opencode-gemini-auth 1.0.10 → 1.1.0

package/README.md

@@ -41,6 +41,14 @@ opencode  # Reinstalls latest
 
 ## Local Development
 
+First, clone the repository and install dependencies:
+
+```bash
+git clone https://github.com/jenslys/opencode-gemini-auth.git
+cd opencode-gemini-auth
+bun install
+```
+
 When you want Opencode to use a local checkout of this plugin, point the
 `plugin` entry in your config to the folder via a `file://` URL:
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "opencode-gemini-auth",
   "module": "index.ts",
-  "version": "1.0.10",
+  "version": "1.1.0",
   "author": "jenslys",
   "repository": "https://github.com/jenslys/opencode-gemini-auth",
   "files": [

package/src/constants.ts

@@ -32,3 +32,8 @@ export const CODE_ASSIST_HEADERS = {
   "X-Goog-Api-Client": "gl-node/22.17.0",
   "Client-Metadata": "ideType=IDE_UNSPECIFIED,platform=PLATFORM_UNSPECIFIED,pluginType=GEMINI",
 } as const;
+
+/**
+ * Provider identifier shared between the plugin loader and credential store.
+ */
+export const GEMINI_PROVIDER_ID = "google";

package/src/plugin/cache.ts

@@ -0,0 +1,53 @@
+import { accessTokenExpired } from "./auth";
+import type { OAuthAuthDetails } from "./types";
+
+const authCache = new Map<string, OAuthAuthDetails>();
+
+function normalizeRefreshKey(refresh?: string): string | undefined {
+  const key = refresh?.trim();
+  return key ? key : undefined;
+}
+
+export function resolveCachedAuth(auth: OAuthAuthDetails): OAuthAuthDetails {
+  const key = normalizeRefreshKey(auth.refresh);
+  if (!key) {
+    return auth;
+  }
+
+  const cached = authCache.get(key);
+  if (!cached) {
+    authCache.set(key, auth);
+    return auth;
+  }
+
+  if (!accessTokenExpired(auth)) {
+    authCache.set(key, auth);
+    return auth;
+  }
+
+  if (!accessTokenExpired(cached)) {
+    return cached;
+  }
+
+  authCache.set(key, auth);
+  return auth;
+}
+
+export function storeCachedAuth(auth: OAuthAuthDetails): void {
+  const key = normalizeRefreshKey(auth.refresh);
+  if (!key) {
+    return;
+  }
+  authCache.set(key, auth);
+}
+
+export function clearCachedAuth(refresh?: string): void {
+  if (!refresh) {
+    authCache.clear();
+    return;
+  }
+  const key = normalizeRefreshKey(refresh);
+  if (key) {
+    authCache.delete(key);
+  }
+}

package/src/plugin/project.ts

@@ -1,6 +1,7 @@
 import {
   CODE_ASSIST_HEADERS,
   GEMINI_CODE_ASSIST_ENDPOINT,
+  GEMINI_PROVIDER_ID,
 } from "../constants";
 import { formatRefreshParts, parseRefreshParts } from "./auth";
 import type {
@@ -12,6 +13,73 @@ import type {
 const projectContextResultCache = new Map<string, ProjectContextResult>();
 const projectContextPendingCache = new Map<string, Promise<ProjectContextResult>>();
 
+const CODE_ASSIST_METADATA = {
+  ideType: "IDE_UNSPECIFIED",
+  platform: "PLATFORM_UNSPECIFIED",
+  pluginType: "GEMINI",
+} as const;
+
+interface GeminiUserTier {
+  id?: string;
+  isDefault?: boolean;
+  userDefinedCloudaicompanionProject?: boolean;
+}
+
+interface LoadCodeAssistPayload {
+  cloudaicompanionProject?: string;
+  currentTier?: {
+    id?: string;
+  };
+  allowedTiers?: GeminiUserTier[];
+}
+
+interface OnboardUserPayload {
+  done?: boolean;
+  response?: {
+    cloudaicompanionProject?: {
+      id?: string;
+    };
+  };
+}
+
+class ProjectIdRequiredError extends Error {
+  constructor() {
+    super(
+      "Google Gemini requires a Google Cloud project. Enable the Gemini for Google Cloud API on a project you control, rerun `opencode auth login`, and supply that project ID when prompted.",
+    );
+  }
+}
+
+function buildMetadata(projectId?: string): Record<string, string> {
+  const metadata: Record<string, string> = {
+    ideType: CODE_ASSIST_METADATA.ideType,
+    platform: CODE_ASSIST_METADATA.platform,
+    pluginType: CODE_ASSIST_METADATA.pluginType,
+  };
+  if (projectId) {
+    metadata.duetProject = projectId;
+  }
+  return metadata;
+}
+
+function getDefaultTierId(allowedTiers?: GeminiUserTier[]): string | undefined {
+  if (!allowedTiers || allowedTiers.length === 0) {
+    return undefined;
+  }
+  for (const tier of allowedTiers) {
+    if (tier?.isDefault) {
+      return tier.id;
+    }
+  }
+  return allowedTiers[0]?.id;
+}
+
+function wait(ms: number): Promise<void> {
+  return new Promise(function (resolve) {
+    setTimeout(resolve, ms);
+  });
+}
+
 function getCacheKey(auth: OAuthAuthDetails): string | undefined {
   const refresh = auth.refresh?.trim();
   return refresh ? refresh : undefined;
@@ -27,11 +95,18 @@ export function invalidateProjectContextCache(refresh?: string): void {
   projectContextResultCache.delete(refresh);
 }
 
-export async function loadManagedProject(accessToken: string): Promise<{
-  managedProjectId?: string;
-  needsOnboarding: boolean;
-}> {
+export async function loadManagedProject(
+  accessToken: string,
+  projectId?: string,
+): Promise<LoadCodeAssistPayload | null> {
   try {
+    const metadata = buildMetadata(projectId);
+
+    const requestBody: Record<string, unknown> = { metadata };
+    if (projectId) {
+      requestBody.cloudaicompanionProject = projectId;
+    }
+
     const response = await fetch(
       `${GEMINI_CODE_ASSIST_ENDPOINT}/v1internal:loadCodeAssist`,
       {
@@ -41,134 +116,78 @@ export async function loadManagedProject(accessToken: string): Promise<{
           Authorization: `Bearer ${accessToken}`,
           ...CODE_ASSIST_HEADERS,
         },
-        body: JSON.stringify({
-          metadata: {
-            ideType: "IDE_UNSPECIFIED",
-            platform: "PLATFORM_UNSPECIFIED",
-            pluginType: "GEMINI",
-          },
-        }),
+        body: JSON.stringify(requestBody),
       },
     );
 
     if (!response.ok) {
-      return { needsOnboarding: false };
+      return null;
     }
 
-    const payload = (await response.json()) as {
-      cloudaicompanionProject?: string;
-      currentTier?: string;
-    };
-
-    if (payload.cloudaicompanionProject) {
-      return {
-        managedProjectId: payload.cloudaicompanionProject,
-        needsOnboarding: false,
-      };
-    }
-
-    return { needsOnboarding: !payload.currentTier };
+    return (await response.json()) as LoadCodeAssistPayload;
   } catch (error) {
     console.error("Failed to load Gemini managed project:", error);
-    return { needsOnboarding: false };
+    return null;
   }
 }
 
-export async function pollOperation(
+
+export async function onboardManagedProject(
   accessToken: string,
-  operationName: string,
+  tierId: string,
+  projectId?: string,
   attempts = 10,
-  intervalMs = 2000,
+  delayMs = 5000,
 ): Promise<string | undefined> {
-  for (let attempt = 0; attempt < attempts; attempt += 1) {
-    await new Promise((resolve) => setTimeout(resolve, intervalMs));
+  const metadata = buildMetadata(projectId);
+  const requestBody: Record<string, unknown> = {
+    tierId,
+    metadata,
+  };
 
+  if (tierId !== "FREE") {
+    if (!projectId) {
+      throw new ProjectIdRequiredError();
+    }
+    requestBody.cloudaicompanionProject = projectId;
+  }
+
+  for (let attempt = 0; attempt < attempts; attempt += 1) {
     try {
       const response = await fetch(
-        `${GEMINI_CODE_ASSIST_ENDPOINT}/v1internal/operations/${operationName}`,
+        `${GEMINI_CODE_ASSIST_ENDPOINT}/v1internal:onboardUser`,
         {
-          method: "GET",
+          method: "POST",
           headers: {
+            "Content-Type": "application/json",
             Authorization: `Bearer ${accessToken}`,
+            ...CODE_ASSIST_HEADERS,
           },
+          body: JSON.stringify(requestBody),
         },
       );
 
       if (!response.ok) {
-        continue;
+        return undefined;
       }
 
-      const payload = (await response.json()) as {
-        done?: boolean;
-        response?: {
-          cloudaicompanionProject?: {
-            id?: string;
-          };
-        };
-      };
-
-      const projectId = payload.response?.cloudaicompanionProject?.id;
+      const payload = (await response.json()) as OnboardUserPayload;
+      const managedProjectId = payload.response?.cloudaicompanionProject?.id;
+      if (payload.done && managedProjectId) {
+        return managedProjectId;
+      }
       if (payload.done && projectId) {
         return projectId;
       }
     } catch (error) {
-      console.error("Failed to poll Gemini onboarding operation:", error);
-    }
-  }
-  return undefined;
-}
-
-export async function onboardManagedProject(
-  accessToken: string,
-): Promise<string | undefined> {
-  try {
-    const response = await fetch(
-      `${GEMINI_CODE_ASSIST_ENDPOINT}/v1internal:onboardUser`,
-      {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json",
-          Authorization: `Bearer ${accessToken}`,
-          ...CODE_ASSIST_HEADERS,
-        },
-        body: JSON.stringify({
-          tierId: "FREE",
-          metadata: {
-            ideType: "IDE_UNSPECIFIED",
-            platform: "PLATFORM_UNSPECIFIED",
-            pluginType: "GEMINI",
-          },
-        }),
-      },
-    );
-
-    if (!response.ok) {
+      console.error("Failed to onboard Gemini managed project:", error);
       return undefined;
     }
 
-    const payload = (await response.json()) as {
-      done?: boolean;
-      name?: string;
-      response?: {
-        cloudaicompanionProject?: {
-          id?: string;
-        };
-      };
-    };
-
-    if (payload.done && payload.response?.cloudaicompanionProject?.id) {
-      return payload.response.cloudaicompanionProject.id;
-    }
-
-    if (!payload.done && payload.name) {
-      return pollOperation(accessToken, payload.name);
-    }
-
-    return undefined;
-  } catch (error) {
-    console.error("Failed to onboard Gemini managed project:", error);
-    return undefined;
+    await wait(delayMs);
   }
+
+  return undefined;
 }
 
 export async function ensureProjectContext(
@@ -201,13 +220,43 @@ export async function ensureProjectContext(
       };
     }
 
-    const loadResult = await loadManagedProject(accessToken);
-    let managedProjectId = loadResult.managedProjectId;
+    const loadPayload = await loadManagedProject(accessToken, parts.projectId);
+    if (loadPayload?.cloudaicompanionProject) {
+      const managedProjectId = loadPayload.cloudaicompanionProject;
+      const updatedAuth: OAuthAuthDetails = {
+        ...auth,
+        refresh: formatRefreshParts({
+          refreshToken: parts.refreshToken,
+          projectId: parts.projectId,
+          managedProjectId,
+        }),
+      };
+
+      await client.auth.set({
+        path: { id: GEMINI_PROVIDER_ID },
+        body: updatedAuth,
+      });
+
+      return { auth: updatedAuth, effectiveProjectId: managedProjectId };
+    }
+
+    if (!loadPayload) {
+      throw new ProjectIdRequiredError();
+    }
+
+    const currentTierId = loadPayload.currentTier?.id ?? undefined;
+    if (currentTierId && currentTierId !== "FREE") {
+      throw new ProjectIdRequiredError();
+    }
+
+    const defaultTierId = getDefaultTierId(loadPayload.allowedTiers);
+    const tierId = defaultTierId ?? "FREE";
 
-    if (!managedProjectId && loadResult.needsOnboarding) {
-      managedProjectId = await onboardManagedProject(accessToken);
+    if (tierId !== "FREE") {
+      throw new ProjectIdRequiredError();
     }
 
+    const managedProjectId = await onboardManagedProject(accessToken, tierId, parts.projectId);
     if (managedProjectId) {
       const updatedAuth: OAuthAuthDetails = {
         ...auth,
@@ -219,14 +268,14 @@ export async function ensureProjectContext(
       };
 
       await client.auth.set({
-        path: { id: "gemini-cli" },
+        path: { id: GEMINI_PROVIDER_ID },
         body: updatedAuth,
       });
 
       return { auth: updatedAuth, effectiveProjectId: managedProjectId };
     }
 
-    return { auth, effectiveProjectId: "" };
+    throw new ProjectIdRequiredError();
   };
 
   if (!cacheKey) {

package/src/plugin/token.test.ts

@@ -0,0 +1,74 @@
+import { beforeEach, describe, expect, it, mock } from "bun:test";
+
+import { GEMINI_PROVIDER_ID } from "../constants";
+import { refreshAccessToken } from "./token";
+import type { OAuthAuthDetails, PluginClient } from "./types";
+
+const baseAuth: OAuthAuthDetails = {
+  type: "oauth",
+  refresh: "refresh-token|project-123",
+  access: "old-access",
+  expires: Date.now() - 1000,
+};
+
+function createClient() {
+  return {
+    auth: {
+      set: mock(async () => {}),
+    },
+  } as PluginClient & {
+    auth: { set: ReturnType<typeof mock<(input: any) => Promise<void>>> };
+  };
+}
+
+describe("refreshAccessToken", () => {
+  beforeEach(() => {
+    mock.restore();
+  });
+
+  it("updates the caller but skips persisting when refresh token is unchanged", async () => {
+    const client = createClient();
+    const fetchMock = mock(async () => {
+      return new Response(
+        JSON.stringify({
+          access_token: "new-access",
+          expires_in: 3600,
+        }),
+        { status: 200 },
+      );
+    });
+    (globalThis as { fetch: typeof fetch }).fetch = fetchMock as unknown as typeof fetch;
+
+    const result = await refreshAccessToken(baseAuth, client);
+
+    expect(result?.access).toBe("new-access");
+    expect(client.auth.set.mock.calls.length).toBe(0);
+  });
+
+  it("persists when Google rotates the refresh token", async () => {
+    const client = createClient();
+    const fetchMock = mock(async () => {
+      return new Response(
+        JSON.stringify({
+          access_token: "next-access",
+          expires_in: 3600,
+          refresh_token: "rotated-token",
+        }),
+        { status: 200 },
+      );
+    });
+    (globalThis as { fetch: typeof fetch }).fetch = fetchMock as unknown as typeof fetch;
+
+    const result = await refreshAccessToken(baseAuth, client);
+
+    expect(result?.access).toBe("next-access");
+    expect(client.auth.set.mock.calls.length).toBe(1);
+    expect(client.auth.set.mock.calls[0]?.[0]).toEqual({
+      path: { id: GEMINI_PROVIDER_ID },
+      body: expect.objectContaining({
+        type: "oauth",
+        refresh: expect.stringContaining("rotated-token"),
+      }),
+    });
+  });
+});

package/src/plugin/token.ts

@@ -1,5 +1,10 @@
-import { GEMINI_CLIENT_ID, GEMINI_CLIENT_SECRET } from "../constants";
+import {
+  GEMINI_CLIENT_ID,
+  GEMINI_CLIENT_SECRET,
+  GEMINI_PROVIDER_ID,
+} from "../constants";
 import { formatRefreshParts, parseRefreshParts } from "./auth";
+import { clearCachedAuth, storeCachedAuth } from "./cache";
 import { invalidateProjectContextCache } from "./project";
 import type { OAuthAuthDetails, PluginClient, RefreshParts } from "./types";
 
@@ -101,7 +106,7 @@ export async function refreshAccessToken(
             }),
           };
           await client.auth.set({
-            path: { id: "gemini-cli" },
+            path: { id: GEMINI_PROVIDER_ID },
             body: clearedAuth,
           });
         } catch (storeError) {
@@ -131,12 +136,19 @@ export async function refreshAccessToken(
       refresh: formatRefreshParts(refreshedParts),
     };
 
-    await client.auth.set({
-      path: { id: "gemini-cli" },
-      body: updatedAuth,
-    });
+    storeCachedAuth(updatedAuth);
     invalidateProjectContextCache(auth.refresh);
 
+    const refreshTokenRotated =
+      typeof payload.refresh_token === "string" && payload.refresh_token !== parts.refreshToken;
+
+    if (refreshTokenRotated) {
+      await client.auth.set({
+        path: { id: GEMINI_PROVIDER_ID },
+        body: updatedAuth,
+      });
+    }
+
     return updatedAuth;
   } catch (error) {
     console.error("Failed to refresh Gemini access token due to an unexpected error:", error);

package/src/plugin.ts

@@ -1,4 +1,4 @@
-import { GEMINI_REDIRECT_URI } from "./constants";
+import { GEMINI_PROVIDER_ID, GEMINI_REDIRECT_URI } from "./constants";
 import { authorizeGemini, exchangeGemini } from "./gemini/oauth";
 import type { GeminiTokenExchangeResult } from "./gemini/oauth";
 import { accessTokenExpired, isOAuthAuth } from "./plugin/auth";
@@ -17,6 +17,7 @@ import type {
   LoaderResult,
   PluginContext,
   PluginResult,
+  ProjectContextResult,
   Provider,
 } from "./plugin/types";
 
@@ -24,7 +25,7 @@ export const GeminiCLIOAuthPlugin = async (
   { client }: PluginContext,
 ): Promise<PluginResult> => ({
   auth: {
-    provider: "google",
+    provider: GEMINI_PROVIDER_ID,
     loader: async (getAuth: GetAuth, provider: Provider): Promise<LoaderResult | null> => {
       const auth = await getAuth();
       if (!isOAuthAuth(auth)) {
@@ -65,7 +66,18 @@ export const GeminiCLIOAuthPlugin = async (
             return fetch(input, init);
           }
 
-          const projectContext = await ensureProjectContext(authRecord, client);
+          async function resolveProjectContext(): Promise<ProjectContextResult> {
+            try {
+              return await ensureProjectContext(authRecord, client);
+            } catch (error) {
+              if (error instanceof Error) {
+                console.error(error.message);
+              }
+              throw error;
+            }
+          }
+
+          const projectContext = await resolveProjectContext();
 
           const { request, init: transformedInit, streaming } = prepareGeminiRequest(
             input,
@@ -193,7 +205,7 @@ export const GeminiCLIOAuthPlugin = async (
         },
       },
       {
-        provider: "google",
+        provider: GEMINI_PROVIDER_ID,
         label: "Manually enter API Key",
         type: "api",
       },