mirror of
https://github.com/openai/codex.git
synced 2026-06-02 11:22:01 +00:00
d692b74007
CXC-392 [With 401](https://openai.sentry.io/issues/7333870443/?project=4510195390611458&query=019ce8f8-560c-7f10-a00a-c59553740674&referrer=issue-stream) <img width="1909" height="555" alt="401 auth tags in Sentry" src="https://github.com/user-attachments/assets/412ea950-61c4-4780-9697-15c270971ee3" /> - auth_401_*: preserved facts from the latest unauthorized response snapshot - auth_*: latest auth-related facts from the latest request attempt - auth_recovery_*: unauthorized recovery state and follow-up result Without 401 <img width="1917" height="522" alt="happy-path auth tags in Sentry" src="https://github.com/user-attachments/assets/3381ed28-8022-43b0-b6c0-623a630e679f" /> ###### Summary - Add client-visible 401 diagnostics for auth attachment, upstream auth classification, and 401 request id / cf-ray correlation. - Record unauthorized recovery mode, phase, outcome, and retry/follow-up status without changing auth behavior. - Surface the highest-signal auth and recovery fields on uploaded client bug reports so they are usable in Sentry. - Preserve original unauthorized evidence under `auth_401_*` while keeping follow-up result tags separate. ###### Rationale (from spec findings) - The dominant bucket needed proof of whether the client attached auth before send or upstream still classified the request as missing auth. - Client uploads needed to show whether unauthorized recovery ran and what the client tried next. - Request id and cf-ray needed to be preserved on the unauthorized response so server-side correlation is immediate. - The bug-report path needed the same auth evidence as the request telemetry path, otherwise the observability would not be operationally useful. ###### Scope - Add auth 401 and unauthorized-recovery observability in `codex-rs/core`, `codex-rs/codex-api`, and `codex-rs/otel`, including feedback-tag surfacing. - Keep auth semantics, refresh behavior, retry behavior, endpoint classification, and geo-denial follow-up work out of this PR. ###### Trade-offs - This exports only safe auth evidence: header presence/name, upstream auth classification, request ids, and recovery state. It does not export token values or raw upstream bodies. - This keeps websocket connection reuse as a transport clue because it can help distinguish stale reused sessions from fresh reconnects. - Misroute/base-url classification and geo-denial are intentionally deferred to a separate follow-up PR so this review stays focused on the dominant auth 401 bucket. ###### Client follow-up - PR 2 will add misroute/provider and geo-denial observability plus the matching feedback-tag surfacing. - A separate host/app-server PR should log auth-decision inputs so pre-send host auth state can be correlated with client request evidence. - `device_id` remains intentionally separate until there is a safe existing source on the feedback upload path. ###### Testing - `cargo test -p codex-core refresh_available_models_sorts_by_priority` - `cargo test -p codex-core emit_feedback_request_tags_` - `cargo test -p codex-core emit_feedback_auth_recovery_tags_` - `cargo test -p codex-core auth_request_telemetry_context_tracks_attached_auth_and_retry_phase` - `cargo test -p codex-core extract_response_debug_context_decodes_identity_headers` - `cargo test -p codex-core identity_auth_details` - `cargo test -p codex-core telemetry_error_messages_preserve_non_http_details` - `cargo test -p codex-core --all-features --no-run` - `cargo test -p codex-otel otel_export_routing_policy_routes_api_request_auth_observability` - `cargo test -p codex-otel otel_export_routing_policy_routes_websocket_connect_auth_observability` - `cargo test -p codex-otel otel_export_routing_policy_routes_websocket_request_transport_observability`
461 lines
14 KiB
Rust
461 lines
14 KiB
Rust
use super::*;
|
|
use crate::auth::storage::FileAuthStorage;
|
|
use crate::auth::storage::get_auth_file;
|
|
use crate::config::Config;
|
|
use crate::config::ConfigBuilder;
|
|
use crate::token_data::IdTokenInfo;
|
|
use crate::token_data::KnownPlan as InternalKnownPlan;
|
|
use crate::token_data::PlanType as InternalPlanType;
|
|
use codex_protocol::account::PlanType as AccountPlanType;
|
|
|
|
use base64::Engine;
|
|
use codex_protocol::config_types::ForcedLoginMethod;
|
|
use pretty_assertions::assert_eq;
|
|
use serde::Serialize;
|
|
use serde_json::json;
|
|
use std::sync::Arc;
|
|
use tempfile::tempdir;
|
|
|
|
#[tokio::test]
|
|
async fn refresh_without_id_token() {
|
|
let codex_home = tempdir().unwrap();
|
|
let fake_jwt = write_auth_file(
|
|
AuthFileParams {
|
|
openai_api_key: None,
|
|
chatgpt_plan_type: Some("pro".to_string()),
|
|
chatgpt_account_id: None,
|
|
},
|
|
codex_home.path(),
|
|
)
|
|
.expect("failed to write auth file");
|
|
|
|
let storage = create_auth_storage(
|
|
codex_home.path().to_path_buf(),
|
|
AuthCredentialsStoreMode::File,
|
|
);
|
|
let updated = super::persist_tokens(
|
|
&storage,
|
|
None,
|
|
Some("new-access-token".to_string()),
|
|
Some("new-refresh-token".to_string()),
|
|
)
|
|
.expect("update_tokens should succeed");
|
|
|
|
let tokens = updated.tokens.expect("tokens should exist");
|
|
assert_eq!(tokens.id_token.raw_jwt, fake_jwt);
|
|
assert_eq!(tokens.access_token, "new-access-token");
|
|
assert_eq!(tokens.refresh_token, "new-refresh-token");
|
|
}
|
|
|
|
#[test]
|
|
fn login_with_api_key_overwrites_existing_auth_json() {
|
|
let dir = tempdir().unwrap();
|
|
let auth_path = dir.path().join("auth.json");
|
|
let stale_auth = json!({
|
|
"OPENAI_API_KEY": "sk-old",
|
|
"tokens": {
|
|
"id_token": "stale.header.payload",
|
|
"access_token": "stale-access",
|
|
"refresh_token": "stale-refresh",
|
|
"account_id": "stale-acc"
|
|
}
|
|
});
|
|
std::fs::write(
|
|
&auth_path,
|
|
serde_json::to_string_pretty(&stale_auth).unwrap(),
|
|
)
|
|
.unwrap();
|
|
|
|
super::login_with_api_key(dir.path(), "sk-new", AuthCredentialsStoreMode::File)
|
|
.expect("login_with_api_key should succeed");
|
|
|
|
let storage = FileAuthStorage::new(dir.path().to_path_buf());
|
|
let auth = storage
|
|
.try_read_auth_json(&auth_path)
|
|
.expect("auth.json should parse");
|
|
assert_eq!(auth.openai_api_key.as_deref(), Some("sk-new"));
|
|
assert!(auth.tokens.is_none(), "tokens should be cleared");
|
|
}
|
|
|
|
#[test]
|
|
fn missing_auth_json_returns_none() {
|
|
let dir = tempdir().unwrap();
|
|
let auth = CodexAuth::from_auth_storage(dir.path(), AuthCredentialsStoreMode::File)
|
|
.expect("call should succeed");
|
|
assert_eq!(auth, None);
|
|
}
|
|
|
|
#[tokio::test]
|
|
#[serial(codex_api_key)]
|
|
async fn pro_account_with_no_api_key_uses_chatgpt_auth() {
|
|
let codex_home = tempdir().unwrap();
|
|
let fake_jwt = write_auth_file(
|
|
AuthFileParams {
|
|
openai_api_key: None,
|
|
chatgpt_plan_type: Some("pro".to_string()),
|
|
chatgpt_account_id: None,
|
|
},
|
|
codex_home.path(),
|
|
)
|
|
.expect("failed to write auth file");
|
|
|
|
let auth = super::load_auth(codex_home.path(), false, AuthCredentialsStoreMode::File)
|
|
.unwrap()
|
|
.unwrap();
|
|
assert_eq!(None, auth.api_key());
|
|
assert_eq!(AuthMode::Chatgpt, auth.auth_mode());
|
|
assert_eq!(auth.get_chatgpt_user_id().as_deref(), Some("user-12345"));
|
|
|
|
let auth_dot_json = auth
|
|
.get_current_auth_json()
|
|
.expect("AuthDotJson should exist");
|
|
let last_refresh = auth_dot_json
|
|
.last_refresh
|
|
.expect("last_refresh should be recorded");
|
|
|
|
assert_eq!(
|
|
AuthDotJson {
|
|
auth_mode: None,
|
|
openai_api_key: None,
|
|
tokens: Some(TokenData {
|
|
id_token: IdTokenInfo {
|
|
email: Some("user@example.com".to_string()),
|
|
chatgpt_plan_type: Some(InternalPlanType::Known(InternalKnownPlan::Pro)),
|
|
chatgpt_user_id: Some("user-12345".to_string()),
|
|
chatgpt_account_id: None,
|
|
raw_jwt: fake_jwt,
|
|
},
|
|
access_token: "test-access-token".to_string(),
|
|
refresh_token: "test-refresh-token".to_string(),
|
|
account_id: None,
|
|
}),
|
|
last_refresh: Some(last_refresh),
|
|
},
|
|
auth_dot_json
|
|
);
|
|
}
|
|
|
|
#[tokio::test]
|
|
#[serial(codex_api_key)]
|
|
async fn loads_api_key_from_auth_json() {
|
|
let dir = tempdir().unwrap();
|
|
let auth_file = dir.path().join("auth.json");
|
|
std::fs::write(
|
|
auth_file,
|
|
r#"{"OPENAI_API_KEY":"sk-test-key","tokens":null,"last_refresh":null}"#,
|
|
)
|
|
.unwrap();
|
|
|
|
let auth = super::load_auth(dir.path(), false, AuthCredentialsStoreMode::File)
|
|
.unwrap()
|
|
.unwrap();
|
|
assert_eq!(auth.auth_mode(), AuthMode::ApiKey);
|
|
assert_eq!(auth.api_key(), Some("sk-test-key"));
|
|
|
|
assert!(auth.get_token_data().is_err());
|
|
}
|
|
|
|
#[test]
|
|
fn logout_removes_auth_file() -> Result<(), std::io::Error> {
|
|
let dir = tempdir()?;
|
|
let auth_dot_json = AuthDotJson {
|
|
auth_mode: Some(ApiAuthMode::ApiKey),
|
|
openai_api_key: Some("sk-test-key".to_string()),
|
|
tokens: None,
|
|
last_refresh: None,
|
|
};
|
|
super::save_auth(dir.path(), &auth_dot_json, AuthCredentialsStoreMode::File)?;
|
|
let auth_file = get_auth_file(dir.path());
|
|
assert!(auth_file.exists());
|
|
assert!(logout(dir.path(), AuthCredentialsStoreMode::File)?);
|
|
assert!(!auth_file.exists());
|
|
Ok(())
|
|
}
|
|
|
|
#[test]
|
|
fn unauthorized_recovery_reports_mode_and_step_names() {
|
|
let dir = tempdir().unwrap();
|
|
let manager = AuthManager::shared(
|
|
dir.path().to_path_buf(),
|
|
false,
|
|
AuthCredentialsStoreMode::File,
|
|
);
|
|
let managed = UnauthorizedRecovery {
|
|
manager: Arc::clone(&manager),
|
|
step: UnauthorizedRecoveryStep::Reload,
|
|
expected_account_id: None,
|
|
mode: UnauthorizedRecoveryMode::Managed,
|
|
};
|
|
assert_eq!(managed.mode_name(), "managed");
|
|
assert_eq!(managed.step_name(), "reload");
|
|
|
|
let external = UnauthorizedRecovery {
|
|
manager,
|
|
step: UnauthorizedRecoveryStep::ExternalRefresh,
|
|
expected_account_id: None,
|
|
mode: UnauthorizedRecoveryMode::External,
|
|
};
|
|
assert_eq!(external.mode_name(), "external");
|
|
assert_eq!(external.step_name(), "external_refresh");
|
|
}
|
|
|
|
struct AuthFileParams {
|
|
openai_api_key: Option<String>,
|
|
chatgpt_plan_type: Option<String>,
|
|
chatgpt_account_id: Option<String>,
|
|
}
|
|
|
|
fn write_auth_file(params: AuthFileParams, codex_home: &Path) -> std::io::Result<String> {
|
|
let auth_file = get_auth_file(codex_home);
|
|
// Create a minimal valid JWT for the id_token field.
|
|
#[derive(Serialize)]
|
|
struct Header {
|
|
alg: &'static str,
|
|
typ: &'static str,
|
|
}
|
|
let header = Header {
|
|
alg: "none",
|
|
typ: "JWT",
|
|
};
|
|
let mut auth_payload = serde_json::json!({
|
|
"chatgpt_user_id": "user-12345",
|
|
"user_id": "user-12345",
|
|
});
|
|
|
|
if let Some(chatgpt_plan_type) = params.chatgpt_plan_type {
|
|
auth_payload["chatgpt_plan_type"] = serde_json::Value::String(chatgpt_plan_type);
|
|
}
|
|
|
|
if let Some(chatgpt_account_id) = params.chatgpt_account_id {
|
|
let org_value = serde_json::Value::String(chatgpt_account_id);
|
|
auth_payload["chatgpt_account_id"] = org_value;
|
|
}
|
|
|
|
let payload = serde_json::json!({
|
|
"email": "user@example.com",
|
|
"email_verified": true,
|
|
"https://api.openai.com/auth": auth_payload,
|
|
});
|
|
let b64 = |b: &[u8]| base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(b);
|
|
let header_b64 = b64(&serde_json::to_vec(&header)?);
|
|
let payload_b64 = b64(&serde_json::to_vec(&payload)?);
|
|
let signature_b64 = b64(b"sig");
|
|
let fake_jwt = format!("{header_b64}.{payload_b64}.{signature_b64}");
|
|
|
|
let auth_json_data = json!({
|
|
"OPENAI_API_KEY": params.openai_api_key,
|
|
"tokens": {
|
|
"id_token": fake_jwt,
|
|
"access_token": "test-access-token",
|
|
"refresh_token": "test-refresh-token"
|
|
},
|
|
"last_refresh": Utc::now(),
|
|
});
|
|
let auth_json = serde_json::to_string_pretty(&auth_json_data)?;
|
|
std::fs::write(auth_file, auth_json)?;
|
|
Ok(fake_jwt)
|
|
}
|
|
|
|
async fn build_config(
|
|
codex_home: &Path,
|
|
forced_login_method: Option<ForcedLoginMethod>,
|
|
forced_chatgpt_workspace_id: Option<String>,
|
|
) -> Config {
|
|
let mut config = ConfigBuilder::default()
|
|
.codex_home(codex_home.to_path_buf())
|
|
.build()
|
|
.await
|
|
.expect("config should load");
|
|
config.forced_login_method = forced_login_method;
|
|
config.forced_chatgpt_workspace_id = forced_chatgpt_workspace_id;
|
|
config
|
|
}
|
|
|
|
/// Use sparingly.
|
|
/// TODO (gpeal): replace this with an injectable env var provider.
|
|
#[cfg(test)]
|
|
struct EnvVarGuard {
|
|
key: &'static str,
|
|
original: Option<std::ffi::OsString>,
|
|
}
|
|
|
|
#[cfg(test)]
|
|
impl EnvVarGuard {
|
|
fn set(key: &'static str, value: &str) -> Self {
|
|
let original = env::var_os(key);
|
|
unsafe {
|
|
env::set_var(key, value);
|
|
}
|
|
Self { key, original }
|
|
}
|
|
}
|
|
|
|
#[cfg(test)]
|
|
impl Drop for EnvVarGuard {
|
|
fn drop(&mut self) {
|
|
unsafe {
|
|
match &self.original {
|
|
Some(value) => env::set_var(self.key, value),
|
|
None => env::remove_var(self.key),
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
#[tokio::test]
|
|
async fn enforce_login_restrictions_logs_out_for_method_mismatch() {
|
|
let codex_home = tempdir().unwrap();
|
|
login_with_api_key(codex_home.path(), "sk-test", AuthCredentialsStoreMode::File)
|
|
.expect("seed api key");
|
|
|
|
let config = build_config(codex_home.path(), Some(ForcedLoginMethod::Chatgpt), None).await;
|
|
|
|
let err =
|
|
super::enforce_login_restrictions(&config).expect_err("expected method mismatch to error");
|
|
assert!(err.to_string().contains("ChatGPT login is required"));
|
|
assert!(
|
|
!codex_home.path().join("auth.json").exists(),
|
|
"auth.json should be removed on mismatch"
|
|
);
|
|
}
|
|
|
|
#[tokio::test]
|
|
#[serial(codex_api_key)]
|
|
async fn enforce_login_restrictions_logs_out_for_workspace_mismatch() {
|
|
let codex_home = tempdir().unwrap();
|
|
let _jwt = write_auth_file(
|
|
AuthFileParams {
|
|
openai_api_key: None,
|
|
chatgpt_plan_type: Some("pro".to_string()),
|
|
chatgpt_account_id: Some("org_another_org".to_string()),
|
|
},
|
|
codex_home.path(),
|
|
)
|
|
.expect("failed to write auth file");
|
|
|
|
let config = build_config(codex_home.path(), None, Some("org_mine".to_string())).await;
|
|
|
|
let err = super::enforce_login_restrictions(&config)
|
|
.expect_err("expected workspace mismatch to error");
|
|
assert!(err.to_string().contains("workspace org_mine"));
|
|
assert!(
|
|
!codex_home.path().join("auth.json").exists(),
|
|
"auth.json should be removed on mismatch"
|
|
);
|
|
}
|
|
|
|
#[tokio::test]
|
|
#[serial(codex_api_key)]
|
|
async fn enforce_login_restrictions_allows_matching_workspace() {
|
|
let codex_home = tempdir().unwrap();
|
|
let _jwt = write_auth_file(
|
|
AuthFileParams {
|
|
openai_api_key: None,
|
|
chatgpt_plan_type: Some("pro".to_string()),
|
|
chatgpt_account_id: Some("org_mine".to_string()),
|
|
},
|
|
codex_home.path(),
|
|
)
|
|
.expect("failed to write auth file");
|
|
|
|
let config = build_config(codex_home.path(), None, Some("org_mine".to_string())).await;
|
|
|
|
super::enforce_login_restrictions(&config).expect("matching workspace should succeed");
|
|
assert!(
|
|
codex_home.path().join("auth.json").exists(),
|
|
"auth.json should remain when restrictions pass"
|
|
);
|
|
}
|
|
|
|
#[tokio::test]
|
|
async fn enforce_login_restrictions_allows_api_key_if_login_method_not_set_but_forced_chatgpt_workspace_id_is_set()
|
|
{
|
|
let codex_home = tempdir().unwrap();
|
|
login_with_api_key(codex_home.path(), "sk-test", AuthCredentialsStoreMode::File)
|
|
.expect("seed api key");
|
|
|
|
let config = build_config(codex_home.path(), None, Some("org_mine".to_string())).await;
|
|
|
|
super::enforce_login_restrictions(&config).expect("matching workspace should succeed");
|
|
assert!(
|
|
codex_home.path().join("auth.json").exists(),
|
|
"auth.json should remain when restrictions pass"
|
|
);
|
|
}
|
|
|
|
#[tokio::test]
|
|
#[serial(codex_api_key)]
|
|
async fn enforce_login_restrictions_blocks_env_api_key_when_chatgpt_required() {
|
|
let _guard = EnvVarGuard::set(CODEX_API_KEY_ENV_VAR, "sk-env");
|
|
let codex_home = tempdir().unwrap();
|
|
|
|
let config = build_config(codex_home.path(), Some(ForcedLoginMethod::Chatgpt), None).await;
|
|
|
|
let err = super::enforce_login_restrictions(&config)
|
|
.expect_err("environment API key should not satisfy forced ChatGPT login");
|
|
assert!(
|
|
err.to_string()
|
|
.contains("ChatGPT login is required, but an API key is currently being used.")
|
|
);
|
|
}
|
|
|
|
#[test]
|
|
fn plan_type_maps_known_plan() {
|
|
let codex_home = tempdir().unwrap();
|
|
let _jwt = write_auth_file(
|
|
AuthFileParams {
|
|
openai_api_key: None,
|
|
chatgpt_plan_type: Some("pro".to_string()),
|
|
chatgpt_account_id: None,
|
|
},
|
|
codex_home.path(),
|
|
)
|
|
.expect("failed to write auth file");
|
|
|
|
let auth = super::load_auth(codex_home.path(), false, AuthCredentialsStoreMode::File)
|
|
.expect("load auth")
|
|
.expect("auth available");
|
|
|
|
pretty_assertions::assert_eq!(auth.account_plan_type(), Some(AccountPlanType::Pro));
|
|
}
|
|
|
|
#[test]
|
|
fn plan_type_maps_unknown_to_unknown() {
|
|
let codex_home = tempdir().unwrap();
|
|
let _jwt = write_auth_file(
|
|
AuthFileParams {
|
|
openai_api_key: None,
|
|
chatgpt_plan_type: Some("mystery-tier".to_string()),
|
|
chatgpt_account_id: None,
|
|
},
|
|
codex_home.path(),
|
|
)
|
|
.expect("failed to write auth file");
|
|
|
|
let auth = super::load_auth(codex_home.path(), false, AuthCredentialsStoreMode::File)
|
|
.expect("load auth")
|
|
.expect("auth available");
|
|
|
|
pretty_assertions::assert_eq!(auth.account_plan_type(), Some(AccountPlanType::Unknown));
|
|
}
|
|
|
|
#[test]
|
|
fn missing_plan_type_maps_to_unknown() {
|
|
let codex_home = tempdir().unwrap();
|
|
let _jwt = write_auth_file(
|
|
AuthFileParams {
|
|
openai_api_key: None,
|
|
chatgpt_plan_type: None,
|
|
chatgpt_account_id: None,
|
|
},
|
|
codex_home.path(),
|
|
)
|
|
.expect("failed to write auth file");
|
|
|
|
let auth = super::load_auth(codex_home.path(), false, AuthCredentialsStoreMode::File)
|
|
.expect("load auth")
|
|
.expect("auth available");
|
|
|
|
pretty_assertions::assert_eq!(auth.account_plan_type(), Some(AccountPlanType::Unknown));
|
|
}
|