ccproxy-api 0.1.6__py3-none-any.whl → 0.2.0__py3-none-any.whl

ccproxy/auth/openai/credentials.py

@@ -1,166 +0,0 @@
-"""OpenAI credentials management for Codex authentication."""
-
-from datetime import UTC, datetime
-from typing import Any
-
-import jwt
-import structlog
-from pydantic import BaseModel, Field, field_validator
-
-from .storage import OpenAITokenStorage
-
-
-logger = structlog.get_logger(__name__)
-
-
-class OpenAICredentials(BaseModel):
-    """OpenAI authentication credentials model."""
-
-    access_token: str = Field(..., description="OpenAI access token (JWT)")
-    refresh_token: str = Field(..., description="OpenAI refresh token")
-    expires_at: datetime = Field(..., description="Token expiration timestamp")
-    account_id: str = Field(..., description="OpenAI account ID extracted from token")
-    active: bool = Field(default=True, description="Whether credentials are active")
-
-    @field_validator("expires_at", mode="before")
-    @classmethod
-    def parse_expires_at(cls, v: Any) -> datetime:
-        """Parse expiration timestamp."""
-        if isinstance(v, datetime):
-            # Ensure timezone-aware datetime
-            if v.tzinfo is None:
-                return v.replace(tzinfo=UTC)
-            return v
-
-        if isinstance(v, str):
-            # Handle ISO format strings
-            try:
-                dt = datetime.fromisoformat(v.replace("Z", "+00:00"))
-                if dt.tzinfo is None:
-                    dt = dt.replace(tzinfo=UTC)
-                return dt
-            except ValueError as e:
-                raise ValueError(f"Invalid datetime format: {v}") from e
-
-        if isinstance(v, int | float):
-            # Handle Unix timestamps
-            return datetime.fromtimestamp(v, tz=UTC)
-
-        raise ValueError(f"Cannot parse datetime from {type(v)}: {v}")
-
-    @field_validator("account_id", mode="before")
-    @classmethod
-    def extract_account_id(cls, v: Any, info: Any) -> str:
-        """Extract account ID from access token if not provided."""
-        if isinstance(v, str) and v:
-            return v
-
-        # Try to extract from access_token
-        access_token = None
-        if hasattr(info, "data") and info.data and isinstance(info.data, dict):
-            access_token = info.data.get("access_token")
-
-        if access_token and isinstance(access_token, str):
-            try:
-                # Decode JWT without verification to extract claims
-                decoded = jwt.decode(access_token, options={"verify_signature": False})
-                if "org_id" in decoded and isinstance(decoded["org_id"], str):
-                    return decoded["org_id"]
-                elif "sub" in decoded and isinstance(decoded["sub"], str):
-                    return decoded["sub"]
-                elif "account_id" in decoded and isinstance(decoded["account_id"], str):
-                    return decoded["account_id"]
-            except Exception as e:
-                logger.warning("Failed to extract account_id from token", error=str(e))
-
-        raise ValueError(
-            "account_id is required and could not be extracted from access_token"
-        )
-
-    def is_expired(self) -> bool:
-        """Check if the access token is expired."""
-        now = datetime.now(UTC)
-        return now >= self.expires_at
-
-    def expires_in_seconds(self) -> int:
-        """Get seconds until token expires."""
-        now = datetime.now(UTC)
-        delta = self.expires_at - now
-        return max(0, int(delta.total_seconds()))
-
-    def to_dict(self) -> dict[str, Any]:
-        """Convert to dictionary for storage."""
-        return {
-            "access_token": self.access_token,
-            "refresh_token": self.refresh_token,
-            "expires_at": self.expires_at.isoformat(),
-            "account_id": self.account_id,
-            "active": self.active,
-        }
-
-    @classmethod
-    def from_dict(cls, data: dict[str, Any]) -> "OpenAICredentials":
-        """Create from dictionary."""
-        return cls(**data)
-
-
-class OpenAITokenManager:
-    """Manages OpenAI token storage and refresh operations."""
-
-    def __init__(self, storage: OpenAITokenStorage | None = None):
-        """Initialize token manager.
-
-        Args:
-            storage: Token storage backend. If None, uses default TOML file storage.
-        """
-        self.storage = storage or OpenAITokenStorage()
-
-    async def load_credentials(self) -> OpenAICredentials | None:
-        """Load credentials from storage."""
-        try:
-            return await self.storage.load()
-        except Exception as e:
-            logger.error("Failed to load OpenAI credentials", error=str(e))
-            return None
-
-    async def save_credentials(self, credentials: OpenAICredentials) -> bool:
-        """Save credentials to storage."""
-        try:
-            return await self.storage.save(credentials)
-        except Exception as e:
-            logger.error("Failed to save OpenAI credentials", error=str(e))
-            return False
-
-    async def delete_credentials(self) -> bool:
-        """Delete credentials from storage."""
-        try:
-            return await self.storage.delete()
-        except Exception as e:
-            logger.error("Failed to delete OpenAI credentials", error=str(e))
-            return False
-
-    async def has_credentials(self) -> bool:
-        """Check if credentials exist."""
-        try:
-            return await self.storage.exists()
-        except Exception:
-            return False
-
-    async def get_valid_token(self) -> str | None:
-        """Get a valid access token, refreshing if necessary."""
-        credentials = await self.load_credentials()
-        if not credentials or not credentials.active:
-            return None
-
-        # If token is not expired, return it
-        if not credentials.is_expired():
-            return credentials.access_token
-
-        # TODO: Implement token refresh logic
-        # For now, return None if expired (user needs to re-authenticate)
-        logger.warning("OpenAI token expired, refresh not yet implemented")
-        return None
-
-    def get_storage_location(self) -> str:
-        """Get storage location description."""
-        return self.storage.get_location()

ccproxy/auth/openai/oauth_client.py

@@ -1,334 +0,0 @@
-"""OpenAI OAuth PKCE client implementation."""
-
-import asyncio
-import base64
-import contextlib
-import hashlib
-import secrets
-import urllib.parse
-import webbrowser
-from datetime import UTC, datetime, timedelta
-
-import httpx
-import structlog
-import uvicorn
-from fastapi import FastAPI, Request, Response
-from fastapi.responses import HTMLResponse
-
-from ccproxy.config.codex import CodexSettings
-
-from .credentials import OpenAICredentials, OpenAITokenManager
-
-
-logger = structlog.get_logger(__name__)
-
-
-class OpenAIOAuthClient:
-    """OpenAI OAuth PKCE flow client."""
-
-    def __init__(
-        self, settings: CodexSettings, token_manager: OpenAITokenManager | None = None
-    ):
-        """Initialize OAuth client.
-
-        Args:
-            settings: Codex configuration settings
-            token_manager: Token manager for credential storage
-        """
-        self.settings = settings
-        self.token_manager = token_manager or OpenAITokenManager()
-        self._server_task: asyncio.Task[None] | None = None
-        self._auth_complete = asyncio.Event()
-        self._auth_result: OpenAICredentials | None = None
-        self._auth_error: str | None = None
-
-    def _generate_pkce_pair(self) -> tuple[str, str]:
-        """Generate PKCE code verifier and challenge."""
-        # Generate code verifier (43-128 characters)
-        code_verifier = (
-            base64.urlsafe_b64encode(secrets.token_bytes(32)).decode().rstrip("=")
-        )
-
-        # Generate code challenge
-        code_challenge = (
-            base64.urlsafe_b64encode(hashlib.sha256(code_verifier.encode()).digest())
-            .decode()
-            .rstrip("=")
-        )
-
-        return code_verifier, code_challenge
-
-    def _build_auth_url(self, code_challenge: str, state: str) -> str:
-        """Build OAuth authorization URL."""
-        params = {
-            "response_type": "code",
-            "client_id": self.settings.oauth.client_id,
-            "redirect_uri": self.settings.get_redirect_uri(),
-            "scope": " ".join(self.settings.oauth.scopes),
-            "state": state,
-            "code_challenge": code_challenge,
-            "code_challenge_method": "S256",
-        }
-
-        query_string = urllib.parse.urlencode(params)
-        return f"{self.settings.oauth.base_url}/oauth/authorize?{query_string}"
-
-    async def _exchange_code_for_tokens(
-        self, code: str, code_verifier: str
-    ) -> OpenAICredentials:
-        """Exchange authorization code for tokens."""
-        token_url = f"{self.settings.oauth.base_url}/oauth/token"
-
-        data = {
-            "grant_type": "authorization_code",
-            "code": code,
-            "redirect_uri": self.settings.get_redirect_uri(),
-            "client_id": self.settings.oauth.client_id,
-            "code_verifier": code_verifier,
-        }
-
-        headers = {
-            "Content-Type": "application/x-www-form-urlencoded",
-            "Accept": "application/json",
-        }
-
-        async with httpx.AsyncClient() as client:
-            try:
-                response = await client.post(
-                    token_url, data=data, headers=headers, timeout=30.0
-                )
-                response.raise_for_status()
-
-                token_data = response.json()
-
-                # Calculate expiration time
-                expires_in = token_data.get("expires_in", 3600)  # Default 1 hour
-                expires_at = datetime.now(UTC).replace(microsecond=0) + timedelta(
-                    seconds=expires_in
-                )
-
-                # Create credentials (account_id will be extracted from access_token)
-                credentials = OpenAICredentials(
-                    access_token=token_data["access_token"],
-                    refresh_token=token_data.get("refresh_token", ""),
-                    expires_at=expires_at,
-                    account_id="",  # Will be auto-extracted by validator
-                    active=True,
-                )
-
-                return credentials
-
-            except httpx.HTTPStatusError as e:
-                error_detail = "Unknown error"
-                try:
-                    error_data = e.response.json()
-                    error_detail = error_data.get(
-                        "error_description", error_data.get("error", str(e))
-                    )
-                except Exception:
-                    error_detail = str(e)
-
-                raise ValueError(f"Token exchange failed: {error_detail}") from e
-            except Exception as e:
-                raise ValueError(f"Token exchange request failed: {e}") from e
-
-    def _create_callback_app(self, code_verifier: str, expected_state: str) -> FastAPI:
-        """Create FastAPI app to handle OAuth callback."""
-        app = FastAPI(title="OpenAI OAuth Callback")
-
-        @app.get("/auth/callback")
-        async def oauth_callback(request: Request) -> Response:
-            """Handle OAuth callback."""
-            params = dict(request.query_params)
-
-            # Check for error in callback
-            if "error" in params:
-                error_desc = params.get("error_description", params["error"])
-                self._auth_error = f"OAuth error: {error_desc}"
-                self._auth_complete.set()
-                return HTMLResponse(
-                    """
-                    <html>
-                    <head><title>Authentication Failed</title></head>
-                    <body>
-                        <h1>Authentication Failed</h1>
-                        <p>Error: """
-                    + error_desc
-                    + """</p>
-                        <p>You can close this window.</p>
-                        <script>setTimeout(() => window.close(), 3000);</script>
-                    </body>
-                    </html>
-                    """,
-                    status_code=400,
-                )
-
-            # Verify state parameter
-            received_state = params.get("state")
-            if received_state != expected_state:
-                self._auth_error = "Invalid state parameter"
-                self._auth_complete.set()
-                return HTMLResponse(
-                    """
-                    <html>
-                    <head><title>Authentication Failed</title></head>
-                    <body>
-                        <h1>Authentication Failed</h1>
-                        <p>Invalid state parameter. Possible CSRF attack.</p>
-                        <p>You can close this window.</p>
-                        <script>setTimeout(() => window.close(), 3000);</script>
-                    </body>
-                    </html>
-                    """,
-                    status_code=400,
-                )
-
-            # Get authorization code
-            auth_code = params.get("code")
-            if not auth_code:
-                self._auth_error = "No authorization code received"
-                self._auth_complete.set()
-                return HTMLResponse(
-                    """
-                    <html>
-                    <head><title>Authentication Failed</title></head>
-                    <body>
-                        <h1>Authentication Failed</h1>
-                        <p>No authorization code received.</p>
-                        <p>You can close this window.</p>
-                        <script>setTimeout(() => window.close(), 3000);</script>
-                    </body>
-                    </html>
-                    """,
-                    status_code=400,
-                )
-
-            # Exchange code for tokens
-            try:
-                credentials = await self._exchange_code_for_tokens(
-                    auth_code, code_verifier
-                )
-
-                # Save credentials
-                success = await self.token_manager.save_credentials(credentials)
-                if not success:
-                    raise ValueError("Failed to save credentials")
-
-                self._auth_result = credentials
-                self._auth_complete.set()
-
-                return HTMLResponse(
-                    """
-                    <html>
-                    <head><title>Authentication Successful</title></head>
-                    <body>
-                        <h1>Authentication Successful!</h1>
-                        <p>You have successfully authenticated with OpenAI.</p>
-                        <p>You can close this window and return to the terminal.</p>
-                        <script>setTimeout(() => window.close(), 3000);</script>
-                    </body>
-                    </html>
-                    """
-                )
-
-            except Exception as e:
-                logger.error("Token exchange failed", error=str(e))
-                self._auth_error = f"Token exchange failed: {e}"
-                self._auth_complete.set()
-                return HTMLResponse(
-                    f"""
-                    <html>
-                    <head><title>Authentication Failed</title></head>
-                    <body>
-                        <h1>Authentication Failed</h1>
-                        <p>Token exchange failed: {e}</p>
-                        <p>You can close this window.</p>
-                        <script>setTimeout(() => window.close(), 3000);</script>
-                    </body>
-                    </html>
-                    """,
-                    status_code=500,
-                )
-
-        return app
-
-    async def _run_callback_server(self, app: FastAPI) -> None:
-        """Run callback server."""
-        config = uvicorn.Config(
-            app=app,
-            host="127.0.0.1",
-            port=self.settings.callback_port,
-            log_level="warning",  # Reduce noise
-            access_log=False,
-        )
-        server = uvicorn.Server(config)
-        await server.serve()
-
-    async def authenticate(self, open_browser: bool = True) -> OpenAICredentials:
-        """Perform OAuth PKCE flow.
-
-        Args:
-            open_browser: Whether to automatically open browser
-
-        Returns:
-            OpenAI credentials
-
-        Raises:
-            ValueError: If authentication fails
-        """
-        # Reset state
-        self._auth_complete.clear()
-        self._auth_result = None
-        self._auth_error = None
-
-        # Generate PKCE parameters
-        code_verifier, code_challenge = self._generate_pkce_pair()
-        state = secrets.token_urlsafe(32)
-
-        # Create callback app
-        app = self._create_callback_app(code_verifier, state)
-
-        # Start callback server
-        self._server_task = asyncio.create_task(self._run_callback_server(app))
-
-        # Give server time to start
-        await asyncio.sleep(1)
-
-        # Build authorization URL
-        auth_url = self._build_auth_url(code_challenge, state)
-
-        logger.info("Starting OpenAI OAuth flow")
-        print("\nPlease visit this URL to authenticate with OpenAI:")
-        print(f"{auth_url}\n")
-
-        if open_browser:
-            try:
-                webbrowser.open(auth_url)
-                print("Opening browser...")
-            except Exception as e:
-                logger.warning("Failed to open browser automatically", error=str(e))
-                print("Please copy and paste the URL above into your browser.")
-
-        print("Waiting for authentication to complete...")
-
-        try:
-            # Wait for authentication to complete (with timeout)
-            await asyncio.wait_for(self._auth_complete.wait(), timeout=300)  # 5 minutes
-
-            if self._auth_error:
-                raise ValueError(self._auth_error)
-
-            if not self._auth_result:
-                raise ValueError("Authentication completed but no credentials received")
-
-            logger.info("OpenAI authentication successful")  # type: ignore[unreachable]
-            return self._auth_result
-
-        except TimeoutError as e:
-            raise ValueError("Authentication timed out (5 minutes)") from e
-        finally:
-            # Clean up server
-            if self._server_task and not self._server_task.done():
-                self._server_task.cancel()
-                with contextlib.suppress(asyncio.CancelledError):
-                    await self._server_task

ccproxy/auth/openai/storage.py

@@ -1,184 +0,0 @@
-"""JSON file storage for OpenAI credentials using Codex format."""
-
-import contextlib
-import json
-from datetime import UTC, datetime
-from pathlib import Path
-from typing import TYPE_CHECKING, Any
-
-import jwt
-import structlog
-
-
-if TYPE_CHECKING:
-    from .credentials import OpenAICredentials
-
-
-logger = structlog.get_logger(__name__)
-
-
-class OpenAITokenStorage:
-    """JSON file-based storage for OpenAI credentials using Codex format."""
-
-    def __init__(self, file_path: Path | None = None):
-        """Initialize storage with file path.
-
-        Args:
-            file_path: Path to JSON file. If None, uses ~/.codex/auth.json
-        """
-        self.file_path = file_path or Path.home() / ".codex" / "auth.json"
-
-    async def load(self) -> "OpenAICredentials | None":
-        """Load credentials from Codex JSON file."""
-        if not self.file_path.exists():
-            return None
-
-        try:
-            with self.file_path.open("r") as f:
-                data = json.load(f)
-
-            # Extract tokens section
-            tokens = data.get("tokens", {})
-            if not tokens:
-                logger.warning("No tokens section found in Codex auth file")
-                return None
-
-            # Get required fields
-            access_token = tokens.get("access_token")
-            refresh_token = tokens.get("refresh_token")
-            account_id = tokens.get("account_id")
-
-            if not access_token:
-                logger.warning("No access_token found in Codex auth file")
-                return None
-
-            # Extract expiration from JWT token
-            expires_at = self._extract_expiration_from_token(access_token)
-            if not expires_at:
-                logger.warning("Could not extract expiration from access token")
-                return None
-
-            # Import here to avoid circular import
-            from .credentials import OpenAICredentials
-
-            # Create credentials object
-            credentials_data = {
-                "access_token": access_token,
-                "refresh_token": refresh_token or "",
-                "expires_at": expires_at,
-                "account_id": account_id or "",
-                "active": True,
-            }
-
-            return OpenAICredentials.from_dict(credentials_data)
-
-        except Exception as e:
-            logger.error(
-                "Failed to load OpenAI credentials from Codex auth file",
-                file_path=str(self.file_path),
-                error=str(e),
-            )
-            return None
-
-    def _extract_expiration_from_token(self, access_token: str) -> datetime | None:
-        """Extract expiration time from JWT access token."""
-        try:
-            decoded = jwt.decode(access_token, options={"verify_signature": False})
-            exp_timestamp = decoded.get("exp")
-            if exp_timestamp:
-                return datetime.fromtimestamp(exp_timestamp, tz=UTC)
-        except Exception as e:
-            logger.warning("Failed to decode JWT token for expiration", error=str(e))
-        return None
-
-    async def save(self, credentials: "OpenAICredentials") -> bool:
-        """Save credentials to Codex JSON file."""
-        try:
-            # Create directory if it doesn't exist
-            self.file_path.parent.mkdir(parents=True, exist_ok=True)
-
-            # Load existing file or create new structure
-            existing_data: dict[str, Any] = {}
-            if self.file_path.exists():
-                try:
-                    with self.file_path.open("r") as f:
-                        existing_data = json.load(f)
-                except Exception:
-                    logger.warning(
-                        "Could not load existing auth file, creating new one"
-                    )
-
-            # Prepare Codex JSON data structure
-            codex_data = {
-                "OPENAI_API_KEY": existing_data.get("OPENAI_API_KEY"),
-                "tokens": {
-                    "id_token": existing_data.get("tokens", {}).get("id_token"),
-                    "access_token": credentials.access_token,
-                    "refresh_token": credentials.refresh_token,
-                    "account_id": credentials.account_id,
-                },
-                "last_refresh": datetime.now(UTC).isoformat().replace("+00:00", "Z"),
-            }
-
-            # Write atomically by writing to temp file then renaming
-            temp_file = self.file_path.with_suffix(f"{self.file_path.suffix}.tmp")
-
-            with temp_file.open("w") as f:
-                json.dump(codex_data, f, indent=2)
-
-            # Set restrictive permissions (readable only by owner)
-            temp_file.chmod(0o600)
-
-            # Atomic rename
-            temp_file.replace(self.file_path)
-
-            logger.info(
-                "Saved OpenAI credentials to Codex auth file",
-                file_path=str(self.file_path),
-            )
-            return True
-
-        except Exception as e:
-            logger.error(
-                "Failed to save OpenAI credentials to Codex auth file",
-                file_path=str(self.file_path),
-                error=str(e),
-            )
-            # Clean up temp file if it exists
-            temp_file = self.file_path.with_suffix(f"{self.file_path.suffix}.tmp")
-            if temp_file.exists():
-                with contextlib.suppress(Exception):
-                    temp_file.unlink()
-            return False
-
-    async def exists(self) -> bool:
-        """Check if credentials file exists."""
-        if not self.file_path.exists():
-            return False
-
-        try:
-            with self.file_path.open("r") as f:
-                data = json.load(f)
-            tokens = data.get("tokens", {})
-            return bool(tokens.get("access_token"))
-        except Exception:
-            return False
-
-    async def delete(self) -> bool:
-        """Delete credentials file."""
-        try:
-            if self.file_path.exists():
-                self.file_path.unlink()
-                logger.info("Deleted Codex auth file", file_path=str(self.file_path))
-            return True
-        except Exception as e:
-            logger.error(
-                "Failed to delete Codex auth file",
-                file_path=str(self.file_path),
-                error=str(e),
-            )
-            return False
-
-    def get_location(self) -> str:
-        """Get storage location description."""
-        return str(self.file_path)