opencode-auth-proxy 1.0.0

package/CHANGELOG.md

@@ -0,0 +1,23 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [1.0.0] - 2024-01-01
+
+### Added
+- Initial release of OpenCode Auth Proxy Plugin
+- Google OAuth 2.0 authentication with PKCE support
+- Session management with HMAC-signed cookies
+- Token persistence to local filesystem
+- WebSocket proxy support
+- Health check endpoints
+- Configurable via environment variables or config file
+
+### Security
+- PKCE (Proof Key for Code Exchange) implementation
+- HMAC-SHA256 session cookie signing
+- HttpOnly and SameSite cookie attributes
+- Automatic secure cookie detection for HTTPS

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 milc
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,265 @@
+# OpenCode Auth Proxy Plugin
+
+![License](https://img.shields.io/npm/l/opencode-auth-proxy)
+![Version](https://img.shields.io/npm/v/opencode-auth-proxy)
+
+**Google OAuth authentication proxy for OpenCode.** This plugin provides a secure OAuth 2.0 flow with PKCE (Proof Key for Code Exchange) for authenticating with Google services, managing sessions, and proxying requests to protected endpoints.
+
+## Features
+
+- 🔐 Secure OAuth 2.0 flow with PKCE
+- 🍪 Session management with HMAC-signed cookies
+- 🔄 Automatic token refresh and persistence
+- 🛡️ Request proxying with authentication checks
+- 🌐 WebSocket support for real-time connections
+- ⚙️ Configurable via environment variables or config file
+
+## Prerequisites
+
+- [Opencode CLI](https://opencode.ai) installed
+- A Google Cloud project with OAuth 2.0 credentials
+- Node.js 20 or higher
+
+## Installation
+
+Add the plugin to your OpenCode server configuration file (`opencode.server.json`):
+
+```json
+{
+  "$schema": "https://opencode.ai/config.json",
+  "plugin": ["opencode-auth-proxy"]
+}
+```
+
+## Configuration
+
+The plugin can be configured via environment variables or the OpenCode config file.
+
+### Environment Variables
+
+```bash
+PORT=4096                                    # Proxy server port (default: 4096)
+TARGET_HOST=127.0.0.1                        # Target server host (default: 127.0.0.1)
+TARGET_PORT=4097                             # Target server port (default: 4097)
+GOOGLE_REDIRECT_CLIENT_ID=your-client-id     # Google OAuth client ID (required)
+GOOGLE_REDIRECT_CLIENT_SECRET=your-secret    # Google OAuth client secret (required)
+GOOGLE_REDIRECT_URI=http://localhost:4096/auth/google/callback  # OAuth redirect URI
+SESSION_SECRET=your-secret-key               # Session signing secret (required)
+SESSION_COOKIE_NAME=opencode_session        # Session cookie name (default: opencode_session)
+COOKIE_SECURE=false                          # Use secure cookies (default: auto-detect)
+TOKEN_PATH=~/.opencode-proxy/google-auth.json  # Token storage path
+```
+
+### Config File
+
+Add configuration to your `opencode.json`:
+
+```json
+{
+  "$schema": "https://opencode.ai/config.json",
+  "authProxy": {
+    "port": 4096,
+    "targetHost": "127.0.0.1",
+    "targetPort": 4097,
+    "googleClientId": "your-client-id",
+    "googleClientSecret": "your-client-secret",
+    "googleRedirectUri": "http://localhost:4096/auth/google/callback",
+    "sessionSecret": "your-secret-key",
+    "sessionCookieName": "opencode_session",
+    "cookieSecure": false,
+    "tokenPath": "~/.opencode-proxy/google-auth.json"
+  }
+}
+```
+
+## Google Cloud Setup
+
+1. Go to the [Google Cloud Console](https://console.cloud.google.com/)
+2. Create or select a project
+3. Enable the **Google+ API** and **OAuth2 API**
+4. Go to **APIs & Services** > **Credentials**
+5. Create an **OAuth 2.0 Client ID**
+   - Application type: **Web application**
+   - Authorized redirect URIs: `http://localhost:4096/auth/google/callback` (or your configured redirect URI)
+6. Copy the **Client ID** and **Client Secret**
+
+## Usage
+
+### Starting Authentication
+
+Navigate to `/auth/google/start` in your browser or use:
+
+```bash
+curl http://localhost:4096/auth/google/start
+```
+
+You can optionally pass a `project` query parameter:
+
+```bash
+curl "http://localhost:4096/auth/google/start?project=my-project-id"
+```
+
+### OAuth Flow
+
+1. User visits `/auth/google/start`
+2. Plugin redirects to Google OAuth consent screen
+3. User authorizes the application
+4. Google redirects to `/auth/google/callback`
+5. Plugin exchanges authorization code for tokens
+6. Session cookie is set
+7. User is redirected to the application
+
+### Accessing Protected Endpoints
+
+Once authenticated, the plugin will:
+- Check for a valid session cookie on all non-public paths
+- Proxy authenticated requests to the target server
+- Reject unauthenticated requests with 401 or redirect to login
+
+### Public Endpoints
+
+The following paths are publicly accessible (no authentication required):
+
+- `/health` - Health check endpoint
+- `/global/health` - Global health check
+- `/auth/google/start` - Start OAuth flow
+- `/auth/google/config` - OAuth configuration info
+- `/auth/google/callback` - OAuth callback handler
+
+### Token Management
+
+Tokens are automatically persisted to the configured `tokenPath`. To retrieve the current token:
+
+```bash
+curl http://localhost:4096/auth/google/token
+```
+
+## API Endpoints
+
+### `GET /health` or `GET /global/health`
+
+Health check endpoint that also checks upstream server status.
+
+**Response:**
+```json
+{
+  "status": "ok",
+  "healthy": true,
+  "target": "http://127.0.0.1:4097",
+  "upstream": {
+    "ok": true,
+    "status": 200,
+    "body": { ... }
+  }
+}
+```
+
+### `GET /auth/google/config`
+
+Returns OAuth configuration (client ID is partially masked).
+
+**Response:**
+```json
+{
+  "redirect_uri": "http://localhost:4096/auth/google/callback",
+  "callback_path": "/auth/google/callback",
+  "client_id": "12345678901234567890...",
+  "client_secret_set": true,
+  "scopes": [
+    "https://www.googleapis.com/auth/cloud-platform",
+    "https://www.googleapis.com/auth/userinfo.email",
+    "https://www.googleapis.com/auth/userinfo.profile"
+  ]
+}
+```
+
+### `GET /auth/google/start?project=<project-id>`
+
+Initiates the OAuth flow. Redirects to Google's consent screen.
+
+### `GET /auth/google/callback`
+
+OAuth callback handler. Processes the authorization code and sets session cookie.
+
+### `GET /auth/google/token`
+
+Retrieves the stored OAuth token.
+
+**Response:**
+```json
+{
+  "token": {
+    "type": "success",
+    "refresh": "refresh-token",
+    "access": "access-token",
+    "expires": 1234567890,
+    "email": "user@example.com",
+    "projectId": "project-id",
+    "storedAt": "2024-01-01T00:00:00.000Z"
+  }
+}
+```
+
+## Security
+
+- **PKCE**: Uses Proof Key for Code Exchange to prevent authorization code interception
+- **HMAC Signing**: Session cookies are signed with HMAC-SHA256
+- **HttpOnly Cookies**: Session cookies are marked HttpOnly to prevent XSS attacks
+- **SameSite**: Cookies use SameSite=Lax to prevent CSRF attacks
+- **Secure Cookies**: Automatically enabled for HTTPS redirect URIs
+
+## Troubleshooting
+
+### Port Already in Use
+
+If the default port (4096) is in use, configure a different port:
+
+```json
+{
+  "authProxy": {
+    "port": 5000
+  }
+}
+```
+
+Or set the `PORT` environment variable.
+
+### Session Not Persisting
+
+Ensure `SESSION_SECRET` is set and consistent across restarts. The secret is used to sign and verify session cookies.
+
+### OAuth Errors
+
+Check the OpenCode logs for detailed OAuth error messages. Common issues:
+
+- **Invalid redirect URI**: Ensure the redirect URI in Google Cloud Console matches exactly
+- **Missing scopes**: The plugin requests cloud-platform, userinfo.email, and userinfo.profile scopes
+- **Client secret mismatch**: Verify the client secret is correct
+
+### Debugging
+
+Check OpenCode server logs for detailed plugin logs. The plugin logs all authentication attempts, proxy errors, and configuration issues.
+
+## Development
+
+To develop on this plugin locally:
+
+1. **Clone or navigate to the plugin directory**
+
+2. **Link**: Update your OpenCode server config to point to your local directory:
+
+   ```json
+   {
+     "plugin": ["file:///absolute/path/to/opencode-auth-proxy"]
+   }
+   ```
+
+3. **Install dependencies**:
+
+   ```bash
+   npm install
+   ```
+
+## License
+
+MIT

package/opencode-auth-proxy.ts

@@ -0,0 +1,588 @@
+import type { Plugin } from "@opencode-ai/plugin"
+import http, { IncomingMessage, ServerResponse } from "http"
+import httpProxy from "http-proxy"
+import fs from "fs"
+import path from "path"
+import crypto from "crypto"
+import os from "os"
+
+type AuthProxyConfig = {
+  port?: number
+  targetPort?: number
+  targetHost?: string
+  googleClientId?: string
+  googleClientSecret?: string
+  googleRedirectUri?: string
+  sessionSecret?: string
+  sessionCookieName?: string
+  cookieSecure?: boolean
+  tokenPath?: string
+}
+
+type TokenSuccess = {
+  type: "success"
+  refresh: string
+  access: string
+  expires: number
+  email?: string
+  projectId: string
+}
+
+type TokenPayload = TokenSuccess | { type: "failed"; error: string }
+
+const GOOGLE_SCOPES = [
+  "https://www.googleapis.com/auth/cloud-platform",
+  "https://www.googleapis.com/auth/userinfo.email",
+  "https://www.googleapis.com/auth/userinfo.profile",
+]
+
+function base64url(buf: Buffer): string {
+  return buf
+    .toString("base64")
+    .replace(/\+/g, "-")
+    .replace(/\//g, "_")
+    .replace(/=+$/, "")
+}
+
+function encodeState(payload: { verifier: string; projectId: string }): string {
+  return Buffer.from(JSON.stringify(payload), "utf8").toString("base64url")
+}
+
+function decodeState(state: string): { verifier: string; projectId: string } {
+  const normalized = state.replace(/-/g, "+").replace(/_/g, "/")
+  const padded = normalized.padEnd(normalized.length + ((4 - (normalized.length % 4)) % 4), "=")
+  const json = Buffer.from(padded, "base64").toString("utf8")
+  const parsed = JSON.parse(json)
+  return { verifier: parsed.verifier || "", projectId: parsed.projectId || "" }
+}
+
+function generatePkce() {
+  const verifier = base64url(crypto.randomBytes(32))
+  const challenge = base64url(crypto.createHash("sha256").update(verifier).digest())
+  return { verifier, challenge }
+}
+
+function parseCookies(req: IncomingMessage): Record<string, string> {
+  const header = req.headers.cookie
+  if (!header) return {}
+  return header.split(";").reduce<Record<string, string>>((acc, part) => {
+    const [key, ...valueParts] = part.trim().split("=")
+    if (!key) return acc
+    acc[key] = valueParts.join("=")
+    return acc
+  }, {})
+}
+
+function signSession(sessionSecret: string): string {
+  const sessionData = Buffer.from("authenticated", "utf8").toString("base64url")
+  const signature = crypto.createHmac("sha256", sessionSecret).update(sessionData).digest("hex")
+  return `${sessionData}.${signature}`
+}
+
+function verifySession(token: string, sessionSecret: string): boolean {
+  const [sessionPart, signature] = token.split(".")
+  if (!sessionPart || !signature) return false
+  const expected = crypto.createHmac("sha256", sessionSecret).update(sessionPart).digest("hex")
+  return crypto.timingSafeEqual(Buffer.from(signature, "utf8"), Buffer.from(expected, "utf8"))
+}
+
+function expandPath(filePath: string): string {
+  if (filePath.startsWith("~/")) {
+    return path.join(os.homedir(), filePath.slice(2))
+  }
+  return filePath
+}
+
+function loadToken(tokenPath: string): TokenSuccess | null {
+  try {
+    const expandedPath = expandPath(tokenPath)
+    const raw = fs.readFileSync(expandedPath, "utf8")
+    const parsed = JSON.parse(raw)
+    if (typeof parsed !== "object" || !parsed) return null
+    if ("access" in parsed && "refresh" in parsed) {
+      return parsed as TokenSuccess
+    }
+    return null
+  } catch {
+    return null
+  }
+}
+
+function persistToken(token: TokenSuccess, tokenPath: string) {
+  const expandedPath = expandPath(tokenPath)
+  const dir = path.dirname(expandedPath)
+  fs.mkdirSync(dir, { recursive: true })
+  fs.writeFileSync(expandedPath, JSON.stringify(token, null, 2))
+}
+
+async function fetchWithTimeout(url: string, options: RequestInit, timeoutMs = 10000): Promise<Response> {
+  const controller = new AbortController()
+  const timeout = setTimeout(() => controller.abort(), timeoutMs)
+  try {
+    return await fetch(url, { ...options, signal: controller.signal })
+  } finally {
+    clearTimeout(timeout)
+  }
+}
+
+async function authorizeGoogle(
+  clientId: string,
+  redirectUri: string,
+  projectId = "",
+): Promise<{ url: string; verifier: string; projectId: string }> {
+  const pkce = generatePkce()
+  const url = new URL("https://accounts.google.com/o/oauth2/v2/auth")
+  url.searchParams.set("client_id", clientId)
+  url.searchParams.set("response_type", "code")
+  url.searchParams.set("redirect_uri", redirectUri)
+  url.searchParams.set("scope", GOOGLE_SCOPES.join(" "))
+  url.searchParams.set("code_challenge", pkce.challenge)
+  url.searchParams.set("code_challenge_method", "S256")
+  url.searchParams.set("state", encodeState({ verifier: pkce.verifier, projectId: projectId || "" }))
+  url.searchParams.set("access_type", "offline")
+  url.searchParams.set("prompt", "consent")
+  return { url: url.toString(), verifier: pkce.verifier, projectId: projectId || "" }
+}
+
+async function exchangeGoogle(
+  code: string,
+  state: string,
+  clientId: string,
+  clientSecret: string,
+  redirectUri: string,
+  log: (data: any) => Promise<void>,
+): Promise<TokenPayload> {
+  try {
+    const { verifier } = decodeState(state || "")
+    const startTime = Date.now()
+    const requestBody = new URLSearchParams({
+      client_id: clientId,
+      client_secret: clientSecret,
+      code,
+      grant_type: "authorization_code",
+      redirect_uri: redirectUri,
+      code_verifier: verifier,
+    })
+    await log({
+      service: "opencode-auth-proxy",
+      level: "info",
+      message: "OAuth token exchange request",
+      extra: {
+        redirect_uri: redirectUri,
+        client_id: clientId,
+        client_secret_length: clientSecret?.length || 0,
+        code_length: code?.length || 0,
+        has_verifier: !!verifier,
+      },
+    })
+    const tokenResponse = await fetch("https://oauth2.googleapis.com/token", {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: requestBody,
+    })
+    if (!tokenResponse.ok) {
+      const errorText = await tokenResponse.text()
+      let parsedError: any = {}
+      try {
+        parsedError = JSON.parse(errorText)
+      } catch {
+        parsedError = { raw: errorText }
+      }
+      await log({
+        service: "opencode-auth-proxy",
+        level: "error",
+        message: "OAuth token exchange failed",
+        extra: {
+          status: tokenResponse.status,
+          statusText: tokenResponse.statusText,
+          error: parsedError,
+          redirect_uri: redirectUri,
+          redirect_uri_length: redirectUri.length,
+          client_id: clientId,
+          client_id_length: clientId.length,
+          client_secret_set: !!clientSecret,
+          client_secret_length: clientSecret?.length || 0,
+        },
+      })
+      const errorMessage = parsedError.error_description || parsedError.error || errorText
+      return { type: "failed", error: errorMessage }
+    }
+
+    const tokenPayload = (await tokenResponse.json()) as {
+      access_token: string
+      expires_in: number
+      refresh_token?: string
+    }
+    const userInfoResponse = await fetch("https://www.googleapis.com/oauth2/v1/userinfo?alt=json", {
+      headers: { Authorization: `Bearer ${tokenPayload.access_token}` },
+    })
+    const userInfo = userInfoResponse.ok ? ((await userInfoResponse.json()) as { email?: string }) : {}
+
+    const refreshToken = tokenPayload.refresh_token
+    if (!refreshToken) return { type: "failed", error: "Missing refresh token in response" }
+
+    return {
+      type: "success",
+      refresh: refreshToken,
+      access: tokenPayload.access_token,
+      expires: startTime + (tokenPayload.expires_in || 0) * 1000,
+      email: userInfo.email,
+      projectId: "",
+    }
+  } catch (error) {
+    return { type: "failed", error: error instanceof Error ? error.message : "Unknown error" }
+  }
+}
+
+function normalizeRedirectUri(uri: string | undefined, defaultPort: number): string {
+  const defaultUri = `http://localhost:${defaultPort}/auth/google/callback`
+  const rawUri = uri?.trim() || defaultUri
+  try {
+    const url = new URL(rawUri)
+    if (url.pathname.endsWith("/") && url.pathname !== "/") {
+      url.pathname = url.pathname.replace(/\/+$/, "")
+      return url.toString()
+    }
+    return rawUri
+  } catch (err) {
+    return rawUri
+  }
+}
+
+function getCallbackPath(redirectUri: string): string {
+  try {
+    const url = new URL(redirectUri)
+    return url.pathname || "/auth/google/callback"
+  } catch {
+    return "/auth/google/callback"
+  }
+}
+
+const opencodeAuthProxy: Plugin = async ({ client, directory }) => {
+  await client.app.log({
+    service: "opencode-auth-proxy",
+    level: "info",
+    message: "Plugin initializing",
+    extra: {
+      hasEnvPort: !!process.env.PORT,
+      hasEnvSessionSecret: !!process.env.SESSION_SECRET,
+      hasEnvGoogleId: !!process.env.GOOGLE_REDIRECT_CLIENT_ID,
+      directory,
+    },
+  })
+
+  const config = (client.app.config as { authProxy?: AuthProxyConfig })?.authProxy
+
+  const PORT = config?.port ?? Number(process.env.PORT ?? 4096)
+  const TARGET_HOST = config?.targetHost ?? (process.env.TARGET_HOST ?? "127.0.0.1")
+  const TARGET_PORT = config?.targetPort ?? Number(process.env.TARGET_PORT ?? 4097)
+  const GOOGLE_CLIENT_ID =
+    process.env.GOOGLE_REDIRECT_CLIENT_ID?.trim() ?? config?.googleClientId?.trim() ?? ""
+  const GOOGLE_CLIENT_SECRET =
+    process.env.GOOGLE_REDIRECT_CLIENT_SECRET?.trim() ?? config?.googleClientSecret?.trim() ?? ""
+  const GOOGLE_REDIRECT_URI = normalizeRedirectUri(
+    config?.googleRedirectUri ?? process.env.GOOGLE_REDIRECT_URI,
+    PORT,
+  )
+  const providedSessionSecret = process.env.SESSION_SECRET?.trim() ?? config?.sessionSecret?.trim()
+  const SESSION_SECRET = providedSessionSecret ?? crypto.randomBytes(32).toString("hex")
+  if (!providedSessionSecret) {
+    await client.app.log({
+      service: "opencode-auth-proxy",
+      level: "warn",
+      message: "SESSION_SECRET not provided, auto-generating. Sessions will not persist across restarts.",
+    })
+  }
+  const SESSION_COOKIE_NAME = config?.sessionCookieName ?? process.env.SESSION_COOKIE_NAME ?? "opencode_session"
+  const TOKEN_PATH =
+    config?.tokenPath || process.env.TOKEN_PATH || path.join(os.homedir(), ".opencode-proxy", "google-auth.json")
+
+  const COOKIE_SECURE = (() => {
+    if (config?.cookieSecure !== undefined) return config.cookieSecure
+    if (process.env.COOKIE_SECURE !== undefined) return process.env.COOKIE_SECURE !== "false"
+    try {
+      const redirectUrl = new URL(GOOGLE_REDIRECT_URI)
+      return redirectUrl.protocol === "https:"
+    } catch {
+      return false
+    }
+  })()
+
+
+  if (!GOOGLE_CLIENT_ID || !GOOGLE_CLIENT_SECRET) {
+    await client.app.log({
+      service: "opencode-auth-proxy",
+      level: "error",
+      message: "Google OAuth credentials are required (GOOGLE_REDIRECT_CLIENT_ID and GOOGLE_REDIRECT_CLIENT_SECRET)",
+      extra: {
+        hasClientId: !!GOOGLE_CLIENT_ID,
+        hasClientSecret: !!GOOGLE_CLIENT_SECRET,
+        hasEnvClientId: !!process.env.GOOGLE_REDIRECT_CLIENT_ID,
+        hasEnvClientSecret: !!process.env.GOOGLE_REDIRECT_CLIENT_SECRET,
+      },
+    })
+    return {}
+  }
+
+  const target = `http://${TARGET_HOST}:${TARGET_PORT}`
+  const CALLBACK_PATH = getCallbackPath(GOOGLE_REDIRECT_URI)
+  const PUBLIC_PATHS = new Set([
+    "/health",
+    "/global/health",
+    "/auth/google/start",
+    "/auth/google/config",
+    CALLBACK_PATH,
+    "/auth/google/callback",
+  ])
+
+  function isPublicPath(pathname: string): boolean {
+    return PUBLIC_PATHS.has(pathname)
+  }
+
+  const proxy = httpProxy.createProxyServer({
+    target,
+    changeOrigin: true,
+    ws: true,
+  })
+
+  proxy.on("error", async (err: any, req: IncomingMessage, res: any) => {
+    const url = req.url || "/"
+    const method = req.method || "UNKNOWN"
+    await client.app.log({
+      service: "opencode-auth-proxy",
+      level: "error",
+      message: "Proxy error",
+      extra: {
+        message: err?.message,
+        code: err?.code,
+        errno: err?.errno,
+        syscall: err?.syscall,
+        target,
+        url,
+        method,
+        stack: err?.stack,
+      },
+    })
+    const response = res as ServerResponse | undefined
+    if (response && !response.headersSent) {
+      response.writeHead(502, { "Content-Type": "application/json" })
+      response.end(
+        JSON.stringify({
+          error: "Proxy error",
+          message: err?.message,
+          code: err?.code,
+          target,
+        }),
+      )
+    }
+  })
+
+  const server = http.createServer(async (req: IncomingMessage, res: ServerResponse) => {
+    const url = new URL(req.url || "/", `http://${req.headers.host || "localhost"}`)
+    const pathname = url.pathname || "/"
+    const accept = String(req.headers.accept || "")
+    const isSSE = accept.includes("text/event-stream") || pathname === "/event" || pathname === "/global/event"
+
+    const rejectRequest = async () => {
+      if (isSSE) {
+        await client.app.log({
+          service: "opencode-auth-proxy",
+          level: "warn",
+          message: "Unauthorized request",
+          extra: { method: req.method, path: pathname, kind: "sse" },
+        })
+        res.writeHead(401, { "Content-Type": "application/json" })
+        res.write(JSON.stringify({ error: "unauthorized" }))
+      } else if (req.method && req.method.toUpperCase() === "GET") {
+        await client.app.log({
+          service: "opencode-auth-proxy",
+          level: "warn",
+          message: "Unauthorized request",
+          extra: { method: req.method, path: pathname, kind: "redirect" },
+        })
+        res.writeHead(302, { Location: "/auth/google/start" })
+      } else {
+        await client.app.log({
+          service: "opencode-auth-proxy",
+          level: "warn",
+          message: "Unauthorized request",
+          extra: { method: req.method, path: pathname, kind: "api" },
+        })
+        res.writeHead(401, { "Content-Type": "application/json" })
+        res.write(JSON.stringify({ error: "unauthorized" }))
+      }
+      res.end()
+    }
+
+    if (!isPublicPath(pathname)) {
+      const cookies = parseCookies(req)
+      const isAuthenticated = cookies[SESSION_COOKIE_NAME]
+        ? verifySession(cookies[SESSION_COOKIE_NAME], SESSION_SECRET)
+        : false
+      if (!isAuthenticated) {
+        await rejectRequest()
+        return
+      }
+    }
+
+    if (pathname === "/health" || pathname === "/global/health") {
+      const upstream = await (async () => {
+        try {
+          const response = await fetchWithTimeout(`${target}/global/health`, { method: "GET" }, 2000)
+          const body = await response
+            .json()
+            .catch(async () => ({ text: await response.text().catch(() => "") }))
+          return { ok: response.ok, status: response.status, body }
+        } catch (e) {
+          return { ok: false, error: e instanceof Error ? e.message : String(e) }
+        }
+      })()
+      res.writeHead(200, { "Content-Type": "application/json" })
+      res.end(JSON.stringify({ status: "ok", healthy: true, target, upstream }))
+      return
+    }
+
+    if (pathname === "/auth/google/config") {
+      res.writeHead(200, { "Content-Type": "application/json" })
+      res.end(
+        JSON.stringify({
+          redirect_uri: GOOGLE_REDIRECT_URI,
+          callback_path: CALLBACK_PATH,
+          client_id: GOOGLE_CLIENT_ID.substring(0, 20) + "...",
+          client_secret_set: !!GOOGLE_CLIENT_SECRET,
+          scopes: GOOGLE_SCOPES,
+        }),
+      )
+      return
+    }
+
+    if (pathname === "/auth/google/start") {
+      try {
+        const projectId = url.searchParams.get("project") || ""
+        const result = await authorizeGoogle(GOOGLE_CLIENT_ID, GOOGLE_REDIRECT_URI, projectId)
+        res.writeHead(302, { Location: result.url })
+        res.end()
+      } catch (err) {
+        await client.app.log({
+          service: "opencode-auth-proxy",
+          level: "error",
+          message: "Auth start error",
+          extra: { error: err instanceof Error ? err.message : String(err) },
+        })
+        res.writeHead(500, { "Content-Type": "application/json" })
+        res.end(JSON.stringify({ error: (err as Error)?.message || "auth start failed" }))
+      }
+      return
+    }
+
+    if (pathname === CALLBACK_PATH || pathname === "/auth/google/callback") {
+      const code = url.searchParams.get("code")
+      const state = url.searchParams.get("state") || ""
+      if (!code) {
+        res.writeHead(400, { "Content-Type": "application/json" })
+        res.end(JSON.stringify({ error: "missing code" }))
+        return
+      }
+      try {
+        const result = await exchangeGoogle(
+          code,
+          state,
+          GOOGLE_CLIENT_ID,
+          GOOGLE_CLIENT_SECRET,
+          GOOGLE_REDIRECT_URI,
+          client.app.log.bind(client.app),
+        )
+        if (result.type !== "success") {
+          res.writeHead(500, { "Content-Type": "application/json" })
+          res.end(JSON.stringify(result))
+          return
+        }
+        const payload = { ...result, storedAt: new Date().toISOString() }
+        persistToken(payload, TOKEN_PATH)
+
+        const cookie = `${SESSION_COOKIE_NAME}=${signSession(SESSION_SECRET)}; Path=/; HttpOnly; SameSite=Lax${COOKIE_SECURE ? "; Secure" : ""}`
+        const redirectTo = url.searchParams.get("redirect")
+        const targetPath = redirectTo && redirectTo.startsWith("/") ? redirectTo : "/"
+
+        res.writeHead(302, { Location: targetPath, "Set-Cookie": cookie })
+        res.end()
+      } catch (err) {
+        await client.app.log({
+          service: "opencode-auth-proxy",
+          level: "error",
+          message: "Auth callback error",
+          extra: { error: err instanceof Error ? err.message : String(err) },
+        })
+        res.writeHead(500, { "Content-Type": "application/json" })
+        res.end(JSON.stringify({ error: (err as Error)?.message || "auth callback failed" }))
+      }
+      return
+    }
+
+    if (url.pathname === "/auth/google/token") {
+      const token = loadToken(TOKEN_PATH)
+      if (!token) {
+        res.writeHead(404, { "Content-Type": "application/json" })
+        res.end(JSON.stringify({ error: "token not found" }))
+        return
+      }
+      res.writeHead(200, { "Content-Type": "application/json" })
+      res.end(JSON.stringify({ token }))
+      return
+    }
+
+    proxy.web(req, res, { target })
+  })
+
+  server.on("upgrade", async (req, socket, head) => {
+    const url = new URL(req.url || "/", `http://${req.headers.host || "localhost"}`)
+    if (!isPublicPath(url.pathname || "/")) {
+      const cookies = parseCookies(req)
+      const isAuthenticated = cookies[SESSION_COOKIE_NAME]
+        ? verifySession(cookies[SESSION_COOKIE_NAME], SESSION_SECRET)
+        : false
+      if (!isAuthenticated) {
+        await client.app.log({
+          service: "opencode-auth-proxy",
+          level: "warn",
+          message: "Unauthorized WebSocket upgrade",
+          extra: { method: "UPGRADE", path: url.pathname || "/" },
+        })
+        socket.destroy()
+        return
+      }
+    }
+    proxy.ws(req, socket, head)
+  })
+
+  try {
+    server.listen(PORT, async () => {
+      await client.app.log({
+        service: "opencode-auth-proxy",
+        level: "info",
+        message: `Proxy server started`,
+        extra: {
+          port: PORT,
+          target,
+        },
+      })
+    })
+  } catch (error) {
+    await client.app.log({
+      service: "opencode-auth-proxy",
+      level: "error",
+      message: "Failed to start proxy server",
+      extra: {
+        error: error instanceof Error ? error.message : String(error),
+        port: PORT,
+      },
+    })
+  }
+
+  return {
+    event: async () => {},
+  }
+}
+
+export { opencodeAuthProxy }
+export default opencodeAuthProxy

package/package.json

@@ -0,0 +1,45 @@
+{
+  "name": "opencode-auth-proxy",
+  "version": "1.0.0",
+  "description": "Google OAuth authentication proxy plugin for OpenCode - provides secure OAuth flow with session management",
+  "type": "module",
+  "module": "opencode-auth-proxy.ts",
+  "main": "opencode-auth-proxy.ts",
+  "exports": {
+    ".": "./opencode-auth-proxy.ts"
+  },
+  "files": [
+    "opencode-auth-proxy.ts",
+    "README.md",
+    "LICENSE",
+    "CHANGELOG.md"
+  ],
+  "keywords": [
+    "opencode",
+    "google",
+    "oauth",
+    "plugin",
+    "auth",
+    "proxy",
+    "authentication"
+  ],
+  "author": "milc",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/opencode-ai/opencode-auth-proxy.git"
+  },
+  "engines": {
+    "node": ">=20.0.0"
+  },
+  "peerDependencies": {
+    "typescript": "^5"
+  },
+  "dependencies": {
+    "@opencode-ai/plugin": "1.0.220",
+    "http-proxy": "^1.18.1"
+  },
+  "devDependencies": {
+    "@types/node": "^20.0.0"
+  }
+}