-      {
-        providerId: "claude",
-        providerDisplayName: "Claude",
-        providerIconUrl:
-          "https://www.google.com/s2/favicons?domain=anthropic.com&sz=128",
-        credentialEnvVarName: "CLAUDE_CODE_OAUTH_TOKEN",
-        secretEnvVarNames: [
-          "ANTHROPIC_API_KEY",
-          "ANTHROPIC_AUTH_TOKEN",
-          "CLAUDE_CODE_OAUTH_TOKEN",
-        ],
-        slug: "anthropic",
-        upstreamBaseUrl: "https://api.anthropic.com",
-        baseUrlEnvVarName: "ANTHROPIC_BASE_URL",
-        authType: "oauth",
-        supportedAuthTypes: ["oauth", "api-key"],
-        apiKeyInstructions:
-          'Enter your <a href="https://console.anthropic.com/settings/keys" target="_blank" class="text-blue-600 underline">Anthropic API key</a>:',
-        apiKeyPlaceholder: "sk-ant-...",
-        catalogDescription: "Anthropic's Claude AI with OAuth authentication",
-      },
-      authProfilesManager
-    );
-    // Preserve existing module name
-    this.name = "claude-oauth";
-    this.modelPreferenceStore = modelPreferenceStore;
-  }
-
-  // ---- Overrides for multi-env-var logic ----
-
-  override hasSystemKey(): boolean {
-    return !!(
-      resolveEnv("ANTHROPIC_AUTH_TOKEN") ||
-      resolveEnv("CLAUDE_CODE_OAUTH_TOKEN")
-    );
-  }
-
-  override injectSystemKeyFallback(
-    envVars: Record<string, string>
-  ): Record<string, string> {
-    if (!envVars.ANTHROPIC_API_KEY && !envVars.CLAUDE_CODE_OAUTH_TOKEN) {
-      // Prefer ANTHROPIC_AUTH_TOKEN (explicit user config in .env) over
-      // ANTHROPIC_API_KEY (which may be injected by Claude Code's shell env).
-      const systemApiKey =
-        resolveEnv("ANTHROPIC_AUTH_TOKEN") || resolveEnv("ANTHROPIC_API_KEY");
-      const systemOAuthToken = resolveEnv("CLAUDE_CODE_OAUTH_TOKEN");
-
-      if (systemApiKey) {
-        envVars.ANTHROPIC_API_KEY = systemApiKey;
-      } else if (systemOAuthToken) {
-        envVars.CLAUDE_CODE_OAUTH_TOKEN = systemOAuthToken;
-      }
-    }
-    return envVars;
-  }
-
-  override async buildEnvVars(
-    agentId: string,
-    envVars: Record<string, string>
-  ): Promise<Record<string, string>> {
-    const profile = await this.authProfilesManager.getBestProfile(
-      agentId,
-      this.providerId
-    );
-
-    if (profile?.credential) {
-      logger.info(`Injecting ${profile.authType} profile for space ${agentId}`);
-      if (profile.authType === "oauth") {
-        envVars.CLAUDE_CODE_OAUTH_TOKEN = profile.credential;
-      } else {
-        envVars.ANTHROPIC_API_KEY = profile.credential;
-      }
-    }
-
-    // AGENT_DEFAULT_MODEL is now delivered dynamically via session context.
-    // No longer baked into static container env vars.
-
-    return envVars;
-  }
-
-  getCliBackendConfig() {
-    return {
-      name: "claude-code",
-      command: "npx",
-      args: ["-y", "acpx@latest", "claude", "--print"],
-      modelArg: "--model",
-      sessionArg: "--session",
-    };
-  }
-
-  async getModelOptions(
-    agentId: string,
-    userId: string
-  ): Promise<ModelOption[]> {
-    const availableModels = await this.fetchClaudeModels(agentId);
-    if (availableModels.length === 0) return [];
-
-    const preferredModel =
-      await this.modelPreferenceStore.getModelPreference(userId);
-    logger.debug("Building Claude model options", {
-      agentId,
-      userId,
-      preferredModel,
-    });
-    const defaultModel =
-      preferredModel ||
-      process.env.AGENT_DEFAULT_MODEL ||
-      "claude-sonnet-4-20250514";
-    const options: ModelOption[] = [];
-    const seen = new Set<string>();
-
-    const addOption = (value: string, label: string) => {
-      if (seen.has(value)) return;
-      seen.add(value);
-      options.push({ value, label });
-    };
-
-    const defaultEntry = availableModels.find((m) => m.id === defaultModel);
-    if (defaultEntry) {
-      addOption(defaultModel, defaultEntry.display_name || defaultModel);
-    }
-
-    for (const model of availableModels) {
-      addOption(model.id, model.display_name || model.id);
-    }
-
-    return options;
-  }
-
-  async setCredentials(agentId: string, credentials: unknown): Promise<void> {
-    await this.saveOAuthCredentials(agentId, credentials as OAuthCredentials);
-  }
-
-  async deleteCredentials(agentId: string): Promise<void> {
-    await this.authProfilesManager.deleteProviderProfiles(
-      agentId,
-      this.providerId
-    );
-  }
-
-  private async saveOAuthCredentials(
-    agentId: string,
-    credentials: OAuthCredentials
-  ): Promise<void> {
-    await this.authProfilesManager.upsertProfile({
-      agentId,
-      provider: this.providerId,
-      credential: credentials.accessToken,
-      authType: "oauth",
-      label: createAuthProfileLabel(
-        this.providerDisplayName,
-        credentials.accessToken
-      ),
-      metadata: {
-        refreshToken: credentials.refreshToken,
-        expiresAt: credentials.expiresAt,
-      },
-      makePrimary: true,
-    });
-  }
-
-  private static readonly FALLBACK_MODELS: Array<{
-    id: string;
-    display_name: string;
-    type: string;
-  }> = [
-    {
-      id: "claude-sonnet-4-20250514",
-      display_name: "Claude Sonnet 4",
-      type: "model",
-    },
-    {
-      id: "claude-opus-4-20250514",
-      display_name: "Claude Opus 4",
-      type: "model",
-    },
-    {
-      id: "claude-haiku-3-5-20241022",
-      display_name: "Claude Haiku 3.5",
-      type: "model",
-    },
-  ];
-
-  private async fetchClaudeModels(
-    agentId: string
-  ): Promise<Array<{ id: string; display_name: string; type: string }>> {
-    const profile = await this.authProfilesManager.getBestProfile(
-      agentId,
-      this.providerId
-    );
-
-    const oauthToken =
-      profile?.authType === "oauth" ? profile.credential : undefined;
-    const apiKey =
-      profile?.authType !== "oauth"
-        ? profile?.credential
-        : process.env.ANTHROPIC_AUTH_TOKEN || process.env.ANTHROPIC_API_KEY;
-
-    const headers: Record<string, string> = {
-      Accept: "application/json",
-      "anthropic-version": "2023-06-01",
-    };
-    if (oauthToken) {
-      headers.Authorization = `Bearer ${oauthToken}`;
-    } else if (apiKey) {
-      headers["x-api-key"] = apiKey;
-    } else {
-      return ClaudeOAuthModule.FALLBACK_MODELS;
-    }
-
-    const response = await fetch("https://api.anthropic.com/v1/models", {
-      headers,
-    }).catch((err) => {
-      logger.warn(
-        { error: err?.message, agentId },
-        "fetchClaudeModels: fetch failed"
-      );
-      return null;
-    });
-
-    if (!response || !response.ok) {
-      logger.warn(
-        {
-          agentId,
-          status: response?.status,
-          hasOauth: !!oauthToken,
-          hasApiKey: !!apiKey,
-        },
-        "fetchClaudeModels: non-ok response, using fallback models"
-      );
-      return ClaudeOAuthModule.FALLBACK_MODELS;
-    }
-
-    const payload = (await response.json().catch(() => ({}))) as {
-      data?: Array<{ id?: string; display_name?: string; type?: string }>;
-    };
-
-    const models = (payload.data || [])
-      .map((item) => {
-        const id = item.id?.trim();
-        if (!id) return null;
-        return {
-          id,
-          display_name: item.display_name || id,
-          type: item.type || "model",
-        };
-      })
-      .filter(
-        (item): item is { id: string; display_name: string; type: string } =>
-          Boolean(item)
-      );
-
-    return models.length > 0 ? models : ClaudeOAuthModule.FALLBACK_MODELS;
-  }
-}