@zhafron/opencode-kiro-auth 1.2.7 → 1.3.0

package/dist/plugin/storage/sqlite.js

@@ -0,0 +1,104 @@
+import { Database } from 'bun:sqlite';
+import { existsSync, mkdirSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+function getBaseDir() {
+    const p = process.platform;
+    if (p === 'win32')
+        return join(process.env.APPDATA || join(homedir(), 'AppData', 'Roaming'), 'opencode');
+    return join(process.env.XDG_CONFIG_HOME || join(homedir(), '.config'), 'opencode');
+}
+export const DB_PATH = join(getBaseDir(), 'kiro.db');
+export class KiroDatabase {
+    db;
+    constructor(path = DB_PATH) {
+        const dir = join(path, '..');
+        if (!existsSync(dir))
+            mkdirSync(dir, { recursive: true });
+        this.db = new Database(path);
+        this.db.run('PRAGMA busy_timeout = 5000');
+        this.init();
+    }
+    init() {
+        this.db.run('PRAGMA journal_mode = WAL');
+        this.db.run(`
+      CREATE TABLE IF NOT EXISTS accounts (
+        id TEXT PRIMARY KEY, email TEXT NOT NULL, real_email TEXT, auth_method TEXT NOT NULL,
+        region TEXT NOT NULL, client_id TEXT, client_secret TEXT, profile_arn TEXT,
+        refresh_token TEXT NOT NULL, access_token TEXT NOT NULL, expires_at INTEGER NOT NULL,
+        rate_limit_reset INTEGER DEFAULT 0, is_healthy INTEGER DEFAULT 1, unhealthy_reason TEXT,
+        recovery_time INTEGER, last_used INTEGER DEFAULT 0
+      )
+    `);
+        this.db.run(`
+      CREATE TABLE IF NOT EXISTS usage (
+        account_id TEXT PRIMARY KEY, used_count INTEGER DEFAULT 0, limit_count INTEGER DEFAULT 0,
+        real_email TEXT, last_sync INTEGER,
+        FOREIGN KEY(account_id) REFERENCES accounts(id) ON DELETE CASCADE
+      )
+    `);
+        this.db.run('CREATE TABLE IF NOT EXISTS settings (key TEXT PRIMARY KEY, value TEXT)');
+    }
+    getAccounts() {
+        return this.db.prepare('SELECT * FROM accounts').all();
+    }
+    upsertAccount(acc) {
+        this.db
+            .prepare(`
+      INSERT INTO accounts (
+        id, email, real_email, auth_method, region, client_id, client_secret,
+        profile_arn, refresh_token, access_token, expires_at, rate_limit_reset,
+        is_healthy, unhealthy_reason, recovery_time, last_used
+      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+      ON CONFLICT(id) DO UPDATE SET
+        email=excluded.email, real_email=excluded.real_email, auth_method=excluded.auth_method,
+        region=excluded.region, client_id=excluded.client_id, client_secret=excluded.client_secret,
+        profile_arn=excluded.profile_arn, refresh_token=excluded.refresh_token,
+        access_token=excluded.access_token, expires_at=excluded.expires_at,
+        rate_limit_reset=excluded.rate_limit_reset, is_healthy=excluded.is_healthy,
+        unhealthy_reason=excluded.unhealthy_reason, recovery_time=excluded.recovery_time,
+        last_used=excluded.last_used
+    `)
+            .run(acc.id, acc.email, acc.realEmail || null, acc.authMethod, acc.region, acc.clientId || null, acc.clientSecret || null, acc.profileArn || null, acc.refreshToken, acc.accessToken, acc.expiresAt, acc.rateLimitResetTime || 0, acc.isHealthy ? 1 : 0, acc.unhealthyReason || null, acc.recoveryTime || null, acc.lastUsed || 0);
+    }
+    deleteAccount(id) {
+        this.db.prepare('DELETE FROM accounts WHERE id = ?').run(id);
+    }
+    getUsage() {
+        const rows = this.db.prepare('SELECT * FROM usage').all();
+        const usage = {};
+        for (const r of rows) {
+            usage[r.account_id] = {
+                usedCount: r.used_count,
+                limitCount: r.limit_count,
+                realEmail: r.real_email,
+                lastSync: r.last_sync
+            };
+        }
+        return usage;
+    }
+    upsertUsage(id, meta) {
+        this.db
+            .prepare(`
+      INSERT INTO usage (account_id, used_count, limit_count, real_email, last_sync)
+      VALUES (?, ?, ?, ?, ?)
+      ON CONFLICT(account_id) DO UPDATE SET
+        used_count=excluded.used_count, limit_count=excluded.limit_count,
+        real_email=excluded.real_email, last_sync=excluded.last_sync
+    `)
+            .run(id, meta.usedCount, meta.limitCount, meta.realEmail || null, meta.lastSync);
+    }
+    getSetting(key) {
+        const row = this.db.prepare('SELECT value FROM settings WHERE key = ?').get(key);
+        return row ? row.value : null;
+    }
+    setSetting(key, value) {
+        this.db
+            .prepare('INSERT INTO settings (key, value) VALUES (?, ?) ON CONFLICT(key) DO UPDATE SET value=excluded.value')
+            .run(key, value);
+    }
+    close() {
+        this.db.close();
+    }
+}
+export const kiroDb = new KiroDatabase();

package/dist/plugin/sync/kiro-cli.d.ts

@@ -0,0 +1,2 @@
+export declare function syncFromKiroCli(): Promise<void>;
+export declare function writeToKiroCli(acc: any): Promise<void>;

package/dist/plugin/sync/kiro-cli.js

@@ -0,0 +1,96 @@
+import { Database } from 'bun:sqlite';
+import { existsSync } from 'node:fs';
+import { homedir, platform } from 'node:os';
+import { join } from 'node:path';
+import { createDeterministicAccountId } from '../accounts';
+import * as logger from '../logger';
+import { kiroDb } from '../storage/sqlite';
+function getCliDbPath() {
+    const p = platform();
+    if (p === 'win32')
+        return join(process.env.APPDATA || join(homedir(), 'AppData', 'Roaming'), 'kiro-cli', 'data.sqlite3');
+    if (p === 'darwin')
+        return join(homedir(), 'Library', 'Application Support', 'kiro-cli', 'data.sqlite3');
+    return join(homedir(), '.local', 'share', 'kiro-cli', 'data.sqlite3');
+}
+export async function syncFromKiroCli() {
+    const dbPath = getCliDbPath();
+    if (!existsSync(dbPath))
+        return;
+    try {
+        const cliDb = new Database(dbPath, { readonly: true });
+        cliDb.run('PRAGMA busy_timeout = 5000');
+        const rows = cliDb.prepare('SELECT key, value FROM auth_kv').all();
+        for (const row of rows) {
+            if (row.key.includes(':token')) {
+                let data;
+                try {
+                    data = JSON.parse(row.value);
+                }
+                catch {
+                    continue;
+                }
+                if (!data.access_token)
+                    continue;
+                const email = data.email || 'cli-account@kiro.dev';
+                const authMethod = row.key.includes('odic') ? 'idc' : 'desktop';
+                const clientId = data.client_id ||
+                    (authMethod === 'idc'
+                        ? JSON.parse(rows.find((r) => r.key.includes('device-registration'))?.value || '{}')
+                            .client_id
+                        : undefined);
+                const clientSecret = data.client_secret ||
+                    (authMethod === 'idc'
+                        ? JSON.parse(rows.find((r) => r.key.includes('device-registration'))?.value || '{}')
+                            .client_secret
+                        : undefined);
+                const id = createDeterministicAccountId(email, authMethod, clientId, data.profile_arn);
+                const existing = kiroDb.getAccounts().find((a) => a.id === id);
+                const cliExpiresAt = data.expires_at ? new Date(data.expires_at).getTime() : 0;
+                if (existing && existing.expires_at >= cliExpiresAt)
+                    continue;
+                kiroDb.upsertAccount({
+                    id,
+                    email,
+                    realEmail: data.real_email || email,
+                    authMethod,
+                    region: data.region || 'us-east-1',
+                    clientId,
+                    clientSecret,
+                    profileArn: data.profile_arn,
+                    refreshToken: data.refresh_token,
+                    accessToken: data.access_token,
+                    expiresAt: cliExpiresAt || Date.now() + 3600000,
+                    isHealthy: 1
+                });
+            }
+        }
+        cliDb.close();
+    }
+    catch (e) {
+        logger.error('Sync failed', e);
+    }
+}
+export async function writeToKiroCli(acc) {
+    const dbPath = getCliDbPath();
+    if (!existsSync(dbPath))
+        return;
+    try {
+        const cliDb = new Database(dbPath);
+        cliDb.exec('PRAGMA busy_timeout = 5000');
+        const rows = cliDb.prepare('SELECT key, value FROM auth_kv').all();
+        const targetKey = acc.authMethod === 'idc' ? 'kirocli:odic:token' : 'kirocli:social:token';
+        const row = rows.find((r) => r.key === targetKey || r.key.endsWith(targetKey));
+        if (row) {
+            const data = JSON.parse(row.value);
+            data.access_token = acc.accessToken;
+            data.refresh_token = acc.refreshToken;
+            data.expires_at = new Date(acc.expiresAt).toISOString();
+            cliDb.prepare('UPDATE auth_kv SET value = ? WHERE key = ?').run(JSON.stringify(data), row.key);
+        }
+        cliDb.close();
+    }
+    catch (e) {
+        logger.warn('Write back failed', e);
+    }
+}

package/dist/plugin/token.js

@@ -1,17 +1,30 @@
-import { KiroTokenRefreshError } from './errors';
+import crypto from 'node:crypto';
 import { decodeRefreshToken, encodeRefreshToken } from '../kiro/auth';
+import { KiroTokenRefreshError } from './errors';
 export async function refreshAccessToken(auth) {
-    const url = `https://oidc.${auth.region}.amazonaws.com/token`;
     const p = decodeRefreshToken(auth.refresh);
-    if (!p.clientId || !p.clientSecret) {
+    const isIdc = auth.authMethod === 'idc';
+    const url = isIdc
+        ? `https://oidc.${auth.region}.amazonaws.com/token`
+        : `https://prod.${auth.region}.auth.desktop.kiro.dev/refreshToken`;
+    if (isIdc && (!p.clientId || !p.clientSecret)) {
         throw new KiroTokenRefreshError('Missing creds', 'MISSING_CREDENTIALS');
     }
-    const requestBody = {
-        refreshToken: p.refreshToken,
-        clientId: p.clientId,
-        clientSecret: p.clientSecret,
-        grantType: 'refresh_token'
-    };
+    const requestBody = isIdc
+        ? {
+            refreshToken: p.refreshToken,
+            clientId: p.clientId,
+            clientSecret: p.clientSecret,
+            grantType: 'refresh_token'
+        }
+        : {
+            refreshToken: p.refreshToken
+        };
+    const machineId = crypto
+        .createHash('sha256')
+        .update(auth.profileArn || auth.clientId || 'KIRO_DEFAULT_MACHINE')
+        .digest('hex');
+    const ua = isIdc ? 'aws-sdk-js/1.0.0' : `KiroIDE-0.7.45-${machineId}`;
     try {
         const res = await fetch(url, {
             method: 'POST',
@@ -20,6 +33,7 @@ export async function refreshAccessToken(auth) {
                 Accept: 'application/json',
                 'amz-sdk-request': 'attempt=1; max=1',
                 'x-amzn-kiro-agent-mode': 'vibe',
+                'user-agent': ua,
                 Connection: 'close'
             },
             body: JSON.stringify(requestBody)
@@ -37,30 +51,28 @@ export async function refreshAccessToken(auth) {
         }
         const d = await res.json();
         const acc = d.access_token || d.accessToken;
-        if (!acc) {
+        if (!acc)
             throw new KiroTokenRefreshError('No access token', 'INVALID_RESPONSE');
-        }
         const upP = {
             refreshToken: d.refresh_token || d.refreshToken || p.refreshToken,
             clientId: p.clientId,
             clientSecret: p.clientSecret,
-            authMethod: 'idc'
+            authMethod: auth.authMethod
         };
         return {
             refresh: encodeRefreshToken(upP),
             access: acc,
-            expires: Date.now() + (d.expires_in || 3600) * 1000,
-            authMethod: 'idc',
+            expires: Date.now() + (d.expires_in || d.expiresIn || 3600) * 1000,
+            authMethod: auth.authMethod,
             region: auth.region,
             clientId: auth.clientId,
             clientSecret: auth.clientSecret,
-            email: auth.email
+            email: auth.email || d.userInfo?.email
         };
     }
     catch (error) {
-        if (error instanceof KiroTokenRefreshError) {
+        if (error instanceof KiroTokenRefreshError)
             throw error;
-        }
         throw new KiroTokenRefreshError(`Token refresh failed: ${error instanceof Error ? error.message : 'Unknown error'}`, 'NETWORK_ERROR', error instanceof Error ? error : undefined);
     }
 }

package/dist/plugin/types.d.ts

@@ -1,4 +1,4 @@
-export type KiroAuthMethod = 'idc';
+export type KiroAuthMethod = 'idc' | 'desktop';
 export type KiroRegion = 'us-east-1' | 'us-west-2';
 export interface KiroAuthDetails {
     refresh: string;
@@ -38,38 +38,12 @@ export interface ManagedAccount {
     limitCount?: number;
     lastUsed?: number;
 }
-export interface AccountMetadata {
-    id: string;
-    email: string;
-    realEmail?: string;
-    authMethod: KiroAuthMethod;
-    region: KiroRegion;
-    clientId?: string;
-    clientSecret?: string;
-    profileArn?: string;
-    refreshToken: string;
-    accessToken: string;
-    expiresAt: number;
-    rateLimitResetTime: number;
-    isHealthy: boolean;
-    unhealthyReason?: string;
-    recoveryTime?: number;
-}
-export interface AccountStorage {
-    version: 1;
-    accounts: AccountMetadata[];
-    activeIndex: number;
-}
 export interface UsageMetadata {
     usedCount: number;
     limitCount: number;
     realEmail?: string;
     lastSync: number;
 }
-export interface UsageStorage {
-    version: 1;
-    usage: Record<string, UsageMetadata>;
-}
 export interface CodeWhispererMessage {
     userInputMessage?: {
         content: string;

package/dist/plugin/usage.d.ts

@@ -1,3 +1,3 @@
-import { ManagedAccount, KiroAuthDetails } from './types';
+import { KiroAuthDetails, ManagedAccount } from './types';
 export declare function fetchUsageLimits(auth: KiroAuthDetails): Promise<any>;
 export declare function updateAccountQuota(account: ManagedAccount, usage: any, accountManager?: any): void;