opencode-supabase 0.0.1

package/src/server/store.ts

@@ -0,0 +1,53 @@
+import type { PluginInput } from "@opencode-ai/plugin";
+import { mkdir } from "node:fs/promises";
+import { dirname, join } from "node:path";
+
+type StoreInput = Pick<PluginInput, "directory" | "worktree">;
+
+export type SavedAuth = {
+  access: string;
+  refresh: string;
+  expires: number;
+};
+
+export type SavedState = {
+  version: 1;
+  auth?: SavedAuth;
+};
+
+const STORE_FILE = "supabase-auth.json";
+
+export function file(input: StoreInput): string {
+  const root = input.worktree || input.directory;
+  return join(root, ".opencode", STORE_FILE);
+}
+
+export async function read(input: StoreInput): Promise<SavedState> {
+  const authFile = Bun.file(file(input));
+  if (!(await authFile.exists())) {
+    return { version: 1 };
+  }
+
+  const parsed = JSON.parse(await authFile.text()) as SavedState;
+  if (parsed.version !== 1) {
+    throw new Error("Unsupported Supabase auth store version");
+  }
+  return parsed.auth ? { version: 1, auth: parsed.auth } : { version: 1 };
+}
+
+export async function write(input: StoreInput, auth: SavedAuth): Promise<void> {
+  const path = file(input);
+  await mkdir(dirname(path), { recursive: true });
+  await Bun.write(path, JSON.stringify({ version: 1, auth }, null, 2));
+}
+
+export async function clear(input: StoreInput): Promise<void> {
+  const path = file(input);
+  await mkdir(dirname(path), { recursive: true });
+  await Bun.write(path, JSON.stringify({ version: 1 }, null, 2));
+}
+
+export const getStoreFile = file;
+export const readSavedAuth = read;
+export const writeSavedAuth = write;
+export const clearSavedAuth = clear;

package/src/server/tools.ts

@@ -0,0 +1,245 @@
+import type { PluginOptions } from "@opencode-ai/plugin";
+import type { ToolContext } from "@opencode-ai/plugin/tool";
+import { tool } from "@opencode-ai/plugin";
+
+import {
+  BrokerClientError,
+  refreshTokenThroughBroker,
+} from "../shared/broker.ts";
+import { supabaseManagementApiFetch } from "../shared/api.ts";
+import { readSupabaseConfig } from "../shared/cfg.ts";
+import type { FetchLike } from "../shared/types.ts";
+import { clearSavedAuth, readSavedAuth, writeSavedAuth, type SavedAuth } from "./store.ts";
+
+type ToolDeps = {
+  fetch?: FetchLike;
+};
+
+type HostAuthWriter = {
+  set(input: {
+    path: { id: string };
+    query: { directory: string };
+    body: {
+      type: "oauth";
+      access: string;
+      refresh: string;
+      expires: number;
+    };
+  }): Promise<unknown>;
+};
+
+export type SupabaseToolInput = {
+  client: {
+    auth: HostAuthWriter;
+  };
+  directory: string;
+  serverUrl: URL;
+  worktree: string;
+};
+
+type SupabaseToolContext = Pick<
+  ToolContext,
+  "directory" | "worktree" | "abort" | "sessionID" | "messageID" | "agent" | "metadata" | "ask"
+>;
+
+const NOT_CONNECTED_MESSAGE = "Supabase is not connected. Run /supabase first.";
+const REFRESH_BUFFER_MS = 30_000;
+
+function isRefreshNeeded(auth: SavedAuth) {
+  return auth.expires <= Date.now() + REFRESH_BUFFER_MS;
+}
+
+function generateRandomString(length: number) {
+  const bytes = crypto.getRandomValues(new Uint8Array(length));
+  return btoa(String.fromCharCode(...bytes))
+    .replace(/\+/g, "-")
+    .replace(/\//g, "_")
+    .replace(/=+$/, "")
+    .slice(0, length);
+}
+
+async function executeSupabaseRequest(
+  input: SupabaseToolInput,
+  options: PluginOptions | undefined,
+  deps: ToolDeps,
+  path: string,
+  errorLabel: string,
+  init?: RequestInit,
+) {
+  const config = readSupabaseConfig(options);
+  const auth = await ensureSupabaseToolAuth(input, options, deps);
+  const response = await supabaseManagementApiFetch(
+    config,
+    auth.access,
+    path,
+    init,
+    deps.fetch,
+  );
+
+  if (!response.ok) {
+    const body = await response.text().catch(() => "");
+    throw new Error(`Failed to ${errorLabel}: ${response.status} ${body}`.trim());
+  }
+
+  return JSON.stringify(await response.json(), null, 2);
+}
+
+async function executeSupabaseGet(
+  input: SupabaseToolInput,
+  options: PluginOptions | undefined,
+  deps: ToolDeps,
+  path: string,
+  errorLabel: string,
+) {
+  return executeSupabaseRequest(input, options, deps, path, errorLabel);
+}
+
+async function setHostAuth(
+  input: Pick<SupabaseToolInput, "client" | "directory">,
+  auth: SavedAuth,
+) {
+  await input.client.auth.set({
+    path: { id: "supabase" },
+    query: { directory: input.directory },
+    body: {
+      type: "oauth",
+      access: auth.access,
+      refresh: auth.refresh,
+      expires: auth.expires,
+    },
+  });
+}
+
+async function clearHostAuth(
+  input: Pick<SupabaseToolInput, "directory" | "serverUrl">,
+  fetchImpl: FetchLike,
+) {
+  const url = new URL(`/auth/supabase?directory=${encodeURIComponent(input.directory)}`, input.serverUrl);
+  const response = await fetchImpl(url.toString(), { method: "DELETE" });
+  if (!response.ok) {
+    throw new Error(`Failed to clear host auth: ${response.status}`);
+  }
+}
+
+export async function ensureSupabaseToolAuth(
+  input: SupabaseToolInput,
+  options?: PluginOptions,
+  deps: ToolDeps = {},
+): Promise<SavedAuth> {
+  const fetchImpl = deps.fetch ?? fetch;
+  const saved = await readSavedAuth(input);
+  if (!saved.auth) {
+    throw new Error(NOT_CONNECTED_MESSAGE);
+  }
+
+  if (!isRefreshNeeded(saved.auth)) {
+    return saved.auth;
+  }
+
+  const config = readSupabaseConfig(options);
+
+  try {
+    const refreshed = await refreshTokenThroughBroker(
+      { baseUrl: config.brokerBaseUrl },
+      { refresh_token: saved.auth.refresh },
+      deps.fetch,
+    );
+
+    const nextAuth: SavedAuth = {
+      access: refreshed.access_token,
+      refresh: refreshed.refresh_token,
+      expires: Date.now() + (refreshed.expires_in ?? 3600) * 1000,
+    };
+    await writeSavedAuth(input, nextAuth);
+    try {
+      await setHostAuth(input, nextAuth);
+    } catch {}
+    return nextAuth;
+  } catch (error) {
+    if (error instanceof BrokerClientError && (error.status === 401 || error.status === 400)) {
+      await clearSavedAuth(input);
+      try {
+        await clearHostAuth(input, fetchImpl);
+      } catch {}
+      throw new Error(NOT_CONNECTED_MESSAGE);
+    }
+
+    if (error instanceof BrokerClientError) {
+      throw new Error(`Supabase auth refresh failed: ${error.message}`);
+    }
+    throw error;
+  }
+}
+
+export function createSupabaseTools(
+  input: SupabaseToolInput,
+  options?: PluginOptions,
+  deps: ToolDeps = {},
+) {
+  return {
+    supabase_list_organizations: tool({
+      description: "List all Supabase organizations for the authenticated user.",
+      args: {},
+      async execute(_args, _context: SupabaseToolContext) {
+        return executeSupabaseGet(input, options, deps, "/organizations", "list organizations");
+      },
+    }),
+    supabase_list_projects: tool({
+      description: "List all Supabase projects for the authenticated user.",
+      args: {},
+      async execute(_args, _context: SupabaseToolContext) {
+        return executeSupabaseGet(input, options, deps, "/projects", "list projects");
+      },
+    }),
+    supabase_get_project_api_keys: tool({
+      description: "Get the API keys for a Supabase project.",
+      args: {
+        project_ref: tool.schema.string().describe("Project reference ID"),
+      },
+      async execute(args, _context: SupabaseToolContext) {
+        return executeSupabaseGet(
+          input,
+          options,
+          deps,
+          `/projects/${args.project_ref}/api-keys`,
+          "get API keys",
+        );
+      },
+    }),
+    supabase_create_project: tool({
+      description: "Create a new Supabase project in an organization.",
+      args: {
+        organization_id: tool.schema.string().describe("Organization ID to create the project in"),
+        name: tool.schema.string().describe("Project name"),
+        region: tool.schema.string().describe("Database region").optional(),
+        db_pass: tool.schema.string().describe("Database password").optional(),
+      },
+      async execute(args, _context: SupabaseToolContext) {
+        return executeSupabaseRequest(
+          input,
+          options,
+          deps,
+          "/projects",
+          "create project",
+          {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({
+              organization_id: args.organization_id,
+              name: args.name,
+              region: args.region ?? "us-east-1",
+              db_pass: args.db_pass ?? generateRandomString(32),
+            }),
+          },
+        );
+      },
+    }),
+    supabase_login: tool({
+      description: "Explain how to connect Supabase in the TUI.",
+      args: {},
+      async execute(_args, _context: SupabaseToolContext) {
+        return "Supabase login must be completed in the TUI. Run /supabase first.";
+      },
+    }),
+  };
+}

package/src/shared/api.ts

@@ -0,0 +1,24 @@
+export const DEFAULT_SUPABASE_OAUTH_AUTHORIZE_URL = "https://api.supabase.com/v1/oauth/authorize";
+export const DEFAULT_SUPABASE_API_BASE_URL = "https://api.supabase.com/v1";
+export const DEFAULT_SUPABASE_BROKER_URL = "https://iaoxncwzemnfxcdwakzb.supabase.co/functions/v1/opencode-supabase-broker";
+
+import type { FetchLike, SupabaseSharedConfig } from "./types.ts";
+
+export async function supabaseManagementApiFetch(
+  config: Pick<SupabaseSharedConfig, "apiBaseUrl">,
+  accessToken: string,
+  path: string,
+  init?: RequestInit,
+  fetchImpl: FetchLike = fetch,
+): Promise<Response> {
+  const url = `${config.apiBaseUrl.replace(/\/$/, "")}${path.startsWith("/") ? path : `/${path}`}`;
+
+  return fetchImpl(url, {
+    ...init,
+    headers: {
+      Accept: "application/json",
+      Authorization: `Bearer ${accessToken}`,
+      ...(init?.headers ?? {}),
+    },
+  });
+}

package/src/shared/broker.ts

@@ -0,0 +1,179 @@
+import type { FetchLike, SupabaseTokenResponse } from "./types.ts";
+
+export type BrokerConfig = {
+  baseUrl: string;
+};
+
+export type ExchangeRequest = {
+  code: string;
+  code_verifier: string;
+  redirect_uri: string;
+};
+
+export type RefreshRequest = {
+  refresh_token: string;
+};
+
+export type BrokerErrorCode =
+  | "invalid_request"
+  | "unauthorized"
+  | "rate_limited"
+  | "upstream_error"
+  | "server_error";
+
+export type BrokerError = {
+  code: BrokerErrorCode;
+  message: string;
+  status: number;
+};
+
+export class BrokerClientError extends Error {
+  readonly code: BrokerErrorCode;
+  readonly status: number;
+
+  constructor(error: BrokerError) {
+    super(error.message);
+    this.name = "BrokerClientError";
+    this.code = error.code;
+    this.status = error.status;
+  }
+}
+
+function normalizeTokenResponse(payload: unknown): SupabaseTokenResponse {
+  if (!payload || typeof payload !== "object") {
+    throw new BrokerClientError({
+      code: "upstream_error",
+      message: "broker returned an invalid token response",
+      status: 502,
+    });
+  }
+
+  const record = payload as Record<string, unknown>;
+
+  if (typeof record.access_token !== "string" || record.access_token.length === 0) {
+    throw new BrokerClientError({
+      code: "upstream_error",
+      message: "broker returned an invalid token response",
+      status: 502,
+    });
+  }
+
+  if (typeof record.refresh_token !== "string" || record.refresh_token.length === 0) {
+    throw new BrokerClientError({
+      code: "upstream_error",
+      message: "broker returned an invalid token response",
+      status: 502,
+    });
+  }
+
+  if (typeof record.expires_in !== "number" || !Number.isFinite(record.expires_in)) {
+    throw new BrokerClientError({
+      code: "upstream_error",
+      message: "broker returned an invalid token response",
+      status: 502,
+    });
+  }
+
+  if (typeof record.token_type !== "string" || record.token_type.length === 0) {
+    throw new BrokerClientError({
+      code: "upstream_error",
+      message: "broker returned an invalid token response",
+      status: 502,
+    });
+  }
+
+  return {
+    access_token: record.access_token,
+    refresh_token: record.refresh_token,
+    expires_in: record.expires_in,
+    token_type: record.token_type,
+  };
+}
+
+async function makeBrokerRequest(
+  config: BrokerConfig,
+  endpoint: string,
+  body: unknown,
+  fetchImpl: FetchLike,
+): Promise<SupabaseTokenResponse> {
+  const url = `${config.baseUrl.replace(/\/$/, "")}${endpoint}`;
+
+  let response: Response;
+
+  try {
+    response = await fetchImpl(url, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Accept: "application/json",
+      },
+      body: JSON.stringify(body),
+    });
+  } catch (cause) {
+    throw new BrokerClientError({
+      code: "upstream_error",
+      message: "broker request failed",
+      status: 502,
+    });
+  }
+
+  let payload: unknown;
+
+  try {
+    payload = await response.json();
+  } catch {
+    throw new BrokerClientError({
+      code: "upstream_error",
+      message: "broker returned an invalid response",
+      status: 502,
+    });
+  }
+
+  if (!response.ok) {
+    const errorBody = payload as Record<string, unknown> | undefined;
+    const error = errorBody?.error as Record<string, unknown> | undefined;
+
+    const code = (error?.code as BrokerErrorCode) || "upstream_error";
+    const message = (error?.message as string) || "broker request failed";
+
+    throw new BrokerClientError({
+      code,
+      message,
+      status: response.status,
+    });
+  }
+
+  return normalizeTokenResponse(payload);
+}
+
+export async function exchangeCodeThroughBroker(
+  config: BrokerConfig,
+  input: ExchangeRequest,
+  fetchImpl: FetchLike = fetch,
+): Promise<SupabaseTokenResponse> {
+  return makeBrokerRequest(
+    config,
+    "/exchange",
+    {
+      code: input.code,
+      code_verifier: input.code_verifier,
+      redirect_uri: input.redirect_uri,
+    },
+    fetchImpl,
+  );
+}
+
+export async function refreshTokenThroughBroker(
+  config: BrokerConfig,
+  input: RefreshRequest,
+  fetchImpl: FetchLike = fetch,
+): Promise<SupabaseTokenResponse> {
+  return makeBrokerRequest(
+    config,
+    "/refresh",
+    {
+      refresh_token: input.refresh_token,
+    },
+    fetchImpl,
+  );
+}

package/src/shared/cfg.ts

@@ -0,0 +1,71 @@
+import type { PluginOptions } from "@opencode-ai/plugin";
+
+import {
+  DEFAULT_SUPABASE_API_BASE_URL,
+  DEFAULT_SUPABASE_BROKER_URL,
+  DEFAULT_SUPABASE_OAUTH_AUTHORIZE_URL,
+} from "./api.ts";
+import type { SupabaseEnv, SupabaseSharedConfig } from "./types.ts";
+
+function readStringOption(options: PluginOptions | undefined, key: string) {
+  const value = options?.[key];
+  return typeof value === "string" && value.trim() ? value.trim() : undefined;
+}
+
+function readEnvString(value: string | undefined): string | undefined {
+  return typeof value === "string" && value.trim() ? value.trim() : undefined;
+}
+
+function readPortOption(options: PluginOptions | undefined, key: string) {
+  const value = options?.[key];
+  if (typeof value === "number") return value;
+  if (typeof value === "string" && value.trim()) return value.trim();
+  return undefined;
+}
+
+function requireString(value: string | undefined, key: string) {
+  if (!value) {
+    throw new Error(`Missing required Supabase config: ${key}`);
+  }
+  return value;
+}
+
+function requirePort(value: number | string | undefined) {
+  if (value === undefined) {
+    throw new Error("Missing required Supabase config: oauthPort");
+  }
+
+  const parsed = typeof value === "number" ? value : Number.parseInt(value, 10);
+  if (!Number.isInteger(parsed) || parsed <= 0) {
+    throw new Error("Invalid Supabase config: oauthPort must be a positive integer");
+  }
+
+  return parsed;
+}
+
+export function readSupabaseConfig(
+  options: PluginOptions | undefined,
+  env: SupabaseEnv = process.env,
+): SupabaseSharedConfig {
+  const clientId = requireString(
+    readStringOption(options, "clientId") ?? env.OPENCODE_SUPABASE_OAUTH_CLIENT_ID,
+    "clientId",
+  );
+  const oauthPort = requirePort(
+    readPortOption(options, "oauthPort") ?? env.OPENCODE_SUPABASE_OAUTH_PORT,
+  );
+  const brokerBaseUrl =
+    readStringOption(options, "brokerBaseUrl") ?? readEnvString(env.OPENCODE_SUPABASE_BROKER_URL) ?? DEFAULT_SUPABASE_BROKER_URL;
+
+  return {
+    clientId,
+    oauthPort,
+    authorizeUrl:
+      readStringOption(options, "authorizeUrl") ??
+      env.SUPABASE_OAUTH_AUTHORIZE_URL ??
+      DEFAULT_SUPABASE_OAUTH_AUTHORIZE_URL,
+    brokerBaseUrl,
+    apiBaseUrl:
+      readStringOption(options, "apiBaseUrl") ?? env.SUPABASE_API_BASE_URL ?? DEFAULT_SUPABASE_API_BASE_URL,
+  };
+}

package/src/shared/oauth.ts

@@ -0,0 +1,48 @@
+import type { PkceCodes, SupabaseSharedConfig } from "./types.ts";
+
+const PKCE_CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
+
+export async function generatePKCE(): Promise<PkceCodes> {
+  const verifier = generateRandomString(43);
+  const encoder = new TextEncoder();
+  const hash = await crypto.subtle.digest("SHA-256", encoder.encode(verifier));
+  return {
+    verifier,
+    challenge: base64UrlEncode(hash),
+  };
+}
+
+export function generateRandomString(length: number): string {
+  const bytes = crypto.getRandomValues(new Uint8Array(length));
+  return Array.from(bytes)
+    .map((value) => PKCE_CHARSET[value % PKCE_CHARSET.length])
+    .join("");
+}
+
+export function base64UrlEncode(buffer: ArrayBuffer): string {
+  const bytes = new Uint8Array(buffer);
+  const binary = String.fromCharCode(...bytes);
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+
+export function generateState(): string {
+  return base64UrlEncode(crypto.getRandomValues(new Uint8Array(32)).buffer);
+}
+
+export function buildAuthorizeUrl(
+  config: Pick<SupabaseSharedConfig, "authorizeUrl" | "clientId">,
+  redirectUri: string,
+  pkce: PkceCodes,
+  state: string,
+): string {
+  const params = new URLSearchParams({
+    response_type: "code",
+    client_id: config.clientId,
+    redirect_uri: redirectUri,
+    code_challenge: pkce.challenge,
+    code_challenge_method: "S256",
+    state,
+  });
+
+  return `${config.authorizeUrl}?${params.toString()}`;
+}

package/src/shared/types.ts

@@ -0,0 +1,35 @@
+import type { PluginOptions } from "@opencode-ai/plugin";
+
+export type SupabaseEnv = Record<string, string | undefined>;
+
+export type SupabaseConfigSource = PluginOptions | undefined;
+
+export type SupabaseSharedConfig = {
+  clientId: string;
+  oauthPort: number;
+  authorizeUrl: string;
+  brokerBaseUrl: string;
+  apiBaseUrl: string;
+};
+
+export type PkceCodes = {
+  verifier: string;
+  challenge: string;
+};
+
+export type SupabaseTokenResponse = {
+  access_token: string;
+  refresh_token: string;
+  expires_in?: number;
+  token_type?: string;
+  id_token?: string;
+  scope?: string;
+};
+
+export type TokenExchangeInput = {
+  code: string;
+  redirectUri: string;
+  codeVerifier: string;
+};
+
+export type FetchLike = (input: string | URL | Request, init?: RequestInit) => Promise<Response>;

package/src/tui/commands.ts

@@ -0,0 +1,8 @@
+export function createSupabaseCommand(openDialog: () => void) {
+  return {
+    title: "Connect Supabase",
+    value: "supabase.connect",
+    slash: { name: "supabase" },
+    onSelect: openDialog,
+  };
+}