| |
| |
| |
| |
|
|
| |
| import "open-sse/index.js"; |
| import crypto from "crypto"; |
|
|
| import { generatePKCE, generateState } from "./utils/pkce"; |
| import { |
| CLAUDE_CONFIG, |
| CODEX_CONFIG, |
| GEMINI_CONFIG, |
| QWEN_CONFIG, |
| QODER_CONFIG, |
| IFLOW_CONFIG, |
| ANTIGRAVITY_CONFIG, |
| GITHUB_CONFIG, |
| KIRO_CONFIG, |
| CURSOR_CONFIG, |
| KIMI_CODING_CONFIG, |
| KILOCODE_CONFIG, |
| CLINE_CONFIG, |
| GITLAB_CONFIG, |
| CODEBUDDY_CONFIG, |
| getOAuthClientMetadata, |
| } from "./constants/oauth"; |
| import { XAI_CONFIG, XAI_PKCE_VERIFIER_BYTES } from "./constants/xai"; |
| import { |
| validateXaiOAuthEndpoint, |
| decodeXaiIdTokenEmail, |
| extractEmailFromAccessToken, |
| extractCodexAccountInfo, |
| fetchKiroProfileArn, |
| } from "./providerHelpers"; |
|
|
| export { extractCodexAccountInfo, fetchKiroProfileArn }; |
|
|
| |
| let cachedXaiDiscovery = null; |
|
|
| async function discoverXaiEndpoints() { |
| if (cachedXaiDiscovery) return cachedXaiDiscovery; |
| try { |
| const res = await fetch(XAI_CONFIG.discoveryUrl, { headers: { Accept: "application/json" } }); |
| if (res.ok) { |
| const data = await res.json(); |
| cachedXaiDiscovery = { |
| authorizeUrl: validateXaiOAuthEndpoint(data.authorization_endpoint, "authorization_endpoint"), |
| tokenUrl: validateXaiOAuthEndpoint(data.token_endpoint, "token_endpoint"), |
| }; |
| return cachedXaiDiscovery; |
| } |
| } catch { } |
| cachedXaiDiscovery = { authorizeUrl: XAI_CONFIG.authorizeUrl, tokenUrl: XAI_CONFIG.tokenUrl }; |
| return cachedXaiDiscovery; |
| } |
|
|
| |
| const PROVIDERS = { |
| claude: { |
| config: CLAUDE_CONFIG, |
| flowType: "authorization_code_pkce", |
| buildAuthUrl: (config, redirectUri, state, codeChallenge) => { |
| const params = new URLSearchParams({ |
| code: "true", |
| client_id: config.clientId, |
| response_type: "code", |
| redirect_uri: redirectUri, |
| scope: config.scopes.join(" "), |
| code_challenge: codeChallenge, |
| code_challenge_method: config.codeChallengeMethod, |
| state: state, |
| }); |
| return `${config.authorizeUrl}?${params.toString()}`; |
| }, |
| exchangeToken: async (config, code, redirectUri, codeVerifier, state) => { |
| |
| let authCode = code; |
| let codeState = ""; |
| if (authCode.includes("#")) { |
| const parts = authCode.split("#"); |
| authCode = parts[0]; |
| codeState = parts[1] || ""; |
| } |
|
|
| const response = await fetch(config.tokenUrl, { |
| method: "POST", |
| headers: { |
| "Content-Type": "application/json", |
| Accept: "application/json", |
| }, |
| body: JSON.stringify({ |
| code: authCode, |
| state: codeState || state, |
| grant_type: "authorization_code", |
| client_id: config.clientId, |
| redirect_uri: redirectUri, |
| code_verifier: codeVerifier, |
| }), |
| }); |
|
|
| if (!response.ok) { |
| const error = await response.text(); |
| throw new Error(`Token exchange failed: ${error}`); |
| } |
|
|
| return await response.json(); |
| }, |
| mapTokens: (tokens) => ({ |
| accessToken: tokens.access_token, |
| refreshToken: tokens.refresh_token, |
| expiresIn: tokens.expires_in, |
| scope: tokens.scope, |
| }), |
| }, |
|
|
| codex: { |
| config: CODEX_CONFIG, |
| flowType: "authorization_code_pkce", |
| fixedPort: CODEX_CONFIG.fixedPort, |
| callbackPath: CODEX_CONFIG.callbackPath, |
| buildAuthUrl: (config, redirectUri, state, codeChallenge) => { |
| const params = { |
| response_type: "code", |
| client_id: config.clientId, |
| redirect_uri: redirectUri, |
| scope: config.scope, |
| code_challenge: codeChallenge, |
| code_challenge_method: config.codeChallengeMethod, |
| ...config.extraParams, |
| state: state, |
| }; |
| const queryString = Object.entries(params) |
| .map(([key, value]) => `${key}=${encodeURIComponent(value)}`) |
| .join("&"); |
| return `${config.authorizeUrl}?${queryString}`; |
| }, |
| exchangeToken: async (config, code, redirectUri, codeVerifier) => { |
| const response = await fetch(config.tokenUrl, { |
| method: "POST", |
| headers: { |
| "Content-Type": "application/x-www-form-urlencoded", |
| Accept: "application/json", |
| }, |
| body: new URLSearchParams({ |
| grant_type: "authorization_code", |
| client_id: config.clientId, |
| code: code, |
| redirect_uri: redirectUri, |
| code_verifier: codeVerifier, |
| }), |
| }); |
|
|
| if (!response.ok) { |
| const error = await response.text(); |
| throw new Error(`Token exchange failed: ${error}`); |
| } |
|
|
| return await response.json(); |
| }, |
| mapTokens: (tokens) => { |
| const info = extractCodexAccountInfo(tokens.id_token); |
| const mapped = { |
| accessToken: tokens.access_token, |
| refreshToken: tokens.refresh_token, |
| idToken: tokens.id_token, |
| expiresIn: tokens.expires_in, |
| lastRefreshAt: new Date().toISOString(), |
| }; |
| const email = info.email || extractEmailFromAccessToken(tokens.access_token); |
| if (email) mapped.email = email; |
| if (info.chatgptAccountId || info.chatgptPlanType) { |
| mapped.providerSpecificData = { |
| chatgptAccountId: info.chatgptAccountId, |
| chatgptPlanType: info.chatgptPlanType, |
| }; |
| } |
| return mapped; |
| }, |
| }, |
|
|
| xai: { |
| config: XAI_CONFIG, |
| flowType: "authorization_code_pkce", |
| fixedPort: XAI_CONFIG.loopbackPort, |
| callbackPath: XAI_CONFIG.callbackPath, |
| pkceVerifierBytes: XAI_PKCE_VERIFIER_BYTES, |
| prepareConfig: async (config) => { |
| const endpoints = await discoverXaiEndpoints(); |
| return { |
| ...config, |
| authorizeUrl: endpoints.authorizeUrl, |
| tokenUrl: endpoints.tokenUrl, |
| }; |
| }, |
| buildAuthUrl: (config, redirectUri, state, codeChallenge) => { |
| |
| const nonce = crypto.randomBytes(16).toString("hex"); |
| const params = { |
| response_type: "code", |
| client_id: config.clientId, |
| redirect_uri: redirectUri, |
| scope: config.scope, |
| code_challenge: codeChallenge, |
| code_challenge_method: config.codeChallengeMethod, |
| state, |
| nonce, |
| plan: "generic", |
| referrer: "cli-proxy-api", |
| }; |
| const qs = Object.entries(params) |
| .map(([k, v]) => `${k}=${encodeURIComponent(v)}`) |
| .join("&"); |
| return `${config.authorizeUrl}?${qs}`; |
| }, |
| exchangeToken: async (config, code, redirectUri, codeVerifier) => { |
| const response = await fetch(config.tokenUrl, { |
| method: "POST", |
| headers: { |
| "Content-Type": "application/x-www-form-urlencoded", |
| Accept: "application/json", |
| }, |
| body: new URLSearchParams({ |
| grant_type: "authorization_code", |
| client_id: config.clientId, |
| code, |
| redirect_uri: redirectUri, |
| code_verifier: codeVerifier, |
| }), |
| }); |
| if (!response.ok) { |
| const error = await response.text(); |
| throw new Error(`xAI token exchange failed: ${error}`); |
| } |
| return await response.json(); |
| }, |
| mapTokens: (tokens) => { |
| const mapped = { |
| accessToken: tokens.access_token, |
| refreshToken: tokens.refresh_token, |
| expiresIn: tokens.expires_in, |
| scope: tokens.scope, |
| }; |
| const email = decodeXaiIdTokenEmail(tokens.id_token); |
| if (email) mapped.email = email; |
| if (tokens.id_token) { |
| mapped.providerSpecificData = { idToken: tokens.id_token }; |
| } |
| return mapped; |
| }, |
| }, |
|
|
| "gemini-cli": { |
| config: GEMINI_CONFIG, |
| flowType: "authorization_code", |
| buildAuthUrl: (config, redirectUri, state) => { |
| const params = new URLSearchParams({ |
| client_id: config.clientId, |
| response_type: "code", |
| redirect_uri: redirectUri, |
| scope: config.scopes.join(" "), |
| state: state, |
| access_type: "offline", |
| prompt: "consent", |
| }); |
| return `${config.authorizeUrl}?${params.toString()}`; |
| }, |
| exchangeToken: async (config, code, redirectUri) => { |
| const response = await fetch(config.tokenUrl, { |
| method: "POST", |
| headers: { |
| "Content-Type": "application/x-www-form-urlencoded", |
| Accept: "application/json", |
| }, |
| body: new URLSearchParams({ |
| grant_type: "authorization_code", |
| client_id: config.clientId, |
| client_secret: config.clientSecret, |
| code: code, |
| redirect_uri: redirectUri, |
| }), |
| }); |
|
|
| if (!response.ok) { |
| const error = await response.text(); |
| throw new Error(`Token exchange failed: ${error}`); |
| } |
|
|
| return await response.json(); |
| }, |
| postExchange: async (tokens) => { |
| |
| const userInfoRes = await fetch(`${GEMINI_CONFIG.userInfoUrl}?alt=json`, { |
| headers: { Authorization: `Bearer ${tokens.access_token}` }, |
| }); |
| const userInfo = userInfoRes.ok ? await userInfoRes.json() : {}; |
|
|
| |
| let projectId = ""; |
| try { |
| const projectRes = await fetch( |
| "https://cloudcode-pa.googleapis.com/v1internal:loadCodeAssist", |
| { |
| method: "POST", |
| headers: { |
| Authorization: `Bearer ${tokens.access_token}`, |
| "Content-Type": "application/json", |
| }, |
| body: JSON.stringify({ |
| metadata: getOAuthClientMetadata(), |
| mode: 1, |
| }), |
| } |
| ); |
| if (projectRes.ok) { |
| const data = await projectRes.json(); |
| projectId = data.cloudaicompanionProject?.id || data.cloudaicompanionProject || ""; |
| } |
| } catch (e) { |
| console.log("Failed to fetch project ID:", e); |
| } |
|
|
| return { userInfo, projectId }; |
| }, |
| mapTokens: (tokens, extra) => ({ |
| accessToken: tokens.access_token, |
| refreshToken: tokens.refresh_token, |
| expiresIn: tokens.expires_in, |
| scope: tokens.scope, |
| email: extra?.userInfo?.email, |
| projectId: extra?.projectId, |
| }), |
| }, |
|
|
| antigravity: { |
| config: ANTIGRAVITY_CONFIG, |
| flowType: "authorization_code", |
| buildAuthUrl: (config, redirectUri, state) => { |
| const params = new URLSearchParams({ |
| client_id: config.clientId, |
| response_type: "code", |
| redirect_uri: redirectUri, |
| scope: config.scopes.join(" "), |
| state: state, |
| access_type: "offline", |
| prompt: "consent", |
| }); |
| return `${config.authorizeUrl}?${params.toString()}`; |
| }, |
| exchangeToken: async (config, code, redirectUri) => { |
| const response = await fetch(config.tokenUrl, { |
| method: "POST", |
| headers: { |
| "Content-Type": "application/x-www-form-urlencoded", |
| Accept: "application/json", |
| }, |
| body: new URLSearchParams({ |
| grant_type: "authorization_code", |
| client_id: config.clientId, |
| client_secret: config.clientSecret, |
| code: code, |
| redirect_uri: redirectUri, |
| }), |
| }); |
|
|
| if (!response.ok) { |
| const error = await response.text(); |
| throw new Error(`Token exchange failed: ${error}`); |
| } |
|
|
| return await response.json(); |
| }, |
| postExchange: async (tokens) => { |
| |
| const loadHeaders = { |
| "Authorization": `Bearer ${tokens.access_token}`, |
| "Content-Type": "application/json", |
| "User-Agent": ANTIGRAVITY_CONFIG.loadCodeAssistUserAgent, |
| "X-Goog-Api-Client": ANTIGRAVITY_CONFIG.loadCodeAssistApiClient, |
| "Client-Metadata": ANTIGRAVITY_CONFIG.loadCodeAssistClientMetadata, |
| "x-request-source": "local", |
| }; |
| const metadata = getOAuthClientMetadata(); |
|
|
| |
| const userInfoRes = await fetch(`${ANTIGRAVITY_CONFIG.userInfoUrl}?alt=json`, { |
| headers: { |
| Authorization: `Bearer ${tokens.access_token}`, |
| "x-request-source": "local", |
| }, |
| }); |
| const userInfo = userInfoRes.ok ? await userInfoRes.json() : {}; |
|
|
| |
| let projectId = ""; |
| let tierId = "legacy-tier"; |
| try { |
| const loadRes = await fetch(ANTIGRAVITY_CONFIG.loadCodeAssistEndpoint, { |
| method: "POST", |
| headers: loadHeaders, |
| body: JSON.stringify({ metadata }), |
| }); |
| if (loadRes.ok) { |
| const data = await loadRes.json(); |
| projectId = data.cloudaicompanionProject?.id || data.cloudaicompanionProject || ""; |
| if (Array.isArray(data.allowedTiers)) { |
| for (const tier of data.allowedTiers) { |
| if (tier.isDefault && tier.id) { |
| tierId = tier.id.trim(); |
| break; |
| } |
| } |
| } |
| } |
| } catch (e) { |
| console.log("Failed to load code assist:", e); |
| } |
|
|
| |
| if (projectId) { |
| const doOnboard = async () => { |
| for (let i = 0; i < 10; i++) { |
| try { |
| const onboardRes = await fetch(ANTIGRAVITY_CONFIG.onboardUserEndpoint, { |
| method: "POST", |
| headers: loadHeaders, |
| body: JSON.stringify({ tierId, metadata }), |
| }); |
| if (onboardRes.ok) { |
| const result = await onboardRes.json(); |
| if (result.done === true) break; |
| } |
| } catch (e) { |
| break; |
| } |
| await new Promise(resolve => setTimeout(resolve, 5000)); |
| } |
| }; |
| doOnboard().catch(() => {}); |
| } |
|
|
| return { userInfo, projectId }; |
| }, |
| mapTokens: (tokens, extra) => ({ |
| accessToken: tokens.access_token, |
| refreshToken: tokens.refresh_token, |
| expiresIn: tokens.expires_in, |
| scope: tokens.scope, |
| email: extra?.userInfo?.email, |
| projectId: extra?.projectId, |
| }), |
| }, |
|
|
| iflow: { |
| config: IFLOW_CONFIG, |
| flowType: "authorization_code", |
| buildAuthUrl: (config, redirectUri, state) => { |
| const params = new URLSearchParams({ |
| loginMethod: config.extraParams.loginMethod, |
| type: config.extraParams.type, |
| redirect: redirectUri, |
| state: state, |
| client_id: config.clientId, |
| }); |
| return `${config.authorizeUrl}?${params.toString()}`; |
| }, |
| exchangeToken: async (config, code, redirectUri) => { |
| |
| const basicAuth = Buffer.from( |
| `${config.clientId}:${config.clientSecret}` |
| ).toString("base64"); |
|
|
| const response = await fetch(config.tokenUrl, { |
| method: "POST", |
| headers: { |
| "Content-Type": "application/x-www-form-urlencoded", |
| Accept: "application/json", |
| Authorization: `Basic ${basicAuth}`, |
| }, |
| body: new URLSearchParams({ |
| grant_type: "authorization_code", |
| code: code, |
| redirect_uri: redirectUri, |
| client_id: config.clientId, |
| client_secret: config.clientSecret, |
| }), |
| }); |
|
|
| if (!response.ok) { |
| const error = await response.text(); |
| throw new Error(`Token exchange failed: ${error}`); |
| } |
|
|
| return await response.json(); |
| }, |
| postExchange: async (tokens) => { |
| |
| const userInfoRes = await fetch( |
| `${IFLOW_CONFIG.userInfoUrl}?accessToken=${encodeURIComponent(tokens.access_token)}`, |
| { |
| headers: { |
| Accept: "application/json", |
| }, |
| } |
| ); |
| |
| if (!userInfoRes.ok) { |
| const errorText = await userInfoRes.text(); |
| throw new Error(`Failed to fetch user info: ${errorText}`); |
| } |
| |
| const result = await userInfoRes.json(); |
| if (!result.success) { |
| throw new Error(`User info request failed: ${result.message || 'Unknown error'}`); |
| } |
| |
| const userInfo = result.data || {}; |
| |
| |
| if (!userInfo.apiKey || userInfo.apiKey.trim() === "") { |
| throw new Error("Empty API key returned from iFlow"); |
| } |
| |
| |
| const email = userInfo.email?.trim() || userInfo.phone?.trim(); |
| if (!email) { |
| throw new Error("Missing account email/phone in user info"); |
| } |
| |
| return { userInfo }; |
| }, |
| mapTokens: (tokens, extra) => ({ |
| accessToken: tokens.access_token, |
| refreshToken: tokens.refresh_token, |
| expiresIn: tokens.expires_in, |
| apiKey: extra?.userInfo?.apiKey, |
| email: extra?.userInfo?.email || extra?.userInfo?.phone, |
| displayName: extra?.userInfo?.nickname || extra?.userInfo?.name, |
| }), |
| }, |
|
|
| qoder: { |
| config: QODER_CONFIG, |
| flowType: "device_code", |
| |
| |
| |
| requestDeviceCode: async (config) => { |
| const { QoderService } = await import("@/lib/oauth/services/qoder"); |
| const flow = new QoderService().initiateDeviceFlow(); |
| |
| |
| |
| |
| |
| |
| return { |
| device_code: flow.nonce, |
| user_code: flow.nonce.slice(0, 8).toUpperCase(), |
| verification_uri: config.loginUrl, |
| verification_uri_complete: flow.verificationUriComplete, |
| expires_in: 300, |
| interval: 2, |
| codeVerifier: flow.codeVerifier, |
| _qoderNonce: flow.nonce, |
| _qoderMachineId: flow.machineId, |
| }; |
| }, |
| pollToken: async (config, deviceCode, codeVerifier, extraData) => { |
| const { QoderService } = await import("@/lib/oauth/services/qoder"); |
| const svc = new QoderService(); |
| const nonce = deviceCode || extraData?._qoderNonce; |
| const verifier = codeVerifier || extraData?._qoderVerifier; |
| if (!nonce || !verifier) { |
| return { |
| ok: false, |
| data: { error: "invalid_request", error_description: "Missing nonce/verifier" }, |
| }; |
| } |
| let result; |
| try { |
| result = await svc.pollDeviceToken({ nonce, codeVerifier: verifier }); |
| } catch (err) { |
| return { |
| ok: false, |
| data: { error: "poll_failed", error_description: err.message }, |
| }; |
| } |
| if (result.status === "pending") { |
| return { ok: false, data: { error: "authorization_pending" } }; |
| } |
| |
| const userInfo = await svc.fetchUserInfo(result.accessToken); |
| |
| |
| |
| |
| |
| const minSeconds = 24 * 60 * 60; |
| const remainingSeconds = Math.floor((result.expireTime - Date.now()) / 1000); |
| const expiresIn = Math.max(minSeconds, remainingSeconds); |
| return { |
| ok: true, |
| data: { |
| access_token: result.accessToken, |
| refresh_token: result.refreshToken, |
| expires_in: expiresIn, |
| _qoderUserId: result.userId, |
| _qoderMachineId: extraData?._qoderMachineId || "", |
| _qoderName: userInfo.name, |
| _qoderEmail: userInfo.email, |
| _qoderOrganizationId: userInfo.organizationId, |
| }, |
| }; |
| }, |
| mapTokens: (tokens) => { |
| const rawEmail = (tokens._qoderEmail || "").trim(); |
| const displayName = (tokens._qoderName || "").trim() || null; |
| const userId = tokens._qoderUserId || ""; |
| |
| |
| |
| |
| const email = rawEmail || (userId ? `qoder-user-${userId}` : null); |
| return { |
| accessToken: tokens.access_token, |
| refreshToken: tokens.refresh_token || null, |
| expiresIn: tokens.expires_in, |
| email, |
| displayName, |
| providerSpecificData: { |
| authMethod: "device", |
| userId, |
| machineId: tokens._qoderMachineId || "", |
| organizationId: tokens._qoderOrganizationId || "", |
| }, |
| }; |
| }, |
| }, |
|
|
| qwen: { |
| config: QWEN_CONFIG, |
| flowType: "device_code", |
| requestDeviceCode: async (config, codeChallenge) => { |
| const response = await fetch(config.deviceCodeUrl, { |
| method: "POST", |
| headers: { |
| "Content-Type": "application/x-www-form-urlencoded", |
| Accept: "application/json", |
| }, |
| body: new URLSearchParams({ |
| client_id: config.clientId, |
| scope: config.scope, |
| code_challenge: codeChallenge, |
| code_challenge_method: config.codeChallengeMethod, |
| }), |
| }); |
|
|
| if (!response.ok) { |
| const error = await response.text(); |
| throw new Error(`Device code request failed: ${error}`); |
| } |
|
|
| return await response.json(); |
| }, |
| pollToken: async (config, deviceCode, codeVerifier) => { |
| const response = await fetch(config.tokenUrl, { |
| method: "POST", |
| headers: { |
| "Content-Type": "application/x-www-form-urlencoded", |
| Accept: "application/json", |
| }, |
| body: new URLSearchParams({ |
| grant_type: "urn:ietf:params:oauth:grant-type:device_code", |
| client_id: config.clientId, |
| device_code: deviceCode, |
| code_verifier: codeVerifier, |
| }), |
| }); |
|
|
| return { |
| ok: response.ok, |
| data: await response.json(), |
| }; |
| }, |
| mapTokens: (tokens) => ({ |
| accessToken: tokens.access_token, |
| refreshToken: tokens.refresh_token, |
| expiresIn: tokens.expires_in, |
| providerSpecificData: { resourceUrl: tokens.resource_url }, |
| }), |
| }, |
|
|
| github: { |
| config: GITHUB_CONFIG, |
| flowType: "device_code", |
| requestDeviceCode: async (config) => { |
| const response = await fetch(config.deviceCodeUrl, { |
| method: "POST", |
| headers: { |
| "Content-Type": "application/x-www-form-urlencoded", |
| Accept: "application/json", |
| }, |
| body: new URLSearchParams({ |
| client_id: config.clientId, |
| scope: config.scopes, |
| }), |
| }); |
|
|
| if (!response.ok) { |
| const error = await response.text(); |
| throw new Error(`Device code request failed: ${error}`); |
| } |
|
|
| return await response.json(); |
| }, |
| pollToken: async (config, deviceCode) => { |
| const response = await fetch(config.tokenUrl, { |
| method: "POST", |
| headers: { |
| "Content-Type": "application/x-www-form-urlencoded", |
| Accept: "application/json", |
| }, |
| body: new URLSearchParams({ |
| client_id: config.clientId, |
| device_code: deviceCode, |
| grant_type: "urn:ietf:params:oauth:grant-type:device_code", |
| }), |
| }); |
|
|
| |
| let data; |
| try { |
| data = await response.json(); |
| } catch (e) { |
| |
| const text = await response.text(); |
| data = { error: "invalid_response", error_description: text }; |
| } |
|
|
| return { |
| ok: response.ok, |
| data: data, |
| }; |
| }, |
| postExchange: async (tokens) => { |
| |
| const copilotRes = await fetch(GITHUB_CONFIG.copilotTokenUrl, { |
| headers: { |
| Authorization: `Bearer ${tokens.access_token}`, |
| Accept: "application/json", |
| "X-GitHub-Api-Version": GITHUB_CONFIG.apiVersion, |
| "User-Agent": GITHUB_CONFIG.userAgent, |
| }, |
| }); |
| const copilotToken = copilotRes.ok ? await copilotRes.json() : {}; |
|
|
| |
| const userRes = await fetch(GITHUB_CONFIG.userInfoUrl, { |
| headers: { |
| Authorization: `Bearer ${tokens.access_token}`, |
| Accept: "application/json", |
| "X-GitHub-Api-Version": GITHUB_CONFIG.apiVersion, |
| "User-Agent": GITHUB_CONFIG.userAgent, |
| }, |
| }); |
| const userInfo = userRes.ok ? await userRes.json() : {}; |
|
|
| return { copilotToken, userInfo }; |
| }, |
| mapTokens: (tokens, extra) => ({ |
| accessToken: tokens.access_token, |
| refreshToken: tokens.refresh_token, |
| expiresIn: tokens.expires_in, |
| providerSpecificData: { |
| copilotToken: extra?.copilotToken?.token, |
| copilotTokenExpiresAt: extra?.copilotToken?.expires_at, |
| githubUserId: extra?.userInfo?.id, |
| githubLogin: extra?.userInfo?.login, |
| githubName: extra?.userInfo?.name, |
| githubEmail: extra?.userInfo?.email, |
| }, |
| }), |
| }, |
|
|
| kiro: { |
| config: KIRO_CONFIG, |
| flowType: "device_code", |
| |
| requestDeviceCode: async (config, codeChallenge, options = {}) => { |
| const trimmedRegion = typeof options.region === "string" ? options.region.trim() : ""; |
| const region = trimmedRegion || "us-east-1"; |
| const trimmedStartUrl = typeof options.startUrl === "string" ? options.startUrl.trim() : ""; |
| const startUrl = trimmedStartUrl || config.startUrl; |
| const authMethod = options.authMethod === "idc" ? "idc" : "builder-id"; |
| const registerClientUrl = `https://oidc.${region}.amazonaws.com/client/register`; |
| const deviceAuthUrl = `https://oidc.${region}.amazonaws.com/device_authorization`; |
|
|
| |
| const registerRes = await fetch(registerClientUrl, { |
| method: "POST", |
| headers: { |
| "Content-Type": "application/json", |
| Accept: "application/json", |
| }, |
| body: JSON.stringify({ |
| clientName: config.clientName, |
| clientType: config.clientType, |
| scopes: config.scopes, |
| grantTypes: config.grantTypes, |
| issuerUrl: config.issuerUrl, |
| }), |
| }); |
|
|
| if (!registerRes.ok) { |
| const error = await registerRes.text(); |
| throw new Error(`Client registration failed: ${error}`); |
| } |
|
|
| const clientInfo = await registerRes.json(); |
|
|
| |
| const deviceRes = await fetch(deviceAuthUrl, { |
| method: "POST", |
| headers: { |
| "Content-Type": "application/json", |
| Accept: "application/json", |
| }, |
| body: JSON.stringify({ |
| clientId: clientInfo.clientId, |
| clientSecret: clientInfo.clientSecret, |
| startUrl, |
| }), |
| }); |
|
|
| if (!deviceRes.ok) { |
| const error = await deviceRes.text(); |
| throw new Error(`Device authorization failed: ${error}`); |
| } |
|
|
| const deviceData = await deviceRes.json(); |
|
|
| |
| return { |
| device_code: deviceData.deviceCode, |
| user_code: deviceData.userCode, |
| verification_uri: deviceData.verificationUri, |
| verification_uri_complete: deviceData.verificationUriComplete, |
| expires_in: deviceData.expiresIn, |
| interval: deviceData.interval || 5, |
| |
| _clientId: clientInfo.clientId, |
| _clientSecret: clientInfo.clientSecret, |
| _region: region, |
| _authMethod: authMethod, |
| _startUrl: startUrl, |
| }; |
| }, |
| pollToken: async (config, deviceCode, codeVerifier, extraData) => { |
| const region = extraData?._region || "us-east-1"; |
| const tokenUrl = `https://oidc.${region}.amazonaws.com/token`; |
| const response = await fetch(tokenUrl, { |
| method: "POST", |
| headers: { |
| "Content-Type": "application/json", |
| Accept: "application/json", |
| }, |
| body: JSON.stringify({ |
| clientId: extraData?._clientId, |
| clientSecret: extraData?._clientSecret, |
| deviceCode: deviceCode, |
| grantType: "urn:ietf:params:oauth:grant-type:device_code", |
| }), |
| }); |
|
|
| let data; |
| try { |
| data = await response.json(); |
| } catch (e) { |
| const text = await response.text(); |
| data = { error: "invalid_response", error_description: text }; |
| } |
|
|
| |
| if (data.accessToken) { |
| return { |
| ok: true, |
| data: { |
| access_token: data.accessToken, |
| refresh_token: data.refreshToken, |
| expires_in: data.expiresIn, |
| profile_arn: data?.profileArn || null, |
| |
| _clientId: extraData?._clientId, |
| _clientSecret: extraData?._clientSecret, |
| _region: extraData?._region, |
| _authMethod: extraData?._authMethod, |
| _startUrl: extraData?._startUrl, |
| }, |
| }; |
| } |
|
|
| return { |
| ok: false, |
| data: { |
| error: data.error || "authorization_pending", |
| error_description: data.error_description || data.message, |
| }, |
| }; |
| }, |
| mapTokens: (tokens) => { |
| const email = extractEmailFromAccessToken(tokens.access_token); |
| const mapped = { |
| accessToken: tokens.access_token, |
| refreshToken: tokens.refresh_token, |
| expiresIn: tokens.expires_in, |
| email, |
| providerSpecificData: { |
| profileArn: tokens?.profile_arn || null, |
| clientId: tokens._clientId, |
| clientSecret: tokens._clientSecret, |
| region: tokens._region || "us-east-1", |
| authMethod: tokens._authMethod || "builder-id", |
| startUrl: tokens._startUrl || KIRO_CONFIG.startUrl, |
| }, |
| }; |
| return mapped; |
| }, |
| }, |
|
|
| cursor: { |
| config: CURSOR_CONFIG, |
| flowType: "import_token", |
| |
| |
| mapTokens: (tokens) => ({ |
| accessToken: tokens.accessToken, |
| refreshToken: null, |
| expiresIn: tokens.expiresIn || 86400, |
| providerSpecificData: { |
| machineId: tokens.machineId, |
| authMethod: "imported", |
| }, |
| }), |
| }, |
|
|
| "kimi-coding": { |
| config: KIMI_CODING_CONFIG, |
| flowType: "device_code", |
| requestDeviceCode: async (config) => { |
| const response = await fetch(config.deviceCodeUrl, { |
| method: "POST", |
| headers: { "Content-Type": "application/x-www-form-urlencoded", Accept: "application/json" }, |
| body: new URLSearchParams({ client_id: config.clientId }), |
| }); |
| if (!response.ok) { |
| const error = await response.text(); |
| throw new Error(`Device code request failed: ${error}`); |
| } |
| const data = await response.json(); |
| return { |
| device_code: data.device_code, |
| user_code: data.user_code, |
| verification_uri: data.verification_uri || "https://www.kimi.com/code/authorize_device", |
| verification_uri_complete: |
| data.verification_uri_complete || |
| `https://www.kimi.com/code/authorize_device?user_code=${data.user_code}`, |
| expires_in: data.expires_in, |
| interval: data.interval || 5, |
| }; |
| }, |
| pollToken: async (config, deviceCode) => { |
| const response = await fetch(config.tokenUrl, { |
| method: "POST", |
| headers: { "Content-Type": "application/x-www-form-urlencoded", Accept: "application/json" }, |
| body: new URLSearchParams({ |
| grant_type: "urn:ietf:params:oauth:grant-type:device_code", |
| client_id: config.clientId, |
| device_code: deviceCode, |
| }), |
| }); |
| let data; |
| try { |
| data = await response.json(); |
| } catch (e) { |
| const text = await response.text(); |
| data = { error: "invalid_response", error_description: text }; |
| } |
| return { ok: response.ok, data }; |
| }, |
| mapTokens: (tokens) => ({ |
| accessToken: tokens.access_token, |
| refreshToken: tokens.refresh_token, |
| expiresIn: tokens.expires_in, |
| }), |
| }, |
|
|
| kilocode: { |
| config: KILOCODE_CONFIG, |
| flowType: "device_code", |
| requestDeviceCode: async (config) => { |
| const response = await fetch(config.initiateUrl, { |
| method: "POST", |
| headers: { "Content-Type": "application/json" }, |
| }); |
| if (!response.ok) { |
| if (response.status === 429) { |
| throw new Error("Too many pending authorization requests. Please try again later."); |
| } |
| const error = await response.text(); |
| throw new Error(`Device auth initiation failed: ${error}`); |
| } |
| const data = await response.json(); |
| return { |
| device_code: data.code, |
| user_code: data.code, |
| verification_uri: data.verificationUrl, |
| verification_uri_complete: data.verificationUrl, |
| expires_in: data.expiresIn || 300, |
| interval: 3, |
| }; |
| }, |
| pollToken: async (config, deviceCode) => { |
| const response = await fetch(`${config.pollUrlBase}/${deviceCode}`); |
| if (response.status === 202) return { ok: false, data: { error: "authorization_pending" } }; |
| if (response.status === 403) return { ok: false, data: { error: "access_denied", error_description: "Authorization denied by user" } }; |
| if (response.status === 410) return { ok: false, data: { error: "expired_token", error_description: "Authorization code expired" } }; |
| if (!response.ok) return { ok: false, data: { error: "poll_failed", error_description: `Poll failed: ${response.status}` } }; |
| const data = await response.json(); |
| if (data.status === "approved" && data.token) { |
| |
| let orgId = null; |
| try { |
| const profileRes = await fetch(`${config.apiBaseUrl}/api/profile`, { |
| headers: { "Authorization": `Bearer ${data.token}` } |
| }); |
| if (profileRes.ok) { |
| const profile = await profileRes.json(); |
| orgId = profile.organizations?.[0]?.id || null; |
| } |
| } catch {} |
| return { ok: true, data: { access_token: data.token, _userEmail: data.userEmail, _orgId: orgId } }; |
| } |
| return { ok: false, data: { error: "authorization_pending" } }; |
| }, |
| mapTokens: (tokens) => ({ |
| accessToken: tokens.access_token, |
| refreshToken: null, |
| expiresIn: null, |
| email: tokens._userEmail, |
| ...(tokens._orgId ? { providerSpecificData: { orgId: tokens._orgId } } : {}), |
| }), |
| }, |
|
|
| cline: { |
| config: CLINE_CONFIG, |
| flowType: "authorization_code", |
| buildAuthUrl: (config, redirectUri) => { |
| const params = new URLSearchParams({ |
| client_type: "extension", |
| callback_url: redirectUri, |
| redirect_uri: redirectUri, |
| }); |
| return `${config.authorizeUrl}?${params.toString()}`; |
| }, |
| exchangeToken: async (config, code, redirectUri) => { |
| try { |
| |
| let base64 = code; |
| const padding = 4 - (base64.length % 4); |
| if (padding !== 4) base64 += "=".repeat(padding); |
| const decoded = Buffer.from(base64, "base64").toString("utf-8"); |
| const lastBrace = decoded.lastIndexOf("}"); |
| if (lastBrace === -1) throw new Error("No JSON found in decoded code"); |
| const tokenData = JSON.parse(decoded.substring(0, lastBrace + 1)); |
| return { |
| access_token: tokenData.accessToken, |
| refresh_token: tokenData.refreshToken, |
| email: tokenData.email, |
| firstName: tokenData.firstName, |
| lastName: tokenData.lastName, |
| expires_at: tokenData.expiresAt, |
| }; |
| } catch (e) { |
| const response = await fetch(config.tokenExchangeUrl, { |
| method: "POST", |
| headers: { "Content-Type": "application/json", Accept: "application/json" }, |
| body: JSON.stringify({ grant_type: "authorization_code", code, client_type: "extension", redirect_uri: redirectUri }), |
| }); |
| if (!response.ok) { |
| const error = await response.text(); |
| throw new Error(`Cline token exchange failed: ${error}`); |
| } |
| const data = await response.json(); |
| return { |
| access_token: data.data?.accessToken || data.accessToken, |
| refresh_token: data.data?.refreshToken || data.refreshToken, |
| email: data.data?.userInfo?.email || "", |
| expires_at: data.data?.expiresAt || data.expiresAt, |
| }; |
| } |
| }, |
| mapTokens: (tokens) => ({ |
| accessToken: tokens.access_token, |
| refreshToken: tokens.refresh_token, |
| expiresIn: tokens.expires_at |
| ? Math.floor((new Date(tokens.expires_at).getTime() - Date.now()) / 1000) |
| : 3600, |
| email: tokens.email, |
| providerSpecificData: { firstName: tokens.firstName, lastName: tokens.lastName }, |
| }), |
| }, |
| |
| |
| gitlab: { |
| config: GITLAB_CONFIG, |
| flowType: "authorization_code_pkce", |
| buildAuthUrl: (config, redirectUri, state, codeChallenge, meta = {}) => { |
| const baseUrl = meta.baseUrl || config.defaultBaseUrl; |
| const clientId = meta.clientId || ""; |
| const params = new URLSearchParams({ |
| client_id: clientId, |
| redirect_uri: redirectUri, |
| response_type: "code", |
| state, |
| scope: config.scope, |
| code_challenge: codeChallenge, |
| code_challenge_method: config.codeChallengeMethod, |
| }); |
| return `${baseUrl}${config.authorizeUrlPath}?${params.toString()}`; |
| }, |
| exchangeToken: async (config, code, redirectUri, codeVerifier, state, meta = {}) => { |
| const baseUrl = meta.baseUrl || config.defaultBaseUrl; |
| const clientId = meta.clientId || ""; |
| const clientSecret = meta.clientSecret || ""; |
| const body = new URLSearchParams({ |
| client_id: clientId, |
| grant_type: "authorization_code", |
| code, |
| redirect_uri: redirectUri, |
| code_verifier: codeVerifier, |
| }); |
| if (clientSecret) body.set("client_secret", clientSecret); |
| const response = await fetch(`${baseUrl}${config.tokenUrlPath}`, { |
| method: "POST", |
| headers: { "Content-Type": "application/x-www-form-urlencoded", Accept: "application/json" }, |
| body: body.toString(), |
| }); |
| if (!response.ok) throw new Error(`GitLab token exchange failed: ${await response.text()}`); |
| const tokens = await response.json(); |
| |
| const userRes = await fetch(`${baseUrl}${config.userInfoUrlPath}`, { |
| headers: { Authorization: `Bearer ${tokens.access_token}` }, |
| }); |
| const user = userRes.ok ? await userRes.json() : {}; |
| return { ...tokens, _user: user, _baseUrl: baseUrl, _clientId: clientId }; |
| }, |
| mapTokens: (tokens) => ({ |
| accessToken: tokens.access_token, |
| refreshToken: tokens.refresh_token, |
| expiresIn: tokens.expires_in, |
| scope: tokens.scope, |
| providerSpecificData: { |
| username: tokens._user?.username || "", |
| email: tokens._user?.email || tokens._user?.public_email || "", |
| name: tokens._user?.name || "", |
| baseUrl: tokens._baseUrl, |
| clientId: tokens._clientId, |
| authKind: "oauth", |
| }, |
| }), |
| }, |
|
|
| |
| |
| |
| |
| codebuddy: { |
| config: CODEBUDDY_CONFIG, |
| flowType: "device_code", |
| requestDeviceCode: async (config) => { |
| const response = await fetch(`${config.stateUrl}?platform=${config.platform}`, { |
| method: "POST", |
| headers: { |
| "Content-Type": "application/json", |
| Accept: "application/json", |
| "User-Agent": config.userAgent, |
| "X-Requested-With": "XMLHttpRequest", |
| "X-Domain": "copilot.tencent.com", |
| "X-No-Authorization": "true", |
| "X-No-User-Id": "true", |
| "X-Product": "SaaS", |
| }, |
| body: "{}", |
| }); |
| if (!response.ok) throw new Error(`CodeBuddy state request failed: ${await response.text()}`); |
| const data = await response.json(); |
| if (data.code !== 0 || !data.data?.state || !data.data?.authUrl) { |
| throw new Error(`CodeBuddy state error: ${data.msg || "missing state/authUrl"}`); |
| } |
| return { |
| device_code: data.data.state, |
| verification_uri: data.data.authUrl, |
| user_code: "", |
| interval: config.pollInterval / 1000, |
| _isCodeBuddy: true, |
| }; |
| }, |
| pollToken: async (config, deviceCode) => { |
| const response = await fetch(config.tokenUrl, { |
| method: "POST", |
| headers: { |
| "Content-Type": "application/json", |
| Accept: "application/json", |
| "User-Agent": config.userAgent, |
| "X-Requested-With": "XMLHttpRequest", |
| "X-Domain": "copilot.tencent.com", |
| "X-No-Authorization": "true", |
| "X-No-User-Id": "true", |
| "X-Product": "SaaS", |
| }, |
| body: JSON.stringify({ state: deviceCode }), |
| }); |
| if (!response.ok) return { ok: false, data: { error: "request_failed" } }; |
| const data = await response.json(); |
| |
| if (data.code === 0 && data.data?.accessToken) { |
| return { |
| ok: true, |
| data: { |
| access_token: data.data.accessToken, |
| refresh_token: data.data.refreshToken || "", |
| token_type: data.data.tokenType || "Bearer", |
| }, |
| }; |
| } |
| if (data.code === 11217) return { ok: true, data: { error: "authorization_pending" } }; |
| return { ok: false, data: { error: data.msg || "unknown_error" } }; |
| }, |
| mapTokens: (tokens) => ({ |
| accessToken: tokens.access_token, |
| refreshToken: tokens.refresh_token, |
| expiresIn: 86400, |
| providerSpecificData: {}, |
| }), |
| }, |
| }; |
|
|
| |
| |
| |
| export function getProvider(name) { |
| const provider = PROVIDERS[name]; |
| if (!provider) { |
| throw new Error(`Unknown provider: ${name}`); |
| } |
| return provider; |
| } |
|
|
| |
| |
| |
| export function getProviderNames() { |
| return Object.keys(PROVIDERS); |
| } |
|
|
| |
| |
| |
| |
| export async function generateAuthData(providerName, redirectUri, meta) { |
| const provider = getProvider(providerName); |
| const config = provider.prepareConfig |
| ? await provider.prepareConfig(provider.config, meta || {}) |
| : provider.config; |
| const { codeVerifier, codeChallenge, state } = generatePKCE(provider.pkceVerifierBytes); |
|
|
| let authUrl; |
| if (provider.flowType === "device_code") { |
| |
| authUrl = null; |
| } else if (provider.flowType === "authorization_code_pkce") { |
| authUrl = provider.buildAuthUrl(config, redirectUri, state, codeChallenge, meta || {}); |
| } else { |
| authUrl = provider.buildAuthUrl(config, redirectUri, state, undefined, meta || {}); |
| } |
|
|
| return { |
| authUrl, |
| state, |
| codeVerifier, |
| codeChallenge, |
| redirectUri, |
| flowType: provider.flowType, |
| fixedPort: provider.fixedPort, |
| callbackPath: provider.callbackPath || "/callback", |
| }; |
| } |
|
|
| |
| |
| |
| |
| export async function exchangeTokens(providerName, code, redirectUri, codeVerifier, state, meta) { |
| const provider = getProvider(providerName); |
| const config = provider.prepareConfig |
| ? await provider.prepareConfig(provider.config, meta || {}) |
| : provider.config; |
|
|
| const tokens = await provider.exchangeToken(config, code, redirectUri, codeVerifier, state, meta || {}); |
|
|
| let extra = null; |
| if (provider.postExchange) { |
| extra = await provider.postExchange(tokens); |
| } |
|
|
| return provider.mapTokens(tokens, extra); |
| } |
|
|
| |
| |
| |
| export async function requestDeviceCode(providerName, codeChallenge, options) { |
| const provider = getProvider(providerName); |
| if (provider.flowType !== "device_code") { |
| throw new Error(`Provider ${providerName} does not support device code flow`); |
| } |
| return await provider.requestDeviceCode(provider.config, codeChallenge, options || {}); |
| } |
|
|
| |
| |
| |
| |
| |
| |
| |
| export async function pollForToken(providerName, deviceCode, codeVerifier, extraData) { |
| const provider = getProvider(providerName); |
| if (provider.flowType !== "device_code") { |
| throw new Error(`Provider ${providerName} does not support device code flow`); |
| } |
|
|
| const result = await provider.pollToken(provider.config, deviceCode, codeVerifier, extraData); |
|
|
| if (result.ok) { |
| |
| if (result.data.access_token) { |
| |
| let extra = null; |
| if (provider.postExchange) { |
| extra = await provider.postExchange(result.data); |
| } |
| const tokens = provider.mapTokens(result.data, extra); |
| |
| if (providerName === "kiro" && !tokens.providerSpecificData?.profileArn) { |
| const profileArn = await fetchKiroProfileArn(tokens.accessToken); |
| if (profileArn) tokens.providerSpecificData.profileArn = profileArn; |
| } |
| return { success: true, tokens }; |
| } else { |
| |
| if (result.data.error === 'authorization_pending' || result.data.error === 'slow_down') { |
| |
| return { |
| success: false, |
| error: result.data.error, |
| errorDescription: result.data.error_description || result.data.message, |
| pending: result.data.error === 'authorization_pending' |
| }; |
| } else { |
| |
| return { |
| success: false, |
| error: result.data.error || 'no_access_token', |
| errorDescription: result.data.error_description || result.data.message || 'No access token received' |
| }; |
| } |
| } |
| } |
|
|
| return { success: false, error: result.data.error, errorDescription: result.data.error_description }; |
| } |
|
|
| |
| let codexBackfillDone = false; |
|
|
| |
| export async function backfillCodexEmails() { |
| if (codexBackfillDone) return; |
| codexBackfillDone = true; |
| try { |
| const { getProviderConnections, updateProviderConnection } = await import("@/lib/localDb"); |
| const connections = await getProviderConnections(); |
| const targets = connections.filter((c) => { |
| if (c.provider !== "codex" || c.authType !== "oauth" || !c.idToken) return false; |
| const hasEmail = !!c.email; |
| const hasAccountInfo = !!c.providerSpecificData?.chatgptAccountId; |
| return !hasEmail || !hasAccountInfo; |
| }); |
| for (const conn of targets) { |
| const info = extractCodexAccountInfo(conn.idToken); |
| if (!info.email && !info.chatgptAccountId) continue; |
| const patch = {}; |
| if (!conn.email && info.email) patch.email = info.email; |
| if (info.chatgptAccountId || info.chatgptPlanType) { |
| patch.providerSpecificData = { |
| ...(conn.providerSpecificData || {}), |
| chatgptAccountId: info.chatgptAccountId, |
| chatgptPlanType: info.chatgptPlanType, |
| }; |
| } |
| if (Object.keys(patch).length) { |
| await updateProviderConnection(conn.id, patch); |
| } |
| } |
| } catch (err) { |
| codexBackfillDone = false; |
| console.log("backfillCodexEmails failed:", err?.message || err); |
| } |
| } |
|
|