codex-auth 0.1.0__tar.gz

codex_auth-0.1.0/.gitignore

@@ -0,0 +1,23 @@
+__pycache__/
+*.py[cod]
+*$py.class
+*.egg-info/
+*.egg
+dist/
+build/
+.eggs/
+*.so
+.tox/
+.nox/
+.mypy_cache/
+.pytest_cache/
+.ruff_cache/
+htmlcov/
+.coverage
+.coverage.*
+*.cover
+.venv/
+venv/
+env/
+.env
+*.log

codex_auth-0.1.0/LICENSE

@@ -0,0 +1,11 @@
+            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
+                    Version 2, December 2004
+
+ Everyone is permitted to copy and distribute verbatim or modified
+ copies of this license document, and changing it is allowed as long
+ as the name is changed.
+
+            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. You just DO WHAT THE FUCK YOU WANT TO.

codex_auth-0.1.0/PKG-INFO

@@ -0,0 +1,128 @@
+Metadata-Version: 2.4
+Name: codex-auth
+Version: 0.1.0
+Summary: Drop-in OpenAI SDK patch for ChatGPT Codex OAuth authentication
+License-Expression: MIT
+License-File: LICENSE
+Classifier: Development Status :: 3 - Alpha
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Typing :: Typed
+Requires-Python: >=3.10
+Requires-Dist: httpx>=0.24
+Requires-Dist: openai>=1.0
+Provides-Extra: dev
+Requires-Dist: pytest-asyncio>=0.21; extra == 'dev'
+Requires-Dist: pytest>=7.0; extra == 'dev'
+Description-Content-Type: text/markdown
+
+# codex-auth
+
+Drop-in OAuth for the OpenAI Python SDK — use the ChatGPT Codex API with your Pro/Plus account instead of an API key.
+
+## Install
+
+```bash
+pip install codex-auth
+```
+
+## Usage
+
+```python
+import codex_auth
+
+from openai import OpenAI
+client = OpenAI()  # no API key needed
+
+response = client.responses.create(
+    model="gpt-5.1-codex-mini",
+    input="Write a one-sentence bedtime story about a unicorn.",
+)
+print(response.output_text)
+```
+
+A browser window opens on first run for OAuth. Tokens are cached in
+`~/.codex-auth/auth.json` and refreshed automatically.
+
+Both streaming and non-streaming calls work — the library handles the
+Codex endpoint's streaming requirement transparently.
+
+### Streaming
+
+```python
+stream = client.responses.create(
+    model="gpt-5.1-codex-mini",
+    input="Write a hello-world in Rust.",
+    stream=True,
+)
+for event in stream:
+    if event.type == "response.completed":
+        print(event.response.output_text)
+```
+
+### `chat.completions` compatibility
+
+Existing code using `chat.completions` works too — requests are converted
+to the Responses API format automatically:
+
+```python
+response = client.chat.completions.create(
+    model="gpt-5.1-codex-mini",
+    messages=[{"role": "user", "content": "Hello!"}],
+)
+print(response.choices[0].message.content)
+```
+
+### Explicit client
+
+If you prefer not to monkey-patch:
+
+```python
+from codex_auth import CodexClient
+
+client = CodexClient()            # browser / device auth
+client = CodexClient(token="…")   # existing token
+```
+
+Async variant:
+
+```python
+from codex_auth import AsyncCodexClient
+client = AsyncCodexClient()
+```
+
+### Disable auto-patch
+
+```bash
+export CODEX_AUTH_NO_PATCH=1
+```
+
+Or in code:
+
+```python
+import codex_auth
+codex_auth.init(auto_patch=False)
+```
+
+## How it works
+
+A custom [httpx transport](https://www.python-httpx.org/advanced/transports/) intercepts OpenAI SDK requests to:
+
+1. Rewrite URLs to the Codex backend (`chatgpt.com/backend-api/codex/responses`)
+2. Convert `chat.completions` payloads to the Responses API format
+3. Buffer SSE responses for non-streaming callers
+4. Inject OAuth bearer tokens and refresh them transparently
+
+Browser-based PKCE auth is used on desktop; device-code flow on headless/SSH.
+
+## Token storage
+
+`~/.codex-auth/auth.json` (mode `0600`). Override with `CODEX_AUTH_TOKEN` env var.
+
+## License
+
+MIT

codex_auth-0.1.0/README.md

@@ -0,0 +1,106 @@
+# codex-auth
+
+Drop-in OAuth for the OpenAI Python SDK — use the ChatGPT Codex API with your Pro/Plus account instead of an API key.
+
+## Install
+
+```bash
+pip install codex-auth
+```
+
+## Usage
+
+```python
+import codex_auth
+
+from openai import OpenAI
+client = OpenAI()  # no API key needed
+
+response = client.responses.create(
+    model="gpt-5.1-codex-mini",
+    input="Write a one-sentence bedtime story about a unicorn.",
+)
+print(response.output_text)
+```
+
+A browser window opens on first run for OAuth. Tokens are cached in
+`~/.codex-auth/auth.json` and refreshed automatically.
+
+Both streaming and non-streaming calls work — the library handles the
+Codex endpoint's streaming requirement transparently.
+
+### Streaming
+
+```python
+stream = client.responses.create(
+    model="gpt-5.1-codex-mini",
+    input="Write a hello-world in Rust.",
+    stream=True,
+)
+for event in stream:
+    if event.type == "response.completed":
+        print(event.response.output_text)
+```
+
+### `chat.completions` compatibility
+
+Existing code using `chat.completions` works too — requests are converted
+to the Responses API format automatically:
+
+```python
+response = client.chat.completions.create(
+    model="gpt-5.1-codex-mini",
+    messages=[{"role": "user", "content": "Hello!"}],
+)
+print(response.choices[0].message.content)
+```
+
+### Explicit client
+
+If you prefer not to monkey-patch:
+
+```python
+from codex_auth import CodexClient
+
+client = CodexClient()            # browser / device auth
+client = CodexClient(token="…")   # existing token
+```
+
+Async variant:
+
+```python
+from codex_auth import AsyncCodexClient
+client = AsyncCodexClient()
+```
+
+### Disable auto-patch
+
+```bash
+export CODEX_AUTH_NO_PATCH=1
+```
+
+Or in code:
+
+```python
+import codex_auth
+codex_auth.init(auto_patch=False)
+```
+
+## How it works
+
+A custom [httpx transport](https://www.python-httpx.org/advanced/transports/) intercepts OpenAI SDK requests to:
+
+1. Rewrite URLs to the Codex backend (`chatgpt.com/backend-api/codex/responses`)
+2. Convert `chat.completions` payloads to the Responses API format
+3. Buffer SSE responses for non-streaming callers
+4. Inject OAuth bearer tokens and refresh them transparently
+
+Browser-based PKCE auth is used on desktop; device-code flow on headless/SSH.
+
+## Token storage
+
+`~/.codex-auth/auth.json` (mode `0600`). Override with `CODEX_AUTH_TOKEN` env var.
+
+## License
+
+MIT

codex_auth-0.1.0/pyproject.toml

@@ -0,0 +1,34 @@
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[project]
+name = "codex-auth"
+version = "0.1.0"
+description = "Drop-in OpenAI SDK patch for ChatGPT Codex OAuth authentication"
+readme = "README.md"
+requires-python = ">=3.10"
+license = "MIT"
+classifiers = [
+    "Development Status :: 3 - Alpha",
+    "License :: OSI Approved :: MIT License",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+    "Typing :: Typed",
+]
+dependencies = [
+    "openai>=1.0",
+    "httpx>=0.24",
+]
+
+[project.optional-dependencies]
+dev = [
+    "pytest>=7.0",
+    "pytest-asyncio>=0.21",
+]
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/codex_auth"]

codex_auth-0.1.0/src/codex_auth/__init__.py

@@ -0,0 +1,46 @@
+"""codex-auth — drop-in Codex OAuth for the OpenAI Python SDK.
+
+    import codex_auth           # patches openai automatically
+    from openai import OpenAI
+    client = OpenAI()           # uses Codex OAuth, no API key needed
+
+Or use the explicit client:
+
+    from codex_auth import CodexClient
+    client = CodexClient()
+"""
+
+import os
+
+from .auth import authenticate
+from .client import AsyncCodexClient, CodexClient
+from .patch import apply_patch, remove_patch
+from .tokens import VERSION as __version__  # noqa: N811
+
+__all__ = [
+    "__version__",
+    "CodexClient",
+    "AsyncCodexClient",
+    "authenticate",
+    "apply_patch",
+    "remove_patch",
+    "init",
+]
+
+_auto_patched = False
+
+
+def init(auto_patch: bool = True) -> None:
+    """Called on import. Set ``CODEX_AUTH_NO_PATCH=1`` to suppress."""
+    global _auto_patched
+    if auto_patch and not _auto_patched:
+        if os.environ.get("CODEX_AUTH_NO_PATCH") == "1":
+            return
+        apply_patch()
+        _auto_patched = True
+    elif not auto_patch and _auto_patched:
+        remove_patch()
+        _auto_patched = False
+
+
+init()

codex_auth-0.1.0/src/codex_auth/auth.py

@@ -0,0 +1,268 @@
+"""Browser (PKCE) and device-code OAuth flows."""
+
+from __future__ import annotations
+
+import http.server
+import logging
+import os
+import sys
+import threading
+import time
+import urllib.parse
+import webbrowser
+from typing import Any
+
+import httpx
+
+from .tokens import (
+    CLIENT_ID,
+    ISSUER,
+    OAUTH_PORT,
+    OAUTH_SCOPES,
+    TOKEN_URL,
+    USER_AGENT,
+    AuthTokens,
+    TokenStore,
+    generate_pkce,
+    generate_state,
+)
+
+log = logging.getLogger(__name__)
+
+_TIMEOUT = httpx.Timeout(30.0, connect=10.0)
+_token_store = TokenStore()
+
+
+def _exchange_code(code: str, redirect_uri: str, verifier: str) -> dict[str, Any]:
+    r = httpx.post(
+        TOKEN_URL,
+        data={
+            "grant_type": "authorization_code",
+            "code": code,
+            "redirect_uri": redirect_uri,
+            "client_id": CLIENT_ID,
+            "code_verifier": verifier,
+        },
+        headers={"Content-Type": "application/x-www-form-urlencoded"},
+        timeout=_TIMEOUT,
+    )
+    r.raise_for_status()
+    return r.json()
+
+
+def refresh_access_token(refresh_token: str) -> dict[str, Any]:
+    r = httpx.post(
+        TOKEN_URL,
+        data={
+            "grant_type": "refresh_token",
+            "refresh_token": refresh_token,
+            "client_id": CLIENT_ID,
+        },
+        headers={"Content-Type": "application/x-www-form-urlencoded"},
+        timeout=_TIMEOUT,
+    )
+    r.raise_for_status()
+    return r.json()
+
+
+def _authorize_url(redirect_uri: str, challenge: str, state: str) -> str:
+    params = urllib.parse.urlencode({
+        "response_type": "code",
+        "client_id": CLIENT_ID,
+        "redirect_uri": redirect_uri,
+        "scope": OAUTH_SCOPES,
+        "code_challenge": challenge,
+        "code_challenge_method": "S256",
+        "id_token_add_organizations": "true",
+        "codex_cli_simplified_flow": "true",
+        "state": state,
+        "originator": "codex-auth",
+    })
+    return f"{ISSUER}/oauth/authorize?{params}"
+
+
+_HTML_OK = (
+    "<!doctype html><html><head><title>Codex Auth</title>"
+    "<style>body{font-family:system-ui,sans-serif;display:flex;justify-content:center;"
+    "align-items:center;height:100vh;margin:0;background:#131010;color:#f1ecec}"
+    ".c{text-align:center;padding:2rem}h1{margin-bottom:1rem}p{color:#b7b1b1}</style>"
+    "</head><body><div class='c'><h1>Authorization Successful</h1>"
+    "<p>You can close this window.</p></div>"
+    "<script>setTimeout(()=>window.close(),2000)</script></body></html>"
+)
+
+_HTML_ERR = (
+    "<!doctype html><html><head><title>Codex Auth</title>"
+    "<style>body{font-family:system-ui,sans-serif;display:flex;justify-content:center;"
+    "align-items:center;height:100vh;margin:0;background:#131010;color:#f1ecec}"
+    ".c{text-align:center;padding:2rem}h1{color:#fc533a;margin-bottom:1rem}"
+    "p{color:#b7b1b1}.e{color:#ff917b;font-family:monospace;margin-top:1rem;"
+    "padding:1rem;background:#3c140d;border-radius:.5rem}</style>"
+    "</head><body><div class='c'><h1>Authorization Failed</h1>"
+    "<p>An error occurred.</p><div class='e'>%s</div></div></body></html>"
+)
+
+
+class _CallbackHandler(http.server.BaseHTTPRequestHandler):
+    code: str | None = None
+    state: str | None = None
+    error: str | None = None
+
+    def do_GET(self) -> None:
+        parsed = urllib.parse.urlparse(self.path)
+        qs = urllib.parse.parse_qs(parsed.query)
+
+        if parsed.path != "/auth/callback":
+            self.send_response(404)
+            self.end_headers()
+            return
+
+        if "error" in qs:
+            msg = qs.get("error_description", qs["error"])[0]
+            _CallbackHandler.error = msg
+            self._html(200, _HTML_ERR % msg)
+            return
+
+        code = qs.get("code", [None])[0]
+        if not code:
+            _CallbackHandler.error = "Missing authorization code"
+            self._html(400, _HTML_ERR % "Missing authorization code")
+            return
+
+        _CallbackHandler.code = code
+        _CallbackHandler.state = qs.get("state", [None])[0]
+        self._html(200, _HTML_OK)
+
+    def _html(self, status: int, body: str) -> None:
+        self.send_response(status)
+        self.send_header("Content-Type", "text/html")
+        self.end_headers()
+        self.wfile.write(body.encode())
+
+    def log_message(self, format: str, *args: Any) -> None:
+        pass
+
+
+def browser_auth() -> AuthTokens:
+    verifier, challenge = generate_pkce()
+    state = generate_state()
+    redirect = f"http://localhost:{OAUTH_PORT}/auth/callback"
+    url = _authorize_url(redirect, challenge, state)
+
+    _CallbackHandler.code = _CallbackHandler.state = _CallbackHandler.error = None
+
+    srv = http.server.HTTPServer(("localhost", OAUTH_PORT), _CallbackHandler)
+    srv.timeout = 300
+
+    def serve() -> None:
+        while _CallbackHandler.code is None and _CallbackHandler.error is None:
+            srv.handle_request()
+
+    t = threading.Thread(target=serve, daemon=True)
+    t.start()
+
+    print(f"Opening browser for authentication...\nIf it doesn't open, visit:\n  {url}")
+    webbrowser.open(url)
+
+    t.join(timeout=300)
+    srv.server_close()
+
+    if _CallbackHandler.error:
+        raise RuntimeError(f"OAuth error: {_CallbackHandler.error}")
+    if not _CallbackHandler.code:
+        raise TimeoutError("OAuth callback timed out")
+    if _CallbackHandler.state != state:
+        raise RuntimeError("OAuth state mismatch — possible CSRF")
+
+    raw = _exchange_code(_CallbackHandler.code, redirect, verifier)
+    auth = AuthTokens.from_response(raw)
+    _token_store.save(auth)
+    return auth
+
+
+def device_auth() -> AuthTokens:
+    r = httpx.post(
+        f"{ISSUER}/api/accounts/deviceauth/usercode",
+        json={"client_id": CLIENT_ID},
+        headers={"Content-Type": "application/json", "User-Agent": USER_AGENT},
+        timeout=_TIMEOUT,
+    )
+    r.raise_for_status()
+    data = r.json()
+
+    device_id = data["device_auth_id"]
+    user_code = data["user_code"]
+    interval = max(int(data.get("interval", 5)), 1)
+
+    print(f"\nTo authenticate, visit: {ISSUER}/codex/device")
+    print(f"Enter code: {user_code}\n")
+
+    for _ in range(300 // interval):
+        time.sleep(interval + 3)
+
+        poll = httpx.post(
+            f"{ISSUER}/api/accounts/deviceauth/token",
+            json={"device_auth_id": device_id, "user_code": user_code},
+            headers={"Content-Type": "application/json", "User-Agent": USER_AGENT},
+            timeout=_TIMEOUT,
+        )
+
+        if poll.status_code in (403, 404):
+            continue
+
+        if poll.is_success:
+            d = poll.json()
+            tok = httpx.post(
+                TOKEN_URL,
+                data={
+                    "grant_type": "authorization_code",
+                    "code": d["authorization_code"],
+                    "redirect_uri": f"{ISSUER}/deviceauth/callback",
+                    "client_id": CLIENT_ID,
+                    "code_verifier": d["code_verifier"],
+                },
+                headers={"Content-Type": "application/x-www-form-urlencoded"},
+                timeout=_TIMEOUT,
+            )
+            tok.raise_for_status()
+            auth = AuthTokens.from_response(tok.json())
+            _token_store.save(auth)
+            print("Authentication successful!")
+            return auth
+
+        raise RuntimeError(f"Device auth failed: HTTP {poll.status_code}")
+
+    raise TimeoutError("Device authentication timed out")
+
+
+def _has_display() -> bool:
+    if sys.platform in ("darwin", "win32"):
+        return True
+    return bool(os.environ.get("DISPLAY") or os.environ.get("WAYLAND_DISPLAY"))
+
+
+def authenticate(force: bool = False) -> AuthTokens:
+    """Return valid tokens — from cache, refresh, or a fresh OAuth flow."""
+    if not force:
+        existing = _token_store.load()
+        if existing and existing.access_token:
+            if not existing.is_expired():
+                return existing
+            if existing.refresh_token:
+                try:
+                    raw = refresh_access_token(existing.refresh_token)
+                    auth = AuthTokens.from_response(
+                        raw, existing.refresh_token, existing.account_id,
+                    )
+                    _token_store.save(auth)
+                    return auth
+                except Exception:
+                    log.debug("Token refresh failed, re-authenticating", exc_info=True)
+
+    if _has_display():
+        try:
+            return browser_auth()
+        except Exception as exc:
+            print(f"Browser auth failed ({exc}), trying device flow...")
+
+    return device_auth()

codex_auth-0.1.0/src/codex_auth/client.py

@@ -0,0 +1,38 @@
+from __future__ import annotations
+
+import httpx
+import openai
+
+from .auth import authenticate
+from .patch import AsyncCodexTransport, CodexTransport
+from .tokens import AuthTokens, TokenStore
+
+
+class CodexClient(openai.OpenAI):
+    """``openai.OpenAI`` subclass that authenticates via Codex OAuth."""
+
+    def __init__(self, *, token: str | None = None, **kwargs: object) -> None:
+        store = TokenStore()
+        auth = AuthTokens(access_token=token) if token else authenticate()
+
+        kwargs.setdefault(
+            "http_client",
+            httpx.Client(transport=CodexTransport(auth_tokens=auth, token_store=store)),
+        )
+        kwargs.setdefault("api_key", "codex-auth-dummy-key")
+        super().__init__(**kwargs)
+
+
+class AsyncCodexClient(openai.AsyncOpenAI):
+    """Async variant of :class:`CodexClient`."""
+
+    def __init__(self, *, token: str | None = None, **kwargs: object) -> None:
+        store = TokenStore()
+        auth = AuthTokens(access_token=token) if token else authenticate()
+
+        kwargs.setdefault(
+            "http_client",
+            httpx.AsyncClient(transport=AsyncCodexTransport(auth_tokens=auth, token_store=store)),
+        )
+        kwargs.setdefault("api_key", "codex-auth-dummy-key")
+        super().__init__(**kwargs)