mirror of
https://github.com/openclaw/openclaw.git
synced 2026-05-08 15:18:28 +00:00
7ecfc1d93c
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 2dee8e1174
Co-authored-by: mudrii <220262+mudrii@users.noreply.github.com>
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Reviewed-by: @obviyus
377 lines
11 KiB
TypeScript
377 lines
11 KiB
TypeScript
import {
|
|
getOAuthApiKey,
|
|
getOAuthProviders,
|
|
type OAuthCredentials,
|
|
type OAuthProvider,
|
|
} from "@mariozechner/pi-ai";
|
|
import type { OpenClawConfig } from "../../config/config.js";
|
|
import { withFileLock } from "../../infra/file-lock.js";
|
|
import { refreshQwenPortalCredentials } from "../../providers/qwen-portal-oauth.js";
|
|
import { refreshChutesTokens } from "../chutes-oauth.js";
|
|
import { AUTH_STORE_LOCK_OPTIONS, log } from "./constants.js";
|
|
import { formatAuthDoctorHint } from "./doctor.js";
|
|
import { ensureAuthStoreFile, resolveAuthStorePath } from "./paths.js";
|
|
import { suggestOAuthProfileIdForLegacyDefault } from "./repair.js";
|
|
import { ensureAuthProfileStore, saveAuthProfileStore } from "./store.js";
|
|
import type { AuthProfileStore } from "./types.js";
|
|
|
|
const OAUTH_PROVIDER_IDS = new Set<string>(getOAuthProviders().map((provider) => provider.id));
|
|
|
|
const isOAuthProvider = (provider: string): provider is OAuthProvider =>
|
|
OAUTH_PROVIDER_IDS.has(provider);
|
|
|
|
const resolveOAuthProvider = (provider: string): OAuthProvider | null =>
|
|
isOAuthProvider(provider) ? provider : null;
|
|
|
|
/** Bearer-token auth modes that are interchangeable (oauth tokens and raw tokens). */
|
|
const BEARER_AUTH_MODES = new Set(["oauth", "token"]);
|
|
|
|
const isCompatibleModeType = (mode: string | undefined, type: string | undefined): boolean => {
|
|
if (!mode || !type) {
|
|
return false;
|
|
}
|
|
if (mode === type) {
|
|
return true;
|
|
}
|
|
// Both token and oauth represent bearer-token auth paths — allow bidirectional compat.
|
|
return BEARER_AUTH_MODES.has(mode) && BEARER_AUTH_MODES.has(type);
|
|
};
|
|
|
|
function isProfileConfigCompatible(params: {
|
|
cfg?: OpenClawConfig;
|
|
profileId: string;
|
|
provider: string;
|
|
mode: "api_key" | "token" | "oauth";
|
|
allowOAuthTokenCompatibility?: boolean;
|
|
}): boolean {
|
|
const profileConfig = params.cfg?.auth?.profiles?.[params.profileId];
|
|
if (profileConfig && profileConfig.provider !== params.provider) {
|
|
return false;
|
|
}
|
|
if (profileConfig && !isCompatibleModeType(profileConfig.mode, params.mode)) {
|
|
return false;
|
|
}
|
|
return true;
|
|
}
|
|
|
|
function buildOAuthApiKey(provider: string, credentials: OAuthCredentials): string {
|
|
const needsProjectId = provider === "google-gemini-cli" || provider === "google-antigravity";
|
|
return needsProjectId
|
|
? JSON.stringify({
|
|
token: credentials.access,
|
|
projectId: credentials.projectId,
|
|
})
|
|
: credentials.access;
|
|
}
|
|
|
|
function buildApiKeyProfileResult(params: { apiKey: string; provider: string; email?: string }) {
|
|
return {
|
|
apiKey: params.apiKey,
|
|
provider: params.provider,
|
|
email: params.email,
|
|
};
|
|
}
|
|
|
|
function buildOAuthProfileResult(params: {
|
|
provider: string;
|
|
credentials: OAuthCredentials;
|
|
email?: string;
|
|
}) {
|
|
return buildApiKeyProfileResult({
|
|
apiKey: buildOAuthApiKey(params.provider, params.credentials),
|
|
provider: params.provider,
|
|
email: params.email,
|
|
});
|
|
}
|
|
|
|
function isExpiredCredential(expires: number | undefined): boolean {
|
|
return (
|
|
typeof expires === "number" && Number.isFinite(expires) && expires > 0 && Date.now() >= expires
|
|
);
|
|
}
|
|
|
|
type ResolveApiKeyForProfileParams = {
|
|
cfg?: OpenClawConfig;
|
|
store: AuthProfileStore;
|
|
profileId: string;
|
|
agentDir?: string;
|
|
};
|
|
|
|
function adoptNewerMainOAuthCredential(params: {
|
|
store: AuthProfileStore;
|
|
profileId: string;
|
|
agentDir?: string;
|
|
cred: OAuthCredentials & { type: "oauth"; provider: string; email?: string };
|
|
}): (OAuthCredentials & { type: "oauth"; provider: string; email?: string }) | null {
|
|
if (!params.agentDir) {
|
|
return null;
|
|
}
|
|
try {
|
|
const mainStore = ensureAuthProfileStore(undefined);
|
|
const mainCred = mainStore.profiles[params.profileId];
|
|
if (
|
|
mainCred?.type === "oauth" &&
|
|
mainCred.provider === params.cred.provider &&
|
|
Number.isFinite(mainCred.expires) &&
|
|
(!Number.isFinite(params.cred.expires) || mainCred.expires > params.cred.expires)
|
|
) {
|
|
params.store.profiles[params.profileId] = { ...mainCred };
|
|
saveAuthProfileStore(params.store, params.agentDir);
|
|
log.info("adopted newer OAuth credentials from main agent", {
|
|
profileId: params.profileId,
|
|
agentDir: params.agentDir,
|
|
expires: new Date(mainCred.expires).toISOString(),
|
|
});
|
|
return mainCred;
|
|
}
|
|
} catch (err) {
|
|
// Best-effort: don't crash if main agent store is missing or unreadable.
|
|
log.debug("adoptNewerMainOAuthCredential failed", {
|
|
profileId: params.profileId,
|
|
error: err instanceof Error ? err.message : String(err),
|
|
});
|
|
}
|
|
return null;
|
|
}
|
|
|
|
async function refreshOAuthTokenWithLock(params: {
|
|
profileId: string;
|
|
agentDir?: string;
|
|
}): Promise<{ apiKey: string; newCredentials: OAuthCredentials } | null> {
|
|
const authPath = resolveAuthStorePath(params.agentDir);
|
|
ensureAuthStoreFile(authPath);
|
|
|
|
return await withFileLock(authPath, AUTH_STORE_LOCK_OPTIONS, async () => {
|
|
const store = ensureAuthProfileStore(params.agentDir);
|
|
const cred = store.profiles[params.profileId];
|
|
if (!cred || cred.type !== "oauth") {
|
|
return null;
|
|
}
|
|
|
|
if (Date.now() < cred.expires) {
|
|
return {
|
|
apiKey: buildOAuthApiKey(cred.provider, cred),
|
|
newCredentials: cred,
|
|
};
|
|
}
|
|
|
|
const oauthCreds: Record<string, OAuthCredentials> = {
|
|
[cred.provider]: cred,
|
|
};
|
|
|
|
const result =
|
|
String(cred.provider) === "chutes"
|
|
? await (async () => {
|
|
const newCredentials = await refreshChutesTokens({
|
|
credential: cred,
|
|
});
|
|
return { apiKey: newCredentials.access, newCredentials };
|
|
})()
|
|
: String(cred.provider) === "qwen-portal"
|
|
? await (async () => {
|
|
const newCredentials = await refreshQwenPortalCredentials(cred);
|
|
return { apiKey: newCredentials.access, newCredentials };
|
|
})()
|
|
: await (async () => {
|
|
const oauthProvider = resolveOAuthProvider(cred.provider);
|
|
if (!oauthProvider) {
|
|
return null;
|
|
}
|
|
return await getOAuthApiKey(oauthProvider, oauthCreds);
|
|
})();
|
|
if (!result) {
|
|
return null;
|
|
}
|
|
store.profiles[params.profileId] = {
|
|
...cred,
|
|
...result.newCredentials,
|
|
type: "oauth",
|
|
};
|
|
saveAuthProfileStore(store, params.agentDir);
|
|
|
|
return result;
|
|
});
|
|
}
|
|
|
|
async function tryResolveOAuthProfile(
|
|
params: ResolveApiKeyForProfileParams,
|
|
): Promise<{ apiKey: string; provider: string; email?: string } | null> {
|
|
const { cfg, store, profileId } = params;
|
|
const cred = store.profiles[profileId];
|
|
if (!cred || cred.type !== "oauth") {
|
|
return null;
|
|
}
|
|
if (
|
|
!isProfileConfigCompatible({
|
|
cfg,
|
|
profileId,
|
|
provider: cred.provider,
|
|
mode: cred.type,
|
|
})
|
|
) {
|
|
return null;
|
|
}
|
|
|
|
if (Date.now() < cred.expires) {
|
|
return buildOAuthProfileResult({
|
|
provider: cred.provider,
|
|
credentials: cred,
|
|
email: cred.email,
|
|
});
|
|
}
|
|
|
|
const refreshed = await refreshOAuthTokenWithLock({
|
|
profileId,
|
|
agentDir: params.agentDir,
|
|
});
|
|
if (!refreshed) {
|
|
return null;
|
|
}
|
|
return buildApiKeyProfileResult({
|
|
apiKey: refreshed.apiKey,
|
|
provider: cred.provider,
|
|
email: cred.email,
|
|
});
|
|
}
|
|
|
|
export async function resolveApiKeyForProfile(
|
|
params: ResolveApiKeyForProfileParams,
|
|
): Promise<{ apiKey: string; provider: string; email?: string } | null> {
|
|
const { cfg, store, profileId } = params;
|
|
const cred = store.profiles[profileId];
|
|
if (!cred) {
|
|
return null;
|
|
}
|
|
if (
|
|
!isProfileConfigCompatible({
|
|
cfg,
|
|
profileId,
|
|
provider: cred.provider,
|
|
mode: cred.type,
|
|
// Compatibility: treat "oauth" config as compatible with stored token profiles.
|
|
allowOAuthTokenCompatibility: true,
|
|
})
|
|
) {
|
|
return null;
|
|
}
|
|
|
|
if (cred.type === "api_key") {
|
|
const key = cred.key?.trim();
|
|
if (!key) {
|
|
return null;
|
|
}
|
|
return buildApiKeyProfileResult({ apiKey: key, provider: cred.provider, email: cred.email });
|
|
}
|
|
if (cred.type === "token") {
|
|
const token = cred.token?.trim();
|
|
if (!token) {
|
|
return null;
|
|
}
|
|
if (isExpiredCredential(cred.expires)) {
|
|
return null;
|
|
}
|
|
return buildApiKeyProfileResult({ apiKey: token, provider: cred.provider, email: cred.email });
|
|
}
|
|
|
|
const oauthCred =
|
|
adoptNewerMainOAuthCredential({
|
|
store,
|
|
profileId,
|
|
agentDir: params.agentDir,
|
|
cred,
|
|
}) ?? cred;
|
|
|
|
if (Date.now() < oauthCred.expires) {
|
|
return buildOAuthProfileResult({
|
|
provider: oauthCred.provider,
|
|
credentials: oauthCred,
|
|
email: oauthCred.email,
|
|
});
|
|
}
|
|
|
|
try {
|
|
const result = await refreshOAuthTokenWithLock({
|
|
profileId,
|
|
agentDir: params.agentDir,
|
|
});
|
|
if (!result) {
|
|
return null;
|
|
}
|
|
return buildApiKeyProfileResult({
|
|
apiKey: result.apiKey,
|
|
provider: cred.provider,
|
|
email: cred.email,
|
|
});
|
|
} catch (error) {
|
|
const refreshedStore = ensureAuthProfileStore(params.agentDir);
|
|
const refreshed = refreshedStore.profiles[profileId];
|
|
if (refreshed?.type === "oauth" && Date.now() < refreshed.expires) {
|
|
return buildOAuthProfileResult({
|
|
provider: refreshed.provider,
|
|
credentials: refreshed,
|
|
email: refreshed.email ?? cred.email,
|
|
});
|
|
}
|
|
const fallbackProfileId = suggestOAuthProfileIdForLegacyDefault({
|
|
cfg,
|
|
store: refreshedStore,
|
|
provider: cred.provider,
|
|
legacyProfileId: profileId,
|
|
});
|
|
if (fallbackProfileId && fallbackProfileId !== profileId) {
|
|
try {
|
|
const fallbackResolved = await tryResolveOAuthProfile({
|
|
cfg,
|
|
store: refreshedStore,
|
|
profileId: fallbackProfileId,
|
|
agentDir: params.agentDir,
|
|
});
|
|
if (fallbackResolved) {
|
|
return fallbackResolved;
|
|
}
|
|
} catch {
|
|
// keep original error
|
|
}
|
|
}
|
|
|
|
// Fallback: if this is a secondary agent, try using the main agent's credentials
|
|
if (params.agentDir) {
|
|
try {
|
|
const mainStore = ensureAuthProfileStore(undefined); // main agent (no agentDir)
|
|
const mainCred = mainStore.profiles[profileId];
|
|
if (mainCred?.type === "oauth" && Date.now() < mainCred.expires) {
|
|
// Main agent has fresh credentials - copy them to this agent and use them
|
|
refreshedStore.profiles[profileId] = { ...mainCred };
|
|
saveAuthProfileStore(refreshedStore, params.agentDir);
|
|
log.info("inherited fresh OAuth credentials from main agent", {
|
|
profileId,
|
|
agentDir: params.agentDir,
|
|
expires: new Date(mainCred.expires).toISOString(),
|
|
});
|
|
return buildOAuthProfileResult({
|
|
provider: mainCred.provider,
|
|
credentials: mainCred,
|
|
email: mainCred.email,
|
|
});
|
|
}
|
|
} catch {
|
|
// keep original error if main agent fallback also fails
|
|
}
|
|
}
|
|
|
|
const message = error instanceof Error ? error.message : String(error);
|
|
const hint = formatAuthDoctorHint({
|
|
cfg,
|
|
store: refreshedStore,
|
|
provider: cred.provider,
|
|
profileId,
|
|
});
|
|
throw new Error(
|
|
`OAuth token refresh failed for ${cred.provider}: ${message}. ` +
|
|
"Please try again or re-authenticate." +
|
|
(hint ? `\n\n${hint}` : ""),
|
|
{ cause: error },
|
|
);
|
|
}
|
|
}
|