agentgui 1.0.209 → 1.0.211

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agentgui",
-  "version": "1.0.209",
+  "version": "1.0.211",
   "description": "Multi-agent ACP client with real-time communication",
   "type": "module",
   "main": "server.js",

package/server.js

@@ -246,6 +246,9 @@ function extractOAuthFromFile(oauth2Path) {
 }
 
 function getGeminiOAuthCreds() {
+  if (process.env.GOOGLE_OAUTH_CLIENT_ID && process.env.GOOGLE_OAUTH_CLIENT_SECRET) {
+    return { clientId: process.env.GOOGLE_OAUTH_CLIENT_ID, clientSecret: process.env.GOOGLE_OAUTH_CLIENT_SECRET, custom: true };
+  }
   const oauthRelPath = path.join('node_modules', '@google', 'gemini-cli-core', 'dist', 'src', 'code_assist', 'oauth2.js');
   try {
     const geminiPath = findCommand('gemini');
@@ -333,13 +336,24 @@ function geminiOAuthResultPage(title, message, success) {
 </div></body></html>`;
 }
 
-async function startGeminiOAuth(baseUrl) {
+function isRemoteRequest(req) {
+  return !!(req && (req.headers['x-forwarded-for'] || req.headers['x-forwarded-host'] || req.headers['x-forwarded-proto']));
+}
+
+async function startGeminiOAuth(req) {
   const creds = getGeminiOAuthCreds();
   if (!creds) throw new Error('Could not find Gemini CLI OAuth credentials. Install gemini CLI first.');
 
-  const redirectUri = `${baseUrl}${BASE_URL}/oauth2callback`;
-  const state = crypto.randomBytes(32).toString('hex');
+  const useCustomClient = !!creds.custom;
+  const remote = isRemoteRequest(req);
+  let redirectUri;
+  if (useCustomClient && req) {
+    redirectUri = `${buildBaseUrl(req)}${BASE_URL}/oauth2callback`;
+  } else {
+    redirectUri = `http://localhost:${PORT}${BASE_URL}/oauth2callback`;
+  }
 
+  const state = crypto.randomBytes(32).toString('hex');
   const client = new OAuth2Client({
     clientId: creds.clientId,
     clientSecret: creds.clientSecret,
@@ -352,6 +366,7 @@ async function startGeminiOAuth(baseUrl) {
     state,
   });
 
+  const mode = useCustomClient ? 'custom' : (remote ? 'cli-remote' : 'cli-local');
   geminiOAuthPending = { client, redirectUri, state };
   geminiOAuthState = { status: 'pending', error: null, email: null };
 
@@ -362,74 +377,77 @@ async function startGeminiOAuth(baseUrl) {
     }
   }, 5 * 60 * 1000);
 
-  return authUrl;
+  return { authUrl, mode };
 }
 
-async function handleGeminiOAuthCallback(req, res) {
-  const reqUrl = new URL(req.url, buildBaseUrl(req));
-
-  if (!geminiOAuthPending) {
-    res.writeHead(200, { 'Content-Type': 'text/html' });
-    res.end(geminiOAuthResultPage('Authentication Failed', 'No pending OAuth flow.', false));
-    return;
-  }
-
-  const error = reqUrl.searchParams.get('error');
-  if (error) {
-    const desc = reqUrl.searchParams.get('error_description') || error;
-    geminiOAuthState = { status: 'error', error: desc, email: null };
-    geminiOAuthPending = null;
-    res.writeHead(200, { 'Content-Type': 'text/html' });
-    res.end(geminiOAuthResultPage('Authentication Failed', desc, false));
-    return;
-  }
+async function exchangeGeminiOAuthCode(code, state) {
+  if (!geminiOAuthPending) throw new Error('No pending OAuth flow. Please start authentication again.');
 
   const { client, redirectUri, state: expectedState } = geminiOAuthPending;
 
-  if (reqUrl.searchParams.get('state') !== expectedState) {
+  if (state !== expectedState) {
     geminiOAuthState = { status: 'error', error: 'State mismatch', email: null };
     geminiOAuthPending = null;
-    res.writeHead(200, { 'Content-Type': 'text/html' });
-    res.end(geminiOAuthResultPage('Authentication Failed', 'State mismatch.', false));
-    return;
+    throw new Error('State mismatch - possible CSRF attack.');
   }
 
-  const code = reqUrl.searchParams.get('code');
   if (!code) {
-    geminiOAuthState = { status: 'error', error: 'No authorization code', email: null };
+    geminiOAuthState = { status: 'error', error: 'No authorization code received', email: null };
     geminiOAuthPending = null;
+    throw new Error('No authorization code received.');
+  }
+
+  const { tokens } = await client.getToken({ code, redirect_uri: redirectUri });
+  client.setCredentials(tokens);
+
+  let email = '';
+  try {
+    const { token } = await client.getAccessToken();
+    if (token) {
+      const resp = await fetch('https://www.googleapis.com/oauth2/v2/userinfo', {
+        headers: { Authorization: `Bearer ${token}` }
+      });
+      if (resp.ok) {
+        const info = await resp.json();
+        email = info.email || '';
+      }
+    }
+  } catch (_) {}
+
+  saveGeminiCredentials(tokens, email);
+  geminiOAuthState = { status: 'success', error: null, email };
+  geminiOAuthPending = null;
+
+  return email;
+}
+
+async function handleGeminiOAuthCallback(req, res) {
+  const reqUrl = new URL(req.url, `http://localhost:${PORT}`);
+
+  if (!geminiOAuthPending) {
     res.writeHead(200, { 'Content-Type': 'text/html' });
-    res.end(geminiOAuthResultPage('Authentication Failed', 'No authorization code received.', false));
+    res.end(geminiOAuthResultPage('Authentication Failed', 'No pending OAuth flow.', false));
     return;
   }
 
   try {
-    const { tokens } = await client.getToken({ code, redirect_uri: redirectUri });
-    client.setCredentials(tokens);
-
-    let email = '';
-    try {
-      const { token } = await client.getAccessToken();
-      if (token) {
-        const resp = await fetch('https://www.googleapis.com/oauth2/v2/userinfo', {
-          headers: { Authorization: `Bearer ${token}` }
-        });
-        if (resp.ok) {
-          const info = await resp.json();
-          email = info.email || '';
-        }
-      }
-    } catch (_) {}
+    const error = reqUrl.searchParams.get('error');
+    if (error) {
+      const desc = reqUrl.searchParams.get('error_description') || error;
+      geminiOAuthState = { status: 'error', error: desc, email: null };
+      geminiOAuthPending = null;
+      res.writeHead(200, { 'Content-Type': 'text/html' });
+      res.end(geminiOAuthResultPage('Authentication Failed', desc, false));
+      return;
+    }
 
-    saveGeminiCredentials(tokens, email);
-    geminiOAuthState = { status: 'success', error: null, email };
-    geminiOAuthPending = null;
+    const code = reqUrl.searchParams.get('code');
+    const state = reqUrl.searchParams.get('state');
+    const email = await exchangeGeminiOAuthCode(code, state);
 
     res.writeHead(200, { 'Content-Type': 'text/html' });
     res.end(geminiOAuthResultPage('Authentication Successful', email ? `Signed in as ${email}` : 'Gemini CLI credentials saved.', true));
   } catch (e) {
-    geminiOAuthState = { status: 'error', error: e.message, email: null };
-    geminiOAuthPending = null;
     res.writeHead(200, { 'Content-Type': 'text/html' });
     res.end(geminiOAuthResultPage('Authentication Failed', e.message, false));
   }
@@ -1127,8 +1145,8 @@ const server = http.createServer(async (req, res) => {
 
     if (pathOnly === '/api/gemini-oauth/start' && req.method === 'POST') {
       try {
-        const authUrl = await startGeminiOAuth(buildBaseUrl(req));
-        sendJSON(req, res, 200, { authUrl });
+        const result = await startGeminiOAuth(req);
+        sendJSON(req, res, 200, { authUrl: result.authUrl, mode: result.mode });
       } catch (e) {
         console.error('[gemini-oauth] /api/gemini-oauth/start failed:', e);
         sendJSON(req, res, 500, { error: e.message });
@@ -1141,6 +1159,42 @@ const server = http.createServer(async (req, res) => {
       return;
     }
 
+    if (pathOnly === '/api/gemini-oauth/complete' && req.method === 'POST') {
+      try {
+        const body = await parseBody(req);
+        const pastedUrl = (body.url || '').trim();
+        if (!pastedUrl) {
+          sendJSON(req, res, 400, { error: 'No URL provided' });
+          return;
+        }
+
+        let parsed;
+        try { parsed = new URL(pastedUrl); } catch (_) {
+          sendJSON(req, res, 400, { error: 'Invalid URL. Paste the full URL from the browser address bar.' });
+          return;
+        }
+
+        const error = parsed.searchParams.get('error');
+        if (error) {
+          const desc = parsed.searchParams.get('error_description') || error;
+          geminiOAuthState = { status: 'error', error: desc, email: null };
+          geminiOAuthPending = null;
+          sendJSON(req, res, 200, { error: desc });
+          return;
+        }
+
+        const code = parsed.searchParams.get('code');
+        const state = parsed.searchParams.get('state');
+        const email = await exchangeGeminiOAuthCode(code, state);
+        sendJSON(req, res, 200, { success: true, email });
+      } catch (e) {
+        geminiOAuthState = { status: 'error', error: e.message, email: null };
+        geminiOAuthPending = null;
+        sendJSON(req, res, 400, { error: e.message });
+      }
+      return;
+    }
+
     const agentAuthMatch = pathOnly.match(/^\/api\/agents\/([^/]+)\/auth$/);
     if (agentAuthMatch && req.method === 'POST') {
       const agentId = agentAuthMatch[1];
@@ -1149,10 +1203,10 @@ const server = http.createServer(async (req, res) => {
 
       if (agentId === 'gemini') {
         try {
-          const authUrl = await startGeminiOAuth(buildBaseUrl(req));
+          const result = await startGeminiOAuth(req);
           const conversationId = '__agent_auth__';
           broadcastSync({ type: 'script_started', conversationId, script: 'auth-gemini', agentId: 'gemini', timestamp: Date.now() });
-          broadcastSync({ type: 'script_output', conversationId, data: `\x1b[36mOpening Google OAuth in your browser...\x1b[0m\r\n\r\nIf it doesn't open automatically, visit:\r\n${authUrl}\r\n`, stream: 'stdout', timestamp: Date.now() });
+          broadcastSync({ type: 'script_output', conversationId, data: `\x1b[36mOpening Google OAuth in your browser...\x1b[0m\r\n\r\nIf it doesn't open automatically, visit:\r\n${result.authUrl}\r\n`, stream: 'stdout', timestamp: Date.now() });
 
           const pollId = setInterval(() => {
             if (geminiOAuthState.status === 'success') {
@@ -1169,7 +1223,7 @@ const server = http.createServer(async (req, res) => {
 
           setTimeout(() => clearInterval(pollId), 5 * 60 * 1000);
 
-          sendJSON(req, res, 200, { ok: true, agentId, authUrl });
+          sendJSON(req, res, 200, { ok: true, agentId, authUrl: result.authUrl, mode: result.mode });
           return;
         } catch (e) {
           console.error('[gemini-oauth] /api/agents/gemini/auth failed:', e);

package/static/js/agent-auth.js

@@ -130,6 +130,81 @@
 
   function closeDropdown() { dropdown.classList.remove('open'); editingProvider = null; }
 
+  var oauthPollInterval = null, oauthPollTimeout = null;
+
+  function cleanupOAuthPolling() {
+    if (oauthPollInterval) { clearInterval(oauthPollInterval); oauthPollInterval = null; }
+    if (oauthPollTimeout) { clearTimeout(oauthPollTimeout); oauthPollTimeout = null; }
+  }
+
+  function showOAuthPasteModal() {
+    removeOAuthPasteModal();
+    var overlay = document.createElement('div');
+    overlay.id = 'oauthPasteModal';
+    overlay.style.cssText = 'position:fixed;inset:0;background:rgba(0,0,0,0.7);display:flex;align-items:center;justify-content:center;z-index:9999;';
+    var s = function(c) { return 'font-size:0.8rem;color:var(--color-text-secondary,#d1d5db);margin:0 0 ' + (c ? '0' : '0.5rem') + ';'; };
+    overlay.innerHTML = '<div style="background:var(--color-bg-secondary,#1f2937);border-radius:1rem;padding:2rem;max-width:28rem;width:calc(100% - 2rem);box-shadow:0 25px 50px rgba(0,0,0,0.5);color:var(--color-text-primary,white);font-family:system-ui,sans-serif;" onclick="event.stopPropagation()">' +
+      '<div style="display:flex;justify-content:space-between;align-items:center;margin-bottom:1rem;">' +
+      '<h2 style="font-size:1.125rem;font-weight:700;margin:0;">Complete Google Sign-In</h2>' +
+      '<button id="oauthPasteClose" style="background:none;border:none;color:var(--color-text-secondary,#9ca3af);font-size:1.5rem;cursor:pointer;padding:0;line-height:1;">\u00d7</button></div>' +
+      '<div style="margin-bottom:1rem;padding:1rem;background:var(--color-bg-tertiary,rgba(255,255,255,0.05));border-radius:0.5rem;">' +
+      '<p style="' + s() + '">1. A Google sign-in page has opened in a new tab.</p>' +
+      '<p style="' + s() + '">2. Complete the sign-in process with Google.</p>' +
+      '<p style="' + s() + '">3. After signing in, you will be redirected to a page that <span style="color:#facc15;font-weight:600;">may not load</span> (this is expected).</p>' +
+      '<p style="' + s(1) + '">4. Copy the <span style="color:white;font-weight:600;">entire URL</span> from the address bar and paste it below.</p></div>' +
+      '<label style="display:block;font-size:0.8rem;color:var(--color-text-secondary,#d1d5db);margin-bottom:0.5rem;">Paste the redirect URL here:</label>' +
+      '<input type="text" id="oauthPasteInput" placeholder="http://localhost:3000/gm/oauth2callback?code=..." style="width:100%;box-sizing:border-box;padding:0.75rem 1rem;background:var(--color-bg-primary,#374151);border:1px solid var(--color-border,#4b5563);border-radius:0.5rem;color:var(--color-text-primary,white);font-size:0.8rem;font-family:monospace;outline:none;" />' +
+      '<p id="oauthPasteError" style="font-size:0.75rem;color:#ef4444;margin:0.5rem 0 0;display:none;"></p>' +
+      '<div style="display:flex;gap:0.75rem;margin-top:1.25rem;">' +
+      '<button id="oauthPasteCancel" style="flex:1;padding:0.625rem;border-radius:0.5rem;border:1px solid var(--color-border,#4b5563);background:transparent;color:var(--color-text-primary,white);font-size:0.8rem;cursor:pointer;font-weight:600;">Cancel</button>' +
+      '<button id="oauthPasteSubmit" style="flex:1;padding:0.625rem;border-radius:0.5rem;border:none;background:var(--color-primary,#3b82f6);color:white;font-size:0.8rem;cursor:pointer;font-weight:600;">Complete Sign-In</button></div>' +
+      '<p style="font-size:0.7rem;color:var(--color-text-secondary,#6b7280);margin-top:1rem;text-align:center;">If the redirect page loaded successfully, this dialog will close automatically.</p></div>';
+    document.body.appendChild(overlay);
+    var dismiss = function() { cleanupOAuthPolling(); authRunning = false; removeOAuthPasteModal(); };
+    document.getElementById('oauthPasteClose').addEventListener('click', dismiss);
+    document.getElementById('oauthPasteCancel').addEventListener('click', dismiss);
+    document.getElementById('oauthPasteSubmit').addEventListener('click', submitOAuthPasteUrl);
+    document.getElementById('oauthPasteInput').addEventListener('keydown', function(e) { if (e.key === 'Enter') submitOAuthPasteUrl(); });
+    setTimeout(function() { var i = document.getElementById('oauthPasteInput'); if (i) i.focus(); }, 100);
+  }
+
+  function removeOAuthPasteModal() {
+    var el = document.getElementById('oauthPasteModal');
+    if (el) el.remove();
+  }
+
+  function submitOAuthPasteUrl() {
+    var input = document.getElementById('oauthPasteInput');
+    var errorEl = document.getElementById('oauthPasteError');
+    var submitBtn = document.getElementById('oauthPasteSubmit');
+    if (!input) return;
+    var url = input.value.trim();
+    if (!url) {
+      if (errorEl) { errorEl.textContent = 'Please paste the URL from the redirected page.'; errorEl.style.display = 'block'; }
+      return;
+    }
+    if (submitBtn) { submitBtn.disabled = true; submitBtn.textContent = 'Verifying...'; }
+    if (errorEl) errorEl.style.display = 'none';
+
+    fetch(BASE + '/api/gemini-oauth/complete', {
+      method: 'POST', headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ url: url })
+    }).then(function(r) { return r.json(); }).then(function(data) {
+      if (data.success) {
+        cleanupOAuthPolling();
+        authRunning = false;
+        removeOAuthPasteModal();
+        refresh();
+      } else {
+        if (errorEl) { errorEl.textContent = data.error || 'Failed to complete authentication.'; errorEl.style.display = 'block'; }
+        if (submitBtn) { submitBtn.disabled = false; submitBtn.textContent = 'Complete Sign-In'; }
+      }
+    }).catch(function(e) {
+      if (errorEl) { errorEl.textContent = e.message; errorEl.style.display = 'block'; }
+      if (submitBtn) { submitBtn.disabled = false; submitBtn.textContent = 'Complete Sign-In'; }
+    });
+  }
+
   function triggerAuth(agentId) {
     if (authRunning) return;
     fetch(BASE + '/api/agents/' + agentId + '/auth', {
@@ -141,6 +216,29 @@
         if (term) { term.clear(); term.writeln('\x1b[36m[authenticating ' + agentId + ']\x1b[0m\r\n'); }
         if (data.authUrl) {
           window.open(data.authUrl, '_blank');
+          if (agentId === 'gemini') {
+            var needsPaste = data.mode === 'cli-remote';
+            if (needsPaste) showOAuthPasteModal();
+            cleanupOAuthPolling();
+            oauthPollInterval = setInterval(function() {
+              fetch(BASE + '/api/gemini-oauth/status').then(function(r) { return r.json(); }).then(function(status) {
+                if (status.status === 'success') {
+                  cleanupOAuthPolling();
+                  authRunning = false;
+                  removeOAuthPasteModal();
+                  refresh();
+                } else if (status.status === 'error') {
+                  cleanupOAuthPolling();
+                  authRunning = false;
+                  removeOAuthPasteModal();
+                }
+              }).catch(function() {});
+            }, 1500);
+            oauthPollTimeout = setTimeout(function() {
+              cleanupOAuthPolling();
+              if (authRunning) { authRunning = false; removeOAuthPasteModal(); }
+            }, 5 * 60 * 1000);
+          }
         }
       }
     }).catch(function() {});
@@ -159,6 +257,8 @@
       if (term) term.write(data.data);
     } else if (data.type === 'script_stopped') {
       authRunning = false;
+      removeOAuthPasteModal();
+      cleanupOAuthPolling();
       var term = getTerminal();
       var msg = data.error ? data.error : ('exited with code ' + (data.code || 0));
       if (term) term.writeln('\r\n\x1b[90m[auth ' + msg + ']\x1b[0m');