feat: add OpenCode server authentication settings and config

Author: chriswritescode-dev

.env.example

@@ -17,11 +17,16 @@ LOG_LEVEL=info
 OPENCODE_SERVER_PORT=5551
 OPENCODE_HOST=127.0.0.1
 
-# Optional - bearer password required to talk to the spawned OpenCode server.
-# When set, the backend spawns OpenCode with this password and attaches it to
-# every proxied request. Leave unset to disable OpenCode-level auth.
+# Optional - bearer password required when OPENCODE_HOST=0.0.0.0 (external exposure).
+# The managed OpenCode server will refuse to start if OPENCODE_HOST is not
+# localhost/127.0.0.1 and no password is configured (either here or via
+# Settings → OpenCode → Server Auth).
+# DB-stored passwords (set via UI) override this env var.
 # OPENCODE_SERVER_PASSWORD=
 
+# Optional - Basic Auth username (default: opencode)
+# OPENCODE_SERVER_USERNAME=opencode
+
 # Optional - import an existing standalone OpenCode install on first startup
 # Useful for Docker when your host OpenCode data is bind-mounted into the container
 # OPENCODE_IMPORT_CONFIG_PATH=/import/opencode-config/opencode.json

backend/src/index.ts

@@ -86,7 +86,7 @@ app.use('/*', cors({
 const db = initializeDatabase(DB_PATH)
 const auth = createAuth(db)
 const requireAuth = createAuthMiddleware(auth)
-const openCodeClient = createOpenCodeClient()
+const openCodeClient = createOpenCodeClient(() => new SettingsService(db).getOpenCodeServerPassword())
 
 import { DEFAULT_AGENTS_MD } from './constants'
 
@@ -264,16 +264,16 @@ try {
   await gitAuthService.initialize(ipcServer, db)
   logger.info(`Git IPC server running at ${ipcServer.ipcHandlePath}`)
 
+  await syncAdminFromEnv(auth, db)
+
   opencodeServerManager.setDatabase(db)
-  opencodeServerManager.setOpenCodeClient(openCodeClient)
   const openCodeStatus = await openCodeSupervisor.start()
   if (openCodeStatus.healthy) {
     logger.info(`OpenCode server running on port ${openCodeStatus.port}`)
   } else {
     logger.warn(`OpenCode server unavailable after startup recovery: ${openCodeStatus.lastError ?? openCodeStatus.state}`)
   }
 
-  await syncAdminFromEnv(auth, db)
 } catch (error) {
   logger.error('Failed to initialize workspace:', error)
 }

backend/src/routes/settings.ts

@@ -29,6 +29,7 @@ import { encryptSecret } from '../utils/crypto'
 import { compareVersions, isValidVersion } from '../utils/version-utils'
 import { getImportedSessionDirectories, getOpenCodeImportStatus, OpenCodeImportProtectionError, syncOpenCodeImport } from '../services/opencode-import'
 import { relinkReposFromSessionDirectories } from '../services/repo'
+import { ENV } from '@opencode-manager/shared/config/env'
 import {
   listManagedSkills,
   getSkill,
@@ -1509,5 +1510,58 @@ export function createSettingsRoutes(db: Database, gitAuthService: GitAuthServic
     }
   })
 
+  const OpenCodeServerAuthBodySchema = z.object({
+    password: z.union([z.string().min(8), z.null()]),
+  })
+
+  app.get('/opencode-server-auth', async (c) => {
+    try {
+      const hasStored = settingsService.hasStoredOpenCodeServerPassword()
+      const source = hasStored ? 'db' : ENV.OPENCODE.SERVER_PASSWORD ? 'env' : 'none'
+      const isSet = source !== 'none'
+      return c.json({ isSet, source })
+    } catch (error) {
+      logger.error('Failed to get OpenCode server auth status:', error)
+      return c.json({ error: 'Failed to get OpenCode server auth status' }, 500)
+    }
+  })
+
+  app.patch('/opencode-server-auth', async (c) => {
+    try {
+      const body = await c.req.json()
+      const validated = OpenCodeServerAuthBodySchema.parse(body)
+      const previousPasswordState = settingsService.getStoredOpenCodeServerPasswordState()
+
+      if (validated.password === null) {
+        settingsService.clearOpenCodeServerPassword()
+      } else if (validated.password) {
+        settingsService.setOpenCodeServerPassword(validated.password)
+      }
+
+      try {
+        await opencodeServerManager.restart()
+      } catch (restartError) {
+        try {
+          settingsService.restoreOpenCodeServerPasswordState(previousPasswordState)
+          await opencodeServerManager.restart()
+        } catch (restoreError) {
+          logger.error('Failed to restore OpenCode server auth runtime after restart failure:', restoreError)
+        }
+        throw restartError
+      }
+
+      const hasStored = settingsService.hasStoredOpenCodeServerPassword()
+      const source = hasStored ? 'db' : ENV.OPENCODE.SERVER_PASSWORD ? 'env' : 'none'
+      const isSet = source !== 'none'
+      return c.json({ isSet, source })
+    } catch (error) {
+      logger.error('Failed to update OpenCode server auth:', error)
+      if (error instanceof z.ZodError) {
+        return c.json({ error: 'Invalid request data', details: error.issues }, 400)
+      }
+      return c.json({ error: 'Failed to update OpenCode server auth' }, 500)
+    }
+  })
+
   return app
 }

backend/src/services/opencode-single-server.ts

@@ -24,11 +24,8 @@ import { patchConfigWithRecovery } from './opencode/config-recovery'
 import type { OpenCodeClient } from './opencode/client'
 import { writeFileContent } from './file-operations'
 
-const OPENCODE_SERVER_PORT = ENV.OPENCODE.PORT
 const OPENCODE_SERVER_HOST = ENV.OPENCODE.HOST
-const OPENCODE_SERVER_PUBLIC_URL = ENV.OPENCODE.PUBLIC_URL
-const OPENCODE_SERVER_PASSWORD = ENV.OPENCODE.SERVER_PASSWORD
-const OPENCODE_SERVER_USERNAME = ENV.OPENCODE.SERVER_USERNAME
+export const OPENCODE_SERVER_CONNECT_HOST = OPENCODE_SERVER_HOST === '0.0.0.0' ? '127.0.0.1' : OPENCODE_SERVER_HOST
 const MIN_OPENCODE_VERSION = '1.0.137'
 const MAX_STDERR_SIZE = 10240
 const HEALTH_CHECK_TIMEOUT_MS = 3000
@@ -91,6 +88,10 @@ function formatStartupError(stderrOutput: string, fallback: string): string {
 // This allows proper mocking in tests
 const getOpenCodeServerDirectory = () => getWorkspacePath()
 const getOpenCodeConfigPath = () => getOpenCodeConfigFilePath()
+const getOpenCodeServerPort = () => ENV.OPENCODE.PORT
+const getOpenCodeServerHost = () => ENV.OPENCODE.HOST
+const getOpenCodeServerPublicUrl = () => ENV.OPENCODE.PUBLIC_URL
+const getOpenCodeServerUsername = () => ENV.OPENCODE.SERVER_USERNAME
 
 class OpenCodeServerManager {
   private static instance: OpenCodeServerManager
@@ -113,6 +114,20 @@ class OpenCodeServerManager {
     this.openCodeClient = client
   }
 
+  async rebuildClient(): Promise<void> {
+    const password = this.getResolvedPassword()
+    const { createOpenCodeClient } = await import('./opencode/client')
+    this.openCodeClient = createOpenCodeClient(password)
+  }
+
+  private getResolvedPassword(): string {
+    if (this.db) {
+      const settingsService = new SettingsService(this.db)
+      return settingsService.getOpenCodeServerPassword()
+    }
+    return ENV.OPENCODE.SERVER_PASSWORD
+  }
+
   private requireClient(): OpenCodeClient {
     if (!this.openCodeClient) {
       throw new Error('OpenCodeClient not configured on OpenCodeServerManager. Call setOpenCodeClient() during startup.')
@@ -166,7 +181,18 @@ class OpenCodeServerManager {
         return
       }
 
+    await this.rebuildClient()
+
     const isDevelopment = ENV.SERVER.NODE_ENV !== 'production'
+    const password = this.getResolvedPassword()
+    const openCodeServerHost = getOpenCodeServerHost()
+    const isExposed = openCodeServerHost !== '127.0.0.1' && openCodeServerHost !== 'localhost'
+    if (isExposed && !password) {
+      const msg = `OPENCODE_HOST=${openCodeServerHost} exposes the OpenCode server externally but no password is configured. Set OPENCODE_SERVER_PASSWORD env var or configure a password via Settings → OpenCode → Server Auth.`
+      this.lastStartupError = msg
+      logger.error(msg)
+      throw new Error(msg)
+    }
 
     let gitCredentials: GitCredential[] = []
     let gitIdentityEnv: Record<string, string> = {}
@@ -186,9 +212,10 @@ class OpenCodeServerManager {
       }
     }
 
-    const existingProcesses = await this.findProcessesByPort(OPENCODE_SERVER_PORT)
+    const openCodeServerPort = getOpenCodeServerPort()
+    const existingProcesses = await this.findProcessesByPort(openCodeServerPort)
     if (existingProcesses.length > 0) {
-      logger.info(`OpenCode server already running on port ${OPENCODE_SERVER_PORT}`)
+      logger.info(`OpenCode server already running on port ${openCodeServerPort}`)
       const healthy = await this.checkHealth()
       if (healthy) {
         if (isDevelopment) {
@@ -288,7 +315,7 @@ class OpenCodeServerManager {
 
     this.serverProcess = spawn(
       'opencode',
-      ['serve', '--port', OPENCODE_SERVER_PORT.toString(), '--hostname', OPENCODE_SERVER_HOST],
+      ['serve', '--port', openCodeServerPort.toString(), '--hostname', openCodeServerHost],
       {
         cwd: openCodeServerDirectory,
         detached: !isDevelopment,
@@ -301,11 +328,11 @@ class OpenCodeServerManager {
           XDG_DATA_HOME: path.join(openCodeServerDirectory, '.opencode/state'),
           XDG_STATE_HOME: path.join(openCodeServerDirectory, '.opencode/state'),
           XDG_CONFIG_HOME: path.join(openCodeServerDirectory, '.config'),
-          ...(OPENCODE_SERVER_PUBLIC_URL ? { OPENCODE_PUBLIC_URL: OPENCODE_SERVER_PUBLIC_URL } : {}),
-          ...(OPENCODE_SERVER_PASSWORD
+          ...(getOpenCodeServerPublicUrl() ? { OPENCODE_PUBLIC_URL: getOpenCodeServerPublicUrl() } : {}),
+          ...(password
             ? {
-              OPENCODE_SERVER_PASSWORD,
-              OPENCODE_SERVER_USERNAME,
+              OPENCODE_SERVER_PASSWORD: password,
+              OPENCODE_SERVER_USERNAME: getOpenCodeServerUsername(),
             }
             : {}),
           OPENCODE_CONFIG: openCodeConfigPath,
@@ -531,7 +558,7 @@ class OpenCodeServerManager {
   }
 
   getPort(): number {
-    return OPENCODE_SERVER_PORT
+    return getOpenCodeServerPort()
   }
 
   getVersion(): string | null {

backend/src/services/opencode/auth.ts

@@ -1,7 +1,16 @@
 import { ENV } from '@opencode-manager/shared/config/env'
 
-export function buildOpenCodeBasicAuthHeader(): string | null {
-  const password = ENV.OPENCODE.SERVER_PASSWORD
+export type OpenCodePasswordResolver = () => string | Promise<string>
+
+export function getOpenCodeBasicAuthHeader(): string | null
+export function getOpenCodeBasicAuthHeader(password: string): string | null
+export function getOpenCodeBasicAuthHeader(passwordResolver: OpenCodePasswordResolver): Promise<string | null>
+export function getOpenCodeBasicAuthHeader(source?: string | OpenCodePasswordResolver): string | null | Promise<string | null> {
+  if (typeof source === 'function') {
+    return Promise.resolve(source()).then((password) => getOpenCodeBasicAuthHeader(password))
+  }
+
+  const password = source ?? ENV.OPENCODE.SERVER_PASSWORD
   const username = ENV.OPENCODE.SERVER_USERNAME
   if (!password) return null
   const token = Buffer.from(`${username}:${password}`).toString('base64')

backend/src/services/opencode/client.ts

@@ -1,6 +1,6 @@
 import { logger } from '../../utils/logger'
 import { ENV } from '@opencode-manager/shared/config/env'
-import { buildOpenCodeBasicAuthHeader } from './auth'
+import { getOpenCodeBasicAuthHeader, type OpenCodePasswordResolver } from './auth'
 
 export interface ForwardRequest {
   method: string
@@ -42,6 +42,7 @@ export interface OpenCodeClient {
 export interface FetchOpenCodeClientConfig {
   baseUrl: string
   basicAuth: string | null
+  passwordResolver?: OpenCodePasswordResolver
   fetchFn?: typeof fetch
 }
 
@@ -52,6 +53,14 @@ export class FetchOpenCodeClient implements OpenCodeClient {
     return this.config.fetchFn ?? fetch
   }
 
+  private async getBasicAuth(): Promise<string> {
+    if (!this.config.passwordResolver) {
+      return this.config.basicAuth ?? ''
+    }
+
+    return await getOpenCodeBasicAuthHeader(this.config.passwordResolver) ?? ''
+  }
+
   private async request(req: ForwardRequest): Promise<Response> {
     const url = new URL(this.config.baseUrl + req.path)
 
@@ -60,9 +69,10 @@ export class FetchOpenCodeClient implements OpenCodeClient {
     }
 
     const headers: Record<string, string> = { ...(req.headers ?? {}) }
+    const basicAuth = await this.getBasicAuth()
 
-    if (this.config.basicAuth) {
-      headers.Authorization = this.config.basicAuth
+    if (basicAuth) {
+      headers.Authorization = basicAuth
     }
 
     try {
@@ -238,9 +248,12 @@ export class FetchOpenCodeClient implements OpenCodeClient {
   }
 }
 
-export function createOpenCodeClient(): OpenCodeClient {
-  const baseUrl = `http://${ENV.OPENCODE.HOST}:${ENV.OPENCODE.PORT}`
-  const basicAuth = buildOpenCodeBasicAuthHeader()
+export function createOpenCodeClient(passwordOverride?: string | OpenCodePasswordResolver): OpenCodeClient {
+  const host = ENV.OPENCODE.HOST === '0.0.0.0' ? '127.0.0.1' : ENV.OPENCODE.HOST
+  const baseUrl = `http://${host}:${ENV.OPENCODE.PORT}`
+  const passwordResolver = typeof passwordOverride === 'function' ? passwordOverride : undefined
+  const password = typeof passwordOverride === 'string' ? passwordOverride : ENV.OPENCODE.SERVER_PASSWORD
+  const basicAuth = getOpenCodeBasicAuthHeader(password)
 
-  return new FetchOpenCodeClient({ baseUrl, basicAuth })
+  return new FetchOpenCodeClient({ baseUrl, basicAuth, passwordResolver })
 }

backend/src/services/settings.ts

@@ -4,6 +4,8 @@ import { getOpenCodeConfigFilePath } from '@opencode-manager/shared/config/env'
 import { logger } from '../utils/logger'
 import { parseJsonc } from '@opencode-manager/shared/utils'
 import { z } from 'zod'
+import { encryptSecret, decryptSecret } from '../utils/crypto'
+import { ENV } from '@opencode-manager/shared/config/env'
 import type { 
   UserPreferences, 
   SettingsResponse, 
@@ -42,6 +44,12 @@ interface CreateOpenCodeConfigOptions {
   suppressAutoDefault?: boolean
 }
 
+interface OpenCodeServerPasswordState {
+  value: string
+  createdAt: number
+  updatedAt: number
+}
+
 
 export class SettingsService {
   private static lastKnownGoodConfigContent: string | null = null
@@ -597,4 +605,60 @@ export class SettingsService {
       return false
     }
   }
+
+  getOpenCodeServerPassword(): string {
+    const row = this.db.prepare('SELECT value FROM app_secrets WHERE key = ?').get('opencode_server_password') as { value: string } | undefined
+    if (!row) {
+      return ENV.OPENCODE.SERVER_PASSWORD
+    }
+    try {
+      return decryptSecret(row.value)
+    } catch (error) {
+      logger.error('Failed to decrypt opencode_server_password, falling back to env', error)
+      return ENV.OPENCODE.SERVER_PASSWORD
+    }
+  }
+
+  hasStoredOpenCodeServerPassword(): boolean {
+    const row = this.db.prepare('SELECT 1 FROM app_secrets WHERE key = ?').get('opencode_server_password')
+    return Boolean(row)
+  }
+
+  getStoredOpenCodeServerPasswordState(): OpenCodeServerPasswordState | null {
+    const row = this.db.prepare('SELECT value, created_at, updated_at FROM app_secrets WHERE key = ?').get('opencode_server_password') as { value: string; created_at: number; updated_at: number } | undefined
+    if (!row) {
+      return null
+    }
+
+    return {
+      value: row.value,
+      createdAt: row.created_at,
+      updatedAt: row.updated_at,
+    }
+  }
+
+  restoreOpenCodeServerPasswordState(state: OpenCodeServerPasswordState | null): void {
+    if (!state) {
+      this.clearOpenCodeServerPassword()
+      return
+    }
+
+    this.db.prepare(`
+      INSERT INTO app_secrets (key, value, created_at, updated_at) VALUES (?, ?, ?, ?)
+      ON CONFLICT(key) DO UPDATE SET value = excluded.value, created_at = excluded.created_at, updated_at = excluded.updated_at
+    `).run('opencode_server_password', state.value, state.createdAt, state.updatedAt)
+  }
+
+  setOpenCodeServerPassword(password: string): void {
+    const now = Date.now()
+    const encrypted = encryptSecret(password)
+    this.db.prepare(`
+      INSERT INTO app_secrets (key, value, created_at, updated_at) VALUES (?, ?, ?, ?)
+      ON CONFLICT(key) DO UPDATE SET value = excluded.value, updated_at = excluded.updated_at
+    `).run('opencode_server_password', encrypted, now, now)
+  }
+
+  clearOpenCodeServerPassword(): void {
+    this.db.prepare('DELETE FROM app_secrets WHERE key = ?').run('opencode_server_password')
+  }
 }