opencode-gemini-auth 1.3.8 → 1.3.9

package/README.md

@@ -24,6 +24,12 @@ Add the plugin to your Opencode configuration file
 }
 ```
 
+> [!IMPORTANT]
+> If you're using a paid Gemini Code Assist subscription (Standard/Enterprise),
+> explicitly configure a Google Cloud `projectId`. Free tier accounts should
+> auto-provision a managed project, but you can still set `projectId` to force
+> a specific project.
+
 ## Usage
 
 1. **Login**: Run the authentication command in your terminal:
@@ -46,7 +52,10 @@ Once authenticated, Opencode will use your Google account for Gemini requests.
 ### Google Cloud Project
 
 By default, the plugin attempts to provision or find a suitable Google Cloud
-project. To force a specific project, set the `projectId` in your configuration:
+project. To force a specific project, set the `projectId` in your configuration
+or via environment variables:
+
+**File:** `~/.config/opencode/opencode.json`
 
 ```json
 {
@@ -60,6 +69,9 @@ project. To force a specific project, set the `projectId` in your configuration:
 }
 ```
 
+You can also set `OPENCODE_GEMINI_PROJECT_ID`, `GOOGLE_CLOUD_PROJECT`, or
+`GOOGLE_CLOUD_PROJECT_ID` to supply the project ID via environment variables.
+
 ### Model list
 
 Below are example model entries you can add under `provider.google.models` in your

package/index.ts

@@ -5,7 +5,7 @@ export {
 
 export {
   authorizeGemini,
-  exchangeGemini,
+  exchangeGeminiWithVerifier,
 } from "./src/gemini/oauth";
 
 export type {

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "opencode-gemini-auth",
   "module": "index.ts",
-  "version": "1.3.8",
+  "version": "1.3.9",
   "author": "jenslys",
   "repository": "https://github.com/jenslys/opencode-gemini-auth",
   "files": [
@@ -11,7 +11,7 @@
   "license": "MIT",
   "type": "module",
   "devDependencies": {
-    "@opencode-ai/plugin": "^1.1.25",
+    "@opencode-ai/plugin": "^1.1.48",
     "@types/bun": "latest"
   },
   "peerDependencies": {

package/src/gemini/oauth.ts

@@ -1,4 +1,5 @@
 import { generatePKCE } from "@openauthjs/openauth/pkce";
+import { randomBytes } from "node:crypto";
 
 import {
   GEMINI_CLIENT_ID,
@@ -6,22 +7,24 @@ import {
   GEMINI_REDIRECT_URI,
   GEMINI_SCOPES,
 } from "../constants";
+import {
+  formatDebugBodyPreview,
+  isGeminiDebugEnabled,
+  logGeminiDebugMessage,
+} from "../plugin/debug";
 
 interface PkcePair {
   challenge: string;
   verifier: string;
 }
 
-interface GeminiAuthState {
-  verifier: string;
-}
-
 /**
  * Result returned to the caller after constructing an OAuth authorization URL.
  */
 export interface GeminiAuthorization {
   url: string;
   verifier: string;
+  state: string;
 }
 
 interface GeminiTokenExchangeSuccess {
@@ -51,34 +54,12 @@ interface GeminiUserInfo {
   email?: string;
 }
 
-/**
- * Encode an object into a URL-safe base64 string.
- */
-function encodeState(payload: GeminiAuthState): string {
-  return Buffer.from(JSON.stringify(payload), "utf8").toString("base64url");
-}
-
-/**
- * Decode an OAuth state parameter back into its structured representation.
- */
-function decodeState(state: string): GeminiAuthState {
-  const normalized = state.replace(/-/g, "+").replace(/_/g, "/");
-  const padded = normalized.padEnd(normalized.length + ((4 - normalized.length % 4) % 4), "=");
-  const json = Buffer.from(padded, "base64").toString("utf8");
-  const parsed = JSON.parse(json);
-  if (typeof parsed.verifier !== "string") {
-    throw new Error("Missing PKCE verifier in state");
-  }
-  return {
-    verifier: parsed.verifier,
-  };
-}
-
 /**
  * Build the Gemini OAuth authorization URL including PKCE.
  */
 export async function authorizeGemini(): Promise<GeminiAuthorization> {
   const pkce = (await generatePKCE()) as PkcePair;
+  const state = randomBytes(32).toString("hex");
 
   const url = new URL("https://accounts.google.com/o/oauth2/v2/auth");
   url.searchParams.set("client_id", GEMINI_CLIENT_ID);
@@ -87,7 +68,7 @@ export async function authorizeGemini(): Promise<GeminiAuthorization> {
   url.searchParams.set("scope", GEMINI_SCOPES.join(" "));
   url.searchParams.set("code_challenge", pkce.challenge);
   url.searchParams.set("code_challenge_method", "S256");
-  url.searchParams.set("state", encodeState({ verifier: pkce.verifier }));
+  url.searchParams.set("state", state);
   url.searchParams.set("access_type", "offline");
   url.searchParams.set("prompt", "consent");
   // Add a fragment so any stray terminal glyphs are ignored by the auth server.
@@ -96,28 +77,10 @@ export async function authorizeGemini(): Promise<GeminiAuthorization> {
   return {
     url: url.toString(),
     verifier: pkce.verifier,
+    state,
   };
 }
 
-/**
- * Exchange an authorization code for Gemini CLI access and refresh tokens.
- */
-export async function exchangeGemini(
-  code: string,
-  state: string,
-): Promise<GeminiTokenExchangeResult> {
-  try {
-    const { verifier } = decodeState(state);
-
-    return await exchangeGeminiWithVerifierInternal(code, verifier);
-  } catch (error) {
-    return {
-      type: "failed",
-      error: error instanceof Error ? error.message : "Unknown error",
-    };
-  }
-}
-
 /**
  * Exchange an authorization code using a known PKCE verifier.
  */
@@ -139,6 +102,9 @@ async function exchangeGeminiWithVerifierInternal(
   code: string,
   verifier: string,
 ): Promise<GeminiTokenExchangeResult> {
+  if (isGeminiDebugEnabled()) {
+    logGeminiDebugMessage("OAuth exchange: POST https://oauth2.googleapis.com/token");
+  }
   const tokenResponse = await fetch("https://oauth2.googleapis.com/token", {
     method: "POST",
     headers: {
@@ -156,11 +122,28 @@ async function exchangeGeminiWithVerifierInternal(
 
   if (!tokenResponse.ok) {
     const errorText = await tokenResponse.text();
+    if (isGeminiDebugEnabled()) {
+      logGeminiDebugMessage(
+        `OAuth exchange response: ${tokenResponse.status} ${tokenResponse.statusText}`,
+      );
+      const preview = formatDebugBodyPreview(errorText);
+      if (preview) {
+        logGeminiDebugMessage(`OAuth exchange error body: ${preview}`);
+      }
+    }
     return { type: "failed", error: errorText };
   }
 
   const tokenPayload = (await tokenResponse.json()) as GeminiTokenResponse;
+  if (isGeminiDebugEnabled()) {
+    logGeminiDebugMessage(
+      `OAuth exchange success: expires_in=${tokenPayload.expires_in}s refresh_token=${tokenPayload.refresh_token ? "yes" : "no"}`,
+    );
+  }
 
+  if (isGeminiDebugEnabled()) {
+    logGeminiDebugMessage("OAuth userinfo: GET https://www.googleapis.com/oauth2/v1/userinfo");
+  }
   const userInfoResponse = await fetch(
     "https://www.googleapis.com/oauth2/v1/userinfo?alt=json",
     {
@@ -169,6 +152,11 @@ async function exchangeGeminiWithVerifierInternal(
       },
     },
   );
+  if (isGeminiDebugEnabled()) {
+    logGeminiDebugMessage(
+      `OAuth userinfo response: ${userInfoResponse.status} ${userInfoResponse.statusText}`,
+    );
+  }
 
   const userInfo = userInfoResponse.ok
     ? ((await userInfoResponse.json()) as GeminiUserInfo)

package/src/plugin/debug.ts

@@ -33,6 +33,33 @@ interface GeminiDebugResponseMeta {
 
 let requestCounter = 0;
 
+/**
+ * Returns true when Gemini debug logging is enabled.
+ */
+export function isGeminiDebugEnabled(): boolean {
+  return debugEnabled;
+}
+
+/**
+ * Writes an arbitrary debug line when debugging is enabled.
+ */
+export function logGeminiDebugMessage(message: string): void {
+  if (!debugEnabled) {
+    return;
+  }
+  logDebug(`[Gemini Debug] ${message}`);
+}
+
+/**
+ * Produces a truncated preview of a debug body payload.
+ */
+export function formatDebugBodyPreview(text?: string | null): string | undefined {
+  if (!text) {
+    return undefined;
+  }
+  return truncateForLog(text);
+}
+
 /**
  * Begins a debug trace for a Gemini request, logging request metadata when debugging is enabled.
  */
@@ -82,6 +109,11 @@ export function logGeminiDebugResponse(
     )}`,
   );
 
+  const traceId = getHeaderValue(meta.headersOverride ?? response.headers, "x-cloudaicompanion-trace-id");
+  if (traceId) {
+    logDebug(`[Gemini Debug ${context.id}] Trace ID: ${traceId}`);
+  }
+
   if (meta.note) {
     logDebug(`[Gemini Debug ${context.id}] Note: ${meta.note}`);
   }
@@ -117,6 +149,34 @@ function maskHeaders(headers?: HeadersInit | Headers): Record<string, string> {
   return result;
 }
 
+/**
+ * Reads a header value from a HeadersInit or Headers instance.
+ */
+function getHeaderValue(headers: HeadersInit | Headers, key: string): string | undefined {
+  const target = key.toLowerCase();
+  if (headers instanceof Headers) {
+    const value = headers.get(key);
+    return value ?? undefined;
+  }
+
+  if (Array.isArray(headers)) {
+    for (const [headerKey, headerValue] of headers) {
+      if (headerKey.toLowerCase() === target) {
+        return headerValue;
+      }
+    }
+    return undefined;
+  }
+
+  const record = headers as Record<string, string | undefined>;
+  for (const [headerKey, headerValue] of Object.entries(record)) {
+    if (headerKey.toLowerCase() === target) {
+      return headerValue ?? undefined;
+    }
+  }
+  return undefined;
+}
+
 /**
  * Produces a short, type-aware preview of a request/response body for logs.
  */

package/src/plugin/project.test.ts

@@ -0,0 +1,112 @@
+import { beforeEach, describe, expect, it, mock } from "bun:test";
+
+import { resolveProjectContextFromAccessToken } from "./project";
+import type { OAuthAuthDetails } from "./types";
+
+const baseAuth: OAuthAuthDetails = {
+  type: "oauth",
+  refresh: "refresh-token",
+  access: "access-token",
+  expires: Date.now() + 60_000,
+};
+
+function toUrlString(input: RequestInfo): string {
+  if (typeof input === "string") {
+    return input;
+  }
+  if (input instanceof URL) {
+    return input.toString();
+  }
+  return (input as Request).url ?? input.toString();
+}
+
+describe("resolveProjectContextFromAccessToken", () => {
+  beforeEach(() => {
+    mock.restore();
+  });
+
+  it("stores managed project id from loadCodeAssist without onboarding", async () => {
+    const fetchMock = mock(async (input: RequestInfo) => {
+      const url = toUrlString(input);
+      if (url.includes(":loadCodeAssist")) {
+        return new Response(
+          JSON.stringify({
+            currentTier: { id: "free-tier" },
+            cloudaicompanionProject: "projects/server-project",
+          }),
+          { status: 200 },
+        );
+      }
+      throw new Error(`Unexpected fetch to ${url}`);
+    });
+    (globalThis as { fetch: typeof fetch }).fetch = fetchMock as unknown as typeof fetch;
+
+    const result = await resolveProjectContextFromAccessToken(
+      baseAuth,
+      baseAuth.access ?? "",
+    );
+
+    expect(result.effectiveProjectId).toBe("projects/server-project");
+    expect(result.auth.refresh).toContain("projects/server-project");
+    expect(fetchMock.mock.calls.length).toBe(1);
+  });
+
+  it("onboards free-tier users without sending a project id", async () => {
+    let onboardBody: Record<string, unknown> | undefined;
+    const fetchMock = mock(async (input: RequestInfo, init?: RequestInit) => {
+      const url = toUrlString(input);
+      if (url.includes(":loadCodeAssist")) {
+        return new Response(
+          JSON.stringify({
+            allowedTiers: [{ id: "free-tier", isDefault: true }],
+          }),
+          { status: 200 },
+        );
+      }
+      if (url.includes(":onboardUser")) {
+        const rawBody = typeof init?.body === "string" ? init.body : "{}";
+        onboardBody = JSON.parse(rawBody) as Record<string, unknown>;
+        return new Response(
+          JSON.stringify({
+            done: true,
+            response: { cloudaicompanionProject: { id: "managed-project" } },
+          }),
+          { status: 200 },
+        );
+      }
+      throw new Error(`Unexpected fetch to ${url}`);
+    });
+    (globalThis as { fetch: typeof fetch }).fetch = fetchMock as unknown as typeof fetch;
+
+    const result = await resolveProjectContextFromAccessToken(
+      baseAuth,
+      baseAuth.access ?? "",
+    );
+
+    expect(result.effectiveProjectId).toBe("managed-project");
+    expect(result.auth.refresh).toContain("managed-project");
+    expect(onboardBody?.cloudaicompanionProject).toBeUndefined();
+    const metadata = onboardBody?.metadata as Record<string, unknown> | undefined;
+    expect(metadata?.duetProject).toBeUndefined();
+  });
+
+  it("throws when a non-free tier requires a project id", async () => {
+    const fetchMock = mock(async (input: RequestInfo) => {
+      const url = toUrlString(input);
+      if (url.includes(":loadCodeAssist")) {
+        return new Response(
+          JSON.stringify({
+            allowedTiers: [{ id: "standard-tier", isDefault: true }],
+          }),
+          { status: 200 },
+        );
+      }
+      throw new Error(`Unexpected fetch to ${url}`);
+    });
+    (globalThis as { fetch: typeof fetch }).fetch = fetchMock as unknown as typeof fetch;
+
+    await expect(
+      resolveProjectContextFromAccessToken(baseAuth, baseAuth.access ?? ""),
+    ).rejects.toThrow("Google Gemini requires a Google Cloud project");
+  });
+});