opencode-qwen-cli-auth 2.2.8 → 2.2.9

package/README.md

@@ -1,162 +1,62 @@
-# opencode-qwen-cli-auth
-OAuth plugin for OpenCode that lets you use Qwen models with your Qwen account, without managing a DashScope API key directly.
-
-## Scope
-
-- Uses OAuth Device Authorization Grant (RFC 8628) for sign-in.
-- Best suited for personal/dev workflows.
-- For production or commercial workloads, use DashScope API key auth instead:
-  https://dashscope.console.aliyun.com/
-
-## Features
-
-- OAuth login through `opencode auth login`.
-- Automatic token refresh before expiration.
-- Dynamic API base URL from token `resource_url` with safe fallback.
-- Model normalization to `coder-model` for Qwen Portal API.
-- Optional prompt bridge behavior via `QWEN_MODE`.
-- Optional debug and request logging via environment variables.
-
-## Requirements
-
-- Qwen account
-- OpenCode
-- Node.js `>=20` (only required when building/testing from source)
-
-## Quick start
-
-Add the plugin to your OpenCode config:
-
-```json
-{
-  "$schema": "https://opencode.ai/config.json",
-  "plugin": ["opencode-qwen-cli-auth"],
-  "model": "qwen-code/coder-model"
-}
-```
-
-Then sign in:
-
-```bash
-opencode auth login
-```
-
-Choose `Qwen Code` -> `Qwen Code (qwen.ai OAuth)`.
-
-## Usage
-
-```bash
-opencode run "create a hello world file" --model=qwen-code/coder-model
-opencode chat --model=qwen-code/coder-model
-```
-
-Always keep the provider prefix `qwen-code/` in model configuration.
-
-## Configuration
-
-### `QWEN_MODE`
-
-Resolution order:
-
-1. Environment variable `QWEN_MODE`
-2. File `~/.opencode/qwen/auth-config.json`
-3. Default value: `true`
-
-Example `~/.opencode/qwen/auth-config.json`:
-
-```json
-{
-  "qwenMode": true
-}
-```
-
-Supported env values:
-
-- Enable: `QWEN_MODE=1` or `QWEN_MODE=true`
-- Disable: `QWEN_MODE=0` or `QWEN_MODE=false`
-
-## Logging and debug
-
-- Enable debug logs:
-
-```bash
-DEBUG_QWEN_PLUGIN=1 opencode run "your prompt"
-```
-
-- Enable request logging to files:
-
-```bash
-ENABLE_PLUGIN_REQUEST_LOGGING=1 opencode run "your prompt"
-```
-
-Log path: `~/.opencode/logs/qwen-plugin/`
-
-## Local plugin data
-
-- OAuth token: `~/.opencode/qwen/oauth_token.json`
-- Plugin config: `~/.opencode/qwen/auth-config.json`
-- Prompt cache: `~/.opencode/cache/`
-
-## Troubleshooting
-
-### `Authentication required. Please run: opencode auth login`
-
-Token is missing or refresh failed. Re-authenticate:
-
-```bash
-opencode auth login
-```
-
-### Device authorization timed out
-
-The device code expired or was not confirmed in time. Run `opencode auth login` again and confirm in the browser sooner.
-
-### `429` rate limit
-
-The server is throttling requests. Reduce request frequency and retry later.
-
-### Wrong model behavior
-
-Ensure your model is set correctly in OpenCode:
-
-```yaml
-model: qwen-code/coder-model
-```
-
-## Clear auth state
-
-- macOS/Linux:
-
-```bash
-rm -rf ~/.opencode/qwen/
-```
-
-- PowerShell:
-
-```powershell
-Remove-Item -Recurse -Force "$HOME/.opencode/qwen"
-```
-
-Then log in again with `opencode auth login`.
-
-## Development
-
-```bash
-npm run build
-npm run typecheck
-npm run test
-npm run lint
-```
-
-## Policy and links
-
-- Terms of Service: https://qwen.ai/termsservice
-- Privacy Policy: https://qwen.ai/privacypolicy
-- Usage Policy: https://qwen.ai/usagepolicy
-- NPM: https://www.npmjs.com/package/opencode-qwen-cli-auth
-- Repository: https://github.com/TVD-00/opencode-qwen-cli-auth
-- Issues: https://github.com/TVD-00/opencode-qwen-cli-auth/issues
-
-## License
-
-MIT
+# opencode-qwen-cli-auth (local fork)
+
+Plugin OAuth cho **OpenCode** để dùng Qwen theo cơ chế giống **qwen-code CLI** (free tier bằng Qwen account), không cần DashScope API key.
+
+## Cấu hình nhanh
+
+`opencode.json`:
+
+```json
+{
+  "$schema": "https://opencode.ai/config.json",
+  "plugin": ["opencode-qwen-cli-auth"],
+  "model": "qwen-code/coder-model"
+}
+```
+
+Đăng nhập:
+
+```bash
+opencode auth login
+```
+
+Chọn provider **Qwen Code (qwen.ai OAuth)**.
+
+## Vì sao plugin trước bị `insufficient_quota`?
+
+Từ việc đối chiếu với **qwen-code** (gốc), request free-tier cần:
+
+- Base URL đúng (DashScope OpenAI-compatible):
+  - mặc định: `https://dashscope.aliyuncs.com/compatible-mode/v1`
+  - có thể thay đổi theo `resource_url` trong `~/.qwen/oauth_creds.json`
+- Headers DashScope đặc thù:
+  - `X-DashScope-AuthType: qwen-oauth`
+  - `X-DashScope-CacheControl: enable`
+  - `User-Agent` + `X-DashScope-UserAgent`
+- Giới hạn output token theo model (qwen-code):
+  - `coder-model`: 65536
+  - `vision-model`: 8192
+
+Fork này đã **inject headers ở tầng fetch** để vẫn hoạt động ngay cả khi OpenCode không gọi hook `chat.headers`.
+
+## Debug / logging
+
+```bash
+DEBUG_QWEN_PLUGIN=1 opencode run "hello" --model=qwen-code/coder-model
+ENABLE_PLUGIN_REQUEST_LOGGING=1 opencode run "hello" --model=qwen-code/coder-model
+```
+
+Log path: `~/.opencode/logs/qwen-plugin/`
+
+## Clear auth
+
+PowerShell:
+
+```powershell
+Remove-Item -Recurse -Force "$HOME/.opencode/qwen"
+Remove-Item -Recurse -Force "$HOME/.qwen"  # nếu muốn xoá token qwen-code luôn
+```
+
+## Ghi chú build
+
+Repo này chỉ chứa output `dist/` (không có `src/`/`tsconfig.json`), nên `npm run build/typecheck` sẽ không compile lại TS.

package/dist/index.js

@@ -15,7 +15,11 @@ import { PROVIDER_ID, AUTH_LABELS, DEVICE_FLOW, PORTAL_HEADERS } from "./lib/con
 import { logError, logInfo, logWarn, LOGGING_ENABLED } from "./lib/logger.js";
 const CHAT_REQUEST_TIMEOUT_MS = 30000;
 const CHAT_MAX_RETRIES = 0;
-const CHAT_MAX_TOKENS_CAP = 2048;
+// Output token caps should match what qwen-code uses for DashScope.
+// - coder-model: 64K output
+// - vision-model: 8K output
+// We still keep a default for safety.
+const CHAT_MAX_TOKENS_CAP = 65536;
 const CHAT_DEFAULT_MAX_TOKENS = 2048;
 const MAX_CONSECUTIVE_POLL_FAILURES = 3;
 const QUOTA_DEGRADE_MAX_TOKENS = 1024;
@@ -23,6 +27,58 @@ const CLI_FALLBACK_TIMEOUT_MS = 8000;
 const CLI_FALLBACK_MAX_BUFFER_CHARS = 1024 * 1024;
 const ENABLE_CLI_FALLBACK = process.env.OPENCODE_QWEN_ENABLE_CLI_FALLBACK === "1";
 const PLUGIN_USER_AGENT = "opencode-qwen-cli-auth/2.2.1";
+// Match qwen-code output limits for DashScope OAuth.
+const DASH_SCOPE_OUTPUT_LIMITS = {
+    "coder-model": 65536,
+    "vision-model": 8192,
+};
+function capPayloadMaxTokens(payload) {
+    if (!payload || typeof payload !== "object") {
+        return payload;
+    }
+    const model = typeof payload.model === "string" ? payload.model : "";
+    const normalizedModel = model.trim().toLowerCase();
+    const limit = DASH_SCOPE_OUTPUT_LIMITS[normalizedModel];
+    if (!limit) {
+        return payload;
+    }
+    const next = { ...payload };
+    let changed = false;
+    if (typeof next.max_tokens === "number" && next.max_tokens > limit) {
+        next.max_tokens = limit;
+        changed = true;
+    }
+    if (typeof next.max_completion_tokens === "number" && next.max_completion_tokens > limit) {
+        next.max_completion_tokens = limit;
+        changed = true;
+    }
+    // Some clients use camelCase.
+    if (typeof next.maxTokens === "number" && next.maxTokens > limit) {
+        next.maxTokens = limit;
+        changed = true;
+    }
+    if (next.options && typeof next.options === "object") {
+        const options = { ...next.options };
+        let optionsChanged = false;
+        if (typeof options.max_tokens === "number" && options.max_tokens > limit) {
+            options.max_tokens = limit;
+            optionsChanged = true;
+        }
+        if (typeof options.max_completion_tokens === "number" && options.max_completion_tokens > limit) {
+            options.max_completion_tokens = limit;
+            optionsChanged = true;
+        }
+        if (typeof options.maxTokens === "number" && options.maxTokens > limit) {
+            options.maxTokens = limit;
+            optionsChanged = true;
+        }
+        if (optionsChanged) {
+            next.options = options;
+            changed = true;
+        }
+    }
+    return changed ? next : payload;
+}
 const CLIENT_ONLY_BODY_FIELDS = new Set([
     "providerID",
     "provider",
@@ -581,15 +637,63 @@ async function sendWithTimeout(input, requestInit) {
         composed.cleanup();
     }
 }
+function applyDashScopeHeaders(requestInit) {
+    // Ensure required DashScope OAuth headers are always present.
+    // This mirrors qwen-code (DashScopeOpenAICompatibleProvider.buildHeaders) behavior.
+    // NOTE: We intentionally do this in the fetch layer so it works even when
+    // OpenCode does not call the `chat.headers` hook (older versions / API mismatch).
+    const headersToApply = {
+        "X-DashScope-AuthType": PORTAL_HEADERS.AUTH_TYPE_VALUE,
+        "X-DashScope-CacheControl": "enable",
+        "User-Agent": PLUGIN_USER_AGENT,
+        "X-DashScope-UserAgent": PLUGIN_USER_AGENT,
+    };
+    if (!requestInit.headers) {
+        requestInit.headers = { ...headersToApply };
+        return;
+    }
+    if (requestInit.headers instanceof Headers) {
+        for (const [key, value] of Object.entries(headersToApply)) {
+            if (!requestInit.headers.has(key)) {
+                requestInit.headers.set(key, value);
+            }
+        }
+        return;
+    }
+    if (Array.isArray(requestInit.headers)) {
+        const existing = new Set(requestInit.headers.map(([name]) => String(name).toLowerCase()));
+        for (const [key, value] of Object.entries(headersToApply)) {
+            if (!existing.has(key.toLowerCase())) {
+                requestInit.headers.push([key, value]);
+            }
+        }
+        return;
+    }
+    // Plain object
+    for (const [key, value] of Object.entries(headersToApply)) {
+        if (!(key in requestInit.headers)) {
+            requestInit.headers[key] = value;
+        }
+    }
+}
 async function failFastFetch(input, init) {
     const normalized = await normalizeFetchInvocation(input, init);
     const requestInput = normalized.requestInput;
     const requestInit = normalized.requestInit;
+    // Always inject DashScope OAuth headers at the fetch layer.
+    // This ensures compatibility across OpenCode versions.
+    applyDashScopeHeaders(requestInit);
     const sourceSignal = requestInit.signal;
     const rawPayload = parseJsonRequestBody(requestInit);
     const sessionID = typeof rawPayload?.sessionID === "string" ? rawPayload.sessionID : undefined;
     let payload = rawPayload;
     if (payload) {
+        // Ensure we never exceed DashScope model output limits.
+        const capped = capPayloadMaxTokens(payload);
+        if (capped !== payload) {
+            payload = capped;
+            applyJsonRequestBody(requestInit, payload);
+        }
         const sanitized = sanitizeOutgoingPayload(payload);
         if (sanitized !== payload) {
             payload = sanitized;
@@ -762,7 +866,7 @@ async function getValidAccessToken(getAuth) {
 }
 /**
  * Get base URL from token stored on disk (resource_url).
- * Falls back to portal.qwen.ai/v1 if not available.
+ * Falls back to DashScope compatible-mode if not available.
  */
 function getBaseUrl() {
     try {
@@ -776,31 +880,31 @@ function getBaseUrl() {
     }
     return getApiBaseUrl();
 }
-/**
- * Alibaba Qwen OAuth authentication plugin for opencode
- *
- * @example
- * ```json
- * {
- *   "plugin": ["opencode-alibaba-qwen-cli-auth"],
- *   "model": "qwen-code/coder-model"
- * }
- * ```
- */
-export const QwenAuthPlugin = async (_input) => {
-    return {
-        auth: {
-            provider: PROVIDER_ID,
+/**
+ * Alibaba Qwen OAuth authentication plugin for opencode
+ *
+ * @example
+ * ```json
+ * {
+ *   "plugin": ["opencode-alibaba-qwen-cli-auth"],
+ *   "model": "qwen-code/coder-model"
+ * }
+ * ```
+ */
+export const QwenAuthPlugin = async (_input) => {
+    return {
+        auth: {
+            provider: PROVIDER_ID,
             /**
              * Loader: get token + base URL, return to SDK.
              * Pattern similar to opencode-qwencode-auth reference plugin.
              */
-            async loader(getAuth, provider) {
+            async loader(getAuth, provider) {
                 // Zero cost for OAuth models (free)
                 if (provider?.models) {
-                    for (const model of Object.values(provider.models)) {
-                        if (model) model.cost = { input: 0, output: 0 };
-                    }
+                    for (const model of Object.values(provider.models)) {
+                        if (model) model.cost = { input: 0, output: 0 };
+                    }
                 }
                 const accessToken = await getValidAccessToken(getAuth);
                 if (!accessToken) return null;
@@ -817,32 +921,32 @@ export const QwenAuthPlugin = async (_input) => {
                 };
             },
             methods: [
-                {
-                    label: AUTH_LABELS.OAUTH,
-                    type: "oauth",
-                    /**
-                     * Device Authorization Grant OAuth flow (RFC 8628)
-                     */
-                    authorize: async () => {
-                        // Generate PKCE
-                        const pkce = await createPKCE();
-                        // Request device code
-                        const deviceAuth = await requestDeviceCode(pkce);
-                        if (!deviceAuth) {
-                            throw new Error("Failed to request device code");
-                        }
+                {
+                    label: AUTH_LABELS.OAUTH,
+                    type: "oauth",
+                    /**
+                     * Device Authorization Grant OAuth flow (RFC 8628)
+                     */
+                    authorize: async () => {
+                        // Generate PKCE
+                        const pkce = await createPKCE();
+                        // Request device code
+                        const deviceAuth = await requestDeviceCode(pkce);
+                        if (!deviceAuth) {
+                            throw new Error("Failed to request device code");
+                        }
                         // Display user code
                         console.log(`\nPlease visit: ${deviceAuth.verification_uri}`);
                         console.log(`And enter code: ${deviceAuth.user_code}\n`);
                         // Verification URL - SDK will open browser automatically when method=auto
-                        const verificationUrl = deviceAuth.verification_uri_complete || deviceAuth.verification_uri;
-                        return {
-                            url: verificationUrl,
-                            method: "auto",
-                            instructions: AUTH_LABELS.INSTRUCTIONS,
-                            callback: async () => {
-                                // Poll for token
-                                let pollInterval = (deviceAuth.interval || 5) * 1000;
+                        const verificationUrl = deviceAuth.verification_uri_complete || deviceAuth.verification_uri;
+                        return {
+                            url: verificationUrl,
+                            method: "auto",
+                            instructions: AUTH_LABELS.INSTRUCTIONS,
+                            callback: async () => {
+                                // Poll for token
+                                let pollInterval = (deviceAuth.interval || 5) * 1000;
                                 const POLLING_MARGIN_MS = 3000;
                                 const maxInterval = DEVICE_FLOW.MAX_POLL_INTERVAL;
                                 const startTime = Date.now();
@@ -855,9 +959,9 @@ export const QwenAuthPlugin = async (_input) => {
                                         saveToken(result);
                                         // Return to SDK to save auth state
                                         return {
-                                            type: "success",
-                                            access: result.access,
-                                            refresh: result.refresh,
+                                            type: "success",
+                                            access: result.access,
+                                            refresh: result.refresh,
                                             expires: result.expires,
                                         };
                                     }
@@ -900,19 +1004,19 @@ export const QwenAuthPlugin = async (_input) => {
                                 console.error("[qwen-oauth-plugin] Device authorization timed out");
                                 return { type: "failed" };
                             },
-                        };
-                    },
-                },
-            ],
-        },
+                        };
+                    },
+                },
+            ],
+        },
         /**
          * Register qwen-code provider with model list.
          * Only register models that Portal API (OAuth) accepts:
          * coder-model and vision-model (according to QWEN_OAUTH_ALLOWED_MODELS from original CLI)
          */
-        config: async (config) => {
-            const providers = config.provider || {};
-            providers[PROVIDER_ID] = {
+        config: async (config) => {
+            const providers = config.provider || {};
+            providers[PROVIDER_ID] = {
                 npm: "@ai-sdk/openai-compatible",
                 name: "Qwen Code",
                 options: {
@@ -928,18 +1032,18 @@ export const QwenAuthPlugin = async (_input) => {
                         // Thinking is always enabled by default on server side (qwen3.5-plus)
                         reasoning: false,
                         limit: { context: 1048576, output: CHAT_MAX_TOKENS_CAP },
-                        cost: { input: 0, output: 0 },
-                        modalities: { input: ["text"], output: ["text"] },
-                    },
+                        cost: { input: 0, output: 0 },
+                        modalities: { input: ["text"], output: ["text"] },
+                    },
                     "vision-model": {
                         id: "vision-model",
                         name: "Qwen VL Plus (vision)",
                         reasoning: false,
-                        limit: { context: 131072, output: CHAT_MAX_TOKENS_CAP },
-                        cost: { input: 0, output: 0 },
-                        modalities: { input: ["text"], output: ["text"] },
-                    },
-                },
+                        limit: { context: 131072, output: DASH_SCOPE_OUTPUT_LIMITS["vision-model"] },
+                        cost: { input: 0, output: 0 },
+                        modalities: { input: ["text"], output: ["text"] },
+                    },
+                },
             };
             config.provider = providers;
         },
@@ -1013,5 +1117,5 @@ export const QwenAuthPlugin = async (_input) => {
         },
     };
 };
-export default QwenAuthPlugin;
+export default QwenAuthPlugin;
 //# sourceMappingURL=index.js.map

package/dist/lib/auth/auth.js

@@ -556,12 +556,12 @@ export function getApiBaseUrl(resourceUrl) {
         try {
             const normalizedResourceUrl = normalizeResourceUrl(resourceUrl);
             if (!normalizedResourceUrl) {
-                logWarn("Invalid resource_url, using default Portal API URL");
+                logWarn("Invalid resource_url, using default DashScope endpoint");
                 return DEFAULT_QWEN_BASE_URL;
             }
             const url = new URL(normalizedResourceUrl);
             if (!url.protocol.startsWith("http")) {
-                logWarn("Invalid resource_url protocol, using default Portal API URL");
+                logWarn("Invalid resource_url protocol, using default DashScope endpoint");
                 return DEFAULT_QWEN_BASE_URL;
             }
             let baseUrl = normalizedResourceUrl.replace(/\/$/, "");
@@ -570,18 +570,18 @@ export function getApiBaseUrl(resourceUrl) {
                 baseUrl = `${baseUrl}${suffix}`;
             }
             if (LOGGING_ENABLED) {
-                logInfo("Constructed Portal API base URL from resource_url:", baseUrl);
+                logInfo("Constructed DashScope base URL from resource_url:", baseUrl);
             }
             return baseUrl;
         }
         catch (error) {
-            logWarn("Invalid resource_url format, using default Portal API URL:", error);
+            logWarn("Invalid resource_url format, using default DashScope endpoint:", error);
             return DEFAULT_QWEN_BASE_URL;
         }
     }
     if (LOGGING_ENABLED) {
-        logInfo("No resource_url provided, using default Portal API URL");
+        logInfo("No resource_url provided, using default DashScope endpoint");
     }
     return DEFAULT_QWEN_BASE_URL;
 }
-//# sourceMappingURL=auth.js.map
+//# sourceMappingURL=auth.js.map

package/dist/lib/constants.d.ts

@@ -8,15 +8,15 @@ export declare const PROVIDER_ID = "qwen-code";
 /** Dummy API key (actual auth via OAuth) */
 export declare const DUMMY_API_KEY = "qwen-oauth";
 /**
- * Default Qwen Portal API base URL (fallback if resource_url is missing)
+ * Default Qwen DashScope base URL (fallback if resource_url is missing)
  * Note: This plugin is for OAuth authentication only. For API key authentication,
  * use OpenCode's built-in DashScope support.
  *
- * IMPORTANT: Portal API uses /v1 path (not /api/v1)
+ * IMPORTANT: OAuth endpoints use /api/v1, DashScope OpenAI-compatible uses /compatible-mode/v1
  * - OAuth endpoints: /api/v1/oauth2/ (for authentication)
  * - Chat API: /v1/ (for completions)
  */
-export declare const DEFAULT_QWEN_BASE_URL = "https://portal.qwen.ai/v1";
+export declare const DEFAULT_QWEN_BASE_URL = "https://dashscope.aliyuncs.com/compatible-mode/v1";
 /** Qwen OAuth endpoints and configuration */
 export declare const QWEN_OAUTH: {
     readonly DEVICE_CODE_URL: "https://chat.qwen.ai/api/v1/oauth2/device/code";
@@ -40,8 +40,8 @@ export declare const HTTP_STATUS: {
     readonly TOO_MANY_REQUESTS: 429;
 };
 /**
- * Portal API headers
- * Note: Portal API (OAuth) requires special header to indicate OAuth authentication
+ * DashScope headers
+ * Note: OAuth requires X-DashScope-AuthType to indicate qwen-oauth authentication
  */
 export declare const PORTAL_HEADERS: {
     readonly AUTH_TYPE: "X-DashScope-AuthType";

package/dist/lib/constants.js

@@ -8,15 +8,19 @@ export const PROVIDER_ID = "qwen-code";
 /** Dummy API key (actual auth via OAuth) */
 export const DUMMY_API_KEY = "qwen-oauth";
 /**
- * Default Qwen Portal API base URL (fallback if resource_url is missing)
+ * Default Qwen DashScope base URL (fallback if resource_url is missing)
  * Note: This plugin is for OAuth authentication only. For API key authentication,
  * use OpenCode's built-in DashScope support.
  *
- * IMPORTANT: Portal API uses /v1 path (not /api/v1)
+ * IMPORTANT: OAuth endpoints use /api/v1, DashScope OpenAI-compatible uses /compatible-mode/v1
  * - OAuth endpoints: /api/v1/oauth2/ (for authentication)
  * - Chat API: /v1/ (for completions)
  */
-export const DEFAULT_QWEN_BASE_URL = "https://portal.qwen.ai/v1";
+// NOTE:
+// qwen-code (official CLI) defaults to DashScope OpenAI-compatible endpoint when
+// `resource_url` is missing. This is required for the free OAuth flow to behave
+// the same as the CLI.
+export const DEFAULT_QWEN_BASE_URL = "https://dashscope.aliyuncs.com/compatible-mode/v1";
 /** Qwen OAuth endpoints and configuration */
 export const QWEN_OAUTH = {
     DEVICE_CODE_URL: "https://chat.qwen.ai/api/v1/oauth2/device/code",
@@ -40,8 +44,8 @@ export const HTTP_STATUS = {
     TOO_MANY_REQUESTS: 429,
 };
 /**
- * Portal API headers
- * Note: Portal API (OAuth) requires special header to indicate OAuth authentication
+ * DashScope headers
+ * Note: OAuth requires X-DashScope-AuthType to indicate qwen-oauth authentication
  */
 export const PORTAL_HEADERS = {
     AUTH_TYPE: "X-DashScope-AuthType",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-qwen-cli-auth",
-  "version": "2.2.8",
+  "version": "2.2.9",
   "description": "Qwen OAuth authentication plugin for opencode - use your Qwen account instead of API keys",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",