@oh-my-pi/pi-ai 6.7.67 → 6.8.0

package/src/utils/oauth/openai-codex.ts

@@ -2,34 +2,18 @@
  * OpenAI Codex (ChatGPT OAuth) flow
  */
 
-import { randomBytes } from "node:crypto";
-import http from "node:http";
+import { OAuthCallbackFlow, parseCallbackInput } from "./callback-server";
 import { generatePKCE } from "./pkce";
-import type { OAuthCredentials, OAuthPrompt } from "./types";
+import type { OAuthController, OAuthCredentials } from "./types";
 
 const CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
 const AUTHORIZE_URL = "https://auth.openai.com/oauth/authorize";
 const TOKEN_URL = "https://auth.openai.com/oauth/token";
-const REDIRECT_URI = "http://localhost:1455/auth/callback";
+const CALLBACK_PORT = 1455;
+const CALLBACK_PATH = "/auth/callback";
 const SCOPE = "openid profile email offline_access";
 const JWT_CLAIM_PATH = "https://api.openai.com/auth";
 
-const SUCCESS_HTML = `<!doctype html>
-<html lang="en">
-<head>
-  <meta charset="utf-8" />
-  <meta name="viewport" content="width=device-width, initial-scale=1" />
-  <title>Authentication successful</title>
-</head>
-<body>
-  <p>Authentication successful. Return to your terminal to continue.</p>
-</body>
-</html>`;
-
-type TokenSuccess = { type: "success"; access: string; refresh: string; expires: number };
-type TokenFailure = { type: "failed" };
-type TokenResult = TokenSuccess | TokenFailure;
-
 type JwtPayload = {
 	[JWT_CLAIM_PATH]?: {
 		chatgpt_account_id?: string;
@@ -37,40 +21,6 @@ type JwtPayload = {
 	[key: string]: unknown;
 };
 
-function createState(): string {
-	return randomBytes(16).toString("hex");
-}
-
-function parseAuthorizationInput(input: string): { code?: string; state?: string } {
-	const value = input.trim();
-	if (!value) return {};
-
-	try {
-		const url = new URL(value);
-		return {
-			code: url.searchParams.get("code") ?? undefined,
-			state: url.searchParams.get("state") ?? undefined,
-		};
-	} catch {
-		// not a URL
-	}
-
-	if (value.includes("#")) {
-		const [code, state] = value.split("#", 2);
-		return { code, state };
-	}
-
-	if (value.includes("code=")) {
-		const params = new URLSearchParams(value);
-		return {
-			code: params.get("code") ?? undefined,
-			state: params.get("state") ?? undefined,
-		};
-	}
-
-	return { code: value };
-}
-
 function decodeJwt(token: string): JwtPayload | null {
 	try {
 		const parts = token.split(".");
@@ -83,306 +33,153 @@ function decodeJwt(token: string): JwtPayload | null {
 	}
 }
 
-async function exchangeAuthorizationCode(
-	code: string,
-	verifier: string,
-	redirectUri: string = REDIRECT_URI,
-): Promise<TokenResult> {
-	const response = await fetch(TOKEN_URL, {
-		method: "POST",
-		headers: { "Content-Type": "application/x-www-form-urlencoded" },
-		body: new URLSearchParams({
-			grant_type: "authorization_code",
-			client_id: CLIENT_ID,
-			code,
-			code_verifier: verifier,
-			redirect_uri: redirectUri,
-		}),
-	});
+function getAccountId(accessToken: string): string | null {
+	const payload = decodeJwt(accessToken);
+	const auth = payload?.[JWT_CLAIM_PATH];
+	const accountId = auth?.chatgpt_account_id;
+	return typeof accountId === "string" && accountId.length > 0 ? accountId : null;
+}
 
-	if (!response.ok) {
-		const text = await response.text().catch(() => "");
-		console.error("[openai-codex] code->token failed:", response.status, text);
-		return { type: "failed" };
+class OpenAICodexOAuthFlow extends OAuthCallbackFlow {
+	private verifier: string = "";
+	private challenge: string = "";
+
+	constructor(ctrl: OAuthController) {
+		super(ctrl, CALLBACK_PORT, CALLBACK_PATH);
 	}
 
-	const json = (await response.json()) as {
-		access_token?: string;
-		refresh_token?: string;
-		expires_in?: number;
-	};
+	protected async generateAuthUrl(
+		state: string,
+		redirectUri: string,
+	): Promise<{ url: string; instructions?: string }> {
+		const pkce = await generatePKCE();
+		this.verifier = pkce.verifier;
+		this.challenge = pkce.challenge;
 
-	if (!json.access_token || !json.refresh_token || typeof json.expires_in !== "number") {
-		console.error("[openai-codex] token response missing fields:", json);
-		return { type: "failed" };
-	}
+		const searchParams = new URLSearchParams({
+			response_type: "code",
+			client_id: CLIENT_ID,
+			redirect_uri: redirectUri,
+			scope: SCOPE,
+			code_challenge: this.challenge,
+			code_challenge_method: "S256",
+			state,
+			id_token_add_organizations: "true",
+			codex_cli_simplified_flow: "true",
+			originator: "opencode",
+		});
 
-	return {
-		type: "success",
-		access: json.access_token,
-		refresh: json.refresh_token,
-		expires: Date.now() + json.expires_in * 1000,
-	};
-}
+		const url = `${AUTHORIZE_URL}?${searchParams.toString()}`;
+		return { url, instructions: "A browser window should open. Complete login to finish." };
+	}
 
-async function refreshAccessToken(refreshToken: string): Promise<TokenResult> {
-	try {
-		const response = await fetch(TOKEN_URL, {
+	protected async exchangeToken(code: string, _state: string, redirectUri: string): Promise<OAuthCredentials> {
+		const tokenResponse = await fetch(TOKEN_URL, {
 			method: "POST",
 			headers: { "Content-Type": "application/x-www-form-urlencoded" },
 			body: new URLSearchParams({
-				grant_type: "refresh_token",
-				refresh_token: refreshToken,
+				grant_type: "authorization_code",
 				client_id: CLIENT_ID,
+				code,
+				code_verifier: this.verifier,
+				redirect_uri: redirectUri,
 			}),
 		});
 
-		if (!response.ok) {
-			const text = await response.text().catch(() => "");
-			console.error("[openai-codex] Token refresh failed:", response.status, text);
-			return { type: "failed" };
+		if (!tokenResponse.ok) {
+			throw new Error(`Token exchange failed: ${tokenResponse.status}`);
 		}
 
-		const json = (await response.json()) as {
+		const tokenData = (await tokenResponse.json()) as {
 			access_token?: string;
 			refresh_token?: string;
 			expires_in?: number;
 		};
 
-		if (!json.access_token || !json.refresh_token || typeof json.expires_in !== "number") {
-			console.error("[openai-codex] Token refresh response missing fields:", json);
-			return { type: "failed" };
+		if (!tokenData.access_token || !tokenData.refresh_token || typeof tokenData.expires_in !== "number") {
+			throw new Error("Token response missing required fields");
+		}
+
+		const accountId = getAccountId(tokenData.access_token);
+		if (!accountId) {
+			throw new Error("Failed to extract accountId from token");
 		}
 
 		return {
-			type: "success",
-			access: json.access_token,
-			refresh: json.refresh_token,
-			expires: Date.now() + json.expires_in * 1000,
+			access: tokenData.access_token,
+			refresh: tokenData.refresh_token,
+			expires: Date.now() + tokenData.expires_in * 1000,
+			accountId,
 		};
-	} catch (error) {
-		console.error("[openai-codex] Token refresh error:", error);
-		return { type: "failed" };
 	}
 }
 
-async function createAuthorizationFlow(): Promise<{ verifier: string; state: string; url: string }> {
-	const { verifier, challenge } = await generatePKCE();
-	const state = createState();
-
-	const url = new URL(AUTHORIZE_URL);
-	url.searchParams.set("response_type", "code");
-	url.searchParams.set("client_id", CLIENT_ID);
-	url.searchParams.set("redirect_uri", REDIRECT_URI);
-	url.searchParams.set("scope", SCOPE);
-	url.searchParams.set("code_challenge", challenge);
-	url.searchParams.set("code_challenge_method", "S256");
-	url.searchParams.set("state", state);
-	url.searchParams.set("id_token_add_organizations", "true");
-	url.searchParams.set("codex_cli_simplified_flow", "true");
-	url.searchParams.set("originator", "opencode");
-
-	return { verifier, state, url: url.toString() };
-}
-
-type OAuthServerInfo = {
-	close: () => void;
-	cancelWait: () => void;
-	waitForCode: () => Promise<{ code: string } | null>;
-};
-
-function startLocalOAuthServer(state: string): Promise<OAuthServerInfo> {
-	let lastCode: string | null = null;
-	let cancelled = false;
-	const server = http.createServer((req, res) => {
-		try {
-			const url = new URL(req.url || "", "http://localhost");
-			if (url.pathname !== "/auth/callback") {
-				res.statusCode = 404;
-				res.end("Not found");
-				return;
-			}
-			if (url.searchParams.get("state") !== state) {
-				res.statusCode = 400;
-				res.end("State mismatch");
-				return;
-			}
-			const code = url.searchParams.get("code");
-			if (!code) {
-				res.statusCode = 400;
-				res.end("Missing authorization code");
-				return;
-			}
-			res.statusCode = 200;
-			res.setHeader("Content-Type", "text/html; charset=utf-8");
-			res.end(SUCCESS_HTML);
-			lastCode = code;
-		} catch {
-			res.statusCode = 500;
-			res.end("Internal error");
-		}
-	});
-
-	return new Promise((resolve) => {
-		server
-			.listen(1455, "127.0.0.1", () => {
-				resolve({
-					close: () => server.close(),
-					cancelWait: () => {
-						cancelled = true;
-					},
-					waitForCode: async () => {
-						const sleep = () => new Promise((r) => setTimeout(r, 100));
-						for (let i = 0; i < 600; i += 1) {
-							if (lastCode) return { code: lastCode };
-							if (cancelled) return null;
-							await sleep();
-						}
-						return null;
-					},
-				});
-			})
-			.on("error", (err: NodeJS.ErrnoException) => {
-				console.error(
-					"[openai-codex] Failed to bind http://127.0.0.1:1455 (",
-					err.code,
-					") Falling back to manual paste.",
-				);
-				resolve({
-					close: () => {
-						try {
-							server.close();
-						} catch {
-							// ignore
-						}
-					},
-					cancelWait: () => {},
-					waitForCode: async () => null,
-				});
-			});
-	});
-}
-
-function getAccountId(accessToken: string): string | null {
-	const payload = decodeJwt(accessToken);
-	const auth = payload?.[JWT_CLAIM_PATH];
-	const accountId = auth?.chatgpt_account_id;
-	return typeof accountId === "string" && accountId.length > 0 ? accountId : null;
-}
-
 /**
  * Login with OpenAI Codex OAuth
- *
- * @param options.onAuth - Called with URL and instructions when auth starts
- * @param options.onPrompt - Called to prompt user for manual code paste (fallback if no onManualCodeInput)
- * @param options.onProgress - Optional progress messages
- * @param options.onManualCodeInput - Optional promise that resolves with user-pasted code.
- *                                    Races with browser callback - whichever completes first wins.
- *                                    Useful for showing paste input immediately alongside browser flow.
  */
-export async function loginOpenAICodex(options: {
-	onAuth: (info: { url: string; instructions?: string }) => void;
-	onPrompt: (prompt: OAuthPrompt) => Promise<string>;
-	onProgress?: (message: string) => void;
-	onManualCodeInput?: () => Promise<string>;
-}): Promise<OAuthCredentials> {
-	const { verifier, state, url } = await createAuthorizationFlow();
-	const server = await startLocalOAuthServer(state);
-
-	options.onAuth({ url, instructions: "A browser window should open. Complete login to finish." });
-
-	let code: string | undefined;
+export async function loginOpenAICodex(ctrl: OAuthController): Promise<OAuthCredentials> {
+	const flow = new OpenAICodexOAuthFlow(ctrl);
+
 	try {
-		if (options.onManualCodeInput) {
-			// Race between browser callback and manual input
-			let manualCode: string | undefined;
-			let manualError: Error | undefined;
-			const manualPromise = options
-				.onManualCodeInput()
-				.then((input) => {
-					manualCode = input;
-					server.cancelWait();
-				})
-				.catch((err) => {
-					manualError = err instanceof Error ? err : new Error(String(err));
-					server.cancelWait();
-				});
-
-			const result = await server.waitForCode();
-
-			// If manual input was cancelled, throw that error
-			if (manualError) {
-				throw manualError;
-			}
-
-			if (result?.code) {
-				// Browser callback won
-				code = result.code;
-			} else if (manualCode) {
-				// Manual input won (or callback timed out and user had entered code)
-				const parsed = parseAuthorizationInput(manualCode);
-				if (parsed.state && parsed.state !== state) {
-					throw new Error("State mismatch");
-				}
-				code = parsed.code;
-			}
-
-			// If still no code, wait for manual promise to complete and try that
-			if (!code) {
-				await manualPromise;
-				if (manualError) {
-					throw manualError;
-				}
-				if (manualCode) {
-					const parsed = parseAuthorizationInput(manualCode);
-					if (parsed.state && parsed.state !== state) {
-						throw new Error("State mismatch");
-					}
-					code = parsed.code;
-				}
-			}
-		} else {
-			// Original flow: wait for callback, then prompt if needed
-			const result = await server.waitForCode();
-			if (result?.code) {
-				code = result.code;
-			}
+		return await flow.login();
+	} catch (error) {
+		// Callback failed - fall back to onPrompt if available
+		if (!ctrl.onPrompt) {
+			throw error;
 		}
 
-		// Fallback to onPrompt if still no code
-		if (!code) {
-			const input = await options.onPrompt({
-				message: "Paste the authorization code (or full redirect URL):",
-			});
-			const parsed = parseAuthorizationInput(input);
-			if (parsed.state && parsed.state !== state) {
-				throw new Error("State mismatch");
-			}
-			code = parsed.code;
+		ctrl.onProgress?.("Callback server failed, falling back to manual input");
+
+		const input = await ctrl.onPrompt({
+			message: "Paste the authorization code (or full redirect URL):",
+		});
+
+		const parsed = parseCallbackInput(input);
+		if (!parsed.code) {
+			throw new Error("No authorization code found in input");
 		}
 
-		if (!code) {
-			throw new Error("Missing authorization code");
+		const redirectUri = `http://localhost:${CALLBACK_PORT}${CALLBACK_PATH}`;
+
+		// Manual token exchange
+		const pkce = await generatePKCE();
+		const tokenResponse = await fetch(TOKEN_URL, {
+			method: "POST",
+			headers: { "Content-Type": "application/x-www-form-urlencoded" },
+			body: new URLSearchParams({
+				grant_type: "authorization_code",
+				client_id: CLIENT_ID,
+				code: parsed.code,
+				code_verifier: pkce.verifier,
+				redirect_uri: redirectUri,
+			}),
+		});
+
+		if (!tokenResponse.ok) {
+			throw new Error(`Token exchange failed: ${tokenResponse.status}`);
 		}
 
-		const tokenResult = await exchangeAuthorizationCode(code, verifier);
-		if (tokenResult.type !== "success") {
-			throw new Error("Token exchange failed");
+		const tokenData = (await tokenResponse.json()) as {
+			access_token?: string;
+			refresh_token?: string;
+			expires_in?: number;
+		};
+
+		if (!tokenData.access_token || !tokenData.refresh_token || typeof tokenData.expires_in !== "number") {
+			throw new Error("Token response missing required fields");
 		}
 
-		const accountId = getAccountId(tokenResult.access);
+		const accountId = getAccountId(tokenData.access_token);
 		if (!accountId) {
 			throw new Error("Failed to extract accountId from token");
 		}
 
 		return {
-			access: tokenResult.access,
-			refresh: tokenResult.refresh,
-			expires: tokenResult.expires,
+			access: tokenData.access_token,
+			refresh: tokenData.refresh_token,
+			expires: Date.now() + tokenData.expires_in * 1000,
 			accountId,
 		};
-	} finally {
-		server.close();
 	}
 }
 
@@ -390,20 +187,36 @@ export async function loginOpenAICodex(options: {
  * Refresh OpenAI Codex OAuth token
  */
 export async function refreshOpenAICodexToken(refreshToken: string): Promise<OAuthCredentials> {
-	const result = await refreshAccessToken(refreshToken);
-	if (result.type !== "success") {
-		throw new Error("Failed to refresh OpenAI Codex token");
+	const response = await fetch(TOKEN_URL, {
+		method: "POST",
+		headers: { "Content-Type": "application/x-www-form-urlencoded" },
+		body: new URLSearchParams({
+			grant_type: "refresh_token",
+			refresh_token: refreshToken,
+			client_id: CLIENT_ID,
+		}),
+	});
+
+	if (!response.ok) {
+		throw new Error(`OpenAI Codex token refresh failed: ${response.status}`);
 	}
 
-	const accountId = getAccountId(result.access);
-	if (!accountId) {
-		throw new Error("Failed to extract accountId from token");
+	const tokenData = (await response.json()) as {
+		access_token?: string;
+		refresh_token?: string;
+		expires_in?: number;
+	};
+
+	if (!tokenData.access_token || !tokenData.refresh_token || typeof tokenData.expires_in !== "number") {
+		throw new Error("Token response missing required fields");
 	}
 
+	const accountId = getAccountId(tokenData.access_token);
+
 	return {
-		access: result.access,
-		refresh: result.refresh,
-		expires: result.expires,
-		accountId,
+		access: tokenData.access_token,
+		refresh: tokenData.refresh_token || refreshToken,
+		expires: Date.now() + tokenData.expires_in * 1000,
+		accountId: accountId ?? undefined,
 	};
 }

package/src/utils/oauth/pkce.ts

@@ -20,7 +20,7 @@ function base64urlEncode(bytes: Uint8Array): string {
  */
 export async function generatePKCE(): Promise<{ verifier: string; challenge: string }> {
 	// Generate random verifier
-	const verifierBytes = new Uint8Array(32);
+	const verifierBytes = new Uint8Array(96);
 	crypto.getRandomValues(verifierBytes);
 	const verifier = base64urlEncode(verifierBytes);
 

package/src/utils/oauth/types.ts

@@ -32,3 +32,11 @@ export interface OAuthProviderInfo {
 	name: string;
 	available: boolean;
 }
+
+export interface OAuthController {
+	onAuth?(info: { url: string; instructions?: string }): void;
+	onProgress?(message: string): void;
+	onManualCodeInput?(): Promise<string>;
+	onPrompt?(prompt: OAuthPrompt): Promise<string>;
+	signal?: AbortSignal;
+}