npm - opencode-supabase - Versions diffs - 0.0.5 → 0.0.7-alpha.0 - Mend

opencode-supabase 0.0.5 → 0.0.7-alpha.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -20,6 +20,18 @@ Launch `opencode` in your project, then run:
 Connect your account and ask your agent about Supabase capabilities.
+## OAuth Callback Contract
+Plugin uses fixed localhost callback window for browser auth:
+- `http://localhost:14589/auth/callback`
+- `http://localhost:14590/auth/callback`
+- `http://localhost:14591/auth/callback`
+Your Supabase OAuth app must allow all 3 redirect URIs.
+Maintainer note: deployed OAuth app config must stay in sync with this fixed callback set. If callback ports change in code later, update OAuth app setup too.
 ## Debug Logging
 If you hit auth or tool errors and need logs for an issue, collect the newest OpenCode session log from its default log directory:
@@ -45,3 +57,17 @@ Then share that newest session log file in the issue. In our testing, the sessio
 ## Reference
 - Supabase Management API: https://supabase.com/docs/reference/api/introduction
+## Releasing
+For user-visible or package-relevant changes, add a changeset in your PR:
+```bash
+bun run changeset
+```
+Commit the generated `.changeset/*.md` file with your code change.
+Maintainers use a release PR workflow driven by Changesets. Internal-only changes can use the `no-changeset` label when appropriate.
+See `docs/releasing.md` for the full maintainer runbook.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "opencode-supabase",
-  "version": "0.0.5",
+  "version": "0.0.7-alpha.0",
   "type": "module",
   "description": "OpenCode plugin for Supabase integration with server and TUI components",
   "license": "Apache-2.0",
@@ -26,7 +26,10 @@
     "lint": "biome check .",
     "verify:pack": "npm pack --dry-run",
     "typecheck": "bunx tsc --noEmit",
-    "test": "bun test"
+    "test": "bun test",
+    "changeset": "changeset",
+    "version-packages": "changeset version",
+    "release": "changeset publish"
   },
   "dependencies": {
     "@opencode-ai/plugin": "latest",
@@ -36,6 +39,7 @@
   },
   "devDependencies": {
     "@biomejs/biome": "^1.9.4",
+    "@changesets/cli": "^2.30.0",
     "@opentui/core": "0.1.95",
     "@opentui/solid": "0.1.95",
     "@types/bun": "latest",

package/src/server/auth.ts CHANGED Viewed

@@ -15,6 +15,7 @@ import { writeSavedAuth } from "./store.ts";
 const CALLBACK_PATH = "/auth/callback";
 const CALLBACK_TIMEOUT_MS = 5 * 60 * 1000;
+const CALLBACK_PORTS = [14589, 14590, 14591] as const;
 type PendingAuth = {
   codeVerifier: string;
@@ -25,6 +26,7 @@ type PendingAuth = {
 };
 type AuthDeps = {
+  callbackPorts?: number[];
   fetch?: FetchLike;
   logger?: SupabaseLogger;
   setCallbackTimeout?: typeof setTimeout;
@@ -38,6 +40,13 @@ function callbackUrl(port: number) {
   return `http://localhost:${port}${CALLBACK_PATH}`;
 }
+function normalizeCallbackPorts(ports: readonly number[]) {
+  if (ports.length === 0) {
+    throw new Error("Supabase callback ports must not be empty");
+  }
+  return [...ports];
+}
 async function isPortInUse(port: number) {
   return new Promise<boolean>((resolve) => {
     const socket = createConnection(port, "localhost");
@@ -52,139 +61,183 @@ async function isPortInUse(port: number) {
 }
 async function ensureServer(
-  port: number,
-  config: ReturnType<typeof readSupabaseConfig>,
+  callbackPorts: readonly number[],
+  _config: ReturnType<typeof readSupabaseConfig>,
   input: Pick<PluginInput, "directory" | "worktree">,
   deps: AuthDeps,
 ) {
+  const candidatePorts = normalizeCallbackPorts(callbackPorts);
   if (server) {
-    if (serverPort !== port) {
+    if (!serverPort || !candidatePorts.includes(serverPort)) {
       throw new Error(`Supabase callback server already running on port ${serverPort}`);
     }
-    return;
-  }
-  if (await isPortInUse(port)) {
-    throw new Error(`Supabase callback port ${port} is already in use`);
+    return serverPort;
   }
   const brokerConfig: BrokerConfig = {
-    baseUrl: config.brokerBaseUrl,
+    baseUrl: _config.brokerBaseUrl,
   };
-  await deps.logger?.info("supabase callback server started", {
-    port,
-  });
+  let selectedPort: number | undefined;
+  for (const port of candidatePorts) {
+    const portBusy = await isPortInUse(port);
+    await deps.logger?.debug("supabase callback port probe", {
+      port,
+      available: !portBusy,
+    });
+    if (!portBusy) {
+      try {
+        server = Bun.serve({
+          port,
+          async fetch(req) {
+            const url = new URL(req.url);
+            if (url.pathname !== CALLBACK_PATH) {
+              return new Response("Not found", { status: 404 });
+            }
+            const state = url.searchParams.get("state");
+            await deps.logger?.debug("supabase auth callback received", {
+              has_state: Boolean(state),
+              has_code: Boolean(url.searchParams.get("code")),
+              has_error: Boolean(url.searchParams.get("error")),
+            });
+            if (!state) {
+              return new Response(htmlError("Missing required state parameter - potential CSRF attack"), {
+                status: 400,
+                headers: { "Content-Type": "text/html" },
+              });
+            }
+            const pending = pendingAuths.get(state);
+            if (!pending) {
+              return new Response(htmlError("Invalid or expired state parameter - potential CSRF attack"), {
+                status: 400,
+                headers: { "Content-Type": "text/html" },
+              });
+            }
+            const error = url.searchParams.get("error");
+            const errorDescription = url.searchParams.get("error_description");
+            if (error) {
+              clearTimeout(pending.timeout);
+              pendingAuths.delete(state);
+              await deps.logger?.error("supabase auth failed", {
+                reason: "provider_denied",
+              });
+              pending.reject(new Error(errorDescription || error));
+              await stopServerIfIdle(deps.logger, "provider_denied");
+              return new Response(htmlError(errorDescription || error), {
+                headers: { "Content-Type": "text/html" },
+              });
+            }
+            const code = url.searchParams.get("code");
+            if (!code) {
+              clearTimeout(pending.timeout);
+              pendingAuths.delete(state);
+              await deps.logger?.error("supabase auth failed", {
+                reason: "missing_code",
+              });
+              pending.reject(new Error("Missing authorization code"));
+              await stopServerIfIdle(deps.logger, "missing_code");
+              return new Response(htmlError("Missing authorization code"), {
+                status: 400,
+                headers: { "Content-Type": "text/html" },
+              });
+            }
+            clearTimeout(pending.timeout);
+            pendingAuths.delete(state);
+            try {
+              const tokens = await exchangeCodeThroughBroker(
+                brokerConfig,
+                {
+                  code,
+                  redirect_uri: pending.redirectUri,
+                  code_verifier: pending.codeVerifier,
+                },
+                deps.fetch,
+                deps.logger,
+              );
+              const expires = Date.now() + (tokens.expires_in || 3600) * 1000;
+              await writeSavedAuth(input, {
+                access: tokens.access_token,
+                refresh: tokens.refresh_token,
+                expires,
+              });
-  server = Bun.serve({
-    port,
-    async fetch(req) {
-      const url = new URL(req.url);
-      if (url.pathname !== CALLBACK_PATH) {
-        return new Response("Not found", { status: 404 });
-      }
+              pending.resolve({ tokens, expires });
-      const state = url.searchParams.get("state");
-      await deps.logger?.debug("supabase auth callback received", {
-        has_state: Boolean(state),
-        has_code: Boolean(url.searchParams.get("code")),
-        has_error: Boolean(url.searchParams.get("error")),
-      });
-      if (!state) {
-        return new Response(htmlError("Missing required state parameter - potential CSRF attack"), {
-          status: 400,
-          headers: { "Content-Type": "text/html" },
-        });
-      }
+              await deps.logger?.info("supabase auth completed", {
+                status: "success",
+              });
-      const pending = pendingAuths.get(state);
-      if (!pending) {
-        return new Response(htmlError("Invalid or expired state parameter - potential CSRF attack"), {
-          status: 400,
-          headers: { "Content-Type": "text/html" },
-        });
-      }
+              await stopServerIfIdle(deps.logger, "auth_completed");
-      const error = url.searchParams.get("error");
-      const errorDescription = url.searchParams.get("error_description");
-      if (error) {
-        clearTimeout(pending.timeout);
-        pendingAuths.delete(state);
-        await deps.logger?.error("supabase auth failed", {
-          reason: "provider_denied",
-        });
-        pending.reject(new Error(errorDescription || error));
-        return new Response(htmlError(errorDescription || error), {
-          headers: { "Content-Type": "text/html" },
-        });
-      }
+              return new Response(HTML_SUCCESS, {
+                headers: { "Content-Type": "text/html" },
+              });
+            } catch (cause) {
+              const errorMessage = cause instanceof BrokerClientError
+                ? `Authorization failed: ${cause.message}`
+                : "Authorization failed";
-      const code = url.searchParams.get("code");
-      if (!code) {
-        clearTimeout(pending.timeout);
-        pendingAuths.delete(state);
-        await deps.logger?.error("supabase auth failed", {
-          reason: "missing_code",
-        });
-        pending.reject(new Error("Missing authorization code"));
-        return new Response(htmlError("Missing authorization code"), {
-          status: 400,
-          headers: { "Content-Type": "text/html" },
-        });
-      }
+              await deps.logger?.error("supabase auth failed", {
+                status: cause instanceof BrokerClientError ? cause.status : 400,
+                broker_error: cause instanceof BrokerClientError,
+              });
-      clearTimeout(pending.timeout);
-      pendingAuths.delete(state);
+              pending.reject(cause instanceof Error ? cause : new Error(String(cause)));
+              await stopServerIfIdle(deps.logger, "broker_exchange_failed");
-      try {
-        const tokens = await exchangeCodeThroughBroker(
-          brokerConfig,
-          {
-            code,
-            redirect_uri: pending.redirectUri,
-            code_verifier: pending.codeVerifier,
+              return new Response(htmlError(errorMessage), {
+                status: cause instanceof BrokerClientError && cause.status >= 500 ? 502 : 400,
+                headers: { "Content-Type": "text/html" },
+              });
+            }
           },
-          deps.fetch,
-          deps.logger,
-        );
-        const expires = Date.now() + (tokens.expires_in || 3600) * 1000;
-        await writeSavedAuth(input, {
-          access: tokens.access_token,
-          refresh: tokens.refresh_token,
-          expires,
         });
-        pending.resolve({ tokens, expires });
-        await deps.logger?.info("supabase auth completed", {
-          status: "success",
-        });
-        return new Response(HTML_SUCCESS, {
-          headers: { "Content-Type": "text/html" },
-        });
-      } catch (cause) {
-        const errorMessage = cause instanceof BrokerClientError
-          ? `Authorization failed: ${cause.message}`
-          : "Authorization failed";
-        await deps.logger?.error("supabase auth failed", {
-          status: cause instanceof BrokerClientError ? cause.status : 400,
-          broker_error: cause instanceof BrokerClientError,
+        selectedPort = port;
+        break;
+      } catch (error) {
+        await deps.logger?.warn("supabase callback server bind failed", {
+          port,
+          message: error instanceof Error ? error.message : String(error),
         });
+      }
+    }
+  }
-        pending.reject(cause instanceof Error ? cause : new Error(String(cause)));
+  if (selectedPort === undefined) {
+    await deps.logger?.error("supabase callback port window exhausted", {
+      ports_tried: candidatePorts,
+    });
+    throw new Error(
+      `Supabase callback ports busy: ${candidatePorts.join(", ")}. Close other OpenCode sessions and retry.`,
+    );
+  }
-        return new Response(htmlError(errorMessage), {
-          status: cause instanceof BrokerClientError && cause.status >= 500 ? 502 : 400,
-          headers: { "Content-Type": "text/html" },
-        });
-      }
-    },
+  await deps.logger?.info("supabase callback server started", {
+    port: selectedPort,
   });
-  serverPort = port;
+  serverPort = selectedPort;
+  return selectedPort;
+}
+async function stopServerIfIdle(logger?: SupabaseLogger, reason?: string) {
+  if (pendingAuths.size > 0 || !server) return;
+  const port = serverPort;
+  server.stop();
+  server = undefined;
+  serverPort = undefined;
+  await logger?.info("supabase callback server stopped", {
+    reason,
+    port,
+  });
 }
 function waitForCallback(
@@ -201,6 +254,7 @@ function waitForCallback(
       void deps.logger?.error("supabase auth callback timed out", {
         reason: "timeout",
       });
+      void stopServerIfIdle(deps.logger, "timeout");
       reject(new Error("OAuth callback timeout - authorization took too long"));
     }, CALLBACK_TIMEOUT_MS);
@@ -220,6 +274,7 @@ export function createSupabaseAuth(
   deps: AuthDeps = {},
 ) {
   const config = readSupabaseConfig(options);
+  const authCallbackPorts = normalizeCallbackPorts(deps.callbackPorts ?? CALLBACK_PORTS);
   return {
     provider: "supabase",
@@ -228,13 +283,13 @@ export function createSupabaseAuth(
         type: "oauth" as const,
         label: "Supabase",
         async authorize() {
-          await ensureServer(config.oauthPort, config, input, deps);
+          const port = await ensureServer(authCallbackPorts, config, input, deps);
           await deps.logger?.info("supabase auth started", {
-            port: config.oauthPort,
+            port,
           });
           const pkce = await generatePKCE();
           const state = generateState();
-          const redirectUri = callbackUrl(config.oauthPort);
+          const redirectUri = callbackUrl(port);
           const callbackPromise = waitForCallback(state, pkce.verifier, redirectUri, deps);
           return {

package/src/shared/cfg.ts CHANGED Viewed

@@ -18,26 +18,6 @@ function readEnvString(value: string | undefined): string | undefined {
   return typeof value === "string" && value.trim() ? value.trim() : undefined;
 }
-function readPortOption(options: PluginOptions | undefined, key: string) {
-  const value = options?.[key];
-  if (typeof value === "number") return value;
-  if (typeof value === "string" && value.trim()) return value.trim();
-  return undefined;
-}
-function requirePort(value: number | string | undefined) {
-  if (value === undefined) {
-    throw new Error("Missing required Supabase config: oauthPort");
-  }
-  const parsed = typeof value === "number" ? value : Number.parseInt(value, 10);
-  if (!Number.isInteger(parsed) || parsed <= 0) {
-    throw new Error("Invalid Supabase config: oauthPort must be a positive integer");
-  }
-  return parsed;
-}
 export function readSupabaseConfig(
   options: PluginOptions | undefined,
   env: SupabaseEnv = process.env,
@@ -46,11 +26,6 @@ export function readSupabaseConfig(
     readStringOption(options, "clientId") ??
     readEnvString(env.OPENCODE_SUPABASE_OAUTH_CLIENT_ID) ??
     DEFAULT_SUPABASE_OAUTH_CLIENT_ID;
-  const oauthPort = requirePort(
-    readPortOption(options, "oauthPort") ??
-    env.OPENCODE_SUPABASE_OAUTH_PORT ??
-    DEFAULT_SUPABASE_OAUTH_PORT,
-  );
   const brokerBaseUrl =
     readStringOption(options, "brokerBaseUrl") ??
     readEnvString(env.OPENCODE_SUPABASE_BROKER_URL) ??
@@ -58,7 +33,7 @@ export function readSupabaseConfig(
   return {
     clientId,
-    oauthPort,
+    oauthPort: DEFAULT_SUPABASE_OAUTH_PORT,
     authorizeUrl:
       readStringOption(options, "authorizeUrl") ??
       env.SUPABASE_OAUTH_AUTHORIZE_URL ??