opencode-gemini-auth-proxy 1.3.10

package/src/plugin/cache.ts

@@ -0,0 +1,65 @@
+import { accessTokenExpired } from "./auth";
+import type { OAuthAuthDetails } from "./types";
+
+const authCache = new Map<string, OAuthAuthDetails>();
+
+/**
+ * Produces a stable cache key from a refresh token string.
+ */
+function normalizeRefreshKey(refresh?: string): string | undefined {
+  const key = refresh?.trim();
+  return key ? key : undefined;
+}
+
+/**
+ * Returns a cached auth snapshot when available, favoring unexpired tokens.
+ */
+export function resolveCachedAuth(auth: OAuthAuthDetails): OAuthAuthDetails {
+  const key = normalizeRefreshKey(auth.refresh);
+  if (!key) {
+    return auth;
+  }
+
+  const cached = authCache.get(key);
+  if (!cached) {
+    authCache.set(key, auth);
+    return auth;
+  }
+
+  if (!accessTokenExpired(auth)) {
+    authCache.set(key, auth);
+    return auth;
+  }
+
+  if (!accessTokenExpired(cached)) {
+    return cached;
+  }
+
+  authCache.set(key, auth);
+  return auth;
+}
+
+/**
+ * Stores the latest auth snapshot keyed by refresh token.
+ */
+export function storeCachedAuth(auth: OAuthAuthDetails): void {
+  const key = normalizeRefreshKey(auth.refresh);
+  if (!key) {
+    return;
+  }
+  authCache.set(key, auth);
+}
+
+/**
+ * Clears cached auth globally or for a specific refresh token.
+ */
+export function clearCachedAuth(refresh?: string): void {
+  if (!refresh) {
+    authCache.clear();
+    return;
+  }
+  const key = normalizeRefreshKey(refresh);
+  if (key) {
+    authCache.delete(key);
+  }
+}

package/src/plugin/debug.ts

@@ -0,0 +1,258 @@
+import { createWriteStream } from "node:fs";
+import { join } from "node:path";
+import { cwd, env } from "node:process";
+
+const DEBUG_FLAG = env.OPENCODE_GEMINI_DEBUG ?? "";
+const MAX_BODY_PREVIEW_CHARS = 2000;
+const debugEnabled = DEBUG_FLAG.trim() === "1";
+const logFilePath = debugEnabled ? defaultLogFilePath() : undefined;
+const logWriter = createLogWriter(logFilePath);
+
+export interface GeminiDebugContext {
+  id: string;
+  streaming: boolean;
+  startedAt: number;
+}
+
+interface GeminiDebugRequestMeta {
+  originalUrl: string;
+  resolvedUrl: string;
+  method?: string;
+  headers?: HeadersInit;
+  body?: BodyInit | null;
+  streaming: boolean;
+  projectId?: string;
+}
+
+interface GeminiDebugResponseMeta {
+  body?: string;
+  note?: string;
+  error?: unknown;
+  headersOverride?: HeadersInit;
+}
+
+let requestCounter = 0;
+
+/**
+ * Returns true when Gemini debug logging is enabled.
+ */
+export function isGeminiDebugEnabled(): boolean {
+  return debugEnabled;
+}
+
+/**
+ * Writes an arbitrary debug line when debugging is enabled.
+ */
+export function logGeminiDebugMessage(message: string): void {
+  if (!debugEnabled) {
+    return;
+  }
+  logDebug(`[Gemini Debug] ${message}`);
+}
+
+/**
+ * Produces a truncated preview of a debug body payload.
+ */
+export function formatDebugBodyPreview(text?: string | null): string | undefined {
+  if (!text) {
+    return undefined;
+  }
+  return truncateForLog(text);
+}
+
+/**
+ * Begins a debug trace for a Gemini request, logging request metadata when debugging is enabled.
+ */
+export function startGeminiDebugRequest(meta: GeminiDebugRequestMeta): GeminiDebugContext | null {
+  if (!debugEnabled) {
+    return null;
+  }
+
+  const id = `GEMINI-${++requestCounter}`;
+  const method = meta.method ?? "GET";
+  logDebug(`[Gemini Debug ${id}] ${method} ${meta.resolvedUrl}`);
+  if (meta.originalUrl && meta.originalUrl !== meta.resolvedUrl) {
+    logDebug(`[Gemini Debug ${id}] Original URL: ${meta.originalUrl}`);
+  }
+  if (meta.projectId) {
+    logDebug(`[Gemini Debug ${id}] Project: ${meta.projectId}`);
+  }
+  logDebug(`[Gemini Debug ${id}] Streaming: ${meta.streaming ? "yes" : "no"}`);
+  logDebug(`[Gemini Debug ${id}] Headers: ${JSON.stringify(maskHeaders(meta.headers))}`);
+  const bodyPreview = formatBodyPreview(meta.body);
+  if (bodyPreview) {
+    logDebug(`[Gemini Debug ${id}] Body Preview: ${bodyPreview}`);
+  }
+
+  return { id, streaming: meta.streaming, startedAt: Date.now() };
+}
+
+/**
+ * Logs response details for a previously started debug trace when debugging is enabled.
+ */
+export function logGeminiDebugResponse(
+  context: GeminiDebugContext | null | undefined,
+  response: Response,
+  meta: GeminiDebugResponseMeta = {},
+): void {
+  if (!debugEnabled || !context) {
+    return;
+  }
+
+  const durationMs = Date.now() - context.startedAt;
+  logDebug(
+    `[Gemini Debug ${context.id}] Response ${response.status} ${response.statusText} (${durationMs}ms)`,
+  );
+  logDebug(
+    `[Gemini Debug ${context.id}] Response Headers: ${JSON.stringify(
+      maskHeaders(meta.headersOverride ?? response.headers),
+    )}`,
+  );
+
+  const traceId = getHeaderValue(meta.headersOverride ?? response.headers, "x-cloudaicompanion-trace-id");
+  if (traceId) {
+    logDebug(`[Gemini Debug ${context.id}] Trace ID: ${traceId}`);
+  }
+
+  if (meta.note) {
+    logDebug(`[Gemini Debug ${context.id}] Note: ${meta.note}`);
+  }
+
+  if (meta.error) {
+    logDebug(`[Gemini Debug ${context.id}] Error: ${formatError(meta.error)}`);
+  }
+
+  if (meta.body) {
+    logDebug(
+      `[Gemini Debug ${context.id}] Response Body Preview: ${truncateForLog(meta.body)}`,
+    );
+  }
+}
+
+/**
+ * Obscures sensitive headers and returns a plain object for logging.
+ */
+function maskHeaders(headers?: HeadersInit | Headers): Record<string, string> {
+  if (!headers) {
+    return {};
+  }
+
+  const result: Record<string, string> = {};
+  const parsed = headers instanceof Headers ? headers : new Headers(headers);
+  parsed.forEach((value, key) => {
+    if (key.toLowerCase() === "authorization") {
+      result[key] = "[redacted]";
+    } else {
+      result[key] = value;
+    }
+  });
+  return result;
+}
+
+/**
+ * Reads a header value from a HeadersInit or Headers instance.
+ */
+function getHeaderValue(headers: HeadersInit | Headers, key: string): string | undefined {
+  const target = key.toLowerCase();
+  if (headers instanceof Headers) {
+    const value = headers.get(key);
+    return value ?? undefined;
+  }
+
+  if (Array.isArray(headers)) {
+    for (const [headerKey, headerValue] of headers) {
+      if (headerKey.toLowerCase() === target) {
+        return headerValue;
+      }
+    }
+    return undefined;
+  }
+
+  const record = headers as Record<string, string | undefined>;
+  for (const [headerKey, headerValue] of Object.entries(record)) {
+    if (headerKey.toLowerCase() === target) {
+      return headerValue ?? undefined;
+    }
+  }
+  return undefined;
+}
+
+/**
+ * Produces a short, type-aware preview of a request/response body for logs.
+ */
+function formatBodyPreview(body?: BodyInit | null): string | undefined {
+  if (body == null) {
+    return undefined;
+  }
+
+  if (typeof body === "string") {
+    return truncateForLog(body);
+  }
+
+  if (body instanceof URLSearchParams) {
+    return truncateForLog(body.toString());
+  }
+
+  if (typeof Blob !== "undefined" && body instanceof Blob) {
+    return `[Blob size=${body.size}]`;
+  }
+
+  if (typeof FormData !== "undefined" && body instanceof FormData) {
+    return "[FormData payload omitted]";
+  }
+
+  return `[${body.constructor?.name ?? typeof body} payload omitted]`;
+}
+
+/**
+ * Truncates long strings to a fixed preview length for logging.
+ */
+function truncateForLog(text: string): string {
+  if (text.length <= MAX_BODY_PREVIEW_CHARS) {
+    return text;
+  }
+  return `${text.slice(0, MAX_BODY_PREVIEW_CHARS)}... (truncated ${text.length - MAX_BODY_PREVIEW_CHARS} chars)`;
+}
+
+/**
+ * Writes a single debug line using the configured writer.
+ */
+function logDebug(line: string): void {
+  logWriter(line);
+}
+
+/**
+ * Converts unknown error-like values into printable strings.
+ */
+function formatError(error: unknown): string {
+  if (error instanceof Error) {
+    return error.stack ?? error.message;
+  }
+  try {
+    return JSON.stringify(error);
+  } catch {
+    return String(error);
+  }
+}
+
+/**
+ * Builds a timestamped log file path in the current working directory.
+ */
+function defaultLogFilePath(): string {
+  const timestamp = new Date().toISOString().replace(/[:.]/g, "-");
+  return join(cwd(), `gemini-debug-${timestamp}.log`);
+}
+
+/**
+ * Creates a line writer that appends to a file when provided.
+ */
+function createLogWriter(filePath?: string): (line: string) => void {
+  if (!filePath) {
+    return () => {};
+  }
+
+  const stream = createWriteStream(filePath, { flags: "a" });
+  return (line: string) => {
+    stream.write(`${line}\n`);
+  };
+}

package/src/plugin/project.test.ts

@@ -0,0 +1,112 @@
+import { beforeEach, describe, expect, it, mock } from "bun:test";
+
+import { resolveProjectContextFromAccessToken } from "./project";
+import type { OAuthAuthDetails } from "./types";
+
+const baseAuth: OAuthAuthDetails = {
+  type: "oauth",
+  refresh: "refresh-token",
+  access: "access-token",
+  expires: Date.now() + 60_000,
+};
+
+function toUrlString(input: RequestInfo): string {
+  if (typeof input === "string") {
+    return input;
+  }
+  if (input instanceof URL) {
+    return input.toString();
+  }
+  return (input as Request).url ?? input.toString();
+}
+
+describe("resolveProjectContextFromAccessToken", () => {
+  beforeEach(() => {
+    mock.restore();
+  });
+
+  it("stores managed project id from loadCodeAssist without onboarding", async () => {
+    const fetchMock = mock(async (input: RequestInfo) => {
+      const url = toUrlString(input);
+      if (url.includes(":loadCodeAssist")) {
+        return new Response(
+          JSON.stringify({
+            currentTier: { id: "free-tier" },
+            cloudaicompanionProject: "projects/server-project",
+          }),
+          { status: 200 },
+        );
+      }
+      throw new Error(`Unexpected fetch to ${url}`);
+    });
+    (globalThis as { fetch: typeof fetch }).fetch = fetchMock as unknown as typeof fetch;
+
+    const result = await resolveProjectContextFromAccessToken(
+      baseAuth,
+      baseAuth.access ?? "",
+    );
+
+    expect(result.effectiveProjectId).toBe("projects/server-project");
+    expect(result.auth.refresh).toContain("projects/server-project");
+    expect(fetchMock.mock.calls.length).toBe(1);
+  });
+
+  it("onboards free-tier users without sending a project id", async () => {
+    let onboardBody: Record<string, unknown> | undefined;
+    const fetchMock = mock(async (input: RequestInfo, init?: RequestInit) => {
+      const url = toUrlString(input);
+      if (url.includes(":loadCodeAssist")) {
+        return new Response(
+          JSON.stringify({
+            allowedTiers: [{ id: "free-tier", isDefault: true }],
+          }),
+          { status: 200 },
+        );
+      }
+      if (url.includes(":onboardUser")) {
+        const rawBody = typeof init?.body === "string" ? init.body : "{}";
+        onboardBody = JSON.parse(rawBody) as Record<string, unknown>;
+        return new Response(
+          JSON.stringify({
+            done: true,
+            response: { cloudaicompanionProject: { id: "managed-project" } },
+          }),
+          { status: 200 },
+        );
+      }
+      throw new Error(`Unexpected fetch to ${url}`);
+    });
+    (globalThis as { fetch: typeof fetch }).fetch = fetchMock as unknown as typeof fetch;
+
+    const result = await resolveProjectContextFromAccessToken(
+      baseAuth,
+      baseAuth.access ?? "",
+    );
+
+    expect(result.effectiveProjectId).toBe("managed-project");
+    expect(result.auth.refresh).toContain("managed-project");
+    expect(onboardBody?.cloudaicompanionProject).toBeUndefined();
+    const metadata = onboardBody?.metadata as Record<string, unknown> | undefined;
+    expect(metadata?.duetProject).toBeUndefined();
+  });
+
+  it("throws when a non-free tier requires a project id", async () => {
+    const fetchMock = mock(async (input: RequestInfo) => {
+      const url = toUrlString(input);
+      if (url.includes(":loadCodeAssist")) {
+        return new Response(
+          JSON.stringify({
+            allowedTiers: [{ id: "standard-tier", isDefault: true }],
+          }),
+          { status: 200 },
+        );
+      }
+      throw new Error(`Unexpected fetch to ${url}`);
+    });
+    (globalThis as { fetch: typeof fetch }).fetch = fetchMock as unknown as typeof fetch;
+
+    await expect(
+      resolveProjectContextFromAccessToken(baseAuth, baseAuth.access ?? ""),
+    ).rejects.toThrow("Google Gemini requires a Google Cloud project");
+  });
+});