Module openrouter_oauth

Expand description

OpenRouter OAuth PKCE authentication flow.

This module implements the OAuth PKCE flow for OpenRouter, allowing users to authenticate with their OpenRouter account securely.

§Security Model

Tokens are stored using OS-specific secure storage (keyring) by default, with fallback to AES-256-GCM encrypted files if the keyring is unavailable.

§Keyring Storage (Default)

Uses the platform-native credential store:

macOS: Keychain (accessible only to the user)
Windows: Credential Manager (encrypted with user’s credentials)
Linux: Secret Service API / libsecret (requires a keyring daemon)

§File Storage (Fallback)

When keyring is unavailable, tokens are stored in: ~/.vtcode/auth/openrouter.json

The file is encrypted with AES-256-GCM using a machine-derived key:

Machine hostname
User ID (where available)
A static salt

§Migration

When loading tokens, the system checks the keyring first, then falls back to file storage for backward compatibility. This allows seamless migration from file-based to keyring-based storage.

Re-exports§

pub use super::credentials::AuthCredentialsStoreMode;

Structs§

OpenRouterOAuthConfig: Configuration for OpenRouter OAuth authentication.
OpenRouterToken: Stored OAuth token with metadata.

Enums§

AuthStatus: OAuth authentication status.

Constants§

DEFAULT_CALLBACK_PORT: Default callback port for localhost OAuth server

Functions§

clear_oauth_token: Clear the stored OAuth token from all storage locations.
exchange_code_for_token: Exchange an authorization code for an API key.
get_auth_status: Get the current OAuth authentication status.
get_auth_url: Generate the OAuth authorization URL.
load_oauth_token: Load an OAuth token from storage using the default mode.
load_oauth_token_with_mode: Load an OAuth token from storage with specified mode.
save_oauth_token: Save an OAuth token to encrypted storage using the default mode.
save_oauth_token_with_mode: Save an OAuth token to encrypted storage with specified mode.