feat(accounts): export OpenCode auth json

.github/workflows/docker.yml

@@ -0,0 +1,59 @@
+name: Build and publish Docker image
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+      - feat/opencode-auth-export
+    tags:
+      - "v*"
+
+permissions:
+  contents: read
+  packages: write
+
+env:
+  IMAGE_NAME: ghcr.io/lnimien/codex-lb
+
+jobs:
+  docker:
+    name: Docker image
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.IMAGE_NAME }}
+          tags: |
+            type=raw,value=opencode-auth-export,enable=${{ github.ref == 'refs/heads/feat/opencode-auth-export' }}
+            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
+            type=ref,event=tag
+            type=sha,prefix=sha-
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./Dockerfile
+          push: true
+          platforms: linux/amd64
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

app/core/auth/__init__.py

@@ -90,6 +90,16 @@ def claims_from_auth(auth: AuthFile) -> AccountClaims:
     )
 
 
+def token_expiry_epoch_ms(token: str) -> int | None:
+    claims = extract_id_token_claims(token)
+    exp = claims.exp
+    if isinstance(exp, (int, float)):
+        return max(0, int(float(exp) * 1000))
+    if isinstance(exp, str) and exp.isdigit():
+        return max(0, int(exp) * 1000)
+    return None
+
+
 def generate_unique_account_id(account_id: str | None, email: str | None) -> str:
     if account_id and email and email != DEFAULT_EMAIL:
         email_hash = hashlib.sha256(email.encode()).hexdigest()[:8]

app/modules/accounts/api.py

@@ -10,6 +10,7 @@
 from app.modules.accounts.schemas import (
     AccountDeleteResponse,
     AccountImportResponse,
+    AccountOpenCodeAuthExportResponse,
     AccountPauseResponse,
     AccountReactivateResponse,
     AccountsResponse,
@@ -43,6 +44,23 @@ async def get_account_trends(
     return result
 
 
+@router.post("/{account_id}/export/opencode-auth", response_model=AccountOpenCodeAuthExportResponse)
+async def export_account_opencode_auth(
+    request: Request,
+    account_id: str,
+    context: AccountsContext = Depends(get_accounts_context),
+) -> AccountOpenCodeAuthExportResponse:
+    result = await context.service.export_opencode_auth(account_id)
+    if not result:
+        raise DashboardNotFoundError("Account not found", code="account_not_found")
+    AuditService.log_async(
+        "account_auth_exported",
+        actor_ip=request.client.host if request.client else None,
+        details={"account_id": account_id},
+    )
+    return result
+
+
 @router.post("/import", response_model=AccountImportResponse)
 async def import_account(
     request: Request,

app/modules/accounts/mappers.py

@@ -3,7 +3,7 @@
 from datetime import datetime, timezone
 
 from app.core import usage as usage_core
-from app.core.auth import DEFAULT_PLAN, extract_id_token_claims
+from app.core.auth import DEFAULT_PLAN, extract_id_token_claims, token_expiry_epoch_ms
 from app.core.crypto import TokenEncryptor
 from app.core.plan_types import coerce_account_plan_type
 from app.core.usage.types import UsageTrendBucket, UsageWindowRow
@@ -177,12 +177,9 @@ def _decrypt_token(encryptor: TokenEncryptor, encrypted: bytes | None) -> str |
 def _token_expiry(token: str | None) -> datetime | None:
     if not token:
         return None
-    claims = extract_id_token_claims(token)
-    exp = claims.exp
-    if isinstance(exp, (int, float)):
-        return datetime.fromtimestamp(exp, tz=timezone.utc)
-    if isinstance(exp, str) and exp.isdigit():
-        return datetime.fromtimestamp(int(exp), tz=timezone.utc)
+    expires_ms = token_expiry_epoch_ms(token)
+    if expires_ms is not None:
+        return datetime.fromtimestamp(expires_ms / 1000, tz=timezone.utc)
     return None
 
 

app/modules/accounts/schemas.py

@@ -89,6 +89,30 @@ class AccountImportResponse(DashboardModel):
     status: str
 
 
+class OpenCodeOAuthAuth(DashboardModel):
+    type: str = "oauth"
+    refresh: str
+    access: str
+    expires: int = Field(ge=0)
+    account_id: str | None = None
+
+
+class OpenCodeAuthJson(DashboardModel):
+    openai: OpenCodeOAuthAuth
+
+
+class AccountOpenCodeAuthExportAccount(DashboardModel):
+    account_id: str
+    chatgpt_account_id: str | None = None
+    email: str
+
+
+class AccountOpenCodeAuthExportResponse(DashboardModel):
+    filename: str
+    account: AccountOpenCodeAuthExportAccount
+    auth_json: OpenCodeAuthJson
+
+
 class AccountPauseResponse(DashboardModel):
     status: str
 

app/modules/accounts/service.py

@@ -12,6 +12,7 @@
     claims_from_auth,
     generate_unique_account_id,
     parse_auth_json,
+    token_expiry_epoch_ms,
 )
 from app.core.auth.api_key_cache import get_api_key_cache
 from app.core.cache.invalidation import NAMESPACE_API_KEY, get_cache_invalidation_poller
@@ -25,9 +26,13 @@
     AccountAdditionalQuota,
     AccountAdditionalWindow,
     AccountImportResponse,
+    AccountOpenCodeAuthExportAccount,
+    AccountOpenCodeAuthExportResponse,
     AccountRequestUsage,
     AccountSummary,
     AccountTrendsResponse,
+    OpenCodeAuthJson,
+    OpenCodeOAuthAuth,
 )
 from app.modules.proxy.account_cache import get_account_selection_cache
 from app.modules.usage.additional_quota_keys import get_additional_display_label_for_quota_key
@@ -142,6 +147,33 @@ async def get_account_trends(self, account_id: str) -> AccountTrendsResponse | N
             secondary=trend.secondary if trend else [],
         )
 
+    async def export_opencode_auth(self, account_id: str) -> AccountOpenCodeAuthExportResponse | None:
+        account = await self._repo.get_by_id(account_id)
+        if account is None:
+            return None
+
+        access_token = self._encryptor.decrypt(account.access_token_encrypted)
+        refresh_token = self._encryptor.decrypt(account.refresh_token_encrypted)
+        expires = token_expiry_epoch_ms(access_token) or 0
+        opencode_account_id = account.chatgpt_account_id or account.id
+
+        return AccountOpenCodeAuthExportResponse(
+            filename=_opencode_auth_export_filename(account),
+            account=AccountOpenCodeAuthExportAccount(
+                account_id=account.id,
+                chatgpt_account_id=account.chatgpt_account_id,
+                email=account.email,
+            ),
+            auth_json=OpenCodeAuthJson(
+                openai=OpenCodeOAuthAuth(
+                    refresh=refresh_token,
+                    access=access_token,
+                    expires=expires,
+                    account_id=opencode_account_id,
+                ),
+            ),
+        )
+
     async def import_account(self, raw: bytes) -> AccountImportResponse:
         try:
             auth = parse_auth_json(raw)
@@ -201,3 +233,9 @@ async def delete_account(self, account_id: str) -> bool:
             if poller is not None:
                 await poller.bump(NAMESPACE_API_KEY)
         return result
+
+
+def _opencode_auth_export_filename(account: Account) -> str:
+    source = account.email or account.id
+    safe = "".join(char if char.isalnum() or char in "._-" else "-" for char in source).strip("-._")
+    return f"opencode-auth-{safe or account.id}.json"

frontend/src/components/alert-message.tsx

@@ -1,21 +1,23 @@
-import { AlertCircle, CheckCircle2 } from "lucide-react";
+import { AlertCircle, CheckCircle2, TriangleAlert } from "lucide-react";
 
 import { cn } from "@/lib/utils";
 
 export type AlertMessageProps = {
-  variant: "error" | "success";
+  variant: "error" | "success" | "warning";
   className?: string;
   children: React.ReactNode;
 };
 
 const variantStyles: Record<AlertMessageProps["variant"], string> = {
   error: "bg-destructive/10 text-destructive border border-destructive/20",
   success: "bg-emerald-500/10 text-emerald-700 dark:text-emerald-400 border border-emerald-500/20",
+  warning: "border border-amber-500/20 bg-amber-500/10 text-amber-700 dark:text-amber-300",
 };
 
 const variantIcons: Record<AlertMessageProps["variant"], React.ElementType> = {
   error: AlertCircle,
   success: CheckCircle2,
+  warning: TriangleAlert,
 };
 
 export function AlertMessage({ variant, className, children }: AlertMessageProps) {

frontend/src/features/accounts/api.ts

@@ -2,6 +2,7 @@ import { del, get, post } from "@/lib/api-client";
 
 import {
   AccountActionResponseSchema,
+  AccountOpenCodeAuthExportResponseSchema,
   AccountImportResponseSchema,
   AccountsResponseSchema,
   AccountTrendsResponseSchema,
@@ -51,6 +52,13 @@ export function getAccountTrends(accountId: string) {
   );
 }
 
+export function exportAccountOpenCodeAuth(accountId: string) {
+  return post(
+    `${ACCOUNTS_BASE_PATH}/${encodeURIComponent(accountId)}/export/opencode-auth`,
+    AccountOpenCodeAuthExportResponseSchema,
+  );
+}
+
 export function deleteAccount(accountId: string) {
   return del(
     `${ACCOUNTS_BASE_PATH}/${encodeURIComponent(accountId)}`,

frontend/src/features/accounts/components/account-actions.tsx

@@ -1,4 +1,4 @@
-import { Pause, Play, RefreshCw, Trash2 } from "lucide-react";
+import { Download, Pause, Play, RefreshCw, Trash2 } from "lucide-react";
 
 import { Button } from "@/components/ui/button";
 import type { AccountSummary } from "@/features/accounts/schemas";
@@ -10,6 +10,7 @@ export type AccountActionsProps = {
   onResume: (accountId: string) => void;
   onDelete: (accountId: string) => void;
   onReauth: () => void;
+  onExportOpenCodeAuth: (accountId: string) => void;
 };
 
 export function AccountActions({
@@ -19,6 +20,7 @@ export function AccountActions({
   onResume,
   onDelete,
   onReauth,
+  onExportOpenCodeAuth,
 }: AccountActionsProps) {
   return (
     <div className="flex flex-wrap gap-2 border-t pt-4">
@@ -61,6 +63,18 @@ export function AccountActions({
         </Button>
       ) : null}
 
+      <Button
+        type="button"
+        size="sm"
+        variant="outline"
+        className="h-8 gap-1.5 text-xs"
+        onClick={() => onExportOpenCodeAuth(account.accountId)}
+        disabled={busy}
+      >
+        <Download className="h-3.5 w-3.5" />
+        Export OpenCode auth
+      </Button>
+
       <Button
         type="button"
         size="sm"

frontend/src/features/accounts/components/account-detail.tsx

@@ -17,6 +17,7 @@ export type AccountDetailProps = {
   onResume: (accountId: string) => void;
   onDelete: (accountId: string) => void;
   onReauth: () => void;
+  onExportOpenCodeAuth: (accountId: string) => void;
 };
 
 export function AccountDetail({
@@ -27,6 +28,7 @@ export function AccountDetail({
   onResume,
   onDelete,
   onReauth,
+  onExportOpenCodeAuth,
 }: AccountDetailProps) {
   const { data: trends } = useAccountTrends(account?.accountId ?? null);
   const blurred = usePrivacyStore((s) => s.blurred);
@@ -74,6 +76,7 @@ export function AccountDetail({
         onResume={onResume}
         onDelete={onDelete}
         onReauth={onReauth}
+        onExportOpenCodeAuth={onExportOpenCodeAuth}
       />
     </div>
   );