npm - opencode-qwen-cli-auth - Versions diffs - 2.3.6 → 2.3.8 - Mend

opencode-qwen-cli-auth 2.3.6 → 2.3.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md CHANGED Viewed

@@ -10,6 +10,8 @@ OAuth plugin for [OpenCode](https://opencode.ai) to use Qwen for free via Qwen A
 - **Multi-account support** - add multiple Qwen accounts and keep one active account
 - **DashScope compatibility** - automatically injects required headers for the OAuth flow
 - **Smart output token limit** - auto-caps tokens based on model (65K for coder-model, 8K for vision-model)
+- **Reasoning capability in UI (coder-model)** - model tooltip shows reasoning support in OpenCode
+- **Reasoning-effort safety** - strips reasoning control fields from outbound payload for OAuth compatibility
 - **Retry & Fallback** - handles quota/rate limit errors with payload degradation mechanism
 - **Logging & Debugging** - detailed debugging support via environment variables
@@ -55,6 +57,12 @@ The plugin stores each successful login in the multi-account store and can auto-
 | Qwen Coder (Qwen 3.5 Plus) | `coder-model` | text | text | 1M tokens | 65,536 tokens | Free |
 | Qwen VL Plus (Vision) | `vision-model` | text, image | text | 128K tokens | 8,192 tokens | Free |
+### Reasoning Note
+- `coder-model` is marked as reasoning-capable in OpenCode UI.
+- This release is UI-only for reasoning and does not enable runtime reasoning-effort controls for Qwen OAuth.
+- If clients send `reasoning`, `reasoningEffort`, or `reasoning_effort`, the plugin removes these fields before forwarding requests.
 ## Configuration
 ### Environment Variables
@@ -131,7 +139,8 @@ When hitting a `429 insufficient_quota` error, the plugin automatically:
 - Automatically uses refresh token
 - Retries up to 2 times for transient errors (timeout, network)
-- Clears token and requests re-auth on 401/403
+- On refresh `401/403`, marks current account as `auth_invalid` and switches to next healthy account when available
+- If no healthy account is available, requests re-authentication (`opencode auth login`)
 ## Authentication Management

package/README.vi.md CHANGED Viewed

@@ -10,6 +10,8 @@ Plugin OAuth cho [OpenCode](https://opencode.ai) để sử dụng Qwen miễn p
 - **Hỗ trợ đa tài khoản** - thêm nhiều Qwen account và duy trì một tài khoản active
 - **Tương thích DashScope** - tự động inject headers cần thiết cho OAuth flow
 - **Giới hạn output token thông minh** - tự động cap theo model (65K cho coder-model, 8K cho vision-model)
+- **Hiển thị reasoning trên UI (coder-model)** - tooltip model trong OpenCode sẽ hiện hỗ trợ reasoning
+- **An toàn reasoning-effort** - loại bỏ các trường điều khiển reasoning khỏi payload để giữ tương thích OAuth
 - **Retry & Fallback** - xử lý lỗi quota/rate limit với cơ chế degrade (giảm tải payload)
 - **Logging & Debugging** - hỗ trợ debug chi tiết qua biến môi trường
@@ -55,6 +57,12 @@ Plugin sẽ lưu từng lần đăng nhập thành công vào kho đa tài kho
 | Qwen Coder (Qwen 3.5 Plus) | `coder-model` | text | text | 1M tokens | 65,536 tokens | Miễn phí |
 | Qwen VL Plus (Vision) | `vision-model` | text, image | text | 128K tokens | 8,192 tokens | Miễn phí |
+### Ghi chú reasoning
+- `coder-model` được đánh dấu có reasoning trong UI của OpenCode.
+- Bản phát hành này chỉ hỗ trợ reasoning ở mức hiển thị UI, chưa bật điều khiển reasoning-effort ở runtime cho Qwen OAuth.
+- Nếu client gửi `reasoning`, `reasoningEffort` hoặc `reasoning_effort`, plugin sẽ tự loại bỏ trước khi gửi request đi.
 ## Cấu hình
 ### Biến môi trường
@@ -131,7 +139,8 @@ Khi gặp lỗi `429 insufficient_quota`, plugin sẽ tự động:
 - Tự động sử dụng refresh token để lấy token mới
 - Thử lại tối đa 2 lần đối với các lỗi tạm thời (timeout, lỗi mạng)
-- Xóa token cũ và yêu cầu đăng nhập lại nếu nhận lỗi 401/403
+- Nếu refresh gặp `401/403`, plugin đánh dấu account hiện tại là `auth_invalid` và tự chuyển sang account khỏe tiếp theo nếu có
+- Nếu không còn account khỏe, plugin sẽ yêu cầu đăng nhập lại (`opencode auth login`)
 ## Quản lý xác thực

package/dist/index.js CHANGED Viewed

@@ -11,7 +11,7 @@
  *
  * @license MIT with Usage Disclaimer (see LICENSE file)
  * @repository https://github.com/TVD-00/opencode-qwen-cli-auth
- * @version 2.3.6
+ * @version 2.3.8
  */
 import { randomUUID } from "node:crypto";
@@ -40,7 +40,7 @@ const CLI_FALLBACK_MAX_BUFFER_CHARS = 1024 * 1024;
 /** Enable CLI fallback feature via environment variable */
 const ENABLE_CLI_FALLBACK = process.env.OPENCODE_QWEN_ENABLE_CLI_FALLBACK === "1";
 /** User agent string for plugin identification */
-const PLUGIN_USER_AGENT = "opencode-qwen-cli-auth/2.3.4";
+const PLUGIN_USER_AGENT = "opencode-qwen-cli-auth/2.3.8";
 /** Output token limits per model for DashScope OAuth */
 const DASH_SCOPE_OUTPUT_LIMITS = {
     "coder-model": 65536,
@@ -104,6 +104,11 @@ const CLIENT_ONLY_BODY_FIELDS = new Set([
     "options",
     "debug",
 ]);
+const REASONING_CONTROL_FIELDS = new Set([
+    "reasoning",
+    "reasoningEffort",
+    "reasoning_effort",
+]);
 function resolveQwenCliCommand() {
     const fromEnv = process.env.QWEN_CLI_PATH;
     if (typeof fromEnv === "string" && fromEnv.trim().length > 0) {
@@ -394,6 +399,12 @@ function sanitizeOutgoingPayload(payload) {
         delete sanitized.stream_options;
         changed = true;
     }
+    for (const field of REASONING_CONTROL_FIELDS) {
+        if (field in sanitized) {
+            delete sanitized[field];
+            changed = true;
+        }
+    }
     // Cap max_tokens fields
     if (typeof sanitized.max_tokens === "number" && sanitized.max_tokens > CHAT_MAX_TOKENS_CAP) {
         sanitized.max_tokens = CHAT_MAX_TOKENS_CAP;
@@ -1184,7 +1195,10 @@ async function getValidAccessToken(getAuth) {
                 accessToken = refreshResult.access;
                 resourceUrl = refreshResult.resourceUrl;
                 saveToken(refreshResult);
-                await upsertOAuthAccount(refreshResult, { setActive: false });
+                await upsertOAuthAccount(refreshResult, {
+                    setActive: false,
+                    accountId: activeOAuthAccount?.accountId,
+                });
             }
             else {
                 if (LOGGING_ENABLED) {
@@ -1210,7 +1224,10 @@ async function getValidAccessToken(getAuth) {
                 resourceUrl,
             };
             saveToken(sdkToken);
-            await upsertOAuthAccount(sdkToken, { setActive: false });
+            await upsertOAuthAccount(sdkToken, {
+                setActive: false,
+                accountId: activeOAuthAccount?.accountId,
+            });
         }
         catch (e) {
             logWarn("Failed to bootstrap .qwen token from SDK auth state:", e);
@@ -1400,14 +1417,17 @@ export const QwenAuthPlugin = async (_input) => {
                 models: {
                     "coder-model": {
                         id: "coder-model",
-                        name: "Qwen 3.5 Plus)",
-                        // Qwen does not support reasoning_effort from OpenCode UI
-                        // Thinking is always enabled by default on server side (qwen3.5-plus)
+                        name: "Qwen 3.5 Plus",
                         attachment: false,
-                        reasoning: false,
+                        reasoning: true,
                         limit: { context: 1048576, output: CHAT_MAX_TOKENS_CAP },
                         cost: { input: 0, output: 0 },
                         modalities: { input: ["text"], output: ["text"] },
+                        variants: {
+                            low: { disabled: true },
+                            medium: { disabled: true },
+                            high: { disabled: true },
+                        },
                     },
                     "vision-model": {
                         id: "vision-model",

package/dist/lib/auth/auth.js CHANGED Viewed

@@ -7,6 +7,7 @@
 import { generatePKCE } from "@openauthjs/openauth/pkce";
 import { readFileSync, writeFileSync, existsSync, mkdirSync, unlinkSync, renameSync, statSync } from "fs";
+import { dirname } from "path";
 import { QWEN_OAUTH, DEFAULT_QWEN_BASE_URL, TOKEN_REFRESH_BUFFER_MS, VERIFICATION_URI } from "../constants.js";
 import { getTokenPath, getQwenDir, getTokenLockPath, getLegacyTokenPath, getAccountsPath, getAccountsLockPath } from "../config.js";
 import { logError, logWarn, logInfo, LOGGING_ENABLED } from "../logger.js";
@@ -307,11 +308,15 @@ function buildAccountEntry(tokenData, accountId, accountKey) {
 }
 function writeAccountsStoreData(store) {
+    const accountsPath = getAccountsPath();
+    const accountsDir = dirname(accountsPath);
     const qwenDir = getQwenDir();
     if (!existsSync(qwenDir)) {
         mkdirSync(qwenDir, { recursive: true, mode: 0o700 });
     }
-    const accountsPath = getAccountsPath();
+    if (!existsSync(accountsDir)) {
+        mkdirSync(accountsDir, { recursive: true, mode: 0o700 });
+    }
     const tempPath = `${accountsPath}.tmp.${Date.now().toString(36)}-${Math.random().toString(16).slice(2)}`;
     const payload = {
         version: ACCOUNT_STORE_VERSION,
@@ -583,9 +588,9 @@ function releaseTokenLock(lockPath) {
 async function acquireAccountsLock() {
     const lockPath = getAccountsLockPath();
-    const qwenDir = getQwenDir();
-    if (!existsSync(qwenDir)) {
-        mkdirSync(qwenDir, { recursive: true, mode: 0o700 });
+    const lockDir = dirname(lockPath);
+    if (!existsSync(lockDir)) {
+        mkdirSync(lockDir, { recursive: true, mode: 0o700 });
     }
     const lockValue = `${process.pid}-${Date.now()}-${Math.random().toString(16).slice(2)}`;
     let waitMs = LOCK_ATTEMPT_INTERVAL_MS;
@@ -1096,89 +1101,140 @@ export async function upsertOAuthAccount(tokenResult, options = {}) {
 export async function getActiveOAuthAccount(options = {}) {
     migrateLegacyTokenToAccountsIfNeeded();
-    const lockPath = await acquireAccountsLock();
-    let selected = null;
-    let dirty = false;
-    try {
-        const store = loadAccountsStoreData();
-        const now = Date.now();
-        if (store.accounts.length === 0) {
-            return null;
-        }
-        if (typeof options.preferredAccountId === "string" && options.preferredAccountId.length > 0) {
-            const exists = store.accounts.some(account => account.id === options.preferredAccountId);
-            if (exists && store.activeAccountId !== options.preferredAccountId) {
-                store.activeAccountId = options.preferredAccountId;
+    const preferredAccountId = typeof options.preferredAccountId === "string" && options.preferredAccountId.length > 0
+        ? options.preferredAccountId
+        : null;
+    const attemptedAuthRejected = new Set();
+    for (;;) {
+        const lockPath = await acquireAccountsLock();
+        let selected = null;
+        let dirty = false;
+        try {
+            const store = loadAccountsStoreData();
+            const now = Date.now();
+            if (store.accounts.length === 0) {
+                return null;
+            }
+            if (attemptedAuthRejected.size === 0 && preferredAccountId) {
+                const exists = store.accounts.some(account => account.id === preferredAccountId);
+                if (exists && store.activeAccountId !== preferredAccountId) {
+                    store.activeAccountId = preferredAccountId;
+                    dirty = true;
+                }
+            }
+            let active = store.accounts.find(account => account.id === store.activeAccountId);
+            if (!active) {
+                active = store.accounts[0];
+                store.activeAccountId = active.id;
                 dirty = true;
             }
+            const activeHealthy = !(typeof active.exhaustedUntil === "number" && active.exhaustedUntil > now);
+            if (!activeHealthy && !options.allowExhausted) {
+                const replacement = pickNextHealthyAccount(store, new Set(), now);
+                if (!replacement) {
+                    return null;
+                }
+                if (store.activeAccountId !== replacement.id) {
+                    store.activeAccountId = replacement.id;
+                    dirty = true;
+                }
+                active = replacement;
+            }
+            const healthyCount = countHealthyAccounts(store, now);
+            selected = {
+                account: { ...active },
+                healthyCount,
+                totalCount: store.accounts.length,
+            };
+            if (dirty) {
+                writeAccountsStoreData(store);
+            }
         }
-        let active = store.accounts.find(account => account.id === store.activeAccountId);
-        if (!active) {
-            active = store.accounts[0];
-            store.activeAccountId = active.id;
-            dirty = true;
+        finally {
+            releaseAccountsLock(lockPath);
         }
-        const activeHealthy = !(typeof active.exhaustedUntil === "number" && active.exhaustedUntil > now);
-        if (!activeHealthy && !options.allowExhausted) {
-            const replacement = pickNextHealthyAccount(store, new Set(), now);
-            if (!replacement) {
-                return null;
-            }
-            if (store.activeAccountId !== replacement.id) {
-                store.activeAccountId = replacement.id;
-                dirty = true;
+        if (!selected) {
+            return null;
+        }
+        if (options.requireHealthy && selected.account.exhaustedUntil > Date.now()) {
+            return null;
+        }
+        try {
+            syncAccountToLegacyTokenFile(selected.account);
+        }
+        catch (error) {
+            logWarn("Failed to sync active account token to oauth_creds.json", error);
+            return null;
+        }
+        const valid = await getValidTokenDetailed({ clearOnFailure: false });
+        if (valid.type === "success") {
+            const latest = loadStoredToken();
+            if (latest) {
+                try {
+                    await withAccountsStoreLock((store) => {
+                        const target = store.accounts.find(account => account.id === selected.account.id);
+                        if (!target) {
+                            return store;
+                        }
+                        target.token = latest;
+                        target.resource_url = latest.resource_url;
+                        target.updatedAt = Date.now();
+                        return store;
+                    });
+                }
+                catch (error) {
+                    logWarn("Failed to update account token from refreshed legacy token", error);
+                }
             }
-            active = replacement;
+            return buildRuntimeAccountResponse(selected.account, selected.healthyCount, selected.totalCount, valid.accessToken, valid.resourceUrl);
         }
-        const healthyCount = countHealthyAccounts(store, now);
-        selected = {
-            account: { ...active },
-            healthyCount,
-            totalCount: store.accounts.length,
-        };
-        if (dirty) {
-            writeAccountsStoreData(store);
+        if (valid.type !== "auth_rejected") {
+            return null;
         }
-    }
-    finally {
-        releaseAccountsLock(lockPath);
-    }
-    if (!selected) {
-        return null;
-    }
-    if (options.requireHealthy && selected.account.exhaustedUntil > Date.now()) {
-        return null;
-    }
-    try {
-        syncAccountToLegacyTokenFile(selected.account);
-    }
-    catch (error) {
-        logWarn("Failed to sync active account token to oauth_creds.json", error);
-        return null;
-    }
-    const valid = await getValidToken();
-    if (!valid) {
-        return null;
-    }
-    const latest = loadStoredToken();
-    if (latest) {
+        attemptedAuthRejected.add(selected.account.id);
+        if (attemptedAuthRejected.size >= selected.totalCount) {
+            if (LOGGING_ENABLED) {
+                logWarn("All OAuth accounts rejected with auth_invalid, re-authentication required", {
+                    attempted: attemptedAuthRejected.size,
+                    total: selected.totalCount,
+                });
+            }
+            return null;
+        }
+        let switchedToHealthy = false;
         try {
             await withAccountsStoreLock((store) => {
+                const now = Date.now();
                 const target = store.accounts.find(account => account.id === selected.account.id);
                 if (!target) {
                     return store;
                 }
-                target.token = latest;
-                target.resource_url = latest.resource_url;
-                target.updatedAt = Date.now();
+                target.exhaustedUntil = now + getQuotaCooldownMs();
+                target.lastErrorCode = "auth_invalid";
+                target.updatedAt = now;
+                const next = pickNextHealthyAccount(store, attemptedAuthRejected, now);
+                if (next) {
+                    store.activeAccountId = next.id;
+                    switchedToHealthy = true;
+                }
                 return store;
             });
         }
         catch (error) {
-            logWarn("Failed to update account token from refreshed legacy token", error);
+            logWarn("Failed to switch OAuth account after auth_invalid", error);
+            return null;
+        }
+        if (!switchedToHealthy) {
+            if (LOGGING_ENABLED) {
+                logWarn("No healthy OAuth account available after auth_invalid", {
+                    accountID: selected.account.id,
+                    attempted: attemptedAuthRejected.size,
+                    total: selected.totalCount,
+                });
+            }
+            return null;
         }
     }
-    return buildRuntimeAccountResponse(selected.account, selected.healthyCount, selected.totalCount, valid.accessToken, valid.resourceUrl);
 }
 export async function markOAuthAccountQuotaExhausted(accountId, errorCode = "insufficient_quota") {
@@ -1248,18 +1304,15 @@ export function isTokenExpired(expiresAt) {
     return Date.now() >= expiresAt - TOKEN_REFRESH_BUFFER_MS;
 }
-/**
- * Gets valid access token, refreshing if expired
- * @returns {Promise<{ accessToken: string, resourceUrl?: string }|null>} Valid token or null if unavailable
- */
-export async function getValidToken() {
+async function getValidTokenDetailed(options = {}) {
+    const clearOnFailure = options.clearOnFailure === true;
     const stored = loadStoredToken();
     if (!stored) {
-        return null;
+        return { type: "missing" };
     }
-    // Return cached token if still valid
     if (!isTokenExpired(stored.expiry_date)) {
         return {
+            type: "success",
             accessToken: stored.access_token,
             resourceUrl: stored.resource_url,
         };
@@ -1267,16 +1320,48 @@ export async function getValidToken() {
     if (LOGGING_ENABLED) {
         logInfo("Token expired, refreshing...");
     }
-    // Token expired, try to refresh
     const refreshResult = await refreshAccessToken(stored.refresh_token);
-    if (refreshResult.type !== "success") {
-        logError("Token refresh failed, re-authentication required");
+    if (refreshResult.type === "success") {
+        return {
+            type: "success",
+            accessToken: refreshResult.access,
+            resourceUrl: refreshResult.resourceUrl,
+        };
+    }
+    const status = typeof refreshResult.status === "number" ? refreshResult.status : undefined;
+    const isAuthRejected = status === 401 ||
+        status === 403 ||
+        refreshResult.error === "refresh_token_rejected";
+    if (clearOnFailure) {
         clearStoredToken();
+    }
+    if (isAuthRejected) {
+        return {
+            type: "auth_rejected",
+            status,
+            error: refreshResult.error || "refresh_token_rejected",
+        };
+    }
+    return {
+        type: "transient_or_unknown",
+        status,
+        error: refreshResult.error || "refresh_failed",
+    };
+}
+/**
+ * Gets valid access token, refreshing if expired
+ * @returns {Promise<{ accessToken: string, resourceUrl?: string }|null>} Valid token or null if unavailable
+ */
+export async function getValidToken() {
+    const result = await getValidTokenDetailed({ clearOnFailure: true });
+    if (result.type !== "success") {
+        logError("Token refresh failed, re-authentication required");
         return null;
     }
     return {
-        accessToken: refreshResult.access,
-        resourceUrl: refreshResult.resourceUrl,
+        accessToken: result.accessToken,
+        resourceUrl: result.resourceUrl,
     };
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "opencode-qwen-cli-auth",
-  "version": "2.3.6",
+  "version": "2.3.8",
   "description": "Qwen OAuth authentication plugin for opencode - use your Qwen account instead of API keys",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",