codexauth

package
v0.3.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 16, 2026 License: MIT Imports: 16 Imported by: 0

Documentation

Index

Constants

View Source
const (
	StatusOK          = "ok"
	StatusAuthFailed  = "auth_failed"
	StatusRateLimited = "rate_limited"
)

Variables

View Source
var (
	ErrReloginRequired = errors.New("codex: re-login required")
	ErrLoginTimeout    = errors.New("codex: device login timed out")
	ErrNoCredentials   = errors.New("codex: no healthy credentials available")
	ErrInvalidJWT      = errors.New("codex: invalid JWT format")
)
View Source
var CodexBaseURL = resolvedCodexBaseURL()

CodexBaseURL is the base URL for Codex Responses API requests. Override with DOWNLINK_CODEX_BASE_URL for testing or alternative deployments.

Functions

func ChatGPTAccountID

func ChatGPTAccountID(token string) string

ChatGPTAccountID extracts the chatgpt_account_id from the nested auth claim.

func CodexHeaders

func CodexHeaders(accessToken string) http.Header

CodexHeaders returns the Cloudflare-mitigation headers required for every request to chatgpt.com/backend-api/codex.

func ExpiresWithin

func ExpiresWithin(token string, skew time.Duration) bool

ExpiresWithin returns true when the access token's exp claim falls within skew of now. Returns false (not-expiring) when exp is absent or the token cannot be decoded, so callers never panic on a bad token.

func LabelFromJWT

func LabelFromJWT(token string, fallback string) string

LabelFromJWT extracts a human-readable label from the token payload.

func MaxWaitDuration

func MaxWaitDuration() time.Duration

MaxWaitDuration is the maximum time to wait for a device-code login.

func PollForAuthorization

func PollForAuthorization(ctx context.Context, dc *DeviceCodeResponse) (authCode, codeVerifier string, err error)

PollForAuthorization polls until the user completes login or the deadline passes. Returns authorization_code and code_verifier on success.

func VerificationURL

func VerificationURL() string

VerificationURL is the URL the user visits to complete the device-code login.

Types

type ConfigGetter

type ConfigGetter func() *models.ServerConfig

ConfigGetter returns the current in-memory config.

type ConfigSaver

type ConfigSaver func(cfg *models.ServerConfig) error

ConfigSaver is the function the manager calls to atomically persist config.

type DeviceCodeResponse

type DeviceCodeResponse struct {
	UserCode     string  `json:"user_code"`
	DeviceAuthID string  `json:"device_auth_id"`
	Interval     flexInt `json:"interval"`
}

DeviceCodeResponse is returned by the usercode endpoint.

func RequestDeviceCode

func RequestDeviceCode(ctx context.Context) (*DeviceCodeResponse, error)

RequestDeviceCode starts the device-code flow and returns the code to show the user.

type Lease

type Lease struct {
	CredID      string
	AccessToken string
	Headers     http.Header
	// contains filtered or unexported fields
}

Lease is a handle to a live credential for a single LLM call. Call one of the Mark* methods when done to update the credential's health state.

func (*Lease) MarkAuthFailed

func (l *Lease) MarkAuthFailed(reason string)

func (*Lease) MarkOK

func (l *Lease) MarkOK()

func (*Lease) MarkRateLimited

func (l *Lease) MarkRateLimited(resetAt time.Time)

type Manager

type Manager struct {
	// contains filtered or unexported fields
}

Manager holds one Pool per openai-codex provider config entry and wires pool persistence back to config.json via the ConfigSaver.

func NewManager

func NewManager(get ConfigGetter, save ConfigSaver) *Manager

NewManager creates a Manager and initialises pools from the current config.

func (*Manager) EnsurePool

func (m *Manager) EnsurePool(providerName string) *Pool

EnsurePool creates an empty pool for providerName if one doesn't exist yet.

func (*Manager) Pool

func (m *Manager) Pool(providerName string) (*Pool, bool)

Pool returns the Pool for the named provider config entry.

func (*Manager) Reload

func (m *Manager) Reload()

Reload rebuilds pools from the current config. Call after config hot-reload.

type PersistFn

type PersistFn func(creds []models.CodexCredential) error

PersistFn is called by the pool whenever credentials need to be persisted.

type Pool

type Pool struct {
	// contains filtered or unexported fields
}

Pool manages a set of CodexCredentials for one provider config entry.

func NewPool

func NewPool(creds []models.CodexCredential, persist PersistFn) *Pool

NewPool creates a pool backed by the given credentials and persist function.

func (*Pool) Acquire

func (p *Pool) Acquire(ctx context.Context) (*Lease, error)

Acquire picks the best available credential, refreshing its access token if needed, and returns a Lease. Returns ErrNoCredentials when all credentials are either rate-limited or auth-failed.

The mutex is released before any network I/O (token refresh) to avoid blocking all concurrent callers. After the refresh we re-acquire and re-verify before committing, a double-check latch.

func (*Pool) AddCredential

func (p *Pool) AddCredential(cred models.CodexCredential) error

AddCredential appends a new credential and persists.

func (*Pool) Credentials

func (p *Pool) Credentials() []models.CodexCredential

Credentials returns a snapshot of the current credential list.

func (*Pool) RemoveCredential

func (p *Pool) RemoveCredential(id string) error

RemoveCredential removes a credential by ID and persists.

func (*Pool) SetPriority

func (p *Pool) SetPriority(id string, priority int) error

SetPriority updates the priority of a credential by ID and persists.

func (*Pool) UpdateCredentials

func (p *Pool) UpdateCredentials(creds []models.CodexCredential)

UpdateCredentials replaces the pool's credential set (e.g. after config reload).

type TokenPair

type TokenPair struct {
	AccessToken  string
	RefreshToken string
}

TokenPair holds the access and refresh tokens.

func ExchangeCode

func ExchangeCode(ctx context.Context, authCode, codeVerifier string) (*TokenPair, error)

ExchangeCode exchanges the authorization_code+code_verifier for OAuth tokens.

func RefreshTokens

func RefreshTokens(ctx context.Context, refreshToken string) (*TokenPair, error)

RefreshTokens exchanges a refresh token for a new access token (and possibly a new refresh token).

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL