Skip to content

fix: recover from expired enterprise auth on remote config load#31661

Merged
thdxr merged 4 commits into
anomalyco:devfrom
Ayushlm10:fix/remote-config-auth-login
Jun 10, 2026
Merged

fix: recover from expired enterprise auth on remote config load#31661
thdxr merged 4 commits into
anomalyco:devfrom
Ayushlm10:fix/remote-config-auth-login

Conversation

@Ayushlm10

@Ayushlm10 Ayushlm10 commented Jun 10, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Issue for this PR

Closes #31649

Type of change

  • Bug fix
  • New feature
  • Refactor / code improvement
  • Documentation

What does this PR do?

Our opencode enterprise config sits behind Cloudflare Access. Once the stored auth token expires, two things break, and together they make it impossible to recover without manually deleting auth.json.

  1. opencode auth login <url> inherited effectCmd's default
    instance: true, so it bootstraps the project instance before running the login
    handler. Bootstrap eagerly calls Config.get(), which loads the enterprise remote
    config with the expired token and dies — so it crashes before it ever runs the auth command.

  2. The failure is cryptic. Access answers an unauthenticated request with its HTML login
    page and HTTP 200. filterStatusOk accepts the 200, schemaBodyJson then fails to
    parse HTML, and that error is Effect.die'd, so startup aborts with
    failed to decode remote config ... Decode error (200) and a raw stack trace.

How did you verify your code works?

Tested against our real Access-protected endpoint with an expired/invalid token:

  • Before: opencode auth login <url> crashed during bootstrap with the decode defect, and
    normal startup printed Decode error (200) plus a stack trace.
  • After: auth login <url> runs the auth command and stores a fresh token. config-loading commands print the clear re-auth message and exit cleanly. Confirmed the freshly stored token returns 200 application/json from the config endpoint.

Added a unit test (extends the existing well-known harness in config.test.ts): a remote config endpoint that returns 200 text/html now produces ConfigRemoteAuthError instead of a generic decode error, and the error carries the login origin.

Screenshots / recordings

Not a UI change — CLI behavior before/after is described above.

Checklist

  • I have tested my changes locally
  • I have not included unrelated changes in this PR

Ayushlm10 added 2 commits June 10, 2026 14:15
@Ayushlm10
fix(cli): skip instance bootstrap for url-based auth login
c28db37 
`opencode auth login <url>` inherited effectCmd's default `instance: true`, so it
bootstrapped the project instance and loaded enterprise remote config with the
stored token before the login handler ran. When that token was expired or invalid,
config loading aborted the command, making it impossible to re-authenticate without
first deleting auth.json.

Gate the command with `instance: (args) => !args.url` (mirrors run.ts's --attach
handling) so URL-based login skips instance/config bootstrap. The interactive path
still loads the instance for provider and config selection.
@Ayushlm10
fix(config): surface actionable error when remote config returns a lo…
5c6f586 
…gin page

Identity-aware proxies (e.g. an SSO gateway) answer unauthenticated requests to a
protected remote config endpoint with their HTML login page and HTTP 200.
filterStatusOk accepted the 200 and schemaBodyJson then failed with a cryptic
"Decode error (200)" defect that aborted startup with a raw stack trace.

Detect the login page in fetchRemoteJson (content-type plus an HTML body sniff) and
raise a tagged ConfigRemoteAuthError carrying the login origin. FormatError renders a
clear, fail-closed message telling the user to run `opencode auth login <origin>`.
The origin is interpolated from the auth entry, so nothing is vendor-specific.
@github-actions github-actions Bot added needs:compliance This means the issue will auto-close after 2 hours. contributor and removed needs:compliance This means the issue will auto-close after 2 hours. labels Jun 10, 2026
@github-actions

github-actions Bot commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

Thanks for updating your PR! It now meets our contributing guidelines. 👍

@github-actions github-actions Bot mentioned this pull request Jun 10, 2026
Open
@thdxr thdxr enabled auto-merge (squash) June 10, 2026 15:01
@thdxr thdxr disabled auto-merge June 10, 2026 15:01
@thdxr thdxr merged commit 02608a4 into anomalyco:dev Jun 10, 2026
7 of 8 checks passed
@Astro-Han Astro-Han mentioned this pull request Jun 10, 2026
Merged
13 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

contributor

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Expired enterprise auth token makes opencode unrecoverable (cryptic decode error + can't re-login)

2 participants

@Ayushlm10 @thdxr