@oevortex/opencode-qwen-auth 0.1.0

package/src/plugin.ts

@@ -0,0 +1,444 @@
+/**
+ * Main Qwen OAuth Plugin for OpenCode
+ * Provides authentication with Qwen/Alibaba Cloud DashScope API
+ */
+
+import {
+  QWEN_PROVIDER_ID,
+  QWEN_CALLBACK_PORT,
+  QWEN_REDIRECT_URI,
+  QWEN_OAUTH_BASE_URL,
+  QWEN_OAUTH_CLIENT_ID,
+  QWEN_PORTAL_BASE_URL,
+} from "./constants";
+
+import type {
+  AuthDetails,
+  OAuthAuthDetails,
+  PluginContext,
+  PluginResult,
+  GetAuth,
+  Provider,
+  LoaderResult,
+  TokenExchangeResult,
+  AuthorizeResult,
+} from "./types";
+
+import {
+  isOAuthAuth,
+  accessTokenExpired,
+  parseRefreshParts,
+  formatRefreshParts,
+} from "./plugin/auth";
+import { refreshAccessToken } from "./plugin/token";
+import { createQwenFetch } from "./plugin/fetch-wrapper";
+import { startOAuthListener, type OAuthListener } from "./plugin/server";
+import { openBrowser, isHeadless } from "./plugin/browser";
+import { createLogger, initLogger } from "./plugin/logger";
+
+const log = createLogger("plugin");
+
+/**
+ * Generate a random state string for OAuth CSRF protection.
+ */
+function generateState(): string {
+  const array = new Uint8Array(32);
+  crypto.getRandomValues(array);
+  return Array.from(array, (byte) => byte.toString(16).padStart(2, "0")).join(
+    "",
+  );
+}
+
+/**
+ * Generate the OAuth authorization URL for Qwen.
+ */
+function generateAuthorizationUrl(state: string, redirectUri: string): string {
+  const params = new URLSearchParams({
+    response_type: "code",
+    client_id: QWEN_OAUTH_CLIENT_ID,
+    redirect_uri: redirectUri,
+    state: state,
+    scope: "openid profile",
+  });
+
+  return `${QWEN_OAUTH_BASE_URL}/api/v1/oauth2/authorize?${params.toString()}`;
+}
+
+/**
+ * Exchange authorization code for tokens.
+ */
+async function exchangeCodeForTokens(
+  code: string,
+  state: string,
+  redirectUri: string,
+): Promise<TokenExchangeResult> {
+  try {
+    const tokenUrl = `${QWEN_OAUTH_BASE_URL}/api/v1/oauth2/token`;
+
+    const bodyData = new URLSearchParams({
+      grant_type: "authorization_code",
+      code: code,
+      client_id: QWEN_OAUTH_CLIENT_ID,
+      redirect_uri: redirectUri,
+      state: state,
+    });
+
+    const response = await fetch(tokenUrl, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        Accept: "application/json",
+        "User-Agent":
+          "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
+      },
+      body: bodyData.toString(),
+    });
+
+    if (!response.ok) {
+      const errorText = await response.text();
+      log.error("Token exchange failed", {
+        status: response.status,
+        error: errorText.slice(0, 200),
+      });
+      return {
+        type: "failed",
+        error: `Token exchange failed: ${response.status} ${response.statusText}`,
+      };
+    }
+
+    const tokenData = (await response.json()) as {
+      access_token: string;
+      refresh_token: string;
+      expires_in: number;
+      token_type?: string;
+      error?: string;
+      error_description?: string;
+    };
+
+    if (tokenData.error) {
+      return {
+        type: "failed",
+        error: `${tokenData.error}: ${tokenData.error_description || "Unknown error"}`,
+      };
+    }
+
+    const expiresAt = Date.now() + tokenData.expires_in * 1000;
+
+    // Build refresh string with resource URL
+    const refreshParts = {
+      refreshToken: tokenData.refresh_token,
+      resourceUrl: QWEN_PORTAL_BASE_URL,
+    };
+
+    return {
+      type: "success",
+      access: tokenData.access_token,
+      refresh: formatRefreshParts(refreshParts),
+      expires: expiresAt,
+      resourceUrl: QWEN_PORTAL_BASE_URL,
+    };
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : String(error);
+    log.error("Token exchange exception", { error: errorMessage });
+    return {
+      type: "failed",
+      error: `Token exchange failed: ${errorMessage}`,
+    };
+  }
+}
+
+/**
+ * Perform OAuth authentication flow.
+ */
+async function authenticateWithOAuth(
+  client: PluginContext["client"],
+): Promise<TokenExchangeResult> {
+  const headless = isHeadless();
+  const state = generateState();
+  const redirectUri = QWEN_REDIRECT_URI;
+  const authUrl = generateAuthorizationUrl(state, redirectUri);
+
+  let listener: OAuthListener | null = null;
+
+  // Try to start callback listener (non-headless only)
+  if (!headless) {
+    try {
+      listener = await startOAuthListener(QWEN_CALLBACK_PORT);
+      log.info("OAuth callback server started", { port: listener.port });
+    } catch (error) {
+      log.warn("Could not start callback listener", {
+        error: error instanceof Error ? error.message : String(error),
+      });
+      await client.tui.showToast({
+        body: {
+          message:
+            "Couldn't start callback listener. Falling back to manual copy/paste.",
+          variant: "warning",
+        },
+      });
+    }
+  }
+
+  // Try to open browser
+  if (!headless) {
+    try {
+      await openBrowser(authUrl);
+      log.info("Browser opened for authentication");
+    } catch {
+      await client.tui.showToast({
+        body: {
+          message:
+            "Could not open browser automatically. Please copy/paste the URL.",
+          variant: "warning",
+        },
+      });
+    }
+  }
+
+  // Handle authentication based on mode
+  if (listener) {
+    // Automatic mode - wait for callback
+    await client.tui.showToast({
+      body: {
+        message: "Waiting for browser authentication...",
+        variant: "info",
+      },
+    });
+
+    try {
+      const callbackUrl = await listener.waitForCallback();
+      const code = callbackUrl.searchParams.get("code");
+      const returnedState = callbackUrl.searchParams.get("state");
+
+      if (!code) {
+        return {
+          type: "failed",
+          error: "Missing authorization code in callback",
+        };
+      }
+
+      if (returnedState !== state) {
+        return {
+          type: "failed",
+          error: "State mismatch - possible CSRF attack",
+        };
+      }
+
+      return exchangeCodeForTokens(code, state, redirectUri);
+    } catch (error) {
+      return {
+        type: "failed",
+        error:
+          error instanceof Error ? error.message : "Unknown callback error",
+      };
+    } finally {
+      try {
+        await listener.close();
+      } catch {}
+    }
+  } else {
+    // Manual mode - prompt for callback URL
+    console.log("\n=== Qwen OAuth Setup ===");
+    console.log(`Open this URL in your browser:\n${authUrl}\n`);
+
+    // Dynamic import for readline to avoid module resolution issues
+    const readlineModule = await import("readline");
+    const rl = readlineModule.createInterface({
+      input: process.stdin,
+      output: process.stdout,
+    });
+
+    const question = (prompt: string): Promise<string> => {
+      return new Promise((resolve) => {
+        rl.question(prompt, (answer) => {
+          resolve(answer as string);
+        });
+      });
+    };
+
+    try {
+      const callbackUrlStr = await question(
+        "Paste the full redirect URL here: ",
+      );
+      const callbackUrl = new URL(callbackUrlStr);
+      const code = callbackUrl.searchParams.get("code");
+      const returnedState = callbackUrl.searchParams.get("state");
+
+      if (!code) {
+        return {
+          type: "failed",
+          error: "Missing authorization code in callback URL",
+        };
+      }
+
+      if (returnedState !== state) {
+        return {
+          type: "failed",
+          error: "State mismatch - possible CSRF attack",
+        };
+      }
+
+      return exchangeCodeForTokens(code, state, redirectUri);
+    } catch (error) {
+      return {
+        type: "failed",
+        error:
+          error instanceof Error
+            ? error.message
+            : "Failed to parse callback URL",
+      };
+    } finally {
+      rl.close();
+    }
+  }
+}
+
+/**
+ * Main Qwen OAuth Plugin export.
+ *
+ * This plugin provides:
+ * - OAuth authentication with Qwen/Alibaba Cloud
+ * - Automatic token refresh
+ * - Request handling with proper authentication headers
+ */
+export async function QwenOAuthPlugin({
+  client,
+}: PluginContext): Promise<PluginResult> {
+  // Initialize logger with plugin client
+  initLogger(client);
+  log.info("Qwen OAuth Plugin initialized");
+
+  // Cache for getAuth function
+  let cachedGetAuth: GetAuth | null = null;
+
+  return {
+    auth: {
+      provider: QWEN_PROVIDER_ID,
+
+      /**
+       * Loader function called when the provider is used.
+       * Returns configuration for API calls.
+       */
+      loader: async (
+        getAuth: GetAuth,
+        provider: Provider,
+      ): Promise<LoaderResult | Record<string, unknown>> => {
+        cachedGetAuth = getAuth;
+
+        const auth = await getAuth();
+
+        if (!isOAuthAuth(auth)) {
+          // Not OAuth auth - return empty config
+          return {};
+        }
+
+        log.debug("Loading Qwen provider configuration");
+
+        // Set cost to 0 for all models (free with OAuth)
+        if (provider.models) {
+          for (const model of Object.values(provider.models)) {
+            if (model) {
+              model.cost = { input: 0, output: 0 };
+            }
+          }
+        }
+
+        // Ensure we have a valid access token
+        let currentAuth = auth;
+        if (accessTokenExpired(currentAuth)) {
+          log.info("Access token expired, refreshing...");
+          const refreshed = await refreshAccessToken(currentAuth, client);
+          if (refreshed) {
+            currentAuth = refreshed;
+
+            // Save refreshed auth
+            try {
+              await client.auth.set({
+                path: { id: QWEN_PROVIDER_ID },
+                body: {
+                  type: "oauth",
+                  access: refreshed.access,
+                  refresh: refreshed.refresh,
+                  expires: refreshed.expires,
+                },
+              });
+            } catch (error) {
+              log.warn("Failed to save refreshed auth", {
+                error: error instanceof Error ? error.message : String(error),
+              });
+            }
+          }
+        }
+
+        // Get base URL from auth
+        const parts = parseRefreshParts(currentAuth.refresh);
+        let baseUrl = parts.resourceUrl || QWEN_PORTAL_BASE_URL;
+        if (!baseUrl.endsWith("/v1")) {
+          baseUrl = baseUrl.replace(/\/+$/, "") + "/v1";
+        }
+
+        // Create fetch wrapper with auth handling
+        const qwenFetch = createQwenFetch(getAuth, client);
+
+        return {
+          apiKey: "", // Empty - using OAuth
+          baseUrl: baseUrl,
+          fetch: qwenFetch,
+        };
+      },
+
+      /**
+       * Authentication methods available to the user.
+       */
+      methods: [
+        {
+          label: "OAuth with Qwen (Alibaba Cloud)",
+          type: "oauth",
+          authorize: async (): Promise<AuthorizeResult> => {
+            const result = await authenticateWithOAuth(client);
+
+            if (result.type === "failed") {
+              await client.tui.showToast({
+                body: {
+                  message: `Authentication failed: ${result.error}`,
+                  variant: "error",
+                },
+              });
+            } else {
+              await client.tui.showToast({
+                body: {
+                  message: "Successfully authenticated with Qwen!",
+                  variant: "success",
+                },
+              });
+            }
+
+            return {
+              url: "",
+              instructions:
+                result.type === "success"
+                  ? "Authentication complete!"
+                  : result.error || "Authentication failed",
+              method: "auto",
+              callback: async () => result,
+            };
+          },
+        },
+        {
+          label: "Manually enter API Key",
+          type: "api",
+          prompts: [
+            {
+              type: "text",
+              message: "Enter your DashScope API Key",
+              key: "apiKey",
+            },
+          ],
+        },
+      ],
+    },
+  };
+}
+
+// Default export for convenience
+export default QwenOAuthPlugin;

package/src/qwen/oauth.ts

@@ -0,0 +1,271 @@
+/**
+ * Qwen OAuth Manager
+ * Handles OAuth token management for Qwen Code API
+ * Based on revibe/core/llm/backend/qwen/oauth.py
+ */
+
+import { homedir } from "node:os";
+import { join } from "node:path";
+import { readFileSync, writeFileSync, mkdirSync, existsSync } from "node:fs";
+
+import {
+  QWEN_DIR,
+  QWEN_CREDENTIAL_FILENAME,
+  QWEN_OAUTH_TOKEN_ENDPOINT,
+  QWEN_OAUTH_CLIENT_ID,
+  QWEN_DEFAULT_BASE_URL,
+  TOKEN_REFRESH_BUFFER_MS,
+  HTTP_OK,
+} from "../constants";
+
+import type { QwenOAuthCredentials, QwenTokenResponse } from "../types";
+
+/**
+ * Get the path to the cached OAuth credentials file.
+ */
+export function getQwenCachedCredentialPath(customPath?: string): string {
+  if (customPath) {
+    if (customPath.startsWith("~/")) {
+      return join(homedir(), customPath.slice(2));
+    }
+    return customPath;
+  }
+  return join(homedir(), QWEN_DIR, QWEN_CREDENTIAL_FILENAME);
+}
+
+/**
+ * Convert an object to URL-encoded form data string.
+ */
+function objectToUrlEncoded(data: Record<string, string>): string {
+  return Object.entries(data)
+    .map(([key, value]) => `${encodeURIComponent(key)}=${encodeURIComponent(value)}`)
+    .join("&");
+}
+
+/**
+ * Manages OAuth authentication for Qwen Code API.
+ */
+export class QwenOAuthManager {
+  private oauthPath?: string;
+  private credentials: QwenOAuthCredentials | null = null;
+  private refreshLock = false;
+
+  constructor(oauthPath?: string) {
+    this.oauthPath = oauthPath;
+  }
+
+  /**
+   * Load OAuth credentials from the cached file.
+   */
+  private loadCachedCredentials(): QwenOAuthCredentials {
+    const keyFile = getQwenCachedCredentialPath(this.oauthPath);
+
+    if (!existsSync(keyFile)) {
+      throw new Error(
+        `Qwen OAuth credentials not found at ${keyFile}. ` +
+        "Please login using the Qwen Code CLI first: qwen-code auth login"
+      );
+    }
+
+    try {
+      const content = readFileSync(keyFile, "utf-8");
+      const data = JSON.parse(content) as Record<string, unknown>;
+
+      if (!data.access_token || !data.refresh_token || !data.expiry_date) {
+        throw new Error("Missing required fields in credentials file");
+      }
+
+      return {
+        access_token: data.access_token as string,
+        refresh_token: data.refresh_token as string,
+        token_type: (data.token_type as string) || "Bearer",
+        expiry_date: data.expiry_date as number,
+        resource_url: data.resource_url as string | undefined,
+      };
+    } catch (error) {
+      if (error instanceof SyntaxError) {
+        throw new Error(`Invalid Qwen OAuth credentials file: ${error.message}`);
+      }
+      throw error;
+    }
+  }
+
+  /**
+   * Refresh the OAuth access token.
+   */
+  async refreshAccessToken(credentials: QwenOAuthCredentials): Promise<QwenOAuthCredentials> {
+    if (this.refreshLock) {
+      // Wait for ongoing refresh
+      while (this.refreshLock) {
+        await new Promise((resolve) => setTimeout(resolve, 100));
+      }
+      return this.credentials || credentials;
+    }
+
+    this.refreshLock = true;
+
+    try {
+      if (!credentials.refresh_token) {
+        throw new Error("No refresh token available in credentials.");
+      }
+
+      const bodyData = {
+        grant_type: "refresh_token",
+        refresh_token: credentials.refresh_token,
+        client_id: QWEN_OAUTH_CLIENT_ID,
+      };
+
+      const response = await fetch(QWEN_OAUTH_TOKEN_ENDPOINT, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/x-www-form-urlencoded",
+          "Accept": "application/json",
+          "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
+        },
+        body: objectToUrlEncoded(bodyData),
+      });
+
+      if (response.status !== HTTP_OK) {
+        const errorText = await response.text();
+        throw new Error(
+          `Token refresh failed: ${response.status} ${response.statusText}. Response: ${errorText}`
+        );
+      }
+
+      let tokenData: QwenTokenResponse;
+      try {
+        tokenData = (await response.json()) as QwenTokenResponse;
+      } catch {
+        const text = await response.text();
+        throw new Error(
+          `Token refresh failed: Invalid JSON response from OAuth endpoint. Response: ${text.slice(0, 200)}`
+        );
+      }
+
+      if (tokenData.error) {
+        throw new Error(
+          `Token refresh failed: ${tokenData.error} - ${tokenData.error_description || "Unknown error"}`
+        );
+      }
+
+      const newCredentials: QwenOAuthCredentials = {
+        access_token: tokenData.access_token,
+        token_type: tokenData.token_type || "Bearer",
+        refresh_token: tokenData.refresh_token || credentials.refresh_token,
+        expiry_date: Date.now() + tokenData.expires_in * 1000,
+        resource_url: credentials.resource_url,
+      };
+
+      // Save refreshed credentials
+      this.saveCredentials(newCredentials);
+      this.credentials = newCredentials;
+
+      return newCredentials;
+    } finally {
+      this.refreshLock = false;
+    }
+  }
+
+  /**
+   * Save credentials to the cache file.
+   */
+  private saveCredentials(credentials: QwenOAuthCredentials): void {
+    const filePath = getQwenCachedCredentialPath(this.oauthPath);
+
+    try {
+      const dir = join(filePath, "..");
+      if (!existsSync(dir)) {
+        mkdirSync(dir, { recursive: true });
+      }
+
+      writeFileSync(
+        filePath,
+        JSON.stringify(
+          {
+            access_token: credentials.access_token,
+            refresh_token: credentials.refresh_token,
+            token_type: credentials.token_type,
+            expiry_date: credentials.expiry_date,
+            resource_url: credentials.resource_url,
+          },
+          null,
+          2
+        ),
+        "utf-8"
+      );
+    } catch (error) {
+      // Continue with refreshed token in memory even if file write fails
+      console.warn(`Warning: Failed to save refreshed credentials: ${error}`);
+    }
+  }
+
+  /**
+   * Check if the access token is still valid.
+   */
+  private isTokenValid(credentials: QwenOAuthCredentials): boolean {
+    if (!credentials.expiry_date) {
+      return false;
+    }
+    return Date.now() < credentials.expiry_date - TOKEN_REFRESH_BUFFER_MS;
+  }
+
+  /**
+   * Invalidate cached credentials to force a refresh on next request.
+   */
+  invalidateCredentials(): void {
+    this.credentials = null;
+  }
+
+  /**
+   * Ensure we have valid authentication credentials.
+   * @returns Tuple of [access_token, base_url]
+   */
+  async ensureAuthenticated(forceRefresh = false): Promise<[string, string]> {
+    // Always reload credentials from file to pick up external updates
+    this.credentials = this.loadCachedCredentials();
+
+    if (forceRefresh || !this.isTokenValid(this.credentials)) {
+      this.credentials = await this.refreshAccessToken(this.credentials);
+    }
+
+    return [this.credentials.access_token, this.getBaseUrl(this.credentials)];
+  }
+
+  /**
+   * Get the API base URL from credentials.
+   */
+  private getBaseUrl(credentials: QwenOAuthCredentials): string {
+    let baseUrl = credentials.resource_url || QWEN_DEFAULT_BASE_URL;
+
+    if (!baseUrl.startsWith("http://") && !baseUrl.startsWith("https://")) {
+      baseUrl = `https://${baseUrl}`;
+    }
+
+    // Remove trailing slashes and add /v1 if not present
+    baseUrl = baseUrl.replace(/\/+$/, "");
+    if (!baseUrl.endsWith("/v1")) {
+      baseUrl = `${baseUrl}/v1`;
+    }
+
+    return baseUrl;
+  }
+
+  /**
+   * Get the current credentials, refreshing if needed.
+   */
+  async getCredentials(): Promise<QwenOAuthCredentials> {
+    await this.ensureAuthenticated();
+    if (!this.credentials) {
+      throw new Error("Failed to get credentials");
+    }
+    return this.credentials;
+  }
+}
+
+/**
+ * Check if OAuth credentials exist.
+ */
+export function hasQwenCredentials(customPath?: string): boolean {
+  const keyFile = getQwenCachedCredentialPath(customPath);
+  return existsSync(keyFile);
+}