hedgequantx 2.6.68 → 2.6.70

package/src/services/ai/oauth-iflow.js

@@ -0,0 +1,269 @@
+/**
+ * iFlow OAuth Authentication
+ * 
+ * Implements OAuth 2.0 for iFlow subscription.
+ * Based on the public OAuth flow used by iFlow CLI.
+ * 
+ * Data source: iFlow OAuth API (https://iflow.cn/oauth)
+ */
+
+const crypto = require('crypto');
+const https = require('https');
+
+// Public OAuth Client ID and Secret (from iFlow CLI)
+const CLIENT_ID = '10009311001';
+const CLIENT_SECRET = '4Z3YjXycVsQvyGF1etiNlIBB4RsqSDtW';
+const AUTH_URL = 'https://iflow.cn/oauth';
+const TOKEN_URL = 'https://iflow.cn/oauth/token';
+const USER_INFO_URL = 'https://iflow.cn/api/oauth/getUserInfo';
+const CALLBACK_PORT = 11451;
+
+/**
+ * Generate state token
+ * @returns {string}
+ */
+const generateState = () => {
+  return crypto.randomBytes(16).toString('hex');
+};
+
+/**
+ * Generate OAuth authorization URL
+ * @param {number} port - Callback port (default 11451)
+ * @returns {Object} { url: string, state: string, redirectUri: string }
+ */
+const authorize = (port = CALLBACK_PORT) => {
+  const state = generateState();
+  const redirectUri = `http://localhost:${port}/oauth2callback`;
+  
+  const url = new URL(AUTH_URL);
+  url.searchParams.set('loginMethod', 'phone');
+  url.searchParams.set('type', 'phone');
+  url.searchParams.set('redirect', redirectUri);
+  url.searchParams.set('state', state);
+  url.searchParams.set('client_id', CLIENT_ID);
+  
+  return {
+    url: url.toString(),
+    state,
+    redirectUri
+  };
+};
+
+/**
+ * Make HTTPS request
+ */
+const makeRequest = (urlStr, options) => {
+  return new Promise((resolve, reject) => {
+    const url = new URL(urlStr);
+    const req = https.request({
+      hostname: url.hostname,
+      port: url.port || 443,
+      path: url.pathname + url.search,
+      method: options.method || 'POST',
+      headers: options.headers || {}
+    }, (res) => {
+      let data = '';
+      res.on('data', chunk => data += chunk);
+      res.on('end', () => {
+        try {
+          const json = JSON.parse(data);
+          if (res.statusCode >= 200 && res.statusCode < 300) {
+            resolve(json);
+          } else {
+            reject(new Error(json.error_description || json.error || json.message || `HTTP ${res.statusCode}`));
+          }
+        } catch (e) {
+          reject(new Error(`Invalid JSON response: ${data.substring(0, 200)}`));
+        }
+      });
+    });
+    
+    req.on('error', reject);
+    
+    if (options.body) {
+      req.write(options.body);
+    }
+    req.end();
+  });
+};
+
+/**
+ * Exchange authorization code for tokens
+ * @param {string} code - Authorization code from callback
+ * @param {string} redirectUri - Redirect URI used in authorization
+ * @returns {Promise<Object>}
+ */
+const exchange = async (code, redirectUri) => {
+  try {
+    const body = new URLSearchParams({
+      grant_type: 'authorization_code',
+      code: code,
+      redirect_uri: redirectUri,
+      client_id: CLIENT_ID,
+      client_secret: CLIENT_SECRET
+    }).toString();
+    
+    const basicAuth = Buffer.from(`${CLIENT_ID}:${CLIENT_SECRET}`).toString('base64');
+    
+    const response = await makeRequest(TOKEN_URL, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/x-www-form-urlencoded',
+        'Accept': 'application/json',
+        'Authorization': `Basic ${basicAuth}`
+      },
+      body
+    });
+    
+    if (!response.access_token) {
+      return {
+        type: 'failed',
+        error: 'No access token in response'
+      };
+    }
+    
+    // Fetch user info to get API key
+    const userInfo = await fetchUserInfo(response.access_token);
+    
+    return {
+      type: 'success',
+      access: response.access_token,
+      refresh: response.refresh_token,
+      expires: Date.now() + (response.expires_in * 1000),
+      apiKey: userInfo.apiKey,
+      email: userInfo.email || userInfo.phone
+    };
+  } catch (error) {
+    return {
+      type: 'failed',
+      error: error.message
+    };
+  }
+};
+
+/**
+ * Fetch user info including API key
+ * @param {string} accessToken - Access token
+ * @returns {Promise<Object>}
+ */
+const fetchUserInfo = async (accessToken) => {
+  const url = `${USER_INFO_URL}?accessToken=${encodeURIComponent(accessToken)}`;
+  
+  const response = await makeRequest(url, {
+    method: 'GET',
+    headers: {
+      'Accept': 'application/json'
+    }
+  });
+  
+  if (!response.success || !response.data) {
+    throw new Error('Failed to fetch user info');
+  }
+  
+  return response.data;
+};
+
+/**
+ * Refresh access token using refresh token
+ * @param {string} refreshTokenValue - The refresh token
+ * @returns {Promise<Object>}
+ */
+const refreshToken = async (refreshTokenValue) => {
+  try {
+    const body = new URLSearchParams({
+      grant_type: 'refresh_token',
+      refresh_token: refreshTokenValue,
+      client_id: CLIENT_ID,
+      client_secret: CLIENT_SECRET
+    }).toString();
+    
+    const basicAuth = Buffer.from(`${CLIENT_ID}:${CLIENT_SECRET}`).toString('base64');
+    
+    const response = await makeRequest(TOKEN_URL, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/x-www-form-urlencoded',
+        'Accept': 'application/json',
+        'Authorization': `Basic ${basicAuth}`
+      },
+      body
+    });
+    
+    if (!response.access_token) {
+      return {
+        type: 'failed',
+        error: 'No access token in refresh response'
+      };
+    }
+    
+    // Fetch updated user info
+    const userInfo = await fetchUserInfo(response.access_token);
+    
+    return {
+      type: 'success',
+      access: response.access_token,
+      refresh: response.refresh_token,
+      expires: Date.now() + (response.expires_in * 1000),
+      apiKey: userInfo.apiKey,
+      email: userInfo.email || userInfo.phone
+    };
+  } catch (error) {
+    return {
+      type: 'failed',
+      error: error.message
+    };
+  }
+};
+
+/**
+ * Get valid access token (refresh if expired)
+ * @param {Object} oauthData - OAuth data { access, refresh, expires }
+ * @returns {Promise<Object>}
+ */
+const getValidToken = async (oauthData) => {
+  if (!oauthData || !oauthData.refresh) {
+    return null;
+  }
+  
+  const expirationBuffer = 5 * 60 * 1000; // 5 minutes
+  if (oauthData.expires && oauthData.expires > Date.now() + expirationBuffer) {
+    return {
+      ...oauthData,
+      refreshed: false
+    };
+  }
+  
+  const result = await refreshToken(oauthData.refresh);
+  if (result.type === 'success') {
+    return {
+      access: result.access,
+      refresh: result.refresh,
+      expires: result.expires,
+      apiKey: result.apiKey,
+      email: result.email,
+      refreshed: true
+    };
+  }
+  
+  return null;
+};
+
+/**
+ * Check if credentials are OAuth tokens
+ */
+const isOAuthCredentials = (credentials) => {
+  return credentials && credentials.oauth && credentials.oauth.refresh;
+};
+
+module.exports = {
+  CLIENT_ID,
+  CLIENT_SECRET,
+  CALLBACK_PORT,
+  generateState,
+  authorize,
+  exchange,
+  fetchUserInfo,
+  refreshToken,
+  getValidToken,
+  isOAuthCredentials
+};

package/src/services/ai/oauth-openai.js

@@ -0,0 +1,233 @@
+/**
+ * OpenAI OAuth Authentication (Codex)
+ * 
+ * Implements OAuth 2.0 with PKCE for OpenAI ChatGPT Plus/Pro plans.
+ * Based on the public OAuth flow used by OpenAI Codex CLI.
+ * 
+ * Data source: OpenAI OAuth API (https://auth.openai.com/oauth/token)
+ */
+
+const crypto = require('crypto');
+const https = require('https');
+
+// Public OAuth Client ID (from OpenAI Codex CLI)
+const CLIENT_ID = 'app_EMoamEEZ73f0CkXaXp7hrann';
+const REDIRECT_URI = 'http://localhost:1455/auth/callback';
+const AUTH_URL = 'https://auth.openai.com/oauth/authorize';
+const TOKEN_URL = 'https://auth.openai.com/oauth/token';
+
+/**
+ * Generate PKCE code verifier and challenge
+ * @returns {Object} { verifier: string, challenge: string }
+ */
+const generatePKCE = () => {
+  // Generate a random 32-byte code verifier (base64url encoded)
+  const verifier = crypto.randomBytes(32)
+    .toString('base64')
+    .replace(/\+/g, '-')
+    .replace(/\//g, '_')
+    .replace(/=/g, '');
+  
+  // Generate SHA256 hash of verifier, then base64url encode it
+  const challenge = crypto.createHash('sha256')
+    .update(verifier)
+    .digest('base64')
+    .replace(/\+/g, '-')
+    .replace(/\//g, '_')
+    .replace(/=/g, '');
+  
+  return { verifier, challenge };
+};
+
+/**
+ * Generate OAuth authorization URL
+ * @returns {Object} { url: string, verifier: string }
+ */
+const authorize = () => {
+  const pkce = generatePKCE();
+  const state = crypto.randomBytes(16).toString('hex');
+  
+  const url = new URL(AUTH_URL);
+  url.searchParams.set('client_id', CLIENT_ID);
+  url.searchParams.set('response_type', 'code');
+  url.searchParams.set('redirect_uri', REDIRECT_URI);
+  url.searchParams.set('scope', 'openid email profile offline_access');
+  url.searchParams.set('state', state);
+  url.searchParams.set('code_challenge', pkce.challenge);
+  url.searchParams.set('code_challenge_method', 'S256');
+  url.searchParams.set('prompt', 'login');
+  url.searchParams.set('id_token_add_organizations', 'true');
+  url.searchParams.set('codex_cli_simplified_flow', 'true');
+  
+  return {
+    url: url.toString(),
+    verifier: pkce.verifier,
+    state
+  };
+};
+
+/**
+ * Make HTTPS request
+ */
+const makeRequest = (urlStr, options) => {
+  return new Promise((resolve, reject) => {
+    const url = new URL(urlStr);
+    const req = https.request({
+      hostname: url.hostname,
+      port: url.port || 443,
+      path: url.pathname + url.search,
+      method: options.method || 'POST',
+      headers: options.headers || {}
+    }, (res) => {
+      let data = '';
+      res.on('data', chunk => data += chunk);
+      res.on('end', () => {
+        try {
+          const json = JSON.parse(data);
+          if (res.statusCode >= 200 && res.statusCode < 300) {
+            resolve(json);
+          } else {
+            reject(new Error(json.error_description || json.error || `HTTP ${res.statusCode}`));
+          }
+        } catch (e) {
+          reject(new Error(`Invalid JSON response: ${data.substring(0, 200)}`));
+        }
+      });
+    });
+    
+    req.on('error', reject);
+    
+    if (options.body) {
+      req.write(options.body);
+    }
+    req.end();
+  });
+};
+
+/**
+ * Exchange authorization code for tokens
+ * @param {string} code - Authorization code from callback
+ * @param {string} verifier - PKCE code verifier
+ * @returns {Promise<Object>} { type: 'success', access: string, refresh: string, expires: number }
+ */
+const exchange = async (code, verifier) => {
+  try {
+    const body = new URLSearchParams({
+      grant_type: 'authorization_code',
+      client_id: CLIENT_ID,
+      code: code,
+      redirect_uri: REDIRECT_URI,
+      code_verifier: verifier
+    }).toString();
+    
+    const response = await makeRequest(TOKEN_URL, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/x-www-form-urlencoded',
+        'Accept': 'application/json'
+      },
+      body
+    });
+    
+    return {
+      type: 'success',
+      access: response.access_token,
+      refresh: response.refresh_token,
+      idToken: response.id_token,
+      expires: Date.now() + (response.expires_in * 1000)
+    };
+  } catch (error) {
+    return {
+      type: 'failed',
+      error: error.message
+    };
+  }
+};
+
+/**
+ * Refresh access token using refresh token
+ * @param {string} refreshTokenValue - The refresh token
+ * @returns {Promise<Object>}
+ */
+const refreshToken = async (refreshTokenValue) => {
+  try {
+    const body = new URLSearchParams({
+      client_id: CLIENT_ID,
+      grant_type: 'refresh_token',
+      refresh_token: refreshTokenValue,
+      scope: 'openid profile email'
+    }).toString();
+    
+    const response = await makeRequest(TOKEN_URL, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/x-www-form-urlencoded',
+        'Accept': 'application/json'
+      },
+      body
+    });
+    
+    return {
+      type: 'success',
+      access: response.access_token,
+      refresh: response.refresh_token,
+      idToken: response.id_token,
+      expires: Date.now() + (response.expires_in * 1000)
+    };
+  } catch (error) {
+    return {
+      type: 'failed',
+      error: error.message
+    };
+  }
+};
+
+/**
+ * Get valid access token (refresh if expired)
+ * @param {Object} oauthData - OAuth data { access, refresh, expires }
+ * @returns {Promise<Object>}
+ */
+const getValidToken = async (oauthData) => {
+  if (!oauthData || !oauthData.refresh) {
+    return null;
+  }
+  
+  const expirationBuffer = 5 * 60 * 1000; // 5 minutes
+  if (oauthData.expires && oauthData.expires > Date.now() + expirationBuffer) {
+    return {
+      ...oauthData,
+      refreshed: false
+    };
+  }
+  
+  const result = await refreshToken(oauthData.refresh);
+  if (result.type === 'success') {
+    return {
+      access: result.access,
+      refresh: result.refresh,
+      expires: result.expires,
+      refreshed: true
+    };
+  }
+  
+  return null;
+};
+
+/**
+ * Check if credentials are OAuth tokens
+ */
+const isOAuthCredentials = (credentials) => {
+  return credentials && credentials.oauth && credentials.oauth.refresh;
+};
+
+module.exports = {
+  CLIENT_ID,
+  REDIRECT_URI,
+  CALLBACK_PORT: 1455,
+  generatePKCE,
+  authorize,
+  exchange,
+  refreshToken,
+  getValidToken,
+  isOAuthCredentials
+};