centersl/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-03-27 09:21:35 +07:00
Code Issues Packages Projects Releases Wiki Activity

refactor(openai): extract codex auth identity helper

Browse Source
This commit is contained in:
Peter Steinberger
2026-03-25 04:23:51 -07:00
parent d363af8c13
commit c3d1dbc696
4 changed files with 142 additions and 68 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
extensions/openai/openai-codex-auth-identity.test.ts Normal file
View File

@@ -0,0 +1,56 @@
import { describe, expect, it } from "vitest";
import { resolveCodexAuthIdentity } from "./openai-codex-auth-identity.js";
function createJwt(payload: Record<string, unknown>): string {
const header = Buffer.from(JSON.stringify({ alg: "none", typ: "JWT" })).toString("base64url");
const body = Buffer.from(JSON.stringify(payload)).toString("base64url");
return `${header}.${body}.signature`;
}
describe("resolveCodexAuthIdentity", () => {
it("prefers JWT profile email when present", () => {
const identity = resolveCodexAuthIdentity({
accessToken: createJwt({
"https://api.openai.com/profile": {
email: "jwt-user@example.com",
},
}),
email: "credential@example.com",
});
expect(identity).toEqual({
email: "jwt-user@example.com",
profileName: "jwt-user@example.com",
});
});
it("falls back to credential email before synthetic ids", () => {
const identity = resolveCodexAuthIdentity({
accessToken: createJwt({}),
email: "credential@example.com",
});
expect(identity).toEqual({
email: "credential@example.com",
profileName: "credential@example.com",
});
});
it("derives a stable profile id when email is missing", () => {
const identity = resolveCodexAuthIdentity({
accessToken: createJwt({
"https://api.openai.com/auth": {
chatgpt_account_user_id: "user-123__acct-456",
},
}),
});
expect(identity).toEqual({
profileName: `id-${Buffer.from("user-123__acct-456").toString("base64url")}`,
});
});
it("returns no metadata when token parsing yields no identity", () => {
expect(resolveCodexAuthIdentity({ accessToken: "not-a-jwt-token" })).toEqual({});
});
});

78
extensions/openai/openai-codex-auth-identity.ts Normal file
View File

@@ -0,0 +1,78 @@
type CodexJwtPayload = {
iss?: unknown;
sub?: unknown;
"https://api.openai.com/profile"?: {
email?: unknown;
};
"https://api.openai.com/auth"?: {
chatgpt_account_user_id?: unknown;
chatgpt_user_id?: unknown;
user_id?: unknown;
};
};
function normalizeNonEmptyString(value: unknown): string | undefined {
if (typeof value !== "string") {
return undefined;
}
const trimmed = value.trim();
return trimmed || undefined;
}
export function decodeCodexJwtPayload(accessToken: string): CodexJwtPayload | null {
const parts = accessToken.split(".");
if (parts.length !== 3) {
return null;
}
try {
const decoded = Buffer.from(parts[1], "base64url").toString("utf8");
const parsed = JSON.parse(decoded);
return parsed && typeof parsed === "object" ? (parsed as CodexJwtPayload) : null;
} catch {
return null;
}
}
export function resolveCodexStableSubject(payload: CodexJwtPayload | null): string | undefined {
const auth = payload?.["https://api.openai.com/auth"];
const accountUserId = normalizeNonEmptyString(auth?.chatgpt_account_user_id);
if (accountUserId) {
return accountUserId;
}
const userId =
normalizeNonEmptyString(auth?.chatgpt_user_id) ?? normalizeNonEmptyString(auth?.user_id);
if (userId) {
return userId;
}
const iss = normalizeNonEmptyString(payload?.iss);
const sub = normalizeNonEmptyString(payload?.sub);
if (iss && sub) {
return `${iss}|${sub}`;
}
return sub;
}
export function resolveCodexAuthIdentity(params: { accessToken: string; email?: string | null }): {
email?: string;
profileName?: string;
} {
const payload = decodeCodexJwtPayload(params.accessToken);
const email =
normalizeNonEmptyString(payload?.["https://api.openai.com/profile"]?.email) ??
normalizeNonEmptyString(params.email);
if (email) {
return { email, profileName: email };
}
const stableSubject = resolveCodexStableSubject(payload);
if (!stableSubject) {
return {};
}
return {
profileName: `id-${Buffer.from(stableSubject).toString("base64url")}`,
};
}

73
extensions/openai/openai-codex-provider.ts
View File

@@ -20,6 +20,7 @@ import {
} from "openclaw/plugin-sdk/provider-models";
import { createOpenAIAttributionHeadersWrapper } from "openclaw/plugin-sdk/provider-stream";
import { fetchCodexUsage } from "openclaw/plugin-sdk/provider-usage";
import { resolveCodexAuthIdentity } from "./openai-codex-auth-identity.js";
import { buildOpenAICodexProvider } from "./openai-codex-catalog.js";
import {
cloneFirstTemplateModel,
@@ -54,62 +55,6 @@ const OPENAI_CODEX_MODERN_MODEL_IDS = [
OPENAI_CODEX_GPT_53_SPARK_MODEL_ID,
] as const;
type CodexJwtPayload = {
iss?: unknown;
sub?: unknown;
"https://api.openai.com/profile"?: {
email?: unknown;
};
"https://api.openai.com/auth"?: {
chatgpt_account_user_id?: unknown;
chatgpt_user_id?: unknown;
user_id?: unknown;
};
};
function normalizeNonEmptyString(value: unknown): string | undefined {
if (typeof value !== "string") {
return undefined;
}
return value.trim() || undefined;
}
function decodeCodexJwtPayload(accessToken: string): CodexJwtPayload | null {
const parts = accessToken.split(".");
if (parts.length !== 3) {
return null;
}
try {
const decoded = Buffer.from(parts[1], "base64url").toString("utf8");
const parsed = JSON.parse(decoded);
return parsed && typeof parsed === "object" ? (parsed as CodexJwtPayload) : null;
} catch {
return null;
}
}
function resolveCodexStableSubject(payload: CodexJwtPayload | null): string | undefined {
const auth = payload?.["https://api.openai.com/auth"];
const accountUserId = normalizeNonEmptyString(auth?.chatgpt_account_user_id);
if (accountUserId) {
return accountUserId;
}
const userId =
normalizeNonEmptyString(auth?.chatgpt_user_id) ?? normalizeNonEmptyString(auth?.user_id);
if (userId) {
return userId;
}
const iss = normalizeNonEmptyString(payload?.iss);
const sub = normalizeNonEmptyString(payload?.sub);
if (iss && sub) {
return `${iss}|${sub}`;
}
return sub;
}
function isOpenAICodexBaseUrl(baseUrl?: string): boolean {
const trimmed = baseUrl?.trim();
if (!trimmed) {
@@ -207,6 +152,7 @@ async function refreshOpenAICodexOAuthCredential(cred: OAuthCredential) {
type: "oauth" as const,
provider: PROVIDER_ID,
email: cred.email,
displayName: cred.displayName,
};
} catch (error) {
const message = error instanceof Error ? error.message : String(error);
@@ -238,14 +184,10 @@ async function runOpenAICodexOAuth(ctx: ProviderAuthContext) {
return { profiles: [] };
}
const payload = decodeCodexJwtPayload(creds.access);
const resolvedEmail =
normalizeNonEmptyString(payload?.["https://api.openai.com/profile"]?.email) ??
normalizeNonEmptyString(creds.email);
const stableSubject = resolveCodexStableSubject(payload);
const resolvedEmailOrFallback =
resolvedEmail ??
(stableSubject ? `id-${Buffer.from(stableSubject).toString("base64url")}` : undefined);
const identity = resolveCodexAuthIdentity({
accessToken: creds.access,
email: typeof creds.email === "string" ? creds.email : undefined,
});
return buildOauthProviderAuthResult({
providerId: PROVIDER_ID,
@@ -253,7 +195,8 @@ async function runOpenAICodexOAuth(ctx: ProviderAuthContext) {
access: creds.access,
refresh: creds.refresh,
expires: creds.expires,
email: resolvedEmailOrFallback,
email: identity.email,
profileName: identity.profileName,
});
}

3
src/plugins/contracts/auth.contract.test.ts
View File

@@ -229,7 +229,6 @@ describe("provider auth contract", () => {
access,
refresh: "refresh-token",
expires: 1_700_000_000_000,
email: `id-${expectedStableId}`,
},
},
],
@@ -274,7 +273,6 @@ describe("provider auth contract", () => {
access,
refresh: "refresh-token",
expires: 1_700_000_000_000,
email: `id-${expectedStableId}`,
},
},
],
@@ -316,7 +314,6 @@ describe("provider auth contract", () => {
access,
refresh: "refresh-token",
expires: 1_700_000_000_000,
email: `id-${expectedStableId}`,
},
},
],