bloby-bot 0.30.1 → 0.32.0

package/worker/codex-auth.ts

@@ -1,7 +1,13 @@
 /**
  * Codex OAuth PKCE flow for ChatGPT Plus/Pro subscription authentication.
  *
- * Spins up a temporary HTTP server on port 1455 to capture the OAuth callback.
+ * Paste-back flow (no local HTTP callback) — the dashboard is typically
+ * served from a Pi via Cloudflare tunnel, so a browser-side `localhost:1455`
+ * callback can't reach the host running this code. We send the user through
+ * OpenAI's auth page; their browser redirects to the (unreachable) callback
+ * URL but its URL bar contains the `code`. The user pastes that URL or code
+ * back into the wizard, which POSTs it here for token exchange.
+ *
  * Credentials are stored in ~/.codex/auth.json in the same shape Codex CLI
  * itself writes, so a spawned `codex app-server` process can use them directly.
  *
@@ -20,7 +26,6 @@
  */
 
 import crypto from 'crypto';
-import http from 'http';
 import fs from 'fs';
 import path from 'path';
 import os from 'os';
@@ -32,7 +37,6 @@ const OAUTH_CONFIG = {
   REDIRECT_URI: 'http://localhost:1455/auth/callback',
   CLIENT_ID: 'app_EMoamEEZ73f0CkXaXp7hrann',
   SCOPES: 'openid profile email offline_access',
-  PORT: 1455,
 };
 
 const AUTH_DIR = path.join(os.homedir(), '.codex');
@@ -44,7 +48,6 @@ const REFRESH_LEEWAY_MS = 5 * 60 * 1000;
 
 let codeVerifier: string | null = null;
 let oauthState: string | null = null;
-let callbackServers: http.Server[] = [];
 
 interface AuthDotJson {
   OPENAI_API_KEY: string | null;
@@ -87,7 +90,7 @@ function decodeJwt(token: string): Record<string, any> | null {
   }
 }
 
-/** Read the JWT `exp` claim as a Unix epoch (seconds). Null if missing/invalid. */
+/** Read the JWT `exp` claim as a Unix epoch (ms). Null if missing/invalid. */
 function jwtExpiryMs(token: string): number | null {
   const payload = decodeJwt(token);
   if (!payload || typeof payload.exp !== 'number') return null;
@@ -104,7 +107,6 @@ function extractAccountId(idToken: string): string | undefined {
 /** One-shot migration from the old `codedeck-auth.json` layout (pre-codex-native). */
 function migrateLegacyFile(): void {
   if (fs.existsSync(AUTH_FILE)) {
-    // If auth.json already has chatgpt tokens, nothing to do.
     const existing = readAuthFile();
     if (existing?.tokens?.refresh_token) return;
   }
@@ -156,46 +158,6 @@ function storeTokens(tokens: { access_token: string; refresh_token?: string; id_
   writeAuthFile(next);
 }
 
-async function exchangeCode(code: string): Promise<{ success: boolean; error?: string }> {
-  if (!codeVerifier) {
-    return { success: false, error: 'No code verifier — OAuth flow was not started.' };
-  }
-
-  try {
-    const payload = new URLSearchParams({
-      grant_type: 'authorization_code',
-      client_id: OAUTH_CONFIG.CLIENT_ID,
-      code,
-      redirect_uri: OAUTH_CONFIG.REDIRECT_URI,
-      code_verifier: codeVerifier,
-    });
-
-    const response = await fetch(OAUTH_CONFIG.TOKEN_URL, {
-      method: 'POST',
-      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-      body: payload.toString(),
-    });
-
-    if (!response.ok) {
-      return { success: false, error: `Authentication failed (${response.status}). Please try again.` };
-    }
-
-    const tokens = await response.json();
-    if (!tokens.access_token) {
-      return { success: false, error: 'OAuth response missing access_token.' };
-    }
-    storeTokens(tokens);
-    codeVerifier = null;
-    oauthState = null;
-    log.ok('Codex credentials stored');
-    // Clean up the legacy file on first successful new auth.
-    try { fs.unlinkSync(LEGACY_AUTH_FILE); } catch {}
-    return { success: true };
-  } catch (err: any) {
-    return { success: false, error: err.message };
-  }
-}
-
 async function refreshTokens(refreshToken: string): Promise<boolean> {
   try {
     log.ok('Codex: refreshing access token...');
@@ -226,108 +188,124 @@ async function refreshTokens(refreshToken: string): Promise<boolean> {
   }
 }
 
-/* ── Public API ── */
+/**
+ * Parse what the user pasted — accepts:
+ *   - the full callback URL (`http://localhost:1455/auth/callback?code=...&state=...`)
+ *   - just the query string (`?code=...&state=...` or `code=...&state=...`)
+ *   - just the raw code (`ac_XXX...`)
+ */
+function parsePastedInput(input: string): { code: string; state?: string } | { error: string } {
+  const trimmed = input.trim();
+  if (!trimmed) return { error: 'Paste the URL or code from your browser.' };
+
+  // Full URL or just a path
+  if (/^https?:\/\//i.test(trimmed) || trimmed.startsWith('/')) {
+    try {
+      const url = new URL(trimmed.startsWith('/') ? `http://x${trimmed}` : trimmed);
+      const code = url.searchParams.get('code');
+      if (!code) return { error: 'URL is missing the code parameter.' };
+      return { code, state: url.searchParams.get('state') || undefined };
+    } catch {
+      return { error: 'Could not parse the pasted URL.' };
+    }
+  }
 
-export function startCodexOAuth(): Promise<{ success: boolean; authUrl?: string; error?: string }> {
-  return new Promise((resolve) => {
-    stopCallbackServer();
+  // Bare query string
+  if (trimmed.includes('=') && (trimmed.includes('&') || trimmed.startsWith('?'))) {
+    try {
+      const qs = trimmed.startsWith('?') ? trimmed.slice(1) : trimmed;
+      const params = new URLSearchParams(qs);
+      const code = params.get('code');
+      if (!code) return { error: 'Query string is missing the code parameter.' };
+      return { code, state: params.get('state') || undefined };
+    } catch {
+      return { error: 'Could not parse the pasted query string.' };
+    }
+  }
 
-    codeVerifier = crypto.randomBytes(32).toString('base64url');
-    const codeChallenge = crypto.createHash('sha256').update(codeVerifier).digest('base64url');
-    oauthState = crypto.randomUUID();
+  // Treat as raw code
+  return { code: trimmed };
+}
 
-    const handleCallback = (req: http.IncomingMessage, res: http.ServerResponse) => {
-      if (!req.url?.startsWith('/auth/callback')) {
-        res.writeHead(404);
-        res.end();
-        return;
-      }
+/* ── Public API ── */
 
-      const url = new URL(req.url, `http://localhost:${OAUTH_CONFIG.PORT}`);
-      const code = url.searchParams.get('code');
-      const returnedState = url.searchParams.get('state');
-      const error = url.searchParams.get('error');
-      log.ok(`Codex OAuth callback hit (code=${code ? 'yes' : 'no'}, state=${returnedState === oauthState ? 'ok' : 'mismatch'}, error=${error || 'none'})`);
+export function startCodexOAuth(): { success: boolean; authUrl?: string; error?: string } {
+  codeVerifier = crypto.randomBytes(32).toString('base64url');
+  const codeChallenge = crypto.createHash('sha256').update(codeVerifier).digest('base64url');
+  oauthState = crypto.randomUUID();
+
+  const params = new URLSearchParams({
+    response_type: 'code',
+    client_id: OAUTH_CONFIG.CLIENT_ID,
+    redirect_uri: OAUTH_CONFIG.REDIRECT_URI,
+    scope: OAUTH_CONFIG.SCOPES,
+    code_challenge: codeChallenge,
+    code_challenge_method: 'S256',
+    state: oauthState,
+    id_token_add_organizations: 'true',
+    codex_cli_simplified_flow: 'true',
+  });
 
-      res.writeHead(200, { 'Content-Type': 'text/html' });
-      res.end(`<html><body style="font-family:sans-serif;text-align:center;padding:60px;background:#0a0a0a;color:#fff">
-        <h2>${error ? 'Authentication Failed' : 'Authenticated!'}</h2>
-        <p style="color:#888">${error || 'You can close this tab and return to Bloby.'}</p>
-      </body></html>`);
+  log.ok('Codex OAuth flow started (paste-back mode)');
+  return { success: true, authUrl: `${OAUTH_CONFIG.AUTHORIZE_URL}?${params.toString()}` };
+}
 
-      stopCallbackServer();
+export async function exchangeCodexCode(input: string): Promise<{ success: boolean; error?: string }> {
+  if (!codeVerifier || !oauthState) {
+    return { success: false, error: 'Authentication wasn\'t started. Click "Authenticate" first.' };
+  }
 
-      if (error || !code || returnedState !== oauthState) return;
-      exchangeCode(code);
-    };
+  const parsed = parsePastedInput(input);
+  if ('error' in parsed) return { success: false, error: parsed.error };
 
-    // Bind BOTH IPv4 and IPv6 loopback. On dual-stack systems where
-    // `localhost` resolves to ::1 first, an IPv4-only bind silently fails
-    // when the browser hits the callback URL.
-    const bindHosts: Array<{ host: string; required: boolean }> = [
-      { host: '127.0.0.1', required: true },
-      { host: '::1', required: false }, // tolerate machines without IPv6
-    ];
-
-    let resolved = false;
-    let pendingBinds = bindHosts.length;
-    let bindFailures = 0;
-
-    const finishWithSuccess = () => {
-      if (resolved) return;
-      resolved = true;
-      log.ok(`Codex OAuth callback servers listening on port ${OAUTH_CONFIG.PORT} (${callbackServers.length} bind${callbackServers.length === 1 ? '' : 's'})`);
-      const params = new URLSearchParams({
-        response_type: 'code',
-        client_id: OAUTH_CONFIG.CLIENT_ID,
-        redirect_uri: OAUTH_CONFIG.REDIRECT_URI,
-        scope: OAUTH_CONFIG.SCOPES,
-        code_challenge: codeChallenge,
-        code_challenge_method: 'S256',
-        state: oauthState!,
-        id_token_add_organizations: 'true',
-        codex_cli_simplified_flow: 'true',
-      });
-      resolve({ success: true, authUrl: `${OAUTH_CONFIG.AUTHORIZE_URL}?${params.toString()}` });
+  if (parsed.state && parsed.state !== oauthState) {
+    log.warn(`Codex OAuth: state mismatch (got=${parsed.state}, expected=${oauthState})`);
+    return {
+      success: false,
+      error: 'State mismatch — start the flow again from the wizard.',
     };
+  }
 
-    const finishWithError = (err: any) => {
-      if (resolved) return;
-      resolved = true;
-      stopCallbackServer();
-      const error = err?.code === 'EADDRINUSE'
-        ? `Port ${OAUTH_CONFIG.PORT} is busy. Close other Codex instances.`
-        : (err?.message || String(err));
-      resolve({ success: false, error });
-    };
+  try {
+    const payload = new URLSearchParams({
+      grant_type: 'authorization_code',
+      client_id: OAUTH_CONFIG.CLIENT_ID,
+      code: parsed.code,
+      redirect_uri: OAUTH_CONFIG.REDIRECT_URI,
+      code_verifier: codeVerifier,
+    });
 
-    for (const { host, required } of bindHosts) {
-      const server = http.createServer(handleCallback);
-
-      server.once('error', (err: any) => {
-        log.warn(`Codex OAuth bind ${host}:${OAUTH_CONFIG.PORT} failed — ${err.code || err.message}`);
-        if (required) {
-          finishWithError(err);
-        } else {
-          bindFailures++;
-          pendingBinds--;
-          // If only the optional bind failed but we already have at least one
-          // server up, that's still a success.
-          if (pendingBinds === 0 && callbackServers.length > 0) finishWithSuccess();
-        }
-      });
+    const response = await fetch(OAUTH_CONFIG.TOKEN_URL, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: payload.toString(),
+    });
 
-      server.listen(OAUTH_CONFIG.PORT, host, () => {
-        callbackServers.push(server);
-        pendingBinds--;
-        if (pendingBinds === 0) finishWithSuccess();
-      });
+    if (!response.ok) {
+      const body = await response.text().catch(() => '');
+      log.warn(`Codex OAuth exchange failed (${response.status}): ${body.slice(0, 200)}`);
+      return {
+        success: false,
+        error: `Authentication failed (${response.status}). Codes are single-use — start over and paste a fresh one.`,
+      };
     }
-  });
+
+    const tokens = await response.json();
+    if (!tokens.access_token) {
+      return { success: false, error: 'OAuth response missing access_token.' };
+    }
+    storeTokens(tokens);
+    codeVerifier = null;
+    oauthState = null;
+    try { fs.unlinkSync(LEGACY_AUTH_FILE); } catch {}
+    log.ok('Codex credentials stored');
+    return { success: true };
+  } catch (err: any) {
+    return { success: false, error: err.message };
+  }
 }
 
 export function cancelCodexOAuth(): void {
-  stopCallbackServer();
   codeVerifier = null;
   oauthState = null;
 }
@@ -392,11 +370,258 @@ export function readCodexAccessToken(): string | null {
   return token;
 }
 
-/* ── Helpers ── */
+/* ────────────────────────────────────────────────────────────────────────────
+ * Device-code flow — preferred for headless / remote dashboards.
+ *
+ *   1. POST {AUTH_BASE}/api/accounts/deviceauth/usercode  body {client_id}
+ *      → { device_auth_id, user_code, interval }
+ *   2. Poll POST {AUTH_BASE}/api/accounts/deviceauth/token body {device_auth_id, user_code}
+ *      403/404 = pending, 2xx = { authorization_code, code_challenge, code_verifier }
+ *   3. POST {AUTH_BASE}/oauth/token body {grant_type, client_id, code, code_verifier,
+ *      redirect_uri="{AUTH_BASE}/deviceauth/callback"} → standard token response
+ *
+ * The user opens DEVICE_VERIFICATION_URL and types user_code there. We poll
+ * in the background; the wizard polls /api/auth/codex/device/status for the
+ * current state.
+ * ──────────────────────────────────────────────────────────────────────────── */
+
+const AUTH_BASE = 'https://auth.openai.com';
+const DEVICE_USER_CODE_URL = `${AUTH_BASE}/api/accounts/deviceauth/usercode`;
+const DEVICE_POLL_URL = `${AUTH_BASE}/api/accounts/deviceauth/token`;
+const DEVICE_REDIRECT_URI = `${AUTH_BASE}/deviceauth/callback`;
+const DEVICE_VERIFICATION_URL = `${AUTH_BASE}/codex/device`;
+const DEVICE_TIMEOUT_MS = 15 * 60 * 1000;
+const DEVICE_DEFAULT_INTERVAL_SEC = 5;
+
+interface DeviceLoginState {
+  /** Bumped on each `startDeviceCodeLogin` so a stale poll loop can self-cancel. */
+  generation: number;
+  state: 'idle' | 'pending' | 'success' | 'error';
+  userCode?: string;
+  verificationUrl?: string;
+  expiresAt?: number; // epoch ms
+  error?: string;
+}
+
+let deviceLogin: DeviceLoginState = { generation: 0, state: 'idle' };
+
+export function getDeviceCodeStatus(): {
+  state: DeviceLoginState['state'];
+  userCode?: string;
+  verificationUrl?: string;
+  expiresInSec?: number;
+  error?: string;
+} {
+  const expiresInSec = deviceLogin.expiresAt
+    ? Math.max(0, Math.round((deviceLogin.expiresAt - Date.now()) / 1000))
+    : undefined;
+  return {
+    state: deviceLogin.state,
+    userCode: deviceLogin.userCode,
+    verificationUrl: deviceLogin.verificationUrl,
+    expiresInSec,
+    error: deviceLogin.error,
+  };
+}
+
+export function cancelDeviceCodeLogin(): void {
+  // Bumping the generation makes any in-flight poll loop a no-op on its next tick.
+  deviceLogin = { generation: deviceLogin.generation + 1, state: 'idle' };
+  log.ok('Codex device-code login cancelled');
+}
 
-function stopCallbackServer(): void {
-  for (const server of callbackServers) {
-    try { server.close(); } catch {}
+export async function startDeviceCodeLogin(): Promise<{
+  success: boolean;
+  userCode?: string;
+  verificationUrl?: string;
+  error?: string;
+}> {
+  // Cancel any existing in-flight login before starting a new one.
+  const generation = deviceLogin.generation + 1;
+  deviceLogin = { generation, state: 'pending' };
+
+  try {
+    const res = await fetch(DEVICE_USER_CODE_URL, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'User-Agent': 'bloby-bot',
+      },
+      body: JSON.stringify({ client_id: OAUTH_CONFIG.CLIENT_ID }),
+    });
+
+    if (!res.ok) {
+      const body = await res.text().catch(() => '');
+      const error = `Failed to request device code (${res.status}). ${body.slice(0, 200)}`;
+      deviceLogin = { generation, state: 'error', error };
+      log.warn(`Codex device-code start failed: ${error}`);
+      return { success: false, error };
+    }
+
+    const data = await res.json();
+    const userCode: string = data.user_code || data.usercode;
+    const deviceAuthId: string = data.device_auth_id;
+    const intervalSec: number = Number(data.interval) || DEVICE_DEFAULT_INTERVAL_SEC;
+    if (!userCode || !deviceAuthId) {
+      const error = 'Device code response missing user_code or device_auth_id.';
+      deviceLogin = { generation, state: 'error', error };
+      return { success: false, error };
+    }
+
+    deviceLogin = {
+      generation,
+      state: 'pending',
+      userCode,
+      verificationUrl: DEVICE_VERIFICATION_URL,
+      expiresAt: Date.now() + DEVICE_TIMEOUT_MS,
+    };
+    log.ok(`Codex device-code login started (code=${userCode}, poll every ${intervalSec}s)`);
+
+    // Fire-and-forget background poll.
+    void pollDeviceCode(generation, deviceAuthId, userCode, intervalSec);
+
+    return { success: true, userCode, verificationUrl: DEVICE_VERIFICATION_URL };
+  } catch (err: any) {
+    const error = err?.message || String(err);
+    deviceLogin = { generation, state: 'error', error };
+    log.warn(`Codex device-code start error: ${error}`);
+    return { success: false, error };
   }
-  callbackServers = [];
+}
+
+async function pollDeviceCode(
+  generation: number,
+  deviceAuthId: string,
+  userCode: string,
+  intervalSec: number,
+): Promise<void> {
+  const startedAt = Date.now();
+
+  while (true) {
+    // Stale generation = a newer login was started or this one was cancelled.
+    if (deviceLogin.generation !== generation) {
+      log.ok(`Codex device-code poll for gen ${generation} stopped (superseded)`);
+      return;
+    }
+
+    if (Date.now() - startedAt > DEVICE_TIMEOUT_MS) {
+      deviceLogin = {
+        generation,
+        state: 'error',
+        error: 'Device-code login timed out (15 minutes). Try again.',
+      };
+      log.warn('Codex device-code login timed out');
+      return;
+    }
+
+    let res: Response;
+    try {
+      res = await fetch(DEVICE_POLL_URL, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'User-Agent': 'bloby-bot',
+        },
+        body: JSON.stringify({ device_auth_id: deviceAuthId, user_code: userCode }),
+      });
+    } catch (err: any) {
+      // Transient network errors — log and keep polling within timeout.
+      log.warn(`Codex device-code poll network error: ${err?.message || err}`);
+      await sleep(intervalSec * 1000);
+      continue;
+    }
+
+    if (res.status === 403 || res.status === 404) {
+      // Pending — user hasn't approved yet.
+      await sleep(intervalSec * 1000);
+      continue;
+    }
+
+    if (!res.ok) {
+      const body = await res.text().catch(() => '');
+      const error = `Device-code poll failed (${res.status}). ${body.slice(0, 200)}`;
+      if (deviceLogin.generation === generation) {
+        deviceLogin = { generation, state: 'error', error };
+      }
+      log.warn(error);
+      return;
+    }
+
+    // 2xx — server returned the authorization_code + PKCE verifier.
+    let data: { authorization_code?: string; code_verifier?: string };
+    try {
+      data = await res.json();
+    } catch (err: any) {
+      const error = `Device-code poll: malformed JSON (${err?.message || err})`;
+      if (deviceLogin.generation === generation) {
+        deviceLogin = { generation, state: 'error', error };
+      }
+      return;
+    }
+
+    if (!data.authorization_code || !data.code_verifier) {
+      const error = 'Device-code poll: response missing authorization_code or code_verifier.';
+      if (deviceLogin.generation === generation) {
+        deviceLogin = { generation, state: 'error', error };
+      }
+      return;
+    }
+
+    // Final step: exchange for tokens.
+    const exchanged = await exchangeDeviceCode(data.authorization_code, data.code_verifier);
+    if (deviceLogin.generation !== generation) return;
+
+    if (exchanged.success) {
+      deviceLogin = { generation, state: 'success' };
+      log.ok('Codex device-code login complete');
+    } else {
+      deviceLogin = {
+        generation,
+        state: 'error',
+        error: exchanged.error || 'Token exchange failed.',
+      };
+    }
+    return;
+  }
+}
+
+async function exchangeDeviceCode(
+  authorizationCode: string,
+  codeVerifierFromServer: string,
+): Promise<{ success: boolean; error?: string }> {
+  try {
+    const payload = new URLSearchParams({
+      grant_type: 'authorization_code',
+      client_id: OAUTH_CONFIG.CLIENT_ID,
+      code: authorizationCode,
+      redirect_uri: DEVICE_REDIRECT_URI,
+      code_verifier: codeVerifierFromServer,
+    });
+    const res = await fetch(OAUTH_CONFIG.TOKEN_URL, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/x-www-form-urlencoded',
+        'User-Agent': 'bloby-bot',
+      },
+      body: payload.toString(),
+    });
+    if (!res.ok) {
+      const body = await res.text().catch(() => '');
+      log.warn(`Codex device-code token exchange failed (${res.status}): ${body.slice(0, 200)}`);
+      return { success: false, error: `Token exchange failed (${res.status}).` };
+    }
+    const tokens = await res.json();
+    if (!tokens.access_token) {
+      return { success: false, error: 'Token exchange response missing access_token.' };
+    }
+    storeTokens(tokens);
+    try { fs.unlinkSync(LEGACY_AUTH_FILE); } catch {}
+    return { success: true };
+  } catch (err: any) {
+    return { success: false, error: err?.message || String(err) };
+  }
+}
+
+function sleep(ms: number): Promise<void> {
+  return new Promise((r) => setTimeout(r, ms));
 }

package/worker/index.ts

@@ -9,7 +9,10 @@ import { initDb, closeDb, listConversations, createConversation, deleteConversat
 import webpush from 'web-push';
 import { TOTP } from 'otpauth';
 import QRCode from 'qrcode';
-import { startCodexOAuth, cancelCodexOAuth, getCodexAuthStatus } from './codex-auth.js';
+import {
+  startCodexOAuth, cancelCodexOAuth, getCodexAuthStatus, exchangeCodexCode,
+  startDeviceCodeLogin, getDeviceCodeStatus, cancelDeviceCodeLogin,
+} from './codex-auth.js';
 import { startClaudeOAuth, exchangeClaudeCode, getClaudeAuthStatus, readClaudeAccessToken } from './claude-auth.js';
 import { checkAvailability, registerHandle, claimReservedHandle, releaseHandle, updateTunnelUrl, startHeartbeat, stopHeartbeat } from '../shared/relay.js';
 import { ensureFileDirs } from '../supervisor/file-saver.js';
@@ -171,9 +174,17 @@ app.post('/api/context/clear', (_, res) => {
 
 // ── Codex OAuth routes ──
 
-app.post('/api/auth/codex/start', async (_req, res) => {
-  const result = await startCodexOAuth();
-  res.json(result);
+app.post('/api/auth/codex/start', (_req, res) => {
+  res.json(startCodexOAuth());
+});
+
+app.post('/api/auth/codex/exchange', async (req, res) => {
+  const { code } = req.body || {};
+  if (!code || typeof code !== 'string') {
+    res.json({ success: false, error: 'No code provided' });
+    return;
+  }
+  res.json(await exchangeCodexCode(code));
 });
 
 app.post('/api/auth/codex/cancel', (_req, res) => {
@@ -185,6 +196,21 @@ app.get('/api/auth/codex/status', async (_req, res) => {
   res.json(await getCodexAuthStatus());
 });
 
+// ── Codex device-code routes (preferred for headless dashboards) ──
+
+app.post('/api/auth/codex/device/start', async (_req, res) => {
+  res.json(await startDeviceCodeLogin());
+});
+
+app.get('/api/auth/codex/device/status', (_req, res) => {
+  res.json(getDeviceCodeStatus());
+});
+
+app.post('/api/auth/codex/device/cancel', (_req, res) => {
+  cancelDeviceCodeLogin();
+  res.json({ ok: true });
+});
+
 // ── Claude OAuth routes ──
 
 app.post('/api/auth/claude/start', (_req, res) => {