@bjesuiter/codex-switcher 1.7.2 → 1.7.4

package/README.md

@@ -6,11 +6,12 @@ Switch the coding-agents [pi](https://pi.dev/), [codex](https://developers.opena
 
 ## Latest Changes
 
-### 1.7.2
+### 1.7.4
 
 #### Fixes
 
-- Improve device OAuth failure diagnostics during login/relogin. When device flow startup or polling fails, `cdx` now prints technical details (HTTP status, OAuth error code, and response/body snippets where available) instead of only showing a generic "not available right now" message.
+- Detect Cloudflare/bot-protection HTML challenge responses during OAuth device flow startup and token polling, and report an explicit `cloudflare_challenge` reason instead of only a generic HTTP 403.
+- When that challenge is detected, show a clear workaround: retry without `--device-flow` to use browser/manual callback flow.
 
 see full changelog here: https://github.com/bjesuiter/codex-switcher/blob/main/CHANGELOG.md
 

package/cdx.mjs

@@ -15,7 +15,7 @@ import { generatePKCE } from "@openauthjs/openauth/pkce";
 import http from "node:http";
 
 //#region package.json
-var version = "1.7.2";
+var version = "1.7.4";
 
 //#endregion
 //#region lib/platform/path-resolver.ts
@@ -1036,6 +1036,46 @@ const truncateForLog = (value, maxLength = 300) => {
 	if (value.length <= maxLength) return value;
 	return `${value.slice(0, maxLength)}…`;
 };
+const isCloudflareChallengeResponse = (headers, bodyText) => {
+	if (headers.get("cf-mitigated")?.toLowerCase() === "challenge") return true;
+	if (!bodyText) return false;
+	return [
+		/<title>Just a moment\.\.\.<\/title>/i,
+		/Enable JavaScript and cookies to continue/i,
+		/challenge-platform/i,
+		/_cf_chl_opt/i
+	].some((pattern) => pattern.test(bodyText));
+};
+const parseOAuthErrorResponse = async (res) => {
+	let rawBody;
+	try {
+		rawBody = await res.text();
+	} catch {
+		rawBody = void 0;
+	}
+	const failureReason = isCloudflareChallengeResponse(res.headers, rawBody) ? "cloudflare_challenge" : void 0;
+	if (!rawBody) return { ...failureReason ? { failureReason } : {} };
+	const trimmed = rawBody.trim();
+	if (!trimmed) return { ...failureReason ? { failureReason } : {} };
+	try {
+		const json = JSON.parse(trimmed);
+		return {
+			...json.error ? { oauthError: json.error } : {},
+			...typeof json.interval === "number" ? { interval: json.interval } : {},
+			responseBody: truncateForLog(JSON.stringify({
+				...json.error ? { error: json.error } : {},
+				...json.error_description ? { error_description: json.error_description } : {},
+				...typeof json.interval === "number" ? { interval: json.interval } : {}
+			})),
+			...failureReason ? { failureReason } : {}
+		};
+	} catch {
+		return {
+			responseBody: failureReason === "cloudflare_challenge" ? "Cloudflare challenge response detected (HTML page)" : truncateForLog(trimmed),
+			...failureReason ? { failureReason } : {}
+		};
+	}
+};
 const startDeviceAuthorizationFlow = async () => {
 	try {
 		const res = await fetch(DEVICE_CODE_URL, {
@@ -1047,28 +1087,14 @@ const startDeviceAuthorizationFlow = async () => {
 			})
 		});
 		if (!res.ok) {
-			let oauthError;
-			let responseBody;
-			try {
-				const json = await res.json();
-				oauthError = json.error;
-				responseBody = truncateForLog(JSON.stringify({
-					...json.error ? { error: json.error } : {},
-					...json.error_description ? { error_description: json.error_description } : {}
-				}));
-			} catch {
-				try {
-					responseBody = truncateForLog(await res.text());
-				} catch {
-					responseBody = void 0;
-				}
-			}
+			const { oauthError, responseBody, failureReason } = await parseOAuthErrorResponse(res);
 			return {
 				type: "failed",
-				error: `Device code request failed with HTTP ${res.status} ${res.statusText}`,
+				error: failureReason === "cloudflare_challenge" ? "Device code request was blocked by a Cloudflare challenge response." : `Device code request failed with HTTP ${res.status} ${res.statusText}`,
 				status: res.status,
 				...oauthError ? { oauthError } : {},
-				...responseBody ? { responseBody } : {}
+				...responseBody ? { responseBody } : {},
+				...failureReason ? { failureReason } : {}
 			};
 		}
 		const json = await res.json();
@@ -1121,25 +1147,7 @@ const pollDeviceAuthorizationToken = async (deviceCode) => {
 				idToken: json.id_token
 			};
 		}
-		let errorCode;
-		let interval;
-		let responseBody;
-		try {
-			const json = await res.json();
-			errorCode = json.error;
-			interval = json.interval;
-			responseBody = truncateForLog(JSON.stringify({
-				...json.error ? { error: json.error } : {},
-				...json.error_description ? { error_description: json.error_description } : {},
-				...typeof json.interval === "number" ? { interval: json.interval } : {}
-			}));
-		} catch {
-			try {
-				responseBody = truncateForLog(await res.text());
-			} catch {
-				responseBody = void 0;
-			}
-		}
+		const { oauthError: errorCode, interval, responseBody, failureReason } = await parseOAuthErrorResponse(res);
 		if (errorCode === "authorization_pending") return {
 			type: "pending",
 			interval: typeof interval === "number" && interval > 0 ? interval : 5
@@ -1152,10 +1160,11 @@ const pollDeviceAuthorizationToken = async (deviceCode) => {
 		if (errorCode === "expired_token") return { type: "expired" };
 		return {
 			type: "failed",
-			error: `Device token polling failed with HTTP ${res.status} ${res.statusText}`,
+			error: failureReason === "cloudflare_challenge" ? "Device token polling was blocked by a Cloudflare challenge response." : `Device token polling failed with HTTP ${res.status} ${res.statusText}`,
 			status: res.status,
 			...errorCode ? { oauthError: errorCode } : {},
-			...responseBody ? { responseBody } : {}
+			...responseBody ? { responseBody } : {},
+			...failureReason ? { failureReason } : {}
 		};
 	} catch (error) {
 		return {
@@ -1310,10 +1319,14 @@ const startOAuthServer = (state) => {
 				},
 				waitForCode: () => codePromise
 			});
-		}).on("error", () => {
+		}).on("error", (error) => {
+			const err = error;
 			resolve({
 				port: CALLBACK_PORT,
 				ready: false,
+				reason: err?.code === "EADDRINUSE" ? "port_in_use" : "listen_failed",
+				...typeof err?.message === "string" ? { error: err.message } : {},
+				...typeof err?.code === "string" ? { errorCode: err.code } : {},
 				close: () => {
 					try {
 						server.close();
@@ -1333,6 +1346,101 @@ const isLikelyRemoteEnvironment = () => {
 	if (process.env.SSH_CONNECTION || process.env.SSH_CLIENT || process.env.SSH_TTY) return true;
 	return !process.env.DISPLAY && !process.env.WAYLAND_DISPLAY;
 };
+const parseLsofListeningProcess = (output) => {
+	const lines = output.split(/\r?\n/).map((line) => line.trim()).filter(Boolean);
+	let pid = null;
+	let command;
+	for (const line of lines) {
+		if (line.startsWith("p") && pid === null) {
+			const parsedPid = Number.parseInt(line.slice(1), 10);
+			if (!Number.isNaN(parsedPid) && parsedPid > 0) pid = parsedPid;
+			continue;
+		}
+		if (line.startsWith("c") && pid !== null && !command) {
+			const parsedCommand = line.slice(1).trim();
+			if (parsedCommand) command = parsedCommand;
+		}
+		if (pid !== null && command) break;
+	}
+	if (pid === null) return null;
+	return {
+		pid,
+		...command ? { command } : {}
+	};
+};
+const parseWindowsNetstatListeningPid = (output, port) => {
+	const lines = output.split(/\r?\n/);
+	const portSuffix = `:${port}`;
+	for (const rawLine of lines) {
+		const line = rawLine.trim();
+		if (!line || !/LISTENING/i.test(line) || !line.includes(portSuffix)) continue;
+		const pidRaw = line.split(/\s+/).at(-1);
+		const parsedPid = pidRaw ? Number.parseInt(pidRaw, 10) : NaN;
+		if (!Number.isNaN(parsedPid) && parsedPid > 0) return parsedPid;
+	}
+	return null;
+};
+const findListeningProcessOnPort = (port, platform = process.platform) => {
+	if (platform === "win32") {
+		const netstat = Bun.spawnSync({
+			cmd: [
+				"netstat",
+				"-ano",
+				"-p",
+				"tcp"
+			],
+			stdout: "pipe",
+			stderr: "pipe"
+		});
+		if (netstat.exitCode !== 0) return null;
+		const pid = parseWindowsNetstatListeningPid(Buffer.from(netstat.stdout).toString("utf8"), port);
+		if (!pid) return null;
+		const tasklist = Bun.spawnSync({
+			cmd: [
+				"tasklist",
+				"/FI",
+				`PID eq ${pid}`,
+				"/FO",
+				"CSV",
+				"/NH"
+			],
+			stdout: "pipe",
+			stderr: "pipe"
+		});
+		if (tasklist.exitCode !== 0) return { pid };
+		const line = Buffer.from(tasklist.stdout).toString("utf8").trim().split(/\r?\n/)[0] ?? "";
+		if (!line || /No tasks are running/i.test(line)) return { pid };
+		const command = line.replace(/^"|"$/g, "").split("\",\"")[0]?.trim();
+		return {
+			pid,
+			...command ? { command } : {}
+		};
+	}
+	const lsof = Bun.spawnSync({
+		cmd: [
+			"lsof",
+			"-nP",
+			`-iTCP:${port}`,
+			"-sTCP:LISTEN",
+			"-FpPc"
+		],
+		stdout: "pipe",
+		stderr: "pipe"
+	});
+	if (lsof.exitCode !== 0) return null;
+	return parseLsofListeningProcess(Buffer.from(lsof.stdout).toString("utf8"));
+};
+const killProcessByPid = (pid) => {
+	try {
+		process.kill(pid, "SIGTERM");
+		return { ok: true };
+	} catch (error) {
+		return {
+			ok: false,
+			error: error instanceof Error ? error.message : String(error)
+		};
+	}
+};
 const parseOAuthCallbackInput = (input) => {
 	const trimmed = input.trim();
 	if (!trimmed) return null;
@@ -1399,6 +1507,34 @@ const promptBrowserFallbackChoice = async () => {
 	if (p.isCancel(selection)) return "cancel";
 	return selection;
 };
+const promptPortConflictChoice = async (listeningProcess) => {
+	if (!process.stdin.isTTY || !process.stdout.isTTY) {
+		p.log.info("Non-interactive terminal detected. Falling back to device OAuth flow.");
+		return "device";
+	}
+	const killHint = listeningProcess ? `PID ${listeningProcess.pid}${listeningProcess.command ? ` (${listeningProcess.command})` : ""}` : "Attempt to free port and retry";
+	const selection = await p.select({
+		message: `Port ${CALLBACK_PORT} is already in use. How do you want to continue?`,
+		options: [
+			{
+				value: "kill_and_retry",
+				label: `Kill existing listener on port ${CALLBACK_PORT} and retry browser flow`,
+				hint: killHint
+			},
+			{
+				value: "device",
+				label: "Continue with OAuth device flow",
+				hint: "No local callback server required"
+			},
+			{
+				value: "cancel",
+				label: "Cancel login"
+			}
+		]
+	});
+	if (p.isCancel(selection)) return "cancel";
+	return selection;
+};
 const promptManualAuthorizationCode = async (authorizationUrl, expectedState) => {
 	p.log.info("Manual login selected.");
 	p.log.message(`Open this URL in a browser:\n${authorizationUrl}`);
@@ -1434,6 +1570,10 @@ const runDeviceOAuthFlow = async (useSpinner) => {
 		if (typeof deviceFlowResult.status === "number") p.log.error(`HTTP status: ${deviceFlowResult.status}`);
 		if (deviceFlowResult.oauthError) p.log.error(`OAuth error: ${deviceFlowResult.oauthError}`);
 		if (deviceFlowResult.responseBody) p.log.error(`Response: ${deviceFlowResult.responseBody}`);
+		if (deviceFlowResult.failureReason === "cloudflare_challenge") {
+			p.log.warning("Detected Cloudflare challenge on auth.openai.com.");
+			p.log.info("Retry without --device-flow to use browser/manual callback flow.");
+		}
 		return null;
 	}
 	const deviceFlow = deviceFlowResult.flow;
@@ -1483,6 +1623,10 @@ const runDeviceOAuthFlow = async (useSpinner) => {
 			if (typeof pollResult.status === "number") p.log.error(`HTTP status: ${pollResult.status}`);
 			if (pollResult.oauthError) p.log.error(`OAuth error: ${pollResult.oauthError}`);
 			if (pollResult.responseBody) p.log.error(`Response: ${pollResult.responseBody}`);
+			if (pollResult.failureReason === "cloudflare_challenge") {
+				p.log.warning("Detected Cloudflare challenge on auth.openai.com.");
+				p.log.info("Retry without --device-flow to use browser/manual callback flow.");
+			}
 		}
 		return null;
 	}
@@ -1492,9 +1636,48 @@ const runDeviceOAuthFlow = async (useSpinner) => {
 };
 const requestTokenViaOAuth = async (flow, options) => {
 	if (options.authFlow === "device") return runDeviceOAuthFlow(options.useSpinner);
-	const server = await startOAuthServer(flow.state);
-	if (!server.ready) {
-		p.log.error("Failed to start local server on port 1455.");
+	let server = await startOAuthServer(flow.state);
+	if (!server.ready) if (server.reason === "port_in_use") {
+		p.log.warning(`Local callback server port ${CALLBACK_PORT} is already in use.`);
+		const listeningProcess = findListeningProcessOnPort(CALLBACK_PORT);
+		if (listeningProcess) p.log.info(`Detected listener on port ${CALLBACK_PORT}: PID ${listeningProcess.pid}${listeningProcess.command ? ` (${listeningProcess.command})` : ""}`);
+		const choice = await promptPortConflictChoice(listeningProcess);
+		if (choice === "cancel") {
+			p.log.info("Login cancelled.");
+			return null;
+		}
+		if (choice === "device") return runDeviceOAuthFlow(options.useSpinner);
+		if (listeningProcess) {
+			const confirmed = await p.confirm({
+				message: `Kill PID ${listeningProcess.pid}${listeningProcess.command ? ` (${listeningProcess.command})` : ""}?`,
+				initialValue: false
+			});
+			if (p.isCancel(confirmed) || !confirmed) {
+				p.log.info("Cancelled. No process was terminated.");
+				return null;
+			}
+			const killResult = killProcessByPid(listeningProcess.pid);
+			if (!killResult.ok) {
+				p.log.error(`Failed to terminate PID ${listeningProcess.pid}.`);
+				p.log.error(`Technical details: ${killResult.error ?? "unknown error"}`);
+				p.log.info("Try device flow instead: cdx login --device-flow");
+				return null;
+			}
+			p.log.success(`Sent SIGTERM to PID ${listeningProcess.pid}. Retrying local server...`);
+			await sleep(250);
+		} else p.log.warning(`Could not identify which process is listening on port ${CALLBACK_PORT}. Retrying once...`);
+		server = await startOAuthServer(flow.state);
+		if (!server.ready) {
+			p.log.error(`Failed to start local server on port ${CALLBACK_PORT} after retry.`);
+			if (server.error) p.log.error(`Technical details: ${server.error}`);
+			if (server.errorCode) p.log.error(`Error code: ${server.errorCode}`);
+			p.log.info("Try device flow instead: cdx login --device-flow");
+			return null;
+		}
+	} else {
+		p.log.error(`Failed to start local server on port ${CALLBACK_PORT}.`);
+		if (server.error) p.log.error(`Technical details: ${server.error}`);
+		if (server.errorCode) p.log.error(`Error code: ${server.errorCode}`);
 		p.log.info("Please ensure the port is not in use.");
 		return null;
 	}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bjesuiter/codex-switcher",
-  "version": "1.7.2",
+  "version": "1.7.4",
   "type": "module",
   "description": "CLI tool to switch between multiple OpenAI accounts for OpenCode",
   "bin": {