@khanglvm/llm-router 1.1.1 → 1.3.0

package/src/runtime/subscription-auth.js

@@ -1,12 +1,67 @@
 /**
- * OAuth authentication for ChatGPT Codex subscription providers.
- * Implements browser-based login and device code flow.
+ * OAuth authentication for subscription providers.
+ * Supports ChatGPT Codex and Claude Code OAuth flows.
  */
 
 import http from 'node:http';
 import crypto from 'node:crypto';
-import { CODEX_OAUTH_CONFIG } from './subscription-constants.js';
-import { saveTokens, loadTokens, isTokenExpired, deleteTokens, listTokenProfiles as listTokenProfilesFromStore } from './subscription-tokens.js';
+import { spawn } from 'node:child_process';
+import {
+  CODEX_OAUTH_CONFIG,
+  CLAUDE_CODE_OAUTH_CONFIG
+} from './subscription-constants.js';
+import {
+  saveTokens,
+  loadTokens,
+  isTokenExpired,
+  deleteTokens,
+  listTokenProfiles as listTokenProfilesFromStore
+} from './subscription-tokens.js';
+
+const SUBSCRIPTION_TYPE_CHATGPT_CODEX = 'chatgpt-codex';
+const SUBSCRIPTION_TYPE_CLAUDE_CODE = 'claude-code';
+const CLAUDE_PROFILE_PREFIX = `${SUBSCRIPTION_TYPE_CLAUDE_CODE}__`;
+
+function normalizeSubscriptionType(value, { allowEmpty = false } = {}) {
+  const normalized = String(value || '').trim().toLowerCase();
+  if (!normalized) {
+    return allowEmpty ? '' : SUBSCRIPTION_TYPE_CHATGPT_CODEX;
+  }
+  if (normalized === SUBSCRIPTION_TYPE_CHATGPT_CODEX) return SUBSCRIPTION_TYPE_CHATGPT_CODEX;
+  if (normalized === SUBSCRIPTION_TYPE_CLAUDE_CODE) return SUBSCRIPTION_TYPE_CLAUDE_CODE;
+  throw new Error(`Unsupported subscription type '${value}'.`);
+}
+
+function resolveOAuthConfig(subscriptionType) {
+  const normalized = normalizeSubscriptionType(subscriptionType);
+  if (normalized === SUBSCRIPTION_TYPE_CLAUDE_CODE) {
+    return CLAUDE_CODE_OAUTH_CONFIG;
+  }
+  return CODEX_OAUTH_CONFIG;
+}
+
+function toTokenProfileKey(profileId, subscriptionType) {
+  const normalizedProfile = String(profileId || 'default').trim() || 'default';
+  const normalizedType = normalizeSubscriptionType(subscriptionType);
+  if (normalizedType === SUBSCRIPTION_TYPE_CLAUDE_CODE) {
+    return `${CLAUDE_PROFILE_PREFIX}${normalizedProfile}`;
+  }
+  return normalizedProfile;
+}
+
+function fromTokenProfileKey(profileKey) {
+  const value = String(profileKey || '').trim();
+  if (value.startsWith(CLAUDE_PROFILE_PREFIX)) {
+    return {
+      profileId: value.slice(CLAUDE_PROFILE_PREFIX.length) || 'default',
+      subscriptionType: SUBSCRIPTION_TYPE_CLAUDE_CODE
+    };
+  }
+  return {
+    profileId: value || 'default',
+    subscriptionType: SUBSCRIPTION_TYPE_CHATGPT_CODEX
+  };
+}
 
 /**
  * Generate PKCE code verifier and challenge.
@@ -27,22 +82,60 @@ function generateState() {
   return crypto.randomBytes(16).toString('hex');
 }
 
+function tryOpenBrowser(url) {
+  const target = String(url || '').trim();
+  if (!target) return false;
+
+  try {
+    let child;
+    if (process.platform === 'darwin') {
+      child = spawn('open', [target], { stdio: 'ignore', detached: true });
+    } else if (process.platform === 'win32') {
+      child = spawn('cmd', ['/c', 'start', '', target], { stdio: 'ignore', detached: true });
+    } else {
+      child = spawn('xdg-open', [target], { stdio: 'ignore', detached: true });
+    }
+    child.unref();
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+function normalizeTokenData(data, fallbackRefreshToken = undefined) {
+  return {
+    accessToken: data.access_token,
+    refreshToken: data.refresh_token || fallbackRefreshToken,
+    expiresAt: Date.now() + (Number(data.expires_in || 0) * 1000),
+    tokenType: data.token_type || 'Bearer',
+    scope: data.scope
+  };
+}
+
 /**
  * Refresh an access token using refresh token.
  * @param {string} refreshToken - OAuth refresh token
+ * @param {Object} [options] - Options
+ * @param {string} [options.subscriptionType] - Subscription type
  * @returns {Promise<Object>} New token data
  */
-export async function refreshAccessToken(refreshToken) {
-  const response = await fetch(CODEX_OAUTH_CONFIG.tokenUrl, {
+export async function refreshAccessToken(refreshToken, options = {}) {
+  const config = resolveOAuthConfig(options.subscriptionType);
+  const body = {
+    grant_type: 'refresh_token',
+    refresh_token: refreshToken,
+    client_id: config.clientId
+  };
+  if (typeof config.scopes === 'string' && config.scopes.trim()) {
+    body.scope = config.scopes;
+  }
+
+  const response = await fetch(config.tokenUrl, {
     method: 'POST',
     headers: {
       'Content-Type': 'application/json'
     },
-    body: JSON.stringify({
-      grant_type: 'refresh_token',
-      refresh_token: refreshToken,
-      client_id: CODEX_OAUTH_CONFIG.clientId
-    })
+    body: JSON.stringify(body)
   });
 
   if (!response.ok) {
@@ -51,38 +144,36 @@ export async function refreshAccessToken(refreshToken) {
   }
 
   const data = await response.json();
-  
-  return {
-    accessToken: data.access_token,
-    refreshToken: data.refresh_token || refreshToken,
-    expiresAt: Date.now() + (data.expires_in * 1000),
-    tokenType: data.token_type || 'Bearer',
-    scope: data.scope
-  };
+  return normalizeTokenData(data, refreshToken);
 }
 
 /**
  * Get valid access token for a profile, refreshing if needed.
  * @param {string} profileId - Provider profile ID
+ * @param {Object} [options] - Options
+ * @param {string} [options.subscriptionType] - Subscription type
  * @returns {Promise<string|null>} Valid access token or null
  */
-export async function getValidAccessToken(profileId) {
-  const tokens = await loadTokens(profileId);
+export async function getValidAccessToken(profileId, options = {}) {
+  const config = resolveOAuthConfig(options.subscriptionType);
+  const tokenProfileKey = toTokenProfileKey(profileId, options.subscriptionType);
+  const tokens = await loadTokens(tokenProfileKey);
   if (!tokens) return null;
 
   // Check if token needs refresh
-  if (isTokenExpired(tokens, CODEX_OAUTH_CONFIG.tokenRefreshBufferMs)) {
+  if (isTokenExpired(tokens, config.tokenRefreshBufferMs)) {
     if (!tokens.refreshToken) {
-      return null; // Cannot refresh without refresh token
+      return null;
     }
 
     try {
-      const newTokens = await refreshAccessToken(tokens.refreshToken);
-      await saveTokens(profileId, newTokens);
+      const newTokens = await refreshAccessToken(tokens.refreshToken, {
+        subscriptionType: options.subscriptionType
+      });
+      await saveTokens(tokenProfileKey, newTokens);
       return newTokens.accessToken;
     } catch {
-      // Refresh failed, tokens are invalid
-      await deleteTokens(profileId);
+      await deleteTokens(tokenProfileKey);
       return null;
     }
   }
@@ -95,21 +186,30 @@ export async function getValidAccessToken(profileId) {
  * @param {string} code - Authorization code
  * @param {string} codeVerifier - PKCE code verifier
  * @param {string} redirectUri - Redirect URI used in auth request
+ * @param {Object} [options] - Options
+ * @param {string} [options.subscriptionType] - Subscription type
+ * @param {string} [options.state] - OAuth state
  * @returns {Promise<Object>} Token data
  */
-async function exchangeCodeForTokens(code, codeVerifier, redirectUri) {
-  const response = await fetch(CODEX_OAUTH_CONFIG.tokenUrl, {
+async function exchangeCodeForTokens(code, codeVerifier, redirectUri, options = {}) {
+  const config = resolveOAuthConfig(options.subscriptionType);
+  const body = {
+    grant_type: 'authorization_code',
+    code,
+    code_verifier: codeVerifier,
+    redirect_uri: redirectUri,
+    client_id: config.clientId
+  };
+  if (typeof options.state === 'string' && options.state.trim()) {
+    body.state = options.state.trim();
+  }
+
+  const response = await fetch(config.tokenUrl, {
     method: 'POST',
     headers: {
       'Content-Type': 'application/json'
     },
-    body: JSON.stringify({
-      grant_type: 'authorization_code',
-      code,
-      code_verifier: codeVerifier,
-      redirect_uri: redirectUri,
-      client_id: CODEX_OAUTH_CONFIG.clientId
-    })
+    body: JSON.stringify(body)
   });
 
   if (!response.ok) {
@@ -118,47 +218,57 @@ async function exchangeCodeForTokens(code, codeVerifier, redirectUri) {
   }
 
   const data = await response.json();
-  
-  return {
-    accessToken: data.access_token,
-    refreshToken: data.refresh_token,
-    expiresAt: Date.now() + (data.expires_in * 1000),
-    tokenType: data.token_type || 'Bearer',
-    scope: data.scope
-  };
+  return normalizeTokenData(data);
 }
 
 /**
  * Start browser-based OAuth login.
  * @param {string} profileId - Provider profile ID
  * @param {Object} [options] - Options
+ * @param {string} [options.subscriptionType] - Subscription type
  * @param {number} [options.port] - Callback server port
  * @param {function} [options.onUrl] - Callback when auth URL is ready
  * @returns {Promise<boolean>} Success status
  */
 export async function loginWithBrowser(profileId, options = {}) {
-  const port = options.port || CODEX_OAUTH_CONFIG.callbackPort;
-  const redirectUri = `http://localhost:${port}${CODEX_OAUTH_CONFIG.callbackPath}`;
-  
+  const config = resolveOAuthConfig(options.subscriptionType);
+  const tokenProfileKey = toTokenProfileKey(profileId, options.subscriptionType);
+  const port = options.port || config.callbackPort;
+  const redirectUri = `http://localhost:${port}${config.callbackPath}`;
+
   const pkce = generatePKCE();
   const state = generateState();
-  
-  const authUrl = new URL(CODEX_OAUTH_CONFIG.authorizeUrl);
+
+  const authUrl = new URL(config.authorizeUrl);
   authUrl.searchParams.set('response_type', 'code');
-  authUrl.searchParams.set('client_id', CODEX_OAUTH_CONFIG.clientId);
+  authUrl.searchParams.set('client_id', config.clientId);
   authUrl.searchParams.set('redirect_uri', redirectUri);
-  authUrl.searchParams.set('scope', CODEX_OAUTH_CONFIG.scopes);
-  authUrl.searchParams.set('audience', CODEX_OAUTH_CONFIG.audience);
+  authUrl.searchParams.set('scope', config.scopes);
   authUrl.searchParams.set('state', state);
   authUrl.searchParams.set('code_challenge', pkce.challenge);
   authUrl.searchParams.set('code_challenge_method', 'S256');
+  if (config.authorizeParams && typeof config.authorizeParams === 'object') {
+    for (const [key, value] of Object.entries(config.authorizeParams)) {
+      if (value !== undefined && value !== null && String(value).trim() !== '') {
+        authUrl.searchParams.set(key, String(value));
+      }
+    }
+  }
 
   return new Promise((resolve, reject) => {
+    let completed = false;
+    const finish = (fn) => {
+      if (completed) return;
+      completed = true;
+      clearTimeout(timeout);
+      fn();
+    };
+
     const server = http.createServer(async (req, res) => {
       try {
         const url = new URL(req.url, `http://localhost:${port}`);
-        
-        if (url.pathname !== CODEX_OAUTH_CONFIG.callbackPath) {
+
+        if (url.pathname !== config.callbackPath) {
           res.writeHead(404);
           res.end('Not found');
           return;
@@ -172,7 +282,7 @@ export async function loginWithBrowser(profileId, options = {}) {
           res.writeHead(400, { 'Content-Type': 'text/html' });
           res.end(`<h1>Authentication failed</h1><p>${error}</p>`);
           server.close();
-          reject(new Error(`OAuth error: ${error}`));
+          finish(() => reject(new Error(`OAuth error: ${error}`)));
           return;
         }
 
@@ -180,38 +290,39 @@ export async function loginWithBrowser(profileId, options = {}) {
           res.writeHead(400, { 'Content-Type': 'text/html' });
           res.end('<h1>Invalid callback</h1><p>Missing or invalid state/code</p>');
           server.close();
-          reject(new Error('Invalid OAuth callback'));
+          finish(() => reject(new Error('Invalid OAuth callback')));
           return;
         }
 
-        // Exchange code for tokens
-        const tokens = await exchangeCodeForTokens(code, pkce.verifier, redirectUri);
-        await saveTokens(profileId, tokens);
+        const tokens = await exchangeCodeForTokens(code, pkce.verifier, redirectUri, {
+          subscriptionType: options.subscriptionType,
+          state
+        });
+        await saveTokens(tokenProfileKey, tokens);
 
         res.writeHead(200, { 'Content-Type': 'text/html' });
         res.end('<h1>Success!</h1><p>You can close this window and return to the terminal.</p>');
-        
         server.close();
-        resolve(true);
+        finish(() => resolve(true));
       } catch (err) {
         res.writeHead(500, { 'Content-Type': 'text/html' });
         res.end(`<h1>Error</h1><p>${err.message}</p>`);
         server.close();
-        reject(err);
+        finish(() => reject(err));
       }
     });
 
     server.listen(port, () => {
       const authUrlStr = authUrl.toString();
+      const openedBrowser = options.autoOpen !== false ? tryOpenBrowser(authUrlStr) : false;
       if (options.onUrl) {
-        options.onUrl(authUrlStr);
+        options.onUrl(authUrlStr, { openedBrowser });
       }
     });
 
-    // Timeout after 5 minutes
-    setTimeout(() => {
+    const timeout = setTimeout(() => {
       server.close();
-      reject(new Error('Login timed out after 5 minutes'));
+      finish(() => reject(new Error('Login timed out after 5 minutes')));
     }, 5 * 60 * 1000);
   });
 }
@@ -219,20 +330,26 @@ export async function loginWithBrowser(profileId, options = {}) {
 /**
  * Start device code OAuth login (for headless environments).
  * @param {string} profileId - Provider profile ID
+ * @param {Object} [options] - Options
+ * @param {string} [options.subscriptionType] - Subscription type
  * @param {function} [options.onCode] - Callback when device code is ready
  * @returns {Promise<boolean>} Success status
  */
 export async function loginWithDeviceCode(profileId, options = {}) {
-  // Request device code
-  const response = await fetch(CODEX_OAUTH_CONFIG.deviceCodeUrl, {
+  const config = resolveOAuthConfig(options.subscriptionType);
+  if (!config.deviceCodeUrl) {
+    throw new Error(`Device code OAuth flow is not supported for subscription type '${normalizeSubscriptionType(options.subscriptionType)}'.`);
+  }
+
+  const tokenProfileKey = toTokenProfileKey(profileId, options.subscriptionType);
+  const response = await fetch(config.deviceCodeUrl, {
     method: 'POST',
     headers: {
       'Content-Type': 'application/x-www-form-urlencoded'
     },
     body: new URLSearchParams({
-      client_id: CODEX_OAUTH_CONFIG.clientId,
-      scope: CODEX_OAUTH_CONFIG.scopes,
-      audience: CODEX_OAUTH_CONFIG.audience
+      client_id: config.clientId,
+      scope: config.scopes
     }).toString()
   });
 
@@ -248,18 +365,16 @@ export async function loginWithDeviceCode(profileId, options = {}) {
   const expiresIn = data.expires_in;
   const interval = data.interval || 5;
 
-  // Notify user
   if (options.onCode) {
     options.onCode({ userCode, verificationUri, expiresIn });
   }
 
-  // Poll for token
   const startTime = Date.now();
   while (Date.now() - startTime < expiresIn * 1000) {
-    await new Promise(r => setTimeout(r, interval * 1000));
+    await new Promise((resolve) => setTimeout(resolve, interval * 1000));
 
     try {
-      const tokenResponse = await fetch(CODEX_OAUTH_CONFIG.tokenUrl, {
+      const tokenResponse = await fetch(config.tokenUrl, {
         method: 'POST',
         headers: {
           'Content-Type': 'application/json'
@@ -267,29 +382,22 @@ export async function loginWithDeviceCode(profileId, options = {}) {
         body: JSON.stringify({
           grant_type: 'urn:ietf:params:oauth:grant-type:device_code',
           device_code: deviceCode,
-          client_id: CODEX_OAUTH_CONFIG.clientId
+          client_id: config.clientId
         })
       });
 
       if (tokenResponse.ok) {
         const tokenData = await tokenResponse.json();
-        const tokens = {
-          accessToken: tokenData.access_token,
-          refreshToken: tokenData.refresh_token,
-          expiresAt: Date.now() + (tokenData.expires_in * 1000),
-          tokenType: tokenData.token_type || 'Bearer',
-          scope: tokenData.scope
-        };
-        await saveTokens(profileId, tokens);
+        await saveTokens(tokenProfileKey, normalizeTokenData(tokenData));
         return true;
       }
 
       const errorData = await tokenResponse.json();
       if (errorData.error === 'authorization_pending') {
-        continue; // Keep polling
+        continue;
       }
       if (errorData.error === 'slow_down') {
-        await new Promise(r => setTimeout(r, interval * 1000));
+        await new Promise((resolve) => setTimeout(resolve, interval * 1000));
         continue;
       }
       throw new Error(`Token polling error: ${errorData.error}`);
@@ -307,32 +415,41 @@ export async function loginWithDeviceCode(profileId, options = {}) {
 /**
  * Logout (delete tokens) for a profile.
  * @param {string} profileId - Provider profile ID
+ * @param {Object} [options] - Options
+ * @param {string} [options.subscriptionType] - Subscription type
  */
-export async function logout(profileId) {
-  await deleteTokens(profileId);
+export async function logout(profileId, options = {}) {
+  const tokenProfileKey = toTokenProfileKey(profileId, options.subscriptionType);
+  await deleteTokens(tokenProfileKey);
 }
 
 /**
  * Check authentication status for a profile.
  * @param {string} profileId - Provider profile ID
+ * @param {Object} [options] - Options
+ * @param {string} [options.subscriptionType] - Subscription type
  * @returns {Promise<Object>} Status object
  */
-export async function getAuthStatus(profileId) {
-  const tokens = await loadTokens(profileId);
-  
+export async function getAuthStatus(profileId, options = {}) {
+  const config = resolveOAuthConfig(options.subscriptionType);
+  const tokenProfileKey = toTokenProfileKey(profileId, options.subscriptionType);
+  const tokens = await loadTokens(tokenProfileKey);
+
   if (!tokens) {
     return {
       authenticated: false,
       profileId,
+      subscriptionType: normalizeSubscriptionType(options.subscriptionType),
       reason: 'No tokens found'
     };
   }
 
-  const expired = isTokenExpired(tokens, CODEX_OAUTH_CONFIG.tokenRefreshBufferMs);
-  
+  const expired = isTokenExpired(tokens, config.tokenRefreshBufferMs);
+
   return {
     authenticated: !expired,
     profileId,
+    subscriptionType: normalizeSubscriptionType(options.subscriptionType),
     expiresAt: tokens.expiresAt,
     expiresAtIso: new Date(tokens.expiresAt).toISOString(),
     expired,
@@ -342,8 +459,24 @@ export async function getAuthStatus(profileId) {
 
 /**
  * List all token profiles with stored subscription credentials.
+ * When subscriptionType is provided, returns only profiles for that type.
+ * @param {Object} [options] - Options
+ * @param {string} [options.subscriptionType] - Subscription type filter
  * @returns {Promise<string[]>} Profile IDs
  */
-export async function listTokenProfiles() {
-  return listTokenProfilesFromStore();
+export async function listTokenProfiles(options = {}) {
+  const requestedType = normalizeSubscriptionType(options.subscriptionType, { allowEmpty: true });
+  const profileKeys = await listTokenProfilesFromStore();
+  const visibleProfiles = [];
+  const seen = new Set();
+
+  for (const profileKey of profileKeys) {
+    const parsed = fromTokenProfileKey(profileKey);
+    if (requestedType && parsed.subscriptionType !== requestedType) continue;
+    if (seen.has(parsed.profileId)) continue;
+    seen.add(parsed.profileId);
+    visibleProfiles.push(parsed.profileId);
+  }
+
+  return visibleProfiles;
 }

package/src/runtime/subscription-constants.js

@@ -1,29 +1,65 @@
 /**
  * Hardcoded Codex subscription models.
- * These are official ChatGPT Codex models that users cannot edit.
- * Updated via llm-router version releases to reflect OpenAI changes.
+ * These are used as the default seed list for ChatGPT subscription providers.
+ * Users can still customize the final saved model list.
  */
 export const CODEX_SUBSCRIPTION_MODELS = Object.freeze([
   'gpt-5.3-codex',
-  'gpt-5.2',
+  'gpt-5.2-codex',
   'gpt-5.1-codex-mini'
 ]);
 
+/**
+ * Hardcoded Claude Code subscription models.
+ * These defaults mirror current Claude Code model naming.
+ * Users can still customize the final saved model list.
+ */
+export const CLAUDE_CODE_SUBSCRIPTION_MODELS = Object.freeze([
+  'claude-sonnet-4-6',
+  'claude-opus-4-6',
+  'claude-haiku-4-5'
+]);
+
 /**
  * OAuth configuration for ChatGPT Codex subscription.
  */
 export const CODEX_OAUTH_CONFIG = Object.freeze({
-  authorizeUrl: 'https://auth.openai.com/authorize',
+  authorizeUrl: 'https://auth.openai.com/oauth/authorize',
   tokenUrl: 'https://auth.openai.com/oauth/token',
   deviceCodeUrl: 'https://auth.openai.com/oauth/device/code',
   callbackPort: 1455,
-  callbackPath: '/callback',
+  callbackPath: '/auth/callback',
   scopes: 'openid profile email offline_access',
-  clientId: 'pdlLIX2Y72MIl2rhLhTE9VV9bN905kBh', // Public Codex CLI client ID
-  audience: 'https://api.openai.com/v1',
+  clientId: 'app_EMoamEEZ73f0CkXaXp7hrann', // Matches current codex-cli browser login flow
+  authorizeParams: Object.freeze({
+    id_token_add_organizations: 'true',
+    codex_cli_simplified_flow: 'true',
+    originator: 'codex_cli_rs'
+  }),
   tokenRefreshBufferMs: 5 * 60 * 1000 // 5 minutes before expiration
 });
 
+/**
+ * OAuth configuration for Claude Code subscription.
+ * Values align with the current Claude Code CLI runtime.
+ */
+export const CLAUDE_CODE_OAUTH_CONFIG = Object.freeze({
+  authorizeUrl: 'https://claude.ai/oauth/authorize',
+  tokenUrl: 'https://platform.claude.com/v1/oauth/token',
+  callbackPort: 1456,
+  callbackPath: '/callback',
+  manualRedirectUrl: 'https://platform.claude.com/oauth/code/callback',
+  scopes: 'user:profile user:inference user:sessions:claude_code user:mcp_servers',
+  clientId: '9d1c250a-e61b-44d9-88ed-5944d1962f5e',
+  authorizeParams: Object.freeze({
+    code: 'true'
+  }),
+  oauthBeta: 'oauth-2025-04-20',
+  apiBaseUrl: 'https://api.anthropic.com',
+  messagesPath: '/v1/messages?beta=true',
+  tokenRefreshBufferMs: 5 * 60 * 1000
+});
+
 /**
  * Token storage directory relative to home.
  */