opencode-gemini-auth 1.0.8 → 1.0.10

package/README.md

@@ -38,3 +38,42 @@ echo "Plugin update script finished successfully.")
 ```bash
 opencode  # Reinstalls latest
 ```
+
+## Local Development
+
+When you want Opencode to use a local checkout of this plugin, point the
+`plugin` entry in your config to the folder via a `file://` URL:
+
+```json
+{
+  "$schema": "https://opencode.ai/config.json",
+  "plugin": ["file:///absolute/path/to/opencode-gemini-auth"]
+}
+```
+
+Replace `/absolute/path/to/opencode-gemini-auth` with the absolute path to
+your local clone.
+
+## Debugging Gemini Requests
+
+Set `OPENCODE_GEMINI_DEBUG=1` in the environment when you run an Opencode
+command to capture every Gemini request/response that this plugin issues. When
+enabled, the plugin writes to a timestamped `gemini-debug-<ISO>.log` file in
+your current working directory so the CLI output stays clean.
+
+```bash
+OPENCODE_GEMINI_DEBUG=1 opencode
+```
+
+The logger shows the transformed URL, HTTP method, sanitized headers (the
+`Authorization` header is redacted), whether the call used streaming, and a
+truncated preview (2 KB) of both the request and response bodies. This is handy
+when diagnosing "Bad Request" responses from Gemini. Remember that payloads may
+still include parts of your prompt or response, so only enable this flag when
+you're comfortable keeping that information in the generated log file.
+
+**404s on `gemini-2.5-flash-image`.** Opencode fires internal
+summarization/title requests at `gemini-2.5-flash-image`. The plugin
+automatically remaps those payloads to `gemini-2.5-flash`, eliminating the extra
+404s for accounts without image access. If you still see a 404, confirm your
+project actually has access to the fallback model.

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "opencode-gemini-auth",
   "module": "index.ts",
-  "version": "1.0.8",
+  "version": "1.0.10",
   "author": "jenslys",
   "repository": "https://github.com/jenslys/opencode-gemini-auth",
   "files": [

package/src/plugin/auth.ts

@@ -1,5 +1,7 @@
 import type { AuthDetails, OAuthAuthDetails, RefreshParts } from "./types";
 
+const ACCESS_TOKEN_EXPIRY_BUFFER_MS = 60 * 1000;
+
 export function isOAuthAuth(auth: AuthDetails): auth is OAuthAuthDetails {
   return auth.type === "oauth";
 }
@@ -23,5 +25,5 @@ export function accessTokenExpired(auth: OAuthAuthDetails): boolean {
   if (!auth.access || typeof auth.expires !== "number") {
     return true;
   }
-  return auth.expires <= Date.now();
+  return auth.expires <= Date.now() + ACCESS_TOKEN_EXPIRY_BUFFER_MS;
 }

package/src/plugin/debug.ts

@@ -0,0 +1,168 @@
+import { createWriteStream } from "node:fs";
+import { join } from "node:path";
+import { cwd, env } from "node:process";
+
+const DEBUG_FLAG = env.OPENCODE_GEMINI_DEBUG ?? "";
+const MAX_BODY_PREVIEW_CHARS = 2000;
+const debugEnabled = DEBUG_FLAG.trim() === "1";
+const logFilePath = debugEnabled ? defaultLogFilePath() : undefined;
+const logWriter = createLogWriter(logFilePath);
+
+export interface GeminiDebugContext {
+  id: string;
+  streaming: boolean;
+  startedAt: number;
+}
+
+interface GeminiDebugRequestMeta {
+  originalUrl: string;
+  resolvedUrl: string;
+  method?: string;
+  headers?: HeadersInit;
+  body?: BodyInit | null;
+  streaming: boolean;
+  projectId?: string;
+}
+
+interface GeminiDebugResponseMeta {
+  body?: string;
+  note?: string;
+  error?: unknown;
+}
+
+let requestCounter = 0;
+
+export function startGeminiDebugRequest(meta: GeminiDebugRequestMeta): GeminiDebugContext | null {
+  if (!debugEnabled) {
+    return null;
+  }
+
+  const id = `GEMINI-${++requestCounter}`;
+  const method = meta.method ?? "GET";
+  logDebug(`[Gemini Debug ${id}] ${method} ${meta.resolvedUrl}`);
+  if (meta.originalUrl && meta.originalUrl !== meta.resolvedUrl) {
+    logDebug(`[Gemini Debug ${id}] Original URL: ${meta.originalUrl}`);
+  }
+  if (meta.projectId) {
+    logDebug(`[Gemini Debug ${id}] Project: ${meta.projectId}`);
+  }
+  logDebug(`[Gemini Debug ${id}] Streaming: ${meta.streaming ? "yes" : "no"}`);
+  logDebug(`[Gemini Debug ${id}] Headers: ${JSON.stringify(maskHeaders(meta.headers))}`);
+  const bodyPreview = formatBodyPreview(meta.body);
+  if (bodyPreview) {
+    logDebug(`[Gemini Debug ${id}] Body Preview: ${bodyPreview}`);
+  }
+
+  return { id, streaming: meta.streaming, startedAt: Date.now() };
+}
+
+export function logGeminiDebugResponse(
+  context: GeminiDebugContext | null | undefined,
+  response: Response,
+  meta: GeminiDebugResponseMeta = {},
+): void {
+  if (!debugEnabled || !context) {
+    return;
+  }
+
+  const durationMs = Date.now() - context.startedAt;
+  logDebug(
+    `[Gemini Debug ${context.id}] Response ${response.status} ${response.statusText} (${durationMs}ms)`,
+  );
+  logDebug(
+    `[Gemini Debug ${context.id}] Response Headers: ${JSON.stringify(maskHeaders(response.headers))}`,
+  );
+
+  if (meta.note) {
+    logDebug(`[Gemini Debug ${context.id}] Note: ${meta.note}`);
+  }
+
+  if (meta.error) {
+    logDebug(`[Gemini Debug ${context.id}] Error: ${formatError(meta.error)}`);
+  }
+
+  if (meta.body) {
+    logDebug(
+      `[Gemini Debug ${context.id}] Response Body Preview: ${truncateForLog(meta.body)}`,
+    );
+  }
+}
+
+function maskHeaders(headers?: HeadersInit | Headers): Record<string, string> {
+  if (!headers) {
+    return {};
+  }
+
+  const result: Record<string, string> = {};
+  const parsed = headers instanceof Headers ? headers : new Headers(headers);
+  parsed.forEach((value, key) => {
+    if (key.toLowerCase() === "authorization") {
+      result[key] = "[redacted]";
+    } else {
+      result[key] = value;
+    }
+  });
+  return result;
+}
+
+function formatBodyPreview(body?: BodyInit | null): string | undefined {
+  if (body == null) {
+    return undefined;
+  }
+
+  if (typeof body === "string") {
+    return truncateForLog(body);
+  }
+
+  if (body instanceof URLSearchParams) {
+    return truncateForLog(body.toString());
+  }
+
+  if (typeof Blob !== "undefined" && body instanceof Blob) {
+    return `[Blob size=${body.size}]`;
+  }
+
+  if (typeof FormData !== "undefined" && body instanceof FormData) {
+    return "[FormData payload omitted]";
+  }
+
+  return `[${body.constructor?.name ?? typeof body} payload omitted]`;
+}
+
+function truncateForLog(text: string): string {
+  if (text.length <= MAX_BODY_PREVIEW_CHARS) {
+    return text;
+  }
+  return `${text.slice(0, MAX_BODY_PREVIEW_CHARS)}... (truncated ${text.length - MAX_BODY_PREVIEW_CHARS} chars)`;
+}
+
+function logDebug(line: string): void {
+  logWriter(line);
+}
+
+function formatError(error: unknown): string {
+  if (error instanceof Error) {
+    return error.stack ?? error.message;
+  }
+  try {
+    return JSON.stringify(error);
+  } catch {
+    return String(error);
+  }
+}
+
+function defaultLogFilePath(): string {
+  const timestamp = new Date().toISOString().replace(/[:.]/g, "-");
+  return join(cwd(), `gemini-debug-${timestamp}.log`);
+}
+
+function createLogWriter(filePath?: string): (line: string) => void {
+  if (!filePath) {
+    return () => {};
+  }
+
+  const stream = createWriteStream(filePath, { flags: "a" });
+  return (line: string) => {
+    stream.write(`${line}\n`);
+  };
+}

package/src/plugin/project.ts

@@ -9,6 +9,24 @@ import type {
   ProjectContextResult,
 } from "./types";
 
+const projectContextResultCache = new Map<string, ProjectContextResult>();
+const projectContextPendingCache = new Map<string, Promise<ProjectContextResult>>();
+
+function getCacheKey(auth: OAuthAuthDetails): string | undefined {
+  const refresh = auth.refresh?.trim();
+  return refresh ? refresh : undefined;
+}
+
+export function invalidateProjectContextCache(refresh?: string): void {
+  if (!refresh) {
+    projectContextPendingCache.clear();
+    projectContextResultCache.clear();
+    return;
+  }
+  projectContextPendingCache.delete(refresh);
+  projectContextResultCache.delete(refresh);
+}
+
 export async function loadManagedProject(accessToken: string): Promise<{
   managedProjectId?: string;
   needsOnboarding: boolean;
@@ -157,42 +175,79 @@ export async function ensureProjectContext(
   auth: OAuthAuthDetails,
   client: PluginClient,
 ): Promise<ProjectContextResult> {
-  if (!auth.access) {
+  const accessToken = auth.access;
+  if (!accessToken) {
     return { auth, effectiveProjectId: "" };
   }
 
-  const parts = parseRefreshParts(auth.refresh);
-  if (parts.projectId || parts.managedProjectId) {
-    return {
-      auth,
-      effectiveProjectId: parts.projectId || parts.managedProjectId || "",
-    };
+  const cacheKey = getCacheKey(auth);
+  if (cacheKey) {
+    const cached = projectContextResultCache.get(cacheKey);
+    if (cached) {
+      return cached;
+    }
+    const pending = projectContextPendingCache.get(cacheKey);
+    if (pending) {
+      return pending;
+    }
   }
 
-  const loadResult = await loadManagedProject(auth.access);
-  let managedProjectId = loadResult.managedProjectId;
+  const resolveContext = async (): Promise<ProjectContextResult> => {
+    const parts = parseRefreshParts(auth.refresh);
+    if (parts.projectId || parts.managedProjectId) {
+      return {
+        auth,
+        effectiveProjectId: parts.projectId || parts.managedProjectId || "",
+      };
+    }
 
-  if (!managedProjectId && loadResult.needsOnboarding) {
-    managedProjectId = await onboardManagedProject(auth.access);
-  }
+    const loadResult = await loadManagedProject(accessToken);
+    let managedProjectId = loadResult.managedProjectId;
 
-  if (managedProjectId) {
-    const updatedAuth: OAuthAuthDetails = {
-      ...auth,
-      refresh: formatRefreshParts({
-        refreshToken: parts.refreshToken,
-        projectId: parts.projectId,
-        managedProjectId,
-      }),
-    };
+    if (!managedProjectId && loadResult.needsOnboarding) {
+      managedProjectId = await onboardManagedProject(accessToken);
+    }
 
-    await client.auth.set({
-      path: { id: "gemini-cli" },
-      body: updatedAuth,
-    });
+    if (managedProjectId) {
+      const updatedAuth: OAuthAuthDetails = {
+        ...auth,
+        refresh: formatRefreshParts({
+          refreshToken: parts.refreshToken,
+          projectId: parts.projectId,
+          managedProjectId,
+        }),
+      };
+
+      await client.auth.set({
+        path: { id: "gemini-cli" },
+        body: updatedAuth,
+      });
 
-    return { auth: updatedAuth, effectiveProjectId: managedProjectId };
+      return { auth: updatedAuth, effectiveProjectId: managedProjectId };
+    }
+
+    return { auth, effectiveProjectId: "" };
+  };
+
+  if (!cacheKey) {
+    return resolveContext();
   }
 
-  return { auth, effectiveProjectId: "" };
+  const promise = resolveContext()
+    .then((result) => {
+      const nextKey = getCacheKey(result.auth) ?? cacheKey;
+      projectContextPendingCache.delete(cacheKey);
+      projectContextResultCache.set(nextKey, result);
+      if (nextKey !== cacheKey) {
+        projectContextResultCache.delete(cacheKey);
+      }
+      return result;
+    })
+    .catch((error) => {
+      projectContextPendingCache.delete(cacheKey);
+      throw error;
+    });
+
+  projectContextPendingCache.set(cacheKey, promise);
+  return promise;
 }

package/src/plugin/request.ts

@@ -2,10 +2,14 @@ import {
   CODE_ASSIST_HEADERS,
   GEMINI_CODE_ASSIST_ENDPOINT,
 } from "../constants";
+import { logGeminiDebugResponse, type GeminiDebugContext } from "./debug";
 
 const STREAM_ACTION = "streamGenerateContent";
+const MODEL_FALLBACKS: Record<string, string> = {
+  "gemini-2.5-flash-image": "gemini-2.5-flash",
+};
 
-function isGenerativeLanguageRequest(input: RequestInfo): input is string {
+export function isGenerativeLanguageRequest(input: RequestInfo): input is string {
   return typeof input === "string" && input.includes("generativelanguage.googleapis.com");
 }
 
@@ -60,9 +64,10 @@ export function prepareGeminiRequest(
     };
   }
 
-  const [, model, action] = match;
-  const streaming = action === STREAM_ACTION;
-  const transformedUrl = `${GEMINI_CODE_ASSIST_ENDPOINT}/v1internal:${action}${
+  const [, rawModel = "", rawAction = ""] = match;
+  const effectiveModel = MODEL_FALLBACKS[rawModel] ?? rawModel;
+  const streaming = rawAction === STREAM_ACTION;
+  const transformedUrl = `${GEMINI_CODE_ASSIST_ENDPOINT}/v1internal:${rawAction}${
     streaming ? "?alt=sse" : ""
   }`;
 
@@ -70,24 +75,34 @@ export function prepareGeminiRequest(
   if (typeof baseInit.body === "string" && baseInit.body) {
     try {
       const parsedBody = JSON.parse(baseInit.body) as Record<string, unknown>;
-      const requestPayload: Record<string, unknown> = { ...parsedBody };
-
-      if ("system_instruction" in requestPayload) {
-        requestPayload.systemInstruction = requestPayload.system_instruction;
-        delete requestPayload.system_instruction;
-      }
+      const isWrapped = typeof parsedBody.project === "string" && "request" in parsedBody;
+
+      if (isWrapped) {
+        const wrappedBody = {
+          ...parsedBody,
+          model: effectiveModel,
+        } as Record<string, unknown>;
+        body = JSON.stringify(wrappedBody);
+      } else {
+        const requestPayload: Record<string, unknown> = { ...parsedBody };
+
+        if ("system_instruction" in requestPayload) {
+          requestPayload.systemInstruction = requestPayload.system_instruction;
+          delete requestPayload.system_instruction;
+        }
 
-      if ("model" in requestPayload) {
-        delete requestPayload.model;
-      }
+        if ("model" in requestPayload) {
+          delete requestPayload.model;
+        }
 
-      const wrappedBody = {
-        project: projectId,
-        model,
-        request: requestPayload,
-      };
+        const wrappedBody = {
+          project: projectId,
+          model: effectiveModel,
+          request: requestPayload,
+        };
 
-      body = JSON.stringify(wrappedBody);
+        body = JSON.stringify(wrappedBody);
+      }
     } catch (error) {
       console.error("Failed to transform Gemini request body:", error);
     }
@@ -115,9 +130,13 @@ export function prepareGeminiRequest(
 export async function transformGeminiResponse(
   response: Response,
   streaming: boolean,
+  debugContext?: GeminiDebugContext | null,
 ): Promise<Response> {
   const contentType = response.headers.get("content-type") ?? "";
   if (!streaming && !contentType.includes("application/json")) {
+    logGeminiDebugResponse(debugContext, response, {
+      note: "Non-JSON response (body omitted)",
+    });
     return response;
   }
 
@@ -130,6 +149,11 @@ export async function transformGeminiResponse(
       headers,
     };
 
+    logGeminiDebugResponse(debugContext, response, {
+      body: text,
+      note: streaming ? "Streaming SSE payload" : undefined,
+    });
+
     if (streaming) {
       return new Response(transformStreamingPayload(text), init);
     }
@@ -141,6 +165,10 @@ export async function transformGeminiResponse(
 
     return new Response(text, init);
   } catch (error) {
+    logGeminiDebugResponse(debugContext, response, {
+      error,
+      note: "Failed to transform Gemini response",
+    });
     console.error("Failed to transform Gemini response:", error);
     return response;
   }

package/src/plugin/token.ts

@@ -1,7 +1,55 @@
 import { GEMINI_CLIENT_ID, GEMINI_CLIENT_SECRET } from "../constants";
 import { formatRefreshParts, parseRefreshParts } from "./auth";
+import { invalidateProjectContextCache } from "./project";
 import type { OAuthAuthDetails, PluginClient, RefreshParts } from "./types";
 
+interface OAuthErrorPayload {
+  error?:
+    | string
+    | {
+        code?: string;
+        status?: string;
+        message?: string;
+      };
+  error_description?: string;
+}
+
+function parseOAuthErrorPayload(text: string | undefined): { code?: string; description?: string } {
+  if (!text) {
+    return {};
+  }
+
+  try {
+    const payload = JSON.parse(text) as OAuthErrorPayload;
+    if (!payload || typeof payload !== "object") {
+      return { description: text };
+    }
+
+    let code: string | undefined;
+    if (typeof payload.error === "string") {
+      code = payload.error;
+    } else if (payload.error && typeof payload.error === "object") {
+      code = payload.error.status ?? payload.error.code;
+      if (!payload.error_description && payload.error.message) {
+        return { code, description: payload.error.message };
+      }
+    }
+
+    const description = payload.error_description;
+    if (description) {
+      return { code, description };
+    }
+
+    if (payload.error && typeof payload.error === "object" && payload.error.message) {
+      return { code, description: payload.error.message };
+    }
+
+    return { code };
+  } catch {
+    return { description: text };
+  }
+}
+
 export async function refreshAccessToken(
   auth: OAuthAuthDetails,
   client: PluginClient,
@@ -26,6 +74,41 @@ export async function refreshAccessToken(
     });
 
     if (!response.ok) {
+      let errorText: string | undefined;
+      try {
+        errorText = await response.text();
+      } catch {
+        // Ignore body parsing failures; we'll fall back to status only.
+      }
+
+      const { code, description } = parseOAuthErrorPayload(errorText);
+      const details = [code, description ?? errorText].filter(Boolean).join(": ");
+      const baseMessage = `Gemini token refresh failed (${response.status} ${response.statusText})`;
+      console.warn(`[Gemini OAuth] ${details ? `${baseMessage} - ${details}` : baseMessage}`);
+
+      if (code === "invalid_grant") {
+        console.warn(
+          "[Gemini OAuth] Google revoked the stored refresh token. Run `opencode auth login` and reauthenticate the Google provider.",
+        );
+        invalidateProjectContextCache(auth.refresh);
+        try {
+          const clearedAuth: OAuthAuthDetails = {
+            type: "oauth",
+            refresh: formatRefreshParts({
+              refreshToken: "",
+              projectId: parts.projectId,
+              managedProjectId: parts.managedProjectId,
+            }),
+          };
+          await client.auth.set({
+            path: { id: "gemini-cli" },
+            body: clearedAuth,
+          });
+        } catch (storeError) {
+          console.error("Failed to clear stored Gemini OAuth credentials:", storeError);
+        }
+      }
+
       return undefined;
     }
 
@@ -52,10 +135,11 @@ export async function refreshAccessToken(
       path: { id: "gemini-cli" },
       body: updatedAuth,
     });
+    invalidateProjectContextCache(auth.refresh);
 
     return updatedAuth;
   } catch (error) {
-    console.error("Failed to refresh Gemini access token:", error);
+    console.error("Failed to refresh Gemini access token due to an unexpected error:", error);
     return undefined;
   }
 }

package/src/plugin.ts

@@ -4,7 +4,12 @@ import type { GeminiTokenExchangeResult } from "./gemini/oauth";
 import { accessTokenExpired, isOAuthAuth } from "./plugin/auth";
 import { promptProjectId } from "./plugin/cli";
 import { ensureProjectContext } from "./plugin/project";
-import { prepareGeminiRequest, transformGeminiResponse } from "./plugin/request";
+import { startGeminiDebugRequest } from "./plugin/debug";
+import {
+  isGenerativeLanguageRequest,
+  prepareGeminiRequest,
+  transformGeminiResponse,
+} from "./plugin/request";
 import { refreshAccessToken } from "./plugin/token";
 import { startOAuthListener, type OAuthListener } from "./plugin/server";
 import type {
@@ -37,6 +42,10 @@ export const GeminiCLIOAuthPlugin = async (
       return {
         apiKey: "",
         async fetch(input, init) {
+          if (!isGenerativeLanguageRequest(input)) {
+            return fetch(input, init);
+          }
+
           const latestAuth = await getAuth();
           if (!isOAuthAuth(latestAuth)) {
             return fetch(input, init);
@@ -65,8 +74,20 @@ export const GeminiCLIOAuthPlugin = async (
             projectContext.effectiveProjectId,
           );
 
+          const originalUrl = toUrlString(input);
+          const resolvedUrl = toUrlString(request);
+          const debugContext = startGeminiDebugRequest({
+            originalUrl,
+            resolvedUrl,
+            method: transformedInit.method,
+            headers: transformedInit.headers,
+            body: transformedInit.body,
+            streaming,
+            projectId: projectContext.effectiveProjectId,
+          });
+
           const response = await fetch(request, transformedInit);
-          return transformGeminiResponse(response, streaming);
+          return transformGeminiResponse(response, streaming, debugContext);
         },
       };
     },
@@ -181,3 +202,14 @@ export const GeminiCLIOAuthPlugin = async (
 });
 
 export const GoogleOAuthPlugin = GeminiCLIOAuthPlugin;
+
+function toUrlString(value: RequestInfo): string {
+  if (typeof value === "string") {
+    return value;
+  }
+  const candidate = (value as Request).url;
+  if (candidate) {
+    return candidate;
+  }
+  return value.toString();
+}