clanka 0.2.49 → 0.2.51

package/src/CodexAuth.test.ts

@@ -1,20 +1,10 @@
 import { assert, describe, it } from "@effect/vitest"
-import * as Deferred from "effect/Deferred"
 import * as Effect from "effect/Effect"
 import * as Encoding from "effect/Encoding"
-import * as Fiber from "effect/Fiber"
 import * as Option from "effect/Option"
-import * as Ref from "effect/Ref"
-import {
-  HttpClient,
-  type HttpClientRequest,
-  HttpClientResponse,
-} from "effect/unstable/http"
 import * as KeyValueStore from "effect/unstable/persistence/KeyValueStore"
 import {
-  CodexAuth,
   CodexAuthError,
-  ISSUER,
   STORE_PREFIX,
   STORE_TOKEN_KEY,
   TOKEN_EXPIRY_BUFFER_MS,
@@ -32,75 +22,6 @@ const createJwt = (payload: string): string =>
 const createTestJwt = (payload: Record<string, unknown>): string =>
   createJwt(JSON.stringify(payload))
 
-const jsonResponse = (body: unknown, status = 200): Response =>
-  new Response(JSON.stringify(body), {
-    status,
-    headers: {
-      "content-type": "application/json",
-    },
-  })
-
-const getBody = (request: HttpClientRequest.HttpClientRequest): string => {
-  if (request.body._tag !== "Uint8Array") {
-    throw new Error("Expected request body to be a Uint8Array payload")
-  }
-
-  return new TextDecoder().decode(request.body.body)
-}
-
-const makeClient = Effect.fn("makeClient")(function* (
-  handler: (
-    request: HttpClientRequest.HttpClientRequest,
-    attempt: number,
-  ) => Response,
-) {
-  const attempts = yield* Ref.make(0)
-  const requests = yield* Ref.make<Array<HttpClientRequest.HttpClientRequest>>(
-    [],
-  )
-  const client = HttpClient.make((request) =>
-    Effect.gen(function* () {
-      const attempt = yield* Ref.updateAndGet(attempts, (count) => count + 1)
-      yield* Ref.update(requests, (current) => [...current, request])
-      return HttpClientResponse.fromWeb(request, handler(request, attempt))
-    }),
-  )
-
-  return {
-    attempts,
-    client,
-    requests,
-  } as const
-})
-
-const makeEffectClient = Effect.fn("makeEffectClient")(function* (
-  handler: (
-    request: HttpClientRequest.HttpClientRequest,
-    attempt: number,
-  ) => Effect.Effect<Response>,
-) {
-  const attempts = yield* Ref.make(0)
-  const requests = yield* Ref.make<Array<HttpClientRequest.HttpClientRequest>>(
-    [],
-  )
-  const client = HttpClient.make((request) =>
-    Effect.gen(function* () {
-      const attempt = yield* Ref.updateAndGet(attempts, (count) => count + 1)
-      yield* Ref.update(requests, (current) => [...current, request])
-      return HttpClientResponse.fromWeb(
-        request,
-        yield* handler(request, attempt),
-      )
-    }),
-  )
-
-  return {
-    attempts,
-    client,
-    requests,
-  } as const
-})
-
 describe("CodexAuth", () => {
   it.effect(
     "persists token data through the prefixed schema store",
@@ -377,358 +298,4 @@ describe("CodexAuth", () => {
       true,
     )
   })
-
-  it.effect(
-    "preserves the stored account id when refreshed tokens omit parseable claims",
-    () =>
-      Effect.gen(function* () {
-        const kvs = yield* KeyValueStore.KeyValueStore
-        const tokenStore = toTokenStore(kvs)
-        yield* Effect.orDie(
-          tokenStore.set(
-            STORE_TOKEN_KEY,
-            new TokenData({
-              access: "stale-access-token",
-              refresh: "stale-refresh-token",
-              expires: Date.now() - 60_000,
-              accountId: Option.some("persisted-account"),
-            }),
-          ),
-        )
-
-        const { attempts, client } = yield* makeClient(() =>
-          jsonResponse({
-            id_token: "invalid",
-            access_token: "also-invalid",
-            refresh_token: "next-refresh-token",
-            expires_in: 120,
-          }),
-        )
-
-        const auth = yield* CodexAuth.make.pipe(
-          Effect.provideService(HttpClient.HttpClient, client),
-        )
-
-        const token = yield* auth.get
-
-        assert.strictEqual(token.refresh, "next-refresh-token")
-        assert.strictEqual(
-          Option.getOrUndefined(token.accountId),
-          "persisted-account",
-        )
-        assert.strictEqual(yield* Ref.get(attempts), 1)
-
-        const stored = yield* Effect.orDie(tokenStore.get(STORE_TOKEN_KEY))
-        assert.strictEqual(Option.isSome(stored), true)
-        if (Option.isNone(stored)) {
-          return
-        }
-
-        assert.strictEqual(
-          Option.getOrUndefined(stored.value.accountId),
-          "persisted-account",
-        )
-      }).pipe(Effect.provide(KeyValueStore.layerMemory)),
-  )
-
-  it.effect(
-    "falls back to device auth when refreshing an expired token fails",
-    () =>
-      Effect.gen(function* () {
-        const kvs = yield* KeyValueStore.KeyValueStore
-        const tokenStore = toTokenStore(kvs)
-        yield* Effect.orDie(
-          tokenStore.set(
-            STORE_TOKEN_KEY,
-            new TokenData({
-              access: "stale-access-token",
-              refresh: "stale-refresh-token",
-              expires: Date.now() - 60_000,
-              accountId: Option.some("stale-account"),
-            }),
-          ),
-        )
-
-        const { client, requests } = yield* makeClient((request) => {
-          if (request.url === `${ISSUER}/api/accounts/deviceauth/usercode`) {
-            return jsonResponse({
-              device_auth_id: "device-auth-id",
-              user_code: "WXYZ-9876",
-              interval: "1",
-            })
-          }
-
-          if (request.url === `${ISSUER}/api/accounts/deviceauth/token`) {
-            return jsonResponse({
-              authorization_code: "authorization-code",
-              code_verifier: "code-verifier",
-            })
-          }
-
-          if (request.url === `${ISSUER}/oauth/token`) {
-            const body = new URLSearchParams(getBody(request))
-            if (body.get("grant_type") === "refresh_token") {
-              return new Response(null, { status: 401 })
-            }
-
-            return jsonResponse({
-              id_token: createTestJwt({
-                chatgpt_account_id: "account-from-id",
-              }),
-              access_token: createTestJwt({
-                chatgpt_account_id: "account-from-access",
-              }),
-              refresh_token: "next-refresh-token",
-              expires_in: 120,
-            })
-          }
-
-          return new Response(null, { status: 500 })
-        })
-
-        const auth = yield* CodexAuth.make.pipe(
-          Effect.provideService(HttpClient.HttpClient, client),
-        )
-
-        const token = yield* auth.get
-
-        assert.strictEqual(token.refresh, "next-refresh-token")
-        assert.strictEqual(
-          Option.getOrUndefined(token.accountId),
-          "account-from-id",
-        )
-
-        const stored = yield* Effect.orDie(tokenStore.get(STORE_TOKEN_KEY))
-        assert.strictEqual(Option.isSome(stored), true)
-        if (Option.isSome(stored)) {
-          assert.strictEqual(stored.value.refresh, "next-refresh-token")
-        }
-
-        const seenRequests = yield* Ref.get(requests)
-        assert.strictEqual(seenRequests.length, 4)
-        assert.strictEqual(seenRequests[0]?.url, `${ISSUER}/oauth/token`)
-        assert.strictEqual(
-          new URLSearchParams(getBody(seenRequests[0]!)).get("grant_type"),
-          "refresh_token",
-        )
-        assert.strictEqual(
-          new URLSearchParams(getBody(seenRequests[3]!)).get("grant_type"),
-          "authorization_code",
-        )
-      }).pipe(Effect.provide(KeyValueStore.layerMemory)),
-  )
-
-  it.effect("clears corrupted persisted tokens before re-authenticating", () =>
-    Effect.gen(function* () {
-      const kvs = yield* KeyValueStore.KeyValueStore
-      yield* Effect.orDie(
-        kvs.set(`${STORE_PREFIX}${STORE_TOKEN_KEY}`, "not-json"),
-      )
-
-      const { attempts, client } = yield* makeClient((request) => {
-        if (request.url === `${ISSUER}/api/accounts/deviceauth/usercode`) {
-          return jsonResponse({
-            device_auth_id: "device-auth-id",
-            user_code: "ABCD-EFGH",
-            interval: "1",
-          })
-        }
-
-        if (request.url === `${ISSUER}/api/accounts/deviceauth/token`) {
-          return jsonResponse({
-            authorization_code: "authorization-code",
-            code_verifier: "code-verifier",
-          })
-        }
-
-        if (request.url === `${ISSUER}/oauth/token`) {
-          return jsonResponse({
-            access_token: createTestJwt({
-              chatgpt_account_id: "fresh-account",
-            }),
-            refresh_token: "fresh-refresh-token",
-            expires_in: 120,
-          })
-        }
-
-        return new Response(null, { status: 500 })
-      })
-
-      const auth = yield* CodexAuth.make.pipe(
-        Effect.provideService(HttpClient.HttpClient, client),
-      )
-
-      assert.strictEqual(
-        yield* Effect.orDie(kvs.get(`${STORE_PREFIX}${STORE_TOKEN_KEY}`)),
-        undefined,
-      )
-      assert.strictEqual(yield* Ref.get(attempts), 0)
-
-      const token = yield* auth.get
-
-      assert.strictEqual(token.refresh, "fresh-refresh-token")
-      assert.strictEqual(
-        Option.getOrUndefined(token.accountId),
-        "fresh-account",
-      )
-      assert.strictEqual(yield* Ref.get(attempts), 3)
-    }).pipe(Effect.provide(KeyValueStore.layerMemory)),
-  )
-
-  it.effect("serializes concurrent get calls behind one refresh", () =>
-    Effect.gen(function* () {
-      const kvs = yield* KeyValueStore.KeyValueStore
-      const tokenStore = toTokenStore(kvs)
-      yield* Effect.orDie(
-        tokenStore.set(
-          STORE_TOKEN_KEY,
-          new TokenData({
-            access: "expired-access-token",
-            refresh: "refresh-token",
-            expires: Date.now() - 60_000,
-            accountId: Option.none(),
-          }),
-        ),
-      )
-
-      const refreshStarted = yield* Deferred.make<void>()
-      const releaseRefresh = yield* Deferred.make<void>()
-      const { attempts, client } = yield* makeEffectClient((request) => {
-        if (request.url !== `${ISSUER}/oauth/token`) {
-          return Effect.succeed(new Response(null, { status: 500 }))
-        }
-
-        const body = new URLSearchParams(getBody(request))
-        if (body.get("grant_type") !== "refresh_token") {
-          return Effect.succeed(new Response(null, { status: 500 }))
-        }
-
-        return Effect.gen(function* () {
-          yield* Deferred.succeed(refreshStarted, void 0)
-          yield* Deferred.await(releaseRefresh)
-          return jsonResponse({
-            access_token: createTestJwt({
-              chatgpt_account_id: "fresh-account",
-            }),
-            refresh_token: "fresh-refresh-token",
-            expires_in: 120,
-          })
-        })
-      })
-
-      const auth = yield* CodexAuth.make.pipe(
-        Effect.provideService(HttpClient.HttpClient, client),
-      )
-
-      const firstFiber = yield* auth.get.pipe(
-        Effect.forkChild({ startImmediately: true }),
-      )
-      yield* Deferred.await(refreshStarted)
-
-      const secondFiber = yield* auth.get.pipe(
-        Effect.forkChild({ startImmediately: true }),
-      )
-      yield* Effect.yieldNow
-
-      assert.strictEqual(yield* Ref.get(attempts), 1)
-
-      yield* Deferred.succeed(releaseRefresh, void 0)
-
-      const first = yield* Fiber.join(firstFiber)
-      const second = yield* Fiber.join(secondFiber)
-
-      assert.strictEqual(yield* Ref.get(attempts), 1)
-      assert.strictEqual(first.refresh, "fresh-refresh-token")
-      assert.strictEqual(second.refresh, "fresh-refresh-token")
-      assert.strictEqual(
-        Option.getOrUndefined(first.accountId),
-        "fresh-account",
-      )
-      assert.strictEqual(
-        Option.getOrUndefined(second.accountId),
-        "fresh-account",
-      )
-    }).pipe(Effect.provide(KeyValueStore.layerMemory)),
-  )
-
-  it.effect(
-    "forces device auth on authenticate and clears cache plus storage on logout",
-    () =>
-      Effect.gen(function* () {
-        const kvs = yield* KeyValueStore.KeyValueStore
-        const tokenStore = toTokenStore(kvs)
-        yield* Effect.orDie(
-          tokenStore.set(
-            STORE_TOKEN_KEY,
-            new TokenData({
-              access: "cached-access-token",
-              refresh: "cached-refresh-token",
-              expires: Date.now() + 600_000,
-              accountId: Option.some("cached-account"),
-            }),
-          ),
-        )
-
-        let deviceFlowCount = 0
-        const { attempts, client } = yield* makeClient((request) => {
-          if (request.url === `${ISSUER}/api/accounts/deviceauth/usercode`) {
-            deviceFlowCount += 1
-            return jsonResponse({
-              device_auth_id: `device-auth-${deviceFlowCount}`,
-              user_code: `CODE-${deviceFlowCount}`,
-              interval: "1",
-            })
-          }
-
-          if (request.url === `${ISSUER}/api/accounts/deviceauth/token`) {
-            return jsonResponse({
-              authorization_code: `authorization-code-${deviceFlowCount}`,
-              code_verifier: `code-verifier-${deviceFlowCount}`,
-            })
-          }
-
-          if (request.url === `${ISSUER}/oauth/token`) {
-            return jsonResponse({
-              access_token: createTestJwt({
-                chatgpt_account_id: `device-account-${deviceFlowCount}`,
-              }),
-              refresh_token: `device-refresh-${deviceFlowCount}`,
-              expires_in: 120,
-            })
-          }
-
-          return new Response(null, { status: 500 })
-        })
-
-        const auth = yield* CodexAuth.make.pipe(
-          Effect.provideService(HttpClient.HttpClient, client),
-        )
-
-        const cachedToken = yield* auth.get
-        assert.strictEqual(cachedToken.refresh, "cached-refresh-token")
-        assert.strictEqual(yield* Ref.get(attempts), 0)
-
-        const authenticated = yield* auth.authenticate
-        assert.strictEqual(authenticated.refresh, "device-refresh-1")
-        assert.strictEqual(
-          Option.getOrUndefined(authenticated.accountId),
-          "device-account-1",
-        )
-        assert.strictEqual(yield* Ref.get(attempts), 3)
-
-        yield* auth.logout
-        const storedAfterLogout = yield* Effect.orDie(
-          tokenStore.get(STORE_TOKEN_KEY),
-        )
-        assert.strictEqual(Option.isNone(storedAfterLogout), true)
-
-        const tokenAfterLogout = yield* auth.get
-        assert.strictEqual(tokenAfterLogout.refresh, "device-refresh-2")
-        assert.strictEqual(
-          Option.getOrUndefined(tokenAfterLogout.accountId),
-          "device-account-2",
-        )
-        assert.strictEqual(yield* Ref.get(attempts), 6)
-      }).pipe(Effect.provide(KeyValueStore.layerMemory)),
-  )
 })

package/src/CodexAuth.ts

@@ -1,7 +1,6 @@
 /**
  * @since 1.0.0
  */
-import * as Console from "effect/Console"
 import * as Effect from "effect/Effect"
 import * as Encoding from "effect/Encoding"
 import * as Function from "effect/Function"
@@ -11,11 +10,12 @@ import * as Result from "effect/Result"
 import * as Schedule from "effect/Schedule"
 import * as Schema from "effect/Schema"
 import * as Semaphore from "effect/Semaphore"
-import * as ServiceMap from "effect/ServiceMap"
+import * as Context from "effect/Context"
 import * as HttpClient from "effect/unstable/http/HttpClient"
 import * as HttpClientRequest from "effect/unstable/http/HttpClientRequest"
 import * as HttpClientResponse from "effect/unstable/http/HttpClientResponse"
 import * as KeyValueStore from "effect/unstable/persistence/KeyValueStore"
+import { DeviceCodeHandler } from "./DeviceCodeHandler.ts"
 
 export const CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann"
 export const ISSUER = "https://auth.openai.com"
@@ -284,15 +284,17 @@ export const toCodexAuthKeyValueStore = (store: KeyValueStore.KeyValueStore) =>
 export const toTokenStore = (store: KeyValueStore.KeyValueStore) =>
   KeyValueStore.toSchemaStore(toCodexAuthKeyValueStore(store), TokenData)
 
-export class CodexAuth extends ServiceMap.Service<
+export class CodexAuth extends Context.Service<
   CodexAuth,
   {
+    readonly verifyUrl: string
     readonly get: Effect.Effect<TokenData, CodexAuthError>
     readonly authenticate: Effect.Effect<TokenData, CodexAuthError>
     readonly logout: Effect.Effect<void>
   }
 >()("clanka/CodexAuth") {
   static readonly make = Effect.gen(function* () {
+    const verfication = yield* DeviceCodeHandler
     const tokenStore = toTokenStore(yield* KeyValueStore.KeyValueStore)
     const httpClient = (yield* HttpClient.HttpClient).pipe(
       HttpClient.mapRequest(
@@ -310,7 +312,7 @@ export class CodexAuth extends ServiceMap.Service<
 
     let currentToken = yield* tokenStore.get(STORE_TOKEN_KEY).pipe(
       Effect.catchTag("SchemaError", (error) =>
-        Console.warn(
+        Effect.logDebug(
           `Failed to decode persisted Codex token, clearing it: ${error.message}`,
         ).pipe(
           Effect.andThen(tokenStore.remove(STORE_TOKEN_KEY)),
@@ -340,22 +342,23 @@ export class CodexAuth extends ServiceMap.Service<
 
     const authenticateWithDeviceFlow = Effect.gen(function* () {
       const deviceCode = yield* requestDeviceCode
-      yield* Console.log(
-        `Open ${ISSUER}${DEVICE_VERIFICATION_URL} and enter code: ${deviceCode.userCode}`,
-      )
+      yield* verfication.onCode({
+        verifyUrl: ISSUER + DEVICE_VERIFICATION_URL,
+        deviceCode: deviceCode.userCode,
+      })
       const authorization = yield* pollAuthorization(deviceCode)
       return yield* exchangeAuthorizationCode(authorization)
     })
 
-    const authenticateNoLock = Effect.uninterruptibleMask((restore) =>
-      Effect.gen(function* () {
+    const authenticateNoLock = Effect.uninterruptibleMask(
+      Effect.fnUntraced(function* (restore) {
         const token = yield* restore(authenticateWithDeviceFlow)
         return yield* saveToken(token)
       }),
     )
 
-    const getNoLock = Effect.uninterruptibleMask((restore) =>
-      Effect.gen(function* () {
+    const getNoLock = Effect.uninterruptibleMask(
+      Effect.fnUntraced(function* (restore) {
         if (Option.isSome(currentToken) && !currentToken.value.isExpired()) {
           return currentToken.value
         }
@@ -366,14 +369,7 @@ export class CodexAuth extends ServiceMap.Service<
         }
 
         const refreshedToken = yield* restore(
-          refreshToken(currentToken.value.refresh).pipe(
-            Effect.tapError((error) =>
-              Console.warn(
-                `Codex token refresh failed, falling back to device auth: ${error.message}`,
-              ),
-            ),
-            Effect.option,
-          ),
+          refreshToken(currentToken.value.refresh).pipe(Effect.option),
         )
 
         if (Option.isSome(refreshedToken)) {
@@ -537,6 +533,7 @@ export class CodexAuth extends ServiceMap.Service<
     })
 
     return CodexAuth.of({
+      verifyUrl: ISSUER + DEVICE_VERIFICATION_URL,
       get: semaphore.withPermit(getNoLock),
       authenticate: semaphore.withPermit(authenticateNoLock),
       logout: semaphore.withPermit(Effect.uninterruptible(clearToken)),

package/src/CopilotAuth.test.ts

@@ -25,6 +25,7 @@ import {
   toGithubCopilotAuthKeyValueStore,
   toTokenStore,
 } from "./CopilotAuth.ts"
+import * as DeviceCodeHandler from "./DeviceCodeHandler.ts"
 
 const jsonResponse = (body: unknown, status = 200): Response =>
   new Response(JSON.stringify(body), {
@@ -52,8 +53,8 @@ const makeClient = Effect.fn("makeClient")(function* (
   const requests = yield* Ref.make<Array<HttpClientRequest.HttpClientRequest>>(
     [],
   )
-  const client = HttpClient.make((request) =>
-    Effect.gen(function* () {
+  const client = HttpClient.make(
+    Effect.fnUntraced(function* (request) {
       const attempt = yield* Ref.updateAndGet(attempts, (count) => count + 1)
       yield* Ref.update(requests, (current) => [...current, request])
       return HttpClientResponse.fromWeb(request, handler(request, attempt))
@@ -181,6 +182,7 @@ describe("GithubCopilotAuth", () => {
 
       const auth = yield* GithubCopilotAuth.make.pipe(
         Effect.provideService(HttpClient.HttpClient, client),
+        Effect.provide(DeviceCodeHandler.layerConsole),
       )
 
       const token = yield* auth.get
@@ -220,6 +222,7 @@ describe("GithubCopilotAuth", () => {
 
         const auth = yield* GithubCopilotAuth.make.pipe(
           Effect.provideService(HttpClient.HttpClient, client),
+          Effect.provide(DeviceCodeHandler.layerConsole),
         )
 
         const authenticated = yield* auth.authenticate
@@ -282,6 +285,7 @@ describe("GithubCopilotAuth", () => {
 
       const auth = yield* GithubCopilotAuth.make.pipe(
         Effect.provideService(HttpClient.HttpClient, client),
+        Effect.provide(DeviceCodeHandler.layerConsole),
       )
 
       assert.strictEqual(
@@ -328,6 +332,7 @@ describe("GithubCopilotAuth", () => {
 
       const auth = yield* GithubCopilotAuth.make.pipe(
         Effect.provideService(HttpClient.HttpClient, client),
+        Effect.provide(DeviceCodeHandler.layerConsole),
       )
 
       const firstFiber = yield* auth.get.pipe(
@@ -373,15 +378,14 @@ describe("GithubCopilotAuth", () => {
           jsonResponse({ ok: true }),
         )
 
-        const wrappedClient = yield* Effect.gen(function* () {
-          return yield* HttpClient.HttpClient
-        }).pipe(
+        const wrappedClient = yield* HttpClient.HttpClient.asEffect().pipe(
           Effect.provide(GithubCopilotAuth.layerClientNoDeps),
           Effect.provideService(HttpClient.HttpClient, client),
-          Effect.provideService(
+          Effect.provideServiceEffect(
             GithubCopilotAuth,
-            yield* GithubCopilotAuth.make.pipe(
+            GithubCopilotAuth.make.pipe(
               Effect.provideService(HttpClient.HttpClient, client),
+              Effect.provide(DeviceCodeHandler.layerConsole),
             ),
           ),
         )

package/src/CopilotAuth.ts

@@ -1,7 +1,6 @@
 /**
  * @since 1.0.0
  */
-import * as Console from "effect/Console"
 import * as Effect from "effect/Effect"
 import * as Function from "effect/Function"
 import * as Layer from "effect/Layer"
@@ -9,11 +8,12 @@ import * as Option from "effect/Option"
 import * as Schedule from "effect/Schedule"
 import * as Schema from "effect/Schema"
 import * as Semaphore from "effect/Semaphore"
-import * as ServiceMap from "effect/ServiceMap"
+import * as Context from "effect/Context"
 import * as HttpClient from "effect/unstable/http/HttpClient"
 import * as HttpClientRequest from "effect/unstable/http/HttpClientRequest"
 import * as HttpClientResponse from "effect/unstable/http/HttpClientResponse"
 import * as KeyValueStore from "effect/unstable/persistence/KeyValueStore"
+import { DeviceCodeHandler } from "./DeviceCodeHandler.ts"
 
 export const CLIENT_ID = "Ov23li8tweQw6odWQebz"
 export const ISSUER = "https://github.com"
@@ -213,15 +213,17 @@ export const toTokenStore = (store: KeyValueStore.KeyValueStore) =>
     TokenData,
   )
 
-export class GithubCopilotAuth extends ServiceMap.Service<
+export class GithubCopilotAuth extends Context.Service<
   GithubCopilotAuth,
   {
+    readonly verifyUrl: string
     readonly get: Effect.Effect<TokenData, GithubCopilotAuthError>
     readonly authenticate: Effect.Effect<TokenData, GithubCopilotAuthError>
     readonly logout: Effect.Effect<void>
   }
 >()("clanka/GithubCopilotAuth") {
   static readonly make = Effect.gen(function* () {
+    const verfication = yield* DeviceCodeHandler
     const tokenStore = toTokenStore(yield* KeyValueStore.KeyValueStore)
     const httpClient = (yield* HttpClient.HttpClient).pipe(
       HttpClient.mapRequest(
@@ -242,7 +244,7 @@ export class GithubCopilotAuth extends ServiceMap.Service<
 
     let currentToken = yield* tokenStore.get(STORE_TOKEN_KEY).pipe(
       Effect.catchTag("SchemaError", (error) =>
-        Console.warn(
+        Effect.logDebug(
           `Failed to decode persisted GitHub Copilot token, clearing it: ${error.message}`,
         ).pipe(
           Effect.andThen(tokenStore.remove(STORE_TOKEN_KEY)),
@@ -373,9 +375,10 @@ export class GithubCopilotAuth extends ServiceMap.Service<
 
     const authenticateWithDeviceFlow = Effect.gen(function* () {
       const deviceCode = yield* requestDeviceCode()
-      yield* Console.log(
-        `Open ${deviceCode.verificationUri} and enter code: ${deviceCode.userCode}`,
-      )
+      yield* verfication.onCode({
+        verifyUrl: deviceCode.verificationUri,
+        deviceCode: deviceCode.userCode,
+      })
       return yield* pollAccessToken(deviceCode)
     })
 
@@ -402,6 +405,7 @@ export class GithubCopilotAuth extends ServiceMap.Service<
     )
 
     return GithubCopilotAuth.of({
+      verifyUrl: ISSUER + DEVICE_VERIFICATION_URL,
       get: semaphore.withPermit(getNoLock),
       authenticate: semaphore.withPermit(authenticateNoLock),
       logout: semaphore.withPermit(Effect.uninterruptible(clearToken)),