Documentation
¶
Overview ¶
ChatGPT-specific login flow. See openrouter.go for the package doc.
Package provideroauth implements provider-specific OAuth login flows that don't fit the generic env-driven engine in internal/oauth — notably OpenRouter's bespoke PKCE flow, which mints a normal API key rather than returning an OAuth bearer token. These flows are launched from the setup wizard / CLI so a user can "log in with the browser" instead of pasting a key.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ChatGPTLogin ¶
ChatGPTLogin runs ChatGPT's standard OAuth loopback flow against the chatgpt preset (see internal/oauth/presets.go) and returns a Token whose Account field is populated with the `chatgpt_account_id` claim. The bearer itself is valid against `https://chatgpt.com/backend-api/codex/responses` for ChatGPT Plus/Pro/Business/Enterprise subscribers; the account id is required as a header on every Codex call.
The login is the same generic loopback flow `oauth.Manager.Login` runs for every other provider; the bespoke part is the ID-token claim extraction. Returning the token (rather than persisting it) keeps the function composable: the CLI subcommand wraps it with the oauth.Manager's store, so the existing token-persistence and refresh-scheduling paths are unchanged.
func OpenRouterLogin ¶
func OpenRouterLogin(ctx context.Context, opts OpenRouterOptions) (string, error)
OpenRouterLogin runs OpenRouter's loopback PKCE flow and returns a freshly minted OpenRouter API key. The flow needs no client_id: a local callback captures the authorization code, which is exchanged (with the PKCE verifier) at /api/v1/auth/keys for a key. PKCE (S256) binds the code to this client, so no separate CSRF state is required. The returned key is a normal credential the caller stores as the provider's API key.
Types ¶
type ChatGPTOptions ¶
type ChatGPTOptions struct {
// Env supplies env-style overrides; nil falls back to the process environment.
// ZERO_OAUTH_ALLOW_PRESETS must be set in the effective env (or a preset-supplied
// env block) for the baked-in client_id to be used; otherwise the caller is
// expected to have configured ZERO_OAUTH_CHATGPT_* explicitly.
Env map[string]string
// HTTPClient performs the token exchange; nil => a client with a sane timeout.
HTTPClient *http.Client
// OpenBrowser is invoked with the authorize URL. When nil the URL is only
// printed (to Out) for the user to open manually. Tests inject a function
// that drives the loopback redirect.
OpenBrowser func(authURL string) error
// Out receives the "open this URL" line; nil => the URL is not printed.
Out io.Writer
// Timeout bounds the whole interactive login; 0 => 5 minutes.
Timeout time.Duration
// Now is the time source; nil => time.Now. Injected by tests.
Now func() time.Time
}
ChatGPTOptions configures the ChatGPT (Codex) login flow.
func (ChatGPTOptions) OutOrStderr ¶
func (o ChatGPTOptions) OutOrStderr(out io.Writer) io.Writer
OutOrStderr picks opts.Out when non-nil, otherwise io.Discard. Used for optional informational lines that should never reach a real os.Stderr (the library never touches the process stderr — only the CLI command may).
type OpenRouterOptions ¶
type OpenRouterOptions struct {
// BaseURL overrides https://openrouter.ai (for tests).
BaseURL string
// HTTPClient performs the key exchange; nil => a client with a sane timeout.
HTTPClient *http.Client
// OpenBrowser is invoked with the authorize URL. When nil the URL is only
// printed (to Out) for the user to open manually.
OpenBrowser func(authURL string) error
// Out receives the "open this URL" line; nil => the URL is not printed.
Out io.Writer
// Timeout bounds the whole interactive login; 0 => 5 minutes.
Timeout time.Duration
}
OpenRouterOptions configures the OpenRouter login flow.