ccproxy-api 0.1.7__py3-none-any.whl → 0.2.0__py3-none-any.whl

ccproxy/plugins/oauth_codex/manager.py

@@ -0,0 +1,256 @@
+"""OpenAI/Codex token manager implementation for the Codex plugin."""
+
+from datetime import UTC, datetime
+
+from ccproxy.auth.exceptions import OAuthTokenRefreshError
+from ccproxy.auth.managers.base import BaseTokenManager
+from ccproxy.auth.managers.token_snapshot import TokenSnapshot
+from ccproxy.auth.storage.base import TokenStorage
+from ccproxy.core.logging import get_plugin_logger
+
+from .models import OpenAICredentials, OpenAIProfileInfo, OpenAITokenWrapper
+
+
+logger = get_plugin_logger()
+
+
+class CodexTokenManager(BaseTokenManager[OpenAICredentials]):
+    """Manager for Codex/OpenAI token storage and operations.
+
+    Uses the generic storage and wrapper pattern for consistency.
+    """
+
+    def __init__(
+        self,
+        storage: TokenStorage[OpenAICredentials] | None = None,
+    ):
+        """Initialize Codex token manager.
+
+        Args:
+            storage: Optional custom storage, defaults to standard location
+        """
+        if storage is None:
+            # Use the Codex-specific storage for ~/.codex/auth.json
+            from .storage import CodexTokenStorage
+
+            storage = CodexTokenStorage()
+        super().__init__(storage)
+        self._profile_cache: OpenAIProfileInfo | None = None
+
+    @classmethod
+    async def create(
+        cls, storage: TokenStorage[OpenAICredentials] | None = None
+    ) -> "CodexTokenManager":
+        """Async factory for parity with other managers.
+
+        Codex/OpenAI does not need to preload remote data, but this keeps a
+        consistent async creation API across managers.
+        """
+        return cls(storage=storage)
+
+    def _build_token_snapshot(self, credentials: OpenAICredentials) -> TokenSnapshot:
+        """Construct a snapshot for OpenAI credentials."""
+        wrapper = OpenAITokenWrapper(credentials=credentials)
+        extras = {
+            "id_token_present": bool(wrapper.id_token),
+        }
+        return TokenSnapshot(
+            provider="codex",
+            account_id=wrapper.account_id,
+            access_token=str(wrapper.access_token_value),
+            refresh_token=wrapper.refresh_token_value,
+            expires_at=wrapper.expires_at_datetime,
+            extras=extras,
+        )
+
+    # ==================== Abstract Method Implementations ====================
+
+    async def refresh_token(self) -> OpenAICredentials | None:
+        """Refresh the access token using the refresh token.
+
+        Returns:
+            Updated credentials or None if refresh failed
+        """
+        # Load current credentials
+        credentials = await self.load_credentials()
+        if not credentials:
+            logger.error("no_credentials_to_refresh", category="auth")
+            return None
+
+        if not credentials.refresh_token:
+            logger.error("no_refresh_token_available", category="auth")
+            return None
+
+        try:
+            # Refresh directly using a local OAuth client/provider (no global registry)
+            from .provider import CodexOAuthProvider
+
+            provider = CodexOAuthProvider()
+            new_credentials: OpenAICredentials = await provider.refresh_access_token(
+                credentials.refresh_token
+            )
+
+            # Preserve account_id if not in new credentials
+            if not new_credentials.account_id and credentials.account_id:
+                # Preserve via nested tokens structure
+                new_credentials.tokens.account_id = credentials.account_id
+
+            # Save updated credentials
+            if await self.save_credentials(new_credentials):
+                logger.info(
+                    "Token refreshed successfully",
+                    account_id=new_credentials.account_id,
+                    category="auth",
+                )
+                # Clear profile cache as token changed
+                self._profile_cache = None
+                return new_credentials
+
+            logger.error("failed_to_save_refreshed_credentials", category="auth")
+            return None
+
+        except Exception as e:
+            logger.error(
+                "Token refresh failed",
+                error=str(e),
+                exc_info=False,
+                category="auth",
+            )
+            return None
+
+    def is_expired(self, credentials: OpenAICredentials) -> bool:
+        """Check if credentials are expired using wrapper."""
+        if isinstance(credentials, OpenAICredentials):
+            wrapper = OpenAITokenWrapper(credentials=credentials)
+            return bool(wrapper.is_expired)
+
+        expires_at = getattr(credentials, "expires_at", None)
+        if not expires_at:
+            return False
+
+        if isinstance(expires_at, datetime):
+            return expires_at <= datetime.now(UTC)
+
+        return False
+
+    def get_account_id(self, credentials: OpenAICredentials) -> str | None:
+        """Get account ID from credentials."""
+        return credentials.account_id
+
+    def get_expiration_time(self, credentials: OpenAICredentials) -> datetime | None:
+        """Get expiration time as datetime."""
+        return credentials.expires_at
+
+    # ==================== OpenAI-Specific Methods ====================
+
+    async def get_profile_quick(self) -> OpenAIProfileInfo | None:
+        """Lightweight profile from cached data or JWT claims.
+
+        Avoids any remote calls. Uses cache if populated, otherwise derives
+        directly from stored credentials' JWT claims.
+        """
+        if self._profile_cache:
+            return self._profile_cache
+
+        credentials = await self.load_credentials()
+        if not credentials or self.is_expired(credentials):
+            return None
+
+        self._profile_cache = OpenAIProfileInfo.from_token(credentials)
+        return self._profile_cache
+
+    async def get_profile(self) -> OpenAIProfileInfo | None:
+        """Get user profile from JWT token.
+
+        OpenAI doesn't provide a profile API, so we extract
+        all information from the JWT token claims.
+
+        Returns:
+            OpenAIProfileInfo or None if not authenticated
+        """
+        if self._profile_cache:
+            return self._profile_cache
+
+        credentials = await self.load_credentials()
+        if not credentials or self.is_expired(credentials):
+            return None
+
+        # Extract profile from JWT token claims
+        self._profile_cache = OpenAIProfileInfo.from_token(credentials)
+        return self._profile_cache
+
+    async def get_access_token_with_refresh(self) -> str | None:
+        """Get valid access token, automatically refreshing if expired.
+
+        Returns:
+            Access token if available and valid, None otherwise
+        """
+        credentials = await self.load_credentials()
+        if not credentials:
+            logger.debug("no_credentials_found", category="auth")
+            return None
+
+        needs_refresh = self.should_refresh(credentials)
+
+        if needs_refresh:
+            logger.info(
+                "openai_token_refresh_needed",
+                reason="expired" if self.is_expired(credentials) else "expiring_soon",
+                expires_in=self.seconds_until_expiration(credentials),
+                category="auth",
+            )
+
+            if credentials.refresh_token:
+                try:
+                    refreshed = await self.refresh_token()
+                except Exception as exc:  # pragma: no cover - defensive
+                    logger.warning(
+                        "openai_token_refresh_exception",
+                        error=str(exc),
+                        category="auth",
+                    )
+                    raise OAuthTokenRefreshError("OpenAI token refresh failed") from exc
+
+                if refreshed:
+                    logger.info("OpenAI token refreshed successfully", category="auth")
+                    credentials = refreshed
+                else:
+                    logger.warning("openai_token_refresh_failed", category="auth")
+                    raise OAuthTokenRefreshError("OpenAI token refresh failed")
+            else:
+                logger.warning(
+                    "Cannot refresh OpenAI token - no refresh token available",
+                    category="auth",
+                )
+                raise OAuthTokenRefreshError("OpenAI token refresh failed")
+
+        return credentials.access_token
+
+    async def get_access_token(self) -> str | None:
+        """Override base method to return token even if expired.
+
+        Will attempt refresh if expired but still returns the token
+        even if refresh fails, letting the API handle authorization.
+
+        Returns:
+            Access token if available (expired or not), None only if no credentials
+        """
+        credentials = await self.load_credentials()
+        if not credentials:
+            logger.debug("no_credentials_found", category="auth")
+            return None
+
+        # Check if token is expired
+        needs_refresh = self.should_refresh(credentials)
+
+        if needs_refresh:
+            try:
+                return await self.get_access_token_with_refresh()
+            except OAuthTokenRefreshError as exc:
+                logger.warning(
+                    "OpenAI token refresh failed, using existing token",
+                    error=str(exc),
+                    category="auth",
+                )
+
+        return credentials.access_token

ccproxy/plugins/oauth_codex/models.py

@@ -0,0 +1,239 @@
+"""OpenAI-specific authentication models."""
+
+from datetime import UTC, datetime
+from typing import Any, Literal
+
+import jwt
+from pydantic import (
+    BaseModel,
+    Field,
+    SecretStr,
+    computed_field,
+    field_serializer,
+    field_validator,
+)
+
+from ccproxy.auth.models.base import BaseProfileInfo, BaseTokenInfo
+from ccproxy.core.logging import get_plugin_logger
+
+
+logger = get_plugin_logger()
+
+
+class OpenAITokens(BaseModel):
+    """Nested token structure from OpenAI OAuth."""
+
+    id_token: SecretStr = Field(..., description="OpenAI ID token (JWT)")
+    access_token: SecretStr = Field(..., description="OpenAI access token (JWT)")
+    refresh_token: SecretStr = Field(..., description="OpenAI refresh token")
+    account_id: str = Field(..., description="OpenAI account ID")
+
+    @field_serializer("id_token", "access_token", "refresh_token")
+    def serialize_secret(self, value: SecretStr) -> str:
+        """Serialize SecretStr to plain string for JSON output."""
+        return value.get_secret_value() if value else ""
+
+    @field_validator("id_token", "access_token", "refresh_token", mode="before")
+    @classmethod
+    def validate_tokens(cls, v: str | SecretStr | None) -> SecretStr | None:
+        """Convert string values to SecretStr."""
+        if v is None:
+            return None
+        if isinstance(v, str):
+            return SecretStr(v)
+        return v
+
+
+class OpenAICredentials(BaseModel):
+    """OpenAI authentication credentials model matching actual auth file schema."""
+
+    OPENAI_API_KEY: str | None = Field(
+        None, description="Legacy API key (usually null)"
+    )
+    tokens: OpenAITokens = Field(..., description="OAuth token information")
+    last_refresh: str = Field(..., description="Last refresh timestamp as ISO string")
+    active: bool = Field(default=True, description="Whether credentials are active")
+    # No legacy compatibility shims; callers must provide nested `tokens` structure
+
+    @property
+    def access_token(self) -> str:
+        """Get access token from nested structure."""
+        return self.tokens.access_token.get_secret_value()
+
+    @property
+    def refresh_token(self) -> str:
+        """Get refresh token from nested structure."""
+        return self.tokens.refresh_token.get_secret_value()
+
+    @property
+    def id_token(self) -> str:
+        """Get ID token from nested structure."""
+        return self.tokens.id_token.get_secret_value()
+
+    @property
+    def account_id(self) -> str:
+        """Get account ID from nested structure."""
+        return self.tokens.account_id
+
+    @property
+    def expires_at(self) -> datetime:
+        """Extract expiration from access token JWT."""
+        try:
+            # Decode JWT without verification to extract 'exp' claim
+            decoded = jwt.decode(
+                self.tokens.access_token.get_secret_value(),
+                options={"verify_signature": False},
+            )
+            exp_timestamp = decoded.get("exp")
+            if exp_timestamp:
+                return datetime.fromtimestamp(exp_timestamp, tz=UTC)
+        except (jwt.DecodeError, jwt.InvalidTokenError, KeyError, ValueError) as e:
+            logger.debug("Failed to extract expiration from access token", error=str(e))
+
+        # Fallback to a reasonable default if we can't decode
+        return datetime.now(UTC).replace(hour=23, minute=59, second=59)
+
+    def is_expired(self) -> bool:
+        """Check if the access token is expired."""
+        now = datetime.now(UTC)
+        return now >= self.expires_at
+
+    def expires_in_seconds(self) -> int:
+        """Get seconds until token expires."""
+        now = datetime.now(UTC)
+        delta = self.expires_at - now
+        return max(0, int(delta.total_seconds()))
+
+    def to_dict(self) -> dict[str, Any]:
+        """Convert to dictionary for storage.
+
+        Implements BaseCredentials protocol.
+        """
+        return {
+            "OPENAI_API_KEY": self.OPENAI_API_KEY,
+            "tokens": {
+                "id_token": self.tokens.id_token.get_secret_value(),
+                "access_token": self.tokens.access_token.get_secret_value(),
+                "refresh_token": self.tokens.refresh_token.get_secret_value(),
+                "account_id": self.tokens.account_id,
+            },
+            "last_refresh": self.last_refresh,
+            "active": self.active,
+        }
+
+    @classmethod
+    def from_dict(cls, data: dict[str, Any]) -> "OpenAICredentials":
+        """Create from dictionary.
+
+        Implements BaseCredentials protocol.
+        """
+        return cls(**data)
+
+
+class OpenAITokenWrapper(BaseTokenInfo):
+    """Wrapper for OpenAI credentials that adds computed properties.
+
+    This wrapper maintains the original OpenAICredentials structure
+    while providing a unified interface through BaseTokenInfo.
+    """
+
+    # Embed the original credentials to preserve JSON schema
+    credentials: OpenAICredentials
+
+    @computed_field
+    def access_token_value(self) -> str:
+        """Get access token (now SecretStr in OpenAI)."""
+        return self.credentials.access_token
+
+    @property
+    def refresh_token_value(self) -> str | None:
+        """Get refresh token."""
+        return self.credentials.refresh_token
+
+    @property
+    def expires_at_datetime(self) -> datetime:
+        """Get expiration (already a datetime in OpenAI)."""
+        return self.credentials.expires_at
+
+    @property
+    def account_id(self) -> str:
+        """Get account ID (extracted from JWT by validator)."""
+        return self.credentials.account_id
+
+    @property
+    def id_token(self) -> str | None:
+        """Get ID token if available."""
+        return self.credentials.id_token
+
+
+class OpenAIProfileInfo(BaseProfileInfo):
+    """OpenAI-specific profile extracted from JWT tokens.
+
+    OpenAI embeds profile information in JWT claims rather
+    than providing a separate API endpoint.
+    """
+
+    provider_type: Literal["openai"] = "openai"
+
+    @classmethod
+    def from_token(cls, credentials: OpenAICredentials) -> "OpenAIProfileInfo":
+        """Extract profile from JWT token claims.
+
+        Args:
+            credentials: OpenAI credentials containing JWT tokens
+
+        Returns:
+            OpenAIProfileInfo with all JWT claims preserved
+        """
+        # Prefer id_token as it has more claims, fallback to access_token
+        token_to_decode = credentials.id_token or credentials.access_token
+
+        try:
+            # Decode without verification to extract claims
+            claims = jwt.decode(token_to_decode, options={"verify_signature": False})
+            logger.debug(
+                "Extracted JWT claims", num_claims=len(claims), category="auth"
+            )
+        except Exception as e:
+            logger.warning("failed_to_decode_jwt_token", error=str(e), category="auth")
+            claims = {}
+
+        # Use the account_id already extracted by OpenAICredentials validator
+        account_id = credentials.account_id
+
+        # Extract common fields if present in claims
+        email = claims.get("email", "")
+        display_name = claims.get("name") or claims.get("given_name")
+
+        # Store ALL JWT claims in extras for complete information
+        # This includes: sub, aud, iss, exp, iat, org_id, chatgpt_account_id, etc.
+        return cls(
+            account_id=account_id,
+            email=email,
+            display_name=display_name,
+            extras=claims,  # Preserve all JWT claims
+        )
+
+    @property
+    def chatgpt_account_id(self) -> str | None:
+        """Get ChatGPT account ID from JWT claims."""
+        auth_claims = self.extras.get("https://api.openai.com/auth", {})
+        if isinstance(auth_claims, dict):
+            return auth_claims.get("chatgpt_account_id")
+        return None
+
+    @property
+    def organization_id(self) -> str | None:
+        """Get organization ID from JWT claims."""
+        # Check in auth claims first
+        auth_claims = self.extras.get("https://api.openai.com/auth", {})
+        if isinstance(auth_claims, dict) and "organization_id" in auth_claims:
+            return str(auth_claims["organization_id"])
+        # Fallback to top-level org_id
+        org_id = self.extras.get("org_id")
+        return str(org_id) if org_id is not None else None
+
+    @property
+    def auth0_subject(self) -> str | None:
+        """Get Auth0 subject (sub claim)."""
+        return self.extras.get("sub")

ccproxy/plugins/oauth_codex/plugin.py

@@ -0,0 +1,146 @@
+"""OAuth Codex plugin v2 implementation."""
+
+from typing import Any, cast
+
+from ccproxy.auth.oauth import OAuthProviderProtocol
+from ccproxy.core.logging import get_plugin_logger
+from ccproxy.core.plugins import (
+    AuthProviderPluginFactory,
+    AuthProviderPluginRuntime,
+    PluginContext,
+    PluginManifest,
+)
+
+from .config import CodexOAuthConfig
+from .provider import CodexOAuthProvider
+
+
+logger = get_plugin_logger()
+
+
+class OAuthCodexRuntime(AuthProviderPluginRuntime):
+    """Runtime for OAuth Codex plugin."""
+
+    def __init__(self, manifest: PluginManifest):
+        """Initialize runtime."""
+        super().__init__(manifest)
+        self.config: CodexOAuthConfig | None = None
+
+    async def _on_initialize(self) -> None:
+        """Initialize the OAuth Codex plugin."""
+        logger.debug(
+            "oauth_codex_initializing",
+            context_keys=list(self.context.keys()) if self.context else [],
+        )
+
+        # Get configuration
+        if self.context:
+            config = self.context.get("config")
+            if not isinstance(config, CodexOAuthConfig):
+                # Use default config if none provided
+                config = CodexOAuthConfig()
+            logger.debug("oauth_codex_using_default_config")
+            self.config = config
+
+        # Call parent initialization which handles provider registration
+        await super()._on_initialize()
+
+        logger.debug(
+            "oauth_codex_plugin_initialized",
+            status="initialized",
+            provider_name=self.auth_provider.provider_name
+            if self.auth_provider
+            else "unknown",
+            category="plugin",
+        )
+
+
+class OAuthCodexFactory(AuthProviderPluginFactory):
+    """Factory for OAuth Codex plugin."""
+
+    cli_safe = True  # Safe for CLI - provides auth only
+
+    def __init__(self) -> None:
+        """Initialize factory with manifest."""
+        # Create manifest with static declarations
+        manifest = PluginManifest(
+            name="oauth_codex",
+            version="0.1.0",
+            description="Standalone OpenAI Codex OAuth authentication provider plugin",
+            is_provider=True,  # It's a provider plugin but focused on OAuth
+            config_class=CodexOAuthConfig,
+            dependencies=[],
+            routes=[],  # No HTTP routes needed
+            tasks=[],  # No scheduled tasks needed
+        )
+
+        # Initialize with manifest
+        super().__init__(manifest)
+
+    def create_context(self, core_services: Any) -> PluginContext:
+        """Create context with auth provider components.
+
+        Args:
+            core_services: Core services container
+
+        Returns:
+            Plugin context with auth provider components
+        """
+        # Start with base context
+        context = super().create_context(core_services)
+
+        # Create auth provider for this plugin
+        auth_provider = self.create_auth_provider(context)
+        context["auth_provider"] = auth_provider
+
+        # Add other auth-specific components if needed
+        storage = self.create_storage()
+        if storage:
+            context["storage"] = storage
+
+        return context
+
+    def create_runtime(self) -> OAuthCodexRuntime:
+        """Create runtime instance."""
+        return OAuthCodexRuntime(self.manifest)
+
+    def create_auth_provider(
+        self, context: PluginContext | None = None
+    ) -> OAuthProviderProtocol:
+        """Create OAuth provider instance.
+
+        Args:
+            context: Optional plugin context containing http_client
+
+        Returns:
+            CodexOAuthProvider instance
+        """
+        # Prefer validated config from context when available
+        if context and isinstance(context.get("config"), CodexOAuthConfig):
+            cfg = cast(CodexOAuthConfig, context.get("config"))
+        else:
+            cfg = CodexOAuthConfig()
+        config: CodexOAuthConfig = cfg
+        http_client = context.get("http_client") if context else None
+        hook_manager = context.get("hook_manager") if context else None
+        settings = context.get("settings") if context else None
+        provider = CodexOAuthProvider(
+            config,
+            http_client=http_client,
+            hook_manager=hook_manager,
+            settings=settings,
+        )
+        return cast(OAuthProviderProtocol, provider)
+
+    def create_storage(self) -> Any | None:
+        """Create storage for OAuth credentials.
+
+        Returns:
+            Storage instance or None to use provider's default
+        """
+        # CodexOAuthProvider manages its own storage internally
+        return None
+
+
+# Export the factory instance
+factory = OAuthCodexFactory()