@zhafron/opencode-kiro-auth 1.0.0

package/dist/src/kiro/oauth-idc.js

@@ -0,0 +1,99 @@
+import { generatePKCE } from '@openauthjs/openauth/pkce';
+import { KIRO_AUTH_SERVICE, KIRO_CONSTANTS } from '../constants';
+export async function authorizeKiroIDC(region) {
+    const effectiveRegion = region || KIRO_CONSTANTS.DEFAULT_REGION;
+    const pkce = await generatePKCE();
+    const verifier = pkce.verifier;
+    const ssoOIDCEndpoint = KIRO_AUTH_SERVICE.SSO_OIDC_ENDPOINT.replace('{{region}}', effectiveRegion);
+    const registerResponse = await fetch(`${ssoOIDCEndpoint}/client/register`, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+            'User-Agent': KIRO_CONSTANTS.USER_AGENT,
+        },
+        body: JSON.stringify({
+            clientName: 'Kiro IDE',
+            clientType: 'public',
+            scopes: KIRO_AUTH_SERVICE.SCOPES,
+            grantTypes: ['urn:ietf:params:oauth:grant-type:device_code', 'refresh_token'],
+        }),
+    });
+    if (!registerResponse.ok) {
+        throw new Error(`Client registration failed: ${registerResponse.status}`);
+    }
+    const registerData = await registerResponse.json();
+    const { clientId, clientSecret } = registerData;
+    const deviceAuthResponse = await fetch(`${ssoOIDCEndpoint}/device_authorization`, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+            'User-Agent': KIRO_CONSTANTS.USER_AGENT,
+        },
+        body: JSON.stringify({
+            clientId,
+            clientSecret,
+            startUrl: KIRO_AUTH_SERVICE.BUILDER_ID_START_URL,
+        }),
+    });
+    if (!deviceAuthResponse.ok) {
+        throw new Error(`Device authorization failed: ${deviceAuthResponse.status}`);
+    }
+    const deviceAuthData = await deviceAuthResponse.json();
+    const state = Buffer.from(JSON.stringify({
+        deviceCode: deviceAuthData.deviceCode,
+        region: effectiveRegion,
+        clientId,
+        clientSecret,
+    })).toString('base64url');
+    return {
+        url: deviceAuthData.verificationUriComplete,
+        verifier,
+        region: effectiveRegion,
+        deviceCode: deviceAuthData.deviceCode,
+        userCode: deviceAuthData.userCode,
+        clientId,
+        clientSecret,
+    };
+}
+export async function exchangeKiroIDC(state) {
+    const decodedState = JSON.parse(Buffer.from(state, 'base64url').toString('utf-8'));
+    const { deviceCode, region, clientId, clientSecret } = decodedState;
+    if (!deviceCode || !region || !clientId || !clientSecret) {
+        throw new Error('Invalid state parameter');
+    }
+    const ssoOIDCEndpoint = KIRO_AUTH_SERVICE.SSO_OIDC_ENDPOINT.replace('{{region}}', region);
+    const tokenResponse = await fetch(`${ssoOIDCEndpoint}/token`, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+            'User-Agent': KIRO_CONSTANTS.USER_AGENT,
+        },
+        body: JSON.stringify({
+            clientId,
+            clientSecret,
+            deviceCode,
+            grantType: 'urn:ietf:params:oauth:grant-type:device_code',
+        }),
+    });
+    if (!tokenResponse.ok) {
+        const errorText = await tokenResponse.text();
+        throw new Error(`Token exchange failed: ${tokenResponse.status} ${errorText}`);
+    }
+    const tokenData = await tokenResponse.json();
+    if (!tokenData.accessToken || !tokenData.refreshToken) {
+        throw new Error('Invalid token response: missing required fields');
+    }
+    const expiresIn = tokenData.expiresIn || 3600;
+    const expiresAt = Date.now() + expiresIn * 1000;
+    const email = 'builder-id@aws.amazon.com';
+    return {
+        refreshToken: tokenData.refreshToken,
+        accessToken: tokenData.accessToken,
+        expiresAt,
+        email,
+        clientId,
+        clientSecret,
+        region,
+        authMethod: 'idc',
+    };
+}

package/dist/src/kiro/oauth-social.d.ts

@@ -0,0 +1,17 @@
+import type { KiroRegion } from '../plugin/types';
+export interface KiroSocialAuthorization {
+    url: string;
+    verifier: string;
+    region: KiroRegion;
+}
+export interface KiroSocialTokenResult {
+    refreshToken: string;
+    accessToken: string;
+    expiresAt: number;
+    email: string;
+    profileArn: string;
+    region: KiroRegion;
+    authMethod: 'social';
+}
+export declare function authorizeKiroSocial(region?: KiroRegion): Promise<KiroSocialAuthorization>;
+export declare function exchangeKiroSocial(code: string, state: string): Promise<KiroSocialTokenResult>;

package/dist/src/kiro/oauth-social.js

@@ -0,0 +1,69 @@
+import { generatePKCE } from '@openauthjs/openauth/pkce';
+import { KIRO_AUTH_SERVICE, KIRO_CONSTANTS } from '../constants';
+export async function authorizeKiroSocial(region) {
+    const effectiveRegion = region || KIRO_CONSTANTS.DEFAULT_REGION;
+    const pkce = await generatePKCE();
+    const verifier = pkce.verifier;
+    const challenge = pkce.challenge;
+    const state = Buffer.from(JSON.stringify({
+        verifier,
+        region: effectiveRegion
+    })).toString('base64url');
+    const authServiceEndpoint = KIRO_AUTH_SERVICE.ENDPOINT.replace('{{region}}', effectiveRegion);
+    const redirectUri = 'http://localhost:8080/callback';
+    const params = new URLSearchParams({
+        idp: 'Google',
+        redirect_uri: redirectUri,
+        code_challenge: challenge,
+        code_challenge_method: 'S256',
+        state: state,
+        prompt: 'select_account',
+    });
+    const url = `${authServiceEndpoint}/login?${params.toString()}`;
+    return {
+        url,
+        verifier,
+        region: effectiveRegion,
+    };
+}
+export async function exchangeKiroSocial(code, state) {
+    const decodedState = JSON.parse(Buffer.from(state, 'base64url').toString('utf-8'));
+    const { verifier, region } = decodedState;
+    if (!verifier || !region) {
+        throw new Error('Invalid state parameter');
+    }
+    const authServiceEndpoint = KIRO_AUTH_SERVICE.ENDPOINT.replace('{{region}}', region);
+    const redirectUri = 'http://localhost:8080/callback';
+    const tokenResponse = await fetch(`${authServiceEndpoint}/oauth/token`, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+            'User-Agent': KIRO_CONSTANTS.USER_AGENT,
+        },
+        body: JSON.stringify({
+            code,
+            code_verifier: verifier,
+            redirect_uri: redirectUri,
+        }),
+    });
+    if (!tokenResponse.ok) {
+        const errorText = await tokenResponse.text();
+        throw new Error(`Token exchange failed: ${tokenResponse.status} ${errorText}`);
+    }
+    const tokenData = await tokenResponse.json();
+    if (!tokenData.accessToken || !tokenData.refreshToken || !tokenData.profileArn) {
+        throw new Error('Invalid token response: missing required fields');
+    }
+    const expiresIn = tokenData.expiresIn || 3600;
+    const expiresAt = Date.now() + expiresIn * 1000;
+    const email = tokenData.email || 'unknown@kiro.dev';
+    return {
+        refreshToken: tokenData.refreshToken,
+        accessToken: tokenData.accessToken,
+        expiresAt,
+        email,
+        profileArn: tokenData.profileArn,
+        region,
+        authMethod: 'social',
+    };
+}

package/dist/src/plugin/accounts.d.ts

@@ -0,0 +1,23 @@
+import type { ManagedAccount, AccountSelectionStrategy, KiroAuthDetails, RefreshParts } from './types';
+export declare function generateAccountId(): string;
+export declare function isAccountAvailable(account: ManagedAccount): boolean;
+export declare function encodeRefreshToken(parts: RefreshParts): string;
+export declare function decodeRefreshToken(encoded: string): RefreshParts;
+export declare class AccountManager {
+    private accounts;
+    private cursor;
+    private strategy;
+    constructor(accounts: ManagedAccount[], strategy?: AccountSelectionStrategy);
+    static loadFromDisk(strategy?: AccountSelectionStrategy): Promise<AccountManager>;
+    getCurrentOrNext(): ManagedAccount | null;
+    markRateLimited(account: ManagedAccount, retryAfterMs: number): void;
+    markUnhealthy(account: ManagedAccount, reason: string, recoveryTime?: number): void;
+    markHealthy(account: ManagedAccount): void;
+    updateFromAuth(account: ManagedAccount, auth: KiroAuthDetails): void;
+    addAccount(account: ManagedAccount): void;
+    removeAccount(account: ManagedAccount): void;
+    getAccounts(): ManagedAccount[];
+    getAccountCount(): number;
+    saveToDisk(): Promise<void>;
+    toAuthDetails(account: ManagedAccount): KiroAuthDetails;
+}

package/dist/src/plugin/accounts.js

@@ -0,0 +1,265 @@
+import { randomBytes } from 'node:crypto';
+import { loadAccounts, saveAccounts } from './storage';
+export function generateAccountId() {
+    return randomBytes(16).toString('hex');
+}
+export function isAccountAvailable(account) {
+    const now = Date.now();
+    if (!account.isHealthy) {
+        if (account.recoveryTime && now < account.recoveryTime) {
+            return false;
+        }
+        if (account.recoveryTime && now >= account.recoveryTime) {
+            return true;
+        }
+        return false;
+    }
+    if (account.rateLimitResetTime && now < account.rateLimitResetTime) {
+        return false;
+    }
+    return true;
+}
+export function encodeRefreshToken(parts) {
+    const segments = [parts.refreshToken];
+    if (parts.profileArn) {
+        segments.push(`profileArn:${parts.profileArn}`);
+    }
+    if (parts.clientId) {
+        segments.push(`clientId:${parts.clientId}`);
+    }
+    if (parts.clientSecret) {
+        segments.push(`clientSecret:${parts.clientSecret}`);
+    }
+    if (parts.authMethod) {
+        segments.push(`authMethod:${parts.authMethod}`);
+    }
+    return segments.join('|');
+}
+export function decodeRefreshToken(encoded) {
+    const segments = encoded.split('|');
+    const parts = {
+        refreshToken: segments[0] || '',
+    };
+    for (let i = 1; i < segments.length; i++) {
+        const segment = segments[i];
+        if (!segment)
+            continue;
+        const colonIndex = segment.indexOf(':');
+        if (colonIndex === -1)
+            continue;
+        const key = segment.substring(0, colonIndex);
+        const value = segment.substring(colonIndex + 1);
+        if (key === 'profileArn') {
+            parts.profileArn = value;
+        }
+        else if (key === 'clientId') {
+            parts.clientId = value;
+        }
+        else if (key === 'clientSecret') {
+            parts.clientSecret = value;
+        }
+        else if (key === 'authMethod') {
+            parts.authMethod = value;
+        }
+    }
+    return parts;
+}
+export class AccountManager {
+    accounts;
+    cursor;
+    strategy;
+    constructor(accounts, strategy = 'sticky') {
+        this.accounts = accounts;
+        this.cursor = 0;
+        this.strategy = strategy;
+    }
+    static async loadFromDisk(strategy) {
+        const storage = await loadAccounts();
+        const accounts = storage.accounts.map((meta) => ({
+            id: meta.id,
+            email: meta.email,
+            authMethod: meta.authMethod,
+            region: meta.region,
+            profileArn: meta.profileArn,
+            clientId: meta.clientId,
+            clientSecret: meta.clientSecret,
+            refreshToken: meta.refreshToken,
+            accessToken: meta.accessToken,
+            expiresAt: meta.expiresAt,
+            rateLimitResetTime: meta.rateLimitResetTime,
+            isHealthy: meta.isHealthy,
+            unhealthyReason: meta.unhealthyReason,
+            recoveryTime: meta.recoveryTime,
+            usedCount: meta.usedCount,
+            limitCount: meta.limitCount,
+        }));
+        return new AccountManager(accounts, strategy || 'sticky');
+    }
+    getCurrentOrNext() {
+        const now = Date.now();
+        const availableAccounts = this.accounts.filter((account) => {
+            if (!account.isHealthy) {
+                if (account.recoveryTime && now >= account.recoveryTime) {
+                    account.isHealthy = true;
+                    delete account.unhealthyReason;
+                    delete account.recoveryTime;
+                    return true;
+                }
+                return false;
+            }
+            if (account.rateLimitResetTime && now < account.rateLimitResetTime) {
+                return false;
+            }
+            return true;
+        });
+        if (availableAccounts.length === 0) {
+            return null;
+        }
+        if (this.strategy === 'sticky') {
+            const currentAccount = this.accounts[this.cursor];
+            if (currentAccount && isAccountAvailable(currentAccount)) {
+                currentAccount.lastUsed = now;
+                return currentAccount;
+            }
+            const nextAvailable = availableAccounts[0];
+            if (nextAvailable) {
+                this.cursor = this.accounts.indexOf(nextAvailable);
+                nextAvailable.lastUsed = now;
+                return nextAvailable;
+            }
+            return null;
+        }
+        if (this.strategy === 'round-robin') {
+            const account = availableAccounts[this.cursor % availableAccounts.length];
+            if (account) {
+                this.cursor = (this.cursor + 1) % availableAccounts.length;
+                account.lastUsed = now;
+                return account;
+            }
+            return null;
+        }
+        return null;
+    }
+    markRateLimited(account, retryAfterMs) {
+        const accountIndex = this.accounts.findIndex((a) => a.id === account.id);
+        if (accountIndex !== -1) {
+            const acc = this.accounts[accountIndex];
+            if (acc) {
+                acc.rateLimitResetTime = Date.now() + retryAfterMs;
+            }
+        }
+    }
+    markUnhealthy(account, reason, recoveryTime) {
+        const accountIndex = this.accounts.findIndex((a) => a.id === account.id);
+        if (accountIndex !== -1) {
+            const acc = this.accounts[accountIndex];
+            if (acc) {
+                acc.isHealthy = false;
+                acc.unhealthyReason = reason;
+                if (recoveryTime) {
+                    acc.recoveryTime = recoveryTime;
+                }
+            }
+        }
+    }
+    markHealthy(account) {
+        const accountIndex = this.accounts.findIndex((a) => a.id === account.id);
+        if (accountIndex !== -1) {
+            const acc = this.accounts[accountIndex];
+            if (acc) {
+                acc.isHealthy = true;
+                delete acc.unhealthyReason;
+                delete acc.recoveryTime;
+            }
+        }
+    }
+    updateFromAuth(account, auth) {
+        const accountIndex = this.accounts.findIndex((a) => a.id === account.id);
+        if (accountIndex !== -1) {
+            const acc = this.accounts[accountIndex];
+            if (acc) {
+                acc.accessToken = auth.access;
+                acc.expiresAt = auth.expires;
+                acc.lastUsed = Date.now();
+                const parts = decodeRefreshToken(auth.refresh);
+                acc.refreshToken = parts.refreshToken;
+                if (parts.profileArn) {
+                    acc.profileArn = parts.profileArn;
+                }
+                if (parts.clientId) {
+                    acc.clientId = parts.clientId;
+                }
+            }
+        }
+    }
+    addAccount(account) {
+        if (!account.id) {
+            account.id = generateAccountId();
+        }
+        this.accounts.push(account);
+    }
+    removeAccount(account) {
+        const accountIndex = this.accounts.findIndex((a) => a.id === account.id);
+        if (accountIndex !== -1) {
+            this.accounts.splice(accountIndex, 1);
+            if (this.cursor >= this.accounts.length && this.accounts.length > 0) {
+                this.cursor = this.accounts.length - 1;
+            }
+            else if (this.accounts.length === 0) {
+                this.cursor = 0;
+            }
+        }
+    }
+    getAccounts() {
+        return [...this.accounts];
+    }
+    getAccountCount() {
+        return this.accounts.length;
+    }
+    async saveToDisk() {
+        const metadata = this.accounts.map((account) => ({
+            id: account.id,
+            email: account.email,
+            authMethod: account.authMethod,
+            region: account.region,
+            profileArn: account.profileArn,
+            clientId: account.clientId,
+            clientSecret: account.clientSecret,
+            refreshToken: account.refreshToken,
+            accessToken: account.accessToken,
+            expiresAt: account.expiresAt,
+            rateLimitResetTime: account.rateLimitResetTime,
+            isHealthy: account.isHealthy,
+            unhealthyReason: account.unhealthyReason,
+            recoveryTime: account.recoveryTime,
+            usedCount: account.usedCount,
+            limitCount: account.limitCount,
+        }));
+        const storage = {
+            version: 1,
+            accounts: metadata,
+            activeIndex: this.cursor,
+        };
+        await saveAccounts(storage);
+    }
+    toAuthDetails(account) {
+        const parts = {
+            refreshToken: account.refreshToken,
+            profileArn: account.profileArn,
+            clientId: account.clientId,
+            clientSecret: account.clientSecret,
+            authMethod: account.authMethod,
+        };
+        return {
+            refresh: encodeRefreshToken(parts),
+            access: account.accessToken,
+            expires: account.expiresAt,
+            authMethod: account.authMethod,
+            region: account.region,
+            profileArn: account.profileArn,
+            clientId: account.clientId,
+            clientSecret: account.clientSecret,
+            email: account.email,
+        };
+    }
+}

package/dist/src/plugin/cli.d.ts

@@ -0,0 +1,6 @@
+import type { KiroAuthMethod, KiroRegion } from './types';
+export declare function promptAuthMethod(): Promise<KiroAuthMethod>;
+export declare function promptRegion(): Promise<KiroRegion>;
+export declare function promptConfirmation(message: string): Promise<boolean>;
+export declare function displayAuthUrl(url: string): void;
+export declare function cleanup(): void;

package/dist/src/plugin/cli.js

@@ -0,0 +1,98 @@
+import { createInterface } from 'node:readline';
+import * as logger from './logger';
+let rl = null;
+function getReadline() {
+    if (!rl) {
+        rl = createInterface({
+            input: process.stdin,
+            output: process.stdout,
+        });
+        rl.on('SIGINT', () => {
+            logger.log('Received SIGINT, closing readline');
+            closeReadline();
+            process.exit(130);
+        });
+    }
+    return rl;
+}
+function closeReadline() {
+    if (rl) {
+        rl.close();
+        rl = null;
+    }
+}
+function question(prompt) {
+    return new Promise((resolve) => {
+        const readline = getReadline();
+        readline.question(prompt, (answer) => {
+            resolve(answer.trim());
+        });
+    });
+}
+function clearLine() {
+    if (process.stdout.isTTY) {
+        process.stdout.clearLine(0);
+        process.stdout.cursorTo(0);
+    }
+}
+export async function promptAuthMethod() {
+    console.log('\nSelect authentication method:');
+    console.log('  1. Social (GitHub, Google, etc.)');
+    console.log('  2. IDC (Identity Center)');
+    while (true) {
+        const answer = await question('\nEnter your choice (1 or 2): ');
+        if (answer === '1' || answer.toLowerCase() === 'social') {
+            clearLine();
+            return 'social';
+        }
+        if (answer === '2' || answer.toLowerCase() === 'idc') {
+            clearLine();
+            return 'idc';
+        }
+        console.log('Invalid choice. Please enter 1 or 2.');
+    }
+}
+export async function promptRegion() {
+    console.log('\nSelect AWS region:');
+    console.log('  1. us-east-1 (default)');
+    console.log('  2. us-west-2');
+    while (true) {
+        const answer = await question('\nEnter your choice (1 or 2, default: 1): ');
+        if (!answer || answer === '1' || answer.toLowerCase() === 'us-east-1') {
+            clearLine();
+            return 'us-east-1';
+        }
+        if (answer === '2' || answer.toLowerCase() === 'us-west-2') {
+            clearLine();
+            return 'us-west-2';
+        }
+        console.log('Invalid choice. Please enter 1 or 2.');
+    }
+}
+export async function promptConfirmation(message) {
+    while (true) {
+        const answer = await question(`${message} (y/n): `);
+        const lower = answer.toLowerCase();
+        if (lower === 'y' || lower === 'yes') {
+            clearLine();
+            return true;
+        }
+        if (lower === 'n' || lower === 'no') {
+            clearLine();
+            return false;
+        }
+        console.log('Invalid input. Please enter y or n.');
+    }
+}
+export function displayAuthUrl(url) {
+    console.log('\n' + '='.repeat(70));
+    console.log('Authentication Required');
+    console.log('='.repeat(70));
+    console.log('\nPlease open the following URL in your browser to authenticate:\n');
+    console.log(`  ${url}\n`);
+    console.log('Waiting for authentication to complete...');
+    console.log('='.repeat(70) + '\n');
+}
+export function cleanup() {
+    closeReadline();
+}

package/dist/src/plugin/config/index.d.ts

@@ -0,0 +1,3 @@
+export { KiroConfigSchema, DEFAULT_CONFIG } from './schema';
+export type { KiroConfig } from './schema';
+export { loadConfig, getUserConfigPath, getProjectConfigPath, getDefaultLogsDir, configExists } from './loader';

package/dist/src/plugin/config/index.js

@@ -0,0 +1,2 @@
+export { KiroConfigSchema, DEFAULT_CONFIG } from './schema';
+export { loadConfig, getUserConfigPath, getProjectConfigPath, getDefaultLogsDir, configExists } from './loader';

package/dist/src/plugin/config/loader.d.ts

@@ -0,0 +1,7 @@
+import { type KiroConfig } from "./schema";
+export declare function getUserConfigPath(): string;
+export declare function getProjectConfigPath(directory: string): string;
+export declare function ensureConfigTemplate(): Promise<void>;
+export declare function loadConfig(directory: string): KiroConfig;
+export declare function configExists(path: string): boolean;
+export declare function getDefaultLogsDir(): string;