refactor: use Effect config for HttpApi authorization (anomalyco#25035)

Author: kitlangton

packages/opencode/src/effect/config-service.ts

@@ -0,0 +1,67 @@
+import { Config, Context, Effect, Layer } from "effect"
+
+type ConfigMap = Record<string, Config.Config<unknown>>
+
+/**
+ * The service shape inferred from an object of Effect `Config` definitions.
+ */
+export type Shape<Fields extends ConfigMap> = {
+  readonly [Key in keyof Fields]: Config.Success<Fields[Key]>
+}
+
+/**
+ * A Context service class with generated layers for config-backed services.
+ */
+export type ServiceClass<Self, Id extends string, Service> = Context.ServiceClass<Self, Id, Service> & {
+  /** Provide already-parsed config, useful in tests. */
+  readonly layer: (input: Service) => Layer.Layer<Self>
+  /** Parse config once from the active Effect ConfigProvider and provide the service. */
+  readonly defaultLayer: Layer.Layer<Self, Config.ConfigError>
+}
+
+/**
+ * Create a Context service whose implementation is derived from Effect `Config`.
+ *
+ * This keeps Effect `Config` as the source of truth for env names, defaults, and
+ * validation while generating a typed service plus convenient production/test
+ * layers.
+ *
+ * ```ts
+ * class ServerAuthConfig extends ConfigService.Service<ServerAuthConfig>()(
+ *   "@opencode/ServerAuthConfig",
+ *   {
+ *     password: Config.string("OPENCODE_SERVER_PASSWORD").pipe(Config.option),
+ *     username: Config.string("OPENCODE_SERVER_USERNAME").pipe(Config.withDefault("opencode")),
+ *   },
+ * ) {}
+ *
+ * const live = ServerAuthConfig.defaultLayer
+ * const test = ServerAuthConfig.layer({ password: Option.some("secret"), username: "kit" })
+ * ```
+ */
+export const Service =
+  <Self>() =>
+  <const Id extends string, const Fields extends ConfigMap>(id: Id, fields: Fields) => {
+    class ConfigTag extends Context.Service<Self, Shape<Fields>>()(id) {
+      static layer(input: Shape<Fields>) {
+        return Layer.succeed(this, this.of(input))
+      }
+
+      static get defaultLayer() {
+        return Layer.effect(
+          this,
+          Config.all(fields)
+            .asEffect()
+            .pipe(
+              // oxlint-disable-next-line typescript-eslint/no-unsafe-type-assertion -- Config.all preserves the field shape, but its conditional return type also supports iterable inputs.
+              Effect.map((config) => this.of(config as Shape<Fields>)),
+            ),
+        )
+      }
+    }
+
+    // oxlint-disable-next-line typescript-eslint/no-unsafe-type-assertion -- The generated class carries typed static helpers.
+    return ConfigTag as ServiceClass<Self, Id, Shape<Fields>>
+  }
+
+export * as ConfigService from "./config-service"

packages/opencode/src/server/routes/instance/httpapi/middleware/authorization.ts

@@ -1,47 +1,50 @@
-import { Effect, Encoding, Layer, Redacted, Schema } from "effect"
-import { HttpApiMiddleware, HttpApiSecurity } from "effect/unstable/httpapi"
-import { Flag } from "@opencode-ai/core/flag/flag"
-
-class Unauthorized extends Schema.TaggedErrorClass<Unauthorized>()(
-  "Unauthorized",
-  { message: Schema.String },
-  { httpApiStatus: 401 },
-) {}
+import { ConfigService } from "@/effect/config-service"
+import { Config, Context, Effect, Encoding, Layer, Option, Redacted } from "effect"
+import { HttpApiError, HttpApiMiddleware, HttpApiSecurity } from "effect/unstable/httpapi"
 
 export class Authorization extends HttpApiMiddleware.Service<Authorization>()(
   "@opencode/ExperimentalHttpApiAuthorization",
   {
-    error: Unauthorized,
+    error: HttpApiError.UnauthorizedNoContent,
     security: {
       basic: HttpApiSecurity.basic,
       authToken: HttpApiSecurity.apiKey({ in: "query", key: "auth_token" }),
     },
   },
 ) {}
 
-const emptyCredential = {
-  username: "",
-  password: Redacted.make(""),
-}
+export class ServerAuthConfig extends ConfigService.Service<ServerAuthConfig>()(
+  "@opencode/ExperimentalHttpApiServerAuthConfig",
+  {
+    password: Config.string("OPENCODE_SERVER_PASSWORD").pipe(Config.option),
+    username: Config.string("OPENCODE_SERVER_USERNAME").pipe(Config.withDefault("opencode")),
+  },
+) {}
 
 function validateCredential<A, E, R>(
   effect: Effect.Effect<A, E, R>,
-  credential: { readonly username: string; readonly password: typeof emptyCredential.password },
+  credential: { readonly username: string; readonly password: Redacted.Redacted },
+  config: Context.Service.Shape<typeof ServerAuthConfig>,
 ) {
   return Effect.gen(function* () {
-    if (!Flag.OPENCODE_SERVER_PASSWORD) return yield* effect
+    if (Option.isNone(config.password) || config.password.value === "") return yield* effect
 
-    if (credential.username !== (Flag.OPENCODE_SERVER_USERNAME ?? "opencode")) {
-      return yield* new Unauthorized({ message: "Unauthorized" })
+    if (credential.username !== config.username) {
+      return yield* new HttpApiError.Unauthorized({})
     }
-    if (Redacted.value(credential.password) !== Flag.OPENCODE_SERVER_PASSWORD) {
-      return yield* new Unauthorized({ message: "Unauthorized" })
+    if (Redacted.value(credential.password) !== config.password.value) {
+      return yield* new HttpApiError.Unauthorized({})
     }
     return yield* effect
   })
 }
 
 function decodeCredential(input: string) {
+  const emptyCredential = {
+    username: "",
+    password: Redacted.make(""),
+  }
+
   return Encoding.decodeBase64String(input)
     .asEffect()
     .pipe(
@@ -59,13 +62,16 @@ function decodeCredential(input: string) {
     )
 }
 
-export const authorizationLayer = Layer.succeed(
+export const authorizationLayer = Layer.effect(
   Authorization,
-  Authorization.of({
-    basic: (effect, { credential }) => validateCredential(effect, credential),
-    authToken: (effect, { credential }) =>
-      Effect.gen(function* () {
-        return yield* validateCredential(effect, yield* decodeCredential(Redacted.value(credential)))
-      }),
+  Effect.gen(function* () {
+    const config = yield* ServerAuthConfig
+    return Authorization.of({
+      basic: (effect, { credential }) => validateCredential(effect, credential, config),
+      authToken: (effect, { credential }) =>
+        decodeCredential(Redacted.value(credential)).pipe(
+          Effect.flatMap((decoded) => validateCredential(effect, decoded, config)),
+        ),
+    })
   }),
 )

packages/opencode/src/server/routes/instance/httpapi/server.ts

@@ -32,7 +32,7 @@ import { lazy } from "@/util/lazy"
 import { Vcs } from "@/project/vcs"
 import { Worktree } from "@/worktree"
 import { InstanceHttpApi, RootHttpApi } from "./api"
-import { authorizationLayer } from "./middleware/authorization"
+import { ServerAuthConfig, authorizationLayer } from "./middleware/authorization"
 import { eventRoute } from "./event"
 import { configHandlers } from "./handlers/config"
 import { controlHandlers } from "./handlers/control"
@@ -56,7 +56,7 @@ import { disposeMiddleware } from "./lifecycle"
 import { memoMap } from "@opencode-ai/core/effect/memo-map"
 import * as ServerBackend from "@/server/backend"
 
-export const context = Context.empty() as Context.Context<unknown>
+export const context = Context.makeUnsafe<unknown>(new Map())
 
 const runtime = HttpRouter.middleware()(
   Effect.succeed((effect) =>
@@ -97,7 +97,7 @@ const rawInstanceRoutes = Layer.mergeAll(eventRoute, ptyConnectRoute).pipe(
 )
 const instanceRoutes = Layer.mergeAll(rawInstanceRoutes, instanceApiRoutes).pipe(
   Layer.provide([
-    authorizationLayer,
+    authorizationLayer.pipe(Layer.provide(ServerAuthConfig.defaultLayer)),
     workspaceRoutingLayer.pipe(Layer.provide(Socket.layerWebSocketConstructorGlobal)),
     instanceContextLayer,
   ]),

packages/opencode/test/server/httpapi-authorization.test.ts

@@ -1,10 +1,13 @@
 import { NodeHttpServer } from "@effect/platform-node"
-import { Flag } from "@opencode-ai/core/flag/flag"
 import { describe, expect } from "bun:test"
-import { Effect, Layer, Schema } from "effect"
+import { Effect, Layer, Option, Schema } from "effect"
 import { HttpClient, HttpClientRequest, HttpRouter } from "effect/unstable/http"
 import { HttpApi, HttpApiBuilder, HttpApiEndpoint, HttpApiGroup } from "effect/unstable/httpapi"
-import { Authorization, authorizationLayer } from "../../src/server/routes/instance/httpapi/middleware/authorization"
+import {
+  Authorization,
+  ServerAuthConfig,
+  authorizationLayer,
+} from "../../src/server/routes/instance/httpapi/middleware/authorization"
 import { testEffect } from "../lib/effect"
 
 const Api = HttpApi.make("test-authorization").add(
@@ -24,48 +27,19 @@ const apiLayer = HttpRouter.serve(
   { disableListenLog: true, disableLogger: true },
 ).pipe(Layer.provideMerge(NodeHttpServer.layerTest))
 
-const testStateLayer = Layer.effectDiscard(
-  Effect.gen(function* () {
-    const original = {
-      OPENCODE_SERVER_PASSWORD: Flag.OPENCODE_SERVER_PASSWORD,
-      OPENCODE_SERVER_USERNAME: Flag.OPENCODE_SERVER_USERNAME,
-    }
-    Flag.OPENCODE_SERVER_PASSWORD = undefined
-    Flag.OPENCODE_SERVER_USERNAME = undefined
-    yield* Effect.addFinalizer(() =>
-      Effect.sync(() => {
-        Flag.OPENCODE_SERVER_PASSWORD = original.OPENCODE_SERVER_PASSWORD
-        Flag.OPENCODE_SERVER_USERNAME = original.OPENCODE_SERVER_USERNAME
-      }),
-    )
-  }),
-)
+const noAuthLayer = ServerAuthConfig.layer({ password: Option.none(), username: "opencode" })
+const secretLayer = ServerAuthConfig.layer({ password: Option.some("secret"), username: "opencode" })
+const kitSecretLayer = ServerAuthConfig.layer({ password: Option.some("secret"), username: "kit" })
 
-const it = testEffect(apiLayer.pipe(Layer.provideMerge(testStateLayer)))
+const it = testEffect(apiLayer.pipe(Layer.provide(noAuthLayer)))
+const itSecret = testEffect(apiLayer.pipe(Layer.provide(secretLayer)))
+const itKitSecret = testEffect(apiLayer.pipe(Layer.provide(kitSecretLayer)))
 
 const basic = (username: string, password: string) =>
   `Basic ${Buffer.from(`${username}:${password}`).toString("base64")}`
 
 const token = (username: string, password: string) => Buffer.from(`${username}:${password}`).toString("base64")
 
-const useAuth = (input: { password: string; username?: string }) =>
-  Effect.acquireRelease(
-    Effect.sync(() => {
-      const original = {
-        OPENCODE_SERVER_PASSWORD: Flag.OPENCODE_SERVER_PASSWORD,
-        OPENCODE_SERVER_USERNAME: Flag.OPENCODE_SERVER_USERNAME,
-      }
-      Flag.OPENCODE_SERVER_PASSWORD = input.password
-      Flag.OPENCODE_SERVER_USERNAME = input.username
-      return original
-    }),
-    (original) =>
-      Effect.sync(() => {
-        Flag.OPENCODE_SERVER_PASSWORD = original.OPENCODE_SERVER_PASSWORD
-        Flag.OPENCODE_SERVER_USERNAME = original.OPENCODE_SERVER_USERNAME
-      }),
-  )
-
 const getProbe = (headers?: Record<string, string>) =>
   HttpClientRequest.get("/probe").pipe(
     headers ? HttpClientRequest.setHeaders(headers) : (request) => request,
@@ -82,10 +56,8 @@ describe("HttpApi authorization middleware", () => {
     }),
   )
 
-  it.live("requires configured password for basic auth", () =>
+  itSecret.live("requires configured password for basic auth", () =>
     Effect.gen(function* () {
-      yield* useAuth({ password: "secret" })
-
       const [missing, badPassword, good] = yield* Effect.all(
         [
           getProbe(),
@@ -101,10 +73,8 @@ describe("HttpApi authorization middleware", () => {
     }),
   )
 
-  it.live("respects configured basic auth username", () =>
+  itKitSecret.live("respects configured basic auth username", () =>
     Effect.gen(function* () {
-      yield* useAuth({ username: "kit", password: "secret" })
-
       const [defaultUser, configuredUser] = yield* Effect.all(
         [getProbe({ authorization: basic("opencode", "secret") }), getProbe({ authorization: basic("kit", "secret") })],
         { concurrency: "unbounded" },
@@ -115,20 +85,16 @@ describe("HttpApi authorization middleware", () => {
     }),
   )
 
-  it.live("accepts auth token query credentials", () =>
+  itSecret.live("accepts auth token query credentials", () =>
     Effect.gen(function* () {
-      yield* useAuth({ password: "secret" })
-
       const response = yield* HttpClient.get(`/probe?auth_token=${encodeURIComponent(token("opencode", "secret"))}`)
 
       expect(response.status).toBe(200)
     }),
   )
 
-  it.live("rejects malformed auth token query credentials", () =>
+  itSecret.live("rejects malformed auth token query credentials", () =>
     Effect.gen(function* () {
-      yield* useAuth({ password: "secret" })
-
       const response = yield* HttpClient.get("/probe?auth_token=not-base64")
 
       expect(response.status).toBe(401)