@oh-my-pi/pi-ai 6.7.670 → 6.8.1

package/src/utils/oauth/oauth.html

@@ -0,0 +1,199 @@
+<!doctype html>
+<html lang="en">
+	<head>
+		<meta charset="UTF-8" />
+		<meta name="viewport" content="width=device-width, initial-scale=1.0" />
+		<title>Authentication</title>
+		<style>
+			:root {
+				--bg: #09090b;
+				--card-bg: #18181b;
+				--text-main: #fafafa;
+				--text-muted: #a1a1aa;
+				--success: #22c55e;
+				--error: #ef4444;
+				--border: #27272a;
+			}
+			body {
+				font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif;
+				background-color: var(--bg);
+				color: var(--text-main);
+				display: flex;
+				align-items: center;
+				justify-content: center;
+				height: 100vh;
+				margin: 0;
+				overflow: hidden;
+			}
+			.container {
+				background: var(--card-bg);
+				border: 1px solid var(--border);
+				border-radius: 12px;
+				padding: 2.5rem;
+				width: 100%;
+				max-width: 400px;
+				text-align: center;
+				box-shadow:
+					0 20px 25px -5px rgba(0, 0, 0, 0.1),
+					0 10px 10px -5px rgba(0, 0, 0, 0.04);
+				opacity: 0;
+				transform: translateY(10px);
+				animation: fadeIn 0.4s ease-out forwards;
+			}
+			@keyframes fadeIn {
+				to {
+					opacity: 1;
+					transform: translateY(0);
+				}
+			}
+			.icon-circle {
+				position: relative;
+				width: 64px;
+				height: 64px;
+				border-radius: 50%;
+				display: flex;
+				align-items: center;
+				justify-content: center;
+				margin: 0 auto 1.5rem;
+				background: rgba(255, 255, 255, 0.05);
+			}
+			.icon {
+				width: 32px;
+				height: 32px;
+				z-index: 2;
+			}
+			.timer-svg {
+				position: absolute;
+				top: -2px;
+				left: -2px;
+				width: 68px;
+				height: 68px;
+				transform: rotate(-90deg);
+				z-index: 1;
+				pointer-events: none;
+			}
+			.timer-circle {
+				fill: none;
+				stroke-width: 2;
+				stroke-linecap: round;
+				stroke-dasharray: 201;
+				stroke-dashoffset: 0;
+			}
+			.countdown .timer-circle {
+				animation: countdown 3s linear forwards;
+			}
+			@keyframes countdown {
+				to {
+					stroke-dashoffset: 201;
+				}
+			}
+			h1 {
+				font-size: 1.5rem;
+				font-weight: 600;
+				margin: 0 0 0.75rem;
+				letter-spacing: -0.025em;
+			}
+			p {
+				color: var(--text-muted);
+				line-height: 1.5;
+				margin: 0 0 1.5rem;
+				font-size: 0.95rem;
+			}
+			.btn {
+				display: inline-block;
+				background: var(--text-main);
+				color: var(--bg);
+				font-weight: 500;
+				padding: 0.6rem 1.2rem;
+				border-radius: 6px;
+				text-decoration: none;
+				font-size: 0.9rem;
+				transition: opacity 0.2s;
+				cursor: pointer;
+				border: none;
+			}
+			.btn:hover {
+				opacity: 0.9;
+			}
+
+			/* State: success */
+			.success .icon-circle {
+				background: rgba(34, 197, 94, 0.1);
+			}
+			.success .icon {
+				color: var(--success);
+			}
+			.success .timer-circle {
+				stroke: var(--success);
+			}
+			.success .icon-error {
+				display: none;
+			}
+
+			/* State: error */
+			.error .icon-circle {
+				background: rgba(239, 68, 68, 0.1);
+			}
+			.error .icon {
+				color: var(--error);
+			}
+			.error .timer-circle {
+				stroke: var(--error);
+			}
+			.error .icon-success,
+			.error .timer-svg {
+				display: none;
+			}
+		</style>
+	</head>
+	<body>
+		<div id="app" class="container">
+			<div class="icon-circle">
+				<svg class="timer-svg" viewBox="0 0 68 68">
+					<circle class="timer-circle" cx="34" cy="34" r="32"></circle>
+				</svg>
+				<svg class="icon icon-success" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2">
+					<path stroke-linecap="round" stroke-linejoin="round" d="M5 13l4 4L19 7" />
+				</svg>
+				<svg class="icon icon-error" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2">
+					<path stroke-linecap="round" stroke-linejoin="round" d="M6 18L18 6M6 6l12 12" />
+				</svg>
+			</div>
+			<h1 id="title">Authentication</h1>
+			<p id="message"></p>
+			<button onclick="window.close()" class="btn">Close Window</button>
+		</div>
+
+		<script id="server-state" type="application/json">
+			__OAUTH_STATE__
+		</script>
+
+		<script>
+			let serverState;
+			try {
+				serverState = JSON.parse(document.getElementById("server-state").textContent);
+			} catch {
+				const params = new URLSearchParams(window.location.search);
+				serverState = {
+					ok: params.get("ok") === "1",
+					error: params.get("error") || "Authentication failed",
+				};
+			}
+
+			const app = document.getElementById("app");
+			const title = document.getElementById("title");
+			const message = document.getElementById("message");
+
+			if (serverState.ok) {
+				app.classList.add("success", "countdown");
+				title.textContent = "Authentication Successful";
+				message.innerHTML = "You have successfully logged in.<br>This window will close automatically.";
+				setTimeout(() => window.close(), 3000);
+			} else {
+				app.classList.add("error");
+				title.textContent = "Authentication Failed";
+				message.textContent = serverState.error || "An error occurred";
+			}
+		</script>
+	</body>
+</html>

package/src/utils/oauth/openai-codex.ts

@@ -2,34 +2,18 @@
  * OpenAI Codex (ChatGPT OAuth) flow
  */
 
-import { randomBytes } from "node:crypto";
-import http from "node:http";
+import { OAuthCallbackFlow, parseCallbackInput } from "./callback-server";
 import { generatePKCE } from "./pkce";
-import type { OAuthCredentials, OAuthPrompt } from "./types";
+import type { OAuthController, OAuthCredentials } from "./types";
 
 const CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
 const AUTHORIZE_URL = "https://auth.openai.com/oauth/authorize";
 const TOKEN_URL = "https://auth.openai.com/oauth/token";
-const REDIRECT_URI = "http://localhost:1455/auth/callback";
+const CALLBACK_PORT = 1455;
+const CALLBACK_PATH = "/auth/callback";
 const SCOPE = "openid profile email offline_access";
 const JWT_CLAIM_PATH = "https://api.openai.com/auth";
 
-const SUCCESS_HTML = `<!doctype html>
-<html lang="en">
-<head>
-  <meta charset="utf-8" />
-  <meta name="viewport" content="width=device-width, initial-scale=1" />
-  <title>Authentication successful</title>
-</head>
-<body>
-  <p>Authentication successful. Return to your terminal to continue.</p>
-</body>
-</html>`;
-
-type TokenSuccess = { type: "success"; access: string; refresh: string; expires: number };
-type TokenFailure = { type: "failed" };
-type TokenResult = TokenSuccess | TokenFailure;
-
 type JwtPayload = {
 	[JWT_CLAIM_PATH]?: {
 		chatgpt_account_id?: string;
@@ -37,40 +21,6 @@ type JwtPayload = {
 	[key: string]: unknown;
 };
 
-function createState(): string {
-	return randomBytes(16).toString("hex");
-}
-
-function parseAuthorizationInput(input: string): { code?: string; state?: string } {
-	const value = input.trim();
-	if (!value) return {};
-
-	try {
-		const url = new URL(value);
-		return {
-			code: url.searchParams.get("code") ?? undefined,
-			state: url.searchParams.get("state") ?? undefined,
-		};
-	} catch {
-		// not a URL
-	}
-
-	if (value.includes("#")) {
-		const [code, state] = value.split("#", 2);
-		return { code, state };
-	}
-
-	if (value.includes("code=")) {
-		const params = new URLSearchParams(value);
-		return {
-			code: params.get("code") ?? undefined,
-			state: params.get("state") ?? undefined,
-		};
-	}
-
-	return { code: value };
-}
-
 function decodeJwt(token: string): JwtPayload | null {
 	try {
 		const parts = token.split(".");
@@ -83,12 +33,54 @@ function decodeJwt(token: string): JwtPayload | null {
 	}
 }
 
-async function exchangeAuthorizationCode(
-	code: string,
-	verifier: string,
-	redirectUri: string = REDIRECT_URI,
-): Promise<TokenResult> {
-	const response = await fetch(TOKEN_URL, {
+function getAccountId(accessToken: string): string | null {
+	const payload = decodeJwt(accessToken);
+	const auth = payload?.[JWT_CLAIM_PATH];
+	const accountId = auth?.chatgpt_account_id;
+	return typeof accountId === "string" && accountId.length > 0 ? accountId : null;
+}
+
+interface PKCE {
+	verifier: string;
+	challenge: string;
+}
+
+class OpenAICodexOAuthFlow extends OAuthCallbackFlow {
+	constructor(
+		ctrl: OAuthController,
+		private readonly pkce: PKCE,
+	) {
+		super(ctrl, CALLBACK_PORT, CALLBACK_PATH);
+	}
+
+	protected async generateAuthUrl(
+		state: string,
+		redirectUri: string,
+	): Promise<{ url: string; instructions?: string }> {
+		const searchParams = new URLSearchParams({
+			response_type: "code",
+			client_id: CLIENT_ID,
+			redirect_uri: redirectUri,
+			scope: SCOPE,
+			code_challenge: this.pkce.challenge,
+			code_challenge_method: "S256",
+			state,
+			id_token_add_organizations: "true",
+			codex_cli_simplified_flow: "true",
+			originator: "opencode",
+		});
+
+		const url = `${AUTHORIZE_URL}?${searchParams.toString()}`;
+		return { url, instructions: "A browser window should open. Complete login to finish." };
+	}
+
+	protected async exchangeToken(code: string, _state: string, redirectUri: string): Promise<OAuthCredentials> {
+		return exchangeCodeForToken(code, this.pkce.verifier, redirectUri);
+	}
+}
+
+async function exchangeCodeForToken(code: string, verifier: string, redirectUri: string): Promise<OAuthCredentials> {
+	const tokenResponse = await fetch(TOKEN_URL, {
 		method: "POST",
 		headers: { "Content-Type": "application/x-www-form-urlencoded" },
 		body: new URLSearchParams({
@@ -100,289 +92,60 @@ async function exchangeAuthorizationCode(
 		}),
 	});
 
-	if (!response.ok) {
-		const text = await response.text().catch(() => "");
-		console.error("[openai-codex] code->token failed:", response.status, text);
-		return { type: "failed" };
+	if (!tokenResponse.ok) {
+		throw new Error(`Token exchange failed: ${tokenResponse.status}`);
 	}
 
-	const json = (await response.json()) as {
+	const tokenData = (await tokenResponse.json()) as {
 		access_token?: string;
 		refresh_token?: string;
 		expires_in?: number;
 	};
 
-	if (!json.access_token || !json.refresh_token || typeof json.expires_in !== "number") {
-		console.error("[openai-codex] token response missing fields:", json);
-		return { type: "failed" };
+	if (!tokenData.access_token || !tokenData.refresh_token || typeof tokenData.expires_in !== "number") {
+		throw new Error("Token response missing required fields");
 	}
 
-	return {
-		type: "success",
-		access: json.access_token,
-		refresh: json.refresh_token,
-		expires: Date.now() + json.expires_in * 1000,
-	};
-}
-
-async function refreshAccessToken(refreshToken: string): Promise<TokenResult> {
-	try {
-		const response = await fetch(TOKEN_URL, {
-			method: "POST",
-			headers: { "Content-Type": "application/x-www-form-urlencoded" },
-			body: new URLSearchParams({
-				grant_type: "refresh_token",
-				refresh_token: refreshToken,
-				client_id: CLIENT_ID,
-			}),
-		});
-
-		if (!response.ok) {
-			const text = await response.text().catch(() => "");
-			console.error("[openai-codex] Token refresh failed:", response.status, text);
-			return { type: "failed" };
-		}
-
-		const json = (await response.json()) as {
-			access_token?: string;
-			refresh_token?: string;
-			expires_in?: number;
-		};
-
-		if (!json.access_token || !json.refresh_token || typeof json.expires_in !== "number") {
-			console.error("[openai-codex] Token refresh response missing fields:", json);
-			return { type: "failed" };
-		}
-
-		return {
-			type: "success",
-			access: json.access_token,
-			refresh: json.refresh_token,
-			expires: Date.now() + json.expires_in * 1000,
-		};
-	} catch (error) {
-		console.error("[openai-codex] Token refresh error:", error);
-		return { type: "failed" };
+	const accountId = getAccountId(tokenData.access_token);
+	if (!accountId) {
+		throw new Error("Failed to extract accountId from token");
 	}
-}
-
-async function createAuthorizationFlow(): Promise<{ verifier: string; state: string; url: string }> {
-	const { verifier, challenge } = await generatePKCE();
-	const state = createState();
-
-	const url = new URL(AUTHORIZE_URL);
-	url.searchParams.set("response_type", "code");
-	url.searchParams.set("client_id", CLIENT_ID);
-	url.searchParams.set("redirect_uri", REDIRECT_URI);
-	url.searchParams.set("scope", SCOPE);
-	url.searchParams.set("code_challenge", challenge);
-	url.searchParams.set("code_challenge_method", "S256");
-	url.searchParams.set("state", state);
-	url.searchParams.set("id_token_add_organizations", "true");
-	url.searchParams.set("codex_cli_simplified_flow", "true");
-	url.searchParams.set("originator", "opencode");
-
-	return { verifier, state, url: url.toString() };
-}
-
-type OAuthServerInfo = {
-	close: () => void;
-	cancelWait: () => void;
-	waitForCode: () => Promise<{ code: string } | null>;
-};
-
-function startLocalOAuthServer(state: string): Promise<OAuthServerInfo> {
-	let lastCode: string | null = null;
-	let cancelled = false;
-	const server = http.createServer((req, res) => {
-		try {
-			const url = new URL(req.url || "", "http://localhost");
-			if (url.pathname !== "/auth/callback") {
-				res.statusCode = 404;
-				res.end("Not found");
-				return;
-			}
-			if (url.searchParams.get("state") !== state) {
-				res.statusCode = 400;
-				res.end("State mismatch");
-				return;
-			}
-			const code = url.searchParams.get("code");
-			if (!code) {
-				res.statusCode = 400;
-				res.end("Missing authorization code");
-				return;
-			}
-			res.statusCode = 200;
-			res.setHeader("Content-Type", "text/html; charset=utf-8");
-			res.end(SUCCESS_HTML);
-			lastCode = code;
-		} catch {
-			res.statusCode = 500;
-			res.end("Internal error");
-		}
-	});
-
-	return new Promise((resolve) => {
-		server
-			.listen(1455, "127.0.0.1", () => {
-				resolve({
-					close: () => server.close(),
-					cancelWait: () => {
-						cancelled = true;
-					},
-					waitForCode: async () => {
-						const sleep = () => new Promise((r) => setTimeout(r, 100));
-						for (let i = 0; i < 600; i += 1) {
-							if (lastCode) return { code: lastCode };
-							if (cancelled) return null;
-							await sleep();
-						}
-						return null;
-					},
-				});
-			})
-			.on("error", (err: NodeJS.ErrnoException) => {
-				console.error(
-					"[openai-codex] Failed to bind http://127.0.0.1:1455 (",
-					err.code,
-					") Falling back to manual paste.",
-				);
-				resolve({
-					close: () => {
-						try {
-							server.close();
-						} catch {
-							// ignore
-						}
-					},
-					cancelWait: () => {},
-					waitForCode: async () => null,
-				});
-			});
-	});
-}
 
-function getAccountId(accessToken: string): string | null {
-	const payload = decodeJwt(accessToken);
-	const auth = payload?.[JWT_CLAIM_PATH];
-	const accountId = auth?.chatgpt_account_id;
-	return typeof accountId === "string" && accountId.length > 0 ? accountId : null;
+	return {
+		access: tokenData.access_token,
+		refresh: tokenData.refresh_token,
+		expires: Date.now() + tokenData.expires_in * 1000,
+		accountId,
+	};
 }
 
 /**
  * Login with OpenAI Codex OAuth
- *
- * @param options.onAuth - Called with URL and instructions when auth starts
- * @param options.onPrompt - Called to prompt user for manual code paste (fallback if no onManualCodeInput)
- * @param options.onProgress - Optional progress messages
- * @param options.onManualCodeInput - Optional promise that resolves with user-pasted code.
- *                                    Races with browser callback - whichever completes first wins.
- *                                    Useful for showing paste input immediately alongside browser flow.
  */
-export async function loginOpenAICodex(options: {
-	onAuth: (info: { url: string; instructions?: string }) => void;
-	onPrompt: (prompt: OAuthPrompt) => Promise<string>;
-	onProgress?: (message: string) => void;
-	onManualCodeInput?: () => Promise<string>;
-}): Promise<OAuthCredentials> {
-	const { verifier, state, url } = await createAuthorizationFlow();
-	const server = await startLocalOAuthServer(state);
-
-	options.onAuth({ url, instructions: "A browser window should open. Complete login to finish." });
+export async function loginOpenAICodex(ctrl: OAuthController): Promise<OAuthCredentials> {
+	const pkce = await generatePKCE();
+	const flow = new OpenAICodexOAuthFlow(ctrl, pkce);
+	const redirectUri = `http://localhost:${CALLBACK_PORT}${CALLBACK_PATH}`;
 
-	let code: string | undefined;
 	try {
-		if (options.onManualCodeInput) {
-			// Race between browser callback and manual input
-			let manualCode: string | undefined;
-			let manualError: Error | undefined;
-			const manualPromise = options
-				.onManualCodeInput()
-				.then((input) => {
-					manualCode = input;
-					server.cancelWait();
-				})
-				.catch((err) => {
-					manualError = err instanceof Error ? err : new Error(String(err));
-					server.cancelWait();
-				});
-
-			const result = await server.waitForCode();
-
-			// If manual input was cancelled, throw that error
-			if (manualError) {
-				throw manualError;
-			}
-
-			if (result?.code) {
-				// Browser callback won
-				code = result.code;
-			} else if (manualCode) {
-				// Manual input won (or callback timed out and user had entered code)
-				const parsed = parseAuthorizationInput(manualCode);
-				if (parsed.state && parsed.state !== state) {
-					throw new Error("State mismatch");
-				}
-				code = parsed.code;
-			}
-
-			// If still no code, wait for manual promise to complete and try that
-			if (!code) {
-				await manualPromise;
-				if (manualError) {
-					throw manualError;
-				}
-				if (manualCode) {
-					const parsed = parseAuthorizationInput(manualCode);
-					if (parsed.state && parsed.state !== state) {
-						throw new Error("State mismatch");
-					}
-					code = parsed.code;
-				}
-			}
-		} else {
-			// Original flow: wait for callback, then prompt if needed
-			const result = await server.waitForCode();
-			if (result?.code) {
-				code = result.code;
-			}
+		return await flow.login();
+	} catch (error) {
+		if (!ctrl.onPrompt) {
+			throw error;
 		}
 
-		// Fallback to onPrompt if still no code
-		if (!code) {
-			const input = await options.onPrompt({
-				message: "Paste the authorization code (or full redirect URL):",
-			});
-			const parsed = parseAuthorizationInput(input);
-			if (parsed.state && parsed.state !== state) {
-				throw new Error("State mismatch");
-			}
-			code = parsed.code;
-		}
+		ctrl.onProgress?.("Callback server failed, falling back to manual input");
 
-		if (!code) {
-			throw new Error("Missing authorization code");
-		}
-
-		const tokenResult = await exchangeAuthorizationCode(code, verifier);
-		if (tokenResult.type !== "success") {
-			throw new Error("Token exchange failed");
-		}
+		const input = await ctrl.onPrompt({
+			message: "Paste the authorization code (or full redirect URL):",
+		});
 
-		const accountId = getAccountId(tokenResult.access);
-		if (!accountId) {
-			throw new Error("Failed to extract accountId from token");
+		const parsed = parseCallbackInput(input);
+		if (!parsed.code) {
+			throw new Error("No authorization code found in input");
 		}
 
-		return {
-			access: tokenResult.access,
-			refresh: tokenResult.refresh,
-			expires: tokenResult.expires,
-			accountId,
-		};
-	} finally {
-		server.close();
+		return exchangeCodeForToken(parsed.code, pkce.verifier, redirectUri);
 	}
 }
 
@@ -390,20 +153,36 @@ export async function loginOpenAICodex(options: {
  * Refresh OpenAI Codex OAuth token
  */
 export async function refreshOpenAICodexToken(refreshToken: string): Promise<OAuthCredentials> {
-	const result = await refreshAccessToken(refreshToken);
-	if (result.type !== "success") {
-		throw new Error("Failed to refresh OpenAI Codex token");
+	const response = await fetch(TOKEN_URL, {
+		method: "POST",
+		headers: { "Content-Type": "application/x-www-form-urlencoded" },
+		body: new URLSearchParams({
+			grant_type: "refresh_token",
+			refresh_token: refreshToken,
+			client_id: CLIENT_ID,
+		}),
+	});
+
+	if (!response.ok) {
+		throw new Error(`OpenAI Codex token refresh failed: ${response.status}`);
 	}
 
-	const accountId = getAccountId(result.access);
-	if (!accountId) {
-		throw new Error("Failed to extract accountId from token");
+	const tokenData = (await response.json()) as {
+		access_token?: string;
+		refresh_token?: string;
+		expires_in?: number;
+	};
+
+	if (!tokenData.access_token || !tokenData.refresh_token || typeof tokenData.expires_in !== "number") {
+		throw new Error("Token response missing required fields");
 	}
 
+	const accountId = getAccountId(tokenData.access_token);
+
 	return {
-		access: result.access,
-		refresh: result.refresh,
-		expires: result.expires,
-		accountId,
+		access: tokenData.access_token,
+		refresh: tokenData.refresh_token || refreshToken,
+		expires: Date.now() + tokenData.expires_in * 1000,
+		accountId: accountId ?? undefined,
 	};
 }