@vacbo/opencode-anthropic-fix 0.1.7 → 0.1.9

package/src/commands/oauth-flow.ts

@@ -2,36 +2,37 @@
 // Slash-command OAuth flows (login / reauth)
 // ---------------------------------------------------------------------------
 
+import { resolveIdentityFromOAuthExchange } from "../account-identity.js";
 import { authorize, exchange } from "../oauth.js";
 import { createDefaultStats, loadAccounts, saveAccounts } from "../storage.js";
 
 export const PENDING_OAUTH_TTL_MS = 10 * 60 * 1000;
 
 export interface PendingOAuthEntry {
-  mode: "login" | "reauth";
-  verifier: string;
-  state?: string;
-  targetIndex?: number;
-  createdAt: number;
+    mode: "login" | "reauth";
+    verifier: string;
+    state?: string;
+    targetIndex?: number;
+    createdAt: number;
 }
 
 export interface OAuthFlowDeps {
-  pendingSlashOAuth: Map<string, PendingOAuthEntry>;
-  sendCommandMessage: (sessionID: string, message: string) => Promise<void>;
-  reloadAccountManagerFromDisk: () => Promise<void>;
-  persistOpenCodeAuth: (refresh: string, access: string | undefined, expires: number | undefined) => Promise<void>;
+    pendingSlashOAuth: Map<string, PendingOAuthEntry>;
+    sendCommandMessage: (sessionID: string, message: string) => Promise<void>;
+    reloadAccountManagerFromDisk: () => Promise<void>;
+    persistOpenCodeAuth: (refresh: string, access: string | undefined, expires: number | undefined) => Promise<void>;
 }
 
 /**
  * Remove expired pending OAuth entries from the map.
  */
 export function pruneExpiredPendingOAuth(pendingSlashOAuth: Map<string, PendingOAuthEntry>): void {
-  const now = Date.now();
-  for (const [key, entry] of pendingSlashOAuth) {
-    if (now - entry.createdAt > PENDING_OAUTH_TTL_MS) {
-      pendingSlashOAuth.delete(key);
+    const now = Date.now();
+    for (const [key, entry] of pendingSlashOAuth) {
+        if (now - entry.createdAt > PENDING_OAUTH_TTL_MS) {
+            pendingSlashOAuth.delete(key);
+        }
     }
-  }
 }
 
 /**
@@ -39,178 +40,192 @@ export function pruneExpiredPendingOAuth(pendingSlashOAuth: Map<string, PendingO
  * Sends the authorization URL to the user via sendCommandMessage.
  */
 export async function startSlashOAuth(
-  sessionID: string,
-  mode: "login" | "reauth",
-  targetIndex: number | undefined,
-  deps: OAuthFlowDeps,
+    sessionID: string,
+    mode: "login" | "reauth",
+    targetIndex: number | undefined,
+    deps: OAuthFlowDeps,
 ): Promise<void> {
-  const { pendingSlashOAuth, sendCommandMessage } = deps;
-  pruneExpiredPendingOAuth(pendingSlashOAuth);
-  const { url, verifier, state } = await authorize("max");
-  pendingSlashOAuth.set(sessionID, {
-    mode,
-    verifier,
-    state,
-    targetIndex,
-    createdAt: Date.now(),
-  });
-
-  const action = mode === "login" ? "login" : `reauth ${(targetIndex ?? 0) + 1}`;
-  const followup =
-    mode === "login" ? "/anthropic login complete <code#state>" : "/anthropic reauth complete <code#state>";
-
-  await sendCommandMessage(
-    sessionID,
-    [
-      "▣ Anthropic OAuth",
-      "",
-      `Started ${action} flow.`,
-      "Open this URL in your browser:",
-      url,
-      "",
-      `Then run: ${followup}`,
-      "(Paste the full authorization code, including #state)",
-    ].join("\n"),
-  );
+    const { pendingSlashOAuth, sendCommandMessage } = deps;
+    pruneExpiredPendingOAuth(pendingSlashOAuth);
+    const { url, verifier, state } = await authorize("max");
+    pendingSlashOAuth.set(sessionID, {
+        mode,
+        verifier,
+        state,
+        targetIndex,
+        createdAt: Date.now(),
+    });
+
+    const action = mode === "login" ? "login" : `reauth ${(targetIndex ?? 0) + 1}`;
+    const followup =
+        mode === "login" ? "/anthropic login complete <code#state>" : "/anthropic reauth complete <code#state>";
+
+    await sendCommandMessage(
+        sessionID,
+        [
+            "▣ Anthropic OAuth",
+            "",
+            `Started ${action} flow.`,
+            "Open this URL in your browser:",
+            url,
+            "",
+            `Then run: ${followup}`,
+            "(Paste the full authorization code, including #state)",
+        ].join("\n"),
+    );
 }
 
 /**
  * Complete a pending slash-command OAuth flow.
  */
 export async function completeSlashOAuth(
-  sessionID: string,
-  code: string,
-  deps: OAuthFlowDeps,
+    sessionID: string,
+    code: string,
+    deps: OAuthFlowDeps,
 ): Promise<{ ok: boolean; message: string }> {
-  const { pendingSlashOAuth, reloadAccountManagerFromDisk, persistOpenCodeAuth } = deps;
+    const { pendingSlashOAuth, reloadAccountManagerFromDisk, persistOpenCodeAuth } = deps;
+
+    const pending = pendingSlashOAuth.get(sessionID);
+    if (!pending) {
+        pruneExpiredPendingOAuth(pendingSlashOAuth);
+        return {
+            ok: false,
+            message: "No pending OAuth flow. Start with /anthropic login or /anthropic reauth <N>.",
+        };
+    }
 
-  const pending = pendingSlashOAuth.get(sessionID);
-  if (!pending) {
-    pruneExpiredPendingOAuth(pendingSlashOAuth);
-    return {
-      ok: false,
-      message: "No pending OAuth flow. Start with /anthropic login or /anthropic reauth <N>.",
-    };
-  }
+    if (Date.now() - pending.createdAt > PENDING_OAUTH_TTL_MS) {
+        pendingSlashOAuth.delete(sessionID);
+        return {
+            ok: false,
+            message: "Pending OAuth flow expired. Start again with /anthropic login or /anthropic reauth <N>.",
+        };
+    }
 
-  if (Date.now() - pending.createdAt > PENDING_OAUTH_TTL_MS) {
-    pendingSlashOAuth.delete(sessionID);
-    return {
-      ok: false,
-      message: "Pending OAuth flow expired. Start again with /anthropic login or /anthropic reauth <N>.",
-    };
-  }
+    // Validate state parameter to prevent CSRF attacks
+    const splits = code.split("#");
+    if (pending.state && splits[1] && splits[1] !== pending.state) {
+        pendingSlashOAuth.delete(sessionID);
+        return {
+            ok: false,
+            message: "OAuth state mismatch — possible CSRF attack. Please try again.",
+        };
+    }
 
-  // Validate state parameter to prevent CSRF attacks
-  const splits = code.split("#");
-  if (pending.state && splits[1] && splits[1] !== pending.state) {
-    pendingSlashOAuth.delete(sessionID);
-    return {
-      ok: false,
-      message: "OAuth state mismatch — possible CSRF attack. Please try again.",
-    };
-  }
+    const credentials = await exchange(code, pending.verifier);
+    if (credentials.type === "failed") {
+        return {
+            ok: false,
+            message: credentials.details
+                ? `Token exchange failed (${credentials.details}).`
+                : "Token exchange failed. The code may be invalid or expired.",
+        };
+    }
 
-  const credentials = await exchange(code, pending.verifier);
-  if (credentials.type === "failed") {
-    return {
-      ok: false,
-      message: credentials.details
-        ? `Token exchange failed (${credentials.details}).`
-        : "Token exchange failed. The code may be invalid or expired.",
+    const stored = (await loadAccounts()) ?? {
+        version: 1,
+        accounts: [],
+        activeIndex: 0,
     };
-  }
-
-  const stored = (await loadAccounts()) ?? {
-    version: 1,
-    accounts: [],
-    activeIndex: 0,
-  };
-
-  if (pending.mode === "login") {
-    const existingIdx = stored.accounts.findIndex((acc) => acc.refreshToken === credentials.refresh);
-    if (existingIdx >= 0) {
-      const acc = stored.accounts[existingIdx];
-      acc.access = credentials.access;
-      acc.expires = credentials.expires;
-      if (credentials.email) acc.email = credentials.email;
-      acc.enabled = true;
-      acc.consecutiveFailures = 0;
-      acc.lastFailureTime = null;
-      acc.rateLimitResetTimes = {};
-      await saveAccounts(stored);
-      await persistOpenCodeAuth(acc.refreshToken, acc.access, acc.expires);
-      await reloadAccountManagerFromDisk();
-      pendingSlashOAuth.delete(sessionID);
-      const name = acc.email || `Account ${existingIdx + 1}`;
-      return {
-        ok: true,
-        message: `Updated existing account #${existingIdx + 1} (${name}).`,
-      };
+
+    if (pending.mode === "login") {
+        const existingIdx = stored.accounts.findIndex((acc) => acc.refreshToken === credentials.refresh);
+        if (existingIdx >= 0) {
+            const acc = stored.accounts[existingIdx];
+            const accIsCC = acc.source === "cc-keychain" || acc.source === "cc-file";
+            acc.access = credentials.access;
+            acc.expires = credentials.expires;
+            acc.token_updated_at = Date.now();
+            acc.enabled = true;
+            acc.consecutiveFailures = 0;
+            acc.lastFailureTime = null;
+            acc.rateLimitResetTimes = {};
+            if (!accIsCC) {
+                if (credentials.email) acc.email = credentials.email;
+                acc.identity = resolveIdentityFromOAuthExchange(credentials);
+                acc.source = acc.source ?? "oauth";
+            }
+            await saveAccounts(stored);
+            await persistOpenCodeAuth(acc.refreshToken, acc.access, acc.expires);
+            await reloadAccountManagerFromDisk();
+            pendingSlashOAuth.delete(sessionID);
+            const name = acc.email || `Account ${existingIdx + 1}`;
+            return {
+                ok: true,
+                message: `Updated existing account #${existingIdx + 1} (${name}).`,
+            };
+        }
+
+        if (stored.accounts.length >= 10) {
+            return {
+                ok: false,
+                message: "Maximum of 10 accounts reached. Remove one first.",
+            };
+        }
+
+        const now = Date.now();
+        stored.accounts.push({
+            id: `${now}:${credentials.refresh.slice(0, 12)}`,
+            email: credentials.email,
+            identity: resolveIdentityFromOAuthExchange(credentials),
+            refreshToken: credentials.refresh,
+            access: credentials.access,
+            expires: credentials.expires,
+            token_updated_at: now,
+            addedAt: now,
+            lastUsed: 0,
+            enabled: true,
+            rateLimitResetTimes: {},
+            consecutiveFailures: 0,
+            lastFailureTime: null,
+            stats: createDefaultStats(now),
+            source: "oauth",
+        });
+        await saveAccounts(stored);
+        const newAccount = stored.accounts[stored.accounts.length - 1];
+        await persistOpenCodeAuth(newAccount.refreshToken, newAccount.access, newAccount.expires);
+        await reloadAccountManagerFromDisk();
+        pendingSlashOAuth.delete(sessionID);
+        const label = credentials.email || `Account ${stored.accounts.length}`;
+        return {
+            ok: true,
+            message: `Added account #${stored.accounts.length} (${label}).`,
+        };
     }
 
-    if (stored.accounts.length >= 10) {
-      return {
-        ok: false,
-        message: "Maximum of 10 accounts reached. Remove one first.",
-      };
+    // reauth flow
+    const idx = pending.targetIndex ?? -1;
+    if (idx < 0 || idx >= stored.accounts.length) {
+        pendingSlashOAuth.delete(sessionID);
+        return {
+            ok: false,
+            message: "Target account no longer exists. Start reauth again.",
+        };
+    }
+
+    const existing = stored.accounts[idx];
+    const existingIsCC = existing.source === "cc-keychain" || existing.source === "cc-file";
+    existing.refreshToken = credentials.refresh;
+    existing.access = credentials.access;
+    existing.expires = credentials.expires;
+    existing.token_updated_at = Date.now();
+    existing.enabled = true;
+    existing.consecutiveFailures = 0;
+    existing.lastFailureTime = null;
+    existing.rateLimitResetTimes = {};
+    if (!existingIsCC) {
+        if (credentials.email) existing.email = credentials.email;
+        existing.identity = resolveIdentityFromOAuthExchange(credentials);
+        existing.source = existing.source ?? "oauth";
     }
 
-    const now = Date.now();
-    stored.accounts.push({
-      id: `${now}:${credentials.refresh.slice(0, 12)}`,
-      email: credentials.email,
-      refreshToken: credentials.refresh,
-      access: credentials.access,
-      expires: credentials.expires,
-      token_updated_at: now,
-      addedAt: now,
-      lastUsed: 0,
-      enabled: true,
-      rateLimitResetTimes: {},
-      consecutiveFailures: 0,
-      lastFailureTime: null,
-      stats: createDefaultStats(now),
-    });
     await saveAccounts(stored);
-    const newAccount = stored.accounts[stored.accounts.length - 1];
-    await persistOpenCodeAuth(newAccount.refreshToken, newAccount.access, newAccount.expires);
+    await persistOpenCodeAuth(existing.refreshToken, existing.access, existing.expires);
     await reloadAccountManagerFromDisk();
     pendingSlashOAuth.delete(sessionID);
-    const label = credentials.email || `Account ${stored.accounts.length}`;
+    const name = existing.email || `Account ${idx + 1}`;
     return {
-      ok: true,
-      message: `Added account #${stored.accounts.length} (${label}).`,
-    };
-  }
-
-  // reauth flow
-  const idx = pending.targetIndex ?? -1;
-  if (idx < 0 || idx >= stored.accounts.length) {
-    pendingSlashOAuth.delete(sessionID);
-    return {
-      ok: false,
-      message: "Target account no longer exists. Start reauth again.",
+        ok: true,
+        message: `Re-authenticated account #${idx + 1} (${name}).`,
     };
-  }
-
-  const existing = stored.accounts[idx];
-  existing.refreshToken = credentials.refresh;
-  existing.access = credentials.access;
-  existing.expires = credentials.expires;
-  if (credentials.email) existing.email = credentials.email;
-  existing.enabled = true;
-  existing.consecutiveFailures = 0;
-  existing.lastFailureTime = null;
-  existing.rateLimitResetTimes = {};
-
-  await saveAccounts(stored);
-  await persistOpenCodeAuth(existing.refreshToken, existing.access, existing.expires);
-  await reloadAccountManagerFromDisk();
-  pendingSlashOAuth.delete(sessionID);
-  const name = existing.email || `Account ${idx + 1}`;
-  return {
-    ok: true,
-    message: `Re-authenticated account #${idx + 1} (${name}).`,
-  };
 }

package/src/commands/prompts.ts

@@ -10,82 +10,82 @@ import type { AccountManager } from "../accounts.js";
  * Show the main account menu and return the user's choice.
  */
 export async function promptAccountMenu(
-  accountManager: AccountManager,
+    accountManager: AccountManager,
 ): Promise<"add" | "fresh" | "manage" | "cancel"> {
-  const accounts = accountManager.getAccountsSnapshot();
-  const currentIndex = accountManager.getCurrentIndex();
-  const rl = createInterface({ input: stdin, output: stdout });
+    const accounts = accountManager.getAccountsSnapshot();
+    const currentIndex = accountManager.getCurrentIndex();
+    const rl = createInterface({ input: stdin, output: stdout });
 
-  try {
-    console.log(`\n${accounts.length} account(s) configured:`);
-    for (const acc of accounts) {
-      const name = acc.email || `Account ${acc.index + 1}`;
-      const active = acc.index === currentIndex ? " (active)" : "";
-      const disabled = !acc.enabled ? " [disabled]" : "";
-      console.log(`  ${acc.index + 1}. ${name}${active}${disabled}`);
-    }
-    console.log("");
+    try {
+        console.log(`\n${accounts.length} account(s) configured:`);
+        for (const acc of accounts) {
+            const name = acc.email || `Account ${acc.index + 1}`;
+            const active = acc.index === currentIndex ? " (active)" : "";
+            const disabled = !acc.enabled ? " [disabled]" : "";
+            console.log(`  ${acc.index + 1}. ${name}${active}${disabled}`);
+        }
+        console.log("");
 
-    while (true) {
-      const answer = await rl.question("(a)dd new, (f)resh start, (m)anage, (c)ancel? [a/f/m/c]: ");
-      const normalized = answer.trim().toLowerCase();
-      if (normalized === "a" || normalized === "add") return "add";
-      if (normalized === "f" || normalized === "fresh") return "fresh";
-      if (normalized === "m" || normalized === "manage") return "manage";
-      if (normalized === "c" || normalized === "cancel") return "cancel";
-      console.log("Please enter 'a', 'f', 'm', or 'c'.");
+        while (true) {
+            const answer = await rl.question("(a)dd new, (f)resh start, (m)anage, (c)ancel? [a/f/m/c]: ");
+            const normalized = answer.trim().toLowerCase();
+            if (normalized === "a" || normalized === "add") return "add";
+            if (normalized === "f" || normalized === "fresh") return "fresh";
+            if (normalized === "m" || normalized === "manage") return "manage";
+            if (normalized === "c" || normalized === "cancel") return "cancel";
+            console.log("Please enter 'a', 'f', 'm', or 'c'.");
+        }
+    } finally {
+        rl.close();
     }
-  } finally {
-    rl.close();
-  }
 }
 
 /**
  * Show the manage-accounts sub-menu (toggle/delete accounts).
  */
 export async function promptManageAccounts(accountManager: AccountManager): Promise<void> {
-  const accounts = accountManager.getAccountsSnapshot();
-  const rl = createInterface({ input: stdin, output: stdout });
+    const accounts = accountManager.getAccountsSnapshot();
+    const rl = createInterface({ input: stdin, output: stdout });
 
-  try {
-    console.log("\nManage accounts:");
-    for (const acc of accounts) {
-      const name = acc.email || `Account ${acc.index + 1}`;
-      const status = acc.enabled ? "enabled" : "disabled";
-      console.log(`  ${acc.index + 1}. ${name} [${status}]`);
-    }
-    console.log("");
+    try {
+        console.log("\nManage accounts:");
+        for (const acc of accounts) {
+            const name = acc.email || `Account ${acc.index + 1}`;
+            const status = acc.enabled ? "enabled" : "disabled";
+            console.log(`  ${acc.index + 1}. ${name} [${status}]`);
+        }
+        console.log("");
 
-    while (true) {
-      const answer = await rl.question("Enter account number to toggle, (d)N to delete (e.g. d1), or (b)ack: ");
-      const normalized = answer.trim().toLowerCase();
+        while (true) {
+            const answer = await rl.question("Enter account number to toggle, (d)N to delete (e.g. d1), or (b)ack: ");
+            const normalized = answer.trim().toLowerCase();
 
-      if (normalized === "b" || normalized === "back") return;
+            if (normalized === "b" || normalized === "back") return;
 
-      // Delete: d1, d2, etc.
-      const deleteMatch = normalized.match(/^d(\d+)$/);
-      if (deleteMatch) {
-        const idx = parseInt(deleteMatch[1], 10) - 1;
-        if (idx >= 0 && idx < accounts.length) {
-          accountManager.removeAccount(idx);
-          console.log(`Removed account ${idx + 1}.`);
-          return;
-        }
-        console.log("Invalid account number.");
-        continue;
-      }
+            // Delete: d1, d2, etc.
+            const deleteMatch = normalized.match(/^d(\d+)$/);
+            if (deleteMatch) {
+                const idx = parseInt(deleteMatch[1], 10) - 1;
+                if (idx >= 0 && idx < accounts.length) {
+                    accountManager.removeAccount(idx);
+                    console.log(`Removed account ${idx + 1}.`);
+                    return;
+                }
+                console.log("Invalid account number.");
+                continue;
+            }
 
-      // Toggle: just the number
-      const num = parseInt(normalized, 10);
-      if (!isNaN(num) && num >= 1 && num <= accounts.length) {
-        const newState = accountManager.toggleAccount(num - 1);
-        console.log(`Account ${num} is now ${newState ? "enabled" : "disabled"}.`);
-        continue;
-      }
+            // Toggle: just the number
+            const num = parseInt(normalized, 10);
+            if (!isNaN(num) && num >= 1 && num <= accounts.length) {
+                const newState = accountManager.toggleAccount(num - 1);
+                console.log(`Account ${num} is now ${newState ? "enabled" : "disabled"}.`);
+                continue;
+            }
 
-      console.log("Invalid input.");
+            console.log("Invalid input.");
+        }
+    } finally {
+        rl.close();
     }
-  } finally {
-    rl.close();
-  }
 }