opencode-gemini-auth 1.0.5

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Jens
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,14 @@
+# Gemini OAuth Plugin for Opencode
+
+Plugin for Opencode that allows you to authenticate with your Google account. This allows you to use your Google account instead of using the API.
+
+## install
+
+Add the `opencode-gemini-auth` plugin to your [opencode config](https://opencode.ai/docs/config/)
+
+```json
+{
+  "$schema": "https://opencode.ai/config.json",
+  "plugin": ["opencode-gemini-auth"]
+}
+```

package/index.ts

@@ -0,0 +1,14 @@
+export {
+  GeminiCLIOAuthPlugin,
+  GoogleOAuthPlugin,
+} from "./src/plugin";
+
+export {
+  authorizeGemini,
+  exchangeGemini,
+} from "./src/gemini/oauth";
+
+export type {
+  GeminiAuthorization,
+  GeminiTokenExchangeResult,
+} from "./src/gemini/oauth";

package/package.json

@@ -0,0 +1,23 @@
+{
+  "name": "opencode-gemini-auth",
+  "module": "index.ts",
+  "version": "1.0.5",
+  "author": "jenslys",
+  "repository": "https://github.com/jenslys/opencode-gemini-auth",
+  "files": [
+    "index.ts",
+    "src"
+  ],
+  "license": "MIT",
+  "type": "module",
+  "devDependencies": {
+    "@opencode-ai/plugin": "^0.15.30",
+    "@types/bun": "latest"
+  },
+  "peerDependencies": {
+    "typescript": "^5"
+  },
+  "dependencies": {
+    "@openauthjs/openauth": "^0.4.3"
+  }
+}

package/src/constants.ts

@@ -0,0 +1,34 @@
+/**
+ * Constants used for Google Gemini OAuth flows and Cloud Code Assist API integration.
+ */
+export const GEMINI_CLIENT_ID = "681255809395-oo8ft2oprdrnp9e3aqf6av3hmdib135j.apps.googleusercontent.com";
+
+/**
+ * Client secret issued for the Gemini CLI OAuth application.
+ */
+export const GEMINI_CLIENT_SECRET = "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";
+
+/**
+ * Scopes required for Gemini CLI integrations.
+ */
+export const GEMINI_SCOPES: readonly string[] = [
+  "https://www.googleapis.com/auth/cloud-platform",
+  "https://www.googleapis.com/auth/userinfo.email",
+  "https://www.googleapis.com/auth/userinfo.profile",
+];
+
+/**
+ * OAuth redirect URI used by the local CLI callback server.
+ */
+export const GEMINI_REDIRECT_URI = "http://localhost:8085/oauth2callback";
+
+/**
+ * Root endpoint for the Cloud Code Assist API which backs Gemini CLI traffic.
+ */
+export const GEMINI_CODE_ASSIST_ENDPOINT = "https://cloudcode-pa.googleapis.com";
+
+export const CODE_ASSIST_HEADERS = {
+  "User-Agent": "google-api-nodejs-client/9.15.1",
+  "X-Goog-Api-Client": "gl-node/22.17.0",
+  "Client-Metadata": "ideType=IDE_UNSPECIFIED,platform=PLATFORM_UNSPECIFIED,pluginType=GEMINI",
+} as const;

package/src/gemini/oauth.ts

@@ -0,0 +1,174 @@
+import { generatePKCE } from "@openauthjs/openauth/pkce";
+
+import {
+  GEMINI_CLIENT_ID,
+  GEMINI_CLIENT_SECRET,
+  GEMINI_REDIRECT_URI,
+  GEMINI_SCOPES,
+} from "../constants";
+
+interface PkcePair {
+  challenge: string;
+  verifier: string;
+}
+
+interface GeminiAuthState {
+  verifier: string;
+  projectId: string;
+}
+
+/**
+ * Result returned to the caller after constructing an OAuth authorization URL.
+ */
+export interface GeminiAuthorization {
+  url: string;
+  verifier: string;
+  projectId: string;
+}
+
+interface GeminiTokenExchangeSuccess {
+  type: "success";
+  refresh: string;
+  access: string;
+  expires: number;
+  email?: string;
+  projectId: string;
+}
+
+interface GeminiTokenExchangeFailure {
+  type: "failed";
+  error: string;
+}
+
+export type GeminiTokenExchangeResult =
+  | GeminiTokenExchangeSuccess
+  | GeminiTokenExchangeFailure;
+
+interface GeminiTokenResponse {
+  access_token: string;
+  expires_in: number;
+  refresh_token: string;
+}
+
+interface GeminiUserInfo {
+  email?: string;
+}
+
+/**
+ * Encode an object into a URL-safe base64 string.
+ */
+function encodeState(payload: GeminiAuthState): string {
+  return Buffer.from(JSON.stringify(payload), "utf8").toString("base64url");
+}
+
+/**
+ * Decode an OAuth state parameter back into its structured representation.
+ */
+function decodeState(state: string): GeminiAuthState {
+  const normalized = state.replace(/-/g, "+").replace(/_/g, "/");
+  const padded = normalized.padEnd(normalized.length + ((4 - normalized.length % 4) % 4), "=");
+  const json = Buffer.from(padded, "base64").toString("utf8");
+  const parsed = JSON.parse(json);
+  if (typeof parsed.verifier !== "string") {
+    throw new Error("Missing PKCE verifier in state");
+  }
+  return {
+    verifier: parsed.verifier,
+    projectId: typeof parsed.projectId === "string" ? parsed.projectId : "",
+  };
+}
+
+/**
+ * Build the Gemini OAuth authorization URL including PKCE and optional project metadata.
+ */
+export async function authorizeGemini(projectId = ""): Promise<GeminiAuthorization> {
+  const pkce = (await generatePKCE()) as PkcePair;
+
+  const url = new URL("https://accounts.google.com/o/oauth2/v2/auth");
+  url.searchParams.set("client_id", GEMINI_CLIENT_ID);
+  url.searchParams.set("response_type", "code");
+  url.searchParams.set("redirect_uri", GEMINI_REDIRECT_URI);
+  url.searchParams.set("scope", GEMINI_SCOPES.join(" "));
+  url.searchParams.set("code_challenge", pkce.challenge);
+  url.searchParams.set("code_challenge_method", "S256");
+  url.searchParams.set(
+    "state",
+    encodeState({ verifier: pkce.verifier, projectId: projectId || "" }),
+  );
+  url.searchParams.set("access_type", "offline");
+  url.searchParams.set("prompt", "consent");
+
+  return {
+    url: url.toString(),
+    verifier: pkce.verifier,
+    projectId: projectId || "",
+  };
+}
+
+/**
+ * Exchange an authorization code for Gemini CLI access and refresh tokens.
+ */
+export async function exchangeGemini(
+  code: string,
+  state: string,
+): Promise<GeminiTokenExchangeResult> {
+  try {
+    const { verifier, projectId } = decodeState(state);
+
+    const tokenResponse = await fetch("https://oauth2.googleapis.com/token", {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+      },
+      body: new URLSearchParams({
+        client_id: GEMINI_CLIENT_ID,
+        client_secret: GEMINI_CLIENT_SECRET,
+        code,
+        grant_type: "authorization_code",
+        redirect_uri: GEMINI_REDIRECT_URI,
+        code_verifier: verifier,
+      }),
+    });
+
+    if (!tokenResponse.ok) {
+      const errorText = await tokenResponse.text();
+      return { type: "failed", error: errorText };
+    }
+
+    const tokenPayload = (await tokenResponse.json()) as GeminiTokenResponse;
+
+    const userInfoResponse = await fetch(
+      "https://www.googleapis.com/oauth2/v1/userinfo?alt=json",
+      {
+        headers: {
+          Authorization: `Bearer ${tokenPayload.access_token}`,
+        },
+      },
+    );
+
+    const userInfo = userInfoResponse.ok
+      ? ((await userInfoResponse.json()) as GeminiUserInfo)
+      : {};
+
+    const refreshToken = tokenPayload.refresh_token;
+    if (!refreshToken) {
+      return { type: "failed", error: "Missing refresh token in response" };
+    }
+
+    const storedRefresh = `${refreshToken}|${projectId || ""}`;
+
+    return {
+      type: "success",
+      refresh: storedRefresh,
+      access: tokenPayload.access_token,
+      expires: Date.now() + tokenPayload.expires_in * 1000,
+      email: userInfo.email,
+      projectId: projectId || "",
+    };
+  } catch (error) {
+    return {
+      type: "failed",
+      error: error instanceof Error ? error.message : "Unknown error",
+    };
+  }
+}

package/src/plugin/auth.ts

@@ -0,0 +1,27 @@
+import type { AuthDetails, OAuthAuthDetails, RefreshParts } from "./types";
+
+export function isOAuthAuth(auth: AuthDetails): auth is OAuthAuthDetails {
+  return auth.type === "oauth";
+}
+
+export function parseRefreshParts(refresh: string): RefreshParts {
+  const [refreshToken = "", projectId = "", managedProjectId = ""] = (refresh ?? "").split("|");
+  return {
+    refreshToken,
+    projectId: projectId || undefined,
+    managedProjectId: managedProjectId || undefined,
+  };
+}
+
+export function formatRefreshParts(parts: RefreshParts): string {
+  const projectSegment = parts.projectId ?? "";
+  const base = `${parts.refreshToken}|${projectSegment}`;
+  return parts.managedProjectId ? `${base}|${parts.managedProjectId}` : base;
+}
+
+export function accessTokenExpired(auth: OAuthAuthDetails): boolean {
+  if (!auth.access || typeof auth.expires !== "number") {
+    return true;
+  }
+  return auth.expires <= Date.now();
+}

package/src/plugin/cli.ts

@@ -0,0 +1,12 @@
+import { createInterface } from "node:readline/promises";
+import { stdin as input, stdout as output } from "node:process";
+
+export async function promptProjectId(): Promise<string> {
+  const rl = createInterface({ input, output });
+  try {
+    const answer = await rl.question("Project ID (leave blank to use your default project): ");
+    return answer.trim();
+  } finally {
+    rl.close();
+  }
+}

package/src/plugin/project.ts

@@ -0,0 +1,198 @@
+import {
+  CODE_ASSIST_HEADERS,
+  GEMINI_CODE_ASSIST_ENDPOINT,
+} from "../constants";
+import { formatRefreshParts, parseRefreshParts } from "./auth";
+import type {
+  OAuthAuthDetails,
+  PluginClient,
+  ProjectContextResult,
+} from "./types";
+
+export async function loadManagedProject(accessToken: string): Promise<{
+  managedProjectId?: string;
+  needsOnboarding: boolean;
+}> {
+  try {
+    const response = await fetch(
+      `${GEMINI_CODE_ASSIST_ENDPOINT}/v1internal:loadCodeAssist`,
+      {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${accessToken}`,
+          ...CODE_ASSIST_HEADERS,
+        },
+        body: JSON.stringify({
+          metadata: {
+            ideType: "IDE_UNSPECIFIED",
+            platform: "PLATFORM_UNSPECIFIED",
+            pluginType: "GEMINI",
+          },
+        }),
+      },
+    );
+
+    if (!response.ok) {
+      return { needsOnboarding: false };
+    }
+
+    const payload = (await response.json()) as {
+      cloudaicompanionProject?: string;
+      currentTier?: string;
+    };
+
+    if (payload.cloudaicompanionProject) {
+      return {
+        managedProjectId: payload.cloudaicompanionProject,
+        needsOnboarding: false,
+      };
+    }
+
+    return { needsOnboarding: !payload.currentTier };
+  } catch (error) {
+    console.error("Failed to load Gemini managed project:", error);
+    return { needsOnboarding: false };
+  }
+}
+
+export async function pollOperation(
+  accessToken: string,
+  operationName: string,
+  attempts = 10,
+  intervalMs = 2000,
+): Promise<string | undefined> {
+  for (let attempt = 0; attempt < attempts; attempt += 1) {
+    await new Promise((resolve) => setTimeout(resolve, intervalMs));
+
+    try {
+      const response = await fetch(
+        `${GEMINI_CODE_ASSIST_ENDPOINT}/v1internal/operations/${operationName}`,
+        {
+          method: "GET",
+          headers: {
+            Authorization: `Bearer ${accessToken}`,
+          },
+        },
+      );
+
+      if (!response.ok) {
+        continue;
+      }
+
+      const payload = (await response.json()) as {
+        done?: boolean;
+        response?: {
+          cloudaicompanionProject?: {
+            id?: string;
+          };
+        };
+      };
+
+      const projectId = payload.response?.cloudaicompanionProject?.id;
+      if (payload.done && projectId) {
+        return projectId;
+      }
+    } catch (error) {
+      console.error("Failed to poll Gemini onboarding operation:", error);
+    }
+  }
+  return undefined;
+}
+
+export async function onboardManagedProject(
+  accessToken: string,
+): Promise<string | undefined> {
+  try {
+    const response = await fetch(
+      `${GEMINI_CODE_ASSIST_ENDPOINT}/v1internal:onboardUser`,
+      {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${accessToken}`,
+          ...CODE_ASSIST_HEADERS,
+        },
+        body: JSON.stringify({
+          tierId: "FREE",
+          metadata: {
+            ideType: "IDE_UNSPECIFIED",
+            platform: "PLATFORM_UNSPECIFIED",
+            pluginType: "GEMINI",
+          },
+        }),
+      },
+    );
+
+    if (!response.ok) {
+      return undefined;
+    }
+
+    const payload = (await response.json()) as {
+      done?: boolean;
+      name?: string;
+      response?: {
+        cloudaicompanionProject?: {
+          id?: string;
+        };
+      };
+    };
+
+    if (payload.done && payload.response?.cloudaicompanionProject?.id) {
+      return payload.response.cloudaicompanionProject.id;
+    }
+
+    if (!payload.done && payload.name) {
+      return pollOperation(accessToken, payload.name);
+    }
+
+    return undefined;
+  } catch (error) {
+    console.error("Failed to onboard Gemini managed project:", error);
+    return undefined;
+  }
+}
+
+export async function ensureProjectContext(
+  auth: OAuthAuthDetails,
+  client: PluginClient,
+): Promise<ProjectContextResult> {
+  if (!auth.access) {
+    return { auth, effectiveProjectId: "" };
+  }
+
+  const parts = parseRefreshParts(auth.refresh);
+  if (parts.projectId || parts.managedProjectId) {
+    return {
+      auth,
+      effectiveProjectId: parts.projectId || parts.managedProjectId || "",
+    };
+  }
+
+  const loadResult = await loadManagedProject(auth.access);
+  let managedProjectId = loadResult.managedProjectId;
+
+  if (!managedProjectId && loadResult.needsOnboarding) {
+    managedProjectId = await onboardManagedProject(auth.access);
+  }
+
+  if (managedProjectId) {
+    const updatedAuth: OAuthAuthDetails = {
+      ...auth,
+      refresh: formatRefreshParts({
+        refreshToken: parts.refreshToken,
+        projectId: parts.projectId,
+        managedProjectId,
+      }),
+    };
+
+    await client.auth.set({
+      path: { id: "gemini-cli" },
+      body: updatedAuth,
+    });
+
+    return { auth: updatedAuth, effectiveProjectId: managedProjectId };
+  }
+
+  return { auth, effectiveProjectId: "" };
+}

package/src/plugin/request.ts

@@ -0,0 +1,146 @@
+import {
+  CODE_ASSIST_HEADERS,
+  GEMINI_CODE_ASSIST_ENDPOINT,
+} from "../constants";
+
+const STREAM_ACTION = "streamGenerateContent";
+
+function isGenerativeLanguageRequest(input: RequestInfo): input is string {
+  return typeof input === "string" && input.includes("generativelanguage.googleapis.com");
+}
+
+function transformStreamingPayload(payload: string): string {
+  return payload
+    .split("\n")
+    .map((line) => {
+      if (!line.startsWith("data:")) {
+        return line;
+      }
+      const json = line.slice(5).trim();
+      if (!json) {
+        return line;
+      }
+      try {
+        const parsed = JSON.parse(json) as { response?: unknown };
+        if (parsed.response !== undefined) {
+          return `data: ${JSON.stringify(parsed.response)}`;
+        }
+      } catch (_) {}
+      return line;
+    })
+    .join("\n");
+}
+
+export function prepareGeminiRequest(
+  input: RequestInfo,
+  init: RequestInit | undefined,
+  accessToken: string,
+  projectId: string,
+): { request: RequestInfo; init: RequestInit; streaming: boolean } {
+  const baseInit: RequestInit = { ...init };
+  const headers = new Headers(init?.headers ?? {});
+  headers.set("Authorization", `Bearer ${accessToken}`);
+  headers.delete("x-api-key");
+
+  if (!isGenerativeLanguageRequest(input)) {
+    return {
+      request: input,
+      init: { ...baseInit, headers },
+      streaming: false,
+    };
+  }
+
+  const match = input.match(/\/models\/([^:]+):(\w+)/);
+  if (!match) {
+    return {
+      request: input,
+      init: { ...baseInit, headers },
+      streaming: false,
+    };
+  }
+
+  const [, model, action] = match;
+  const streaming = action === STREAM_ACTION;
+  const transformedUrl = `${GEMINI_CODE_ASSIST_ENDPOINT}/v1internal:${action}${
+    streaming ? "?alt=sse" : ""
+  }`;
+
+  let body = baseInit.body;
+  if (typeof baseInit.body === "string" && baseInit.body) {
+    try {
+      const parsedBody = JSON.parse(baseInit.body) as Record<string, unknown>;
+      const requestPayload: Record<string, unknown> = { ...parsedBody };
+
+      if ("system_instruction" in requestPayload) {
+        requestPayload.systemInstruction = requestPayload.system_instruction;
+        delete requestPayload.system_instruction;
+      }
+
+      if ("model" in requestPayload) {
+        delete requestPayload.model;
+      }
+
+      const wrappedBody = {
+        project: projectId,
+        model,
+        request: requestPayload,
+      };
+
+      body = JSON.stringify(wrappedBody);
+    } catch (error) {
+      console.error("Failed to transform Gemini request body:", error);
+    }
+  }
+
+  if (streaming) {
+    headers.set("Accept", "text/event-stream");
+  }
+
+  headers.set("User-Agent", CODE_ASSIST_HEADERS["User-Agent"]);
+  headers.set("X-Goog-Api-Client", CODE_ASSIST_HEADERS["X-Goog-Api-Client"]);
+  headers.set("Client-Metadata", CODE_ASSIST_HEADERS["Client-Metadata"]);
+
+  return {
+    request: transformedUrl,
+    init: {
+      ...baseInit,
+      headers,
+      body,
+    },
+    streaming,
+  };
+}
+
+export async function transformGeminiResponse(
+  response: Response,
+  streaming: boolean,
+): Promise<Response> {
+  const contentType = response.headers.get("content-type") ?? "";
+  if (!streaming && !contentType.includes("application/json")) {
+    return response;
+  }
+
+  try {
+    const text = await response.text();
+    const headers = new Headers(response.headers);
+    const init = {
+      status: response.status,
+      statusText: response.statusText,
+      headers,
+    };
+
+    if (streaming) {
+      return new Response(transformStreamingPayload(text), init);
+    }
+
+    const parsed = JSON.parse(text) as { response?: unknown };
+    if (parsed.response !== undefined) {
+      return new Response(JSON.stringify(parsed.response), init);
+    }
+
+    return new Response(text, init);
+  } catch (error) {
+    console.error("Failed to transform Gemini response:", error);
+    return response;
+  }
+}

package/src/plugin/token.ts

@@ -0,0 +1,61 @@
+import { GEMINI_CLIENT_ID, GEMINI_CLIENT_SECRET } from "../constants";
+import { formatRefreshParts, parseRefreshParts } from "./auth";
+import type { OAuthAuthDetails, PluginClient, RefreshParts } from "./types";
+
+export async function refreshAccessToken(
+  auth: OAuthAuthDetails,
+  client: PluginClient,
+): Promise<OAuthAuthDetails | undefined> {
+  const parts = parseRefreshParts(auth.refresh);
+  if (!parts.refreshToken) {
+    return undefined;
+  }
+
+  try {
+    const response = await fetch("https://oauth2.googleapis.com/token", {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+      },
+      body: new URLSearchParams({
+        grant_type: "refresh_token",
+        refresh_token: parts.refreshToken,
+        client_id: GEMINI_CLIENT_ID,
+        client_secret: GEMINI_CLIENT_SECRET,
+      }),
+    });
+
+    if (!response.ok) {
+      return undefined;
+    }
+
+    const payload = (await response.json()) as {
+      access_token: string;
+      expires_in: number;
+      refresh_token?: string;
+    };
+
+    const refreshedParts: RefreshParts = {
+      refreshToken: payload.refresh_token ?? parts.refreshToken,
+      projectId: parts.projectId,
+      managedProjectId: parts.managedProjectId,
+    };
+
+    const updatedAuth: OAuthAuthDetails = {
+      ...auth,
+      access: payload.access_token,
+      expires: Date.now() + payload.expires_in * 1000,
+      refresh: formatRefreshParts(refreshedParts),
+    };
+
+    await client.auth.set({
+      path: { id: "gemini-cli" },
+      body: updatedAuth,
+    });
+
+    return updatedAuth;
+  } catch (error) {
+    console.error("Failed to refresh Gemini access token:", error);
+    return undefined;
+  }
+}

package/src/plugin/types.ts

@@ -0,0 +1,75 @@
+import type { GeminiTokenExchangeResult } from "../gemini/oauth";
+
+export interface OAuthAuthDetails {
+  type: "oauth";
+  refresh: string;
+  access?: string;
+  expires?: number;
+}
+
+export interface NonOAuthAuthDetails {
+  type: string;
+  [key: string]: unknown;
+}
+
+export type AuthDetails = OAuthAuthDetails | NonOAuthAuthDetails;
+
+export type GetAuth = () => Promise<AuthDetails>;
+
+export interface ProviderModel {
+  cost?: {
+    input: number;
+    output: number;
+  };
+  [key: string]: unknown;
+}
+
+export interface Provider {
+  models?: Record<string, ProviderModel>;
+}
+
+export interface LoaderResult {
+  apiKey: string;
+  fetch(input: RequestInfo, init?: RequestInit): Promise<Response>;
+}
+
+export interface AuthMethod {
+  provider?: string;
+  label: string;
+  type: "oauth" | "api";
+  authorize?: () => Promise<{
+    url: string;
+    instructions: string;
+    method: string;
+    callback: (callbackUrl: string) => Promise<GeminiTokenExchangeResult>;
+  }>;
+}
+
+export interface PluginClient {
+  auth: {
+    set(input: { path: { id: string }; body: OAuthAuthDetails }): Promise<void>;
+  };
+}
+
+export interface PluginContext {
+  client: PluginClient;
+}
+
+export interface PluginResult {
+  auth: {
+    provider: string;
+    loader: (getAuth: GetAuth, provider: Provider) => Promise<LoaderResult | null>;
+    methods: AuthMethod[];
+  };
+}
+
+export interface RefreshParts {
+  refreshToken: string;
+  projectId?: string;
+  managedProjectId?: string;
+}
+
+export interface ProjectContextResult {
+  auth: OAuthAuthDetails;
+  effectiveProjectId: string;
+}

package/src/plugin.ts

@@ -0,0 +1,124 @@
+import { authorizeGemini, exchangeGemini } from "./gemini/oauth";
+import type { GeminiTokenExchangeResult } from "./gemini/oauth";
+import { accessTokenExpired, isOAuthAuth } from "./plugin/auth";
+import { promptProjectId } from "./plugin/cli";
+import { ensureProjectContext } from "./plugin/project";
+import { prepareGeminiRequest, transformGeminiResponse } from "./plugin/request";
+import { refreshAccessToken } from "./plugin/token";
+import type {
+  GetAuth,
+  LoaderResult,
+  PluginContext,
+  PluginResult,
+  Provider,
+} from "./plugin/types";
+
+export const GeminiCLIOAuthPlugin = async (
+  { client }: PluginContext,
+): Promise<PluginResult> => ({
+  auth: {
+    provider: "google",
+    loader: async (getAuth: GetAuth, provider: Provider): Promise<LoaderResult | null> => {
+      const auth = await getAuth();
+      if (!isOAuthAuth(auth)) {
+        return null;
+      }
+
+      if (provider.models) {
+        for (const model of Object.values(provider.models)) {
+          if (model) {
+            model.cost = { input: 0, output: 0 };
+          }
+        }
+      }
+
+      return {
+        apiKey: "",
+        async fetch(input, init) {
+          const latestAuth = await getAuth();
+          if (!isOAuthAuth(latestAuth)) {
+            return fetch(input, init);
+          }
+
+          let authRecord = latestAuth;
+          if (accessTokenExpired(authRecord)) {
+            const refreshed = await refreshAccessToken(authRecord, client);
+            if (!refreshed) {
+              return fetch(input, init);
+            }
+            authRecord = refreshed;
+          }
+
+          const accessToken = authRecord.access;
+          if (!accessToken) {
+            return fetch(input, init);
+          }
+
+          const projectContext = await ensureProjectContext(authRecord, client);
+
+          const { request, init: transformedInit, streaming } = prepareGeminiRequest(
+            input,
+            init,
+            accessToken,
+            projectContext.effectiveProjectId,
+          );
+
+          const response = await fetch(request, transformedInit);
+          return transformGeminiResponse(response, streaming);
+        },
+      };
+    },
+    methods: [
+      {
+        label: "OAuth with Google (Gemini CLI)",
+        type: "oauth",
+        authorize: async () => {
+          console.log("\n=== Google Gemini OAuth Setup ===");
+          console.log("1. You'll be asked to sign in to your Google account and grant permission.");
+          console.log("2. After you approve, the browser will try to redirect to a 'localhost' page.");
+          console.log("3. This page will show an error like 'This site can’t be reached'. This is perfectly normal and means it worked!");
+          console.log("4. Once you see that error, copy the entire URL from the address bar, paste it back here, and press Enter.");
+          console.log("\n")
+
+          const projectId = await promptProjectId();
+          const authorization = await authorizeGemini(projectId);
+
+          return {
+            url: authorization.url,
+            instructions:
+              "Visit the URL above, complete OAuth, ignore the localhost connection error, and paste the full redirected URL (e.g., http://localhost:8085/oauth2callback?code=...&state=...): ",
+            method: "code",
+            callback: async (callbackUrl: string): Promise<GeminiTokenExchangeResult> => {
+              try {
+                const url = new URL(callbackUrl);
+                const code = url.searchParams.get("code");
+                const state = url.searchParams.get("state");
+
+                if (!code || !state) {
+                  return {
+                    type: "failed",
+                    error: "Missing code or state in callback URL",
+                  };
+                }
+
+                return exchangeGemini(code, state);
+              } catch (error) {
+                return {
+                  type: "failed",
+                  error: error instanceof Error ? error.message : "Unknown error",
+                };
+              }
+            },
+          };
+        },
+      },
+      {
+        provider: "google",
+        label: "Manually enter API Key",
+        type: "api",
+      },
+    ],
+  },
+});
+
+export const GoogleOAuthPlugin = GeminiCLIOAuthPlugin;

package/src/shims.d.ts

@@ -0,0 +1,8 @@
+declare module "@openauthjs/openauth/pkce" {
+  interface PkcePair {
+    challenge: string;
+    verifier: string;
+  }
+
+  export function generatePKCE(): Promise<PkcePair>;
+}