anomalyco
fix: Plugin client returns 401 Unauthorized when OPENCODE_SERVER_PASSWORD is set (Desktop)
Bug Description
When running OpenCode via Desktop app, plugins that use client.session.create(), client.session.prompt(), or other HTTP API calls receive 401 Unauthorized errors.
Root Cause
OpenCode Desktop (Tauri) automatically generates a UUID password and sets OPENCODE_SERVER_PASSWORD environment variable when spawning the local server:
packages/desktop/src-tauri/src/lib.rs:416
let password = uuid::Uuid::new_v4().to_string();
packages/desktop/src-tauri/src/lib.rs:159
.env("OPENCODE_SERVER_PASSWORD", password)
This enables the basicAuth middleware in server.ts:
packages/opencode/src/server/server.ts:100-104
const password = Flag.OPENCODE_SERVER_PASSWORD
if (!password) return next()
return basicAuth({ username, password })(c, next)
However, the client created for plugins in plugin/index.ts does not include the corresponding Basic Auth credentials, causing all plugin HTTP requests to fail with 401.
Steps to Reproduce
- Install OpenCode Desktop (exe version)
- Install a plugin that uses
client.session.create()(e.g., @menkan/opencode with sisyphus_task) - Run the plugin tool
- Observe 401 Unauthorized error
Proposed Fix
Add Basic Auth headers to the plugin client when OPENCODE_SERVER_PASSWORD is configured:
packages/opencode/src/plugin/index.ts
const authHeaders: Record<string, string> = {}
if (Flag.OPENCODE_SERVER_PASSWORD) {
const username = Flag.OPENCODE_SERVER_USERNAME ?? "opencode"
const credentials = Buffer.from(`${username}:${Flag.OPENCODE_SERVER_PASSWORD}`).toString("base64")
authHeaders["Authorization"] = `Basic ${credentials}`
}
const client = createOpencodeClient({
baseUrl: "http://localhost:4096",
fetch: async (...args) => Server.App().fetch(...args),
headers: Object.keys(authHeaders).length > 0 ? authHeaders : undefined,
})
Workaround
Use CLI version (opencode command) instead of Desktop, as CLI does not set OPENCODE_SERVER_PASSWORD.
Environment
- OpenCode Desktop on Windows
- Plugin SDK version: 1.1.21
