@oh-my-pi/pi-ai 3.20.0 → 3.34.0

package/src/utils/oauth/google-antigravity.ts

@@ -6,6 +6,7 @@
  * It is only intended for CLI use, not browser environments.
  */
 
+import type { Server } from "http";
 import { generatePKCE } from "./pkce";
 import type { OAuthCredentials } from "./types";
 
@@ -32,71 +33,97 @@ const TOKEN_URL = "https://oauth2.googleapis.com/token";
 // Fallback project ID when discovery fails
 const DEFAULT_PROJECT_ID = "rising-fact-p41fc";
 
+type CallbackServerInfo = {
+	server: Server;
+	cancelWait: () => void;
+	waitForCode: () => Promise<{ code: string; state: string } | null>;
+};
+
 /**
  * Start a local HTTP server to receive the OAuth callback
  */
-async function startCallbackServer(): Promise<{
-	server: { stop: () => void };
-	getCode: () => Promise<{ code: string; state: string }>;
-}> {
+async function startCallbackServer(): Promise<CallbackServerInfo> {
+	const { createServer } = await import("http");
+
 	return new Promise((resolve, reject) => {
-		let codeResolve: (value: { code: string; state: string }) => void;
-		let codeReject: (error: Error) => void;
+		let result: { code: string; state: string } | null = null;
+		let cancelled = false;
 
-		const codePromise = new Promise<{ code: string; state: string }>((res, rej) => {
-			codeResolve = res;
-			codeReject = rej;
-		});
+		const server = createServer((req, res) => {
+			const url = new URL(req.url || "", `http://localhost:51121`);
 
-		const server = Bun.serve({
-			port: 51121,
-			hostname: "127.0.0.1",
-			fetch(req) {
-				const url = new URL(req.url);
-
-				if (url.pathname === "/oauth-callback") {
-					const code = url.searchParams.get("code");
-					const state = url.searchParams.get("state");
-					const error = url.searchParams.get("error");
-
-					if (error) {
-						codeReject(new Error(`OAuth error: ${error}`));
-						return new Response(
-							`<html><body><h1>Authentication Failed</h1><p>Error: ${error}</p><p>You can close this window.</p></body></html>`,
-							{ status: 400, headers: { "Content-Type": "text/html" } },
-						);
-					}
+			if (url.pathname === "/oauth-callback") {
+				const code = url.searchParams.get("code");
+				const state = url.searchParams.get("state");
+				const error = url.searchParams.get("error");
 
-					if (code && state) {
-						codeResolve({ code, state });
-						return new Response(
-							`<html><body><h1>Authentication Successful</h1><p>You can close this window and return to the terminal.</p></body></html>`,
-							{ status: 200, headers: { "Content-Type": "text/html" } },
-						);
-					}
+				if (error) {
+					res.writeHead(400, { "Content-Type": "text/html" });
+					res.end(
+						`<html><body><h1>Authentication Failed</h1><p>Error: ${error}</p><p>You can close this window.</p></body></html>`,
+					);
+					return;
+				}
 
-					codeReject(new Error("Missing code or state in callback"));
-					return new Response(
+				if (code && state) {
+					res.writeHead(200, { "Content-Type": "text/html" });
+					res.end(
+						`<html><body><h1>Authentication Successful</h1><p>You can close this window and return to the terminal.</p></body></html>`,
+					);
+					result = { code, state };
+				} else {
+					res.writeHead(400, { "Content-Type": "text/html" });
+					res.end(
 						`<html><body><h1>Authentication Failed</h1><p>Missing code or state parameter.</p></body></html>`,
-						{ status: 400, headers: { "Content-Type": "text/html" } },
 					);
 				}
+			} else {
+				res.writeHead(404);
+				res.end();
+			}
+		});
 
-				return new Response(null, { status: 404 });
-			},
-			error(err) {
-				reject(err);
-				return new Response("Internal Server Error", { status: 500 });
-			},
+		server.on("error", (err) => {
+			reject(err);
 		});
 
-		resolve({
-			server,
-			getCode: () => codePromise,
+		server.listen(51121, "127.0.0.1", () => {
+			resolve({
+				server,
+				cancelWait: () => {
+					cancelled = true;
+				},
+				waitForCode: async () => {
+					const sleep = () => new Promise((r) => setTimeout(r, 100));
+					while (!result && !cancelled) {
+						await sleep();
+					}
+					return result;
+				},
+			});
 		});
 	});
 }
 
+/**
+ * Parse redirect URL to extract code and state
+ */
+function parseRedirectUrl(input: string): { code?: string; state?: string } {
+	const value = input.trim();
+	if (!value) return {};
+
+	try {
+		const url = new URL(value);
+		return {
+			code: url.searchParams.get("code") ?? undefined,
+			state: url.searchParams.get("state") ?? undefined,
+		};
+	} catch {
+		// Not a URL, return empty
+		return {};
+	}
+}
+
 interface LoadCodeAssistPayload {
 	cloudaicompanionProject?: string | { id?: string };
 	currentTier?: { id?: string };
@@ -223,16 +250,21 @@ export async function refreshAntigravityToken(refreshToken: string, projectId: s
  *
  * @param onAuth - Callback with URL and optional instructions
  * @param onProgress - Optional progress callback
+ * @param onManualCodeInput - Optional promise that resolves with user-pasted redirect URL.
+ *                            Races with browser callback - whichever completes first wins.
  */
 export async function loginAntigravity(
 	onAuth: (info: { url: string; instructions?: string }) => void,
 	onProgress?: (message: string) => void,
+	onManualCodeInput?: () => Promise<string>,
 ): Promise<OAuthCredentials> {
 	const { verifier, challenge } = await generatePKCE();
 
 	// Start local server for callback
 	onProgress?.("Starting local server for OAuth callback...");
-	const { server, getCode } = await startCallbackServer();
+	const server = await startCallbackServer();
+
+	let code: string | undefined;
 
 	try {
 		// Build authorization URL
@@ -253,16 +285,75 @@ export async function loginAntigravity(
 		// Notify caller with URL to open
 		onAuth({
 			url: authUrl,
-			instructions: "Complete the sign-in in your browser. The callback will be captured automatically.",
+			instructions: "Complete the sign-in in your browser.",
 		});
 
-		// Wait for the callback
+		// Wait for the callback, racing with manual input if provided
 		onProgress?.("Waiting for OAuth callback...");
-		const { code, state } = await getCode();
 
-		// Verify state matches
-		if (state !== verifier) {
-			throw new Error("OAuth state mismatch - possible CSRF attack");
+		if (onManualCodeInput) {
+			// Race between browser callback and manual input
+			let manualInput: string | undefined;
+			let manualError: Error | undefined;
+			const manualPromise = onManualCodeInput()
+				.then((input) => {
+					manualInput = input;
+					server.cancelWait();
+				})
+				.catch((err) => {
+					manualError = err instanceof Error ? err : new Error(String(err));
+					server.cancelWait();
+				});
+
+			const result = await server.waitForCode();
+
+			// If manual input was cancelled, throw that error
+			if (manualError) {
+				throw manualError;
+			}
+
+			if (result?.code) {
+				// Browser callback won - verify state
+				if (result.state !== verifier) {
+					throw new Error("OAuth state mismatch - possible CSRF attack");
+				}
+				code = result.code;
+			} else if (manualInput) {
+				// Manual input won
+				const parsed = parseRedirectUrl(manualInput);
+				if (parsed.state && parsed.state !== verifier) {
+					throw new Error("OAuth state mismatch - possible CSRF attack");
+				}
+				code = parsed.code;
+			}
+
+			// If still no code, wait for manual promise and try that
+			if (!code) {
+				await manualPromise;
+				if (manualError) {
+					throw manualError;
+				}
+				if (manualInput) {
+					const parsed = parseRedirectUrl(manualInput);
+					if (parsed.state && parsed.state !== verifier) {
+						throw new Error("OAuth state mismatch - possible CSRF attack");
+					}
+					code = parsed.code;
+				}
+			}
+		} else {
+			// Original flow: just wait for callback
+			const result = await server.waitForCode();
+			if (result?.code) {
+				if (result.state !== verifier) {
+					throw new Error("OAuth state mismatch - possible CSRF attack");
+				}
+				code = result.code;
+			}
+		}
+
+		if (!code) {
+			throw new Error("No authorization code received");
 		}
 
 		// Exchange code for tokens
@@ -317,6 +408,6 @@ export async function loginAntigravity(
 
 		return credentials;
 	} finally {
-		server.stop();
+		server.server.close();
 	}
 }

package/src/utils/oauth/google-gemini-cli.ts

@@ -6,6 +6,7 @@
  * It is only intended for CLI use, not browser environments.
  */
 
+import type { Server } from "http";
 import { generatePKCE } from "./pkce";
 import type { OAuthCredentials } from "./types";
 
@@ -24,71 +25,97 @@ const AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth";
 const TOKEN_URL = "https://oauth2.googleapis.com/token";
 const CODE_ASSIST_ENDPOINT = "https://cloudcode-pa.googleapis.com";
 
+type CallbackServerInfo = {
+	server: Server;
+	cancelWait: () => void;
+	waitForCode: () => Promise<{ code: string; state: string } | null>;
+};
+
 /**
  * Start a local HTTP server to receive the OAuth callback
  */
-async function startCallbackServer(): Promise<{
-	server: { stop: () => void };
-	getCode: () => Promise<{ code: string; state: string }>;
-}> {
+async function startCallbackServer(): Promise<CallbackServerInfo> {
+	const { createServer } = await import("http");
+
 	return new Promise((resolve, reject) => {
-		let codeResolve: (value: { code: string; state: string }) => void;
-		let codeReject: (error: Error) => void;
+		let result: { code: string; state: string } | null = null;
+		let cancelled = false;
 
-		const codePromise = new Promise<{ code: string; state: string }>((res, rej) => {
-			codeResolve = res;
-			codeReject = rej;
-		});
+		const server = createServer((req, res) => {
+			const url = new URL(req.url || "", `http://localhost:8085`);
 
-		const server = Bun.serve({
-			port: 8085,
-			hostname: "127.0.0.1",
-			fetch(req) {
-				const url = new URL(req.url);
-
-				if (url.pathname === "/oauth2callback") {
-					const code = url.searchParams.get("code");
-					const state = url.searchParams.get("state");
-					const error = url.searchParams.get("error");
-
-					if (error) {
-						codeReject(new Error(`OAuth error: ${error}`));
-						return new Response(
-							`<html><body><h1>Authentication Failed</h1><p>Error: ${error}</p><p>You can close this window.</p></body></html>`,
-							{ status: 400, headers: { "Content-Type": "text/html" } },
-						);
-					}
+			if (url.pathname === "/oauth2callback") {
+				const code = url.searchParams.get("code");
+				const state = url.searchParams.get("state");
+				const error = url.searchParams.get("error");
 
-					if (code && state) {
-						codeResolve({ code, state });
-						return new Response(
-							`<html><body><h1>Authentication Successful</h1><p>You can close this window and return to the terminal.</p></body></html>`,
-							{ status: 200, headers: { "Content-Type": "text/html" } },
-						);
-					}
+				if (error) {
+					res.writeHead(400, { "Content-Type": "text/html" });
+					res.end(
+						`<html><body><h1>Authentication Failed</h1><p>Error: ${error}</p><p>You can close this window.</p></body></html>`,
+					);
+					return;
+				}
 
-					codeReject(new Error("Missing code or state in callback"));
-					return new Response(
+				if (code && state) {
+					res.writeHead(200, { "Content-Type": "text/html" });
+					res.end(
+						`<html><body><h1>Authentication Successful</h1><p>You can close this window and return to the terminal.</p></body></html>`,
+					);
+					result = { code, state };
+				} else {
+					res.writeHead(400, { "Content-Type": "text/html" });
+					res.end(
 						`<html><body><h1>Authentication Failed</h1><p>Missing code or state parameter.</p></body></html>`,
-						{ status: 400, headers: { "Content-Type": "text/html" } },
 					);
 				}
+			} else {
+				res.writeHead(404);
+				res.end();
+			}
+		});
 
-				return new Response(null, { status: 404 });
-			},
-			error(err) {
-				reject(err);
-				return new Response("Internal Server Error", { status: 500 });
-			},
+		server.on("error", (err) => {
+			reject(err);
 		});
 
-		resolve({
-			server,
-			getCode: () => codePromise,
+		server.listen(8085, "127.0.0.1", () => {
+			resolve({
+				server,
+				cancelWait: () => {
+					cancelled = true;
+				},
+				waitForCode: async () => {
+					const sleep = () => new Promise((r) => setTimeout(r, 100));
+					while (!result && !cancelled) {
+						await sleep();
+					}
+					return result;
+				},
+			});
 		});
 	});
 }
 
+/**
+ * Parse redirect URL to extract code and state
+ */
+function parseRedirectUrl(input: string): { code?: string; state?: string } {
+	const value = input.trim();
+	if (!value) return {};
+
+	try {
+		const url = new URL(value);
+		return {
+			code: url.searchParams.get("code") ?? undefined,
+			state: url.searchParams.get("state") ?? undefined,
+		};
+	} catch {
+		// Not a URL, return empty
+		return {};
+	}
+}
+
 interface LoadCodeAssistPayload {
 	cloudaicompanionProject?: string;
 	currentTier?: { id?: string };
@@ -254,16 +281,21 @@ export async function refreshGoogleCloudToken(refreshToken: string, projectId: s
  *
  * @param onAuth - Callback with URL and optional instructions
  * @param onProgress - Optional progress callback
+ * @param onManualCodeInput - Optional promise that resolves with user-pasted redirect URL.
+ *                            Races with browser callback - whichever completes first wins.
  */
 export async function loginGeminiCli(
 	onAuth: (info: { url: string; instructions?: string }) => void,
 	onProgress?: (message: string) => void,
+	onManualCodeInput?: () => Promise<string>,
 ): Promise<OAuthCredentials> {
 	const { verifier, challenge } = await generatePKCE();
 
 	// Start local server for callback
 	onProgress?.("Starting local server for OAuth callback...");
-	const { server, getCode } = await startCallbackServer();
+	const server = await startCallbackServer();
+
+	let code: string | undefined;
 
 	try {
 		// Build authorization URL
@@ -284,16 +316,75 @@ export async function loginGeminiCli(
 		// Notify caller with URL to open
 		onAuth({
 			url: authUrl,
-			instructions: "Complete the sign-in in your browser. The callback will be captured automatically.",
+			instructions: "Complete the sign-in in your browser.",
 		});
 
-		// Wait for the callback
+		// Wait for the callback, racing with manual input if provided
 		onProgress?.("Waiting for OAuth callback...");
-		const { code, state } = await getCode();
 
-		// Verify state matches
-		if (state !== verifier) {
-			throw new Error("OAuth state mismatch - possible CSRF attack");
+		if (onManualCodeInput) {
+			// Race between browser callback and manual input
+			let manualInput: string | undefined;
+			let manualError: Error | undefined;
+			const manualPromise = onManualCodeInput()
+				.then((input) => {
+					manualInput = input;
+					server.cancelWait();
+				})
+				.catch((err) => {
+					manualError = err instanceof Error ? err : new Error(String(err));
+					server.cancelWait();
+				});
+
+			const result = await server.waitForCode();
+
+			// If manual input was cancelled, throw that error
+			if (manualError) {
+				throw manualError;
+			}
+
+			if (result?.code) {
+				// Browser callback won - verify state
+				if (result.state !== verifier) {
+					throw new Error("OAuth state mismatch - possible CSRF attack");
+				}
+				code = result.code;
+			} else if (manualInput) {
+				// Manual input won
+				const parsed = parseRedirectUrl(manualInput);
+				if (parsed.state && parsed.state !== verifier) {
+					throw new Error("OAuth state mismatch - possible CSRF attack");
+				}
+				code = parsed.code;
+			}
+
+			// If still no code, wait for manual promise and try that
+			if (!code) {
+				await manualPromise;
+				if (manualError) {
+					throw manualError;
+				}
+				if (manualInput) {
+					const parsed = parseRedirectUrl(manualInput);
+					if (parsed.state && parsed.state !== verifier) {
+						throw new Error("OAuth state mismatch - possible CSRF attack");
+					}
+					code = parsed.code;
+				}
+			}
+		} else {
+			// Original flow: just wait for callback
+			const result = await server.waitForCode();
+			if (result?.code) {
+				if (result.state !== verifier) {
+					throw new Error("OAuth state mismatch - possible CSRF attack");
+				}
+				code = result.code;
+			}
+		}
+
+		if (!code) {
+			throw new Error("No authorization code received");
 		}
 
 		// Exchange code for tokens
@@ -348,6 +439,6 @@ export async function loginGeminiCli(
 
 		return credentials;
 	} finally {
-		server.stop();
+		server.server.close();
 	}
 }

package/src/utils/oauth/index.ts

@@ -133,6 +133,11 @@ export function getOAuthProviders(): OAuthProviderInfo[] {
 			name: "Anthropic (Claude Pro/Max)",
 			available: true,
 		},
+		{
+			id: "openai-codex",
+			name: "ChatGPT Plus/Pro (Codex Subscription)",
+			available: true,
+		},
 		{
 			id: "github-copilot",
 			name: "GitHub Copilot",
@@ -148,10 +153,5 @@ export function getOAuthProviders(): OAuthProviderInfo[] {
 			name: "Antigravity (Gemini 3, Claude, GPT-OSS)",
 			available: true,
 		},
-		{
-			id: "openai-codex",
-			name: "ChatGPT Plus/Pro (Codex Subscription)",
-			available: true,
-		},
 	];
 }