upgrade openclaw to 3.23 (#652)

Co-authored-by: Felix <24791380+vcfgv@users.noreply.github.com>
2026-03-26 16:58:04 +08:00
parent b786b773f1
commit ba5947e2cb
22 changed files with 2927 additions and 4739 deletions
--- a/electron/utils/qwen-oauth.ts
+++ b/electron/utils/qwen-oauth.ts
@@ -0,0 +1,211 @@
+/**
+ * Self-contained Qwen Device Code OAuth flow.
+ *
+ * Implements RFC 8628 (Device Authorization Grant) with PKCE for Qwen API.
+ * Zero dependency on openclaw extension modules — survives openclaw upgrades.
+ *
+ * Protocol:
+ *   1. POST /api/v1/oauth2/device/code  → get device_code, user_code, verification_uri
+ *   2. Open verification_uri in browser
+ *   3. Poll POST /api/v1/oauth2/token with device_code until approved
+ *   4. Return { access, refresh, expires, resourceUrl }
+ */
+import { createHash, randomBytes, randomUUID } from 'node:crypto';
+import { proxyAwareFetch } from './proxy-fetch';
+
+// ── Constants ────────────────────────────────────────────────
+
+const QWEN_OAUTH_BASE_URL = 'https://chat.qwen.ai';
+const QWEN_OAUTH_DEVICE_CODE_ENDPOINT = `${QWEN_OAUTH_BASE_URL}/api/v1/oauth2/device/code`;
+const QWEN_OAUTH_TOKEN_ENDPOINT = `${QWEN_OAUTH_BASE_URL}/api/v1/oauth2/token`;
+const QWEN_OAUTH_CLIENT_ID = 'f0304373b74a44d2b584a3fb70ca9e56';
+const QWEN_OAUTH_SCOPE = 'openid profile email model.completion';
+const QWEN_OAUTH_GRANT_TYPE = 'urn:ietf:params:oauth:grant-type:device_code';
+
+// ── Types ────────────────────────────────────────────────────
+
+export interface QwenOAuthToken {
+    access: string;
+    refresh: string;
+    expires: number;
+    resourceUrl?: string;
+}
+
+interface QwenDeviceAuthorization {
+    device_code: string;
+    user_code: string;
+    verification_uri: string;
+    verification_uri_complete?: string;
+    expires_in: number;
+    interval?: number;
+}
+
+type DeviceTokenResult =
+    | { status: 'success'; token: QwenOAuthToken }
+    | { status: 'pending'; slowDown?: boolean }
+    | { status: 'error'; message: string };
+
+export interface QwenOAuthOptions {
+    openUrl: (url: string) => Promise<void>;
+    note: (message: string, title?: string) => Promise<void>;
+    progress: { update: (message: string) => void; stop: (message?: string) => void };
+}
+
+// ── PKCE helpers (self-contained, no openclaw dependency) ────
+
+function generatePkce(): { verifier: string; challenge: string } {
+    const verifier = randomBytes(32).toString('base64url');
+    const challenge = createHash('sha256').update(verifier).digest('base64url');
+    return { verifier, challenge };
+}
+
+function toFormUrlEncoded(params: Record<string, string>): string {
+    return new URLSearchParams(params).toString();
+}
+
+// ── OAuth flow steps ─────────────────────────────────────────
+
+async function requestDeviceCode(params: { challenge: string }): Promise<QwenDeviceAuthorization> {
+    const response = await proxyAwareFetch(QWEN_OAUTH_DEVICE_CODE_ENDPOINT, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/x-www-form-urlencoded',
+            Accept: 'application/json',
+            'x-request-id': randomUUID(),
+        },
+        body: toFormUrlEncoded({
+            client_id: QWEN_OAUTH_CLIENT_ID,
+            scope: QWEN_OAUTH_SCOPE,
+            code_challenge: params.challenge,
+            code_challenge_method: 'S256',
+        }),
+    });
+
+    if (!response.ok) {
+        const text = await response.text();
+        throw new Error(`Qwen device authorization failed: ${text || response.statusText}`);
+    }
+
+    const payload = (await response.json()) as QwenDeviceAuthorization & { error?: string };
+    if (!payload.device_code || !payload.user_code || !payload.verification_uri) {
+        throw new Error(
+            payload.error ??
+                'Qwen device authorization returned an incomplete payload (missing user_code or verification_uri).',
+        );
+    }
+    return payload;
+}
+
+async function pollDeviceToken(params: {
+    deviceCode: string;
+    verifier: string;
+}): Promise<DeviceTokenResult> {
+    const response = await proxyAwareFetch(QWEN_OAUTH_TOKEN_ENDPOINT, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/x-www-form-urlencoded',
+            Accept: 'application/json',
+        },
+        body: toFormUrlEncoded({
+            grant_type: QWEN_OAUTH_GRANT_TYPE,
+            client_id: QWEN_OAUTH_CLIENT_ID,
+            device_code: params.deviceCode,
+            code_verifier: params.verifier,
+        }),
+    });
+
+    if (!response.ok) {
+        let payload: { error?: string; error_description?: string } | undefined;
+        try {
+            payload = (await response.json()) as { error?: string; error_description?: string };
+        } catch {
+            const text = await response.text();
+            return { status: 'error', message: text || response.statusText };
+        }
+
+        if (payload?.error === 'authorization_pending') {
+            return { status: 'pending' };
+        }
+
+        if (payload?.error === 'slow_down') {
+            return { status: 'pending', slowDown: true };
+        }
+
+        return {
+            status: 'error',
+            message: payload?.error_description || payload?.error || response.statusText,
+        };
+    }
+
+    const tokenPayload = (await response.json()) as {
+        access_token?: string | null;
+        refresh_token?: string | null;
+        expires_in?: number | null;
+        token_type?: string;
+        resource_url?: string;
+    };
+
+    if (!tokenPayload.access_token || !tokenPayload.refresh_token || !tokenPayload.expires_in) {
+        return { status: 'error', message: 'Qwen OAuth returned incomplete token payload.' };
+    }
+
+    return {
+        status: 'success',
+        token: {
+            access: tokenPayload.access_token,
+            refresh: tokenPayload.refresh_token,
+            expires: Date.now() + tokenPayload.expires_in * 1000,
+            resourceUrl: tokenPayload.resource_url,
+        },
+    };
+}
+
+// ── Public API ───────────────────────────────────────────────
+
+export async function loginQwenPortalOAuth(params: QwenOAuthOptions): Promise<QwenOAuthToken> {
+    const { verifier, challenge } = generatePkce();
+    const device = await requestDeviceCode({ challenge });
+    const verificationUrl = device.verification_uri_complete || device.verification_uri;
+
+    await params.note(
+        [
+            `Open ${verificationUrl} to approve access.`,
+            `If prompted, enter the code ${device.user_code}.`,
+        ].join('\n'),
+        'Qwen OAuth',
+    );
+
+    try {
+        await params.openUrl(verificationUrl);
+    } catch {
+        // Fall back to manual copy/paste if browser open fails.
+    }
+
+    const start = Date.now();
+    let pollIntervalMs = device.interval ? device.interval * 1000 : 2000;
+    const timeoutMs = device.expires_in * 1000;
+
+    while (Date.now() - start < timeoutMs) {
+        params.progress.update('Waiting for Qwen OAuth approval…');
+        const result = await pollDeviceToken({
+            deviceCode: device.device_code,
+            verifier,
+        });
+
+        if (result.status === 'success') {
+            return result.token;
+        }
+
+        if (result.status === 'error') {
+            throw new Error(`Qwen OAuth failed: ${result.message}`);
+        }
+
+        if (result.status === 'pending' && result.slowDown) {
+            pollIntervalMs = Math.min(pollIntervalMs * 1.5, 10000);
+        }
+
+        await new Promise((resolve) => setTimeout(resolve, pollIntervalMs));
+    }
+
+    throw new Error('Qwen OAuth timed out waiting for authorization.');
+}