npm - opencode-qwen-cli-auth - Versions diffs - 2.3.0 → 2.3.1 - Mend

opencode-qwen-cli-auth 2.3.0 → 2.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/README.md CHANGED Viewed

@@ -7,6 +7,7 @@ OAuth plugin for [OpenCode](https://opencode.ai) to use Qwen for free via Qwen A
 - **OAuth 2.0 Device Authorization Grant** (RFC 8628) - login with your Qwen Account
 - **No API key required** - utilize Qwen's free tier
 - **Automatic token refresh** when expired
+- **Multi-account support** - add multiple Qwen accounts and keep one active account
 - **DashScope compatibility** - automatically injects required headers for the OAuth flow
 - **Smart output token limit** - auto-caps tokens based on model (65K for coder-model, 8K for vision-model)
 - **Retry & Fallback** - handles quota/rate limit errors with payload degradation mechanism
@@ -44,6 +45,9 @@ Select provider **Qwen Code (qwen.ai OAuth)** and follow the instructions:
 2. Enter the provided code
 3. The plugin will automatically poll and save the token
+To add more accounts, run `opencode auth login` again.
+The plugin stores each successful login in the multi-account store and can auto-switch on quota exhaustion.
 ## Supported Models
 | Model | ID | Context | Max Output | Cost |
@@ -62,6 +66,8 @@ Select provider **Qwen Code (qwen.ai OAuth)** and follow the instructions:
 | `DEBUG_QWEN_PLUGIN=1` | Enable debug logging | Optional |
 | `ENABLE_PLUGIN_REQUEST_LOGGING=1` | Enable request logging to file | Optional |
 | `OPENCODE_QWEN_ENABLE_CLI_FALLBACK=1` | Enable CLI fallback on quota error | Optional |
+| `OPENCODE_QWEN_ACCOUNTS_PATH` | Override multi-account store path (must be inside `~/.qwen`) | Optional |
+| `OPENCODE_QWEN_QUOTA_COOLDOWN_MS` | Cooldown for exhausted accounts | Default: `1800000` (30 min) |
 ### Debug & Logging
@@ -95,6 +101,8 @@ Log files are stored at: `~/.opencode/logs/qwen-plugin/`
 - **Format**: JSON with access_token, refresh_token, expiry_date, resource_url
 - **Auto-refresh**: Triggered when less than 30 seconds to expiration
 - **Lock mechanism**: Safe multi-process token refresh
+- **Multi-account store**: `~/.qwen/oauth_accounts.json`
+- **Multi-account lock**: `~/.qwen/oauth_accounts.lock`
 ### Required Headers
@@ -113,9 +121,10 @@ X-DashScope-UserAgent: opencode-qwen-cli-auth/{version}
 When hitting a `429 insufficient_quota` error, the plugin automatically:
-1. **Degrades payload** - removes tools, reduces max_tokens to 1024
-2. **Retries** - attempts request with degraded payload
-3. **CLI fallback** (optional) - invokes `qwen` CLI if `OPENCODE_QWEN_ENABLE_CLI_FALLBACK=1` is set
+1. **Marks current account exhausted** for cooldown window
+2. **Switches to next healthy account** and retries with same payload
+3. **Degrades payload** if no healthy account can be switched
+4. **CLI fallback** (optional) - invokes `qwen` CLI if `OPENCODE_QWEN_ENABLE_CLI_FALLBACK=1` is set
 ### Token Expiration
@@ -130,6 +139,9 @@ When hitting a `429 insufficient_quota` error, the plugin automatically:
 ```bash
 # View saved token
 cat ~/.qwen/oauth_creds.json
+# View multi-account store
+cat ~/.qwen/oauth_accounts.json
 ```
 ### Remove Authentication

package/README.vi.md CHANGED Viewed

@@ -7,6 +7,7 @@ Plugin OAuth cho [OpenCode](https://opencode.ai) để sử dụng Qwen miễn p
 - **OAuth 2.0 Device Authorization Grant** (RFC 8628) - đăng nhập bằng Qwen Account
 - **Không cần API key** - sử dụng free tier của Qwen
 - **Tự động refresh token** khi hết hạn
+- **Hỗ trợ đa tài khoản** - thêm nhiều Qwen account và duy trì một tài khoản active
 - **Tương thích DashScope** - tự động inject headers cần thiết cho OAuth flow
 - **Giới hạn output token thông minh** - tự động cap theo model (65K cho coder-model, 8K cho vision-model)
 - **Retry & Fallback** - xử lý lỗi quota/rate limit với cơ chế degrade (giảm tải payload)
@@ -44,6 +45,9 @@ Chọn provider **Qwen Code (qwen.ai OAuth)** và làm theo hướng dẫn:
 2. Nhập mã code được cung cấp
 3. Plugin sẽ tự động poll và lưu token
+Để thêm tài khoản mới, chạy lại `opencode auth login`.
+Plugin sẽ lưu từng lần đăng nhập thành công vào kho đa tài khoản và có thể tự động đổi tài khoản khi hết quota.
 ## Models hỗ trợ
 | Model | ID | Context | Max Output | Chi phí |
@@ -62,6 +66,8 @@ Chọn provider **Qwen Code (qwen.ai OAuth)** và làm theo hướng dẫn:
 | `DEBUG_QWEN_PLUGIN=1` | Bật debug logging | Tùy chọn |
 | `ENABLE_PLUGIN_REQUEST_LOGGING=1` | Bật ghi log request ra file | Tùy chọn |
 | `OPENCODE_QWEN_ENABLE_CLI_FALLBACK=1` | Bật tính năng gọi CLI khi hết quota | Tùy chọn |
+| `OPENCODE_QWEN_ACCOUNTS_PATH` | Ghi đè đường dẫn kho đa tài khoản (phải nằm trong `~/.qwen`) | Tùy chọn |
+| `OPENCODE_QWEN_QUOTA_COOLDOWN_MS` | Thời gian cooldown cho tài khoản đã hết quota | Mặc định: `1800000` (30 phút) |
 ### Debug & Logging
@@ -95,6 +101,8 @@ File log được lưu tại: `~/.opencode/logs/qwen-plugin/`
 - **Định dạng**: JSON chứa access_token, refresh_token, expiry_date, resource_url
 - **Tự động refresh**: Kích hoạt khi token còn dưới 30 giây là hết hạn
 - **Cơ chế khóa (Lock)**: Đảm bảo an toàn khi refresh token trong môi trường đa tiến trình (multi-process)
+- **Kho đa tài khoản**: `~/.qwen/oauth_accounts.json`
+- **Lock đa tài khoản**: `~/.qwen/oauth_accounts.lock`
 ### Headers Bắt buộc
@@ -113,9 +121,10 @@ X-DashScope-UserAgent: opencode-qwen-cli-auth/{version}
 Khi gặp lỗi `429 insufficient_quota`, plugin sẽ tự động:
-1. **Degrade payload** - loại bỏ mảng tools, giảm max_tokens xuống 1024
-2. **Retry** - thử gọi lại API với payload đã giảm tải
-3. **CLI fallback** (tùy chọn) - gọi `qwen` CLI nếu biến `OPENCODE_QWEN_ENABLE_CLI_FALLBACK=1` được bật
+1. **Đánh dấu tài khoản hiện tại đã hết quota** trong cửa sổ cooldown
+2. **Đổi sang tài khoản khỏe tiếp theo** và retry với payload ban đầu
+3. **Degrade payload** nếu không còn tài khoản khỏe để đổi
+4. **CLI fallback** (tùy chọn) - gọi `qwen` CLI nếu biến `OPENCODE_QWEN_ENABLE_CLI_FALLBACK=1` được bật
 ### Token Hết Hạn
@@ -130,6 +139,9 @@ Khi gặp lỗi `429 insufficient_quota`, plugin sẽ tự động:
 ```bash
 # Xem token đang được lưu
 cat ~/.qwen/oauth_creds.json
+# Xem kho đa tài khoản
+cat ~/.qwen/oauth_accounts.json
 ```
 ### Xóa xác thực

package/dist/index.js CHANGED Viewed

@@ -17,7 +17,7 @@
 import { randomUUID } from "node:crypto";
 import { spawn } from "node:child_process";
 import { existsSync } from "node:fs";
-import { createPKCE, requestDeviceCode, pollForToken, getApiBaseUrl, saveToken, refreshAccessToken, loadStoredToken, getValidToken } from "./lib/auth/auth.js";
+import { createPKCE, requestDeviceCode, pollForToken, getApiBaseUrl, saveToken, refreshAccessToken, loadStoredToken, getValidToken, upsertOAuthAccount, getActiveOAuthAccount, markOAuthAccountQuotaExhausted, switchToNextHealthyOAuthAccount } from "./lib/auth/auth.js";
 import { PROVIDER_ID, AUTH_LABELS, DEVICE_FLOW, PORTAL_HEADERS } from "./lib/constants.js";
 import { logError, logInfo, logWarn, LOGGING_ENABLED } from "./lib/logger.js";
@@ -46,6 +46,7 @@ const DASH_SCOPE_OUTPUT_LIMITS = {
     "coder-model": 65536,
     "vision-model": 8192,
 };
+let ACTIVE_OAUTH_ACCOUNT_ID = null;
 function capPayloadMaxTokens(payload) {
     if (!payload || typeof payload !== "object") {
         return payload;
@@ -125,7 +126,7 @@ function resolveQwenCliCommand() {
     return "qwen";
 }
 const QWEN_CLI_COMMAND = resolveQwenCliCommand();
-function shouldUseShell(command) {
+function requiresShellExecution(command) {
     return process.platform === "win32" && /\.(cmd|bat)$/i.test(command);
 }
 function makeFailFastErrorResponse(status, code, message) {
@@ -252,6 +253,67 @@ function getHeaderValue(headers, headerName) {
     }
     return undefined;
 }
+function applyAuthorizationHeader(requestInit, accessToken) {
+    if (typeof accessToken !== "string" || accessToken.length === 0) {
+        return;
+    }
+    const bearer = `Bearer ${accessToken}`;
+    if (!requestInit.headers) {
+        requestInit.headers = { authorization: bearer };
+        return;
+    }
+    if (requestInit.headers instanceof Headers) {
+        requestInit.headers.set("authorization", bearer);
+        return;
+    }
+    if (Array.isArray(requestInit.headers)) {
+        const existing = requestInit.headers.findIndex(([name]) => String(name).toLowerCase() === "authorization");
+        if (existing >= 0) {
+            requestInit.headers[existing][1] = bearer;
+            return;
+        }
+        requestInit.headers.push(["authorization", bearer]);
+        return;
+    }
+    let existingKey = null;
+    for (const key of Object.keys(requestInit.headers)) {
+        if (key.toLowerCase() === "authorization") {
+            existingKey = key;
+            break;
+        }
+    }
+    if (existingKey) {
+        requestInit.headers[existingKey] = bearer;
+        return;
+    }
+    requestInit.headers.authorization = bearer;
+}
+function rewriteRequestBaseUrl(requestInput, resourceUrl) {
+    if (typeof requestInput !== "string" || typeof resourceUrl !== "string" || resourceUrl.length === 0) {
+        return requestInput;
+    }
+    try {
+        const targetBase = new URL(getApiBaseUrl(resourceUrl));
+        const current = new URL(requestInput);
+        const baseSegments = targetBase.pathname.split("/").filter(Boolean);
+        const currentSegments = current.pathname.split("/").filter(Boolean);
+        let suffix = currentSegments;
+        if (currentSegments.length >= baseSegments.length &&
+            baseSegments.every((segment, index) => currentSegments[index] === segment)) {
+            suffix = currentSegments.slice(baseSegments.length);
+        }
+        const mergedPath = [...baseSegments, ...suffix].join("/");
+        targetBase.pathname = `/${mergedPath}`.replace(/\/+/g, "/");
+        targetBase.search = current.search;
+        targetBase.hash = current.hash;
+        return targetBase.toString();
+    }
+    catch (_error) {
+        return requestInput;
+    }
+}
 /**
  * Applies JSON request body with proper content-type header
  * @param {RequestInit} requestInit - Fetch options
@@ -311,10 +373,6 @@ function parseJsonRequestBody(requestInit) {
     catch (_error) {
         return null;
     }
-}
-    catch (_error) {
-        return null;
-    }
 }
 /**
  * Removes client-only fields and caps max_tokens
@@ -375,6 +433,10 @@ function createQuotaDegradedPayload(payload) {
         degraded.stream = false;
         changed = true;
     }
+    if ("stream_options" in degraded) {
+        delete degraded.stream_options;
+        changed = true;
+    }
     // Reduce max_tokens
     if (typeof degraded.max_tokens !== "number" || degraded.max_tokens > QUOTA_DEGRADE_MAX_TOKENS) {
         degraded.max_tokens = QUOTA_DEGRADE_MAX_TOKENS;
@@ -639,6 +701,12 @@ async function runQwenCliFallback(payload, context, abortSignal) {
             command: QWEN_CLI_COMMAND,
         });
     }
+    if (requiresShellExecution(QWEN_CLI_COMMAND)) {
+        return {
+            ok: false,
+            reason: "cli_shell_execution_blocked_for_security",
+        };
+    }
     return await new Promise((resolve) => {
         let settled = false;
         let stdout = "";
@@ -646,7 +714,6 @@ async function runQwenCliFallback(payload, context, abortSignal) {
         let timer = null;
         let child = undefined;
         let abortHandler = undefined;
-        const useShell = shouldUseShell(QWEN_CLI_COMMAND);
         const finalize = (result) => {
             if (settled) {
                 return;
@@ -669,7 +736,7 @@ async function runQwenCliFallback(payload, context, abortSignal) {
         }
         try {
             child = spawn(QWEN_CLI_COMMAND, args, {
-                shell: useShell,
+                shell: false,
                 windowsHide: true,
                 stdio: ["ignore", "pipe", "pipe"],
             });
@@ -843,7 +910,7 @@ function applyDashScopeHeaders(requestInit) {
  */
 async function failFastFetch(input, init) {
     const normalized = await normalizeFetchInvocation(input, init);
-    const requestInput = normalized.requestInput;
+    let requestInput = normalized.requestInput;
     const requestInit = normalized.requestInit;
     // Always inject DashScope OAuth headers at the fetch layer.
     // This ensures compatibility across OpenCode versions.
@@ -869,12 +936,14 @@ async function failFastFetch(input, init) {
         requestId: getHeaderValue(requestInit.headers, "x-request-id"),
         sessionID,
         modelID: typeof payload?.model === "string" ? payload.model : undefined,
+        accountID: ACTIVE_OAUTH_ACCOUNT_ID,
     };
     if (LOGGING_ENABLED) {
         logInfo("Qwen request dispatch", {
             request_id: context.requestId,
             sessionID: context.sessionID,
             modelID: context.modelID,
+            accountID: context.accountID,
             max_tokens: typeof payload?.max_tokens === "number" ? payload.max_tokens : undefined,
             max_completion_tokens: typeof payload?.max_completion_tokens === "number" ? payload.max_completion_tokens : undefined,
             message_count: Array.isArray(payload?.messages) ? payload.messages.length : undefined,
@@ -890,6 +959,7 @@ async function failFastFetch(input, init) {
                     request_id: context.requestId,
                     sessionID: context.sessionID,
                     modelID: context.modelID,
+                    accountID: context.accountID,
                     status: response.status,
                     attempt: retryAttempt + 1,
                 });
@@ -899,6 +969,37 @@ const RETRYABLE_STATUS_CODES = [429, 500, 502, 503, 504];
                 if (response.status === 429) {
                     const firstBody = await response.text().catch(() => "");
                     if (payload && isInsufficientQuota(firstBody)) {
+                        if (context.accountID) {
+                            try {
+                                await markOAuthAccountQuotaExhausted(context.accountID, "insufficient_quota");
+                                const switched = await switchToNextHealthyOAuthAccount([context.accountID]);
+                                if (switched?.accessToken) {
+                                    const rotatedInit = { ...requestInit };
+                                    requestInput = rewriteRequestBaseUrl(requestInput, switched.resourceUrl);
+                                    applyAuthorizationHeader(rotatedInit, switched.accessToken);
+                                    applyAuthorizationHeader(requestInit, switched.accessToken);
+                                    context.accountID = switched.accountId;
+                                    ACTIVE_OAUTH_ACCOUNT_ID = switched.accountId;
+                                    if (LOGGING_ENABLED) {
+                                        logInfo("Switched OAuth account after insufficient_quota", {
+                                            request_id: context.requestId,
+                                            sessionID: context.sessionID,
+                                            modelID: context.modelID,
+                                            accountID: context.accountID,
+                                            healthyAccounts: switched.healthyAccountCount,
+                                            totalAccounts: switched.totalAccountCount,
+                                        });
+                                    }
+                                    response = await sendWithTimeout(requestInput, rotatedInit);
+                                    if (retryAttempt < MAX_REQUEST_RETRIES) {
+                                        continue;
+                                    }
+                                }
+                            }
+                            catch (switchError) {
+                                logWarn("Failed to switch OAuth account after insufficient_quota", switchError);
+                            }
+                        }
                         const degradedPayload = createQuotaDegradedPayload(payload);
                         if (degradedPayload) {
                             const fallbackInit = { ...requestInit };
@@ -989,25 +1090,39 @@ const RETRYABLE_STATUS_CODES = [429, 500, 502, 503, 504];
  * Uses getAuth() from SDK instead of reading file directly.
  *
  * @param {Function} getAuth - Function to get auth state from SDK
- * @returns {Promise<string|null>} Access token or null if not available
+ * @returns {Promise<{ accessToken: string, resourceUrl?: string, accountId?: string }|null>} Access token state or null
  */
 async function getValidAccessToken(getAuth) {
+    const activeOAuthAccount = await getActiveOAuthAccount({ allowExhausted: true });
+    if (activeOAuthAccount?.accessToken) {
+        return {
+            accessToken: activeOAuthAccount.accessToken,
+            resourceUrl: activeOAuthAccount.resourceUrl,
+            accountId: activeOAuthAccount.accountId,
+        };
+    }
     const diskToken = await getValidToken();
     if (diskToken?.accessToken) {
-        return diskToken.accessToken;
+        return {
+            accessToken: diskToken.accessToken,
+            resourceUrl: diskToken.resourceUrl,
+        };
     }
     const auth = await getAuth();
     if (!auth || auth.type !== "oauth") {
         return null;
     }
     let accessToken = auth.access;
+    let resourceUrl = undefined;
     // Refresh if expired (60 second buffer)
     if (accessToken && auth.expires && Date.now() > auth.expires - 60000 && auth.refresh) {
         try {
             const refreshResult = await refreshAccessToken(auth.refresh);
             if (refreshResult.type === "success") {
                 accessToken = refreshResult.access;
+                resourceUrl = refreshResult.resourceUrl;
                 saveToken(refreshResult);
+                await upsertOAuthAccount(refreshResult, { setActive: false });
             }
             else {
                 if (LOGGING_ENABLED) {
@@ -1025,18 +1140,27 @@ async function getValidAccessToken(getAuth) {
     }
     if (auth.access && auth.refresh) {
         try {
-            saveToken({
+            const sdkToken = {
                 type: "success",
                 access: accessToken || auth.access,
                 refresh: auth.refresh,
                 expires: typeof auth.expires === "number" ? auth.expires : Date.now() + 3600 * 1000,
-            });
+                resourceUrl,
+            };
+            saveToken(sdkToken);
+            await upsertOAuthAccount(sdkToken, { setActive: false });
         }
         catch (e) {
             logWarn("Failed to bootstrap .qwen token from SDK auth state:", e);
         }
     }
-    return accessToken ?? null;
+    if (!accessToken) {
+        return null;
+    }
+    return {
+        accessToken,
+        resourceUrl,
+    };
 }
 /**
@@ -1044,7 +1168,10 @@ async function getValidAccessToken(getAuth) {
  * Falls back to DashScope compatible-mode if not available.
  * @returns {string} DashScope API base URL
  */
-function getBaseUrl() {
+function getBaseUrl(resourceUrl) {
+    if (typeof resourceUrl === "string" && resourceUrl.length > 0) {
+        return getApiBaseUrl(resourceUrl);
+    }
     try {
         const stored = loadStoredToken();
         if (stored?.resource_url) {
@@ -1087,14 +1214,15 @@ export const QwenAuthPlugin = async (_input) => {
                         if (model) model.cost = { input: 0, output: 0 };
                     }
                 }
-                const accessToken = await getValidAccessToken(getAuth);
-                if (!accessToken) return null;
-                const baseURL = getBaseUrl();
+                const tokenState = await getValidAccessToken(getAuth);
+                if (!tokenState?.accessToken) return null;
+                ACTIVE_OAUTH_ACCOUNT_ID = tokenState.accountId || null;
+                const baseURL = getBaseUrl(tokenState.resourceUrl);
                 if (LOGGING_ENABLED) {
                     logInfo("Using Qwen baseURL:", baseURL);
                 }
                 return {
-                    apiKey: accessToken,
+                    apiKey: tokenState.accessToken,
                     baseURL,
                     timeout: CHAT_REQUEST_TIMEOUT_MS,
                     maxRetries: CHAT_MAX_RETRIES,
@@ -1138,6 +1266,8 @@ export const QwenAuthPlugin = async (_input) => {
                                     const result = await pollForToken(deviceAuth.device_code, pkce.verifier);
                                     if (result.type === "success") {
                                         saveToken(result);
+                                        const savedAccount = await upsertOAuthAccount(result, { setActive: true });
+                                        ACTIVE_OAUTH_ACCOUNT_ID = savedAccount?.accountId || ACTIVE_OAUTH_ACCOUNT_ID;
                                         // Return to SDK to save auth state
                                         return {
                                             type: "success",

package/dist/lib/auth/auth.d.ts CHANGED Viewed

@@ -38,6 +38,56 @@ export declare function clearStoredToken(): void;
  * @param tokenResult - Token result from OAuth flow
  */
 export declare function saveToken(tokenResult: TokenResult): void;
+/**
+ * Upsert OAuth account into ~/.qwen/oauth_accounts.json
+ */
+export declare function upsertOAuthAccount(tokenResult: TokenResult, options?: {
+    accountId?: string;
+    accountKey?: string;
+    setActive?: boolean;
+}): Promise<{
+    accountId: string;
+    accessToken: string;
+    resourceUrl?: string;
+    exhaustedUntil: number;
+    healthyAccountCount: number;
+    totalAccountCount: number;
+} | null>;
+/**
+ * Get active OAuth account token from multi-account store
+ */
+export declare function getActiveOAuthAccount(options?: {
+    allowExhausted?: boolean;
+    requireHealthy?: boolean;
+    preferredAccountId?: string;
+}): Promise<{
+    accountId: string;
+    accessToken: string;
+    resourceUrl?: string;
+    exhaustedUntil: number;
+    healthyAccountCount: number;
+    totalAccountCount: number;
+} | null>;
+/**
+ * Mark account as exhausted by insufficient_quota
+ */
+export declare function markOAuthAccountQuotaExhausted(accountId: string, errorCode?: string): Promise<{
+    accountId: string;
+    exhaustedUntil: number;
+    healthyAccountCount: number;
+    totalAccountCount: number;
+} | null>;
+/**
+ * Switch active account to next healthy one
+ */
+export declare function switchToNextHealthyOAuthAccount(excludedAccountIds?: string[]): Promise<{
+    accountId: string;
+    accessToken: string;
+    resourceUrl?: string;
+    exhaustedUntil: number;
+    healthyAccountCount: number;
+    totalAccountCount: number;
+} | null>;
 /**
  * Check if token is expired (with 5 minute buffer)
  * @param expiresAt - Expiration timestamp in milliseconds
@@ -62,4 +112,4 @@ export declare function getValidToken(): Promise<{
  * - Chat API: /v1/ (for completions)
  */
 export declare function getApiBaseUrl(resourceUrl?: string): string;
-//# sourceMappingURL=auth.d.ts.map
+//# sourceMappingURL=auth.d.ts.map

package/dist/lib/auth/auth.js CHANGED Viewed

@@ -8,7 +8,7 @@
 import { generatePKCE } from "@openauthjs/openauth/pkce";
 import { readFileSync, writeFileSync, existsSync, mkdirSync, unlinkSync, renameSync, statSync } from "fs";
 import { QWEN_OAUTH, DEFAULT_QWEN_BASE_URL, TOKEN_REFRESH_BUFFER_MS, VERIFICATION_URI } from "../constants.js";
-import { getTokenPath, getQwenDir, getTokenLockPath, getLegacyTokenPath } from "../config.js";
+import { getTokenPath, getQwenDir, getTokenLockPath, getLegacyTokenPath, getAccountsPath, getAccountsLockPath } from "../config.js";
 import { logError, logWarn, logInfo, LOGGING_ENABLED } from "../logger.js";
 /** Maximum number of retries for token refresh operations */
@@ -27,6 +27,10 @@ const LOCK_BACKOFF_MULTIPLIER = 1.5;
 const LOCK_MAX_INTERVAL_MS = 2000;
 /** Maximum number of lock acquisition attempts */
 const LOCK_MAX_ATTEMPTS = 20;
+/** Account schema version for ~/.qwen/oauth_accounts.json */
+const ACCOUNT_STORE_VERSION = 1;
+/** Default cooldown when account hits insufficient_quota */
+const DEFAULT_QUOTA_COOLDOWN_MS = 30 * 60 * 1000;
 /**
  * Checks if an error is an AbortError (from AbortController)
@@ -172,6 +176,225 @@ function toStoredTokenData(data) {
     };
 }
+function getQuotaCooldownMs() {
+    const raw = process.env.OPENCODE_QWEN_QUOTA_COOLDOWN_MS;
+    if (typeof raw !== "string" || raw.trim().length === 0) {
+        return DEFAULT_QUOTA_COOLDOWN_MS;
+    }
+    const parsed = Number(raw);
+    if (!Number.isFinite(parsed) || parsed < 1000) {
+        return DEFAULT_QUOTA_COOLDOWN_MS;
+    }
+    return Math.floor(parsed);
+}
+function normalizeAccountStore(raw) {
+    const fallback = {
+        version: ACCOUNT_STORE_VERSION,
+        activeAccountId: null,
+        accounts: [],
+    };
+    if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
+        return fallback;
+    }
+    const input = raw;
+    const accounts = Array.isArray(input.accounts) ? input.accounts : [];
+    const normalizedAccounts = [];
+    for (const item of accounts) {
+        if (!item || typeof item !== "object" || Array.isArray(item)) {
+            continue;
+        }
+        const token = toStoredTokenData(item.token);
+        if (!token) {
+            continue;
+        }
+        const id = typeof item.id === "string" && item.id.trim().length > 0
+            ? item.id.trim()
+            : `acct_${Math.random().toString(16).slice(2)}_${Date.now().toString(36)}`;
+        const createdAt = typeof item.createdAt === "number" && Number.isFinite(item.createdAt) ? item.createdAt : Date.now();
+        const updatedAt = typeof item.updatedAt === "number" && Number.isFinite(item.updatedAt) ? item.updatedAt : createdAt;
+        const exhaustedUntil = typeof item.exhaustedUntil === "number" && Number.isFinite(item.exhaustedUntil) ? item.exhaustedUntil : 0;
+        const lastErrorCode = typeof item.lastErrorCode === "string" ? item.lastErrorCode : undefined;
+        const accountKey = typeof item.accountKey === "string" && item.accountKey.trim().length > 0 ? item.accountKey.trim() : undefined;
+        normalizedAccounts.push({
+            id,
+            token,
+            resource_url: token.resource_url,
+            exhaustedUntil,
+            lastErrorCode,
+            accountKey,
+            createdAt,
+            updatedAt,
+        });
+    }
+    let activeAccountId = typeof input.activeAccountId === "string" && input.activeAccountId.length > 0 ? input.activeAccountId : null;
+    if (activeAccountId && !normalizedAccounts.some(account => account.id === activeAccountId)) {
+        activeAccountId = null;
+    }
+    if (!activeAccountId && normalizedAccounts.length > 0) {
+        activeAccountId = normalizedAccounts[0].id;
+    }
+    return {
+        version: ACCOUNT_STORE_VERSION,
+        activeAccountId,
+        accounts: normalizedAccounts,
+    };
+}
+function normalizeTokenResultToStored(tokenResult) {
+    if (!tokenResult || tokenResult.type !== "success") {
+        return null;
+    }
+    return toStoredTokenData({
+        access_token: tokenResult.access,
+        refresh_token: tokenResult.refresh,
+        token_type: "Bearer",
+        expiry_date: tokenResult.expires,
+        resource_url: tokenResult.resourceUrl,
+    });
+}
+function parseJwtPayloadSegment(token) {
+    if (typeof token !== "string") {
+        return null;
+    }
+    const parts = token.split(".");
+    if (parts.length < 2) {
+        return null;
+    }
+    const base64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
+    const padded = base64 + "=".repeat((4 - (base64.length % 4)) % 4);
+    try {
+        return JSON.parse(Buffer.from(padded, "base64").toString("utf8"));
+    }
+    catch (_error) {
+        return null;
+    }
+}
+function deriveAccountKeyFromToken(tokenData) {
+    if (!tokenData || typeof tokenData !== "object") {
+        return null;
+    }
+    const payload = parseJwtPayloadSegment(tokenData.access_token);
+    if (payload && typeof payload === "object") {
+        const candidates = ["sub", "uid", "user_id", "email", "username"];
+        for (const key of candidates) {
+            const value = payload[key];
+            if (typeof value === "string" && value.trim().length > 0) {
+                return `${key}:${value.trim()}`;
+            }
+        }
+    }
+    if (typeof tokenData.refresh_token === "string" && tokenData.refresh_token.length > 12) {
+        return `refresh:${tokenData.refresh_token}`;
+    }
+    return null;
+}
+function buildAccountEntry(tokenData, accountId, accountKey) {
+    const now = Date.now();
+    return {
+        id: accountId,
+        token: tokenData,
+        resource_url: tokenData.resource_url,
+        exhaustedUntil: 0,
+        lastErrorCode: undefined,
+        accountKey: accountKey || undefined,
+        createdAt: now,
+        updatedAt: now,
+    };
+}
+function writeAccountsStoreData(store) {
+    const qwenDir = getQwenDir();
+    if (!existsSync(qwenDir)) {
+        mkdirSync(qwenDir, { recursive: true, mode: 0o700 });
+    }
+    const accountsPath = getAccountsPath();
+    const tempPath = `${accountsPath}.tmp.${Date.now().toString(36)}-${Math.random().toString(16).slice(2)}`;
+    const payload = {
+        version: ACCOUNT_STORE_VERSION,
+        activeAccountId: store.activeAccountId || null,
+        accounts: store.accounts.map(account => ({
+            id: account.id,
+            token: account.token,
+            resource_url: account.resource_url,
+            exhaustedUntil: account.exhaustedUntil || 0,
+            lastErrorCode: account.lastErrorCode,
+            accountKey: account.accountKey,
+            createdAt: account.createdAt,
+            updatedAt: account.updatedAt,
+        })),
+    };
+    try {
+        writeFileSync(tempPath, JSON.stringify(payload, null, 2), {
+            encoding: "utf-8",
+            mode: 0o600,
+        });
+        renameSync(tempPath, accountsPath);
+    }
+    catch (error) {
+        try {
+            if (existsSync(tempPath)) {
+                unlinkSync(tempPath);
+            }
+        }
+        catch (_cleanupError) {
+        }
+        throw error;
+    }
+}
+function loadAccountsStoreData() {
+    const path = getAccountsPath();
+    if (!existsSync(path)) {
+        return normalizeAccountStore(null);
+    }
+    try {
+        const raw = JSON.parse(readFileSync(path, "utf-8"));
+        return normalizeAccountStore(raw);
+    }
+    catch (error) {
+        logWarn("Failed to read oauth_accounts.json, using empty store", error);
+        return normalizeAccountStore(null);
+    }
+}
+function pickNextHealthyAccount(store, excludedIds = new Set(), now = Date.now()) {
+    const accounts = Array.isArray(store.accounts) ? store.accounts : [];
+    if (accounts.length === 0) {
+        return null;
+    }
+    const activeIndex = accounts.findIndex(account => account.id === store.activeAccountId);
+    for (let step = 1; step <= accounts.length; step += 1) {
+        const index = activeIndex >= 0 ? (activeIndex + step) % accounts.length : (step - 1);
+        const candidate = accounts[index];
+        if (!candidate || excludedIds.has(candidate.id)) {
+            continue;
+        }
+        if (typeof candidate.exhaustedUntil === "number" && candidate.exhaustedUntil > now) {
+            continue;
+        }
+        return candidate;
+    }
+    return null;
+}
+function countHealthyAccounts(store, now = Date.now()) {
+    return store.accounts.filter(account => !(typeof account.exhaustedUntil === "number" && account.exhaustedUntil > now)).length;
+}
+function syncAccountToLegacyTokenFile(account) {
+    writeStoredTokenData({
+        access_token: account.token.access_token,
+        refresh_token: account.token.refresh_token,
+        token_type: account.token.token_type || "Bearer",
+        expiry_date: account.token.expiry_date,
+        resource_url: account.resource_url,
+    });
+}
 /**
  * Builds token success object from stored token data
  * @param {Object} stored - Stored token data from file
@@ -251,6 +474,37 @@ function migrateLegacyTokenIfNeeded() {
         logWarn("Failed to migrate legacy token:", error);
     }
 }
+function migrateLegacyTokenToAccountsIfNeeded() {
+    const accountsPath = getAccountsPath();
+    if (existsSync(accountsPath)) {
+        return;
+    }
+    const legacyToken = loadStoredToken();
+    if (!legacyToken) {
+        return;
+    }
+    const tokenData = toStoredTokenData(legacyToken);
+    if (!tokenData) {
+        return;
+    }
+    const accountKey = deriveAccountKeyFromToken(tokenData);
+    const accountId = `acct_${Date.now().toString(36)}_${Math.random().toString(16).slice(2, 10)}`;
+    const store = normalizeAccountStore({
+        version: ACCOUNT_STORE_VERSION,
+        activeAccountId: accountId,
+        accounts: [buildAccountEntry(tokenData, accountId, accountKey)],
+    });
+    try {
+        writeAccountsStoreData(store);
+        if (LOGGING_ENABLED) {
+            logInfo("Migrated legacy oauth_creds.json to oauth_accounts.json");
+        }
+    }
+    catch (error) {
+        logWarn("Failed to migrate legacy token to oauth_accounts.json", error);
+    }
+}
 /**
  * Acquires exclusive lock for token refresh to prevent concurrent refreshes
  * Uses file-based locking with exponential backoff retry strategy
@@ -259,6 +513,10 @@ function migrateLegacyTokenIfNeeded() {
  */
 async function acquireTokenLock() {
     const lockPath = getTokenLockPath();
+    const qwenDir = getQwenDir();
+    if (!existsSync(qwenDir)) {
+        mkdirSync(qwenDir, { recursive: true, mode: 0o700 });
+    }
     const lockValue = `${process.pid}-${Date.now()}-${Math.random().toString(16).slice(2)}`;
     let waitMs = LOCK_ATTEMPT_INTERVAL_MS;
     for (let attempt = 0; attempt < LOCK_MAX_ATTEMPTS; attempt++) {
@@ -322,6 +580,82 @@ function releaseTokenLock(lockPath) {
         }
     }
 }
+async function acquireAccountsLock() {
+    const lockPath = getAccountsLockPath();
+    const qwenDir = getQwenDir();
+    if (!existsSync(qwenDir)) {
+        mkdirSync(qwenDir, { recursive: true, mode: 0o700 });
+    }
+    const lockValue = `${process.pid}-${Date.now()}-${Math.random().toString(16).slice(2)}`;
+    let waitMs = LOCK_ATTEMPT_INTERVAL_MS;
+    for (let attempt = 0; attempt < LOCK_MAX_ATTEMPTS; attempt++) {
+        try {
+            writeFileSync(lockPath, lockValue, {
+                encoding: "utf-8",
+                flag: "wx",
+                mode: 0o600,
+            });
+            return lockPath;
+        }
+        catch (error) {
+            if (!hasErrorCode(error, "EEXIST")) {
+                throw error;
+            }
+            try {
+                const stats = statSync(lockPath);
+                const ageMs = Date.now() - stats.mtimeMs;
+                if (ageMs > LOCK_TIMEOUT_MS) {
+                    try {
+                        unlinkSync(lockPath);
+                    }
+                    catch (staleError) {
+                        if (!hasErrorCode(staleError, "ENOENT")) {
+                            logWarn("Failed to remove stale accounts lock", staleError);
+                        }
+                    }
+                    continue;
+                }
+            }
+            catch (statError) {
+                if (!hasErrorCode(statError, "ENOENT")) {
+                    logWarn("Failed to inspect accounts lock file", statError);
+                }
+            }
+            await sleep(waitMs);
+            waitMs = Math.min(Math.floor(waitMs * LOCK_BACKOFF_MULTIPLIER), LOCK_MAX_INTERVAL_MS);
+        }
+    }
+    throw new Error("Accounts lock timeout");
+}
+function releaseAccountsLock(lockPath) {
+    try {
+        unlinkSync(lockPath);
+    }
+    catch (error) {
+        if (!hasErrorCode(error, "ENOENT")) {
+            logWarn("Failed to release accounts lock file", error);
+        }
+    }
+}
+async function withAccountsStoreLock(mutator) {
+    const lockPath = await acquireAccountsLock();
+    try {
+        const store = loadAccountsStoreData();
+        const next = await mutator(store);
+        if (next && typeof next === "object") {
+            writeAccountsStoreData(next);
+            return next;
+        }
+        writeAccountsStoreData(store);
+        return store;
+    }
+    finally {
+        releaseAccountsLock(lockPath);
+    }
+}
 /**
  * Requests device code from Qwen OAuth server
  * Initiates OAuth 2.0 Device Authorization Grant flow
@@ -694,6 +1028,217 @@ export function saveToken(tokenResult) {
         throw error;
     }
 }
+function buildRuntimeAccountResponse(account, healthyCount, totalCount, accessToken, resourceUrl) {
+    return {
+        accountId: account.id,
+        accessToken,
+        resourceUrl: resourceUrl || account.resource_url,
+        exhaustedUntil: account.exhaustedUntil || 0,
+        healthyAccountCount: healthyCount,
+        totalAccountCount: totalCount,
+    };
+}
+export async function upsertOAuthAccount(tokenResult, options = {}) {
+    const tokenData = normalizeTokenResultToStored(tokenResult);
+    if (!tokenData) {
+        return null;
+    }
+    migrateLegacyTokenToAccountsIfNeeded();
+    const accountKey = options.accountKey || deriveAccountKeyFromToken(tokenData);
+    let selectedId = null;
+    await withAccountsStoreLock((store) => {
+        const now = Date.now();
+        let index = -1;
+        if (typeof options.accountId === "string" && options.accountId.length > 0) {
+            index = store.accounts.findIndex(account => account.id === options.accountId);
+        }
+        if (index < 0 && accountKey) {
+            index = store.accounts.findIndex(account => account.accountKey === accountKey);
+        }
+        if (index < 0) {
+            index = store.accounts.findIndex(account => account.token?.refresh_token === tokenData.refresh_token);
+        }
+        if (index < 0) {
+            const newId = typeof options.accountId === "string" && options.accountId.length > 0
+                ? options.accountId
+                : `acct_${Date.now().toString(36)}_${Math.random().toString(16).slice(2, 10)}`;
+            store.accounts.push(buildAccountEntry(tokenData, newId, accountKey));
+            index = store.accounts.length - 1;
+        }
+        const target = store.accounts[index];
+        target.token = tokenData;
+        target.resource_url = tokenData.resource_url;
+        target.exhaustedUntil = 0;
+        target.lastErrorCode = undefined;
+        target.updatedAt = now;
+        if (!target.createdAt || !Number.isFinite(target.createdAt)) {
+            target.createdAt = now;
+        }
+        if (accountKey) {
+            target.accountKey = accountKey;
+        }
+        selectedId = target.id;
+        if (options.setActive || !store.activeAccountId) {
+            store.activeAccountId = target.id;
+        }
+        return store;
+    });
+    if (!selectedId) {
+        return null;
+    }
+    if (options.setActive) {
+        return getActiveOAuthAccount({ allowExhausted: true, preferredAccountId: selectedId });
+    }
+    return getActiveOAuthAccount({ allowExhausted: true });
+}
+export async function getActiveOAuthAccount(options = {}) {
+    migrateLegacyTokenToAccountsIfNeeded();
+    const lockPath = await acquireAccountsLock();
+    let selected = null;
+    let dirty = false;
+    try {
+        const store = loadAccountsStoreData();
+        const now = Date.now();
+        if (store.accounts.length === 0) {
+            return null;
+        }
+        if (typeof options.preferredAccountId === "string" && options.preferredAccountId.length > 0) {
+            const exists = store.accounts.some(account => account.id === options.preferredAccountId);
+            if (exists && store.activeAccountId !== options.preferredAccountId) {
+                store.activeAccountId = options.preferredAccountId;
+                dirty = true;
+            }
+        }
+        let active = store.accounts.find(account => account.id === store.activeAccountId);
+        if (!active) {
+            active = store.accounts[0];
+            store.activeAccountId = active.id;
+            dirty = true;
+        }
+        const activeHealthy = !(typeof active.exhaustedUntil === "number" && active.exhaustedUntil > now);
+        if (!activeHealthy && !options.allowExhausted) {
+            const replacement = pickNextHealthyAccount(store, new Set(), now);
+            if (!replacement) {
+                return null;
+            }
+            if (store.activeAccountId !== replacement.id) {
+                store.activeAccountId = replacement.id;
+                dirty = true;
+            }
+            active = replacement;
+        }
+        const healthyCount = countHealthyAccounts(store, now);
+        selected = {
+            account: { ...active },
+            healthyCount,
+            totalCount: store.accounts.length,
+        };
+        if (dirty) {
+            writeAccountsStoreData(store);
+        }
+    }
+    finally {
+        releaseAccountsLock(lockPath);
+    }
+    if (!selected) {
+        return null;
+    }
+    if (options.requireHealthy && selected.account.exhaustedUntil > Date.now()) {
+        return null;
+    }
+    try {
+        syncAccountToLegacyTokenFile(selected.account);
+    }
+    catch (error) {
+        logWarn("Failed to sync active account token to oauth_creds.json", error);
+        return null;
+    }
+    const valid = await getValidToken();
+    if (!valid) {
+        return null;
+    }
+    const latest = loadStoredToken();
+    if (latest) {
+        try {
+            await withAccountsStoreLock((store) => {
+                const target = store.accounts.find(account => account.id === selected.account.id);
+                if (!target) {
+                    return store;
+                }
+                target.token = latest;
+                target.resource_url = latest.resource_url;
+                target.updatedAt = Date.now();
+                return store;
+            });
+        }
+        catch (error) {
+            logWarn("Failed to update account token from refreshed legacy token", error);
+        }
+    }
+    return buildRuntimeAccountResponse(selected.account, selected.healthyCount, selected.totalCount, valid.accessToken, valid.resourceUrl);
+}
+export async function markOAuthAccountQuotaExhausted(accountId, errorCode = "insufficient_quota") {
+    if (typeof accountId !== "string" || accountId.length === 0) {
+        return null;
+    }
+    migrateLegacyTokenToAccountsIfNeeded();
+    const cooldownMs = getQuotaCooldownMs();
+    let outcome = null;
+    await withAccountsStoreLock((store) => {
+        const now = Date.now();
+        const target = store.accounts.find(account => account.id === accountId);
+        if (!target) {
+            return store;
+        }
+        target.exhaustedUntil = now + cooldownMs;
+        target.lastErrorCode = errorCode;
+        target.updatedAt = now;
+        if (store.activeAccountId === target.id) {
+            const next = pickNextHealthyAccount(store, new Set([target.id]), now);
+            if (next) {
+                store.activeAccountId = next.id;
+            }
+        }
+        outcome = {
+            accountId: target.id,
+            exhaustedUntil: target.exhaustedUntil,
+            healthyAccountCount: countHealthyAccounts(store, now),
+            totalAccountCount: store.accounts.length,
+        };
+        return store;
+    });
+    return outcome;
+}
+export async function switchToNextHealthyOAuthAccount(excludedAccountIds = []) {
+    migrateLegacyTokenToAccountsIfNeeded();
+    const excluded = new Set(Array.isArray(excludedAccountIds)
+        ? excludedAccountIds.filter(id => typeof id === "string" && id.length > 0)
+        : []);
+    let switchedId = null;
+    await withAccountsStoreLock((store) => {
+        const next = pickNextHealthyAccount(store, excluded, Date.now());
+        if (!next) {
+            return store;
+        }
+        store.activeAccountId = next.id;
+        switchedId = next.id;
+        return store;
+    });
+    if (!switchedId) {
+        return null;
+    }
+    return getActiveOAuthAccount({
+        allowExhausted: false,
+        requireHealthy: true,
+        preferredAccountId: switchedId,
+    });
+}
 /**
  * Checks if token is expired (with buffer)
  * @param {number} expiresAt - Token expiry timestamp in milliseconds

package/dist/lib/config.d.ts CHANGED Viewed

@@ -29,6 +29,14 @@ export declare function getTokenPath(): string;
  * Get token lock path for multi-process refresh coordination
  */
 export declare function getTokenLockPath(): string;
+/**
+ * Get multi-account storage path
+ */
+export declare function getAccountsPath(): string;
+/**
+ * Get multi-account lock path
+ */
+export declare function getAccountsLockPath(): string;
 /**
  * Get legacy token storage path used by old plugin versions
  */

package/dist/lib/config.js CHANGED Viewed

@@ -5,7 +5,7 @@
  */
 import { homedir } from "os";
-import { join } from "path";
+import { join, resolve, relative, isAbsolute, parse, dirname } from "path";
 import { readFileSync, existsSync } from "fs";
 /**
@@ -25,6 +25,50 @@ export function getQwenDir() {
     return join(homedir(), ".qwen");
 }
+const ACCOUNTS_FILENAME = "oauth_accounts.json";
+const DEFAULT_ACCOUNTS_PATH = join(getQwenDir(), ACCOUNTS_FILENAME);
+function isRootPath(pathValue) {
+    const parsed = parse(pathValue);
+    return pathValue === parsed.root;
+}
+function isPathInsideBase(pathValue, baseDir) {
+    const rel = relative(baseDir, pathValue);
+    if (rel === "") {
+        return true;
+    }
+    return !rel.startsWith("..") && !isAbsolute(rel);
+}
+function resolveAccountsPathFromEnv() {
+    const envPath = process.env.OPENCODE_QWEN_ACCOUNTS_PATH;
+    if (typeof envPath !== "string" || envPath.trim().length === 0) {
+        return null;
+    }
+    const trimmed = envPath.trim();
+    if (trimmed.includes("\0")) {
+        console.warn("[qwen-oauth-plugin] Ignoring OPENCODE_QWEN_ACCOUNTS_PATH with invalid null-byte");
+        return null;
+    }
+    const resolved = resolve(trimmed);
+    if (isRootPath(resolved)) {
+        console.warn("[qwen-oauth-plugin] Ignoring OPENCODE_QWEN_ACCOUNTS_PATH pointing to root path");
+        return null;
+    }
+    const baseDir = getQwenDir();
+    if (!isPathInsideBase(resolved, baseDir)) {
+        console.warn("[qwen-oauth-plugin] Ignoring OPENCODE_QWEN_ACCOUNTS_PATH outside ~/.qwen for safety");
+        return null;
+    }
+    const parsed = parse(resolved);
+    if (!parsed.base || parsed.base.length === 0) {
+        console.warn("[qwen-oauth-plugin] Ignoring OPENCODE_QWEN_ACCOUNTS_PATH without filename");
+        return null;
+    }
+    return resolved;
+}
 /**
  * Get plugin configuration file path
  * @returns {string} Path to ~/.opencode/qwen/auth-config.json
@@ -96,6 +140,26 @@ export function getTokenLockPath() {
     return join(getQwenDir(), "oauth_creds.lock");
 }
+/**
+ * Get multi-account storage path
+ * @returns {string} Path to ~/.qwen/oauth_accounts.json or OPENCODE_QWEN_ACCOUNTS_PATH override
+ */
+export function getAccountsPath() {
+    return resolveAccountsPathFromEnv() || DEFAULT_ACCOUNTS_PATH;
+}
+/**
+ * Get multi-account lock path
+ * @returns {string} Path to ~/.qwen/oauth_accounts.lock (or sidecar lock for override path)
+ */
+export function getAccountsLockPath() {
+    const accountsPath = getAccountsPath();
+    if (dirname(accountsPath) !== getQwenDir()) {
+        return `${accountsPath}.lock`;
+    }
+    return join(getQwenDir(), "oauth_accounts.lock");
+}
 /**
  * Get legacy token storage path used by old plugin versions
  * Used for backward compatibility and token migration

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "opencode-qwen-cli-auth",
-  "version": "2.3.0",
+  "version": "2.3.1",
   "description": "Qwen OAuth authentication plugin for opencode - use your Qwen account instead of API keys",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",