opencode-copilot-account-switcher 0.12.4 → 0.13.0

package/dist/codex-oauth.d.ts

@@ -0,0 +1,39 @@
+export type TokenResponse = {
+    id_token?: string;
+    access_token?: string;
+    refresh_token?: string;
+    expires_in?: number;
+};
+export type IdTokenClaims = {
+    chatgpt_account_id?: string;
+    organizations?: Array<{
+        id: string;
+    }>;
+    email?: string;
+    "https://api.openai.com/auth"?: {
+        chatgpt_account_id?: string;
+    };
+};
+export type CodexOAuthAccount = {
+    refresh?: string;
+    access?: string;
+    expires?: number;
+    accountId?: string;
+    email?: string;
+};
+type OAuthMode = "browser" | "headless";
+type RunCodexOAuthInput = {
+    now?: () => number;
+    timeoutMs?: number;
+    fetchImpl?: typeof globalThis.fetch;
+    selectMode?: () => Promise<OAuthMode | undefined>;
+    runBrowserAuth?: () => Promise<TokenResponse>;
+    runDeviceAuth?: () => Promise<TokenResponse>;
+    openUrl?: (url: string) => Promise<void>;
+    log?: (message: string) => void;
+};
+export declare function parseJwtClaims(token: string): IdTokenClaims | undefined;
+export declare function extractAccountIdFromClaims(claims: IdTokenClaims): string | undefined;
+export declare function extractAccountId(tokens: TokenResponse): string | undefined;
+export declare function runCodexOAuth(input?: RunCodexOAuthInput): Promise<CodexOAuthAccount | undefined>;
+export {};

package/dist/codex-oauth.js

@@ -0,0 +1,316 @@
+import { randomBytes, createHash } from "node:crypto";
+import { createServer } from "node:http";
+import { spawn } from "node:child_process";
+import os from "node:os";
+import { createInterface } from "node:readline/promises";
+import { stdin as input, stdout as output, platform } from "node:process";
+const CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
+const ISSUER = "https://auth.openai.com";
+const OAUTH_PORT = 1455;
+const OAUTH_TIMEOUT_MS = 5 * 60 * 1000;
+const OAUTH_POLLING_SAFETY_MARGIN_MS = 3000;
+const USER_AGENT = `opencode-copilot-account-switcher (${platform} ${os.release()}; ${os.arch()})`;
+const HTML_SUCCESS = `<!doctype html>
+<html>
+  <head>
+    <title>Codex Authorization Successful</title>
+  </head>
+  <body>
+    <h1>Authorization Successful</h1>
+    <p>You can close this window and return to OpenCode.</p>
+    <script>
+      setTimeout(() => window.close(), 2000)
+    </script>
+  </body>
+</html>`;
+const htmlError = (message) => `<!doctype html>
+<html>
+  <head>
+    <title>Codex Authorization Failed</title>
+  </head>
+  <body>
+    <h1>Authorization Failed</h1>
+    <p>${message}</p>
+  </body>
+</html>`;
+function base64UrlEncode(input) {
+    const bytes = input instanceof Uint8Array ? input : new Uint8Array(input);
+    return Buffer.from(bytes)
+        .toString("base64")
+        .replace(/\+/g, "-")
+        .replace(/\//g, "_")
+        .replace(/=+$/g, "");
+}
+function generateRandomString(length) {
+    const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
+    const bytes = randomBytes(length);
+    return Array.from(bytes, (byte) => chars[byte % chars.length]).join("");
+}
+async function generatePKCE() {
+    const verifier = generateRandomString(43);
+    const challenge = base64UrlEncode(createHash("sha256").update(verifier).digest());
+    return { verifier, challenge };
+}
+function generateState() {
+    return base64UrlEncode(randomBytes(32));
+}
+export function parseJwtClaims(token) {
+    const parts = token.split(".");
+    if (parts.length !== 3)
+        return undefined;
+    try {
+        return JSON.parse(Buffer.from(parts[1], "base64url").toString());
+    }
+    catch {
+        return undefined;
+    }
+}
+export function extractAccountIdFromClaims(claims) {
+    return (claims.chatgpt_account_id
+        || claims["https://api.openai.com/auth"]?.chatgpt_account_id
+        || claims.organizations?.[0]?.id);
+}
+export function extractAccountId(tokens) {
+    if (tokens.id_token) {
+        const claims = parseJwtClaims(tokens.id_token);
+        const accountId = claims && extractAccountIdFromClaims(claims);
+        if (accountId)
+            return accountId;
+    }
+    if (!tokens.access_token)
+        return undefined;
+    const claims = parseJwtClaims(tokens.access_token);
+    return claims ? extractAccountIdFromClaims(claims) : undefined;
+}
+function extractEmail(tokens) {
+    if (tokens.id_token) {
+        const claims = parseJwtClaims(tokens.id_token);
+        if (claims?.email)
+            return claims.email;
+    }
+    if (!tokens.access_token)
+        return undefined;
+    return parseJwtClaims(tokens.access_token)?.email;
+}
+function buildAuthorizeUrl(redirectUri, pkce, state) {
+    const params = new URLSearchParams({
+        response_type: "code",
+        client_id: CLIENT_ID,
+        redirect_uri: redirectUri,
+        scope: "openid profile email offline_access",
+        code_challenge: pkce.challenge,
+        code_challenge_method: "S256",
+        id_token_add_organizations: "true",
+        codex_cli_simplified_flow: "true",
+        state,
+        originator: "opencode",
+    });
+    return `${ISSUER}/oauth/authorize?${params.toString()}`;
+}
+async function promptText(message) {
+    const rl = createInterface({ input, output });
+    try {
+        return (await rl.question(message)).trim();
+    }
+    finally {
+        rl.close();
+    }
+}
+async function selectModeDefault() {
+    const value = (await promptText("OpenAI/Codex login mode ([1] browser, [2] headless, Enter to cancel): ")).toLowerCase();
+    if (!value)
+        return undefined;
+    if (value === "1" || value === "browser" || value === "b")
+        return "browser";
+    if (value === "2" || value === "headless" || value === "h" || value === "device")
+        return "headless";
+    return undefined;
+}
+async function openUrlDefault(url) {
+    if (process.platform === "win32") {
+        await new Promise((resolve, reject) => {
+            const child = spawn("cmd", ["/c", "start", "", url], { stdio: "ignore", windowsHide: true });
+            child.on("error", reject);
+            child.on("exit", (code) => {
+                if (code && code !== 0)
+                    reject(new Error(`failed to open browser: ${code}`));
+                else
+                    resolve();
+            });
+        });
+        return;
+    }
+    const command = process.platform === "darwin" ? "open" : "xdg-open";
+    await new Promise((resolve, reject) => {
+        const child = spawn(command, [url], { stdio: "ignore" });
+        child.on("error", reject);
+        child.on("exit", (code) => {
+            if (code && code !== 0)
+                reject(new Error(`failed to open browser: ${code}`));
+            else
+                resolve();
+        });
+    });
+}
+async function exchangeCodeForTokens(input) {
+    const response = await input.fetchImpl(`${ISSUER}/oauth/token`, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: new URLSearchParams({
+            grant_type: "authorization_code",
+            code: input.code,
+            redirect_uri: input.redirectUri,
+            client_id: CLIENT_ID,
+            code_verifier: input.verifier,
+        }).toString(),
+    });
+    if (!response.ok) {
+        throw new Error(`Token exchange failed: ${response.status}`);
+    }
+    return response.json();
+}
+async function runBrowserAuthDefault(input) {
+    const pkce = await generatePKCE();
+    const state = generateState();
+    const redirectUri = `http://localhost:${OAUTH_PORT}/auth/callback`;
+    const authUrl = buildAuthorizeUrl(redirectUri, pkce, state);
+    const tokens = await new Promise((resolve, reject) => {
+        let closed = false;
+        const finish = (handler) => {
+            if (closed)
+                return;
+            closed = true;
+            clearTimeout(timeout);
+            void server.close(() => handler());
+        };
+        const respond = (res, status, body) => {
+            res.statusCode = status;
+            res.setHeader("Content-Type", "text/html");
+            res.end(body);
+        };
+        const server = createServer((req, res) => {
+            const url = new URL(req.url ?? "/", redirectUri);
+            if (url.pathname !== "/auth/callback") {
+                respond(res, 404, htmlError("Not found"));
+                return;
+            }
+            const code = url.searchParams.get("code");
+            const returnedState = url.searchParams.get("state");
+            const error = url.searchParams.get("error");
+            const errorDescription = url.searchParams.get("error_description");
+            if (error) {
+                const message = errorDescription || error;
+                respond(res, 400, htmlError(message));
+                finish(() => reject(new Error(message)));
+                return;
+            }
+            if (!code) {
+                respond(res, 400, htmlError("Missing authorization code"));
+                finish(() => reject(new Error("Missing authorization code")));
+                return;
+            }
+            if (returnedState !== state) {
+                respond(res, 400, htmlError("Invalid state - potential CSRF attack"));
+                finish(() => reject(new Error("Invalid state - potential CSRF attack")));
+                return;
+            }
+            respond(res, 200, HTML_SUCCESS);
+            void exchangeCodeForTokens({
+                code,
+                redirectUri,
+                verifier: pkce.verifier,
+                fetchImpl: input.fetchImpl,
+            }).then((result) => finish(() => resolve(result)), (error) => finish(() => reject(error instanceof Error ? error : new Error(String(error)))));
+        });
+        server.on("error", reject);
+        server.listen(OAUTH_PORT, async () => {
+            try {
+                input.log("Opening browser for OpenAI/Codex authorization...");
+                await input.openUrl(authUrl);
+            }
+            catch (error) {
+                finish(() => reject(error instanceof Error ? error : new Error(String(error))));
+            }
+        });
+        const timeout = setTimeout(() => {
+            finish(() => reject(new Error("OAuth callback timeout - authorization took too long")));
+        }, input.timeoutMs);
+    });
+    return tokens;
+}
+async function runDeviceAuthDefault(input) {
+    const deadline = Date.now() + input.timeoutMs;
+    const deviceResponse = await input.fetchImpl(`${ISSUER}/api/accounts/deviceauth/usercode`, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/json",
+            "User-Agent": USER_AGENT,
+        },
+        body: JSON.stringify({ client_id: CLIENT_ID }),
+    });
+    if (!deviceResponse.ok)
+        throw new Error("Failed to initiate device authorization");
+    const deviceData = await deviceResponse.json();
+    const interval = Math.max(parseInt(deviceData.interval) || 5, 1) * 1000;
+    input.log(`Open ${ISSUER}/codex/device and enter code: ${deviceData.user_code}`);
+    while (true) {
+        if (Date.now() >= deadline) {
+            throw new Error("Device authorization timeout - authorization took too long");
+        }
+        const response = await input.fetchImpl(`${ISSUER}/api/accounts/deviceauth/token`, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                "User-Agent": USER_AGENT,
+            },
+            body: JSON.stringify({
+                device_auth_id: deviceData.device_auth_id,
+                user_code: deviceData.user_code,
+            }),
+        });
+        if (response.ok) {
+            const data = await response.json();
+            return exchangeCodeForTokens({
+                code: data.authorization_code,
+                redirectUri: `${ISSUER}/deviceauth/callback`,
+                verifier: data.code_verifier,
+                fetchImpl: input.fetchImpl,
+            });
+        }
+        if (response.status !== 403 && response.status !== 404) {
+            throw new Error(`Device authorization failed: ${response.status}`);
+        }
+        if (Date.now() + interval + OAUTH_POLLING_SAFETY_MARGIN_MS >= deadline) {
+            throw new Error("Device authorization timeout - authorization took too long");
+        }
+        await new Promise((resolve) => setTimeout(resolve, interval + OAUTH_POLLING_SAFETY_MARGIN_MS));
+    }
+}
+function normalizeTokens(tokens, now) {
+    const refresh = tokens.refresh_token;
+    const access = tokens.access_token;
+    if (!refresh && !access)
+        return undefined;
+    return {
+        refresh,
+        access,
+        expires: now() + (tokens.expires_in ?? 3600) * 1000,
+        accountId: extractAccountId(tokens),
+        email: extractEmail(tokens),
+    };
+}
+export async function runCodexOAuth(input = {}) {
+    const now = input.now ?? Date.now;
+    const timeoutMs = input.timeoutMs ?? OAUTH_TIMEOUT_MS;
+    const fetchImpl = input.fetchImpl ?? globalThis.fetch;
+    const selectMode = input.selectMode ?? selectModeDefault;
+    const openUrl = input.openUrl ?? openUrlDefault;
+    const log = input.log ?? console.log;
+    const mode = await selectMode();
+    if (!mode)
+        return undefined;
+    const runBrowserAuth = input.runBrowserAuth ?? (() => runBrowserAuthDefault({ fetchImpl, openUrl, log, timeoutMs }));
+    const runDeviceAuth = input.runDeviceAuth ?? (() => runDeviceAuthDefault({ fetchImpl, log, timeoutMs }));
+    const tokens = mode === "headless" ? await runDeviceAuth() : await runBrowserAuth();
+    return normalizeTokens(tokens, now);
+}

package/dist/codex-status-command.js

@@ -1,6 +1,6 @@
 import { resolveCodexAuthSource } from "./codex-auth-source.js";
 import { fetchCodexStatus } from "./codex-status-fetcher.js";
-import { readCodexStore, writeCodexStore } from "./codex-store.js";
+import { getActiveCodexAccount, normalizeCodexStore, readCodexStore, writeCodexStore, } from "./codex-store.js";
 import { readAuth } from "./store.js";
 export class CodexStatusCommandHandledError extends Error {
     constructor() {
@@ -64,25 +64,58 @@ function renderStatus(status) {
     ].join("\n");
 }
 function renderCachedStatus(store) {
+    const active = getActiveCodexAccount(store);
+    const entry = active?.entry;
+    const snapshot = entry?.snapshot;
     return [
         "[identity]",
-        `account: ${value(store.account?.id ?? store.activeAccountId)}`,
-        `email: ${value(store.account?.email ?? store.activeEmail)}`,
-        `plan: ${value(store.account?.plan)}`,
+        `account: ${value(entry?.accountId ?? active?.name)}`,
+        `email: ${value(entry?.email)}`,
+        `plan: ${value(snapshot?.plan)}`,
         "[usage]",
-        renderWindow("5h", store.status?.premium ?? {}),
+        renderWindow("5h", snapshot?.usage5h ?? {}),
+        "week: n/a",
+        "credits: n/a",
+    ].join("\n");
+}
+function getCachedAccountForSource(store, input) {
+    const accountId = input.accountId;
+    if (accountId) {
+        const match = Object.entries(store.accounts).find(([, entry]) => entry.accountId === accountId);
+        if (match) {
+            return {
+                name: match[0],
+                entry: match[1],
+            };
+        }
+    }
+    return getActiveCodexAccount(store);
+}
+function renderCachedStatusForAccount(store, input) {
+    const active = getCachedAccountForSource(store, input);
+    const entry = active?.entry;
+    const snapshot = entry?.snapshot;
+    return [
+        "[identity]",
+        `account: ${value(entry?.accountId ?? active?.name)}`,
+        `email: ${value(entry?.email)}`,
+        `plan: ${value(snapshot?.plan)}`,
+        "[usage]",
+        renderWindow("5h", snapshot?.usage5h ?? {}),
         "week: n/a",
         "credits: n/a",
     ].join("\n");
 }
 function hasCachedStore(store) {
-    return Boolean(store.activeAccountId
-        || store.activeEmail
-        || store.account?.id
-        || store.account?.email
-        || store.account?.plan
-        || store.status?.premium?.entitlement !== undefined
-        || store.status?.premium?.remaining !== undefined);
+    const active = getActiveCodexAccount(store);
+    const entry = active?.entry;
+    const usage5h = entry?.snapshot?.usage5h;
+    return Boolean(active
+        || entry?.accountId
+        || entry?.email
+        || entry?.snapshot?.plan
+        || usage5h?.entitlement !== undefined
+        || usage5h?.remaining !== undefined);
 }
 async function defaultLoadAuth(client) {
     return defaultLoadAuthWithFallback({
@@ -197,11 +230,12 @@ export async function handleCodexStatusCommand(input) {
         },
     }));
     if (!fetched.ok) {
-        const cached = await readStore().catch(() => ({}));
+        const cachedRaw = await readStore().catch(() => ({}));
+        const cached = normalizeCodexStore(cachedRaw);
         if (hasCachedStore(cached)) {
             await showToast({
                 client: input.client,
-                message: `Codex status fetch failed (${fetched.error.message}); showing cached snapshot.\n${renderCachedStatus(cached)}`,
+                message: `Codex status fetch failed (${fetched.error.message}); showing cached snapshot.\n${renderCachedStatusForAccount(cached, { accountId: source.accountId })}`,
                 variant: "warning",
             });
         }
@@ -224,22 +258,45 @@ export async function handleCodexStatusCommand(input) {
             });
         });
     }
-    const previousStore = await readStore().catch(() => ({}));
+    const previousRaw = await readStore().catch(() => ({}));
+    const previousStore = normalizeCodexStore(previousRaw);
+    const previousActive = getActiveCodexAccount(previousStore);
+    const nextActive = fetched.status.identity.accountId
+        ?? source.accountId
+        ?? previousActive?.entry.accountId
+        ?? previousActive?.name
+        ?? "default";
+    const previousEntry = previousStore.accounts[nextActive] ?? {};
     const nextStore = {
         ...previousStore,
-        activeProvider: "codex",
-        activeAccountId: fetched.status.identity.accountId ?? source.accountId ?? previousStore.activeAccountId,
-        activeEmail: fetched.status.identity.email ?? previousStore.activeEmail,
-        lastStatusRefresh: fetched.status.updatedAt,
-        account: {
-            id: fetched.status.identity.accountId ?? previousStore.account?.id,
-            email: fetched.status.identity.email ?? previousStore.account?.email,
-            plan: fetched.status.identity.plan ?? previousStore.account?.plan,
-        },
-        status: {
-            premium: {
-                entitlement: fetched.status.windows.primary.entitlement,
-                remaining: fetched.status.windows.primary.remaining,
+        active: nextActive,
+        lastSnapshotRefresh: fetched.status.updatedAt,
+        accounts: {
+            ...previousStore.accounts,
+            [nextActive]: {
+                ...previousEntry,
+                name: previousEntry.name ?? nextActive,
+                providerId: previousEntry.providerId ?? "codex",
+                accountId: fetched.status.identity.accountId ?? previousEntry.accountId ?? source.accountId,
+                email: fetched.status.identity.email ?? previousEntry.email,
+                lastUsed: fetched.status.updatedAt,
+                snapshot: {
+                    ...(previousEntry.snapshot ?? {}),
+                    plan: fetched.status.identity.plan ?? previousEntry.snapshot?.plan,
+                    usage5h: {
+                        entitlement: fetched.status.windows.primary.entitlement,
+                        remaining: fetched.status.windows.primary.remaining,
+                        used: fetched.status.windows.primary.used,
+                        resetAt: fetched.status.windows.primary.resetAt,
+                    },
+                    usageWeek: {
+                        entitlement: fetched.status.windows.secondary.entitlement,
+                        remaining: fetched.status.windows.secondary.remaining,
+                        used: fetched.status.windows.secondary.used,
+                        resetAt: fetched.status.windows.secondary.resetAt,
+                    },
+                    updatedAt: fetched.status.updatedAt,
+                },
             },
         },
     };

package/dist/codex-store.d.ts

@@ -1,25 +1,48 @@
+type CodexUsageWindow = {
+    entitlement?: number;
+    remaining?: number;
+    used?: number;
+    resetAt?: number;
+};
 export type CodexAccountSnapshot = {
-    id?: string;
-    email?: string;
     plan?: string;
+    usage5h?: CodexUsageWindow;
+    usageWeek?: CodexUsageWindow;
+    updatedAt?: number;
+    error?: string;
 };
-export type CodexStatusSnapshot = {
-    premium?: {
-        entitlement?: number;
-        remaining?: number;
-    };
+export type CodexAccountEntry = {
+    name?: string;
+    providerId?: string;
+    refresh?: string;
+    access?: string;
+    expires?: number;
+    accountId?: string;
+    email?: string;
+    addedAt?: number;
+    lastUsed?: number;
+    source?: string;
+    snapshot?: CodexAccountSnapshot;
 };
 export type CodexStoreFile = {
-    activeProvider?: string;
-    activeAccountId?: string;
-    activeEmail?: string;
-    lastStatusRefresh?: number;
-    account?: CodexAccountSnapshot;
-    status?: CodexStatusSnapshot;
+    accounts: Record<string, CodexAccountEntry>;
+    active?: string;
+    activeAccountNames?: string[];
+    autoRefresh?: boolean;
+    refreshMinutes?: number;
+    lastSnapshotRefresh?: number;
+    bootstrapAuthImportTried?: boolean;
+    bootstrapAuthImportAt?: number;
 };
+export declare function normalizeCodexStore(input: unknown): CodexStoreFile;
 export declare function parseCodexStore(raw: string): CodexStoreFile;
+export declare function getActiveCodexAccount(store: CodexStoreFile): {
+    name: string;
+    entry: CodexAccountEntry;
+} | undefined;
 export declare function codexStorePath(): string;
 export declare function readCodexStore(filePath?: string): Promise<CodexStoreFile>;
 export declare function writeCodexStore(store: CodexStoreFile, options?: {
     filePath?: string;
 }): Promise<void>;
+export {};