opencode-gemini-auth-proxy 1.3.10

package/src/plugin/server.ts

@@ -0,0 +1,246 @@
+import { createServer } from "node:http";
+
+import { GEMINI_REDIRECT_URI } from "../constants";
+
+interface OAuthListenerOptions {
+  /**
+   * How long to wait for the OAuth redirect before timing out (in milliseconds).
+   */
+  timeoutMs?: number;
+}
+
+export interface OAuthListener {
+  /**
+   * Resolves with the callback URL once Google redirects back to the local server.
+   */
+  waitForCallback(): Promise<URL>;
+  /**
+   * Cleanly stop listening for callbacks.
+   */
+  close(): Promise<void>;
+}
+
+const redirectUri = new URL(GEMINI_REDIRECT_URI);
+const callbackPath = redirectUri.pathname || "/";
+
+/**
+ * Starts a lightweight HTTP server that listens for the Gemini OAuth redirect
+ * and resolves with the captured callback URL.
+ */
+export async function startOAuthListener(
+  { timeoutMs = 5 * 60 * 1000 }: OAuthListenerOptions = {},
+): Promise<OAuthListener> {
+  const port = redirectUri.port
+    ? Number.parseInt(redirectUri.port, 10)
+    : redirectUri.protocol === "https:"
+    ? 443
+    : 80;
+  const origin = `${redirectUri.protocol}//${redirectUri.host}`;
+
+  let settled = false;
+  let resolveCallback: (url: URL) => void;
+  let rejectCallback: (error: Error) => void;
+  const callbackPromise = new Promise<URL>((resolve, reject) => {
+    resolveCallback = (url: URL) => {
+      if (settled) return;
+      settled = true;
+      if (timeoutHandle) clearTimeout(timeoutHandle);
+      resolve(url);
+    };
+    rejectCallback = (error: Error) => {
+      if (settled) return;
+      settled = true;
+      if (timeoutHandle) clearTimeout(timeoutHandle);
+      reject(error);
+    };
+  });
+
+const successResponse = `<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <title>Opencode Gemini OAuth</title>
+    <style>
+      :root { color-scheme: light dark; }
+      body {
+        margin: 0;
+        min-height: 100vh;
+        display: flex;
+        align-items: center;
+        justify-content: center;
+        font-family: "Roboto", "Google Sans", arial, sans-serif;
+        background: #f1f3f4;
+        color: #202124;
+      }
+      main {
+        width: min(448px, calc(100% - 3rem));
+        background: #ffffff;
+        border-radius: 28px;
+        padding: 2.5rem 2.75rem;
+        box-shadow: 0 1px 2px rgba(60, 64, 67, 0.3), 0 2px 6px rgba(60, 64, 67, 0.15);
+      }
+      header {
+        display: flex;
+        align-items: center;
+        gap: 0.75rem;
+        margin-bottom: 1.5rem;
+      }
+      .logo {
+        width: 40px;
+        height: 40px;
+        display: inline-flex;
+      }
+      .logo svg {
+        width: 100%;
+        height: 100%;
+      }
+      .brand {
+        font-size: 1.1rem;
+        font-weight: 500;
+        letter-spacing: 0.01em;
+      }
+      h1 {
+        margin: 0 0 0.75rem;
+        font-size: 1.75rem;
+        font-weight: 500;
+        letter-spacing: -0.01em;
+      }
+      p {
+        margin: 0 0 1.75rem;
+        font-size: 1.05rem;
+        line-height: 1.6;
+        color: #3c4043;
+      }
+      .note {
+        margin: 1.5rem 0 0;
+        font-size: 0.92rem;
+        color: #5f6368;
+      }
+      .action {
+        display: inline-flex;
+        align-items: center;
+        justify-content: center;
+        padding: 0.65rem 1.85rem;
+        border-radius: 999px;
+        background: #1a73e8;
+        color: #ffffff;
+        font-weight: 500;
+        font-size: 0.95rem;
+        letter-spacing: 0.02em;
+        text-decoration: none;
+        transition: box-shadow 0.2s ease, transform 0.2s ease;
+      }
+      .action:hover {
+        transform: translateY(-1px);
+        box-shadow: 0 1px 2px rgba(0, 0, 0, 0.3), 0 1px 3px rgba(60, 64, 67, 0.15);
+      }
+      .action:focus-visible {
+        outline: none;
+        box-shadow: 0 0 0 3px rgba(26, 115, 232, 0.3);
+      }
+      @media (prefers-color-scheme: dark) {
+        body {
+          background: #131314;
+          color: #e8eaed;
+        }
+        main {
+          background: #202124;
+          box-shadow: 0 1px 2px rgba(0, 0, 0, 0.5), 0 2px 6px rgba(0, 0, 0, 0.4);
+        }
+        p {
+          color: #e8eaed;
+        }
+        .note {
+          color: #bdc1c6;
+        }
+        .action {
+          background: #8ab4f8;
+          color: #202124;
+        }
+      }
+    </style>
+  </head>
+  <body>
+    <main>
+      <header>
+        <span class="logo" aria-hidden="true">
+          <svg viewBox="0 0 46 46" xmlns="http://www.w3.org/2000/svg" role="img">
+            <title>Gemini linked to Opencode</title>
+            <path fill="#4285F4" d="M43.6 23.5c0-1.5-.1-3-.4-4.4H23v8.3h11.6c-.5 2.8-2 5.1-4.2 6.7v5.5h6.8c4-3.7 6.4-9.1 6.4-16.1z"/>
+            <path fill="#34A853" d="M23 45c5.8 0 10.6-1.9 14.1-5.2l-6.8-5.5c-1.9 1.3-4.3 2-7.3 2-5.6 0-10.4-3.7-12.1-8.7H3.8v5.6C7.3 39.9 14.6 45 23 45z"/>
+            <path fill="#FBBC04" d="M10.9 28.6c-.5-1.3-.8-2.7-.8-4.1 0-1.5.3-2.8.8-4.1v-5.6H3.8C2.3 17.7 1.5 20.2 1.5 24s.8 6.3 2.3 9.2l6.9-5.6z"/>
+            <path fill="#EA4335" d="M23 9.5c3.2 0 6 .9 8.3 2.7l6.2-6.2C33.6 2.2 28.8 0 23 0 14.6 0 7.3 5.1 3.8 12.4l7.1 5.6c1.7-5 6.5-8.5 12.1-8.5z"/>
+          </svg>
+        </span>
+        <span class="brand">Gemini linked to Opencode</span>
+      </header>
+      <h1>You're connected to Opencode</h1>
+      <p>Your Google account is now linked to Opencode. You can close this window and continue in the CLI.</p>
+      <a class="action" href="javascript:window.close()">Close window</a>
+      <p class="note">Need to reconnect later? Re-run the authentication command in Opencode.</p>
+    </main>
+  </body>
+</html>`;
+
+  const timeoutHandle = setTimeout(() => {
+    rejectCallback(new Error("Timed out waiting for OAuth callback"));
+  }, timeoutMs);
+  timeoutHandle.unref?.();
+
+  const server = createServer((request, response) => {
+    if (!request.url) {
+      response.writeHead(400, { "Content-Type": "text/plain" });
+      response.end("Invalid request");
+      return;
+    }
+
+    const url = new URL(request.url, origin);
+    if (url.pathname !== callbackPath) {
+      response.writeHead(404, { "Content-Type": "text/plain" });
+      response.end("Not found");
+      return;
+    }
+
+    response.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+    response.end(successResponse);
+
+    resolveCallback(url);
+
+    setImmediate(() => {
+      server.close();
+    });
+  });
+
+  await new Promise<void>((resolve, reject) => {
+    const handleError = (error: Error) => {
+      server.off("error", handleError);
+      reject(error);
+    };
+    server.once("error", handleError);
+    server.listen(port, "127.0.0.1", () => {
+      server.off("error", handleError);
+      resolve();
+    });
+  });
+
+  server.on("error", (error) => {
+    rejectCallback(error instanceof Error ? error : new Error(String(error)));
+  });
+
+  return {
+    waitForCallback: () => callbackPromise,
+    close: () =>
+      new Promise<void>((resolve, reject) => {
+        server.close((error) => {
+          if (error && (error as NodeJS.ErrnoException).code !== "ERR_SERVER_NOT_RUNNING") {
+            reject(error);
+            return;
+          }
+          if (!settled) {
+            rejectCallback(new Error("OAuth listener closed before callback"));
+          }
+          resolve();
+        });
+      }),
+  };
+}

package/src/plugin/token.test.ts

@@ -0,0 +1,74 @@
+import { beforeEach, describe, expect, it, mock } from "bun:test";
+
+import { GEMINI_PROVIDER_ID } from "../constants";
+import { refreshAccessToken } from "./token";
+import type { OAuthAuthDetails, PluginClient } from "./types";
+
+const baseAuth: OAuthAuthDetails = {
+  type: "oauth",
+  refresh: "refresh-token|project-123",
+  access: "old-access",
+  expires: Date.now() - 1000,
+};
+
+function createClient() {
+  return {
+    auth: {
+      set: mock(async () => {}),
+    },
+  } as PluginClient & {
+    auth: { set: ReturnType<typeof mock<(input: any) => Promise<void>>> };
+  };
+}
+
+describe("refreshAccessToken", () => {
+  beforeEach(() => {
+    mock.restore();
+  });
+
+  it("updates the caller but skips persisting when refresh token is unchanged", async () => {
+    const client = createClient();
+    const fetchMock = mock(async () => {
+      return new Response(
+        JSON.stringify({
+          access_token: "new-access",
+          expires_in: 3600,
+        }),
+        { status: 200 },
+      );
+    });
+    (globalThis as { fetch: typeof fetch }).fetch = fetchMock as unknown as typeof fetch;
+
+    const result = await refreshAccessToken(baseAuth, client);
+
+    expect(result?.access).toBe("new-access");
+    expect(client.auth.set.mock.calls.length).toBe(0);
+  });
+
+  it("persists when Google rotates the refresh token", async () => {
+    const client = createClient();
+    const fetchMock = mock(async () => {
+      return new Response(
+        JSON.stringify({
+          access_token: "next-access",
+          expires_in: 3600,
+          refresh_token: "rotated-token",
+        }),
+        { status: 200 },
+      );
+    });
+    (globalThis as { fetch: typeof fetch }).fetch = fetchMock as unknown as typeof fetch;
+
+    const result = await refreshAccessToken(baseAuth, client);
+
+    expect(result?.access).toBe("next-access");
+    expect(client.auth.set.mock.calls.length).toBe(1);
+    expect(client.auth.set.mock.calls[0]?.[0]).toEqual({
+      path: { id: GEMINI_PROVIDER_ID },
+      body: expect.objectContaining({
+        type: "oauth",
+        refresh: expect.stringContaining("rotated-token"),
+      }),
+    });
+  });
+});

package/src/plugin/token.ts

@@ -0,0 +1,188 @@
+import {
+  GEMINI_CLIENT_ID,
+  GEMINI_CLIENT_SECRET,
+  GEMINI_PROVIDER_ID,
+} from "../constants";
+import { formatRefreshParts, parseRefreshParts } from "./auth";
+import { clearCachedAuth, storeCachedAuth } from "./cache";
+import {
+  formatDebugBodyPreview,
+  isGeminiDebugEnabled,
+  logGeminiDebugMessage,
+} from "./debug";
+import { invalidateProjectContextCache } from "./project";
+import type { OAuthAuthDetails, PluginClient, RefreshParts } from "./types";
+import proxyFetch from '../fetch';
+
+interface OAuthErrorPayload {
+  error?:
+    | string
+    | {
+        code?: string;
+        status?: string;
+        message?: string;
+      };
+  error_description?: string;
+}
+
+/**
+ * Parses OAuth error payloads returned by Google token endpoints, tolerating varied shapes.
+ */
+function parseOAuthErrorPayload(text: string | undefined): { code?: string; description?: string } {
+  if (!text) {
+    return {};
+  }
+
+  try {
+    const payload = JSON.parse(text) as OAuthErrorPayload;
+    if (!payload || typeof payload !== "object") {
+      return { description: text };
+    }
+
+    let code: string | undefined;
+    if (typeof payload.error === "string") {
+      code = payload.error;
+    } else if (payload.error && typeof payload.error === "object") {
+      code = payload.error.status ?? payload.error.code;
+      if (!payload.error_description && payload.error.message) {
+        return { code, description: payload.error.message };
+      }
+    }
+
+    const description = payload.error_description;
+    if (description) {
+      return { code, description };
+    }
+
+    if (payload.error && typeof payload.error === "object" && payload.error.message) {
+      return { code, description: payload.error.message };
+    }
+
+    return { code };
+  } catch {
+    return { description: text };
+  }
+}
+
+/**
+ * Refreshes a Gemini OAuth access token, updates persisted credentials, and handles revocation.
+ */
+export async function refreshAccessToken(
+  auth: OAuthAuthDetails,
+  client: PluginClient,
+): Promise<OAuthAuthDetails | undefined> {
+  const parts = parseRefreshParts(auth.refresh);
+  if (!parts.refreshToken) {
+    return undefined;
+  }
+
+  try {
+    if (isGeminiDebugEnabled()) {
+      logGeminiDebugMessage("OAuth refresh: POST https://oauth2.googleapis.com/token");
+    }
+    const response = await proxyFetch("https://oauth2.googleapis.com/token", {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+      },
+      body: new URLSearchParams({
+        grant_type: "refresh_token",
+        refresh_token: parts.refreshToken,
+        client_id: GEMINI_CLIENT_ID,
+        client_secret: GEMINI_CLIENT_SECRET,
+      }),
+    });
+
+    if (!response.ok) {
+      let errorText: string | undefined;
+      try {
+        errorText = await response.text();
+      } catch {
+        errorText = undefined;
+      }
+      if (isGeminiDebugEnabled()) {
+        logGeminiDebugMessage(
+          `OAuth refresh response: ${response.status} ${response.statusText}`,
+        );
+        const preview = formatDebugBodyPreview(errorText);
+        if (preview) {
+          logGeminiDebugMessage(`OAuth refresh error body: ${preview}`);
+        }
+      }
+
+      const { code, description } = parseOAuthErrorPayload(errorText);
+      const details = [code, description ?? errorText].filter(Boolean).join(": ");
+      const baseMessage = `Gemini token refresh failed (${response.status} ${response.statusText})`;
+      console.warn(`[Gemini OAuth] ${details ? `${baseMessage} - ${details}` : baseMessage}`);
+
+      if (code === "invalid_grant") {
+        console.warn(
+          "[Gemini OAuth] Google revoked the stored refresh token. Run `opencode auth login` and reauthenticate the Google provider.",
+        );
+        invalidateProjectContextCache(auth.refresh);
+        try {
+          const clearedAuth: OAuthAuthDetails = {
+            type: "oauth",
+            refresh: formatRefreshParts({
+              refreshToken: "",
+              projectId: parts.projectId,
+              managedProjectId: parts.managedProjectId,
+            }),
+          };
+          await client.auth.set({
+            path: { id: GEMINI_PROVIDER_ID },
+            body: clearedAuth,
+          });
+        } catch (storeError) {
+          console.error("Failed to clear stored Gemini OAuth credentials:", storeError);
+        }
+      }
+
+      return undefined;
+    }
+
+    const payload = (await response.json()) as {
+      access_token: string;
+      expires_in: number;
+      refresh_token?: string;
+    };
+    if (isGeminiDebugEnabled()) {
+      const rotated = payload.refresh_token && payload.refresh_token !== parts.refreshToken;
+      logGeminiDebugMessage(
+        `OAuth refresh success: expires_in=${payload.expires_in}s refresh_rotated=${rotated ? "yes" : "no"}`,
+      );
+    }
+
+    const refreshedParts: RefreshParts = {
+      refreshToken: payload.refresh_token ?? parts.refreshToken,
+      projectId: parts.projectId,
+      managedProjectId: parts.managedProjectId,
+    };
+
+    const updatedAuth: OAuthAuthDetails = {
+      ...auth,
+      access: payload.access_token,
+      expires: Date.now() + payload.expires_in * 1000,
+      refresh: formatRefreshParts(refreshedParts),
+    };
+
+    storeCachedAuth(updatedAuth);
+    invalidateProjectContextCache(auth.refresh);
+
+    if (refreshedParts.refreshToken !== parts.refreshToken) {
+      try {
+        await client.auth.set({
+          path: { id: GEMINI_PROVIDER_ID },
+          body: updatedAuth,
+        });
+      } catch (storeError) {
+        console.error("Failed to persist refreshed Gemini OAuth credentials:", storeError);
+      }
+    }
+
+    return updatedAuth;
+  } catch (error) {
+    console.error("Failed to refresh Gemini access token due to an unexpected error:", error);
+    return undefined;
+  }
+}

package/src/plugin/types.ts

@@ -0,0 +1,76 @@
+import type { GeminiTokenExchangeResult } from "../gemini/oauth";
+
+export interface OAuthAuthDetails {
+  type: "oauth";
+  refresh: string;
+  access?: string;
+  expires?: number;
+}
+
+export interface NonOAuthAuthDetails {
+  type: string;
+  [key: string]: unknown;
+}
+
+export type AuthDetails = OAuthAuthDetails | NonOAuthAuthDetails;
+
+export type GetAuth = () => Promise<AuthDetails>;
+
+export interface ProviderModel {
+  cost?: {
+    input: number;
+    output: number;
+  };
+  [key: string]: unknown;
+}
+
+export interface Provider {
+  models?: Record<string, ProviderModel>;
+  options?: Record<string, unknown>;
+}
+
+export interface LoaderResult {
+  apiKey: string;
+  fetch(input: RequestInfo, init?: RequestInit): Promise<Response>;
+}
+
+export interface AuthMethod {
+  provider?: string;
+  label: string;
+  type: "oauth" | "api";
+  authorize?: () => Promise<{
+    url: string;
+    instructions: string;
+    method: string;
+    callback: (() => Promise<GeminiTokenExchangeResult>) | ((callbackUrl: string) => Promise<GeminiTokenExchangeResult>);
+  }>;
+}
+
+export interface PluginClient {
+  auth: {
+    set(input: { path: { id: string }; body: OAuthAuthDetails }): Promise<void>;
+  };
+}
+
+export interface PluginContext {
+  client: PluginClient;
+}
+
+export interface PluginResult {
+  auth: {
+    provider: string;
+    loader: (getAuth: GetAuth, provider: Provider) => Promise<LoaderResult | null>;
+    methods: AuthMethod[];
+  };
+}
+
+export interface RefreshParts {
+  refreshToken: string;
+  projectId?: string;
+  managedProjectId?: string;
+}
+
+export interface ProjectContextResult {
+  auth: OAuthAuthDetails;
+  effectiveProjectId: string;
+}