refactor(auth): enhance OAuth credential discovery and client logging

standardize usage of "credential" instead of "key" across the client logging to better reflect the use of complex OAuth tokens.

The credential discovery and initialization flow were made more robust:
- File paths configured in OAuth settings now correctly strip comments and quotes.
- Initialization in the main app (lifespan) now catches and logs errors for individual token setups, preventing a failure in one token from stopping the application startup.
- Added explicit FileNotFoundError handling and improved debug logging in base provider classes.
- Provider default paths were renamed for clarity (e.g., `gemini` is now `gemini_cli`).

src/proxy_app/main.py

@@ -172,18 +172,23 @@ async def lifespan(app: FastAPI):
         discovered_creds = temp_cred_manager.discover_and_prepare()
         
         init_tasks = []
-        failed_inits = []
-        for provider, paths in discovered_creds.items():
-            provider_plugin_class = PROVIDER_PLUGINS.get(provider)
-            if provider_plugin_class and hasattr(provider_plugin_class(), 'initialize_token'):
-                provider_instance = provider_plugin_class()
-                for path in paths:
-                    init_tasks.append(provider_instance.initialize_token(path))
+        if discovered_creds:
+            logging.info(f"Found OAuth credentials for {len(discovered_creds)} provider(s). Validating tokens...")
+            for provider, paths in discovered_creds.items():
+                provider_plugin_class = PROVIDER_PLUGINS.get(provider)
+                if provider_plugin_class and hasattr(provider_plugin_class(), 'initialize_token'):
+                    provider_instance = provider_plugin_class()
+                    for path in paths:
+                        init_tasks.append((provider, path, provider_instance.initialize_token(path)))
         
         if init_tasks:
+            logging.info(f"Attempting to initialize/validate {len(init_tasks)} OAuth token(s)...")
             # Run sequentially to allow for user input without overlap
-            for task in init_tasks:
-                await task
+            for provider, path, task in init_tasks:
+                try:
+                    await task
+                except Exception as e:
+                    logging.error(f"Failed to initialize OAuth token for {provider} at '{path}': {e}")
         logging.info("OAuth credential validation complete.")
 
     # [NEW] Load provider-specific params

src/rotator_library/client.py

@@ -233,7 +233,7 @@ class RotatingClient:
         try:
             while True:
                 if request and await request.is_disconnected():
-                    lib_logger.info(f"Client disconnected. Aborting stream for key ...{key[-4:]}.")
+                    lib_logger.info(f"Client disconnected. Aborting stream for credential ...{key[-6:]}.")
                     # Do not yield [DONE] because the client is gone.
                     # The 'finally' block will handle key release.
                     break
@@ -262,7 +262,7 @@ class RotatingClient:
                     # This is a critical, typed error from litellm that signals a key failure.
                     # We do not try to parse it here. We wrap it and raise it immediately
                     # for the outer retry loop to handle.
-                    lib_logger.warning(f"Caught a critical API error mid-stream: {type(e).__name__}. Signaling for key rotation.")
+                    lib_logger.warning(f"Caught a critical API error mid-stream: {type(e).__name__}. Signaling for credential rotation.")
                     raise StreamedAPIError("Provider error received in stream", data=e)
 
                 except Exception as e:
@@ -315,7 +315,7 @@ class RotatingClient:
 
         except Exception as e:
             # Catch any other unexpected errors during streaming.
-            lib_logger.error(f"An unexpected error occurred during the stream for key ...{key[-4:]}: {e}")
+            lib_logger.error(f"An unexpected error occurred during the stream for credential ...{key[-6:]}: {e}")
             # We still need to raise it so the client knows something went wrong.
             raise
 
@@ -339,12 +339,12 @@ class RotatingClient:
                             "usage": stream.usage.dict() if hasattr(stream.usage, 'dict') else vars(stream.usage)
                         }
                         yield f"data: {json.dumps(final_usage_chunk)}\n\n"
-                        lib_logger.info(f"Yielded final usage chunk for key ...{key[-4:]}.")
+                        lib_logger.info(f"Yielded final usage chunk for credential ...{key[-6:]}.")
                     except Exception as e:
                         lib_logger.error(f"Failed to create or yield final usage chunk: {e}")
 
             await self.usage_manager.release_key(key, model)
-            lib_logger.info(f"STREAM FINISHED and lock released for key ...{key[-4:]}.")
+            lib_logger.info(f"STREAM FINISHED and lock released for credential ...{key[-6:]}.")
             
             # Only send [DONE] if the stream completed naturally and the client is still there.
             # This prevents sending [DONE] to a disconnected client or after an error.
@@ -525,7 +525,7 @@ class RotatingClient:
                             log_failure(api_key=current_cred, model=model, attempt=attempt + 1, error=e, request_headers=dict(request.headers) if request else {})
                             
                             if request and await request.is_disconnected():
-                                lib_logger.warning(f"Client disconnected. Aborting retries for key ...{current_cred[-6:]}.")
+                                lib_logger.warning(f"Client disconnected. Aborting retries for credential ...{current_cred[-6:]}.")
                                 raise last_exception
 
                             classified_error = classify_error(e)
@@ -907,7 +907,7 @@ class RotatingClient:
         if provider_instance:
             for api_key in shuffled_keys:
                 try:
-                    lib_logger.debug(f"Attempting to get models for {provider} with key ...{api_key[-4:]}")
+                    lib_logger.debug(f"Attempting to get models for {provider} with credential ...{api_key[-6:]}")
                     models = await provider_instance.get_models(api_key, self.http_client)
                     lib_logger.info(f"Got {len(models)} models for provider: {provider}")
 
@@ -920,10 +920,10 @@ class RotatingClient:
                     return filtered_models
                 except Exception as e:
                     classified_error = classify_error(e)
-                    lib_logger.debug(f"Failed to get models for provider {provider} with key ...{api_key[-4:]}: {classified_error.error_type}. Trying next key.")
-                    continue # Try the next key
-        
-        lib_logger.error(f"Failed to get models for provider {provider} after trying all keys.")
+                    lib_logger.debug(f"Failed to get models for provider {provider} with credential ...{api_key[-6:]}: {classified_error.error_type}. Trying next credential.")
+                    continue # Try the next credential
+
+        lib_logger.error(f"Failed to get models for provider {provider} after trying all credentials.")
         return []
 
     async def get_all_available_models(self, grouped: bool = True) -> Union[Dict[str, List[str]], List[str]]:

src/rotator_library/credential_manager.py

@@ -11,8 +11,8 @@ OAUTH_BASE_DIR.mkdir(exist_ok=True)
 
 # Standard paths where tools like `gemini login` store credentials.
 DEFAULT_OAUTH_PATHS = {
-    "gemini": Path.home() / ".gemini" / "oauth_creds.json",
-    "qwen": Path.home() / ".qwen" / "oauth_creds.json",
+    "gemini_cli": Path.home() / ".gemini" / "oauth_creds.json",
+    "qwen_code": Path.home() / ".qwen" / "oauth_creds.json",
     # Add other providers like 'claude' here if they have a standard CLI path
 }
 
@@ -31,6 +31,7 @@ class CredentialManager:
         locally if it doesn't already exist and returns the updated config
         pointing to the local paths.
         """
+        lib_logger.info("Starting OAuth credential discovery...")
         updated_config = {}
         for provider, paths in self.oauth_config.items():
             updated_paths = []
@@ -38,8 +39,13 @@ class CredentialManager:
                 account_id = i + 1
                 source_path = self._resolve_source_path(provider, path_str)
                 
-                if not source_path or not source_path.exists():
-                    lib_logger.warning(f"Could not find OAuth file for {provider} account #{account_id}. Skipping.")
+                if not source_path:
+                    lib_logger.debug(f"No default path configured for provider: {provider}. Skipping account #{account_id}.")
+                    continue
+                
+                lib_logger.debug(f"Checking for OAuth source file at '{source_path}'...")
+                if not source_path.exists():
+                    lib_logger.debug(f"Could not find OAuth source file for {provider} account #{account_id}. Skipping.")
                     continue
 
                 local_filename = f"{provider}_oauth_{account_id}.json"
@@ -50,21 +56,32 @@ class CredentialManager:
                         shutil.copy(source_path, local_path)
                         lib_logger.info(f"Copied '{source_path}' to local credentials at '{local_path}'.")
                     except Exception as e:
-                        lib_logger.error(f"Failed to copy OAuth file for {provider} account #{account_id}: {e}")
+                        lib_logger.error(f"Failed to copy OAuth file for {provider} account #{account_id} from '{source_path}': {e}")
                         continue
                 
                 updated_paths.append(str(local_path.resolve()))
             
             if updated_paths:
+                lib_logger.info(f"Found and prepared {len(updated_paths)} credential(s) for provider: {provider}")
                 updated_config[provider] = updated_paths
+            else:
+                lib_logger.warning(f"No valid OAuth credentials found for configured provider: {provider}")
         
+        lib_logger.info("OAuth credential discovery complete.")
         return updated_config
 
     def _resolve_source_path(self, provider: str, specified_path: Optional[str]) -> Optional[Path]:
         """Determines the source path for a credential file."""
-        if specified_path:
+        path_val = specified_path or ""
+        
+        # Strip comments and whitespace, then remove quotes
+        path_val = path_val.split('#')[0].strip()
+        if path_val.startswith('"') and path_val.endswith('"'):
+            path_val = path_val[1:-1].strip()
+
+        if path_val:
             # If a path is given, use it directly.
-            return Path(specified_path).expanduser()
+            return Path(path_val).expanduser()
         
         # If no path is given, try the default location.
         return DEFAULT_OAUTH_PATHS.get(provider)

src/rotator_library/providers/gemini_auth_base.py

@@ -31,6 +31,7 @@ class GeminiAuthBase:
             if path in self._credentials_cache:
                 return self._credentials_cache[path]
             try:
+                lib_logger.debug(f"Loading Gemini credentials from file: {path}")
                 with open(path, 'r') as f:
                     creds = json.load(f)
                 # Handle gcloud-style creds file which nest tokens under "credential"
@@ -38,6 +39,8 @@ class GeminiAuthBase:
                     creds = creds["credential"]
                 self._credentials_cache[path] = creds
                 return creds
+            except FileNotFoundError:
+                raise IOError(f"Gemini OAuth credential file not found at '{path}'")
             except Exception as e:
                 raise IOError(f"Failed to load Gemini OAuth credentials from '{path}': {e}")
 
@@ -46,6 +49,7 @@ class GeminiAuthBase:
         try:
             with open(path, 'w') as f:
                 json.dump(creds, f, indent=2)
+            lib_logger.debug(f"Saved updated Gemini OAuth credentials to '{path}'.")
         except Exception as e:
             lib_logger.error(f"Failed to save updated Gemini OAuth credentials to '{path}': {e}")
 
@@ -101,10 +105,18 @@ class GeminiAuthBase:
     # [NEW] Add init flow for invalid/expired tokens
     async def initialize_token(self, path: str) -> Dict[str, Any]:
         """Initiates OAuth flow if tokens are missing or invalid."""
+        lib_logger.debug(f"Initializing Gemini token at '{path}'...")
         try:
             creds = await self._load_credentials(path)
-            if not creds.get("refresh_token") or self._is_token_expired(creds):
-                lib_logger.warning(f"Invalid or missing Gemini OAuth tokens at '{path}'. Initiating setup...")
+            
+            reason = ""
+            if not creds.get("refresh_token"):
+                reason = "refresh token is missing"
+            elif self._is_token_expired(creds):
+                reason = "token is expired"
+
+            if reason:
+                lib_logger.warning(f"Gemini OAuth token for '{Path(path).name}' needs setup: {reason}.")
                 # Use subprocess to run gemini-cli setup or simulate web flow
                 # Based on CLIProxyAPI-main/gemini/gemini_auth.go: Use web flow with local server
                 # For simplicity, prompt user to run manual setup or integrate browser flow
@@ -123,6 +135,7 @@ class GeminiAuthBase:
                 print(f"Please open this URL in your browser:\n\n{auth_url}\n")
                 auth_code = input("After authorizing, paste the 'code' from the redirected URL here: ")
                 
+                lib_logger.info(f"Attempting to exchange authorization code for tokens...")
                 async with httpx.AsyncClient() as client:
                     response = await client.post(TOKEN_URI, data={
                         "code": auth_code.strip(),
@@ -141,11 +154,13 @@ class GeminiAuthBase:
                         "client_secret": CLIENT_SECRET
                     }
                     await self._save_credentials(path, creds)
-                    lib_logger.info(f"Gemini OAuth initialized successfully for '{path}'.")
+                    lib_logger.info(f"Gemini OAuth initialized successfully for '{Path(path).name}'.")
                 return creds
+            
+            lib_logger.info(f"Gemini OAuth token at '{Path(path).name}' is valid.")
             return creds
         except Exception as e:
-            raise ValueError(f"Failed to initialize Gemini OAuth: {e}")
+            raise ValueError(f"Failed to initialize Gemini OAuth for '{path}': {e}")
 
     async def get_auth_header(self, credential_path: str) -> Dict[str, str]:
         creds = await self._load_credentials(credential_path)

src/rotator_library/providers/qwen_auth_base.py

@@ -31,10 +31,13 @@ class QwenAuthBase:
             if path in self._credentials_cache:
                 return self._credentials_cache[path]
             try:
+                lib_logger.debug(f"Loading Qwen credentials from file: {path}")
                 with open(path, 'r') as f:
                     creds = json.load(f)
                 self._credentials_cache[path] = creds
                 return creds
+            except FileNotFoundError:
+                raise IOError(f"Qwen OAuth credential file not found at '{path}'")
             except Exception as e:
                 raise IOError(f"Failed to load Qwen OAuth credentials from '{path}': {e}")
 
@@ -43,6 +46,7 @@ class QwenAuthBase:
         try:
             with open(path, 'w') as f:
                 json.dump(creds, f, indent=2)
+            lib_logger.debug(f"Saved updated Qwen OAuth credentials to '{path}'.")
         except Exception as e:
             lib_logger.error(f"Failed to save updated Qwen OAuth credentials to '{path}': {e}")
 
@@ -100,10 +104,18 @@ class QwenAuthBase:
     # [NEW] Add init flow for invalid/expired tokens
     async def initialize_token(self, path: str) -> Dict[str, Any]:
         """Initiates device flow if tokens are missing or invalid."""
+        lib_logger.debug(f"Initializing Qwen token at '{path}'...")
         try:
             creds = await self._load_credentials(path)
-            if not creds.get("refresh_token") or self._is_token_expired(creds):
-                lib_logger.warning(f"Invalid or missing Qwen OAuth tokens at '{path}'. Initiating device flow...")
+
+            reason = ""
+            if not creds.get("refresh_token"):
+                reason = "refresh token is missing"
+            elif self._is_token_expired(creds):
+                reason = "token is expired"
+
+            if reason:
+                lib_logger.warning(f"Qwen OAuth token for '{Path(path).name}' needs setup: {reason}.")
                 # Based on CLIProxyAPI-main/qwen/qwen_auth.go: Use device code with PKCE
                 code_verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).decode('utf-8').rstrip('=')
                 code_challenge = base64.urlsafe_b64encode(
@@ -126,6 +138,7 @@ class QwenAuthBase:
                     print(f"\n--- Qwen OAuth Setup Required for {Path(path).name} ---")
                     print(f"Please visit: {dev_data['verification_uri_complete']}")
                     print(f"And enter code: {dev_data['user_code']}\n")
+                    lib_logger.info("Polling for token, please complete authentication in the browser...")
                     
                     token_data = None
                     start_time = time.time()
@@ -141,7 +154,9 @@ class QwenAuthBase:
                         )
                         if poll_response.status_code == 200:
                             token_data = poll_response.json()
+                            lib_logger.info("Successfully received token.")
                             break
+                        lib_logger.debug("Polling for device code authentication...")
                         await asyncio.sleep(dev_data['interval'])
                     
                     if not token_data:
@@ -154,11 +169,13 @@ class QwenAuthBase:
                         "resource_url": token_data.get("resource_url")
                     })
                     await self._save_credentials(path, creds)
-                    lib_logger.info(f"Qwen OAuth initialized successfully for '{path}'.")
+                    lib_logger.info(f"Qwen OAuth initialized successfully for '{Path(path).name}'.")
                 return creds
+            
+            lib_logger.info(f"Qwen OAuth token at '{Path(path).name}' is valid.")
             return creds
         except Exception as e:
-            raise ValueError(f"Failed to initialize Qwen OAuth: {e}")
+            raise ValueError(f"Failed to initialize Qwen OAuth for '{path}': {e}")
 
     async def get_auth_header(self, credential_path: str) -> Dict[str, str]:
         creds = await self._load_credentials(credential_path)