Context Navigation

← Previous Changeset
Next Changeset →

Changeset 3470796

Timestamp:

02/27/2026 02:29:08 AM (11 days ago)

Author:

lightsyncpro

Message:

Version 2.15 - OpenRouter credentials now use short-lease token refresh

Location:

lightsyncpro/trunk

Files:

: 2 added
: 1 edited

assets/screenshot-6.png (added)
assets/screenshot-7.png (added)
includes/oauth/class-openrouter-oauth.php (modified) (8 diffs)

Legend:

: Unmodified
: Added
: Removed

lightsyncpro/trunk/includes/oauth/class-openrouter-oauth.php

-                      r3469756
+                      r3470796
 use LightSyncPro\Util\Crypto;
 use LightSyncPro\Util\Logger;
+if ( ! defined( 'ABSPATH' ) ) exit;
 …
  * Handles broker-based OAuth PKCE flow for OpenRouter AI.
+ *
+ * KEY DIFFERENCE from Canva/Figma/Dropbox:
+ * - OpenRouter returns a persistent API key, NOT an expiring access token
+ * - No token refresh needed — the key is valid until user revokes it
+ * - API key is retrieved during OAuth and stored locally (encrypted)
+ * - Generation calls go DIRECTLY to OpenRouter (not proxied through broker)
+ * - Broker is only used for OAuth flow and model list
+ * Follows the SAME pattern as Canva/Figma/Dropbox:
+ * - Broker handles OAuth and stores the persistent credential (API key)
+ * - Plugin receives only a broker JWT during pickup
+ * - Plugin calls broker's /token/refresh to get a short-lease API key
+ * - Short-lease key is stored as a WordPress transient (auto-expires in 1hr)
+ * - When transient expires, plugin requests a fresh key from broker
+ * - No long-lived credentials in the WordPress database
+ *
  * Flow:
 …
  * 2. Broker redirects to openrouter.ai/auth (PKCE)
  * 3. User authenticates → code returned to broker
  * 4. Broker exchanges code for API key, encrypts & stores
+ * 4. Broker exchanges code for API key, encrypts & stores on broker
  * 5. User redirected back to WP with ?lsp_openrouter_connected=1
  * 6. Plugin picks up broker JWT AND API key
  * 7. Generation: plugin → OpenRouter directly (with API key)
  * 8. Models: plugin → broker (with JWT) for curated list
+ * 6. Plugin picks up broker JWT (no API key in response)
+ * 7. Generation: plugin calls broker /token/refresh → gets short-lease key → calls OpenRouter directly
+ * 8. Models: plugin → OpenRouter public API (no auth needed)
  */
 class OpenRouterOAuth {
 …
         ];
+        // Store API key for direct OpenRouter calls (skips broker proxy)
+        if (!empty($data['data']['api_key'])) {
+            $opts['openrouter_api_key_enc'] = Crypto::enc($data['data']['api_key']);
+            error_log('[LSP OpenRouter] ✓ API key received and encrypted');
+        } else {
+            error_log('[LSP OpenRouter] ⚠ No API key in pickup response — only broker token');
+        }
+        // Clean up any legacy stored API key from pre-refresh architecture
+        $opts['openrouter_api_key_enc'] = '';
         Admin::set_opt($opts);
+        error_log('[LSP OpenRouter] ✓ Successfully connected and stored credentials');
+        // Clear any stale short-lease key transient
+        delete_transient('lsp_openrouter_access_token');
+        error_log('[LSP OpenRouter] ✓ Connected — broker token stored, API key stays on broker');
         set_transient('lsp_openrouter_notice', 'success', 60);
 …
     /**
      * Get the OpenRouter API key for direct calls (bypasses broker proxy)
+     * Get the OpenRouter API key for direct calls (short-lease from broker)
+     *
+     * If not cached locally, fetches from broker using the broker JWT.
+     * This ensures generation requests go directly to OpenRouter, not through our server.
+     * Mirrors the Canva/Figma/Dropbox token refresh pattern:
+     * 1. Check WordPress transient (cached short-lease key, ≤1 hour)
+     * 2. If expired, call broker's /openrouter/token/refresh endpoint
+     * 3. Broker decrypts stored API key and returns it with TTL
+     * 4. Store in transient (auto-expires)
+     *
+     * Result: no long-lived credentials in the WordPress database.
+     *
      * @return string|WP_Error API key or error
      */
     public static function get_api_key() {
+        $o = Admin::get_opt();
+        // Try locally stored key first
+        $enc = $o['openrouter_api_key_enc'] ?? '';
+        if ($enc) {
+            $key = Crypto::dec($enc);
+            if ($key) return $key;
+        }
+        // Not stored yet (existing connection from before direct mode) — fetch from broker
+        // 1. Check transient first (cached short-lease key)
+        $cached = get_transient('lsp_openrouter_access_token');
+        if ($cached) {
+            return $cached;
+        }
+        // 2. Get broker token for authentication
         $broker_token = self::get_broker_token();
         if (is_wp_error($broker_token)) {
 …
+        }
+        $resp = wp_remote_get(
+            self::BROKER_URL . '/wp-json/lsp-broker/v1/openrouter/get-key',
+        // 3. Request fresh short-lease key from broker
+        $resp = wp_remote_post(
+            self::BROKER_URL . '/wp-json/lsp-broker/v1/openrouter/token/refresh',
+            [
                 'timeout' => 15,
 …
         if (is_wp_error($resp)) {
+            return new \WP_Error('key_fetch_failed', 'Could not retrieve API key: ' . $resp->get_error_message());
+        }
+            return new \WP_Error('token_refresh_failed', 'Could not refresh OpenRouter key: ' . $resp->get_error_message());
+        }
+        $http_code = wp_remote_retrieve_response_code($resp);
         $data = json_decode(wp_remote_retrieve_body($resp), true);
+        if (empty($data['success']) || empty($data['data']['api_key'])) {
+            $error = $data['data']['error'] ?? 'Unknown error retrieving API key';
+            return new \WP_Error('key_fetch_failed', $error);
+        }
+        // Cache locally for future calls
+        Admin::set_opt([
+            'openrouter_api_key_enc' => Crypto::enc($data['data']['api_key']),
+        ]);
+        return $data['data']['api_key'];
+        // Handle broker errors
+        if ($http_code !== 200 || empty($data['success']) || empty($data['data']['access_token'])) {
+            $error = $data['data']['error'] ?? 'Unknown error refreshing OpenRouter key';
+            $reconnect = !empty($data['data']['reconnect']);
+            Logger::debug('[LSP OpenRouter] Token refresh failed: ' . $error . ($reconnect ? ' (reconnect needed)' : ''));
+            return new \WP_Error(
+                $reconnect ? 'openrouter_reconnect' : 'token_refresh_failed',
+                $error
+            );
+        }
+        // 4. Store as transient — auto-expires, never persists in options table
+        $key = $data['data']['access_token'];
+        $ttl = (int)($data['data']['expires_in'] ?? 3600);
+        // Refresh 60s early to avoid hitting OpenRouter with a stale key
+        set_transient('lsp_openrouter_access_token', $key, max($ttl - 60, 300));
+        Logger::debug('[LSP OpenRouter] Short-lease key refreshed, TTL=' . $ttl . 's');
+        return $key;
+    }
 …
         Admin::set_opt([
             'openrouter_broker_token_enc' => '',
             'openrouter_api_key_enc'      => '',
+            'openrouter_api_key_enc'      => '',  // Clear any legacy stored key
             'openrouter_connected_at'     => 0,
         ]);
+        // Clear cached models
+        // Clear short-lease key transient and cached models
+        delete_transient('lsp_openrouter_access_token');
         delete_transient('lsp_openrouter_models_v3');
         Logger::debug('[LSP OpenRouter] Disconnected – broker token cleared');
+        Logger::debug('[LSP OpenRouter] Disconnected – broker token and transients cleared');
+    }

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Plugin Directory

Context Navigation

Changeset 3470796

Legend:

lightsyncpro/trunk/includes/oauth/class-openrouter-oauth.php

Download in other formats: