gustavodiasdev
diff --git a/‎src/index.ts‎
Lines changed: 95 additions & 56 deletions b/‎src/index.ts‎
Lines changed: 95 additions & 56 deletions
diff --git a/‎src/plugin/auth.ts‎
Lines changed: 99 additions & 8 deletions b/‎src/plugin/auth.ts‎
Lines changed: 99 additions & 8 deletions
@@ -9,25 +9,27 @@
  */
 
 import { spawn } from 'node:child_process';
+import { randomUUID } from 'node:crypto';
 
 import { QWEN_PROVIDER_ID, QWEN_API_CONFIG, QWEN_MODELS, QWEN_OFFICIAL_HEADERS } from './constants.js';
 import type { QwenCredentials } from './types.js';
-import type { HttpError } from './utils/retry.js';
-import { saveCredentials, loadCredentials, resolveBaseUrl } from './plugin/auth.js';
+import { resolveBaseUrl } from './plugin/auth.js';
 import {
   generatePKCE,
   requestDeviceAuthorization,
   pollDeviceToken,
   tokenResponseToCredentials,
-  refreshAccessToken,
   SlowDownError,
 } from './qwen/oauth.js';
-import { logTechnicalDetail } from './errors.js';
-import { retryWithBackoff } from './utils/retry.js';
+import { retryWithBackoff, getErrorStatus } from './utils/retry.js';
 import { RequestQueue } from './plugin/request-queue.js';
+import { tokenManager } from './plugin/token-manager.js';
+import { createDebugLogger } from './utils/debug-logger.js';
+
+const debugLogger = createDebugLogger('PLUGIN');
 
 // Global session ID for the plugin lifetime
-const PLUGIN_SESSION_ID = crypto.randomUUID();
+const PLUGIN_SESSION_ID = randomUUID();
 
 // Singleton request queue for throttling (shared across all requests)
 const requestQueue = new RequestQueue();
@@ -86,7 +88,7 @@ export const QwenAuthPlugin = async (_input: unknown) => {
       provider: QWEN_PROVIDER_ID,
 
       loader: async (
-        getAuth: () => Promise<{ type: string; access?: string; refresh?: string; expires?: number }>,
+        getAuth: any,
         provider: { models?: Record<string, { cost?: { input: number; output: number } }> },
       ) => {
         // Zerar custo dos modelos (gratuito via OAuth)
@@ -96,66 +98,103 @@ export const QwenAuthPlugin = async (_input: unknown) => {
           }
         }
 
-        const accessToken = await getValidAccessToken(getAuth);
-        if (!accessToken) return null;
+        // Get latest valid credentials
+        const credentials = await tokenManager.getValidCredentials();
+        if (!credentials?.accessToken) return null;
 
-        // Load credentials to resolve region-specific base URL
-        const creds = loadCredentials();
-        const baseURL = resolveBaseUrl(creds?.resource_url);
+        const baseURL = resolveBaseUrl(credentials.resourceUrl);
 
         return {
-          apiKey: accessToken,
+          apiKey: credentials.accessToken,
           baseURL: baseURL,
           headers: {
             ...QWEN_OFFICIAL_HEADERS,
-            // Custom metadata object required by official backend for free quota
-            'X-Metadata': JSON.stringify({
-              sessionId: PLUGIN_SESSION_ID,
-              promptId: crypto.randomUUID(),
-              source: 'opencode-qwencode-auth'
-            })
           },
-          // Custom fetch with throttling and retry
-          fetch: async (url: string, options?: RequestInit) => {
+          // Custom fetch with throttling, retry and 401 recovery
+          fetch: async (url: string, options: any = {}) => {
             return requestQueue.enqueue(async () => {
-              return retryWithBackoff(
-                async () => {
-                  // Generate new promptId for each request
-                  const headers = new Headers(options?.headers);
-                  headers.set('Authorization', `Bearer ${accessToken}`);
-                  headers.set(
-                    'X-Metadata',
-                    JSON.stringify({
-                      sessionId: PLUGIN_SESSION_ID,
-                      promptId: crypto.randomUUID(),
-                      source: 'opencode-qwencode-auth',
-                    })
-                  );
-
-                  const response = await fetch(url, {
-                    ...options,
-                    headers,
-                  });
-
-                  if (!response.ok) {
-                    const errorText = await response.text().catch(() => '');
-                    const error = new Error(`HTTP ${response.status}: ${errorText}`) as HttpError & { status?: number };
-                    error.status = response.status;
-                    (error as any).response = response;
-                    throw error;
+              let authRetryCount = 0;
+
+              const executeRequest = async (): Promise<Response> => {
+                // Get latest token (possibly refreshed by concurrent request)
+                const currentCreds = await tokenManager.getValidCredentials();
+                const token = currentCreds?.accessToken;
+                
+                if (!token) throw new Error('No access token available');
+
+                // Prepare merged headers
+                const mergedHeaders: Record<string, string> = {
+                  ...QWEN_OFFICIAL_HEADERS,
+                };
+
+                // Merge provided headers (handles both plain object and Headers instance)
+                if (options.headers) {
+                  if (typeof (options.headers as any).entries === 'function') {
+                    for (const [k, v] of (options.headers as any).entries()) {
+                      const kl = k.toLowerCase();
+                      if (!kl.startsWith('x-dashscope') && kl !== 'user-agent' && kl !== 'authorization') {
+                        mergedHeaders[k] = v;
+                      }
+                    }
+                  } else {
+                    for (const [k, v] of Object.entries(options.headers)) {
+                      const kl = k.toLowerCase();
+                      if (!kl.startsWith('x-dashscope') && kl !== 'user-agent' && kl !== 'authorization') {
+                        mergedHeaders[k] = v as string;
+                      }
+                    }
                   }
+                }
 
-                  return response;
-                },
-                {
-                  authType: 'qwen-oauth',
-                  maxAttempts: 7,
-                  initialDelayMs: 1500,
-                  maxDelayMs: 30000,
+                // Force our Authorization token
+                mergedHeaders['Authorization'] = `Bearer ${token}`;
+
+                // Optional: X-Metadata might be expected by some endpoints for free quota tracking
+                // but let's try without it first to match official client closer
+                // mergedHeaders['X-Metadata'] = JSON.stringify({ ... });
+
+                // Perform the request
+                const response = await fetch(url, {
+                  ...options,
+                  headers: mergedHeaders
+                });
+
+                // Reactive recovery for 401 (token expired mid-session)
+                if (response.status === 401 && authRetryCount < 1) {
+                  authRetryCount++;
+                  debugLogger.warn('401 Unauthorized detected. Forcing token refresh...');
+                  
+                  // Force refresh from API
+                  const refreshed = await tokenManager.getValidCredentials(true);
+                  if (refreshed?.accessToken) {
+                    debugLogger.info('Token refreshed, retrying request...');
+                    return executeRequest(); // Recursive retry with new token
+                  }
                 }
-              );
+
+                // Error handling for retryWithBackoff
+                if (!response.ok) {
+                  const errorText = await response.text().catch(() => '');
+                  const error: any = new Error(`HTTP ${response.status}: ${errorText}`);
+                  error.status = response.status;
+                  throw error;
+                }
+
+                return response;
+              };
+
+              // Use official retry logic for 429/5xx errors
+              return retryWithBackoff(() => executeRequest(), {
+                authType: 'qwen-oauth',
+                maxAttempts: 7,
+                shouldRetryOnError: (error: any) => {
+                  const status = error.status || getErrorStatus(error);
+                  // Retry on 401 (handled by executeRequest recursion too), 429, and 5xx
+                  return status === 401 || status === 429 || (status !== undefined && status >= 500 && status < 600);
+                }
+              });
             });
-          },
+          }
         };
       },
 
@@ -189,7 +228,7 @@ export const QwenAuthPlugin = async (_input: unknown) => {
 
                       if (tokenResponse) {
                         const credentials = tokenResponseToCredentials(tokenResponse);
-                        saveCredentials(credentials);
+                        tokenManager.setCredentials(credentials);
 
                         return {
                           type: 'success' as const,
 
@@ -5,34 +5,110 @@
  */
 
 import { homedir } from 'node:os';
-import { join } from 'node:path';
-import { existsSync, writeFileSync, mkdirSync, readFileSync } from 'node:fs';
+import { join, dirname } from 'node:path';
+import { existsSync, writeFileSync, mkdirSync, readFileSync, renameSync, unlinkSync } from 'node:fs';
+import { randomUUID } from 'node:crypto';
 
 import type { QwenCredentials } from '../types.js';
 import { QWEN_API_CONFIG } from '../constants.js';
 
 /**
  * Get the path to the credentials file
+ * Supports test override via QWEN_TEST_CREDS_PATH environment variable
  */
 export function getCredentialsPath(): string {
+  // Check for test override (prevents tests from modifying user credentials)
+  if (process.env.QWEN_TEST_CREDS_PATH) {
+    return process.env.QWEN_TEST_CREDS_PATH;
+  }
   const homeDir = homedir();
   return join(homeDir, '.qwen', 'oauth_creds.json');
 }
 
 /**
- * Load credentials from file
+ * Validate credentials structure
+ * Matches official client's validateCredentials() function
  */
-export function loadCredentials(): any {
+function validateCredentials(data: unknown): QwenCredentials {
+  if (!data || typeof data !== 'object') {
+    throw new Error('Invalid credentials format: expected object');
+  }
+
+  const creds = data as Partial<QwenCredentials>;
+  const requiredFields = ['accessToken', 'tokenType'] as const;
+
+  // Validate required string fields
+  for (const field of requiredFields) {
+    if (!creds[field] || typeof creds[field] !== 'string') {
+      throw new Error(`Invalid credentials: missing or invalid ${field}`);
+    }
+  }
+
+  // Validate refreshToken (optional but should be string if present)
+  if (creds.refreshToken !== undefined && typeof creds.refreshToken !== 'string') {
+    throw new Error('Invalid credentials: refreshToken must be a string');
+  }
+
+  // Validate expiryDate (required for token management)
+  if (!creds.expiryDate || typeof creds.expiryDate !== 'number') {
+    throw new Error('Invalid credentials: missing or invalid expiryDate');
+  }
+
+  // Validate resourceUrl (optional but should be string if present)
+  if (creds.resourceUrl !== undefined && typeof creds.resourceUrl !== 'string') {
+    throw new Error('Invalid credentials: resourceUrl must be a string');
+  }
+
+  // Validate scope (optional but should be string if present)
+  if (creds.scope !== undefined && typeof creds.scope !== 'string') {
+    throw new Error('Invalid credentials: scope must be a string');
+  }
+
+  return {
+    accessToken: creds.accessToken!,
+    tokenType: creds.tokenType!,
+    refreshToken: creds.refreshToken,
+    resourceUrl: creds.resourceUrl,
+    expiryDate: creds.expiryDate!,
+    scope: creds.scope,
+  };
+}
+
+/**
+ * Load credentials from file and map to camelCase QwenCredentials
+ * Includes comprehensive validation matching official client
+ */
+export function loadCredentials(): QwenCredentials | null {
   const credPath = getCredentialsPath();
   if (!existsSync(credPath)) {
     return null;
   }
 
   try {
     const content = readFileSync(credPath, 'utf8');
-    return JSON.parse(content);
+    const data = JSON.parse(content);
+    
+    // Convert snake_case (file format) to camelCase (internal format)
+    // This matches qwen-code format for compatibility
+    const converted: QwenCredentials = {
+      accessToken: data.access_token,
+      tokenType: data.token_type || 'Bearer',
+      refreshToken: data.refresh_token,
+      resourceUrl: data.resource_url,
+      expiryDate: data.expiry_date,
+      scope: data.scope,
+    };
+    
+    // Validate converted credentials structure
+    const validated = validateCredentials(converted);
+    
+    return validated;
   } catch (error) {
-    console.error('Failed to load Qwen credentials:', error);
+    const message = error instanceof Error ? error.message : String(error);
+    console.error('[QwenAuth] Failed to load credentials:', message);
+    
+    // Corrupted file - suggest re-authentication
+    console.error('[QwenAuth] Credentials file may be corrupted. Please re-authenticate.');
     return null;
   }
 }
@@ -60,10 +136,11 @@ export function resolveBaseUrl(resourceUrl?: string): string {
 
 /**
  * Save credentials to file in qwen-code compatible format
+ * Uses atomic write (temp file + rename) to prevent corruption
  */
 export function saveCredentials(credentials: QwenCredentials): void {
   const credPath = getCredentialsPath();
-  const dir = join(homedir(), '.qwen');
+  const dir = dirname(credPath);
 
   if (!existsSync(dir)) {
     mkdirSync(dir, { recursive: true });
@@ -79,5 +156,19 @@ export function saveCredentials(credentials: QwenCredentials): void {
     scope: credentials.scope,
   };
 
-  writeFileSync(credPath, JSON.stringify(data, null, 2));
+  // ATOMIC WRITE: temp file + rename to prevent corruption
+  const tempPath = `${credPath}.tmp.${randomUUID()}`;
+  
+  try {
+    writeFileSync(tempPath, JSON.stringify(data, null, 2));
+    renameSync(tempPath, credPath); // Atomic on POSIX systems
+  } catch (error) {
+    // Cleanup temp file if rename fails
+    try {
+      if (existsSync(tempPath)) {
+        unlinkSync(tempPath);
+      }
+    } catch {}
+    throw error;
+  }
 }