@zhafron/opencode-kiro-auth 1.2.8 → 1.3.0

package/dist/plugin/sync/kiro-cli.js

@@ -0,0 +1,96 @@
+import { Database } from 'bun:sqlite';
+import { existsSync } from 'node:fs';
+import { homedir, platform } from 'node:os';
+import { join } from 'node:path';
+import { createDeterministicAccountId } from '../accounts';
+import * as logger from '../logger';
+import { kiroDb } from '../storage/sqlite';
+function getCliDbPath() {
+    const p = platform();
+    if (p === 'win32')
+        return join(process.env.APPDATA || join(homedir(), 'AppData', 'Roaming'), 'kiro-cli', 'data.sqlite3');
+    if (p === 'darwin')
+        return join(homedir(), 'Library', 'Application Support', 'kiro-cli', 'data.sqlite3');
+    return join(homedir(), '.local', 'share', 'kiro-cli', 'data.sqlite3');
+}
+export async function syncFromKiroCli() {
+    const dbPath = getCliDbPath();
+    if (!existsSync(dbPath))
+        return;
+    try {
+        const cliDb = new Database(dbPath, { readonly: true });
+        cliDb.run('PRAGMA busy_timeout = 5000');
+        const rows = cliDb.prepare('SELECT key, value FROM auth_kv').all();
+        for (const row of rows) {
+            if (row.key.includes(':token')) {
+                let data;
+                try {
+                    data = JSON.parse(row.value);
+                }
+                catch {
+                    continue;
+                }
+                if (!data.access_token)
+                    continue;
+                const email = data.email || 'cli-account@kiro.dev';
+                const authMethod = row.key.includes('odic') ? 'idc' : 'desktop';
+                const clientId = data.client_id ||
+                    (authMethod === 'idc'
+                        ? JSON.parse(rows.find((r) => r.key.includes('device-registration'))?.value || '{}')
+                            .client_id
+                        : undefined);
+                const clientSecret = data.client_secret ||
+                    (authMethod === 'idc'
+                        ? JSON.parse(rows.find((r) => r.key.includes('device-registration'))?.value || '{}')
+                            .client_secret
+                        : undefined);
+                const id = createDeterministicAccountId(email, authMethod, clientId, data.profile_arn);
+                const existing = kiroDb.getAccounts().find((a) => a.id === id);
+                const cliExpiresAt = data.expires_at ? new Date(data.expires_at).getTime() : 0;
+                if (existing && existing.expires_at >= cliExpiresAt)
+                    continue;
+                kiroDb.upsertAccount({
+                    id,
+                    email,
+                    realEmail: data.real_email || email,
+                    authMethod,
+                    region: data.region || 'us-east-1',
+                    clientId,
+                    clientSecret,
+                    profileArn: data.profile_arn,
+                    refreshToken: data.refresh_token,
+                    accessToken: data.access_token,
+                    expiresAt: cliExpiresAt || Date.now() + 3600000,
+                    isHealthy: 1
+                });
+            }
+        }
+        cliDb.close();
+    }
+    catch (e) {
+        logger.error('Sync failed', e);
+    }
+}
+export async function writeToKiroCli(acc) {
+    const dbPath = getCliDbPath();
+    if (!existsSync(dbPath))
+        return;
+    try {
+        const cliDb = new Database(dbPath);
+        cliDb.exec('PRAGMA busy_timeout = 5000');
+        const rows = cliDb.prepare('SELECT key, value FROM auth_kv').all();
+        const targetKey = acc.authMethod === 'idc' ? 'kirocli:odic:token' : 'kirocli:social:token';
+        const row = rows.find((r) => r.key === targetKey || r.key.endsWith(targetKey));
+        if (row) {
+            const data = JSON.parse(row.value);
+            data.access_token = acc.accessToken;
+            data.refresh_token = acc.refreshToken;
+            data.expires_at = new Date(acc.expiresAt).toISOString();
+            cliDb.prepare('UPDATE auth_kv SET value = ? WHERE key = ?').run(JSON.stringify(data), row.key);
+        }
+        cliDb.close();
+    }
+    catch (e) {
+        logger.warn('Write back failed', e);
+    }
+}

package/dist/plugin/token.js

@@ -1,17 +1,30 @@
-import { KiroTokenRefreshError } from './errors';
+import crypto from 'node:crypto';
 import { decodeRefreshToken, encodeRefreshToken } from '../kiro/auth';
+import { KiroTokenRefreshError } from './errors';
 export async function refreshAccessToken(auth) {
-    const url = `https://oidc.${auth.region}.amazonaws.com/token`;
     const p = decodeRefreshToken(auth.refresh);
-    if (!p.clientId || !p.clientSecret) {
+    const isIdc = auth.authMethod === 'idc';
+    const url = isIdc
+        ? `https://oidc.${auth.region}.amazonaws.com/token`
+        : `https://prod.${auth.region}.auth.desktop.kiro.dev/refreshToken`;
+    if (isIdc && (!p.clientId || !p.clientSecret)) {
         throw new KiroTokenRefreshError('Missing creds', 'MISSING_CREDENTIALS');
     }
-    const requestBody = {
-        refreshToken: p.refreshToken,
-        clientId: p.clientId,
-        clientSecret: p.clientSecret,
-        grantType: 'refresh_token'
-    };
+    const requestBody = isIdc
+        ? {
+            refreshToken: p.refreshToken,
+            clientId: p.clientId,
+            clientSecret: p.clientSecret,
+            grantType: 'refresh_token'
+        }
+        : {
+            refreshToken: p.refreshToken
+        };
+    const machineId = crypto
+        .createHash('sha256')
+        .update(auth.profileArn || auth.clientId || 'KIRO_DEFAULT_MACHINE')
+        .digest('hex');
+    const ua = isIdc ? 'aws-sdk-js/1.0.0' : `KiroIDE-0.7.45-${machineId}`;
     try {
         const res = await fetch(url, {
             method: 'POST',
@@ -20,6 +33,7 @@ export async function refreshAccessToken(auth) {
                 Accept: 'application/json',
                 'amz-sdk-request': 'attempt=1; max=1',
                 'x-amzn-kiro-agent-mode': 'vibe',
+                'user-agent': ua,
                 Connection: 'close'
             },
             body: JSON.stringify(requestBody)
@@ -37,30 +51,28 @@ export async function refreshAccessToken(auth) {
         }
         const d = await res.json();
         const acc = d.access_token || d.accessToken;
-        if (!acc) {
+        if (!acc)
             throw new KiroTokenRefreshError('No access token', 'INVALID_RESPONSE');
-        }
         const upP = {
             refreshToken: d.refresh_token || d.refreshToken || p.refreshToken,
             clientId: p.clientId,
             clientSecret: p.clientSecret,
-            authMethod: 'idc'
+            authMethod: auth.authMethod
         };
         return {
             refresh: encodeRefreshToken(upP),
             access: acc,
-            expires: Date.now() + (d.expires_in || 3600) * 1000,
-            authMethod: 'idc',
+            expires: Date.now() + (d.expires_in || d.expiresIn || 3600) * 1000,
+            authMethod: auth.authMethod,
             region: auth.region,
             clientId: auth.clientId,
             clientSecret: auth.clientSecret,
-            email: auth.email
+            email: auth.email || d.userInfo?.email
         };
     }
     catch (error) {
-        if (error instanceof KiroTokenRefreshError) {
+        if (error instanceof KiroTokenRefreshError)
             throw error;
-        }
         throw new KiroTokenRefreshError(`Token refresh failed: ${error instanceof Error ? error.message : 'Unknown error'}`, 'NETWORK_ERROR', error instanceof Error ? error : undefined);
     }
 }

package/dist/plugin/types.d.ts

@@ -1,4 +1,4 @@
-export type KiroAuthMethod = 'idc';
+export type KiroAuthMethod = 'idc' | 'desktop';
 export type KiroRegion = 'us-east-1' | 'us-west-2';
 export interface KiroAuthDetails {
     refresh: string;
@@ -38,38 +38,12 @@ export interface ManagedAccount {
     limitCount?: number;
     lastUsed?: number;
 }
-export interface AccountMetadata {
-    id: string;
-    email: string;
-    realEmail?: string;
-    authMethod: KiroAuthMethod;
-    region: KiroRegion;
-    clientId?: string;
-    clientSecret?: string;
-    profileArn?: string;
-    refreshToken: string;
-    accessToken: string;
-    expiresAt: number;
-    rateLimitResetTime: number;
-    isHealthy: boolean;
-    unhealthyReason?: string;
-    recoveryTime?: number;
-}
-export interface AccountStorage {
-    version: 1;
-    accounts: AccountMetadata[];
-    activeIndex: number;
-}
 export interface UsageMetadata {
     usedCount: number;
     limitCount: number;
     realEmail?: string;
     lastSync: number;
 }
-export interface UsageStorage {
-    version: 1;
-    usage: Record<string, UsageMetadata>;
-}
 export interface CodeWhispererMessage {
     userInputMessage?: {
         content: string;

package/dist/plugin/usage.d.ts

@@ -1,3 +1,3 @@
-import { ManagedAccount, KiroAuthDetails } from './types';
+import { KiroAuthDetails, ManagedAccount } from './types';
 export declare function fetchUsageLimits(auth: KiroAuthDetails): Promise<any>;
 export declare function updateAccountQuota(account: ManagedAccount, usage: any, accountManager?: any): void;