mirror of
https://github.com/getcompanion-ai/co-mono.git
synced 2026-04-18 12:03:03 +00:00
330 lines
8.3 KiB
TypeScript
330 lines
8.3 KiB
TypeScript
/**
|
|
* Credential storage for API keys and OAuth tokens.
|
|
* Handles loading, saving, and refreshing credentials from auth.json.
|
|
*
|
|
* Uses file locking to prevent race conditions when multiple pi instances
|
|
* try to refresh tokens simultaneously.
|
|
*/
|
|
|
|
import {
|
|
getEnvApiKey,
|
|
getOAuthApiKey,
|
|
getOAuthProvider,
|
|
getOAuthProviders,
|
|
type OAuthCredentials,
|
|
type OAuthLoginCallbacks,
|
|
type OAuthProviderId,
|
|
} from "@mariozechner/pi-ai";
|
|
import { chmodSync, existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
|
|
import { dirname, join } from "path";
|
|
import lockfile from "proper-lockfile";
|
|
import { getAgentDir } from "../config.js";
|
|
|
|
export type ApiKeyCredential = {
|
|
type: "api_key";
|
|
key: string;
|
|
};
|
|
|
|
export type OAuthCredential = {
|
|
type: "oauth";
|
|
} & OAuthCredentials;
|
|
|
|
export type AuthCredential = ApiKeyCredential | OAuthCredential;
|
|
|
|
export type AuthStorageData = Record<string, AuthCredential>;
|
|
|
|
/**
|
|
* Credential storage backed by a JSON file.
|
|
*/
|
|
export class AuthStorage {
|
|
private data: AuthStorageData = {};
|
|
private runtimeOverrides: Map<string, string> = new Map();
|
|
private fallbackResolver?: (provider: string) => string | undefined;
|
|
|
|
constructor(private authPath: string = join(getAgentDir(), "auth.json")) {
|
|
this.reload();
|
|
}
|
|
|
|
/**
|
|
* Set a runtime API key override (not persisted to disk).
|
|
* Used for CLI --api-key flag.
|
|
*/
|
|
setRuntimeApiKey(provider: string, apiKey: string): void {
|
|
this.runtimeOverrides.set(provider, apiKey);
|
|
}
|
|
|
|
/**
|
|
* Remove a runtime API key override.
|
|
*/
|
|
removeRuntimeApiKey(provider: string): void {
|
|
this.runtimeOverrides.delete(provider);
|
|
}
|
|
|
|
/**
|
|
* Set a fallback resolver for API keys not found in auth.json or env vars.
|
|
* Used for custom provider keys from models.json.
|
|
*/
|
|
setFallbackResolver(resolver: (provider: string) => string | undefined): void {
|
|
this.fallbackResolver = resolver;
|
|
}
|
|
|
|
/**
|
|
* Reload credentials from disk.
|
|
*/
|
|
reload(): void {
|
|
if (!existsSync(this.authPath)) {
|
|
this.data = {};
|
|
return;
|
|
}
|
|
try {
|
|
this.data = JSON.parse(readFileSync(this.authPath, "utf-8"));
|
|
} catch {
|
|
this.data = {};
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Save credentials to disk.
|
|
*/
|
|
private save(): void {
|
|
const dir = dirname(this.authPath);
|
|
if (!existsSync(dir)) {
|
|
mkdirSync(dir, { recursive: true, mode: 0o700 });
|
|
}
|
|
writeFileSync(this.authPath, JSON.stringify(this.data, null, 2), "utf-8");
|
|
chmodSync(this.authPath, 0o600);
|
|
}
|
|
|
|
/**
|
|
* Get credential for a provider.
|
|
*/
|
|
get(provider: string): AuthCredential | undefined {
|
|
return this.data[provider] ?? undefined;
|
|
}
|
|
|
|
/**
|
|
* Set credential for a provider.
|
|
*/
|
|
set(provider: string, credential: AuthCredential): void {
|
|
this.data[provider] = credential;
|
|
this.save();
|
|
}
|
|
|
|
/**
|
|
* Remove credential for a provider.
|
|
*/
|
|
remove(provider: string): void {
|
|
delete this.data[provider];
|
|
this.save();
|
|
}
|
|
|
|
/**
|
|
* List all providers with credentials.
|
|
*/
|
|
list(): string[] {
|
|
return Object.keys(this.data);
|
|
}
|
|
|
|
/**
|
|
* Check if credentials exist for a provider in auth.json.
|
|
*/
|
|
has(provider: string): boolean {
|
|
return provider in this.data;
|
|
}
|
|
|
|
/**
|
|
* Check if any form of auth is configured for a provider.
|
|
* Unlike getApiKey(), this doesn't refresh OAuth tokens.
|
|
*/
|
|
hasAuth(provider: string): boolean {
|
|
if (this.runtimeOverrides.has(provider)) return true;
|
|
if (this.data[provider]) return true;
|
|
if (getEnvApiKey(provider)) return true;
|
|
if (this.fallbackResolver?.(provider)) return true;
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* Get all credentials (for passing to getOAuthApiKey).
|
|
*/
|
|
getAll(): AuthStorageData {
|
|
return { ...this.data };
|
|
}
|
|
|
|
/**
|
|
* Login to an OAuth provider.
|
|
*/
|
|
async login(providerId: OAuthProviderId, callbacks: OAuthLoginCallbacks): Promise<void> {
|
|
const provider = getOAuthProvider(providerId);
|
|
if (!provider) {
|
|
throw new Error(`Unknown OAuth provider: ${providerId}`);
|
|
}
|
|
|
|
const credentials = await provider.login(callbacks);
|
|
this.set(providerId, { type: "oauth", ...credentials });
|
|
}
|
|
|
|
/**
|
|
* Logout from a provider.
|
|
*/
|
|
logout(provider: string): void {
|
|
this.remove(provider);
|
|
}
|
|
|
|
/**
|
|
* Refresh OAuth token with file locking to prevent race conditions.
|
|
* Multiple pi instances may try to refresh simultaneously when tokens expire.
|
|
* This ensures only one instance refreshes while others wait and use the result.
|
|
*/
|
|
private async refreshOAuthTokenWithLock(
|
|
providerId: OAuthProviderId,
|
|
): Promise<{ apiKey: string; newCredentials: OAuthCredentials } | null> {
|
|
const provider = getOAuthProvider(providerId);
|
|
if (!provider) {
|
|
return null;
|
|
}
|
|
|
|
// Ensure auth file exists for locking
|
|
if (!existsSync(this.authPath)) {
|
|
const dir = dirname(this.authPath);
|
|
if (!existsSync(dir)) {
|
|
mkdirSync(dir, { recursive: true, mode: 0o700 });
|
|
}
|
|
writeFileSync(this.authPath, "{}", "utf-8");
|
|
chmodSync(this.authPath, 0o600);
|
|
}
|
|
|
|
let release: (() => Promise<void>) | undefined;
|
|
|
|
try {
|
|
// Acquire exclusive lock with retry and timeout
|
|
// Use generous retry window to handle slow token endpoints
|
|
release = await lockfile.lock(this.authPath, {
|
|
retries: {
|
|
retries: 10,
|
|
factor: 2,
|
|
minTimeout: 100,
|
|
maxTimeout: 10000,
|
|
randomize: true,
|
|
},
|
|
stale: 30000, // Consider lock stale after 30 seconds
|
|
});
|
|
|
|
// Re-read file after acquiring lock - another instance may have refreshed
|
|
this.reload();
|
|
|
|
const cred = this.data[providerId];
|
|
if (cred?.type !== "oauth") {
|
|
return null;
|
|
}
|
|
|
|
// Check if token is still expired after re-reading
|
|
// (another instance may have already refreshed it)
|
|
if (Date.now() < cred.expires) {
|
|
// Token is now valid - another instance refreshed it
|
|
const apiKey = provider.getApiKey(cred);
|
|
return { apiKey, newCredentials: cred };
|
|
}
|
|
|
|
// Token still expired, we need to refresh
|
|
const oauthCreds: Record<string, OAuthCredentials> = {};
|
|
for (const [key, value] of Object.entries(this.data)) {
|
|
if (value.type === "oauth") {
|
|
oauthCreds[key] = value;
|
|
}
|
|
}
|
|
|
|
const result = await getOAuthApiKey(providerId, oauthCreds);
|
|
if (result) {
|
|
this.data[providerId] = { type: "oauth", ...result.newCredentials };
|
|
this.save();
|
|
return result;
|
|
}
|
|
|
|
return null;
|
|
} finally {
|
|
// Always release the lock
|
|
if (release) {
|
|
try {
|
|
await release();
|
|
} catch {
|
|
// Ignore unlock errors (lock may have been compromised)
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Get API key for a provider.
|
|
* Priority:
|
|
* 1. Runtime override (CLI --api-key)
|
|
* 2. API key from auth.json
|
|
* 3. OAuth token from auth.json (auto-refreshed with locking)
|
|
* 4. Environment variable
|
|
* 5. Fallback resolver (models.json custom providers)
|
|
*/
|
|
async getApiKey(providerId: string): Promise<string | undefined> {
|
|
// Runtime override takes highest priority
|
|
const runtimeKey = this.runtimeOverrides.get(providerId);
|
|
if (runtimeKey) {
|
|
return runtimeKey;
|
|
}
|
|
|
|
const cred = this.data[providerId];
|
|
|
|
if (cred?.type === "api_key") {
|
|
return cred.key;
|
|
}
|
|
|
|
if (cred?.type === "oauth") {
|
|
const provider = getOAuthProvider(providerId);
|
|
if (!provider) {
|
|
// Unknown OAuth provider, can't get API key
|
|
return undefined;
|
|
}
|
|
|
|
// Check if token needs refresh
|
|
const needsRefresh = Date.now() >= cred.expires;
|
|
|
|
if (needsRefresh) {
|
|
// Use locked refresh to prevent race conditions
|
|
try {
|
|
const result = await this.refreshOAuthTokenWithLock(providerId);
|
|
if (result) {
|
|
return result.apiKey;
|
|
}
|
|
} catch {
|
|
// Refresh failed - re-read file to check if another instance succeeded
|
|
this.reload();
|
|
const updatedCred = this.data[providerId];
|
|
|
|
if (updatedCred?.type === "oauth" && Date.now() < updatedCred.expires) {
|
|
// Another instance refreshed successfully, use those credentials
|
|
return provider.getApiKey(updatedCred);
|
|
}
|
|
|
|
// Refresh truly failed - return undefined so model discovery skips this provider
|
|
// User can /login to re-authenticate (credentials preserved for retry)
|
|
return undefined;
|
|
}
|
|
} else {
|
|
// Token not expired, use current access token
|
|
return provider.getApiKey(cred);
|
|
}
|
|
}
|
|
|
|
// Fall back to environment variable
|
|
const envKey = getEnvApiKey(providerId);
|
|
if (envKey) return envKey;
|
|
|
|
// Fall back to custom resolver (e.g., models.json custom providers)
|
|
return this.fallbackResolver?.(providerId) ?? undefined;
|
|
}
|
|
|
|
/**
|
|
* Get all registered OAuth providers
|
|
*/
|
|
getOAuthProviders() {
|
|
return getOAuthProviders();
|
|
}
|
|
}
|