codex-auth-automation 0.1.0

package/src/oauth-flow.ts

@@ -0,0 +1,253 @@
+import { chromium, Browser, BrowserContext, Page } from 'playwright';
+import http from 'http';
+import crypto from 'crypto';
+import url from 'url';
+import path from 'path';
+import fs from 'fs';
+
+export class OAuthFlowError extends Error {
+  constructor(message: string) {
+    super(message);
+    this.name = 'OAuthFlowError';
+  }
+}
+
+const AUTHORIZE_URL = 'https://auth.openai.com/oauth/authorize';
+const TOKEN_URL = 'https://auth.openai.com/oauth/token';
+const CLIENT_ID = 'app_EMoamEEZ73f0CkXaXp7hrann';
+const SCOPES = ['openid', 'profile', 'email', 'offline_access', 'api.connectors.read', 'api.connectors.invoke'];
+const REDIRECT_PORT = 1455;
+const DEBUG_DIR = path.join(process.cwd(), 'debug');
+
+function generatePkce() {
+  const raw = crypto.randomBytes(32);
+  const codeVerifier = raw.toString('base64url');
+  const digest = crypto.createHash('sha256').update(codeVerifier).digest();
+  const codeChallenge = digest.toString('base64url');
+  return { codeVerifier, codeChallenge };
+}
+
+function generateState() {
+  return crypto.randomBytes(32).toString('base64url');
+}
+
+function buildAuthUrl(codeChallenge: string, state: string): string {
+  const params = new URLSearchParams({
+    client_id: CLIENT_ID,
+    redirect_uri: `http://localhost:${REDIRECT_PORT}/auth/callback`,
+    response_type: 'code',
+    scope: SCOPES.join(' '),
+    code_challenge: codeChallenge,
+    code_challenge_method: 'S256',
+    id_token_add_organizations: 'true',
+    codex_cli_simplified_flow: 'true',
+    state,
+    originator: 'opencode',
+  });
+  return `${AUTHORIZE_URL}?${params.toString()}`;
+}
+
+function startCallbackServer(): Promise<{ code: string; server: http.Server }> {
+  return new Promise((resolve, reject) => {
+    const server = http.createServer((req, res) => {
+      const parsed = url.parse(req.url || '', true);
+      const code = parsed.query.code as string | undefined;
+
+      if (code) {
+        res.writeHead(200, { 'Content-Type': 'text/html' });
+        res.end('<h1>Login successful!</h1><p>Close this window.</p>');
+        server.close(() => resolve({ code, server }));
+      } else {
+        res.writeHead(400);
+        res.end('No code found.');
+      }
+    });
+
+    server.listen(REDIRECT_PORT);
+    server.on('error', reject);
+  });
+}
+
+async function exchangeCode(code: string, codeVerifier: string): Promise<Record<string, any>> {
+  const data = new URLSearchParams({
+    grant_type: 'authorization_code',
+    code,
+    redirect_uri: `http://localhost:${REDIRECT_PORT}/auth/callback`,
+    client_id: CLIENT_ID,
+    code_verifier: codeVerifier,
+  });
+
+  const resp = await fetch(TOKEN_URL, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+    body: data.toString(),
+  });
+
+  if (!resp.ok) {
+    const text = await resp.text();
+    throw new OAuthFlowError(`Token exchange failed (HTTP ${resp.status}): ${text.slice(0, 300)}`);
+  }
+
+  return resp.json() as Promise<Record<string, any>>;
+}
+
+async function findElement(page: Page, selectors: string[], timeout = 10000) {
+  for (const sel of selectors) {
+    try {
+      const el = await page.waitForSelector(sel, { timeout });
+      if (el) return el;
+    } catch { /* empty */ }
+  }
+  throw new OAuthFlowError(`Element not found. Tried: ${selectors.join(', ')}. URL: ${page.url()}`);
+}
+
+async function handleConsent(page: Page) {
+  try {
+    const btn = await page.$('button:has-text("Continue"), button:has-text("Allow"), button:has-text("Authorize"), button:has-text("Accept")');
+    if (btn) {
+      const text = await btn.innerText();
+      console.log(`  Clicking: '${text.trim()}'`);
+      await btn.click();
+      await page.waitForTimeout(2000);
+    }
+  } catch {
+    // No consent page
+  }
+}
+
+async function saveScreenshot(page: Page, name: string) {
+  try {
+    fs.mkdirSync(DEBUG_DIR, { recursive: true });
+    const filePath = path.join(DEBUG_DIR, `${name}_${Date.now()}.png`);
+    await page.screenshot({ path: filePath });
+    console.log(`  Screenshot: ${filePath}`);
+  } catch {
+    // Screenshot failed, non-critical
+  }
+}
+
+export interface BrowserSignupResult {
+  tokens: Record<string, any>;
+  email: string;
+}
+
+export async function browserSignup(
+  email: string,
+  otpCode: string,
+  headless = true,
+): Promise<Record<string, any>> {
+  const { codeVerifier, codeChallenge } = generatePkce();
+  const state = generateState();
+  const authUrl = buildAuthUrl(codeChallenge, state);
+  const callbackPromise = startCallbackServer();
+
+  let browser: Browser | null = null;
+  let context: BrowserContext | null = null;
+  let page: Page | null = null;
+
+  try {
+    browser = await chromium.launch({
+      headless,
+      args: ['--disable-blink-features=AutomationControlled', '--no-sandbox'],
+    });
+    context = await browser.newContext({
+      userAgent: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36',
+      viewport: { width: 1280, height: 800 },
+    });
+    page = await context.newPage();
+
+    console.log('  [1/6] Navigating to OpenAI auth...');
+    await page.goto(authUrl, { waitUntil: 'domcontentloaded', timeout: 30000 });
+    await page.waitForTimeout(3000);
+
+    console.log(`  [2/6] Entering email: ${email}...`);
+    const emailInput = await findElement(page, [
+      'input[name="email"]',
+      'input[name="username"]',
+      'input[type="email"]',
+      'input[placeholder*="email" i]',
+    ]);
+    await emailInput.fill(email);
+    await page.waitForTimeout(500);
+
+    const contBtn = await findElement(page, [
+      'button[type="submit"]',
+      'button:has-text("Continue")',
+      'button:has-text("Next")',
+    ]);
+    await contBtn.click();
+    await page.waitForTimeout(3000);
+
+    console.log('  [3/6] Using one-time code login...');
+    const otpLink = await page.$(
+      'button:has-text("one-time code"), a:has-text("one-time code"), button:has-text("Log in with a one-time code"), a:has-text("Log in with a one-time code")',
+    );
+
+    if (otpLink) {
+      await otpLink.click();
+      await page.waitForTimeout(3000);
+
+      const otpEmailInput = await page.$('input[name="email"], input[type="email"]');
+      if (otpEmailInput) {
+        await otpEmailInput.fill(email);
+        await page.waitForTimeout(300);
+        const otpSubmit = await page.$('button[type="submit"], button:has-text("Continue")');
+        if (otpSubmit) {
+          await otpSubmit.click();
+          await page.waitForTimeout(2000);
+        }
+      }
+
+      console.log(`  [4/6] Entering OTP code: ${otpCode}...`);
+      const codeField = await findElement(page, [
+        'input[name="code"]',
+        'input[type="text"]',
+        'input[inputmode="numeric"]',
+        'input[placeholder*="ode" i]',
+      ], 10000);
+      await codeField.fill(otpCode);
+      await page.waitForTimeout(500);
+
+      const verifyBtn = await findElement(page, [
+        'button[type="submit"]',
+        'button:has-text("Continue")',
+        'button:has-text("Verify")',
+      ]);
+      await verifyBtn.click();
+      await page.waitForTimeout(5000);
+    } else {
+      console.log('  [3/6] No OTP link found, checking page state...');
+    }
+
+    console.log('  [5/6] Handling consent page...');
+    await page.waitForTimeout(2000);
+    await handleConsent(page);
+
+    console.log('  [6/6] Waiting for OAuth callback...');
+    const { code } = await callbackPromise;
+    console.log(`  Got OAuth code: ${code.slice(0, 20)}...`);
+
+    console.log('  Exchanging code for tokens...');
+    const tokens = await exchangeCode(code, codeVerifier);
+    return tokens;
+  } catch (err) {
+    if (page) {
+      await saveScreenshot(page, 'browser_signup_error');
+    }
+    if (browser) {
+      await browser.close();
+    }
+    throw new OAuthFlowError(`Browser signup failed: ${err instanceof Error ? err.message : String(err)}`);
+  }
+}
+
+export async function fullBrowserFlow(
+  email: string,
+  otpCode: string,
+  headless = true,
+): Promise<Record<string, any>> {
+  console.log('[Browser Flow] Starting OAuth flow...');
+  const tokens = await browserSignup(email, otpCode, headless);
+  console.log(`[Browser Flow] Tokens received for ${email}`);
+  return tokens;
+}

package/src/token-store.ts

@@ -0,0 +1,244 @@
+import fs from 'fs';
+import path from 'path';
+import crypto from 'crypto';
+
+export class TokenStoreError extends Error {
+  constructor(message: string) {
+    super(message);
+    this.name = 'TokenStoreError';
+  }
+}
+
+export interface Account {
+  accessToken: string;
+  refreshToken: string;
+  idToken: string;
+  accountId?: string;
+  expiresAt: number;
+  email: string;
+  lastRefresh: string;
+  lastSeenAt: number;
+  addedAt: number;
+  source: string;
+  authInvalid: boolean;
+  usageCount: number;
+  enabled: boolean;
+  quota: unknown;
+  rateLimitHistory?: unknown[];
+}
+
+export interface StoreData {
+  version: number;
+  accounts: Account[];
+  activeIndex: number;
+  rotationIndex: number;
+  lastRotation: number;
+}
+
+function defaultStore(): StoreData {
+  return {
+    version: 2,
+    accounts: [],
+    activeIndex: 0,
+    rotationIndex: 0,
+    lastRotation: Date.now(),
+  };
+}
+
+function decodeJwt(token: string): Record<string, unknown> | null {
+  if (!token) return null;
+  try {
+    const parts = token.split('.');
+    if (parts.length !== 3) return null;
+    const payload = parts[1].replace(/-/g, '+').replace(/_/g, '/');
+    const padded = payload.padEnd(payload.length + ((4 - (payload.length % 4)) % 4), '=');
+    return JSON.parse(Buffer.from(padded, 'base64').toString('utf-8'));
+  } catch {
+    return null;
+  }
+}
+
+function getExpiryFromClaims(claims: Record<string, unknown> | null): number | null {
+  if (!claims) return null;
+  const exp = claims.exp;
+  if (typeof exp === 'number') return Math.floor(exp * 1000);
+  return null;
+}
+
+function getAccountId(claims: Record<string, unknown> | null): string | null {
+  if (!claims) return null;
+  const auth = claims['https://api.openai.com/auth'] as Record<string, unknown> | undefined;
+  if (auth && typeof auth.chatgpt_account_id === 'string') return auth.chatgpt_account_id;
+  return null;
+}
+
+export class TokenStore {
+  private storePath: string;
+  private store: StoreData;
+
+  constructor(storePath?: string) {
+    this.storePath = storePath || path.join(
+      process.env.HOME || process.env.USERPROFILE || '',
+      '.config',
+      'opencode',
+      'codex-automation-accounts.json',
+    );
+    fs.mkdirSync(path.dirname(this.storePath), { recursive: true });
+    this.store = this.load();
+  }
+
+  get path(): string {
+    return this.storePath;
+  }
+
+  private load(): StoreData {
+    if (!fs.existsSync(this.storePath)) return defaultStore();
+    try {
+      const data = JSON.parse(fs.readFileSync(this.storePath, 'utf-8'));
+      if (typeof data !== 'object' || !Array.isArray(data.accounts)) return defaultStore();
+      return {
+        version: data.version || 2,
+        accounts: data.accounts,
+        activeIndex: data.activeIndex ?? 0,
+        rotationIndex: data.rotationIndex ?? 0,
+        lastRotation: data.lastRotation ?? Date.now(),
+      };
+    } catch {
+      return defaultStore();
+    }
+  }
+
+  save(): void {
+    fs.mkdirSync(path.dirname(this.storePath), { recursive: true });
+    if (fs.existsSync(this.storePath)) {
+      fs.copyFileSync(this.storePath, this.storePath + '.bak');
+    }
+    const tmpPath = `${this.storePath}.tmp-${process.pid}-${Date.now()}`;
+    fs.writeFileSync(tmpPath, JSON.stringify(this.store, null, 2));
+    fs.renameSync(tmpPath, this.storePath);
+    fs.chmodSync(this.storePath, 0o600);
+  }
+
+  addAccount(tokens: Record<string, unknown>, email: string): number {
+    const nowMs = Date.now();
+    const nowIso = new Date().toISOString();
+
+    const accessClaims = decodeJwt(String(tokens.access_token || ''));
+    const idClaims = decodeJwt(String(tokens.id_token || ''));
+
+    const expiresIn = typeof tokens.expires_in === 'number' ? tokens.expires_in : 3600;
+    const expiresAt = getExpiryFromClaims(accessClaims)
+      || getExpiryFromClaims(idClaims)
+      || nowMs + (expiresIn as number) * 1000;
+
+    const accountId = getAccountId(accessClaims) || getAccountId(idClaims);
+
+    const newAccount: Account = {
+      accessToken: String(tokens.access_token || ''),
+      refreshToken: String(tokens.refresh_token || ''),
+      idToken: String(tokens.id_token || ''),
+      accountId: accountId || undefined,
+      expiresAt,
+      email,
+      lastRefresh: nowIso,
+      lastSeenAt: nowMs,
+      addedAt: nowMs,
+      source: 'opencode',
+      authInvalid: false,
+      usageCount: 0,
+      enabled: true,
+      quota: null,
+    };
+
+    const existingIdx = this.store.accounts.findIndex((a) => a.email === email);
+    if (existingIdx >= 0) {
+      const old = this.store.accounts[existingIdx];
+      this.store.accounts[existingIdx] = {
+        ...old,
+        ...newAccount,
+        usageCount: old.usageCount,
+        addedAt: old.addedAt,
+        rateLimitHistory: old.rateLimitHistory,
+      };
+      this.save();
+      return existingIdx;
+    }
+
+    this.store.accounts.push(newAccount);
+    const idx = this.store.accounts.length - 1;
+    if (this.store.activeIndex < 0) this.store.activeIndex = idx;
+    this.save();
+    return idx;
+  }
+
+  getAccount(index: number): Account | null {
+    return this.store.accounts[index] || null;
+  }
+
+  getActiveAccount(): { index: number; account: Account } | null {
+    const idx = this.store.activeIndex;
+    const accounts = this.store.accounts;
+    if (!accounts.length) return null;
+
+    for (let offset = 0; offset < accounts.length; offset++) {
+      const i = (idx + offset) % accounts.length;
+      const acc = accounts[i];
+      if (acc.enabled && !acc.authInvalid) return { index: i, account: acc };
+    }
+    return null;
+  }
+
+  setActive(index: number): void {
+    if (index >= 0 && index < this.store.accounts.length) {
+      this.store.activeIndex = index;
+      this.save();
+    }
+  }
+
+  removeAccount(index: number): void {
+    if (index >= 0 && index < this.store.accounts.length) {
+      this.store.accounts.splice(index, 1);
+      if (this.store.activeIndex >= this.store.accounts.length) {
+        this.store.activeIndex = Math.max(0, this.store.accounts.length - 1);
+      }
+      if (this.store.accounts.length > 0) this.save();
+    }
+  }
+
+  listAccounts(): Array<{ index: number; email: string; enabled: boolean; authInvalid: boolean; expiresAt: number; usageCount: number; quota: unknown }> {
+    return this.store.accounts.map((acc, i) => ({
+      index: i,
+      email: acc.email,
+      enabled: acc.enabled,
+      authInvalid: acc.authInvalid,
+      expiresAt: acc.expiresAt,
+      usageCount: acc.usageCount,
+      quota: acc.quota,
+    }));
+  }
+
+  cleanInvalid(): number {
+    const nowMs = Date.now();
+    const originalCount = this.store.accounts.length;
+    this.store.accounts = this.store.accounts.filter(
+      (acc) => !acc.authInvalid && acc.expiresAt > nowMs,
+    );
+    const removed = originalCount - this.store.accounts.length;
+    if (removed > 0) {
+      if (this.store.accounts.length > 0) {
+        this.store.activeIndex = Math.min(this.store.activeIndex, this.store.accounts.length - 1);
+      } else {
+        this.store.activeIndex = 0;
+      }
+      this.save();
+    }
+    return removed;
+  }
+
+  updateAccount(index: number, updates: Partial<Account>): void {
+    if (index >= 0 && index < this.store.accounts.length) {
+      Object.assign(this.store.accounts[index], updates);
+      this.save();
+    }
+  }
+}

package/tsconfig.json

@@ -0,0 +1,19 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "commonjs",
+    "lib": ["ES2022"],
+    "outDir": "./dist",
+    "rootDir": "./src",
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "resolveJsonModule": true,
+    "declaration": true,
+    "declarationMap": true,
+    "sourceMap": true
+  },
+  "include": ["src/**/*"],
+  "exclude": ["node_modules", "dist"]
+}