import { resolveOAuthPath } from "../../config/paths.js"; import { coerceSecretRef } from "../../config/types.secrets.js"; import { loadJsonFile } from "../../infra/json-file.js"; import { AUTH_STORE_VERSION, log } from "./constants.js"; import { resolveAuthStorePath, resolveLegacyAuthStorePath } from "./paths.js"; import { coerceAuthProfileState, loadPersistedAuthProfileState, mergeAuthProfileState, } from "./state.js"; import type { AuthProfileCredential, AuthProfileSecretsStore, AuthProfileStore, OAuthCredentials, } from "./types.js"; export type LegacyAuthStore = Record; type CredentialRejectReason = "non_object" | "invalid_type" | "missing_provider"; type RejectedCredentialEntry = { key: string; reason: CredentialRejectReason }; const AUTH_PROFILE_TYPES = new Set(["api_key", "oauth", "token"]); function normalizeSecretBackedField(params: { entry: Record; valueField: "key" | "token"; refField: "keyRef" | "tokenRef"; }): void { const value = params.entry[params.valueField]; if (value == null || typeof value === "string") { return; } const ref = coerceSecretRef(value); if (ref && !coerceSecretRef(params.entry[params.refField])) { params.entry[params.refField] = ref; } delete params.entry[params.valueField]; } function normalizeRawCredentialEntry(raw: Record): Partial { const entry = { ...raw } as Record; if (!("type" in entry) && typeof entry["mode"] === "string") { entry["type"] = entry["mode"]; } if (!("key" in entry) && typeof entry["apiKey"] === "string") { entry["key"] = entry["apiKey"]; } normalizeSecretBackedField({ entry, valueField: "key", refField: "keyRef" }); normalizeSecretBackedField({ entry, valueField: "token", refField: "tokenRef" }); return entry as Partial; } function parseCredentialEntry( raw: unknown, fallbackProvider?: string, ): { ok: true; credential: AuthProfileCredential } | { ok: false; reason: CredentialRejectReason } { if (!raw || typeof raw !== "object") { return { ok: false, reason: "non_object" }; } const typed = normalizeRawCredentialEntry(raw as Record); if (!AUTH_PROFILE_TYPES.has(typed.type as AuthProfileCredential["type"])) { return { ok: false, reason: "invalid_type" }; } const provider = typed.provider ?? fallbackProvider; if (typeof provider !== "string" || provider.trim().length === 0) { return { ok: false, reason: "missing_provider" }; } return { ok: true, credential: { ...typed, provider, } as AuthProfileCredential, }; } function warnRejectedCredentialEntries(source: string, rejected: RejectedCredentialEntry[]): void { if (rejected.length === 0) { return; } const reasons = rejected.reduce( (acc, current) => { acc[current.reason] = (acc[current.reason] ?? 0) + 1; return acc; }, {} as Partial>, ); log.warn("ignored invalid auth profile entries during store load", { source, dropped: rejected.length, reasons, keys: rejected.slice(0, 10).map((entry) => entry.key), }); } export function coerceLegacyAuthStore(raw: unknown): LegacyAuthStore | null { if (!raw || typeof raw !== "object") { return null; } const record = raw as Record; if ("profiles" in record) { return null; } const entries: LegacyAuthStore = {}; const rejected: RejectedCredentialEntry[] = []; for (const [key, value] of Object.entries(record)) { const parsed = parseCredentialEntry(value, key); if (!parsed.ok) { rejected.push({ key, reason: parsed.reason }); continue; } entries[key] = parsed.credential; } warnRejectedCredentialEntries("auth.json", rejected); return Object.keys(entries).length > 0 ? entries : null; } export function coercePersistedAuthProfileStore(raw: unknown): AuthProfileStore | null { if (!raw || typeof raw !== "object") { return null; } const record = raw as Record; if (!record.profiles || typeof record.profiles !== "object") { return null; } const profiles = record.profiles as Record; const normalized: Record = {}; const rejected: RejectedCredentialEntry[] = []; for (const [key, value] of Object.entries(profiles)) { const parsed = parseCredentialEntry(value); if (!parsed.ok) { rejected.push({ key, reason: parsed.reason }); continue; } normalized[key] = parsed.credential; } warnRejectedCredentialEntries("auth-profiles.json", rejected); return { version: Number(record.version ?? AUTH_STORE_VERSION), profiles: normalized, ...coerceAuthProfileState(record), }; } function mergeRecord( base?: Record, override?: Record, ): Record | undefined { if (!base && !override) { return undefined; } if (!base) { return { ...override }; } if (!override) { return { ...base }; } return { ...base, ...override }; } export function mergeAuthProfileStores( base: AuthProfileStore, override: AuthProfileStore, ): AuthProfileStore { if ( Object.keys(override.profiles).length === 0 && !override.order && !override.lastGood && !override.usageStats ) { return base; } return { version: Math.max(base.version, override.version ?? base.version), profiles: { ...base.profiles, ...override.profiles }, order: mergeRecord(base.order, override.order), lastGood: mergeRecord(base.lastGood, override.lastGood), usageStats: mergeRecord(base.usageStats, override.usageStats), }; } export function buildPersistedAuthProfileSecretsStore( store: AuthProfileStore, shouldPersistProfile?: (params: { profileId: string; credential: AuthProfileCredential; }) => boolean, ): AuthProfileSecretsStore { const profiles = Object.fromEntries( Object.entries(store.profiles).flatMap(([profileId, credential]) => { if (shouldPersistProfile && !shouldPersistProfile({ profileId, credential })) { return []; } if (credential.type === "api_key" && credential.keyRef && credential.key !== undefined) { const sanitized = { ...credential } as Record; delete sanitized.key; return [[profileId, sanitized]]; } if (credential.type === "token" && credential.tokenRef && credential.token !== undefined) { const sanitized = { ...credential } as Record; delete sanitized.token; return [[profileId, sanitized]]; } return [[profileId, credential]]; }), ) as AuthProfileSecretsStore["profiles"]; return { version: AUTH_STORE_VERSION, profiles, }; } export function applyLegacyAuthStore(store: AuthProfileStore, legacy: LegacyAuthStore): void { for (const [provider, cred] of Object.entries(legacy)) { const profileId = `${provider}:default`; const credentialProvider = cred.provider ?? provider; if (cred.type === "api_key") { store.profiles[profileId] = { type: "api_key", provider: credentialProvider, key: cred.key, ...(cred.email ? { email: cred.email } : {}), }; continue; } if (cred.type === "token") { store.profiles[profileId] = { type: "token", provider: credentialProvider, token: cred.token, ...(typeof cred.expires === "number" ? { expires: cred.expires } : {}), ...(cred.email ? { email: cred.email } : {}), }; continue; } store.profiles[profileId] = { type: "oauth", provider: credentialProvider, access: cred.access, refresh: cred.refresh, expires: cred.expires, ...(cred.enterpriseUrl ? { enterpriseUrl: cred.enterpriseUrl } : {}), ...(cred.projectId ? { projectId: cred.projectId } : {}), ...(cred.accountId ? { accountId: cred.accountId } : {}), ...(cred.email ? { email: cred.email } : {}), }; } } export function mergeOAuthFileIntoStore(store: AuthProfileStore): boolean { const oauthPath = resolveOAuthPath(); const oauthRaw = loadJsonFile(oauthPath); if (!oauthRaw || typeof oauthRaw !== "object") { return false; } const oauthEntries = oauthRaw as Record; let mutated = false; for (const [provider, creds] of Object.entries(oauthEntries)) { if (!creds || typeof creds !== "object") { continue; } const profileId = `${provider}:default`; if (store.profiles[profileId]) { continue; } store.profiles[profileId] = { type: "oauth", provider, ...creds, }; mutated = true; } return mutated; } export function loadPersistedAuthProfileStore(agentDir?: string): AuthProfileStore | null { const authPath = resolveAuthStorePath(agentDir); const raw = loadJsonFile(authPath); const store = coercePersistedAuthProfileStore(raw); if (!store) { return null; } return { ...store, ...mergeAuthProfileState(coerceAuthProfileState(raw), loadPersistedAuthProfileState(agentDir)), }; } export function loadLegacyAuthProfileStore(agentDir?: string): LegacyAuthStore | null { return coerceLegacyAuthStore(loadJsonFile(resolveLegacyAuthStorePath(agentDir))); }