refactor: share provider OAuth runtime helpers

vincentkoc · vincentkoc · commit 75de853c3791 · 2026-05-30T03:30:51.000+02:00
diff --git a/docs/.generated/plugin-sdk-api-baseline.sha256 b/docs/.generated/plugin-sdk-api-baseline.sha256
@@ -1,2 +1,2 @@
-49a138a9743063067b983c4dd27d047572aef0764c0e5f87a98d91f43d4f8213  plugin-sdk-api-baseline.json
-cd7ea2f2b4c1d1d073c3077410d44270244e778f33197567f4127a946cc0f7f7  plugin-sdk-api-baseline.jsonl
+6e4aa968ce2734e34e375a70101f7d94abbef3d44a8f7ab515d86e33b7e7fd46  plugin-sdk-api-baseline.json
+d7adacb07286c73b0286afb674a639567c5e795de40d4f763ccfa2a1bcd7300e  plugin-sdk-api-baseline.jsonl
diff --git a/docs/plugins/sdk-subpaths.md b/docs/plugins/sdk-subpaths.md
@@ -144,7 +144,7 @@ and pairing-path families.
     | `plugin-sdk/self-hosted-provider-setup` | Focused OpenAI-compatible self-hosted provider setup helpers |
     | `plugin-sdk/cli-backend` | CLI backend defaults + watchdog constants |
     | `plugin-sdk/provider-auth-runtime` | Runtime API-key resolution helpers for provider plugins |
-    | `plugin-sdk/provider-oauth-runtime` | Generic provider OAuth callback types, callback-page rendering, PKCE/state helpers, and abort helpers |
+    | `plugin-sdk/provider-oauth-runtime` | Generic provider OAuth callback types, callback-page rendering, PKCE/state helpers, authorization-input parsing, token-expiry helpers, and abort helpers |
     | `plugin-sdk/provider-auth-api-key` | API-key onboarding/profile-write helpers such as `upsertApiKeyProfile` |
     | `plugin-sdk/provider-auth-result` | Standard OAuth auth-result builder |
     | `plugin-sdk/provider-env-vars` | Provider auth env-var lookup helpers |
diff --git a/extensions/openai/openai-codex-oauth-flow.runtime.ts b/extensions/openai/openai-codex-oauth-flow.runtime.ts
@@ -5,7 +5,11 @@
  * It is only intended for CLI use, not browser environments.
  */
 
-import { parseStrictPositiveInteger } from "openclaw/plugin-sdk/number-runtime";
+import {
+  parseOAuthAuthorizationInput,
+  resolveOAuthTokenExpiresAt,
+  resolveOAuthTokenLifetimeMs,
+} from "openclaw/plugin-sdk/provider-oauth-runtime";
 import { fetchWithSsrFGuard } from "openclaw/plugin-sdk/ssrf-runtime";
 import { resolveCodexAuthIdentity } from "./openai-codex-auth-identity.js";
 import {
@@ -113,46 +117,14 @@ function waitForManualPromptFallback(signal?: AbortSignal): Promise<null> {
   });
 }
 
-function parseAuthorizationInput(input: string): { code?: string; state?: string } {
-  const value = input.trim();
-  if (!value) {
-    return {};
-  }
-
-  try {
-    const url = new URL(value);
-    return {
-      code: url.searchParams.get("code") ?? undefined,
-      state: url.searchParams.get("state") ?? undefined,
-    };
-  } catch {
-    // not a URL
-  }
-
-  if (value.includes("#")) {
-    const [code, state] = value.split("#", 2);
-    return { code, state };
-  }
-
-  if (value.includes("code=")) {
-    const params = new URLSearchParams(value);
-    return {
-      code: params.get("code") ?? undefined,
-      state: params.get("state") ?? undefined,
-    };
-  }
-
-  return { code: value };
-}
-
 async function promptForAuthorizationCode(
   onPrompt: (prompt: OAuthPrompt) => Promise<string>,
   state: string,
 ): Promise<string | undefined> {
   const input = await onPrompt({
     message: "Paste the authorization code (or full redirect URL):",
   });
-  const parsed = parseAuthorizationInput(input);
+  const parsed = parseOAuthAuthorizationInput(input);
   if (parsed.state && parsed.state !== state) {
     throw new Error("State mismatch");
   }
@@ -167,17 +139,12 @@ function formatMissingTokenResponseFields(json: TokenResponseJson): string {
   if (!json.refresh_token) {
     missing.push("refresh_token");
   }
-  if (parseStrictPositiveInteger(json.expires_in) === undefined) {
+  if (resolveOAuthTokenLifetimeMs(json.expires_in) === undefined) {
     missing.push("expires_in");
   }
   return missing.join(", ");
 }
 
-function resolveTokenExpiresAt(expiresIn: unknown, nowMs = Date.now()): number | undefined {
-  const seconds = parseStrictPositiveInteger(expiresIn);
-  return seconds === undefined ? undefined : nowMs + seconds * 1000;
-}
-
 function formatTokenRequestError(
   operation: "exchange" | "refresh",
   error: unknown,
@@ -259,7 +226,7 @@ async function exchangeAuthorizationCode(
 
   const json = (await response.json()) as TokenResponseJson;
 
-  const expires = resolveTokenExpiresAt(json.expires_in);
+  const expires = resolveOAuthTokenExpiresAt(json.expires_in);
   if (!json.access_token || !json.refresh_token || expires === undefined) {
     return {
       type: "failed",
@@ -301,7 +268,7 @@ async function refreshAccessToken(
 
     const json = (await response.json()) as TokenResponseJson;
 
-    const expires = resolveTokenExpiresAt(json.expires_in);
+    const expires = resolveOAuthTokenExpiresAt(json.expires_in);
     if (!json.access_token || !json.refresh_token || expires === undefined) {
       return {
         type: "failed",
@@ -502,7 +469,7 @@ export async function loginOpenAICodex(options: {
         code = result.code;
       } else if (manualCode) {
         // Manual input won (or callback timed out and user had entered code)
-        const parsed = parseAuthorizationInput(manualCode);
+        const parsed = parseOAuthAuthorizationInput(manualCode);
         if (parsed.state && parsed.state !== state) {
           throw new Error("State mismatch");
         }
@@ -516,7 +483,7 @@ export async function loginOpenAICodex(options: {
           throw manualError;
         }
         if (manualCode) {
-          const parsed = parseAuthorizationInput(manualCode);
+          const parsed = parseOAuthAuthorizationInput(manualCode);
           if (parsed.state && parsed.state !== state) {
             throw new Error("State mismatch");
           }
diff --git a/src/llm/utils/oauth/anthropic.ts b/src/llm/utils/oauth/anthropic.ts
@@ -6,7 +6,10 @@
  */
 
 import type { Server } from "node:http";
-import { parseStrictPositiveInteger } from "../../../infra/parse-finite-number.js";
+import {
+  parseOAuthAuthorizationInput,
+  resolveOAuthTokenExpiresAt,
+} from "../../../plugin-sdk/provider-oauth-runtime.js";
 import {
   buildOAuthRequestSignal,
   createOAuthLoginCancelledError,
@@ -62,38 +65,6 @@ async function getNodeApis(): Promise<NodeApis> {
   return nodeApis;
 }
 
-function parseAuthorizationInput(input: string): { code?: string; state?: string } {
-  const value = input.trim();
-  if (!value) {
-    return {};
-  }
-
-  try {
-    const url = new URL(value);
-    return {
-      code: url.searchParams.get("code") ?? undefined,
-      state: url.searchParams.get("state") ?? undefined,
-    };
-  } catch {
-    // not a URL
-  }
-
-  if (value.includes("#")) {
-    const [code, state] = value.split("#", 2);
-    return { code, state };
-  }
-
-  if (value.includes("code=")) {
-    const params = new URLSearchParams(value);
-    return {
-      code: params.get("code") ?? undefined,
-      state: params.get("state") ?? undefined,
-    };
-  }
-
-  return { code: value };
-}
-
 function formatErrorDetails(error: unknown): string {
   if (error instanceof Error) {
     const details: string[] = [`${error.name}: ${error.message}`];
@@ -123,19 +94,6 @@ function formatTokenResponseParseContext(responseBody: string): string {
   return `bodyBytes=${Buffer.byteLength(responseBody, "utf8")}`;
 }
 
-function resolveTokenExpiresAt(value: unknown): number | undefined {
-  const expiresInSeconds = parseStrictPositiveInteger(value);
-  if (expiresInSeconds === undefined) {
-    return undefined;
-  }
-
-  const lifetimeMs = expiresInSeconds * 1000;
-  const expiresAt = Date.now() + lifetimeMs - 5 * 60 * 1000;
-  return Number.isSafeInteger(lifetimeMs) && Number.isSafeInteger(expiresAt)
-    ? expiresAt
-    : undefined;
-}
-
 function parseTokenCredentials(
   responseBody: string,
   options: {
@@ -160,7 +118,7 @@ function parseTokenCredentials(
   }
 
   const record = data as Record<string, unknown>;
-  const expires = resolveTokenExpiresAt(record.expires_in);
+  const expires = resolveOAuthTokenExpiresAt(record.expires_in, { refreshSkewMs: 5 * 60 * 1000 });
   if (
     typeof record.access_token !== "string" ||
     !record.access_token ||
@@ -388,7 +346,7 @@ export async function loginAnthropic(options: {
         state = result.state;
         redirectUriForExchange = REDIRECT_URI;
       } else if (manualInput) {
-        const parsed = parseAuthorizationInput(manualInput);
+        const parsed = parseOAuthAuthorizationInput(manualInput);
         if (parsed.state && parsed.state !== expectedState) {
           throw new Error("OAuth state mismatch");
         }
@@ -402,7 +360,7 @@ export async function loginAnthropic(options: {
           throw manualError;
         }
         if (manualInput) {
-          const parsed = parseAuthorizationInput(manualInput);
+          const parsed = parseOAuthAuthorizationInput(manualInput);
           if (parsed.state && parsed.state !== expectedState) {
             throw new Error("OAuth state mismatch");
           }
@@ -432,7 +390,7 @@ export async function loginAnthropic(options: {
         options.signal,
         server.cancelWait,
       );
-      const parsed = parseAuthorizationInput(input);
+      const parsed = parseOAuthAuthorizationInput(input);
       if (parsed.state && parsed.state !== expectedState) {
         throw new Error("OAuth state mismatch");
       }
diff --git a/src/plugin-sdk/provider-oauth-runtime.test.ts b/src/plugin-sdk/provider-oauth-runtime.test.ts
@@ -0,0 +1,36 @@
+import { describe, expect, it } from "vitest";
+import {
+  parseOAuthAuthorizationInput,
+  resolveOAuthTokenExpiresAt,
+  resolveOAuthTokenLifetimeMs,
+} from "./provider-oauth-runtime.js";
+
+describe("provider OAuth runtime", () => {
+  it("parses authorization code input from redirect URLs, query strings, and raw codes", () => {
+    expect(
+      parseOAuthAuthorizationInput("http://localhost/callback?code=oauth-code&state=oauth-state"),
+    ).toEqual({ code: "oauth-code", state: "oauth-state" });
+    expect(parseOAuthAuthorizationInput("code=oauth-code&state=oauth-state")).toEqual({
+      code: "oauth-code",
+      state: "oauth-state",
+    });
+    expect(parseOAuthAuthorizationInput("oauth-code#oauth-state")).toEqual({
+      code: "oauth-code",
+      state: "oauth-state",
+    });
+    expect(parseOAuthAuthorizationInput(" oauth-code ")).toEqual({ code: "oauth-code" });
+    expect(parseOAuthAuthorizationInput("   ")).toEqual({});
+  });
+
+  it("resolves safe OAuth token lifetimes and expiry timestamps", () => {
+    expect(resolveOAuthTokenLifetimeMs("30")).toBe(30_000);
+    expect(resolveOAuthTokenExpiresAt(30, { nowMs: 1_000, refreshSkewMs: 5_000 })).toBe(26_000);
+  });
+
+  it("rejects invalid OAuth token lifetimes", () => {
+    expect(resolveOAuthTokenLifetimeMs(0)).toBeUndefined();
+    expect(resolveOAuthTokenLifetimeMs(1.5)).toBeUndefined();
+    expect(resolveOAuthTokenLifetimeMs(Number.MAX_SAFE_INTEGER)).toBeUndefined();
+    expect(resolveOAuthTokenExpiresAt(Number.MAX_SAFE_INTEGER, { nowMs: 1_000 })).toBeUndefined();
+  });
+});
diff --git a/src/plugin-sdk/provider-oauth-runtime.ts b/src/plugin-sdk/provider-oauth-runtime.ts
@@ -1,5 +1,8 @@
 import type { Model } from "../llm/types.js";
-import { resolveTimerTimeoutMs } from "../shared/number-coercion.js";
+import {
+  positiveSecondsToSafeMilliseconds,
+  resolveTimerTimeoutMs,
+} from "../shared/number-coercion.js";
 
 const LOGO_SVG = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 800 800" aria-hidden="true"><path fill="#fff" fill-rule="evenodd" d="M165.29 165.29 H517.36 V400 H400 V517.36 H282.65 V634.72 H165.29 Z M282.65 282.65 V400 H400 V282.65 Z"/><path fill="#fff" d="M517.36 400 H634.72 V634.72 H517.36 Z"/></svg>`;
 
@@ -21,6 +24,11 @@ export type OAuthPrompt = {
   allowEmpty?: boolean;
 };
 
+export type OAuthAuthorizationInput = {
+  code?: string;
+  state?: string;
+};
+
 export type OAuthAuthInfo = {
   url: string;
   instructions?: string;
@@ -213,6 +221,55 @@ export function generateOAuthState(): string {
   return base64urlEncode(stateBytes);
 }
 
+export function parseOAuthAuthorizationInput(input: string): OAuthAuthorizationInput {
+  const value = input.trim();
+  if (!value) {
+    return {};
+  }
+
+  try {
+    const url = new URL(value);
+    return {
+      code: url.searchParams.get("code") ?? undefined,
+      state: url.searchParams.get("state") ?? undefined,
+    };
+  } catch {
+    // Plain pasted code or query-string input.
+  }
+
+  if (value.includes("#")) {
+    const [code, state] = value.split("#", 2);
+    return { code, state };
+  }
+
+  if (value.includes("code=")) {
+    const params = new URLSearchParams(value);
+    return {
+      code: params.get("code") ?? undefined,
+      state: params.get("state") ?? undefined,
+    };
+  }
+
+  return { code: value };
+}
+
+export function resolveOAuthTokenLifetimeMs(value: unknown): number | undefined {
+  return positiveSecondsToSafeMilliseconds(value);
+}
+
+export function resolveOAuthTokenExpiresAt(
+  value: unknown,
+  options: { nowMs?: number; refreshSkewMs?: number } = {},
+): number | undefined {
+  const lifetimeMs = resolveOAuthTokenLifetimeMs(value);
+  if (lifetimeMs === undefined) {
+    return undefined;
+  }
+
+  const expiresAt = (options.nowMs ?? Date.now()) + lifetimeMs - (options.refreshSkewMs ?? 0);
+  return Number.isSafeInteger(expiresAt) ? expiresAt : undefined;
+}
+
 export function createOAuthLoginCancelledError(): Error {
   return new Error("Login cancelled");
 }
