Summary
The plugin currently writes and clears OpenCode host auth from the refresh path even though opencode-supabase itself does not read host auth back anywhere.
That makes setHostAuth() / clearHostAuth() an unused side-effect for this plugin, and the clear path is especially misleading because it passes directory even though the OpenCode host route removes auth by provider ID only.
If plugin-local auth is the source of truth, this should either be removed or made explicitly optional/documented.
Evidence In This Repo
src/server/tools.ts
145-159: setHostAuth(...) calls input.client.auth.set({ path: { id: "supabase" }, query: { directory: input.directory }, body: ... })
161-169: clearHostAuth(...) calls DELETE /auth/supabase?directory=...
203-205: refresh success tries to setHostAuth(...)
208-213: refresh failure tries to clearHostAuth(...)
Repo-wide verification:
- No client.auth.get(...) usage found in opencode-supabase
- No plugin code reads host auth back after writing/clearing it
- Plugin exports only auth and tool hooks, not a provider hook or loader that consumes host auth
  - src/server/index.ts:12-15
  - package.json:12-24
Relevant OpenCode Host Behavior
Verified against current OpenCode code:
~/Code/github/opencode/packages/opencode/src/server/routes/control/index.ts:14-49
PUT /auth/:providerID stores host auth by provider ID
~/Code/github/opencode/packages/opencode/src/server/routes/control/index.ts:51-83
DELETE /auth/:providerID removes host auth by provider ID
- the directory query exists on the route, but the auth set/remove operations themselves are still provider-ID based
So the plugin's manual clear call is not meaningfully scoped by directory.
Why This Is Worth Tracking
Even if the plugin never consumes host auth, these calls still mutate host state when executed.
That means the current code has all of the downside of host sync without a demonstrated benefit inside this plugin.
Reproduction
- Connect Supabase and let the tool refresh path run.
- Observe that the plugin attempts to mirror auth into host auth.
- Trigger a 400/401 refresh failure.
- Observe that the plugin attempts to delete host auth for provider supabase.
Expected
If plugin-local auth is authoritative, refresh should only update/clear the local auth store unless host sync is explicitly required.
Actual
Refresh mutates host auth as a side effect.
Suggested Fix
Pick one explicit direction:
Option A: Remove manual host sync from this plugin
- delete setHostAuth() / clearHostAuth() from src/server/tools.ts
- keep plugin-local auth as the only state this plugin manages directly
Option B: Keep host sync, but make it intentional
- document why it exists
- define the expected consumer path
- ensure clear semantics are correctly scoped and not implied to be directory-local if they are not
Acceptance Criteria
- opencode-supabase no longer performs undocumented/unused host-auth side effects, or
- host-auth sync is documented as intentional with a verified consumer and correct scoping semantics.
Note
This issue is separate from OpenCode core's own automatic host-auth persistence on successful OAuth callback. This issue is only about the plugin's manual refresh-path sync in src/server/tools.ts.
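A sketch of Option B with host sync made opt-in, added here as an illustration and not code from opencode-supabase or OpenCode. HostAuthModel, RefreshContext, applyRefresh and the hostSync flag are hypothetical names; the model keys host auth by provider ID only, as described above, and assumes that only a 400/401 refresh failure clears stored auth.

```typescript
// Added example. All names are hypothetical; this models the behaviour the issue
// describes and is not code from opencode-supabase or OpenCode.
type Tokens = { access: string; refresh: string };
type RefreshResult =
  | { kind: "ok"; tokens: Tokens }
  | { kind: "error"; status: number };

// Model of the host store: the directory argument is accepted, but the entry is
// keyed by provider ID only, as the issue reports for PUT/DELETE /auth/:providerID.
class HostAuthModel {
  readonly entries = new Map<string, Tokens>();
  put(providerID: string, _directory: string, tokens: Tokens): void {
    this.entries.set(providerID, tokens);
  }
  remove(providerID: string, _directory: string): void {
    this.entries.delete(providerID);
  }
}

interface RefreshContext {
  providerID: string;
  directory: string;
  local: Map<string, Tokens>; // plugin-local auth, the source of truth
  host: HostAuthModel;
  hostSync?: boolean; // Option B: opt-in, off unless set explicitly
}

// Apply a refresh result and return the list of stores that were mutated, so the
// side effects are visible to callers and tests. Assumption: only 400/401 clears auth.
function applyRefresh(ctx: RefreshContext, result: RefreshResult): string[] {
  const touched: string[] = [];
  if (result.kind === "ok") {
    ctx.local.set(ctx.providerID, result.tokens);
    touched.push("local:set");
    if (ctx.hostSync) {
      ctx.host.put(ctx.providerID, ctx.directory, result.tokens);
      touched.push("host:set");
    }
  } else if (result.status === 400 || result.status === 401) {
    ctx.local.delete(ctx.providerID);
    touched.push("local:clear");
    if (ctx.hostSync) {
      ctx.host.remove(ctx.providerID, ctx.directory);
      touched.push("host:clear (provider-wide)");
    }
  }
  return touched;
}
```

With hostSync left unset, a 401 from one directory leaves the host entry intact; with it set, the same failure removes the provider's entry regardless of which directory wrote it.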