Files
2026-07-13 13:39:12 +08:00

536 lines
18 KiB
TypeScript

/**
* Zed Hosted Models — auth + model-catalog helpers.
*
* Zed's cloud aggregator (cloud.zed.dev) authenticates native apps with a
* self-generated RSA keypair instead of a registered OAuth client_id/secret:
*
* 1. The client (OmniRoute) generates an ephemeral RSA keypair.
* 2. It sends the public key to zed.dev/native_app_signin (as a URL param).
* 3. The user signs in inside their browser (Zed itself brokers GitHub/Google).
* 4. Zed's browser flow redirects to a local "native app" callback
* (`http://127.0.0.1:<port>/?user_id=...&access_token=...`) with the
* access token RSA-encrypted against the public key we sent in step 2.
* 5. OmniRoute decrypts the access token locally with the private key that
* never left the server (or the operator's browser/paste flow).
*
* No client_id/client_secret/Firebase key is embedded anywhere in this file —
* the "credential" is a keypair generated fresh per login attempt, so
* CLAUDE.md Hard Rule #11 (resolvePublicCred for embedded upstream secrets)
* does not apply here.
*
* Ported from decolua/9router PR #2328 (open-sse/shared/zedAuth.js),
* adapted to TypeScript + OmniRoute conventions. `fetch` is intentionally the
* global one — open-sse/utils/proxyFetch.ts monkey-patches `globalThis.fetch`
* with the proxy-aware dispatcher at module load, so every plain `fetch()`
* call in this codebase already goes through it.
*/
import crypto from "node:crypto";
export const ZED_WEB_BASE_URL = "https://zed.dev";
export const ZED_CLOUD_BASE_URL = "https://cloud.zed.dev";
export const ZED_LLM_BASE_URL = "https://cloud.zed.dev";
export const ZED_HEADERS = {
expiredToken: "x-zed-expired-token",
outdatedToken: "x-zed-outdated-token",
clientSupportsStatus: "x-zed-client-supports-status-messages",
clientSupportsStreamEnded: "x-zed-client-supports-stream-ended-request-completion-status",
serverSupportsStatus: "x-zed-server-supports-status-messages",
clientSupportsXai: "x-zed-client-supports-x-ai",
systemId: "x-zed-system-id",
} as const;
const PRIVATE_KEY_PREFIX = "zed-rsa-pkcs1:";
const LLM_TOKEN_TTL_MS = 50 * 60 * 1000;
const MODEL_CACHE_TTL_MS = 60 * 60 * 1000;
export type ZedRawModel = Record<string, unknown>;
export type ZedModel = {
id: string;
name: string;
provider: unknown;
isLatest: boolean;
contextLength: unknown;
contextLengthInMaxMode: unknown;
maxOutputTokens: unknown;
supportsTools: boolean;
supportsImages: boolean;
supportsThinking: boolean;
supportsDisablingThinking: boolean;
supportsFastMode: boolean;
supportsServerSideCompaction: boolean;
supportedEffortLevels: unknown;
supportsStreamingTools: boolean;
supportsParallelToolCalls: boolean;
isDisabled: boolean;
disabledReason: unknown;
};
export type ZedModelCatalog = {
expiresAt: number;
models: ZedModel[];
rawModels: ZedRawModel[];
rawById: Map<string, ZedRawModel>;
defaultModel: string;
defaultFastModel: string;
recommendedModels: string[];
};
export type ZedCredentials = {
accessToken?: string;
apiKey?: string;
providerSpecificData?: {
userId?: string;
systemId?: string;
organizationId?: unknown;
defaultOrganizationId?: unknown;
[key: string]: unknown;
} | null;
[key: string]: unknown;
};
export type ZedRequestConfig = {
webBaseUrl?: string;
cloudBaseUrl?: string;
llmBaseUrl?: string;
defaultNativeAppPort?: number;
[key: string]: unknown;
};
const llmTokenCache = new Map<string, { token: string; expiresAt: number }>();
const modelCache = new Map<string, ZedModelCatalog>();
const modelInflight = new Map<string, Promise<ZedModelCatalog>>();
function b64url(value: string): string {
return Buffer.from(value).toString("base64url");
}
function b64urlPadded(value: Buffer): string {
return value.toString("base64").replace(/\+/g, "-").replace(/\//g, "_");
}
function fromB64url(value: string): string {
return Buffer.from(String(value || ""), "base64url").toString("utf8");
}
function normalizeBaseUrl(baseUrl: unknown, fallback: string): string {
return String(baseUrl || fallback).replace(/\/+$/, "");
}
function zedUrl(
config: ZedRequestConfig | undefined,
key: "cloudBaseUrl" | "llmBaseUrl" | "webBaseUrl",
path: string,
fallbackBase: string
): string {
const base = normalizeBaseUrl(config?.[key], fallbackBase);
return `${base}${path}`;
}
/** Encode a PEM private key as an opaque verifier string that can flow through the
* generic OAuth `codeVerifier` slot (mirrors PKCE's code_verifier plumbing). */
export function encodeZedPrivateKeyVerifier(privateKeyPem: string): string {
return `${PRIVATE_KEY_PREFIX}${b64url(privateKeyPem)}`;
}
export function decodeZedPrivateKeyVerifier(verifier: unknown): string {
const value = String(verifier || "");
if (!value.startsWith(PRIVATE_KEY_PREFIX)) {
throw new Error("Missing Zed private key verifier; restart the login flow");
}
return fromB64url(value.slice(PRIVATE_KEY_PREFIX.length));
}
export type ZedNativeAuthData = {
authUrl: string;
privateKeyVerifier: string;
nativeAppPort: number;
systemId: string;
publicKey: string;
};
/** Generate a fresh RSA keypair + the zed.dev native_app_signin URL for it. */
export function createZedNativeAuthData(
config: ZedRequestConfig = {},
options: { nativeAppPort?: number; systemId?: string } = {}
): ZedNativeAuthData {
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", {
modulusLength: 2048,
publicKeyEncoding: { type: "pkcs1", format: "der" },
privateKeyEncoding: { type: "pkcs1", format: "pem" },
});
const nativeAppPort = Number(options.nativeAppPort || config.defaultNativeAppPort || 58443);
const systemId = options.systemId || crypto.randomUUID();
const publicKeyString = b64urlPadded(publicKey as unknown as Buffer);
const signInUrl = new URL(
`${normalizeBaseUrl(config.webBaseUrl, ZED_WEB_BASE_URL)}/native_app_signin`
);
signInUrl.searchParams.set("native_app_port", String(nativeAppPort));
signInUrl.searchParams.set("native_app_public_key", publicKeyString);
if (systemId) signInUrl.searchParams.set("system_id", systemId);
return {
authUrl: signInUrl.toString(),
privateKeyVerifier: encodeZedPrivateKeyVerifier(privateKey as unknown as string),
nativeAppPort,
systemId,
publicKey: publicKeyString,
};
}
export type ZedCallbackPayload = {
userId: string;
encryptedAccessToken: string;
};
/** Parse the pasted native-app callback URL/JSON/query string into userId + encrypted token. */
export function parseZedCallbackPayload(input: unknown): ZedCallbackPayload {
const raw = String(input || "").trim();
if (!raw) throw new Error("Missing Zed callback URL");
let data: Record<string, unknown> = {};
try {
data = JSON.parse(raw);
} catch {
let url: URL;
try {
url = new URL(raw);
} catch {
try {
url = new URL(`http://127.0.0.1/?${raw.replace(/^\?/, "")}`);
} catch {
throw new Error("Invalid Zed callback URL");
}
}
url.searchParams.forEach((value, key) => {
data[key] = value;
});
}
const userId = data.user_id || data.userId;
const encryptedAccessToken = data.access_token || data.accessToken || data.token;
if (!userId || !encryptedAccessToken) {
throw new Error("Zed callback must include user_id and access_token");
}
return {
userId: String(userId),
encryptedAccessToken: String(encryptedAccessToken),
};
}
/** Decrypt the RSA-encrypted access token Zed returned, using our stored private key. */
export function decryptZedAccessToken(encryptedAccessToken: unknown, privateKeyVerifier: unknown): string {
const privateKey = decodeZedPrivateKeyVerifier(privateKeyVerifier);
const encrypted = Buffer.from(String(encryptedAccessToken), "base64url");
try {
return crypto
.privateDecrypt(
{ key: privateKey, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" },
encrypted
)
.toString("utf8");
} catch (oaepError) {
try {
return crypto
.privateDecrypt({ key: privateKey, padding: crypto.constants.RSA_PKCS1_PADDING }, encrypted)
.toString("utf8");
} catch {
const message = oaepError instanceof Error ? oaepError.message : String(oaepError);
throw new Error(`Failed to decrypt Zed access token: ${message}`);
}
}
}
export function buildZedUserAuthHeader(credentials: ZedCredentials | null | undefined): string {
const psd = credentials?.providerSpecificData || {};
const userId = psd.userId || (credentials as Record<string, unknown> | null)?.userId;
const accessToken = credentials?.accessToken || credentials?.apiKey;
if (!userId || !accessToken) {
throw new Error("Zed credential is missing userId or accessToken");
}
return `${userId} ${accessToken}`;
}
function getSystemId(credentials: ZedCredentials | null | undefined): string {
return String(
credentials?.providerSpecificData?.systemId ||
(credentials as Record<string, unknown> | null)?.systemId ||
""
);
}
async function fetchJson(url: string, options: RequestInit) {
const res = await fetch(url, options);
const text = await res.text();
let data = null;
if (text) {
try {
data = JSON.parse(text);
} catch {
data = { raw: text };
}
}
if (!res.ok) {
const message = data?.message || data?.error?.message || data?.error || text || `HTTP ${res.status}`;
const err = new Error(String(message)) as Error & { status?: number; body?: unknown };
err.status = res.status;
err.body = data;
throw err;
}
return data;
}
export async function fetchZedAuthenticatedUser(
credentials: ZedCredentials,
options: { config?: ZedRequestConfig; signal?: AbortSignal | null } = {}
) {
const config = options.config || {};
const headers: Record<string, string> = {
Accept: "application/json",
Authorization: buildZedUserAuthHeader(credentials),
};
const systemId = getSystemId(credentials);
if (systemId) headers[ZED_HEADERS.systemId] = systemId;
return fetchJson(zedUrl(config, "cloudBaseUrl", "/client/users/me", ZED_CLOUD_BASE_URL), {
method: "GET",
headers,
signal: options.signal ?? undefined,
});
}
function normalizeOrganizationId(value: unknown): string {
if (!value) return "";
if (typeof value === "string") return value;
if (typeof value === "object" && value !== null) {
const rec = value as Record<string, unknown>;
if (typeof rec[0] === "string") return rec[0] as string;
if (typeof rec.id === "string") return rec.id;
}
return String(value);
}
export function resolveZedOrganizationId(
credentials: ZedCredentials,
userInfo = null
): string {
const psd = credentials?.providerSpecificData || {};
const explicit = normalizeOrganizationId(psd.organizationId || psd.defaultOrganizationId);
if (explicit) return explicit;
const fromUser = normalizeOrganizationId(
userInfo?.default_organization_id || userInfo?.defaultOrganizationId
);
if (fromUser) return fromUser;
const org =
(userInfo?.organizations || []).find((item: Record<string, unknown>) => item?.is_personal) ||
userInfo?.organizations?.[0];
return normalizeOrganizationId(org?.id);
}
function zedUserCacheKey(credentials: ZedCredentials, organizationId: string): string {
const psd = credentials?.providerSpecificData || {};
const userId = psd.userId || (credentials as Record<string, unknown>).userId || "unknown";
const token = credentials?.accessToken || credentials?.apiKey || "";
return `${userId}:${organizationId || "default"}:${token.slice(-16)}`;
}
function zedModelCacheKey(credentials: ZedCredentials): string {
const psd = credentials?.providerSpecificData || {};
const org = psd.organizationId || psd.defaultOrganizationId || "default";
const token = credentials?.accessToken || credentials?.apiKey || "";
return `${psd.userId || "unknown"}:${org}:${token.slice(-16)}`;
}
export async function fetchZedLlmToken(
credentials: ZedCredentials,
options: {
config?: ZedRequestConfig;
organizationId?: string;
forceRefresh?: boolean;
signal?: AbortSignal | null;
} = {}
): Promise<string> {
const config = options.config || {};
let organizationId = options.organizationId || resolveZedOrganizationId(credentials);
if (!organizationId) {
const userInfo = await fetchZedAuthenticatedUser(credentials, options);
organizationId = resolveZedOrganizationId(credentials, userInfo);
}
if (!organizationId) throw new Error("No Zed organization selected");
const cacheKey = zedUserCacheKey(credentials, organizationId);
const cached = llmTokenCache.get(cacheKey);
if (!options.forceRefresh && cached && cached.expiresAt > Date.now()) return cached.token;
const headers: Record<string, string> = {
"Content-Type": "application/json",
Accept: "application/json",
Authorization: buildZedUserAuthHeader(credentials),
};
const systemId = getSystemId(credentials);
if (systemId) headers[ZED_HEADERS.systemId] = systemId;
const data = await fetchJson(zedUrl(config, "cloudBaseUrl", "/client/llm_tokens", ZED_CLOUD_BASE_URL), {
method: "POST",
headers,
body: JSON.stringify({ organization_id: organizationId }),
signal: options.signal ?? undefined,
});
const token =
typeof data?.token === "string" ? data.token : data?.token?.[0] || data?.token?.value;
if (!token) throw new Error("Zed did not return an LLM token");
llmTokenCache.set(cacheKey, { token, expiresAt: Date.now() + LLM_TOKEN_TTL_MS });
return token;
}
export function shouldRefreshZedLlmToken(response: Response | null | undefined): boolean {
return (
response?.status === 401 ||
!!response?.headers?.has?.(ZED_HEADERS.expiredToken) ||
!!response?.headers?.has?.(ZED_HEADERS.outdatedToken)
);
}
export async function zedLlmFetch(
credentials: ZedCredentials,
path: string,
options: {
config?: ZedRequestConfig;
signal?: AbortSignal | null;
fetchOptions?: RequestInit;
organizationId?: string;
forceRefresh?: boolean;
} = {}
): Promise<Response> {
const config = options.config || {};
const url = zedUrl(config, "llmBaseUrl", path, ZED_LLM_BASE_URL);
const buildRequest = async (forceRefresh: boolean) => {
const token = await fetchZedLlmToken(credentials, { ...options, forceRefresh });
return fetch(url, {
...options.fetchOptions,
headers: {
...(options.fetchOptions?.headers || {}),
Authorization: `Bearer ${token}`,
},
signal: options.signal ?? undefined,
});
};
let response = await buildRequest(false);
if (shouldRefreshZedLlmToken(response)) {
response = await buildRequest(true);
}
return response;
}
function normalizeZedModelId(id: unknown): string {
if (!id) return "";
if (typeof id === "string") return id;
if (typeof id === "object" && id !== null) {
const rec = id as Record<string, unknown>;
if (typeof rec[0] === "string") return rec[0] as string;
if (typeof rec.id === "string") return rec.id;
}
return String(id);
}
export function mapZedModel(model: ZedRawModel): ZedModel | null {
const id = normalizeZedModelId(model?.id);
if (!id) return null;
return {
id,
name: (model.display_name as string) || (model.displayName as string) || id,
provider: model.provider,
isLatest: !!model.is_latest,
contextLength: model.max_token_count ?? model.maxTokenCount,
contextLengthInMaxMode: model.max_token_count_in_max_mode ?? model.maxTokenCountInMaxMode,
maxOutputTokens: model.max_output_tokens ?? model.maxOutputTokens,
supportsTools: !!model.supports_tools,
supportsImages: !!model.supports_images,
supportsThinking: !!model.supports_thinking,
supportsDisablingThinking: !!model.supports_disabling_thinking,
supportsFastMode: !!model.supports_fast_mode,
supportsServerSideCompaction: !!model.supports_server_side_compaction,
supportedEffortLevels: model.supported_effort_levels ?? model.supportedEffortLevels ?? [],
supportsStreamingTools: !!model.supports_streaming_tools,
supportsParallelToolCalls: !!model.supports_parallel_tool_calls,
isDisabled: !!model.is_disabled,
disabledReason: model.disabled_reason ?? null,
};
}
/** Resolve (and cache) the live Zed model catalog. Never hardcoded — always a live fetch. */
export async function resolveZedModels(
credentials: ZedCredentials,
options: {
config?: ZedRequestConfig;
signal?: AbortSignal | null;
forceRefresh?: boolean;
} = {}
): Promise<ZedModelCatalog | null> {
if (!credentials?.accessToken) return null;
const key = zedModelCacheKey(credentials);
const cached = modelCache.get(key);
if (!options.forceRefresh && cached && cached.expiresAt > Date.now()) return cached;
const existing = modelInflight.get(key);
if (existing && !options.forceRefresh) return existing;
const promise = (async (): Promise<ZedModelCatalog> => {
const response = await zedLlmFetch(credentials, "/models", {
...options,
fetchOptions: {
method: "GET",
headers: {
Accept: "application/json",
[ZED_HEADERS.clientSupportsXai]: "true",
},
},
});
if (!response.ok) {
const text = await response.text().catch(() => "");
throw new Error(`Zed models failed: ${response.status} ${text}`);
}
const data = await response.json();
const rawModels: ZedRawModel[] = Array.isArray(data?.models) ? data.models : [];
const models = rawModels
.map(mapZedModel)
.filter((m): m is ZedModel => !!m)
.filter((model) => !model.isDisabled);
const rawById = new Map<string, ZedRawModel>();
for (const raw of rawModels) {
const id = normalizeZedModelId(raw?.id);
if (id) rawById.set(id, raw);
}
const entry: ZedModelCatalog = {
expiresAt: Date.now() + MODEL_CACHE_TTL_MS,
models,
rawModels,
rawById,
defaultModel: normalizeZedModelId(data?.default_model ?? data?.defaultModel),
defaultFastModel: normalizeZedModelId(data?.default_fast_model ?? data?.defaultFastModel),
recommendedModels: (data?.recommended_models || data?.recommendedModels || [])
.map(normalizeZedModelId)
.filter(Boolean),
};
modelCache.set(key, entry);
return entry;
})();
modelInflight.set(key, promise);
try {
return await promise;
} finally {
if (modelInflight.get(key) === promise) modelInflight.delete(key);
}
}
export function clearZedCaches(): void {
llmTokenCache.clear();
modelCache.clear();
modelInflight.clear();
}