From 5ad888c73c29cd4226dfbacb0285cbd1ad1e6696 Mon Sep 17 00:00:00 2001 From: Amit Singh Date: Mon, 22 Dec 2025 12:53:45 +0530 Subject: [PATCH 1/4] feat(auth): add OAuth login support for OpenRouter provider --- crates/forge_api/src/lib.rs | 2 + crates/forge_domain/src/auth/credentials.rs | 22 +- crates/forge_domain/src/auth/oauth_config.rs | 4 +- .../forge_infra/src/auth/callback_server.rs | 209 ++++++++++++++++++ crates/forge_infra/src/auth/http/anthropic.rs | 17 +- crates/forge_infra/src/auth/http/mod.rs | 2 + .../forge_infra/src/auth/http/openrouter.rs | 153 +++++++++++++ crates/forge_infra/src/auth/http/standard.rs | 28 ++- crates/forge_infra/src/auth/mod.rs | 2 + crates/forge_infra/src/auth/strategy.rs | 80 +++++-- crates/forge_infra/src/auth/util.rs | 69 +++--- crates/forge_infra/src/lib.rs | 1 + crates/forge_main/src/ui.rs | 115 ++++++++-- crates/forge_repo/src/provider.json | 16 +- 14 files changed, 625 insertions(+), 95 deletions(-) create mode 100644 crates/forge_infra/src/auth/callback_server.rs create mode 100644 crates/forge_infra/src/auth/http/openrouter.rs diff --git a/crates/forge_api/src/lib.rs b/crates/forge_api/src/lib.rs index bf407ba049..20968cf7cb 100644 --- a/crates/forge_api/src/lib.rs +++ b/crates/forge_api/src/lib.rs @@ -6,3 +6,5 @@ pub use forge_api::*; pub use forge_app::dto::*; pub use forge_app::{Plan, UsageInfo, UserUsage}; pub use forge_domain::{Agent, *}; +// Re-export OAuth callback server for CLI use +pub use forge_infra::start_callback_server; diff --git a/crates/forge_domain/src/auth/credentials.rs b/crates/forge_domain/src/auth/credentials.rs index 063dbc65c5..b60f98c018 100644 --- a/crates/forge_domain/src/auth/credentials.rs +++ b/crates/forge_domain/src/auth/credentials.rs @@ -94,14 +94,15 @@ impl AuthDetails { pub struct OAuthTokens { pub access_token: AccessToken, pub refresh_token: Option, - pub expires_at: DateTime, + #[serde(skip_serializing_if = "Option::is_none")] + pub expires_at: Option>, } impl OAuthTokens { pub fn new( access_token: impl ToString, refresh_token: Option, - expires_at: DateTime, + expires_at: Option>, ) -> Self { Self { access_token: access_token.to_string().into(), @@ -111,14 +112,21 @@ impl OAuthTokens { } /// Checks if the token is expired or will expire within the given buffer - /// duration + /// duration. Returns false if no expiration is set (token doesn't expire). pub fn needs_refresh(&self, buffer: chrono::Duration) -> bool { - let now = Utc::now(); - now + buffer >= self.expires_at + self.expires_at + .map(|expires_at| { + let now = Utc::now(); + now + buffer >= expires_at + }) + .unwrap_or(false) // No expiration = doesn't need refresh } - /// Checks if the token is currently expired + /// Checks if the token is currently expired. + /// Returns false if no expiration is set (token doesn't expire). pub fn is_expired(&self) -> bool { - Utc::now() >= self.expires_at + self.expires_at + .map(|expires_at| Utc::now() >= expires_at) + .unwrap_or(false) // No expiration = not expired } } diff --git a/crates/forge_domain/src/auth/oauth_config.rs b/crates/forge_domain/src/auth/oauth_config.rs index f9c99344e3..60d0c8319f 100644 --- a/crates/forge_domain/src/auth/oauth_config.rs +++ b/crates/forge_domain/src/auth/oauth_config.rs @@ -14,7 +14,9 @@ pub struct ClientId(String); pub struct OAuthConfig { pub auth_url: Url, pub token_url: Url, - pub client_id: ClientId, + #[serde(skip_serializing_if = "Option::is_none")] + pub client_id: Option, + #[serde(default)] pub scopes: Vec, #[serde(skip_serializing_if = "Option::is_none")] pub redirect_uri: Option, diff --git a/crates/forge_infra/src/auth/callback_server.rs b/crates/forge_infra/src/auth/callback_server.rs new file mode 100644 index 0000000000..457c5496f8 --- /dev/null +++ b/crates/forge_infra/src/auth/callback_server.rs @@ -0,0 +1,209 @@ +use std::net::TcpListener; +use std::sync::{Arc, Mutex}; + +use tokio::sync::oneshot; + +/// Start a temporary local HTTP server to receive OAuth callback +/// Binds to the specified port (default: 3000 for localhost) +/// Returns receiver for the authorization code +pub fn start_callback_server(port: u16) -> anyhow::Result> { + // Try to bind to the specified port with SO_REUSEADDR for immediate port reuse + let listener = TcpListener::bind(format!("127.0.0.1:{port}")) + .map_err(|e| anyhow::anyhow!("Failed to start callback server on port {port}: {e}"))?; + + // Set SO_REUSEADDR to allow immediate port reuse after server shuts down + listener.set_nonblocking(false)?; + + let (tx, rx) = oneshot::channel(); + let tx = Arc::new(Mutex::new(Some(tx))); + + // Spawn server in background + std::thread::spawn(move || { + tracing::debug!("OAuth callback server started on port {port}"); + if let Err(e) = run_server(listener, tx) { + tracing::error!("OAuth callback server error: {e}"); + } + tracing::debug!("OAuth callback server shut down on port {port}"); + }); + + Ok(rx) +} + +fn run_server( + listener: TcpListener, + tx: Arc>>>, +) -> anyhow::Result<()> { + use std::io::{Read, Write}; + + // Accept exactly one connection + let (mut stream, _) = listener.accept()?; + + // Drop the listener immediately to release the port + drop(listener); + + tracing::debug!("OAuth callback received, processing request"); + + // Read the HTTP request + let mut buffer = [0; 2048]; + let bytes_read = stream.read(&mut buffer)?; + let request = String::from_utf8_lossy(&buffer[..bytes_read]); + + // Extract code from query string + // Example: GET /?code=abc123&state=xyz HTTP/1.1 + let code = request + .lines() + .next() + .and_then(|line| line.split_whitespace().nth(1)) + .and_then(|path| path.split('?').nth(1)) + .and_then(|query| { + query.split('&').find_map(|param| { + let mut parts = param.split('='); + if parts.next() == Some("code") { + parts.next().map(|c| c.to_string()) + } else { + None + } + }) + }); + + // Send success response to browser + let response = if code.is_some() { + "HTTP/1.1 200 OK\r\n\ + Content-Type: text/html\r\n\ + Connection: close\r\n\ + \r\n\ + \ + \ + \ + \ + \ +
\ +

✓ Authentication Successful

\ +

You have successfully authenticated with your provider.

\ +

This window will close in 3 seconds...

\ + \ +

If the window doesn't close automatically, please close it manually and return to the terminal.

\ +
\ + \ + \ + " + } else { + "HTTP/1.1 400 Bad Request\r\n\ + Content-Type: text/html\r\n\ + Connection: close\r\n\ + \r\n\ + \ + \ + \ + \ + \ +
\ +

✗ Authentication Failed

\ +

No authorization code received. Please try again.

\ + \ +
\ + \ + " + }; + + stream.write_all(response.as_bytes())?; + stream.flush()?; + + // Small delay to ensure browser receives complete response before server shuts + // down + std::thread::sleep(std::time::Duration::from_millis(200)); + + // Send code to receiver if available + if let Some(code) = code { + tracing::debug!("Sending authorization code to CLI"); + if let Ok(mut tx_guard) = tx.lock() + && let Some(sender) = tx_guard.take() + { + let _ = sender.send(code); + } + } + + Ok(()) +} + +#[cfg(test)] +mod tests { + use std::io::Write; + use std::net::TcpStream; + + use super::*; + + #[test] + fn test_start_callback_server() { + // Start server on port 0 (OS assigns random port) + let mut rx = start_callback_server(0).expect("Failed to start callback server"); + + // Server should be running and receiver should be waiting + assert!(rx.try_recv().is_err()); // No code yet + } + + #[test] + fn test_callback_server_receives_code() { + // Start server on a random port + let listener = std::net::TcpListener::bind("127.0.0.1:0").unwrap(); + let port = listener.local_addr().unwrap().port(); + drop(listener); // Release the port + + let mut rx = start_callback_server(port).expect("Failed to start callback server"); + + // Give server time to start + std::thread::sleep(std::time::Duration::from_millis(100)); + + // Send a request with an authorization code + let mut stream = TcpStream::connect(format!("127.0.0.1:{}", port)) + .expect("Failed to connect to callback server"); + + let request = "GET /?code=test_auth_code_123&state=xyz HTTP/1.1\r\nHost: localhost\r\n\r\n"; + stream.write_all(request.as_bytes()).unwrap(); + stream.flush().unwrap(); + + // Wait for response + std::thread::sleep(std::time::Duration::from_millis(300)); + + // Verify code was received + let code = rx + .try_recv() + .expect("Should have received authorization code"); + assert_eq!(code, "test_auth_code_123"); + + // Verify port is released - try to bind again + std::thread::sleep(std::time::Duration::from_millis(100)); + let rebind = std::net::TcpListener::bind(format!("127.0.0.1:{}", port)); + assert!( + rebind.is_ok(), + "Port should be released after server shuts down" + ); + } +} diff --git a/crates/forge_infra/src/auth/http/anthropic.rs b/crates/forge_infra/src/auth/http/anthropic.rs index 2b34d23c90..869fbbd3b7 100644 --- a/crates/forge_infra/src/auth/http/anthropic.rs +++ b/crates/forge_infra/src/auth/http/anthropic.rs @@ -34,9 +34,14 @@ impl OAuthHttpProvider for AnthropicHttpProvider { // Anthropic quirk: state = verifier let (challenge, verifier) = PkceCodeChallenge::new_random_sha256(); + let client_id = config + .client_id + .as_ref() + .ok_or_else(|| anyhow::anyhow!("client_id is required for Anthropic OAuth"))?; + let mut url = config.auth_url.clone(); url.query_pairs_mut() - .append_pair("client_id", &config.client_id) + .append_pair("client_id", client_id) .append_pair("response_type", "code") .append_pair("scope", &config.scopes.join(" ")) .append_pair("code_challenge", challenge.as_str()) @@ -78,11 +83,17 @@ impl OAuthHttpProvider for AnthropicHttpProvider { let verifier = verifier .ok_or_else(|| anyhow::anyhow!("PKCE verifier required for Anthropic OAuth"))?; + let client_id = config + .client_id + .as_ref() + .ok_or_else(|| anyhow::anyhow!("client_id is required for Anthropic OAuth"))? + .to_string(); + let request_body = AnthropicTokenRequest { code, state: state.unwrap_or_else(|| verifier.to_string()), grant_type: "authorization_code".to_string(), - client_id: config.client_id.to_string(), + client_id, redirect_uri: config.redirect_uri.clone(), code_verifier: verifier.to_string(), }; @@ -119,7 +130,7 @@ mod tests { fn test_oauth_config() -> OAuthConfig { OAuthConfig { - client_id: "test_client".to_string().into(), + client_id: Some("test_client".to_string().into()), auth_url: Url::parse("https://example.com/auth").unwrap(), token_url: Url::parse("https://example.com/token").unwrap(), scopes: vec!["read".to_string(), "write".to_string()], diff --git a/crates/forge_infra/src/auth/http/mod.rs b/crates/forge_infra/src/auth/http/mod.rs index 75fd44d7f0..81a654ff41 100644 --- a/crates/forge_infra/src/auth/http/mod.rs +++ b/crates/forge_infra/src/auth/http/mod.rs @@ -1,7 +1,9 @@ mod anthropic; mod github; +mod openrouter; mod standard; pub(crate) use anthropic::AnthropicHttpProvider; pub(crate) use github::GithubHttpProvider; +pub(crate) use openrouter::OpenRouterHttpProvider; pub(crate) use standard::StandardHttpProvider; diff --git a/crates/forge_infra/src/auth/http/openrouter.rs b/crates/forge_infra/src/auth/http/openrouter.rs new file mode 100644 index 0000000000..fdd0531b5e --- /dev/null +++ b/crates/forge_infra/src/auth/http/openrouter.rs @@ -0,0 +1,153 @@ +use forge_app::OAuthHttpProvider; +use forge_domain::{AuthCodeParams, OAuthConfig, OAuthTokenResponse}; +use oauth2::PkceCodeChallenge; +use serde::{Deserialize, Serialize}; + +use crate::auth::util::build_http_client; + +/// OpenRouter Provider - Simplified PKCE flow without client_id +/// OpenRouter uses a unique flow where no OAuth client registration is needed +pub struct OpenRouterHttpProvider; + +#[derive(Debug, Serialize)] +struct OpenRouterTokenRequest { + code: String, + #[serde(skip_serializing_if = "Option::is_none")] + code_verifier: Option, + #[serde(skip_serializing_if = "Option::is_none")] + code_challenge_method: Option, +} + +#[derive(Debug, Deserialize)] +struct OpenRouterTokenResponse { + key: String, +} + +#[async_trait::async_trait] +impl OAuthHttpProvider for OpenRouterHttpProvider { + async fn build_auth_url(&self, config: &OAuthConfig) -> anyhow::Result { + // OpenRouter PKCE flow - no client_id needed + let (challenge, verifier) = PkceCodeChallenge::new_random_sha256(); + + // OpenRouter requires callback_url + let callback_url = config.redirect_uri.as_ref().ok_or_else(|| { + anyhow::anyhow!("redirect_uri is required for OpenRouter OAuth (used as callback_url)") + })?; + + let mut url = config.auth_url.clone(); + + // Add callback_url (redirect_uri in OpenRouter's terms) + url.query_pairs_mut() + .append_pair("callback_url", callback_url); + + // Add PKCE parameters + url.query_pairs_mut() + .append_pair("code_challenge", challenge.as_str()) + .append_pair("code_challenge_method", "S256"); + + // Add any extra auth params + if let Some(extra_params) = &config.extra_auth_params { + for (key, value) in extra_params { + url.query_pairs_mut().append_pair(key, value); + } + } + + // Use a random state for CSRF protection + let state = oauth2::CsrfToken::new_random().secret().to_string(); + + Ok(AuthCodeParams { + auth_url: url.to_string(), + state, + code_verifier: Some(verifier.secret().to_string()), + }) + } + + async fn exchange_code( + &self, + config: &OAuthConfig, + code: &str, + verifier: Option<&str>, + ) -> anyhow::Result { + let verifier = verifier + .ok_or_else(|| anyhow::anyhow!("PKCE verifier required for OpenRouter OAuth"))?; + + let request_body = OpenRouterTokenRequest { + code: code.to_string(), + code_verifier: Some(verifier.to_string()), + code_challenge_method: Some("S256".to_string()), + }; + + let client = self.build_http_client(config)?; + let response = client + .post(config.token_url.as_str()) + .header("Content-Type", "application/json") + .json(&request_body) + .send() + .await?; + + if !response.status().is_success() { + let status = response.status(); + let error_text = response.text().await.unwrap_or_default(); + anyhow::bail!("OpenRouter token exchange failed with status {status}: {error_text}"); + } + + let token_response: OpenRouterTokenResponse = response.json().await?; + + // OpenRouter returns an API key directly, not OAuth tokens + // API keys from OpenRouter don't have expiration, so expires_at is None + Ok(OAuthTokenResponse { + access_token: token_response.key, + refresh_token: None, + expires_in: None, + expires_at: None, // OpenRouter API keys don't expire + token_type: "Bearer".to_string(), + scope: None, + }) + } + + /// Create HTTP client with provider-specific headers/behavior + fn build_http_client(&self, config: &OAuthConfig) -> anyhow::Result { + build_http_client(config.custom_headers.as_ref()) + } +} + +#[cfg(test)] +mod tests { + use forge_domain::OAuthConfig; + use url::Url; + + use super::*; + + fn test_oauth_config() -> OAuthConfig { + OAuthConfig { + client_id: None, // OpenRouter doesn't need client_id + auth_url: Url::parse("https://openrouter.ai/auth").unwrap(), + token_url: Url::parse("https://openrouter.ai/api/v1/auth/keys").unwrap(), + scopes: vec![], + redirect_uri: Some("http://localhost:3000/callback".to_string()), + use_pkce: true, + token_refresh_url: None, + extra_auth_params: None, + custom_headers: None, + } + } + + #[tokio::test] + async fn test_openrouter_provider_build_auth_url() { + let provider = OpenRouterHttpProvider; + let config = test_oauth_config(); + + let result = provider.build_auth_url(&config).await.unwrap(); + + assert!( + result + .auth_url + .contains("callback_url=http%3A%2F%2Flocalhost%3A3000%2Fcallback") + ); + assert!(result.auth_url.contains("code_challenge_method=S256")); + assert!(result.auth_url.contains("code_challenge=")); + assert!(result.code_verifier.is_some()); + // OpenRouter doesn't include client_id in URL + assert!(!result.auth_url.contains("client_id")); + } +} diff --git a/crates/forge_infra/src/auth/http/standard.rs b/crates/forge_infra/src/auth/http/standard.rs index 8df1acd14e..304384bd0e 100644 --- a/crates/forge_infra/src/auth/http/standard.rs +++ b/crates/forge_infra/src/auth/http/standard.rs @@ -15,10 +15,15 @@ impl OAuthHttpProvider for StandardHttpProvider { // Use oauth2 library - standard flow use oauth2::{AuthUrl, ClientId, TokenUrl}; - let mut client = - oauth2::basic::BasicClient::new(ClientId::new(config.client_id.to_string())) - .set_auth_uri(AuthUrl::new(config.auth_url.to_string())?) - .set_token_uri(TokenUrl::new(config.token_url.to_string())?); + let client_id = config + .client_id + .as_ref() + .ok_or_else(|| anyhow::anyhow!("client_id is required for OAuth code flow"))? + .to_string(); + + let mut client = oauth2::basic::BasicClient::new(ClientId::new(client_id)) + .set_auth_uri(AuthUrl::new(config.auth_url.to_string())?) + .set_token_uri(TokenUrl::new(config.token_url.to_string())?); if let Some(redirect_uri) = &config.redirect_uri { client = client.set_redirect_uri(oauth2::RedirectUrl::new(redirect_uri.clone())?); @@ -60,10 +65,15 @@ impl OAuthHttpProvider for StandardHttpProvider { ) -> anyhow::Result { use oauth2::{AuthUrl, ClientId, TokenUrl}; - let mut client = - oauth2::basic::BasicClient::new(ClientId::new(config.client_id.to_string())) - .set_auth_uri(AuthUrl::new(config.auth_url.to_string())?) - .set_token_uri(TokenUrl::new(config.token_url.to_string())?); + let client_id = config + .client_id + .as_ref() + .ok_or_else(|| anyhow::anyhow!("client_id is required for OAuth code flow"))? + .to_string(); + + let mut client = oauth2::basic::BasicClient::new(ClientId::new(client_id)) + .set_auth_uri(AuthUrl::new(config.auth_url.to_string())?) + .set_token_uri(TokenUrl::new(config.token_url.to_string())?); if let Some(redirect_uri) = &config.redirect_uri { client = client.set_redirect_uri(oauth2::RedirectUrl::new(redirect_uri.clone())?); @@ -96,7 +106,7 @@ mod tests { fn test_oauth_config() -> OAuthConfig { OAuthConfig { - client_id: "test_client".to_string().into(), + client_id: Some("test_client".to_string().into()), auth_url: Url::parse("https://example.com/auth").unwrap(), token_url: Url::parse("https://example.com/token").unwrap(), scopes: vec!["read".to_string(), "write".to_string()], diff --git a/crates/forge_infra/src/auth/mod.rs b/crates/forge_infra/src/auth/mod.rs index e5c1a4f2d5..d42803e516 100644 --- a/crates/forge_infra/src/auth/mod.rs +++ b/crates/forge_infra/src/auth/mod.rs @@ -1,6 +1,8 @@ +mod callback_server; mod error; mod http; mod strategy; mod util; +pub use callback_server::*; pub use strategy::*; diff --git a/crates/forge_infra/src/auth/strategy.rs b/crates/forge_infra/src/auth/strategy.rs index 7b7f8a744f..0c6ccc3a9a 100644 --- a/crates/forge_infra/src/auth/strategy.rs +++ b/crates/forge_infra/src/auth/strategy.rs @@ -1,5 +1,6 @@ use std::time::Duration; +use chrono::Utc; use forge_app::{AuthStrategy, OAuthHttpProvider, StrategyFactory}; use forge_domain::{ ApiKey, ApiKeyRequest, AuthContextRequest, AuthContextResponse, AuthCredential, CodeRequest, @@ -11,7 +12,9 @@ use reqwest::header::{HeaderMap, HeaderValue}; use url::Url; use crate::auth::error::Error as AuthError; -use crate::auth::http::{AnthropicHttpProvider, GithubHttpProvider, StandardHttpProvider}; +use crate::auth::http::{ + AnthropicHttpProvider, GithubHttpProvider, OpenRouterHttpProvider, StandardHttpProvider, +}; use crate::auth::util::*; /// API Key Strategy - Simple static key authentication @@ -110,7 +113,7 @@ impl AuthStrategy for OAuthCodeStrategy { self.provider_id.clone(), token_response, &self.config, - chrono::Duration::hours(1), // Code flow default + None, // No fallback - respect provider response ) } _ => Err(AuthError::InvalidContext("Expected Code context".to_string()).into()), @@ -121,7 +124,7 @@ impl AuthStrategy for OAuthCodeStrategy { refresh_oauth_credential( credential, &self.config, - chrono::Duration::hours(1), + None, // No fallback - respect provider response false, // No API key exchange ) .await @@ -144,7 +147,18 @@ impl OAuthDeviceStrategy { impl AuthStrategy for OAuthDeviceStrategy { async fn init(&self) -> anyhow::Result { // Build oauth2 client - let client = BasicClient::new(ClientId::new(self.config.client_id.to_string())) + let client_id = self + .config + .client_id + .as_ref() + .ok_or_else(|| { + AuthError::InitiationFailed( + "client_id is required for device code flow".to_string(), + ) + })? + .to_string(); + + let client = BasicClient::new(ClientId::new(client_id)) .set_device_authorization_url( DeviceAuthorizationUrl::new(self.config.auth_url.to_string()) .map_err(|e| AuthError::InitiationFailed(format!("Invalid auth_url: {e}")))?, @@ -208,7 +222,7 @@ impl AuthStrategy for OAuthDeviceStrategy { self.provider_id.clone(), token_response, &self.config, - chrono::Duration::days(365), // Device flow default + None, // No fallback - respect provider response ) } _ => Err(AuthError::InvalidContext("Expected DeviceCode context".to_string()).into()), @@ -219,7 +233,7 @@ impl AuthStrategy for OAuthDeviceStrategy { refresh_oauth_credential( credential, &self.config, - chrono::Duration::days(30), + None, // No fallback - respect provider response false, // No API key exchange ) .await @@ -248,7 +262,18 @@ impl OAuthWithApiKeyStrategy { impl AuthStrategy for OAuthWithApiKeyStrategy { async fn init(&self) -> anyhow::Result { // Same as OAuth Device init - let client = BasicClient::new(ClientId::new(self.oauth_config.client_id.to_string())) + let client_id = self + .oauth_config + .client_id + .as_ref() + .ok_or_else(|| { + AuthError::InitiationFailed( + "client_id is required for OAuth with API key flow".to_string(), + ) + })? + .to_string(); + + let client = BasicClient::new(ClientId::new(client_id)) .set_device_authorization_url( DeviceAuthorizationUrl::new(self.oauth_config.auth_url.to_string()) .map_err(|e| AuthError::InitiationFailed(format!("Invalid auth_url: {e}")))?, @@ -336,8 +361,8 @@ impl AuthStrategy for OAuthWithApiKeyStrategy { refresh_oauth_credential( credential, &self.oauth_config, - chrono::Duration::hours(1), // Unused for API key flow - true, // WITH API key exchange + None, // No fallback - respect provider response + true, // WITH API key exchange ) .await } @@ -347,7 +372,7 @@ impl AuthStrategy for OAuthWithApiKeyStrategy { async fn refresh_oauth_credential( credential: &AuthCredential, config: &OAuthConfig, - expiry_duration: chrono::Duration, + expiry_duration: Option, with_api_key_exchange: bool, ) -> anyhow::Result { // Extract tokens (works for OAuth and OAuthWithApiKey) @@ -381,7 +406,8 @@ async fn refresh_oauth_credential( let (key, expiry) = exchange_oauth_for_api_key(&oauth_access_token, url, config).await?; (Some(key), expiry) } else { - let expiry = calculate_token_expiry(None, expiry_duration); + // No API key exchange - use expiry from token response or default + let expiry = expiry_duration.map(|duration| Utc::now() + duration); (None, expiry) }; @@ -430,13 +456,21 @@ async fn poll_for_tokens( } // Build token request + let client_id = config + .client_id + .as_ref() + .ok_or_else(|| { + AuthError::PollFailed("client_id is required for device code flow".to_string()) + })? + .to_string(); + let params = vec![ ( "grant_type".to_string(), "urn:ietf:params:oauth:grant-type:device_code".to_string(), ), ("device_code".to_string(), device_code.to_string()), - ("client_id".to_string(), config.client_id.to_string()), + ("client_id".to_string(), client_id), ]; let body = serde_urlencoded::to_string(¶ms) @@ -530,7 +564,7 @@ async fn exchange_oauth_for_api_key( oauth_token: &str, api_key_exchange_url: &Url, config: &OAuthConfig, -) -> anyhow::Result<(ApiKey, chrono::DateTime)> { +) -> anyhow::Result<(ApiKey, Option>)> { // Build request headers let mut headers = reqwest::header::HeaderMap::new(); headers.insert( @@ -576,8 +610,8 @@ async fn exchange_oauth_for_api_key( Ok(( access_token.into(), - chrono::DateTime::from_timestamp(expires_at.unwrap_or(0), 0) - .unwrap_or_else(chrono::Utc::now), + expires_at + .map(|ts| chrono::DateTime::from_timestamp(ts, 0).unwrap_or_else(chrono::Utc::now)), )) } @@ -588,6 +622,7 @@ pub enum AnyAuthStrategy { OAuthCodeStandard(OAuthCodeStrategy), OAuthCodeAnthropic(OAuthCodeStrategy), OAuthCodeGithub(OAuthCodeStrategy), + OAuthCodeOpenRouter(OAuthCodeStrategy), OAuthDevice(OAuthDeviceStrategy), OAuthWithApiKey(OAuthWithApiKeyStrategy), } @@ -600,6 +635,7 @@ impl AuthStrategy for AnyAuthStrategy { Self::OAuthCodeStandard(s) => s.init().await, Self::OAuthCodeAnthropic(s) => s.init().await, Self::OAuthCodeGithub(s) => s.init().await, + Self::OAuthCodeOpenRouter(s) => s.init().await, Self::OAuthDevice(s) => s.init().await, Self::OAuthWithApiKey(s) => s.init().await, } @@ -614,6 +650,7 @@ impl AuthStrategy for AnyAuthStrategy { Self::OAuthCodeStandard(s) => s.complete(context_response).await, Self::OAuthCodeAnthropic(s) => s.complete(context_response).await, Self::OAuthCodeGithub(s) => s.complete(context_response).await, + Self::OAuthCodeOpenRouter(s) => s.complete(context_response).await, Self::OAuthDevice(s) => s.complete(context_response).await, Self::OAuthWithApiKey(s) => s.complete(context_response).await, } @@ -625,6 +662,7 @@ impl AuthStrategy for AnyAuthStrategy { Self::OAuthCodeStandard(s) => s.refresh(credential).await, Self::OAuthCodeAnthropic(s) => s.refresh(credential).await, Self::OAuthCodeGithub(s) => s.refresh(credential).await, + Self::OAuthCodeOpenRouter(s) => s.refresh(credential).await, Self::OAuthDevice(s) => s.refresh(credential).await, Self::OAuthWithApiKey(s) => s.refresh(credential).await, } @@ -677,6 +715,12 @@ impl StrategyFactory for ForgeAuthStrategyFactory { ))); } + if provider_id == ProviderId::OPEN_ROUTER { + return Ok(AnyAuthStrategy::OAuthCodeOpenRouter( + OAuthCodeStrategy::new(OpenRouterHttpProvider, provider_id, config), + )); + } + Ok(AnyAuthStrategy::OAuthCodeStandard(OAuthCodeStrategy::new( StandardHttpProvider, provider_id, @@ -718,7 +762,7 @@ mod tests { #[test] fn test_create_auth_strategy_oauth_code() { let config = OAuthConfig { - client_id: "test".to_string().into(), + client_id: Some("test".to_string().into()), auth_url: Url::parse("https://example.com/auth").unwrap(), token_url: Url::parse("https://example.com/token").unwrap(), scopes: vec![], @@ -741,7 +785,7 @@ mod tests { #[test] fn test_create_auth_strategy_oauth_device() { let config = OAuthConfig { - client_id: "test".to_string().into(), + client_id: Some("test".to_string().into()), auth_url: Url::parse("https://example.com/auth").unwrap(), token_url: Url::parse("https://example.com/token").unwrap(), scopes: vec![], @@ -764,7 +808,7 @@ mod tests { #[test] fn test_create_auth_strategy_oauth_with_api_key() { let config = OAuthConfig { - client_id: "test".to_string().into(), + client_id: Some("test".to_string().into()), auth_url: Url::parse("https://example.com/auth").unwrap(), token_url: Url::parse("https://example.com/token").unwrap(), scopes: vec![], diff --git a/crates/forge_infra/src/auth/util.rs b/crates/forge_infra/src/auth/util.rs index de652e0f67..8ae82bf918 100644 --- a/crates/forge_infra/src/auth/util.rs +++ b/crates/forge_infra/src/auth/util.rs @@ -9,25 +9,23 @@ use oauth2::{ClientId, RefreshToken, TokenUrl}; use crate::auth::error::Error; -/// Calculate token expiry with fallback duration -pub(crate) fn calculate_token_expiry( - expires_in: Option, - fallback: chrono::Duration, -) -> chrono::DateTime { - if let Some(seconds) = expires_in { - Utc::now() + chrono::Duration::seconds(seconds as i64) - } else { - Utc::now() + fallback - } +/// Calculate expires_at as Unix timestamp from expires_in seconds +/// Returns None if expires_in is None +pub(crate) fn calculate_expires_at(expires_in: Option) -> Option { + expires_in.map(|seconds| { + let expires_at = Utc::now() + chrono::Duration::seconds(seconds as i64); + expires_at.timestamp() + }) } /// Convert oauth2 TokenResponse into domain OAuthTokenResponse pub(crate) fn into_domain(token: T) -> OAuthTokenResponse { + let expires_in = token.expires_in().map(|d| d.as_secs()); OAuthTokenResponse { access_token: token.access_token().secret().to_string(), refresh_token: token.refresh_token().map(|t| t.secret().to_string()), - expires_in: token.expires_in().map(|d| d.as_secs()), - expires_at: None, + expires_in, + expires_at: calculate_expires_at(expires_in), token_type: "Bearer".to_string(), scope: token.scopes().map(|scopes| { scopes @@ -65,14 +63,25 @@ pub(crate) fn build_http_client( Ok(builder.build()?) } -/// Build OAuth credential with consistent expiry handling +/// Build OAuth credential with expiry from provider response only +/// Priority: expires_in > expires_at > None (no expiration) +/// No fallback is applied - we respect what the provider returns pub(crate) fn build_oauth_credential( provider_id: ProviderId, token_response: OAuthTokenResponse, config: &OAuthConfig, - default_expiry: chrono::Duration, + _default_expiry: Option, // Unused, kept for API compatibility ) -> anyhow::Result { - let expires_at = calculate_token_expiry(token_response.expires_in, default_expiry); + let expires_at = if let Some(seconds) = token_response.expires_in { + // Provider returned expires_in - calculate from now + Some(Utc::now() + chrono::Duration::seconds(seconds as i64)) + } else if let Some(timestamp) = token_response.expires_at { + // Provider returned expires_at timestamp - use it directly + chrono::DateTime::from_timestamp(timestamp, 0) + } else { + // Provider didn't return expiration - token doesn't expire + None + }; let oauth_tokens = OAuthTokens::new( token_response.access_token, token_response.refresh_token, @@ -118,7 +127,13 @@ pub(crate) async fn refresh_access_token( refresh_token: &str, ) -> anyhow::Result { // Build minimal oauth2 client (just need token endpoint) - let client = BasicClient::new(ClientId::new(config.client_id.to_string())) + let client_id = config + .client_id + .as_ref() + .ok_or_else(|| anyhow::anyhow!("client_id is required for token refresh"))? + .to_string(); + + let client = BasicClient::new(ClientId::new(client_id)) .set_token_uri(TokenUrl::new(config.token_url.to_string())?); // Build HTTP client with custom headers @@ -238,30 +253,8 @@ pub(crate) fn parse_token_response( #[cfg(test)] mod tests { - use chrono::Duration; - use super::*; - #[test] - fn test_calculate_token_expiry_with_expires_in() { - let before = Utc::now(); - let expires_at = calculate_token_expiry(Some(3600), Duration::hours(1)); - let after = Utc::now() + Duration::hours(1); - - assert!(expires_at >= before); - assert!(expires_at <= after); - } - - #[test] - fn test_calculate_token_expiry_with_fallback() { - let before = Utc::now(); - let expires_at = calculate_token_expiry(None, Duration::days(365)); - let after = Utc::now() + Duration::days(365); - - assert!(expires_at >= before); - assert!(expires_at <= after); - } - #[test] fn test_build_token_response() { let response = build_token_response( diff --git a/crates/forge_infra/src/lib.rs b/crates/forge_infra/src/lib.rs index 047a0844f3..dfa6ad6b79 100644 --- a/crates/forge_infra/src/lib.rs +++ b/crates/forge_infra/src/lib.rs @@ -18,6 +18,7 @@ mod mcp_client; mod mcp_server; mod walker; +pub use auth::start_callback_server; pub use executor::ForgeCommandExecutorService; pub use forge_infra::*; pub use kv_storage::CacacheStorage; diff --git a/crates/forge_main/src/ui.rs b/crates/forge_main/src/ui.rs index 2e2910f252..3db6873c93 100644 --- a/crates/forge_main/src/ui.rs +++ b/crates/forge_main/src/ui.rs @@ -1956,15 +1956,109 @@ impl A + Send + Sync> UI { format!("Authenticate using your {provider_id} account").dimmed() ))?; + // Check if we should try to start a local callback server + let use_local_server = request + .oauth_config + .redirect_uri + .as_ref() + .map(|uri| uri.starts_with("http://localhost") || uri.starts_with("http://127.0.0.1")) + .unwrap_or(false); + + let code = if use_local_server { + // Try to start local server for automatic callback on port 3000 + match forge_api::start_callback_server(3000) { + Ok(rx) => { + self.writeln(format!( + "{} Opening browser for authentication...", + "→".blue() + ))?; + self.writeln(format!( + "{} Callback server started on {}", + "✓".green(), + "http://localhost:3000".blue() + ))?; + + // Open browser with the original URL (already has localhost:3000) + if let Err(e) = open::that(request.authorization_url.as_str()) { + self.writeln_title(TitleFormat::error(format!( + "Failed to open browser: {e}" + )))?; + self.writeln(format!( + "Please visit: {}", + request.authorization_url.as_str().blue().underline() + ))?; + } + + self.spinner.start(Some("Waiting for authorization..."))?; + + // Wait for callback with timeout + let code = tokio::time::timeout( + std::time::Duration::from_secs(300), // 5 minute timeout + rx, + ) + .await + .map_err(|_| { + anyhow::anyhow!( + "Authorization timeout - no response received after 5 minutes" + ) + })? + .map_err(|_| anyhow::anyhow!("Failed to receive authorization code"))?; + + self.spinner.stop(None)?; + self.writeln(format!( + "{} Authorization code received!", + "✓".green().bold() + ))?; + + code + } + Err(e) => { + // Fallback to manual entry if server fails (e.g., port 3000 in use) + tracing::warn!("Failed to start callback server: {e}"); + self.writeln(format!( + "{} Could not start local server (port 3000 may be in use)", + "⚠".yellow() + ))?; + self.writeln(format!("{} Falling back to manual code entry", "→".blue()))?; + self.manual_code_entry(&request.authorization_url)? + } + } + } else { + // Manual code entry for non-localhost redirects + self.manual_code_entry(&request.authorization_url)? + }; + + self.spinner + .start(Some("Exchanging authorization code..."))?; + + let response = AuthContextResponse::code(request.clone(), &code); + + self.api + .complete_provider_auth( + provider_id, + response, + Duration::from_secs(0), // No timeout needed since we have the data + ) + .await?; + + self.spinner.stop(None)?; + + Ok(()) + } + + /// Helper method for manual code entry + fn manual_code_entry(&mut self, authorization_url: &url::Url) -> anyhow::Result { + use colored::Colorize; + // Display authorization URL self.writeln(format!( "{} Please visit: {}", "→".blue(), - request.authorization_url.as_str().blue().underline() + authorization_url.as_str().blue().underline() ))?; // Try to open browser automatically - if let Err(e) = open::that(request.authorization_url.as_str()) { + if let Err(e) = open::that(authorization_url.as_str()) { self.writeln_title(TitleFormat::error(format!( "Failed to open browser automatically: {e}" )))?; @@ -1979,22 +2073,7 @@ impl A + Send + Sync> UI { anyhow::bail!("Authorization code cannot be empty"); } - self.spinner - .start(Some("Exchanging authorization code..."))?; - - let response = AuthContextResponse::code(request.clone(), &code); - - self.api - .complete_provider_auth( - provider_id, - response, - Duration::from_secs(0), // No timeout needed since we have the data - ) - .await?; - - self.spinner.stop(None)?; - - Ok(()) + Ok(code) } /// Helper method to select an authentication method when multiple are diff --git a/crates/forge_repo/src/provider.json b/crates/forge_repo/src/provider.json index 751371ae16..22f5bc3411 100644 --- a/crates/forge_repo/src/provider.json +++ b/crates/forge_repo/src/provider.json @@ -50,7 +50,21 @@ "response_type": "OpenAI", "url": "https://openrouter.ai/api/v1/chat/completions", "models": "https://openrouter.ai/api/v1/models", - "auth_methods": ["api_key"] + "auth_methods": [ + "api_key", + { + "oauth_code": { + "auth_url": "https://openrouter.ai/auth", + "token_url": "https://openrouter.ai/api/v1/auth/keys", + "redirect_uri": "http://localhost:3000", + "use_pkce": true, + "custom_headers": { + "HTTP-Referer": "https://forgecode.dev", + "X-Title": "forge" + } + } + } + ] }, { "id": "requesty", From 75e1e8842bded1f2fee98dbb7e81309bfbf80dab Mon Sep 17 00:00:00 2001 From: Amit Singh Date: Tue, 23 Dec 2025 13:22:21 +0530 Subject: [PATCH 2/4] refactor(auth): improve OAuth callback UI and spawning --- .../forge_infra/src/auth/callback_server.rs | 396 +++++++++++++++--- crates/forge_main/src/ui.rs | 17 +- 2 files changed, 337 insertions(+), 76 deletions(-) diff --git a/crates/forge_infra/src/auth/callback_server.rs b/crates/forge_infra/src/auth/callback_server.rs index 457c5496f8..5e1ec091b5 100644 --- a/crates/forge_infra/src/auth/callback_server.rs +++ b/crates/forge_infra/src/auth/callback_server.rs @@ -2,6 +2,7 @@ use std::net::TcpListener; use std::sync::{Arc, Mutex}; use tokio::sync::oneshot; +use tokio::task::spawn_blocking; /// Start a temporary local HTTP server to receive OAuth callback /// Binds to the specified port (default: 3000 for localhost) @@ -17,8 +18,8 @@ pub fn start_callback_server(port: u16) -> anyhow::Result\ - \ - \ - \ - \ -
\ -

✓ Authentication Successful

\ -

You have successfully authenticated with your provider.

\ -

This window will close in 3 seconds...

\ - \ -

If the window doesn't close automatically, please close it manually and return to the terminal.

\ -
\ - \ - \ - " + r#"HTTP/1.1 200 OK +Content-Type: text/html +Connection: close + + + + + + + Authentication Successful + + + +
+
+ + + +
+

Authentication Successful

+

You have successfully authenticated with your provider.

+ +
+
What's Next?
+
+
+ 1 + Return to your terminal window +
+
+ 2 + Your authentication is now complete +
+
+ 3 + You can close this browser tab +
+
+
+ +
+

You can safely close this tab and return to your terminal.

+
+ +"# } else { - "HTTP/1.1 400 Bad Request\r\n\ - Content-Type: text/html\r\n\ - Connection: close\r\n\ - \r\n\ - \ - \ - \ - \ - \ -
\ -

✗ Authentication Failed

\ -

No authorization code received. Please try again.

\ - \ -
\ - \ - " + r#"HTTP/1.1 400 Bad Request +Content-Type: text/html +Connection: close + + + + + + + Authentication Failed + + + +
+
+ + + +
+

Authentication Failed

+

No authorization code received. Please try again.

+ +
+
What Happened?
+
+ The authentication process did not complete successfully. This could be due to a timeout or an interrupted connection. +
+
+ +
+

Please close this tab and restart the authentication process from your terminal.

+
+ +"# }; stream.write_all(response.as_bytes())?; diff --git a/crates/forge_main/src/ui.rs b/crates/forge_main/src/ui.rs index 3db6873c93..ef149e52f8 100644 --- a/crates/forge_main/src/ui.rs +++ b/crates/forge_main/src/ui.rs @@ -1968,25 +1968,18 @@ impl A + Send + Sync> UI { // Try to start local server for automatic callback on port 3000 match forge_api::start_callback_server(3000) { Ok(rx) => { + // Display the authorization URL (same format as manual flow) self.writeln(format!( - "{} Opening browser for authentication...", - "→".blue() - ))?; - self.writeln(format!( - "{} Callback server started on {}", - "✓".green(), - "http://localhost:3000".blue() + "{} Please visit: {}", + "→".blue(), + request.authorization_url.as_str().blue().underline() ))?; - // Open browser with the original URL (already has localhost:3000) + // Open browser automatically if let Err(e) = open::that(request.authorization_url.as_str()) { self.writeln_title(TitleFormat::error(format!( "Failed to open browser: {e}" )))?; - self.writeln(format!( - "Please visit: {}", - request.authorization_url.as_str().blue().underline() - ))?; } self.spinner.start(Some("Waiting for authorization..."))?; From da517bf548ab7170f44da642bef1a9512b57cbcb Mon Sep 17 00:00:00 2001 From: Amit Singh Date: Tue, 23 Dec 2025 13:48:26 +0530 Subject: [PATCH 3/4] test(auth): remove callback server tests --- .../forge_infra/src/auth/callback_server.rs | 56 ------------------- 1 file changed, 56 deletions(-) diff --git a/crates/forge_infra/src/auth/callback_server.rs b/crates/forge_infra/src/auth/callback_server.rs index 5e1ec091b5..9812581955 100644 --- a/crates/forge_infra/src/auth/callback_server.rs +++ b/crates/forge_infra/src/auth/callback_server.rs @@ -1,6 +1,5 @@ use std::net::TcpListener; use std::sync::{Arc, Mutex}; - use tokio::sync::oneshot; use tokio::task::spawn_blocking; @@ -420,58 +419,3 @@ Connection: close Ok(()) } - -#[cfg(test)] -mod tests { - use std::io::Write; - use std::net::TcpStream; - - use super::*; - - #[test] - fn test_start_callback_server() { - // Start server on port 0 (OS assigns random port) - let mut rx = start_callback_server(0).expect("Failed to start callback server"); - - // Server should be running and receiver should be waiting - assert!(rx.try_recv().is_err()); // No code yet - } - - #[test] - fn test_callback_server_receives_code() { - // Start server on a random port - let listener = std::net::TcpListener::bind("127.0.0.1:0").unwrap(); - let port = listener.local_addr().unwrap().port(); - drop(listener); // Release the port - - let mut rx = start_callback_server(port).expect("Failed to start callback server"); - - // Give server time to start - std::thread::sleep(std::time::Duration::from_millis(100)); - - // Send a request with an authorization code - let mut stream = TcpStream::connect(format!("127.0.0.1:{}", port)) - .expect("Failed to connect to callback server"); - - let request = "GET /?code=test_auth_code_123&state=xyz HTTP/1.1\r\nHost: localhost\r\n\r\n"; - stream.write_all(request.as_bytes()).unwrap(); - stream.flush().unwrap(); - - // Wait for response - std::thread::sleep(std::time::Duration::from_millis(300)); - - // Verify code was received - let code = rx - .try_recv() - .expect("Should have received authorization code"); - assert_eq!(code, "test_auth_code_123"); - - // Verify port is released - try to bind again - std::thread::sleep(std::time::Duration::from_millis(100)); - let rebind = std::net::TcpListener::bind(format!("127.0.0.1:{}", port)); - assert!( - rebind.is_ok(), - "Port should be released after server shuts down" - ); - } -} From f5db97b39ff54c40c57728bdfbcdbbcb9cc02155 Mon Sep 17 00:00:00 2001 From: "autofix-ci[bot]" <114827586+autofix-ci[bot]@users.noreply.github.com> Date: Tue, 23 Dec 2025 08:20:14 +0000 Subject: [PATCH 4/4] [autofix.ci] apply automated fixes --- crates/forge_infra/src/auth/callback_server.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/crates/forge_infra/src/auth/callback_server.rs b/crates/forge_infra/src/auth/callback_server.rs index 9812581955..d1030ae91d 100644 --- a/crates/forge_infra/src/auth/callback_server.rs +++ b/crates/forge_infra/src/auth/callback_server.rs @@ -1,5 +1,6 @@ use std::net::TcpListener; use std::sync::{Arc, Mutex}; + use tokio::sync::oneshot; use tokio::task::spawn_blocking;