ccproxy-api 0.1.6__py3-none-any.whl → 0.2.0__py3-none-any.whl

ccproxy/plugins/oauth_claude/storage.py

@@ -0,0 +1,212 @@
+"""Token storage for Claude OAuth plugin."""
+
+import asyncio
+import json
+import tempfile
+from pathlib import Path
+from typing import Any, cast
+
+from ccproxy.auth.storage.base import BaseJsonStorage
+from ccproxy.core.logging import get_plugin_logger
+
+from .models import ClaudeCredentials, ClaudeProfileInfo
+
+
+logger = get_plugin_logger()
+
+
+class ClaudeOAuthStorage(BaseJsonStorage[ClaudeCredentials]):
+    """Claude OAuth-specific token storage implementation."""
+
+    def __init__(self, storage_path: Path | None = None):
+        """Initialize Claude OAuth token storage.
+
+        Args:
+            storage_path: Path to storage file
+        """
+        if storage_path is None:
+            # Default to standard Claude credentials location
+            storage_path = Path.home() / ".claude" / ".credentials.json"
+
+        super().__init__(storage_path)
+        self.provider_name = "claude-api"
+
+    async def save(self, credentials: ClaudeCredentials) -> bool:
+        """Save Claude credentials.
+
+        Args:
+            credentials: Claude credentials to save
+
+        Returns:
+            True if saved successfully, False otherwise
+        """
+        try:
+            # Convert to dict for storage (uses by_alias=True by default)
+            data = credentials.model_dump(mode="json", exclude_none=True)
+
+            # Use parent class's atomic write with backup
+            await self._write_json(data)
+
+            logger.debug(
+                "claude_oauth_credentials_saved",
+                has_oauth=bool(credentials.claude_ai_oauth),
+                storage_path=str(self.file_path),
+                category="auth",
+            )
+            return True
+        except Exception as e:
+            logger.error(
+                "claude_oauth_save_failed", error=str(e), exc_info=e, category="auth"
+            )
+            return False
+
+    async def load(self) -> ClaudeCredentials | None:
+        """Load Claude credentials.
+
+        Returns:
+            Stored credentials or None
+        """
+        try:
+            # Use parent class's read method
+            data = await self._read_json()
+            if not data:
+                return None
+
+            credentials = ClaudeCredentials.model_validate(data)
+            logger.debug(
+                "claude_oauth_credentials_loaded",
+                has_oauth=bool(credentials.claude_ai_oauth),
+                category="auth",
+            )
+            return credentials
+        except Exception as e:
+            logger.error(
+                "claude_oauth_credentials_load_error",
+                error=str(e),
+                exc_info=e,
+                category="auth",
+            )
+            return None
+
+    # The exists(), delete(), and get_location() methods are inherited from BaseJsonStorage
+
+
+class ClaudeProfileStorage:
+    """Claude profile storage implementation for .account.json."""
+
+    def __init__(self, storage_path: Path | None = None):
+        """Initialize Claude profile storage.
+
+        Args:
+            storage_path: Path to storage file
+        """
+        if storage_path is None:
+            # Default to standard Claude account location
+            storage_path = Path.home() / ".claude" / ".account.json"
+
+        self.file_path = storage_path
+
+    async def _write_json(self, data: dict[str, Any]) -> None:
+        """Write JSON data to file atomically.
+
+        Args:
+            data: JSON data to write
+        """
+        # Ensure parent directory exists
+        self.file_path.parent.mkdir(parents=True, exist_ok=True)
+
+        # Write to temp file first for atomic operation
+        def write_file() -> None:
+            with tempfile.NamedTemporaryFile(
+                mode="w",
+                dir=self.file_path.parent,
+                delete=False,
+                prefix=".tmp_",
+                suffix=".json",
+            ) as tmp_file:
+                json.dump(data, tmp_file, indent=2)
+                tmp_path = Path(tmp_file.name)
+
+            # Set proper permissions before moving
+            tmp_path.chmod(0o600)
+            # Atomic rename
+            tmp_path.replace(self.file_path)
+
+        await asyncio.to_thread(write_file)
+
+    async def _read_json(self) -> dict[str, Any] | None:
+        """Read JSON data from file.
+
+        Returns:
+            Parsed JSON data or None if file doesn't exist
+        """
+        if not self.file_path.exists():
+            return None
+
+        def read_file() -> dict[str, Any]:
+            with self.file_path.open("r") as f:
+                return cast(dict[str, Any], json.load(f))
+
+        return cast(dict[str, Any], await asyncio.to_thread(read_file))
+
+    async def save_profile(self, profile_data: dict[str, Any]) -> bool:
+        """Save Claude profile data.
+
+        Args:
+            profile_data: Raw profile data from API
+
+        Returns:
+            True if saved successfully, False otherwise
+        """
+        try:
+            # Write the raw profile data
+            await self._write_json(profile_data)
+
+            # Extract key info for logging
+            account = profile_data.get("account", {})
+            logger.info(
+                "claude_profile_saved",
+                account_id=account.get("uuid"),
+                email=account.get("email"),
+                has_claude_pro=account.get("has_claude_pro"),
+                has_claude_max=account.get("has_claude_max"),
+                storage_path=str(self.file_path),
+                category="auth",
+            )
+            return True
+        except Exception as e:
+            logger.error(
+                "claude_profile_save_failed",
+                error=str(e),
+                exc_info=e,
+                category="auth",
+            )
+            return False
+
+    async def load_profile(self) -> ClaudeProfileInfo | None:
+        """Load Claude profile.
+
+        Returns:
+            ClaudeProfileInfo or None if not found
+        """
+        try:
+            data = await self._read_json()
+            if not data:
+                return None
+
+            profile = ClaudeProfileInfo.from_api_response(data)
+            logger.debug(
+                "claude_profile_loaded",
+                account_id=profile.account_id,
+                email=profile.email,
+                category="auth",
+            )
+            return profile
+        except Exception as e:
+            logger.error(
+                "claude_profile_load_error",
+                error=str(e),
+                exc_info=e,
+                category="auth",
+            )
+            return None

ccproxy/plugins/oauth_codex/README.md

@@ -0,0 +1,38 @@
+# OAuth Codex Plugin
+
+OAuth-only plugin that issues and refreshes tokens for the Codex provider.
+
+## Highlights
+- Provides `CodexOAuthProvider` implementing the OAuth dance for Codex APIs
+- Registers an auth manager consumable by `codex` and related plugins
+- Leverages shared HTTP client and hook infrastructure from the container
+
+## Configuration
+- `CodexOAuthConfig` configures client ID, secrets, scopes, and cache paths
+- Enable when using Codex endpoints that require OAuth tokens
+- Generate defaults with `python3 scripts/generate_config_from_model.py \
+  --format toml --plugin oauth_codex --config-class CodexOAuthConfig`
+
+```toml
+[plugins.oauth_codex]
+# enabled = true
+# base_url = "https://auth.openai.com"
+# token_url = "https://auth.openai.com/oauth/token"
+# authorize_url = "https://auth.openai.com/oauth/authorize"
+# profile_url = "https://api.openai.com/oauth/profile"
+# client_id = "app_EMoamEEZ73f0CkXaXp7hrann"
+# redirect_uri = "http://localhost:1455/auth/callback"
+# scopes = ["openid", "profile", "email", "offline_access"]
+# headers = {"User-Agent" = "Codex-Code/1.0.43"}
+# audience = "https://api.openai.com/v1"
+# user_agent = "Codex-Code/1.0.43"
+# request_timeout = 30
+# callback_timeout = 300
+# callback_port = 1455
+# use_pkce = true
+```
+
+## Related Components
+- `provider.py`: OAuth implementation for Codex credentials
+- `plugin.py`: runtime lifecycle for the auth plugin
+- `config.py`: settings model for OAuth parameters

ccproxy/plugins/oauth_codex/__init__.py

@@ -0,0 +1,14 @@
+"""OAuth Codex plugin for standalone OpenAI Codex OAuth authentication."""
+
+from .client import CodexOAuthClient
+from .config import CodexOAuthConfig
+from .provider import CodexOAuthProvider
+from .storage import CodexTokenStorage
+
+
+__all__ = [
+    "CodexOAuthClient",
+    "CodexOAuthConfig",
+    "CodexOAuthProvider",
+    "CodexTokenStorage",
+]

ccproxy/plugins/oauth_codex/client.py

@@ -0,0 +1,224 @@
+"""Codex/OpenAI OAuth client implementation."""
+
+from datetime import UTC, datetime
+from typing import Any
+
+import httpx
+import jwt
+from pydantic import SecretStr
+
+from ccproxy.auth.exceptions import OAuthError
+from ccproxy.auth.oauth.base import BaseOAuthClient
+from ccproxy.auth.storage.base import TokenStorage
+from ccproxy.config.settings import Settings
+from ccproxy.core.logging import get_plugin_logger
+
+from .config import CodexOAuthConfig
+from .models import OpenAICredentials, OpenAITokens
+
+
+logger = get_plugin_logger()
+
+
+class CodexOAuthClient(BaseOAuthClient[OpenAICredentials]):
+    """Codex/OpenAI OAuth implementation for the OAuth Codex plugin."""
+
+    def __init__(
+        self,
+        config: CodexOAuthConfig,
+        storage: TokenStorage[OpenAICredentials] | None = None,
+        http_client: httpx.AsyncClient | None = None,
+        hook_manager: Any | None = None,
+        settings: Settings | None = None,
+    ):
+        """Initialize Codex OAuth client.
+
+        Args:
+            config: OAuth configuration
+            storage: Token storage backend
+            http_client: Optional HTTP client (for request tracing support)
+            hook_manager: Optional hook manager for emitting events
+            settings: Optional settings for HTTP client configuration
+        """
+        self.oauth_config = config
+
+        # Resolve effective redirect URI from config
+        redirect_uri = config.get_redirect_uri()
+
+        # Initialize base class
+        super().__init__(
+            client_id=config.client_id,
+            redirect_uri=redirect_uri,
+            base_url=config.base_url,
+            scopes=config.scopes,
+            storage=storage,
+            http_client=http_client,
+            hook_manager=hook_manager,
+            settings=settings,
+        )
+
+    def _get_auth_endpoint(self) -> str:
+        """Get OpenAI OAuth authorization endpoint.
+
+        Returns:
+            Full authorization endpoint URL
+        """
+        return self.oauth_config.authorize_url
+
+    def _get_token_endpoint(self) -> str:
+        """Get OpenAI OAuth token exchange endpoint.
+
+        Returns:
+            Full token endpoint URL
+        """
+        return self.oauth_config.token_url
+
+    def get_custom_auth_params(self) -> dict[str, str]:
+        """Get OpenAI-specific authorization parameters.
+
+        Returns:
+            Dictionary of custom parameters
+        """
+        # OpenAI does not use the audience parameter in authorization requests
+        return {}
+
+    def get_custom_headers(self) -> dict[str, str]:
+        """Get OpenAI-specific HTTP headers.
+
+        Returns:
+            Dictionary of custom headers
+        """
+        return {
+            "User-Agent": self.oauth_config.user_agent,
+        }
+
+    async def parse_token_response(self, data: dict[str, Any]) -> OpenAICredentials:
+        """Parse OpenAI-specific token response.
+
+        Args:
+            data: Raw token response from OpenAI
+
+        Returns:
+            OpenAI credentials object
+
+        Raises:
+            OAuthError: If response parsing fails
+        """
+        try:
+            # Extract tokens
+            access_token: str = data["access_token"]
+            refresh_token: str = data.get("refresh_token", "")
+            id_token: str = data.get("id_token", "")
+
+            # Build credentials in the current nested schema; legacy inputs are also accepted
+            # by the model's validator if needed.
+            tokens = OpenAITokens(
+                id_token=SecretStr(id_token),
+                access_token=SecretStr(access_token),
+                refresh_token=SecretStr(refresh_token or ""),
+                account_id="",
+            )
+            credentials = OpenAICredentials(
+                OPENAI_API_KEY=None,
+                tokens=tokens,
+                last_refresh=datetime.now(UTC).replace(microsecond=0).isoformat(),
+                active=True,
+            )
+
+            # Try to extract account_id from JWT claims (id_token preferred)
+            try:
+                token_to_decode = id_token or access_token
+                decoded = jwt.decode(
+                    token_to_decode, options={"verify_signature": False}
+                )
+                account_id = (
+                    decoded.get("sub")
+                    or decoded.get("account_id")
+                    or decoded.get("org_id")
+                    or ""
+                )
+                # Pydantic model has properties mapping; update underlying field
+                credentials.tokens.account_id = str(account_id)
+                logger.debug(
+                    "codex_oauth_id_token_decoded",
+                    sub=decoded.get("sub"),
+                    email=decoded.get("email"),
+                    category="auth",
+                )
+            except Exception as e:
+                logger.warning(
+                    "codex_oauth_id_token_decode_error",
+                    error=str(e),
+                    exc_info=e,
+                    category="auth",
+                )
+
+            logger.info(
+                "codex_oauth_credentials_parsed",
+                has_refresh_token=bool(refresh_token),
+                has_id_token=bool(id_token),
+                account_id=credentials.account_id,
+                category="auth",
+            )
+
+            return credentials
+
+        except KeyError as e:
+            logger.error(
+                "codex_oauth_token_response_missing_field",
+                missing_field=str(e),
+                response_keys=list(data.keys()),
+                category="auth",
+            )
+            raise OAuthError(f"Missing required field in token response: {e}") from e
+        except Exception as e:
+            logger.error(
+                "codex_oauth_token_response_parse_error",
+                error=str(e),
+                error_type=type(e).__name__,
+                category="auth",
+            )
+            raise OAuthError(f"Failed to parse OpenAI token response: {e}") from e
+
+    async def refresh_token(self, refresh_token: str) -> OpenAICredentials:
+        """Refresh OpenAI access token.
+
+        Args:
+            refresh_token: Refresh token
+
+        Returns:
+            New OpenAI credentials
+
+        Raises:
+            OAuthError: If refresh fails
+        """
+        token_endpoint = self._get_token_endpoint()
+        data = {
+            "grant_type": "refresh_token",
+            "refresh_token": refresh_token,
+            "client_id": self.client_id,
+            "scope": "openid profile email offline_access",
+        }
+        headers = self.get_custom_headers()
+        headers["Content-Type"] = "application/x-www-form-urlencoded"
+
+        try:
+            response = await self.http_client.post(
+                token_endpoint,
+                data=data,  # OpenAI uses form encoding
+                headers=headers,
+                timeout=30.0,
+            )
+            response.raise_for_status()
+
+            token_response = response.json()
+            return await self.parse_token_response(token_response)
+
+        except Exception as e:
+            logger.error(
+                "codex_oauth_token_refresh_failed",
+                error=str(e),
+                exc_info=False,
+                category="auth",
+            )
+            raise OAuthError(f"Failed to refresh OpenAI token: {e}") from e

ccproxy/plugins/oauth_codex/config.py

@@ -0,0 +1,95 @@
+"""OpenAI Codex-specific configuration settings."""
+
+from pydantic import BaseModel, Field
+
+
+class CodexOAuthConfig(BaseModel):
+    """OAuth-specific configuration for OpenAI Codex."""
+
+    enabled: bool = Field(
+        default=True,
+        description="Enable the plugin",
+    )
+
+    # Core OAuth endpoints and identifiers (aligns with Claude config structure)
+    base_url: str = Field(
+        default="https://auth.openai.com",
+        description="Base URL for OAuth API endpoints",
+    )
+    token_url: str = Field(
+        default="https://auth.openai.com/oauth/token",
+        description="OAuth token endpoint URL",
+    )
+    authorize_url: str = Field(
+        default="https://auth.openai.com/oauth/authorize",
+        description="OAuth authorization endpoint URL",
+    )
+    profile_url: str = Field(
+        default="https://api.openai.com/oauth/profile",
+        description="OAuth profile endpoint URL",
+    )
+    client_id: str = Field(
+        default="app_EMoamEEZ73f0CkXaXp7hrann",
+        description="OpenAI OAuth client ID",
+    )
+    redirect_uri: str | None = Field(
+        default=None,
+        description="OAuth redirect URI (auto-generated from callback_port if not set)",
+    )
+    scopes: list[str] = Field(
+        default_factory=lambda: [
+            "openid",
+            "profile",
+            "email",
+            "offline_access",
+        ],
+        description="OAuth scopes to request",
+    )
+
+    # Additional request configuration (mirrors Claude config shape)
+    headers: dict[str, str] = Field(
+        default_factory=lambda: {
+            "User-Agent": "Codex-Code/1.0.43",  # Match default user agent in config
+        },
+        description="Additional headers for OAuth requests",
+    )
+    # Optional audience parameter for auth requests (OpenAI specific)
+    audience: str = Field(
+        default="https://api.openai.com/v1",
+        description="OAuth audience parameter for OpenAI",
+    )
+    # Convenience user agent string (mirrors headers[\"User-Agent\"]) for typed access
+    user_agent: str = Field(
+        default="Codex-Code/1.0.43",
+        description="User-Agent header value for OAuth requests",
+    )
+    request_timeout: int = Field(
+        default=30,
+        description="Timeout in seconds for OAuth requests",
+    )
+    callback_timeout: int = Field(
+        default=300,
+        description="Timeout in seconds for OAuth callback",
+        ge=60,
+        le=600,
+    )
+    callback_port: int = Field(
+        default=1455,
+        description="Port for OAuth callback server",
+        ge=1024,
+        le=65535,
+    )
+
+    def get_redirect_uri(self) -> str:
+        """Return redirect URI, auto-generated from callback_port when unset.
+
+        Uses the standard plugin callback path: `/auth/callback`.
+        """
+        if self.redirect_uri:
+            return self.redirect_uri
+        return f"http://localhost:{self.callback_port}/auth/callback"
+
+    use_pkce: bool = Field(
+        default=True,
+        description="Whether to use PKCE flow (OpenAI requires it)",
+    )