@oh-my-pi/pi-ai 6.7.67 → 6.8.0

package/src/utils/oauth/google-gemini-cli.ts

@@ -1,21 +1,19 @@
 /**
  * Gemini CLI OAuth flow (Google Cloud Code Assist)
  * Standard Gemini models only (gemini-2.0-flash, gemini-2.5-*)
- *
- * NOTE: This module uses Node.js http.createServer for the OAuth callback.
- * It is only intended for CLI use, not browser environments.
  */
 
-import type { Server } from "http";
+import { OAuthCallbackFlow } from "./callback-server";
 import { generatePKCE } from "./pkce";
-import type { OAuthCredentials } from "./types";
+import type { OAuthController, OAuthCredentials } from "./types";
 
 const decode = (s: string) => atob(s);
 const CLIENT_ID = decode(
 	"NjgxMjU1ODA5Mzk1LW9vOGZ0Mm9wcmRybnA5ZTNhcWY2YXYzaG1kaWIxMzVqLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29t",
 );
 const CLIENT_SECRET = decode("R09DU1BYLTR1SGdNUG0tMW83U2stZ2VWNkN1NWNsWEZzeGw=");
-const REDIRECT_URI = "http://localhost:8085/oauth2callback";
+const CALLBACK_PORT = 8085;
+const CALLBACK_PATH = "/oauth2callback";
 const SCOPES = [
 	"https://www.googleapis.com/auth/cloud-platform",
 	"https://www.googleapis.com/auth/userinfo.email",
@@ -25,106 +23,12 @@ const AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth";
 const TOKEN_URL = "https://oauth2.googleapis.com/token";
 const CODE_ASSIST_ENDPOINT = "https://cloudcode-pa.googleapis.com";
 
-type CallbackServerInfo = {
-	server: Server;
-	cancelWait: () => void;
-	waitForCode: () => Promise<{ code: string; state: string } | null>;
-};
-
-/**
- * Start a local HTTP server to receive the OAuth callback
- */
-async function startCallbackServer(): Promise<CallbackServerInfo> {
-	const { createServer } = await import("http");
-
-	return new Promise((resolve, reject) => {
-		let result: { code: string; state: string } | null = null;
-		let cancelled = false;
-
-		const server = createServer((req, res) => {
-			const url = new URL(req.url || "", `http://localhost:8085`);
-
-			if (url.pathname === "/oauth2callback") {
-				const code = url.searchParams.get("code");
-				const state = url.searchParams.get("state");
-				const error = url.searchParams.get("error");
-
-				if (error) {
-					res.writeHead(400, { "Content-Type": "text/html" });
-					res.end(
-						`<html><body><h1>Authentication Failed</h1><p>Error: ${error}</p><p>You can close this window.</p></body></html>`,
-					);
-					return;
-				}
-
-				if (code && state) {
-					res.writeHead(200, { "Content-Type": "text/html" });
-					res.end(
-						`<html><body><h1>Authentication Successful</h1><p>You can close this window and return to the terminal.</p></body></html>`,
-					);
-					result = { code, state };
-				} else {
-					res.writeHead(400, { "Content-Type": "text/html" });
-					res.end(
-						`<html><body><h1>Authentication Failed</h1><p>Missing code or state parameter.</p></body></html>`,
-					);
-				}
-			} else {
-				res.writeHead(404);
-				res.end();
-			}
-		});
-
-		server.on("error", (err) => {
-			reject(err);
-		});
-
-		server.listen(8085, "127.0.0.1", () => {
-			resolve({
-				server,
-				cancelWait: () => {
-					cancelled = true;
-				},
-				waitForCode: async () => {
-					const sleep = () => new Promise((r) => setTimeout(r, 100));
-					while (!result && !cancelled) {
-						await sleep();
-					}
-					return result;
-				},
-			});
-		});
-	});
-}
-
-/**
- * Parse redirect URL to extract code and state
- */
-function parseRedirectUrl(input: string): { code?: string; state?: string } {
-	const value = input.trim();
-	if (!value) return {};
-
-	try {
-		const url = new URL(value);
-		return {
-			code: url.searchParams.get("code") ?? undefined,
-			state: url.searchParams.get("state") ?? undefined,
-		};
-	} catch {
-		// Not a URL, return empty
-		return {};
-	}
-}
-
 interface LoadCodeAssistPayload {
 	cloudaicompanionProject?: string;
 	currentTier?: { id?: string };
 	allowedTiers?: Array<{ id?: string; isDefault?: boolean }>;
 }
 
-/**
- * Long-running operation response from onboardUser
- */
 interface LongRunningOperationResponse {
 	name?: string;
 	done?: boolean;
@@ -133,7 +37,6 @@ interface LongRunningOperationResponse {
 	};
 }
 
-// Tier IDs as used by the Cloud Code API
 const TIER_FREE = "free-tier";
 const TIER_LEGACY = "legacy-tier";
 const TIER_STANDARD = "standard-tier";
@@ -144,16 +47,6 @@ interface GoogleRpcErrorResponse {
 	};
 }
 
-/**
- * Wait helper for onboarding retries
- */
-function wait(ms: number): Promise<void> {
-	return new Promise((resolve) => setTimeout(resolve, ms));
-}
-
-/**
- * Get default tier from allowed tiers
- */
 function getDefaultTier(allowedTiers?: Array<{ id?: string; isDefault?: boolean }>): { id?: string } {
 	if (!allowedTiers || allowedTiers.length === 0) return { id: TIER_LEGACY };
 	const defaultTier = allowedTiers.find((t) => t.isDefault);
@@ -168,9 +61,6 @@ function isVpcScAffectedUser(payload: unknown): boolean {
 	return error.details.some((detail) => detail.reason === "SECURITY_POLICY_VIOLATED");
 }
 
-/**
- * Poll a long-running operation until completion
- */
 async function pollOperation(
 	operationName: string,
 	headers: Record<string, string>,
@@ -180,7 +70,7 @@ async function pollOperation(
 	while (true) {
 		if (attempt > 0) {
 			onProgress?.(`Waiting for project provisioning (attempt ${attempt + 1})...`);
-			await wait(5000);
+			await Bun.sleep(5000);
 		}
 
 		const response = await fetch(`${CODE_ASSIST_ENDPOINT}/v1internal/${operationName}`, {
@@ -201,11 +91,7 @@ async function pollOperation(
 	}
 }
 
-/**
- * Discover or provision a Google Cloud project for the user
- */
 async function discoverProject(accessToken: string, onProgress?: (message: string) => void): Promise<string> {
-	// Check for user-provided project ID via environment variable
 	const envProjectId = process.env.GOOGLE_CLOUD_PROJECT || process.env.GOOGLE_CLOUD_PROJECT_ID;
 
 	const headers = {
@@ -215,7 +101,6 @@ async function discoverProject(accessToken: string, onProgress?: (message: strin
 		"X-Goog-Api-Client": "gl-node/22.17.0",
 	};
 
-	// Try to load existing project via loadCodeAssist
 	onProgress?.("Checking for existing Cloud Code Assist project...");
 	const loadResponse = await fetch(`${CODE_ASSIST_ENDPOINT}/v1internal:loadCodeAssist`, {
 		method: "POST",
@@ -251,12 +136,10 @@ async function discoverProject(accessToken: string, onProgress?: (message: strin
 		data = (await loadResponse.json()) as LoadCodeAssistPayload;
 	}
 
-	// If user already has a current tier and project, use it
 	if (data.currentTier) {
 		if (data.cloudaicompanionProject) {
 			return data.cloudaicompanionProject;
 		}
-		// User has a tier but no managed project - they need to provide one via env var
 		if (envProjectId) {
 			return envProjectId;
 		}
@@ -266,7 +149,6 @@ async function discoverProject(accessToken: string, onProgress?: (message: strin
 		);
 	}
 
-	// User needs to be onboarded - get the default tier
 	const tier = getDefaultTier(data.allowedTiers);
 	const tierId = tier?.id ?? TIER_FREE;
 
@@ -279,8 +161,6 @@ async function discoverProject(accessToken: string, onProgress?: (message: strin
 
 	onProgress?.("Provisioning Cloud Code Assist project (this may take a moment)...");
 
-	// Build onboard request - for free tier, don't include project ID (Google provisions one)
-	// For other tiers, include the user's project ID if available
 	const onboardBody: Record<string, unknown> = {
 		tierId,
 		metadata: {
@@ -295,7 +175,6 @@ async function discoverProject(accessToken: string, onProgress?: (message: strin
 		(onboardBody.metadata as Record<string, unknown>).duetProject = envProjectId;
 	}
 
-	// Start onboarding - this returns a long-running operation
 	const onboardResponse = await fetch(`${CODE_ASSIST_ENDPOINT}/v1internal:onboardUser`, {
 		method: "POST",
 		headers,
@@ -309,18 +188,15 @@ async function discoverProject(accessToken: string, onProgress?: (message: strin
 
 	let lroData = (await onboardResponse.json()) as LongRunningOperationResponse;
 
-	// If the operation isn't done yet, poll until completion
 	if (!lroData.done && lroData.name) {
 		lroData = await pollOperation(lroData.name, headers, onProgress);
 	}
 
-	// Try to get project ID from the response
 	const projectId = lroData.response?.cloudaicompanionProject?.id;
 	if (projectId) {
 		return projectId;
 	}
 
-	// If no project ID from onboarding, fall back to env var
 	if (envProjectId) {
 		return envProjectId;
 	}
@@ -332,9 +208,6 @@ async function discoverProject(accessToken: string, onProgress?: (message: strin
 	);
 }
 
-/**
- * Get user email from the access token
- */
 async function getUserEmail(accessToken: string): Promise<string | undefined> {
 	try {
 		const response = await fetch("https://www.googleapis.com/oauth2/v1/userinfo?alt=json", {
@@ -353,165 +226,51 @@ async function getUserEmail(accessToken: string): Promise<string | undefined> {
 	return undefined;
 }
 
-/**
- * Refresh Google Cloud Code Assist token
- */
-export async function refreshGoogleCloudToken(refreshToken: string, projectId: string): Promise<OAuthCredentials> {
-	const response = await fetch(TOKEN_URL, {
-		method: "POST",
-		headers: { "Content-Type": "application/x-www-form-urlencoded" },
-		body: new URLSearchParams({
-			client_id: CLIENT_ID,
-			client_secret: CLIENT_SECRET,
-			refresh_token: refreshToken,
-			grant_type: "refresh_token",
-		}),
-	});
+class GeminiCliOAuthFlow extends OAuthCallbackFlow {
+	private verifier: string = "";
+	private challenge: string = "";
 
-	if (!response.ok) {
-		const error = await response.text();
-		throw new Error(`Google Cloud token refresh failed: ${error}`);
+	constructor(ctrl: OAuthController) {
+		super(ctrl, CALLBACK_PORT, CALLBACK_PATH);
 	}
 
-	const data = (await response.json()) as {
-		access_token: string;
-		expires_in: number;
-		refresh_token?: string;
-	};
-
-	return {
-		refresh: data.refresh_token || refreshToken,
-		access: data.access_token,
-		expires: Date.now() + data.expires_in * 1000 - 5 * 60 * 1000,
-		projectId,
-	};
-}
-
-/**
- * Login with Gemini CLI (Google Cloud Code Assist) OAuth
- *
- * @param onAuth - Callback with URL and optional instructions
- * @param onProgress - Optional progress callback
- * @param onManualCodeInput - Optional promise that resolves with user-pasted redirect URL.
- *                            Races with browser callback - whichever completes first wins.
- */
-export async function loginGeminiCli(
-	onAuth: (info: { url: string; instructions?: string }) => void,
-	onProgress?: (message: string) => void,
-	onManualCodeInput?: () => Promise<string>,
-): Promise<OAuthCredentials> {
-	const { verifier, challenge } = await generatePKCE();
-
-	// Start local server for callback
-	onProgress?.("Starting local server for OAuth callback...");
-	const server = await startCallbackServer();
+	protected async generateAuthUrl(
+		state: string,
+		redirectUri: string,
+	): Promise<{ url: string; instructions?: string }> {
+		const pkce = await generatePKCE();
+		this.verifier = pkce.verifier;
+		this.challenge = pkce.challenge;
 
-	let code: string | undefined;
-
-	try {
-		// Build authorization URL
 		const authParams = new URLSearchParams({
 			client_id: CLIENT_ID,
 			response_type: "code",
-			redirect_uri: REDIRECT_URI,
+			redirect_uri: redirectUri,
 			scope: SCOPES.join(" "),
-			code_challenge: challenge,
+			code_challenge: this.challenge,
 			code_challenge_method: "S256",
-			state: verifier,
+			state,
 			access_type: "offline",
 			prompt: "consent",
 		});
 
-		const authUrl = `${AUTH_URL}?${authParams.toString()}`;
-
-		// Notify caller with URL to open
-		onAuth({
-			url: authUrl,
-			instructions: "Complete the sign-in in your browser.",
-		});
-
-		// Wait for the callback, racing with manual input if provided
-		onProgress?.("Waiting for OAuth callback...");
-
-		if (onManualCodeInput) {
-			// Race between browser callback and manual input
-			let manualInput: string | undefined;
-			let manualError: Error | undefined;
-			const manualPromise = onManualCodeInput()
-				.then((input) => {
-					manualInput = input;
-					server.cancelWait();
-				})
-				.catch((err) => {
-					manualError = err instanceof Error ? err : new Error(String(err));
-					server.cancelWait();
-				});
-
-			const result = await server.waitForCode();
-
-			// If manual input was cancelled, throw that error
-			if (manualError) {
-				throw manualError;
-			}
-
-			if (result?.code) {
-				// Browser callback won - verify state
-				if (result.state !== verifier) {
-					throw new Error("OAuth state mismatch - possible CSRF attack");
-				}
-				code = result.code;
-			} else if (manualInput) {
-				// Manual input won
-				const parsed = parseRedirectUrl(manualInput);
-				if (parsed.state && parsed.state !== verifier) {
-					throw new Error("OAuth state mismatch - possible CSRF attack");
-				}
-				code = parsed.code;
-			}
-
-			// If still no code, wait for manual promise and try that
-			if (!code) {
-				await manualPromise;
-				if (manualError) {
-					throw manualError;
-				}
-				if (manualInput) {
-					const parsed = parseRedirectUrl(manualInput);
-					if (parsed.state && parsed.state !== verifier) {
-						throw new Error("OAuth state mismatch - possible CSRF attack");
-					}
-					code = parsed.code;
-				}
-			}
-		} else {
-			// Original flow: just wait for callback
-			const result = await server.waitForCode();
-			if (result?.code) {
-				if (result.state !== verifier) {
-					throw new Error("OAuth state mismatch - possible CSRF attack");
-				}
-				code = result.code;
-			}
-		}
+		const url = `${AUTH_URL}?${authParams.toString()}`;
+		return { url, instructions: "Complete the sign-in in your browser." };
+	}
 
-		if (!code) {
-			throw new Error("No authorization code received");
-		}
+	protected async exchangeToken(code: string, _state: string, redirectUri: string): Promise<OAuthCredentials> {
+		this.ctrl.onProgress?.("Exchanging authorization code for tokens...");
 
-		// Exchange code for tokens
-		onProgress?.("Exchanging authorization code for tokens...");
 		const tokenResponse = await fetch(TOKEN_URL, {
 			method: "POST",
-			headers: {
-				"Content-Type": "application/x-www-form-urlencoded",
-			},
+			headers: { "Content-Type": "application/x-www-form-urlencoded" },
 			body: new URLSearchParams({
 				client_id: CLIENT_ID,
 				client_secret: CLIENT_SECRET,
 				code,
 				grant_type: "authorization_code",
-				redirect_uri: REDIRECT_URI,
-				code_verifier: verifier,
+				redirect_uri: redirectUri,
+				code_verifier: this.verifier,
 			}),
 		});
 
@@ -530,26 +289,59 @@ export async function loginGeminiCli(
 			throw new Error("No refresh token received. Please try again.");
 		}
 
-		// Get user email
-		onProgress?.("Getting user info...");
+		this.ctrl.onProgress?.("Getting user info...");
 		const email = await getUserEmail(tokenData.access_token);
 
-		// Discover project
-		const projectId = await discoverProject(tokenData.access_token, onProgress);
-
-		// Calculate expiry time (current time + expires_in seconds - 5 min buffer)
-		const expiresAt = Date.now() + tokenData.expires_in * 1000 - 5 * 60 * 1000;
+		const projectId = await discoverProject(tokenData.access_token, this.ctrl.onProgress);
 
-		const credentials: OAuthCredentials = {
+		return {
 			refresh: tokenData.refresh_token,
 			access: tokenData.access_token,
-			expires: expiresAt,
+			expires: Date.now() + tokenData.expires_in * 1000 - 5 * 60 * 1000,
 			projectId,
 			email,
 		};
+	}
+}
 
-		return credentials;
-	} finally {
-		server.server.close();
+/**
+ * Login with Gemini CLI (Google Cloud Code Assist) OAuth
+ */
+export async function loginGeminiCli(ctrl: OAuthController): Promise<OAuthCredentials> {
+	const flow = new GeminiCliOAuthFlow(ctrl);
+	return flow.login();
+}
+
+/**
+ * Refresh Google Cloud Code Assist token
+ */
+export async function refreshGoogleCloudToken(refreshToken: string, projectId: string): Promise<OAuthCredentials> {
+	const response = await fetch(TOKEN_URL, {
+		method: "POST",
+		headers: { "Content-Type": "application/x-www-form-urlencoded" },
+		body: new URLSearchParams({
+			client_id: CLIENT_ID,
+			client_secret: CLIENT_SECRET,
+			refresh_token: refreshToken,
+			grant_type: "refresh_token",
+		}),
+	});
+
+	if (!response.ok) {
+		const error = await response.text();
+		throw new Error(`Google Cloud token refresh failed: ${error}`);
 	}
+
+	const data = (await response.json()) as {
+		access_token: string;
+		expires_in: number;
+		refresh_token?: string;
+	};
+
+	return {
+		refresh: data.refresh_token || refreshToken,
+		access: data.access_token,
+		expires: Date.now() + data.expires_in * 1000 - 5 * 60 * 1000,
+		projectId,
+	};
 }