mirror of
https://github.com/earendil-works/pi.git
synced 2026-06-18 15:54:04 +08:00
376 lines
12 KiB
TypeScript
376 lines
12 KiB
TypeScript
import { afterEach, describe, expect, it, vi } from "vitest";
|
|
import {
|
|
loginOpenAICodexDeviceCode,
|
|
openaiCodexOAuthProvider,
|
|
refreshOpenAICodexToken,
|
|
} from "../src/utils/oauth/openai-codex.js";
|
|
|
|
function jsonResponse(body: unknown, status: number = 200): Response {
|
|
return new Response(JSON.stringify(body), {
|
|
status,
|
|
headers: { "Content-Type": "application/json" },
|
|
});
|
|
}
|
|
|
|
function getUrl(input: unknown): string {
|
|
if (typeof input === "string") return input;
|
|
if (input instanceof URL) return input.toString();
|
|
if (input instanceof Request) return input.url;
|
|
throw new Error(`Unsupported fetch input: ${String(input)}`);
|
|
}
|
|
|
|
function createAccessToken(accountId: string): string {
|
|
const header = Buffer.from(JSON.stringify({ alg: "none" })).toString("base64");
|
|
const payload = Buffer.from(
|
|
JSON.stringify({
|
|
"https://api.openai.com/auth": {
|
|
chatgpt_account_id: accountId,
|
|
},
|
|
}),
|
|
).toString("base64");
|
|
return `${header}.${payload}.signature`;
|
|
}
|
|
|
|
describe("OpenAI Codex OAuth", () => {
|
|
afterEach(() => {
|
|
vi.restoreAllMocks();
|
|
vi.unstubAllGlobals();
|
|
vi.useRealTimers();
|
|
});
|
|
|
|
it("logs in with the OpenAI Codex device code flow", async () => {
|
|
vi.useFakeTimers();
|
|
const startTime = new Date("2026-05-20T00:00:00Z");
|
|
vi.setSystemTime(startTime);
|
|
|
|
const accessToken = createAccessToken("account-123");
|
|
const deviceInfos: Array<{
|
|
userCode: string;
|
|
verificationUri: string;
|
|
instructions?: string;
|
|
intervalSeconds?: number;
|
|
expiresInSeconds?: number;
|
|
openBrowser?: boolean;
|
|
}> = [];
|
|
const progressMessages: string[] = [];
|
|
const pollTimes: number[] = [];
|
|
const pollResponses = [
|
|
jsonResponse({ error: "authorization_pending" }, 403),
|
|
jsonResponse({
|
|
authorization_code: "oauth-code",
|
|
code_challenge: "device-code-challenge",
|
|
code_verifier: "device-code-verifier",
|
|
}),
|
|
];
|
|
|
|
const fetchMock = vi.fn(async (input: unknown, init?: RequestInit): Promise<Response> => {
|
|
const url = getUrl(input);
|
|
|
|
if (url === "https://auth.openai.com/api/accounts/deviceauth/usercode") {
|
|
expect(init?.method).toBe("POST");
|
|
expect(init?.headers).toMatchObject({ "Content-Type": "application/json" });
|
|
expect(JSON.parse(String(init?.body))).toEqual({ client_id: "app_EMoamEEZ73f0CkXaXp7hrann" });
|
|
return jsonResponse({
|
|
device_auth_id: "device-auth-id",
|
|
user_code: "ABCD-1234",
|
|
interval: "5",
|
|
});
|
|
}
|
|
|
|
if (url === "https://auth.openai.com/api/accounts/deviceauth/token") {
|
|
pollTimes.push(Date.now());
|
|
expect(init?.method).toBe("POST");
|
|
expect(init?.headers).toMatchObject({ "Content-Type": "application/json" });
|
|
expect(JSON.parse(String(init?.body))).toEqual({
|
|
device_auth_id: "device-auth-id",
|
|
user_code: "ABCD-1234",
|
|
});
|
|
const response = pollResponses.shift();
|
|
if (!response) {
|
|
throw new Error("Unexpected extra device auth poll");
|
|
}
|
|
return response;
|
|
}
|
|
|
|
if (url === "https://auth.openai.com/oauth/token") {
|
|
expect(init?.method).toBe("POST");
|
|
expect(init?.headers).toMatchObject({ "Content-Type": "application/x-www-form-urlencoded" });
|
|
const params = new URLSearchParams(String(init?.body));
|
|
expect(params.get("grant_type")).toBe("authorization_code");
|
|
expect(params.get("client_id")).toBe("app_EMoamEEZ73f0CkXaXp7hrann");
|
|
expect(params.get("code")).toBe("oauth-code");
|
|
expect(params.get("redirect_uri")).toBe("https://auth.openai.com/deviceauth/callback");
|
|
expect(params.get("code_verifier")).toBe("device-code-verifier");
|
|
return jsonResponse({
|
|
access_token: accessToken,
|
|
refresh_token: "refresh-token",
|
|
expires_in: 3600,
|
|
});
|
|
}
|
|
|
|
throw new Error(`Unexpected fetch URL: ${url}`);
|
|
});
|
|
|
|
vi.stubGlobal("fetch", fetchMock);
|
|
|
|
const credentialsPromise = loginOpenAICodexDeviceCode({
|
|
onDeviceCode: (info) => deviceInfos.push(info),
|
|
onProgress: (message) => progressMessages.push(message),
|
|
});
|
|
|
|
for (let i = 0; i < 5 && pollTimes.length === 0; i++) {
|
|
await vi.advanceTimersByTimeAsync(0);
|
|
}
|
|
expect(deviceInfos).toEqual([
|
|
{
|
|
userCode: "ABCD-1234",
|
|
verificationUri: "https://auth.openai.com/codex/device",
|
|
intervalSeconds: 5,
|
|
expiresInSeconds: 900,
|
|
openBrowser: false,
|
|
},
|
|
]);
|
|
expect(progressMessages).toEqual([]);
|
|
expect(pollTimes).toEqual([startTime.getTime()]);
|
|
|
|
await vi.advanceTimersByTimeAsync(4999);
|
|
expect(pollTimes).toEqual([startTime.getTime()]);
|
|
|
|
await vi.advanceTimersByTimeAsync(1);
|
|
await expect(credentialsPromise).resolves.toMatchObject({
|
|
access: accessToken,
|
|
refresh: "refresh-token",
|
|
expires: startTime.getTime() + 5000 + 3600 * 1000,
|
|
accountId: "account-123",
|
|
});
|
|
expect(pollTimes).toEqual([startTime.getTime(), startTime.getTime() + 5000]);
|
|
});
|
|
|
|
it("offers browser login first and uses the selected OpenAI Codex device code flow", async () => {
|
|
const accessToken = createAccessToken("account-456");
|
|
const selectPrompts: Array<{
|
|
message: string;
|
|
options: Array<{ id: string; label: string }>;
|
|
}> = [];
|
|
const deviceInfos: Array<{ userCode: string; verificationUri: string; openBrowser?: boolean }> = [];
|
|
|
|
vi.stubGlobal(
|
|
"fetch",
|
|
vi.fn(async (input: unknown, init?: RequestInit): Promise<Response> => {
|
|
const url = getUrl(input);
|
|
if (url === "https://auth.openai.com/api/accounts/deviceauth/usercode") {
|
|
expect(JSON.parse(String(init?.body))).toEqual({ client_id: "app_EMoamEEZ73f0CkXaXp7hrann" });
|
|
return jsonResponse({
|
|
device_auth_id: "device-auth-id",
|
|
user_code: "WXYZ-7890",
|
|
interval: "5",
|
|
});
|
|
}
|
|
if (url === "https://auth.openai.com/api/accounts/deviceauth/token") {
|
|
return jsonResponse({
|
|
authorization_code: "oauth-code",
|
|
code_challenge: "device-code-challenge",
|
|
code_verifier: "device-code-verifier",
|
|
});
|
|
}
|
|
if (url === "https://auth.openai.com/oauth/token") {
|
|
return jsonResponse({
|
|
access_token: accessToken,
|
|
refresh_token: "refresh-token",
|
|
expires_in: 3600,
|
|
});
|
|
}
|
|
throw new Error(`Unexpected fetch URL: ${url}`);
|
|
}),
|
|
);
|
|
|
|
await expect(
|
|
openaiCodexOAuthProvider.login({
|
|
onAuth: () => {
|
|
throw new Error("Browser login should not start");
|
|
},
|
|
onDeviceCode: (info) => deviceInfos.push(info),
|
|
onPrompt: async () => {
|
|
throw new Error("Prompt should not be used");
|
|
},
|
|
onSelect: async (prompt) => {
|
|
selectPrompts.push(prompt);
|
|
return "device_code";
|
|
},
|
|
}),
|
|
).resolves.toMatchObject({
|
|
access: accessToken,
|
|
refresh: "refresh-token",
|
|
accountId: "account-456",
|
|
});
|
|
|
|
expect(selectPrompts).toEqual([
|
|
{
|
|
message: "Select OpenAI Codex login method:",
|
|
options: [
|
|
{ id: "browser", label: "Browser login (default)" },
|
|
{ id: "device_code", label: "Device code login (headless)" },
|
|
],
|
|
},
|
|
]);
|
|
expect(deviceInfos).toEqual([
|
|
{
|
|
userCode: "WXYZ-7890",
|
|
verificationUri: "https://auth.openai.com/codex/device",
|
|
intervalSeconds: 5,
|
|
expiresInSeconds: 900,
|
|
openBrowser: false,
|
|
},
|
|
]);
|
|
});
|
|
|
|
it("cancels when OpenAI Codex login method selection is cancelled", async () => {
|
|
await expect(
|
|
openaiCodexOAuthProvider.login({
|
|
onAuth: () => {},
|
|
onPrompt: async () => "",
|
|
onSelect: async () => undefined,
|
|
}),
|
|
).rejects.toThrow("Login cancelled");
|
|
});
|
|
|
|
it("cancels the OpenAI Codex device code flow while waiting", async () => {
|
|
vi.useFakeTimers();
|
|
const controller = new AbortController();
|
|
const pollTimes: number[] = [];
|
|
|
|
vi.stubGlobal(
|
|
"fetch",
|
|
vi.fn(async (input: unknown, init?: RequestInit): Promise<Response> => {
|
|
const url = getUrl(input);
|
|
if (url === "https://auth.openai.com/api/accounts/deviceauth/usercode") {
|
|
expect(JSON.parse(String(init?.body))).toEqual({ client_id: "app_EMoamEEZ73f0CkXaXp7hrann" });
|
|
return jsonResponse({
|
|
device_auth_id: "device-auth-id",
|
|
user_code: "ABCD-1234",
|
|
interval: "5",
|
|
});
|
|
}
|
|
if (url === "https://auth.openai.com/api/accounts/deviceauth/token") {
|
|
pollTimes.push(Date.now());
|
|
return jsonResponse({ error: "authorization_pending" }, 403);
|
|
}
|
|
throw new Error(`Unexpected fetch URL: ${url}`);
|
|
}),
|
|
);
|
|
|
|
const credentialsPromise = loginOpenAICodexDeviceCode({
|
|
onDeviceCode: () => {},
|
|
signal: controller.signal,
|
|
});
|
|
const rejectionPromise = credentialsPromise.then(
|
|
() => new Error("Expected login to fail"),
|
|
(error: unknown) => error,
|
|
);
|
|
|
|
for (let i = 0; i < 5 && pollTimes.length === 0; i++) {
|
|
await vi.advanceTimersByTimeAsync(0);
|
|
}
|
|
expect(pollTimes).toHaveLength(1);
|
|
|
|
controller.abort();
|
|
const rejection = await rejectionPromise;
|
|
expect(rejection).toBeInstanceOf(Error);
|
|
expect((rejection as Error).message).toBe("Login cancelled");
|
|
});
|
|
|
|
it("times out the OpenAI Codex device code flow after 15 minutes", async () => {
|
|
vi.useFakeTimers();
|
|
const pollTimes: number[] = [];
|
|
|
|
vi.stubGlobal(
|
|
"fetch",
|
|
vi.fn(async (input: unknown, init?: RequestInit): Promise<Response> => {
|
|
const url = getUrl(input);
|
|
if (url === "https://auth.openai.com/api/accounts/deviceauth/usercode") {
|
|
expect(JSON.parse(String(init?.body))).toEqual({ client_id: "app_EMoamEEZ73f0CkXaXp7hrann" });
|
|
return jsonResponse({
|
|
device_auth_id: "device-auth-id",
|
|
user_code: "ABCD-1234",
|
|
interval: "60",
|
|
});
|
|
}
|
|
if (url === "https://auth.openai.com/api/accounts/deviceauth/token") {
|
|
pollTimes.push(Date.now());
|
|
return jsonResponse({ error: "authorization_pending" }, 403);
|
|
}
|
|
throw new Error(`Unexpected fetch URL: ${url}`);
|
|
}),
|
|
);
|
|
|
|
const credentialsPromise = loginOpenAICodexDeviceCode({
|
|
onDeviceCode: () => {},
|
|
});
|
|
const rejectionPromise = credentialsPromise.then(
|
|
() => new Error("Expected login to fail"),
|
|
(error: unknown) => error,
|
|
);
|
|
|
|
for (let i = 0; i < 5 && pollTimes.length === 0; i++) {
|
|
await vi.advanceTimersByTimeAsync(0);
|
|
}
|
|
expect(pollTimes).toHaveLength(1);
|
|
|
|
await vi.advanceTimersByTimeAsync(15 * 60 * 1000);
|
|
const rejection = await rejectionPromise;
|
|
expect(rejection).toBeInstanceOf(Error);
|
|
expect((rejection as Error).message).toBe("Device flow timed out");
|
|
});
|
|
|
|
it("includes the response body in OpenAI Codex device auth poll failures", async () => {
|
|
vi.stubGlobal(
|
|
"fetch",
|
|
vi.fn(async (input: unknown): Promise<Response> => {
|
|
const url = getUrl(input);
|
|
if (url === "https://auth.openai.com/api/accounts/deviceauth/usercode") {
|
|
return jsonResponse({
|
|
device_auth_id: "device-auth-id",
|
|
user_code: "ABCD-1234",
|
|
interval: "5",
|
|
});
|
|
}
|
|
if (url === "https://auth.openai.com/api/accounts/deviceauth/token") {
|
|
return jsonResponse({ error: "server_error", error_description: "try again later" }, 500);
|
|
}
|
|
throw new Error(`Unexpected fetch URL: ${url}`);
|
|
}),
|
|
);
|
|
|
|
await expect(
|
|
loginOpenAICodexDeviceCode({
|
|
onDeviceCode: () => {},
|
|
}),
|
|
).rejects.toThrow(
|
|
'OpenAI Codex device auth failed with status 500: {"error":"server_error","error_description":"try again later"}',
|
|
);
|
|
});
|
|
|
|
it("does not write token refresh failures to stderr", async () => {
|
|
const consoleError = vi.spyOn(console, "error").mockImplementation(() => {});
|
|
vi.stubGlobal(
|
|
"fetch",
|
|
vi.fn(async (): Promise<Response> => {
|
|
return new Response(
|
|
JSON.stringify({
|
|
error: {
|
|
message: "Could not validate your token. Please try signing in again.",
|
|
type: "invalid_request_error",
|
|
},
|
|
}),
|
|
{ status: 401, statusText: "Unauthorized", headers: { "Content-Type": "application/json" } },
|
|
);
|
|
}),
|
|
);
|
|
|
|
await expect(refreshOpenAICodexToken("invalid-refresh-token")).rejects.toThrow(
|
|
/OpenAI Codex token refresh failed \(401\).*Could not validate your token/,
|
|
);
|
|
expect(consoleError).not.toHaveBeenCalled();
|
|
});
|
|
});
|