opencode-gemini-auth 1.0.7 → 1.0.9

package/README.md

@@ -1,17 +1,40 @@
 # Gemini OAuth Plugin for Opencode
 
-Authenticate the Opencode CLI with your Google account so you can use your existing Gemini plan and its included quota instead of API billing.
+Authenticate the Opencode CLI with your Google account so you can use your
+existing Gemini plan and its included quota instead of API billing.
 
 ## Setup
 
 1. Add the plugin to your [Opencode config](https://opencode.ai/docs/config/):
+
    ```json
    {
      "$schema": "https://opencode.ai/config.json",
      "plugin": ["opencode-gemini-auth"]
    }
    ```
+
 2. Run `opencode auth login`.
 3. Choose the Google provider and select **OAuth with Google (Gemini CLI)**.
 
-The plugin spins up a local callback listener, so after approving in the browser you'll land on an "Authentication complete" page with no URL copy/paste required. If that port is already taken, the CLI automatically falls back to the classic copy/paste flow and explains what to do.
+The plugin spins up a local callback listener, so after approving in the
+browser you'll land on an "Authentication complete" page with no URL
+copy/paste required. If that port is already taken, the CLI automatically
+falls back to the classic copy/paste flow and explains what to do.
+
+## Updating
+
+> [!WARNING]
+> OpenCode does NOT auto-update plugins
+
+To get the latest version:
+
+```bash
+(cd ~ && sed -i.bak '/"opencode-gemini-auth"/d' .cache/opencode/package.json && \
+rm -rf .cache/opencode/node_modules/opencode-gemini-auth && \
+echo "Plugin update script finished successfully.")
+```
+
+```bash
+opencode  # Reinstalls latest
+```

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "opencode-gemini-auth",
   "module": "index.ts",
-  "version": "1.0.7",
+  "version": "1.0.9",
   "author": "jenslys",
   "repository": "https://github.com/jenslys/opencode-gemini-auth",
   "files": [

package/src/plugin/auth.ts

@@ -1,5 +1,7 @@
 import type { AuthDetails, OAuthAuthDetails, RefreshParts } from "./types";
 
+const ACCESS_TOKEN_EXPIRY_BUFFER_MS = 60 * 1000;
+
 export function isOAuthAuth(auth: AuthDetails): auth is OAuthAuthDetails {
   return auth.type === "oauth";
 }
@@ -23,5 +25,5 @@ export function accessTokenExpired(auth: OAuthAuthDetails): boolean {
   if (!auth.access || typeof auth.expires !== "number") {
     return true;
   }
-  return auth.expires <= Date.now();
+  return auth.expires <= Date.now() + ACCESS_TOKEN_EXPIRY_BUFFER_MS;
 }

package/src/plugin/project.ts

@@ -9,6 +9,24 @@ import type {
   ProjectContextResult,
 } from "./types";
 
+const projectContextResultCache = new Map<string, ProjectContextResult>();
+const projectContextPendingCache = new Map<string, Promise<ProjectContextResult>>();
+
+function getCacheKey(auth: OAuthAuthDetails): string | undefined {
+  const refresh = auth.refresh?.trim();
+  return refresh ? refresh : undefined;
+}
+
+export function invalidateProjectContextCache(refresh?: string): void {
+  if (!refresh) {
+    projectContextPendingCache.clear();
+    projectContextResultCache.clear();
+    return;
+  }
+  projectContextPendingCache.delete(refresh);
+  projectContextResultCache.delete(refresh);
+}
+
 export async function loadManagedProject(accessToken: string): Promise<{
   managedProjectId?: string;
   needsOnboarding: boolean;
@@ -157,42 +175,79 @@ export async function ensureProjectContext(
   auth: OAuthAuthDetails,
   client: PluginClient,
 ): Promise<ProjectContextResult> {
-  if (!auth.access) {
+  const accessToken = auth.access;
+  if (!accessToken) {
     return { auth, effectiveProjectId: "" };
   }
 
-  const parts = parseRefreshParts(auth.refresh);
-  if (parts.projectId || parts.managedProjectId) {
-    return {
-      auth,
-      effectiveProjectId: parts.projectId || parts.managedProjectId || "",
-    };
+  const cacheKey = getCacheKey(auth);
+  if (cacheKey) {
+    const cached = projectContextResultCache.get(cacheKey);
+    if (cached) {
+      return cached;
+    }
+    const pending = projectContextPendingCache.get(cacheKey);
+    if (pending) {
+      return pending;
+    }
   }
 
-  const loadResult = await loadManagedProject(auth.access);
-  let managedProjectId = loadResult.managedProjectId;
+  const resolveContext = async (): Promise<ProjectContextResult> => {
+    const parts = parseRefreshParts(auth.refresh);
+    if (parts.projectId || parts.managedProjectId) {
+      return {
+        auth,
+        effectiveProjectId: parts.projectId || parts.managedProjectId || "",
+      };
+    }
 
-  if (!managedProjectId && loadResult.needsOnboarding) {
-    managedProjectId = await onboardManagedProject(auth.access);
-  }
+    const loadResult = await loadManagedProject(accessToken);
+    let managedProjectId = loadResult.managedProjectId;
 
-  if (managedProjectId) {
-    const updatedAuth: OAuthAuthDetails = {
-      ...auth,
-      refresh: formatRefreshParts({
-        refreshToken: parts.refreshToken,
-        projectId: parts.projectId,
-        managedProjectId,
-      }),
-    };
+    if (!managedProjectId && loadResult.needsOnboarding) {
+      managedProjectId = await onboardManagedProject(accessToken);
+    }
 
-    await client.auth.set({
-      path: { id: "gemini-cli" },
-      body: updatedAuth,
-    });
+    if (managedProjectId) {
+      const updatedAuth: OAuthAuthDetails = {
+        ...auth,
+        refresh: formatRefreshParts({
+          refreshToken: parts.refreshToken,
+          projectId: parts.projectId,
+          managedProjectId,
+        }),
+      };
+
+      await client.auth.set({
+        path: { id: "gemini-cli" },
+        body: updatedAuth,
+      });
 
-    return { auth: updatedAuth, effectiveProjectId: managedProjectId };
+      return { auth: updatedAuth, effectiveProjectId: managedProjectId };
+    }
+
+    return { auth, effectiveProjectId: "" };
+  };
+
+  if (!cacheKey) {
+    return resolveContext();
   }
 
-  return { auth, effectiveProjectId: "" };
+  const promise = resolveContext()
+    .then((result) => {
+      const nextKey = getCacheKey(result.auth) ?? cacheKey;
+      projectContextPendingCache.delete(cacheKey);
+      projectContextResultCache.set(nextKey, result);
+      if (nextKey !== cacheKey) {
+        projectContextResultCache.delete(cacheKey);
+      }
+      return result;
+    })
+    .catch((error) => {
+      projectContextPendingCache.delete(cacheKey);
+      throw error;
+    });
+
+  projectContextPendingCache.set(cacheKey, promise);
+  return promise;
 }

package/src/plugin/request.ts

@@ -5,7 +5,7 @@ import {
 
 const STREAM_ACTION = "streamGenerateContent";
 
-function isGenerativeLanguageRequest(input: RequestInfo): input is string {
+export function isGenerativeLanguageRequest(input: RequestInfo): input is string {
   return typeof input === "string" && input.includes("generativelanguage.googleapis.com");
 }
 
@@ -39,8 +39,6 @@ export function prepareGeminiRequest(
 ): { request: RequestInfo; init: RequestInit; streaming: boolean } {
   const baseInit: RequestInit = { ...init };
   const headers = new Headers(init?.headers ?? {});
-  headers.set("Authorization", `Bearer ${accessToken}`);
-  headers.delete("x-api-key");
 
   if (!isGenerativeLanguageRequest(input)) {
     return {
@@ -50,6 +48,9 @@ export function prepareGeminiRequest(
     };
   }
 
+  headers.set("Authorization", `Bearer ${accessToken}`);
+  headers.delete("x-api-key");
+
   const match = input.match(/\/models\/([^:]+):(\w+)/);
   if (!match) {
     return {
@@ -67,28 +68,36 @@ export function prepareGeminiRequest(
 
   let body = baseInit.body;
   if (typeof baseInit.body === "string" && baseInit.body) {
-    try {
-      const parsedBody = JSON.parse(baseInit.body) as Record<string, unknown>;
-      const requestPayload: Record<string, unknown> = { ...parsedBody };
+    const trimmedPayload = baseInit.body.trim();
+    const looksCodeAssistPayload =
+      trimmedPayload.startsWith("{") &&
+      trimmedPayload.includes('"project"') &&
+      trimmedPayload.includes('"request"');
 
-      if ("system_instruction" in requestPayload) {
-        requestPayload.systemInstruction = requestPayload.system_instruction;
-        delete requestPayload.system_instruction;
-      }
+    if (!looksCodeAssistPayload) {
+      try {
+        const parsedBody = JSON.parse(baseInit.body) as Record<string, unknown>;
+        const requestPayload: Record<string, unknown> = { ...parsedBody };
 
-      if ("model" in requestPayload) {
-        delete requestPayload.model;
-      }
+        if ("system_instruction" in requestPayload) {
+          requestPayload.systemInstruction = requestPayload.system_instruction;
+          delete requestPayload.system_instruction;
+        }
 
-      const wrappedBody = {
-        project: projectId,
-        model,
-        request: requestPayload,
-      };
+        if ("model" in requestPayload) {
+          delete requestPayload.model;
+        }
+
+        const wrappedBody = {
+          project: projectId,
+          model,
+          request: requestPayload,
+        };
 
-      body = JSON.stringify(wrappedBody);
-    } catch (error) {
-      console.error("Failed to transform Gemini request body:", error);
+        body = JSON.stringify(wrappedBody);
+      } catch (error) {
+        console.error("Failed to transform Gemini request body:", error);
+      }
     }
   }
 

package/src/plugin/token.ts

@@ -1,7 +1,55 @@
 import { GEMINI_CLIENT_ID, GEMINI_CLIENT_SECRET } from "../constants";
 import { formatRefreshParts, parseRefreshParts } from "./auth";
+import { invalidateProjectContextCache } from "./project";
 import type { OAuthAuthDetails, PluginClient, RefreshParts } from "./types";
 
+interface OAuthErrorPayload {
+  error?:
+    | string
+    | {
+        code?: string;
+        status?: string;
+        message?: string;
+      };
+  error_description?: string;
+}
+
+function parseOAuthErrorPayload(text: string | undefined): { code?: string; description?: string } {
+  if (!text) {
+    return {};
+  }
+
+  try {
+    const payload = JSON.parse(text) as OAuthErrorPayload;
+    if (!payload || typeof payload !== "object") {
+      return { description: text };
+    }
+
+    let code: string | undefined;
+    if (typeof payload.error === "string") {
+      code = payload.error;
+    } else if (payload.error && typeof payload.error === "object") {
+      code = payload.error.status ?? payload.error.code;
+      if (!payload.error_description && payload.error.message) {
+        return { code, description: payload.error.message };
+      }
+    }
+
+    const description = payload.error_description;
+    if (description) {
+      return { code, description };
+    }
+
+    if (payload.error && typeof payload.error === "object" && payload.error.message) {
+      return { code, description: payload.error.message };
+    }
+
+    return { code };
+  } catch {
+    return { description: text };
+  }
+}
+
 export async function refreshAccessToken(
   auth: OAuthAuthDetails,
   client: PluginClient,
@@ -26,6 +74,41 @@ export async function refreshAccessToken(
     });
 
     if (!response.ok) {
+      let errorText: string | undefined;
+      try {
+        errorText = await response.text();
+      } catch {
+        // Ignore body parsing failures; we'll fall back to status only.
+      }
+
+      const { code, description } = parseOAuthErrorPayload(errorText);
+      const details = [code, description ?? errorText].filter(Boolean).join(": ");
+      const baseMessage = `Gemini token refresh failed (${response.status} ${response.statusText})`;
+      console.warn(`[Gemini OAuth] ${details ? `${baseMessage} - ${details}` : baseMessage}`);
+
+      if (code === "invalid_grant") {
+        console.warn(
+          "[Gemini OAuth] Google revoked the stored refresh token. Run `opencode auth login` and reauthenticate the Google provider.",
+        );
+        invalidateProjectContextCache(auth.refresh);
+        try {
+          const clearedAuth: OAuthAuthDetails = {
+            type: "oauth",
+            refresh: formatRefreshParts({
+              refreshToken: "",
+              projectId: parts.projectId,
+              managedProjectId: parts.managedProjectId,
+            }),
+          };
+          await client.auth.set({
+            path: { id: "gemini-cli" },
+            body: clearedAuth,
+          });
+        } catch (storeError) {
+          console.error("Failed to clear stored Gemini OAuth credentials:", storeError);
+        }
+      }
+
       return undefined;
     }
 
@@ -52,10 +135,11 @@ export async function refreshAccessToken(
       path: { id: "gemini-cli" },
       body: updatedAuth,
     });
+    invalidateProjectContextCache(auth.refresh);
 
     return updatedAuth;
   } catch (error) {
-    console.error("Failed to refresh Gemini access token:", error);
+    console.error("Failed to refresh Gemini access token due to an unexpected error:", error);
     return undefined;
   }
 }

package/src/plugin.ts

@@ -4,7 +4,11 @@ import type { GeminiTokenExchangeResult } from "./gemini/oauth";
 import { accessTokenExpired, isOAuthAuth } from "./plugin/auth";
 import { promptProjectId } from "./plugin/cli";
 import { ensureProjectContext } from "./plugin/project";
-import { prepareGeminiRequest, transformGeminiResponse } from "./plugin/request";
+import {
+  isGenerativeLanguageRequest,
+  prepareGeminiRequest,
+  transformGeminiResponse,
+} from "./plugin/request";
 import { refreshAccessToken } from "./plugin/token";
 import { startOAuthListener, type OAuthListener } from "./plugin/server";
 import type {
@@ -37,6 +41,10 @@ export const GeminiCLIOAuthPlugin = async (
       return {
         apiKey: "",
         async fetch(input, init) {
+          if (!isGenerativeLanguageRequest(input)) {
+            return fetch(input, init);
+          }
+
           const latestAuth = await getAuth();
           if (!isOAuthAuth(latestAuth)) {
             return fetch(input, init);