Skip to content

fix(auth): prioritize login API keys over env fallbacks#4694

Open
roboomp wants to merge 1 commit into
mainfrom
farm/e4427042/opencode-go-login-env-precedence
Open

fix(auth): prioritize login API keys over env fallbacks#4694
roboomp wants to merge 1 commit into
mainfrom
farm/e4427042/opencode-go-login-env-precedence

Conversation

@roboomp

@roboomp roboomp commented Jul 6, 2026

Copy link
Copy Markdown
Collaborator

Repro

A focused regression test sets the OpenCode Go env fallback to old-opencode-key, runs AuthStorage.login("opencode-go", ...) with new-opencode-key, then calls getApiKey("opencode-go", "session-opencode-go-login"); before the fix, bun test packages/ai/test/auth-storage-api-key-login.test.ts -t "fresh OpenCode Go" failed because the env key was returned.

Cause

packages/ai/src/auth-storage.ts persisted API-key login results as ordinary api_key credentials, and AuthStorage.getApiKey resolved env fallbacks before stored api_key rows. That preserved env precedence for stale broker/static keys, but also made a deliberate OpenCode Go /login account switch indistinguishable from an old stored key.

Fix

  • Mark API keys persisted by AuthStorage.login with login provenance in packages/ai/src/auth-storage.ts.
  • Resolve login-persisted API keys before env fallbacks while leaving ordinary stored API keys below env vars.
  • Keep getCredentialOrigin and describeCredentialSource aligned with the updated credential cascade.
  • Add an OpenCode Go regression test in packages/ai/test/auth-storage-api-key-login.test.ts.
  • Add the packages/ai changelog entry.

Verification

bun test packages/ai/test/auth-storage-api-key-login.test.ts packages/ai/test/auth-storage-credential-origin.test.ts passed with 13 tests and 38 assertions. bun check passed. bun run fix passed before commit and during publish. Fixes #4688

- Marked API keys persisted by login so deliberate account switches outrank stale env fallbacks.

- Kept ordinary stored API keys below explicit env vars and covered OpenCode Go regression.

Fixes #4688
@chatgpt-codex-connector

Copy link
Copy Markdown

Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.
Repo admins can enable using credits for code reviews in their settings.

@roboomp

roboomp commented Jul 6, 2026

Copy link
Copy Markdown
Collaborator Author

No code change requested here. The Codex review did not run because code-review usage credits are exhausted; repo admin action is needed in the linked Codex settings to re-enable those reviews.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

vouched Passed the vouch gate

Projects

None yet

Development

Successfully merging this pull request may close these issues.

OpenCode Go /login is shadowed by an existing OPENCODE_API_KEY env fallback

1 participant