feat(server): add authenticated remote access and desktop bootstrap

Adds cookie-based login with a bootstrap token flow for desktop apps, secures OpenCode instance traffic with per-instance Basic auth, and updates UI/plugin clients to use credentials.
2026-01-14 18:18:14 +00:00
parent 927e4e1281
commit 40634138bc
27 changed files with 1721 additions and 160 deletions
--- a/packages/server/src/workspaces/opencode-auth.ts
+++ b/packages/server/src/workspaces/opencode-auth.ts
@@ -0,0 +1,22 @@
+import crypto from "node:crypto"
+
+export const OPENCODE_SERVER_USERNAME_ENV = "OPENCODE_SERVER_USERNAME" as const
+export const OPENCODE_SERVER_PASSWORD_ENV = "OPENCODE_SERVER_PASSWORD" as const
+
+export const DEFAULT_OPENCODE_USERNAME = "codenomad" as const
+
+export function generateOpencodeServerPassword(): string {
+  return crypto.randomBytes(32).toString("base64url")
+}
+
+export function buildOpencodeBasicAuthHeader(params: { username?: string; password?: string }): string | undefined {
+  const username = params.username
+  const password = params.password
+
+  if (!username || !password) {
+    return undefined
+  }
+
+  const token = Buffer.from(`${username}:${password}`, "utf8").toString("base64")
+  return `Basic ${token}`
+}