feat(kiro): 新增授权码登录流程，优化邮箱获取与官方 Thinking 模式解析 预支持

cmd/server/main.go

@@ -78,6 +78,7 @@ func main() {
 	var kiroLogin bool
 	var kiroGoogleLogin bool
 	var kiroAWSLogin bool
+	var kiroAWSAuthCode bool
 	var kiroImport bool
 	var githubCopilotLogin bool
 	var projectID string
@@ -101,6 +102,7 @@ func main() {
 	flag.BoolVar(&kiroLogin, "kiro-login", false, "Login to Kiro using Google OAuth")
 	flag.BoolVar(&kiroGoogleLogin, "kiro-google-login", false, "Login to Kiro using Google OAuth (same as --kiro-login)")
 	flag.BoolVar(&kiroAWSLogin, "kiro-aws-login", false, "Login to Kiro using AWS Builder ID (device code flow)")
+	flag.BoolVar(&kiroAWSAuthCode, "kiro-aws-authcode", false, "Login to Kiro using AWS Builder ID (authorization code flow, better UX)")
 	flag.BoolVar(&kiroImport, "kiro-import", false, "Import Kiro token from Kiro IDE (~/.aws/sso/cache/kiro-auth-token.json)")
 	flag.BoolVar(&githubCopilotLogin, "github-copilot-login", false, "Login to GitHub Copilot using device flow")
 	flag.StringVar(&projectID, "project_id", "", "Project ID (Gemini only, not required)")
@@ -513,6 +515,10 @@ func main() {
 		// Users can explicitly override with --no-incognito
 		setKiroIncognitoMode(cfg, useIncognito, noIncognito)
 		cmd.DoKiroAWSLogin(cfg, options)
+	} else if kiroAWSAuthCode {
+		// For Kiro auth with authorization code flow (better UX)
+		setKiroIncognitoMode(cfg, useIncognito, noIncognito)
+		cmd.DoKiroAWSAuthCodeLogin(cfg, options)
 	} else if kiroImport {
 		cmd.DoKiroImport(cfg, options)
 	} else {

internal/auth/kiro/codewhisperer_client.go

@@ -0,0 +1,166 @@
+// Package kiro provides CodeWhisperer API client for fetching user info.
+package kiro
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
+	log "github.com/sirupsen/logrus"
+)
+
+const (
+	codeWhispererAPI = "https://codewhisperer.us-east-1.amazonaws.com"
+	kiroVersion      = "0.6.18"
+)
+
+// CodeWhispererClient handles CodeWhisperer API calls.
+type CodeWhispererClient struct {
+	httpClient *http.Client
+	machineID  string
+}
+
+// UsageLimitsResponse represents the getUsageLimits API response.
+type UsageLimitsResponse struct {
+	DaysUntilReset     *int                `json:"daysUntilReset,omitempty"`
+	NextDateReset      *float64            `json:"nextDateReset,omitempty"`
+	UserInfo           *UserInfo           `json:"userInfo,omitempty"`
+	SubscriptionInfo   *SubscriptionInfo   `json:"subscriptionInfo,omitempty"`
+	UsageBreakdownList []UsageBreakdown    `json:"usageBreakdownList,omitempty"`
+}
+
+// UserInfo contains user information from the API.
+type UserInfo struct {
+	Email  string `json:"email,omitempty"`
+	UserID string `json:"userId,omitempty"`
+}
+
+// SubscriptionInfo contains subscription details.
+type SubscriptionInfo struct {
+	SubscriptionTitle string `json:"subscriptionTitle,omitempty"`
+	Type              string `json:"type,omitempty"`
+}
+
+// UsageBreakdown contains usage details.
+type UsageBreakdown struct {
+	UsageLimit                 *int     `json:"usageLimit,omitempty"`
+	CurrentUsage               *int     `json:"currentUsage,omitempty"`
+	UsageLimitWithPrecision    *float64 `json:"usageLimitWithPrecision,omitempty"`
+	CurrentUsageWithPrecision  *float64 `json:"currentUsageWithPrecision,omitempty"`
+	NextDateReset              *float64 `json:"nextDateReset,omitempty"`
+	DisplayName                string   `json:"displayName,omitempty"`
+	ResourceType               string   `json:"resourceType,omitempty"`
+}
+
+// NewCodeWhispererClient creates a new CodeWhisperer client.
+func NewCodeWhispererClient(cfg *config.Config, machineID string) *CodeWhispererClient {
+	client := &http.Client{Timeout: 30 * time.Second}
+	if cfg != nil {
+		client = util.SetProxy(&cfg.SDKConfig, client)
+	}
+	if machineID == "" {
+		machineID = uuid.New().String()
+	}
+	return &CodeWhispererClient{
+		httpClient: client,
+		machineID:  machineID,
+	}
+}
+
+// generateInvocationID generates a unique invocation ID.
+func generateInvocationID() string {
+	return uuid.New().String()
+}
+
+// GetUsageLimits fetches usage limits and user info from CodeWhisperer API.
+// This is the recommended way to get user email after login.
+func (c *CodeWhispererClient) GetUsageLimits(ctx context.Context, accessToken string) (*UsageLimitsResponse, error) {
+	url := fmt.Sprintf("%s/getUsageLimits?isEmailRequired=true&origin=AI_EDITOR&resourceType=AGENTIC_REQUEST", codeWhispererAPI)
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create request: %w", err)
+	}
+
+	// Set headers to match Kiro IDE
+	xAmzUserAgent := fmt.Sprintf("aws-sdk-js/1.0.0 KiroIDE-%s-%s", kiroVersion, c.machineID)
+	userAgent := fmt.Sprintf("aws-sdk-js/1.0.0 ua/2.1 os/windows lang/js md/nodejs#20.16.0 api/codewhispererruntime#1.0.0 m/E KiroIDE-%s-%s", kiroVersion, c.machineID)
+
+	req.Header.Set("Authorization", "Bearer "+accessToken)
+	req.Header.Set("x-amz-user-agent", xAmzUserAgent)
+	req.Header.Set("User-Agent", userAgent)
+	req.Header.Set("amz-sdk-invocation-id", generateInvocationID())
+	req.Header.Set("amz-sdk-request", "attempt=1; max=1")
+	req.Header.Set("Connection", "close")
+
+	log.Debugf("codewhisperer: GET %s", url)
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("request failed: %w", err)
+	}
+	defer resp.Body.Close()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read response: %w", err)
+	}
+
+	log.Debugf("codewhisperer: status=%d, body=%s", resp.StatusCode, string(body))
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("API returned status %d: %s", resp.StatusCode, string(body))
+	}
+
+	var result UsageLimitsResponse
+	if err := json.Unmarshal(body, &result); err != nil {
+		return nil, fmt.Errorf("failed to parse response: %w", err)
+	}
+
+	return &result, nil
+}
+
+// FetchUserEmailFromAPI fetches user email using CodeWhisperer getUsageLimits API.
+// This is more reliable than JWT parsing as it uses the official API.
+func (c *CodeWhispererClient) FetchUserEmailFromAPI(ctx context.Context, accessToken string) string {
+	resp, err := c.GetUsageLimits(ctx, accessToken)
+	if err != nil {
+		log.Debugf("codewhisperer: failed to get usage limits: %v", err)
+		return ""
+	}
+
+	if resp.UserInfo != nil && resp.UserInfo.Email != "" {
+		log.Debugf("codewhisperer: got email from API: %s", resp.UserInfo.Email)
+		return resp.UserInfo.Email
+	}
+
+	log.Debugf("codewhisperer: no email in response")
+	return ""
+}
+
+// FetchUserEmailWithFallback fetches user email with multiple fallback methods.
+// Priority: 1. CodeWhisperer API  2. userinfo endpoint  3. JWT parsing
+func FetchUserEmailWithFallback(ctx context.Context, cfg *config.Config, accessToken string) string {
+	// Method 1: Try CodeWhisperer API (most reliable)
+	cwClient := NewCodeWhispererClient(cfg, "")
+	email := cwClient.FetchUserEmailFromAPI(ctx, accessToken)
+	if email != "" {
+		return email
+	}
+
+	// Method 2: Try SSO OIDC userinfo endpoint
+	ssoClient := NewSSOOIDCClient(cfg)
+	email = ssoClient.FetchUserEmail(ctx, accessToken)
+	if email != "" {
+		return email
+	}
+
+	// Method 3: Fallback to JWT parsing
+	return ExtractEmailFromJWT(accessToken)
+}

internal/auth/kiro/oauth.go

@@ -163,6 +163,13 @@ func (o *KiroOAuth) LoginWithBuilderID(ctx context.Context) (*KiroTokenData, err
 	return ssoClient.LoginWithBuilderID(ctx)
 }
 
+// LoginWithBuilderIDAuthCode performs OAuth login with AWS Builder ID using authorization code flow.
+// This provides a better UX than device code flow as it uses automatic browser callback.
+func (o *KiroOAuth) LoginWithBuilderIDAuthCode(ctx context.Context) (*KiroTokenData, error) {
+	ssoClient := NewSSOOIDCClient(o.cfg)
+	return ssoClient.LoginWithBuilderIDAuthCode(ctx)
+}
+
 // exchangeCodeForToken exchanges the authorization code for tokens.
 func (o *KiroOAuth) exchangeCodeForToken(ctx context.Context, code, codeVerifier, redirectURI string) (*KiroTokenData, error) {
 	payload := map[string]string{