@ottocode/server 0.1.264 → 0.1.266

package/src/routes/auth/providers.ts

@@ -0,0 +1,189 @@
+import type { Hono } from 'hono';
+import {
+	catalog,
+	isBuiltInProviderId,
+	removeAuth,
+	setAuth,
+	type ProviderId,
+} from '@ottocode/sdk';
+import { logger } from '@ottocode/sdk';
+import { openApiRoute } from '../../openapi/route.ts';
+import { serializeError } from '../../runtime/errors/api-error.ts';
+
+export function registerAuthProviderRoutes(app: Hono) {
+	openApiRoute(
+		app,
+		{
+			method: 'post',
+			path: '/v1/auth/{provider}',
+			tags: ['auth'],
+			operationId: 'addProviderApiKey',
+			summary: 'Add API key for a provider',
+			parameters: [
+				{
+					in: 'path',
+					name: 'provider',
+					required: true,
+					schema: {
+						type: 'string',
+					},
+				},
+			],
+			requestBody: {
+				required: true,
+				content: {
+					'application/json': {
+						schema: {
+							type: 'object',
+							properties: {
+								apiKey: {
+									type: 'string',
+								},
+							},
+							required: ['apiKey'],
+						},
+					},
+				},
+			},
+			responses: {
+				'200': {
+					description: 'OK',
+					content: {
+						'application/json': {
+							schema: {
+								type: 'object',
+								properties: {
+									success: {
+										type: 'boolean',
+									},
+									provider: {
+										type: 'string',
+									},
+								},
+								required: ['success', 'provider'],
+							},
+						},
+					},
+				},
+				'400': {
+					description: 'Bad Request',
+					content: {
+						'application/json': {
+							schema: {
+								type: 'object',
+								properties: {
+									error: {
+										type: 'string',
+									},
+								},
+								required: ['error'],
+							},
+						},
+					},
+				},
+			},
+		},
+		async (c) => {
+			try {
+				const provider = c.req.param('provider') as ProviderId;
+				const { apiKey } = await c.req.json<{ apiKey: string }>();
+
+				if (!isBuiltInProviderId(provider) || !catalog[provider]) {
+					return c.json({ error: 'Unknown provider' }, 400);
+				}
+
+				if (!apiKey) {
+					return c.json({ error: 'API key required' }, 400);
+				}
+
+				await setAuth(
+					provider,
+					{ type: 'api', key: apiKey },
+					undefined,
+					'global',
+				);
+
+				return c.json({ success: true, provider });
+			} catch (error) {
+				logger.error('Failed to add provider', error);
+				const errorResponse = serializeError(error);
+				return c.json(errorResponse, errorResponse.error.status || 500);
+			}
+		},
+	);
+
+	openApiRoute(
+		app,
+		{
+			method: 'delete',
+			path: '/v1/auth/{provider}',
+			tags: ['auth'],
+			operationId: 'removeProvider',
+			summary: 'Remove auth for a provider',
+			parameters: [
+				{
+					in: 'path',
+					name: 'provider',
+					required: true,
+					schema: {
+						type: 'string',
+					},
+				},
+			],
+			responses: {
+				'200': {
+					description: 'OK',
+					content: {
+						'application/json': {
+							schema: {
+								type: 'object',
+								properties: {
+									success: {
+										type: 'boolean',
+									},
+									provider: {
+										type: 'string',
+									},
+								},
+								required: ['success', 'provider'],
+							},
+						},
+					},
+				},
+				'400': {
+					description: 'Bad Request',
+					content: {
+						'application/json': {
+							schema: {
+								type: 'object',
+								properties: {
+									error: {
+										type: 'string',
+									},
+								},
+								required: ['error'],
+							},
+						},
+					},
+				},
+			},
+		},
+		async (c) => {
+			try {
+				const provider = c.req.param('provider') as ProviderId;
+
+				if (!isBuiltInProviderId(provider) || !catalog[provider]) {
+					return c.json({ error: 'Unknown provider' }, 400);
+				}
+
+				await removeAuth(provider, undefined, 'global');
+
+				return c.json({ success: true, provider });
+			} catch (error) {
+				logger.error('Failed to remove provider', error);
+				const errorResponse = serializeError(error);
+				return c.json(errorResponse, errorResponse.error.status || 500);
+			}
+		},
+	);
+}

package/src/routes/auth/service.ts

@@ -0,0 +1,167 @@
+import { spawnSync } from 'node:child_process';
+
+const COPILOT_MODELS_URL = 'https://api.githubcopilot.com/models';
+const GH_CAPABILITY_CACHE_TTL_MS = 60 * 1000;
+
+let ghCapabilityCache: {
+	expiresAt: number;
+	value: { available: boolean; authenticated: boolean; reason?: string };
+} = {
+	expiresAt: 0,
+	value: {
+		available: false,
+		authenticated: false,
+		reason: 'Not checked yet',
+	},
+};
+
+export function getGhImportCapability() {
+	if (ghCapabilityCache.expiresAt > Date.now()) return ghCapabilityCache.value;
+
+	const version = spawnSync('gh', ['--version'], {
+		encoding: 'utf8',
+		stdio: ['ignore', 'pipe', 'pipe'],
+	});
+	if (version.status !== 0) {
+		ghCapabilityCache = {
+			expiresAt: Date.now() + GH_CAPABILITY_CACHE_TTL_MS,
+			value: {
+				available: false,
+				authenticated: false,
+				reason: 'GitHub CLI (gh) is not installed',
+			},
+		};
+		return ghCapabilityCache.value;
+	}
+
+	const authStatus = spawnSync('gh', ['auth', 'status', '-h', 'github.com'], {
+		encoding: 'utf8',
+		stdio: ['ignore', 'pipe', 'pipe'],
+	});
+	if (authStatus.status !== 0) {
+		ghCapabilityCache = {
+			expiresAt: Date.now() + GH_CAPABILITY_CACHE_TTL_MS,
+			value: {
+				available: true,
+				authenticated: false,
+				reason: 'Run `gh auth login` first',
+			},
+		};
+		return ghCapabilityCache.value;
+	}
+
+	ghCapabilityCache = {
+		expiresAt: Date.now() + GH_CAPABILITY_CACHE_TTL_MS,
+		value: {
+			available: true,
+			authenticated: true,
+		},
+	};
+	return ghCapabilityCache.value;
+}
+
+export function parseErrorMessageFromBody(text: string): string | undefined {
+	if (!text) return undefined;
+	try {
+		const parsed = JSON.parse(text) as {
+			message?: string;
+			error?: { message?: string };
+		};
+		return parsed.error?.message ?? parsed.message;
+	} catch {
+		return undefined;
+	}
+}
+
+export async function fetchCopilotModels(token: string): Promise<
+	| {
+			ok: true;
+			models: Set<string>;
+	  }
+	| {
+			ok: false;
+			status: number;
+			message: string;
+	  }
+> {
+	try {
+		const response = await fetch(COPILOT_MODELS_URL, {
+			headers: {
+				Authorization: `Bearer ${token}`,
+				'Openai-Intent': 'conversation-edits',
+				'User-Agent': 'ottocode',
+			},
+		});
+		const text = await response.text();
+		if (!response.ok) {
+			return {
+				ok: false,
+				status: response.status,
+				message:
+					parseErrorMessageFromBody(text) ||
+					`Copilot models endpoint returned ${response.status}`,
+			};
+		}
+
+		const payload = JSON.parse(text) as {
+			data?: Array<{ id?: string }>;
+		};
+		const models = new Set(
+			(payload.data ?? [])
+				.map((item) => item.id)
+				.filter((id): id is string => Boolean(id)),
+		);
+		return { ok: true, models };
+	} catch (error) {
+		const message =
+			error instanceof Error ? error.message : 'Failed to fetch Copilot models';
+		return { ok: false, status: 0, message };
+	}
+}
+
+export async function detectOAuthOrgRestriction(token: string): Promise<{
+	restricted: boolean;
+	org?: string;
+	message?: string;
+}> {
+	try {
+		const orgsResponse = await fetch('https://api.github.com/user/orgs', {
+			headers: {
+				Authorization: `Bearer ${token}`,
+				'User-Agent': 'ottocode',
+				Accept: 'application/vnd.github+json',
+			},
+		});
+		if (!orgsResponse.ok) {
+			return { restricted: false };
+		}
+
+		const orgs = (await orgsResponse.json()) as Array<{ login?: string }>;
+		for (const org of orgs) {
+			if (!org.login) continue;
+			const membershipResponse = await fetch(
+				`https://api.github.com/user/memberships/orgs/${org.login}`,
+				{
+					headers: {
+						Authorization: `Bearer ${token}`,
+						'User-Agent': 'ottocode',
+						Accept: 'application/vnd.github+json',
+					},
+				},
+			);
+			if (membershipResponse.status !== 403) continue;
+
+			const bodyText = await membershipResponse.text();
+			const message = parseErrorMessageFromBody(bodyText) || bodyText;
+			if (message.includes('enabled OAuth App access restrictions')) {
+				return {
+					restricted: true,
+					org: org.login,
+					message,
+				};
+			}
+		}
+	} catch {}
+
+	return { restricted: false };
+}

package/src/routes/auth/state.ts

@@ -0,0 +1,23 @@
+export const oauthVerifiers = new Map<
+	string,
+	{ verifier: string; provider: string; createdAt: number; callbackUrl: string }
+>();
+
+export const copilotDeviceSessions = new Map<
+	string,
+	{ deviceCode: string; interval: number; provider: string; createdAt: number }
+>();
+
+setInterval(() => {
+	const now = Date.now();
+	for (const [key, value] of oauthVerifiers.entries()) {
+		if (now - value.createdAt > 10 * 60 * 1000) {
+			oauthVerifiers.delete(key);
+		}
+	}
+	for (const [key, value] of copilotDeviceSessions.entries()) {
+		if (now - value.createdAt > 10 * 60 * 1000) {
+			copilotDeviceSessions.delete(key);
+		}
+	}
+}, 60 * 1000);

package/src/routes/auth/status.ts

@@ -0,0 +1,203 @@
+import type { Hono } from 'hono';
+import {
+	catalog,
+	getAllAuth,
+	getOnboardingComplete,
+	getOttoRouterWallet,
+	loadConfig,
+	type ProviderId,
+} from '@ottocode/sdk';
+import { logger } from '@ottocode/sdk';
+import { openApiRoute } from '../../openapi/route.ts';
+import { serializeError } from '../../runtime/errors/api-error.ts';
+import { getProviderDetails } from '../config/utils.ts';
+import { getGhImportCapability } from './service.ts';
+
+export function registerAuthStatusRoutes(app: Hono) {
+	openApiRoute(
+		app,
+		{
+			method: 'get',
+			path: '/v1/auth/status',
+			tags: ['auth'],
+			operationId: 'getAuthStatus',
+			summary: 'Get auth status for all providers',
+			responses: {
+				'200': {
+					description: 'OK',
+					content: {
+						'application/json': {
+							schema: {
+								type: 'object',
+								properties: {
+									onboardingComplete: {
+										type: 'boolean',
+									},
+									ottorouter: {
+										type: 'object',
+										properties: {
+											configured: {
+												type: 'boolean',
+											},
+											publicKey: {
+												type: 'string',
+											},
+										},
+										required: ['configured'],
+									},
+									providers: {
+										type: 'object',
+										additionalProperties: {
+											type: 'object',
+											properties: {
+												configured: {
+													type: 'boolean',
+												},
+												type: {
+													type: 'string',
+													enum: ['api', 'oauth', 'wallet'],
+												},
+												label: {
+													type: 'string',
+												},
+												supportsOAuth: {
+													type: 'boolean',
+												},
+												supportsToken: {
+													type: 'boolean',
+												},
+												supportsGhImport: {
+													type: 'boolean',
+												},
+												modelCount: {
+													type: 'integer',
+												},
+												costRange: {
+													type: 'object',
+													nullable: true,
+													properties: {
+														min: {
+															type: 'number',
+														},
+														max: {
+															type: 'number',
+														},
+													},
+													required: ['min', 'max'],
+												},
+											},
+											required: [
+												'configured',
+												'label',
+												'supportsOAuth',
+												'modelCount',
+											],
+										},
+									},
+									defaults: {
+										type: 'object',
+										properties: {
+											agent: {
+												type: 'string',
+											},
+											provider: {
+												type: 'string',
+											},
+											model: {
+												type: 'string',
+											},
+										},
+									},
+								},
+								required: ['onboardingComplete', 'ottorouter', 'providers'],
+							},
+						},
+					},
+				},
+			},
+		},
+		async (c) => {
+			try {
+				const projectRoot = process.cwd();
+				const auth = await getAllAuth(projectRoot);
+				const cfg = await loadConfig(projectRoot);
+				const onboardingComplete = await getOnboardingComplete(projectRoot);
+				const ottorouterWallet = await getOttoRouterWallet(projectRoot);
+				const ghImportCapability = getGhImportCapability();
+
+				const providers: Record<
+					string,
+					{
+						configured: boolean;
+						type?: 'api' | 'oauth' | 'wallet';
+						label: string;
+						supportsOAuth: boolean;
+						supportsToken?: boolean;
+						supportsGhImport?: boolean;
+						custom?: boolean;
+						modelCount: number;
+						costRange?: { min: number; max: number };
+					}
+				> = {};
+
+				for (const [id, entry] of Object.entries(catalog)) {
+					const providerAuth = auth[id as ProviderId];
+					const models = entry.models || [];
+					const costs = models
+						.map((m) => m.cost?.input)
+						.filter((c): c is number => c !== undefined);
+
+					providers[id] = {
+						configured: !!providerAuth,
+						type: providerAuth?.type,
+						label: entry.label || id,
+						supportsOAuth:
+							id === 'anthropic' || id === 'openai' || id === 'copilot',
+						supportsToken: id === 'copilot',
+						supportsGhImport:
+							id === 'copilot' ? ghImportCapability.available : false,
+						modelCount: models.length,
+						costRange:
+							costs.length > 0
+								? {
+										min: Math.min(...costs),
+										max: Math.max(...costs),
+									}
+								: undefined,
+					};
+				}
+
+				const providerDetails = await getProviderDetails(undefined, cfg);
+				for (const detail of providerDetails) {
+					if (!detail.custom || providers[detail.id]) continue;
+					providers[detail.id] = {
+						configured: detail.authorized,
+						type: detail.authType,
+						label: detail.label,
+						supportsOAuth: false,
+						custom: true,
+						modelCount: detail.modelCount,
+					};
+				}
+
+				return c.json({
+					onboardingComplete,
+					ottorouter: ottorouterWallet
+						? {
+								configured: true,
+								publicKey: ottorouterWallet.publicKey,
+							}
+						: {
+								configured: false,
+							},
+					providers,
+					defaults: cfg.defaults,
+				});
+			} catch (error) {
+				logger.error('Failed to get auth status', error);
+				const errorResponse = serializeError(error);
+				return c.json(errorResponse, errorResponse.error.status || 500);
+			}
+		},
+	);
+}