feat(server): add authenticated remote access and desktop bootstrap

Adds cookie-based login with a bootstrap token flow for desktop apps, secures OpenCode instance traffic with per-instance Basic auth, and updates UI/plugin clients to use credentials.

packages/opencode-config/plugin/lib/background-process.ts

@@ -1,5 +1,6 @@
 import path from "path"
 import { tool } from "@opencode-ai/plugin/tool"
+import { createCodeNomadRequester, type CodeNomadConfig } from "./request"
 
 type BackgroundProcess = {
   id: string
@@ -12,11 +13,6 @@ type BackgroundProcess = {
   outputSizeBytes?: number
 }
 
-type CodeNomadConfig = {
-  instanceId: string
-  baseUrl: string
-}
-
 type BackgroundProcessOptions = {
   baseDir: string
 }
@@ -27,30 +23,10 @@ type ParsedCommand = {
 }
 
 export function createBackgroundProcessTools(config: CodeNomadConfig, options: BackgroundProcessOptions) {
+  const requester = createCodeNomadRequester(config)
+
   const request = async <T>(path: string, init?: RequestInit): Promise<T> => {
-
-    const base = config.baseUrl.replace(/\/+$/, "")
-    const url = `${base}/workspaces/${config.instanceId}/plugin/background-processes${path}`
-    const headers = normalizeHeaders(init?.headers)
-    if (init?.body !== undefined) {
-      headers["Content-Type"] = "application/json"
-    }
-
-    const response = await fetch(url, {
-      ...init,
-      headers,
-    })
-
-    if (!response.ok) {
-      const message = await response.text()
-      throw new Error(message || `Request failed with ${response.status}`)
-    }
-
-    if (response.status === 204) {
-      return undefined as T
-    }
-
-    return (await response.json()) as T
+    return requester.requestJson<T>(`/background-processes${path}`, init)
   }
 
   return {
@@ -249,13 +225,7 @@ function tokenize(input: string): string[] {
 
     if (char === "|" || char === "&" || char === ";") {
       flush()
-      const next = input[index + 1]
-      if ((char === "|" || char === "&") && next === char) {
-        tokens.push(char + next)
-        index += 1
-      } else {
-        tokens.push(char)
-      }
+      tokens.push(char)
       continue
     }
 
@@ -266,44 +236,18 @@ function tokenize(input: string): string[] {
   return tokens
 }
 
-function isSeparator(token: string) {
-  return token === "|" || token === "||" || token === "&&" || token === ";" || token === "&"
+function isSeparator(token: string): boolean {
+  return token === "|" || token === "&" || token === ";"
 }
 
-function unquote(value: string) {
-  if (value.length >= 2) {
-    const first = value[0]
-    const last = value[value.length - 1]
-    if ((first === "'" && last === "'") || (first === '"' && last === '"')) {
-      return value.slice(1, -1)
-    }
+function unquote(token: string): string {
+  if ((token.startsWith('"') && token.endsWith('"')) || (token.startsWith("'") && token.endsWith("'"))) {
+    return token.slice(1, -1)
   }
-  return value
+  return token
 }
 
-function isWithinBase(baseDir: string, target: string) {
-  const relative = path.relative(baseDir, target)
-  if (!relative) return true
-  return !relative.startsWith("..") && !path.isAbsolute(relative)
-}
-
-function normalizeHeaders(headers: HeadersInit | undefined): Record<string, string> {
-  const output: Record<string, string> = {}
-  if (!headers) return output
-
-  if (headers instanceof Headers) {
-    headers.forEach((value, key) => {
-      output[key] = value
-    })
-    return output
-  }
-
-  if (Array.isArray(headers)) {
-    for (const [key, value] of headers) {
-      output[key] = value
-    }
-    return output
-  }
-
-  return { ...headers }
+function isWithinBase(base: string, candidate: string): boolean {
+  const relative = path.relative(base, candidate)
+  return relative === "" || (!relative.startsWith("..") && !path.isAbsolute(relative))
 }

packages/opencode-config/plugin/lib/client.ts

@@ -1,74 +1,41 @@
-export type PluginEvent = {
-  type: string
-  properties?: Record<string, unknown>
-}
+import { createCodeNomadRequester, type CodeNomadConfig, type PluginEvent } from "./request"
 
-export type CodeNomadConfig = {
-  instanceId: string
-  baseUrl: string
-}
-
-export function getCodeNomadConfig(): CodeNomadConfig {
-  return {
-    instanceId: requireEnv("CODENOMAD_INSTANCE_ID"),
-    baseUrl: requireEnv("CODENOMAD_BASE_URL"),
-  }
-}
+export { getCodeNomadConfig, type CodeNomadConfig, type PluginEvent } from "./request"
 
 export function createCodeNomadClient(config: CodeNomadConfig) {
-  return {
-    postEvent: (event: PluginEvent) => postPluginEvent(config.baseUrl, config.instanceId, event),
-    startEvents: (onEvent: (event: PluginEvent) => void) => startPluginEvents(config.baseUrl, config.instanceId, onEvent),
-  }
-}
+  const requester = createCodeNomadRequester(config)
 
-function requireEnv(key: string): string {
-  const value = process.env[key]
-  if (!value || !value.trim()) {
-    throw new Error(`[CodeNomadPlugin] Missing required env var ${key}`)
+  return {
+    postEvent: (event: PluginEvent) =>
+      requester.requestVoid("/event", {
+        method: "POST",
+        body: JSON.stringify(event),
+      }),
+    startEvents: (onEvent: (event: PluginEvent) => void) => startPluginEvents(requester, onEvent),
   }
-  return value
 }
 
 function delay(ms: number) {
   return new Promise<void>((resolve) => setTimeout(resolve, ms))
 }
 
-async function postPluginEvent(baseUrl: string, instanceId: string, event: PluginEvent) {
-  const url = `${baseUrl.replace(/\/+$/, "")}/workspaces/${instanceId}/plugin/event`
-  const response = await fetch(url, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/json",
-    },
-    body: JSON.stringify(event),
-  })
-
-  if (!response.ok) {
-    throw new Error(`[CodeNomadPlugin] POST ${url} failed (${response.status})`)
-  }
-}
-
-async function startPluginEvents(baseUrl: string, instanceId: string, onEvent: (event: PluginEvent) => void) {
-  const url = `${baseUrl.replace(/\/+$/, "")}/workspaces/${instanceId}/plugin/events`
-
+async function startPluginEvents(
+  requester: ReturnType<typeof createCodeNomadRequester>,
+  onEvent: (event: PluginEvent) => void,
+) {
   // Fail plugin startup if we cannot establish the initial connection.
-  const initialBody = await connectWithRetries(url, 3)
+  const initialBody = await connectWithRetries(requester, 3)
 
   // After startup, keep reconnecting; throw after 3 consecutive failures.
-  void consumeWithReconnect(url, onEvent, initialBody)
+  void consumeWithReconnect(requester, onEvent, initialBody)
 }
 
-async function connectWithRetries(url: string, maxAttempts: number) {
+async function connectWithRetries(requester: ReturnType<typeof createCodeNomadRequester>, maxAttempts: number) {
   let lastError: unknown
 
   for (let attempt = 1; attempt <= maxAttempts; attempt += 1) {
     try {
-      const response = await fetch(url, { headers: { Accept: "text/event-stream" } })
-      if (!response.ok || !response.body) {
-        throw new Error(`[CodeNomadPlugin] SSE unavailable (${response.status})`)
-      }
-      return response.body
+      return await requester.requestSseBody("/events")
     } catch (error) {
       lastError = error
       await delay(500 * attempt)
@@ -76,11 +43,12 @@ async function connectWithRetries(url: string, maxAttempts: number) {
   }
 
   const reason = lastError instanceof Error ? lastError.message : String(lastError)
-  throw new Error(`[CodeNomadPlugin] Failed to connect to CodeNomad after ${maxAttempts} retries: ${reason}`)
+  const url = requester.buildUrl("/events")
+  throw new Error(`[CodeNomadPlugin] Failed to connect to CodeNomad at ${url} after ${maxAttempts} retries: ${reason}`)
 }
 
 async function consumeWithReconnect(
-  url: string,
+  requester: ReturnType<typeof createCodeNomadRequester>,
   onEvent: (event: PluginEvent) => void,
   initialBody: ReadableStream<Uint8Array>,
 ) {
@@ -90,7 +58,7 @@ async function consumeWithReconnect(
   while (true) {
     try {
       if (!body) {
-        body = await connectWithRetries(url, 3)
+        body = await connectWithRetries(requester, 3)
       }
 
       await consumeSseBody(body, onEvent)

packages/opencode-config/plugin/lib/request.ts

@@ -0,0 +1,124 @@
+export type PluginEvent = {
+  type: string
+  properties?: Record<string, unknown>
+}
+
+export type CodeNomadConfig = {
+  instanceId: string
+  baseUrl: string
+}
+
+export function getCodeNomadConfig(): CodeNomadConfig {
+  return {
+    instanceId: requireEnv("CODENOMAD_INSTANCE_ID"),
+    baseUrl: requireEnv("CODENOMAD_BASE_URL"),
+  }
+}
+
+export function createCodeNomadRequester(config: CodeNomadConfig) {
+  const baseUrl = config.baseUrl.replace(/\/+$/, "")
+  const pluginBase = `${baseUrl}/workspaces/${encodeURIComponent(config.instanceId)}/plugin`
+  const authorization = buildInstanceAuthorizationHeader()
+
+  const buildUrl = (path: string) => {
+    if (path.startsWith("http://") || path.startsWith("https://")) {
+      return path
+    }
+    const normalized = path.startsWith("/") ? path : `/${path}`
+    return `${pluginBase}${normalized}`
+  }
+
+  const buildHeaders = (headers: HeadersInit | undefined, hasBody: boolean): Record<string, string> => {
+    const output: Record<string, string> = normalizeHeaders(headers)
+    output.Authorization = authorization
+    if (hasBody) {
+      output["Content-Type"] = output["Content-Type"] ?? "application/json"
+    }
+    return output
+  }
+
+  const fetchWithAuth = async (path: string, init?: RequestInit): Promise<Response> => {
+    const url = buildUrl(path)
+    const hasBody = init?.body !== undefined
+    const headers = buildHeaders(init?.headers, hasBody)
+
+    return fetch(url, {
+      ...init,
+      headers,
+    })
+  }
+
+  const requestJson = async <T>(path: string, init?: RequestInit): Promise<T> => {
+    const response = await fetchWithAuth(path, init)
+    if (!response.ok) {
+      const message = await response.text().catch(() => "")
+      throw new Error(message || `Request failed with ${response.status}`)
+    }
+
+    if (response.status === 204) {
+      return undefined as T
+    }
+
+    return (await response.json()) as T
+  }
+
+  const requestVoid = async (path: string, init?: RequestInit): Promise<void> => {
+    const response = await fetchWithAuth(path, init)
+    if (!response.ok) {
+      const message = await response.text().catch(() => "")
+      throw new Error(message || `Request failed with ${response.status}`)
+    }
+  }
+
+  const requestSseBody = async (path: string): Promise<ReadableStream<Uint8Array>> => {
+    const response = await fetchWithAuth(path, { headers: { Accept: "text/event-stream" } })
+    if (!response.ok || !response.body) {
+      throw new Error(`SSE unavailable (${response.status})`)
+    }
+    return response.body as ReadableStream<Uint8Array>
+  }
+
+  return {
+    buildUrl,
+    fetch: fetchWithAuth,
+    requestJson,
+    requestVoid,
+    requestSseBody,
+  }
+}
+
+function requireEnv(key: string): string {
+  const value = process.env[key]
+  if (!value || !value.trim()) {
+    throw new Error(`[CodeNomadPlugin] Missing required env var ${key}`)
+  }
+  return value
+}
+
+function buildInstanceAuthorizationHeader(): string {
+  const username = requireEnv("OPENCODE_SERVER_USERNAME")
+  const password = requireEnv("OPENCODE_SERVER_PASSWORD")
+  const token = Buffer.from(`${username}:${password}`, "utf8").toString("base64")
+  return `Basic ${token}`
+}
+
+function normalizeHeaders(headers: HeadersInit | undefined): Record<string, string> {
+  const output: Record<string, string> = {}
+  if (!headers) return output
+
+  if (headers instanceof Headers) {
+    headers.forEach((value, key) => {
+      output[key] = value
+    })
+    return output
+  }
+
+  if (Array.isArray(headers)) {
+    for (const [key, value] of headers) {
+      output[key] = value
+    }
+    return output
+  }
+
+  return { ...headers }
+}