Skip to content

feat(auth): Auto-Relogin via Persistent Browser Sessions #9455

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
mguttmann wants to merge 17 commits into
base: dev
Choose a base branch
from
Open

feat(auth): Auto-Relogin via Persistent Browser Sessions #9455

mguttmann wants to merge 17 commits into from
+5,572 −169

Conversation

@mguttmann
Copy link

@mguttmann mguttmann commented Jan 19, 2026

Summary

Automatically refresh expired Anthropic OAuth tokens using persistent browser sessions with Puppeteer + Stealth plugin. This eliminates the need for manual re-authentication when tokens expire overnight.

Closes #9360

Problem

When using Anthropic OAuth (Claude Max subscription), tokens expire after a few hours. The refresh token also expires, causing "Token refresh failed: 400" errors. Users had to manually run opencode auth again each morning.

Solution

This PR adds automatic re-login via headless browser sessions:

  1. One-time setup: User runs opencode auth browser setup which opens a browser window
  2. User logs in: Authenticates with claude.ai (the cookies are saved)
  3. Auto-refresh: When tokens expire, a headless browser automatically:
    • Navigates to the OAuth authorize URL
    • Uses saved cookies to auto-authenticate
    • Clicks "Authorize" button automatically
    • Extracts new tokens and updates the auth store
    • Retries the failed request seamlessly

Features

CLI Commands

  • opencode auth browser setup - Configure browser session for an account
  • opencode auth browser status - Show status of all browser sessions
  • opencode auth browser remove - Remove a browser session

Technical Implementation

  • Puppeteer + Stealth: Uses puppeteer-extra-plugin-stealth to bypass Cloudflare bot detection
  • Auto-install: Puppeteer is automatically installed on first use
  • Isolated profiles: Each OAuth account has its own browser profile (cookies isolated)
  • Profile locking: Prevents concurrent browser operations on same profile
  • Dual callback support: Handles both console.anthropic.com and platform.claude.com OAuth callbacks

Error Handling

  • Detects "Token refresh failed: 400" errors in rotating-fetch.ts
  • Attempts auto-relogin before failing over to next account
  • Shows toast notifications for refresh status
  • Falls back gracefully if browser session is not configured

Files Changed

File Description
auth/browser.ts New - Puppeteer browser session management
auth/rotating-fetch.ts Token refresh error detection + auto-relogin trigger
auth/index.ts Added updateRecord() for token updates
cli/cmd/auth.ts CLI commands for browser session management
server/routes/provider.ts API endpoints for browser sessions
dialog-settings.tsx Desktop UI showing browser session status
package.json Puppeteer as optional dependency

Dependencies

Added as optional dependencies (only installed when needed):

  • puppeteer: ^24.9.0
  • puppeteer-extra: ^3.3.6
  • puppeteer-extra-plugin-stealth: ^2.11.2

Testing

  1. Run opencode auth browser setup and log in
  2. Invalidate token manually or wait for expiration
  3. Send a message - auto-relogin should trigger automatically
  4. Token refreshes seamlessly without user interaction

Screenshots

(Screenshots to be added by @mguttmann)

gwizz and others added 17 commits January 16, 2026 16:30
feat(auth): oauth multi-account failover
f3c29e7
Add OAuth credential failover with toasts
7eb5ba4
fix(auth): improve oauth failover notifications
71693f4
Increase failover toast duration
9ee22c9
Improve OAuth rotation resiliency
91142b2
Add OAuth retry edge case tests
7359043
Relax auth store updates under lock contention
b997788
Rotate oauth on non-network errors
34c1441 
Non-network errors seen in logs:

- AI_APICallError (402 deactivated_workspace)

- AI_APICallError (500 server_error)

- AI_LoadAPIKeyError / OpenAI API key is missing

- ProviderInitError

- ConfigInvalidError

- ProviderAuthOauthCallbackFailed

- NotFoundError

- EditBuffer is destroyed
feat(auth): add usage API endpoint with Anthropic rate limits
097603c 
- Add getUsage() to fetch OAuth account status and health
- Add fetchAnthropicUsage() to fetch Claude Max rate limits from Anthropic API
- Add GET /auth/usage endpoint to expose usage data
feat(app): add auth usage dashboard dialog
5591cba 
- Add DialogAuthUsage component with rate limit visualization
- Display Anthropic 5-hour and 7-day limits with progress bars
- Show OAuth account status, cooldown state, and request counts
- Add button in sidebar to open the dialog
feat(cli): add 'auth usage' command
153d1b0 
- Add AuthUsageCommand to display rate limit info in terminal
- Show account status, cooldown state, and request counts
- Display Anthropic rate limits when available
fix: remove invalid step-start parts from UIMessage conversion
95a5d08 
The AI SDK's convertToModelMessages() does not accept 'step-start' as a valid
UIMessagePart type. This caused AI_InvalidPromptError during session compaction.

- Remove step-start from being added to UIMessage parts
- Simplify the filter since step-start is no longer included
- Fixes compaction breaking sessions with context overflow
Merge PR anomalyco#8912: feat(app): Add OAuth rate limits and usage d…
245c2b1 
…ashboard
feat: multi-account OAuth rotation with settings UI and CLI enhancements
d54b0e0 
## Summary
Implements comprehensive multi-account OAuth support with automatic rate limit
rotation, manual account switching, and a new Settings menu for the desktop app.

## Features

### Multi-Account OAuth Rotation (Backend)
- Add `Auth.OAuthPool.setActive()` to manually switch active OAuth account
- Add `Auth.OAuthPool.snapshot()` returns `activeID` for credential selection
- Update `rotating-fetch.ts` to prefer `activeID` while keeping auto-rotation
- Update `fetchAnthropicUsage()` to respect `provider.active[namespace]`
- Update `getAccounts()` to correctly identify active account

### API Endpoints
- Add `POST /auth/active` endpoint to switch active OAuth account
- Returns updated `anthropicUsage` for immediate UI updates

### Desktop App - Settings Menu
- New `DialogSettings` component with tabbed interface
- **Providers Tab**: View connected providers, add new providers with search
- **Provider Detail View**: Account list, usage stats, switch functionality
- **About Tab**: GitHub, docs, Discord links, keyboard shortcuts
- Inline provider search without leaving settings context

### Desktop App - Context Panel
- Add Anthropic Rate Limits section in session context panel
- Shows 5-hour, weekly (all models), weekly (sonnet) usage bars
- Account switch buttons when multiple accounts configured
- Only visible when current session uses Anthropic provider

### CLI Enhancements
- `opencode auth usage`: Shows individual usage per OAuth account
- `opencode auth switch`: Interactive command to switch active account
- `opencode auth list`: Shows account count per provider
- All provider lists now sorted alphabetically

## Technical Details

### Files Changed
- `packages/opencode/src/auth/index.ts`: Core OAuth pool functions
- `packages/opencode/src/auth/rotating-fetch.ts`: Credential selection
- `packages/opencode/src/server/server.ts`: API endpoint
- `packages/opencode/src/cli/cmd/auth.ts`: CLI commands
- `packages/app/src/components/dialog-settings.tsx`: New settings UI
- `packages/app/src/components/session/session-context-tab.tsx`: Context panel
- `packages/app/src/pages/layout.tsx`: Settings button integration

### Auto-Rotation Flow
1. Request uses `activeID` (manually selected or first available)
2. On 429 rate limit → account gets cooldown, moved to back
3. Next request automatically uses next available account
4. Manual switch via UI/CLI updates `provider.active[namespace]`

### Anthropic Usage Stats
Currently only Anthropic provides OAuth usage statistics.
Other providers show multi-account switching but no usage bars.
Contributions welcome for additional provider support.
feat: add ability to delete individual OAuth accounts
a8a036f 
- Add Auth.OAuthPool.removeRecord() to remove individual OAuth accounts
- Add DELETE /auth/account API endpoint for Desktop app
- Update CLI 'opencode auth logout' to select specific accounts
- Add delete button with confirmation in Desktop Provider settings
Merge origin/dev into feat/multi-account-oauth-rotation-and-settings
35b1cd5
feat(auth): add auto-relogin via browser sessions for expired OAuth t…
660cc46 
…okens

- Add browser.ts with Puppeteer-based browser session management
- Auto-install puppeteer + stealth plugin to bypass Cloudflare
- Store browser profiles per-account for isolated cookie sessions
- Detect 'Token refresh failed: 400' errors in rotating-fetch.ts
- Auto-click 'Authorize' button on consent screen (headless)
- Support both console.anthropic.com and platform.claude.com callbacks
- Add CLI commands: opencode auth browser setup/status/remove
- Add browser session status to desktop settings UI
- Add updateRecord function to OAuthPool for token updates
- Add API endpoints for browser session management
@mguttmann mguttmann mentioned this pull request Jan 19, 2026
Open
8 tasks
@github-actions
Copy link
Contributor

github-actions bot commented Jan 19, 2026

The following comment was made by an LLM, it may be inaccurate:

No duplicate PRs found

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@adamdotdevin adamdotdevin Awaiting requested review from adamdotdevin adamdotdevin is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

feat: Auto-Relogin for Anthropic OAuth via Persistent Browser Sessions

1 participant

@mguttmann