Skip to main content

ai_usagebar/openai/
creds.rs

1//! Read and write `~/.codex/auth.json` — the OAuth state the OpenAI Codex CLI
2//! maintains. Mirrors codexbar's jq paths.
3
4use std::path::{Path, PathBuf};
5
6use base64::Engine;
7use serde::{Deserialize, Serialize};
8
9use crate::cache::atomic_write;
10use crate::error::{AppError, Result};
11
12#[derive(Debug, Clone, Deserialize, Serialize)]
13pub struct AuthFile {
14    pub tokens: Tokens,
15    #[serde(default, skip_serializing_if = "Option::is_none")]
16    pub last_refresh: Option<String>,
17    #[serde(flatten, default)]
18    pub extra: serde_json::Map<String, serde_json::Value>,
19}
20
21#[derive(Debug, Clone, Deserialize, Serialize)]
22pub struct Tokens {
23    pub access_token: String,
24    pub refresh_token: String,
25    pub id_token: String,
26    #[serde(default)]
27    pub account_id: Option<String>,
28    /// Optional explicit expiry from the OAuth server. When absent, we infer
29    /// from the id_token's `exp` claim.
30    #[serde(default)]
31    pub expires_at: Option<String>,
32    #[serde(flatten, default)]
33    pub extra: serde_json::Map<String, serde_json::Value>,
34}
35
36/// Default location: `~/.codex/auth.json` (Unix/macOS) or
37/// `%USERPROFILE%\.codex\auth.json` (Windows).
38///
39/// Home is resolved through [`crate::cache::home_dir`] so every platform's
40/// convention is honored in one place.
41pub fn default_path() -> Result<PathBuf> {
42    Ok(crate::cache::home_dir()?.join(".codex").join("auth.json"))
43}
44
45pub fn read_from(path: &Path) -> Result<AuthFile> {
46    let raw = std::fs::read_to_string(path).map_err(|e| AppError::io_at(path, e))?;
47    serde_json::from_str(&raw).map_err(|e| {
48        AppError::Credentials(format!(
49            "could not parse {}: {e}. Run `codex login` to re-authenticate.",
50            path.display()
51        ))
52    })
53}
54
55/// Persist updated tokens, preserving any unknown fields. Atomic.
56pub fn write_back(path: &Path, auth: &AuthFile) -> Result<()> {
57    let bytes = serde_json::to_vec_pretty(auth).map_err(AppError::Json)?;
58    atomic_write(path, &bytes)
59}
60
61impl Tokens {
62    /// Compute the Unix-seconds expiry from the embedded id_token. Returns
63    /// 0 (forcing immediate refresh) when the token isn't parseable.
64    pub fn expires_at_secs(&self) -> i64 {
65        parse_jwt_exp(&self.id_token).unwrap_or(0)
66    }
67
68    /// Plan tier from the id_token's nested claim
69    /// `https://api.openai.com/auth.chatgpt_plan_type`.
70    pub fn plan_type_from_id_token(&self) -> Option<String> {
71        let claims = parse_jwt_claims(&self.id_token)?;
72        claims
73            .get("https://api.openai.com/auth")
74            .and_then(|v| v.get("chatgpt_plan_type"))
75            .and_then(|v| v.as_str())
76            .map(|s| s.to_string())
77    }
78}
79
80/// Parse a JWT's `exp` claim. Returns None for malformed tokens.
81fn parse_jwt_exp(token: &str) -> Option<i64> {
82    let claims = parse_jwt_claims(token)?;
83    claims
84        .get("exp")
85        .and_then(|v| v.as_i64())
86        .or_else(|| claims.get("exp").and_then(|v| v.as_f64()).map(|f| f as i64))
87}
88
89fn parse_jwt_claims(token: &str) -> Option<serde_json::Value> {
90    let mut parts = token.split('.');
91    let _header = parts.next()?;
92    let payload = parts.next()?;
93    let decoded = base64::engine::general_purpose::URL_SAFE_NO_PAD
94        .decode(payload)
95        .or_else(|_| base64::engine::general_purpose::URL_SAFE.decode(payload))
96        .ok()?;
97    serde_json::from_slice(&decoded).ok()
98}
99
100#[cfg(test)]
101mod tests {
102    use super::*;
103    use std::io::Write;
104    use tempfile::{NamedTempFile, TempDir};
105
106    fn write_auth(s: &str) -> NamedTempFile {
107        let mut f = NamedTempFile::new().unwrap();
108        f.write_all(s.as_bytes()).unwrap();
109        f.flush().unwrap();
110        f
111    }
112
113    /// Like `write_auth`, but with no open handle on the file, so
114    /// `write_back`'s atomic rename-over-destination succeeds on Windows.
115    /// See [`crate::cache::closed_temp_file`].
116    fn write_auth_closed(s: &str) -> (TempDir, std::path::PathBuf) {
117        crate::cache::closed_temp_file("auth.json", Some(s))
118    }
119
120    /// Build a fake JWT with the given claims (no signature verification).
121    fn fake_jwt(claims: serde_json::Value) -> String {
122        let header = base64::engine::general_purpose::URL_SAFE_NO_PAD
123            .encode(br#"{"alg":"none","typ":"JWT"}"#);
124        let payload =
125            base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(claims.to_string().as_bytes());
126        format!("{header}.{payload}.sig")
127    }
128
129    #[test]
130    fn parses_minimal_auth_file() {
131        let jwt = fake_jwt(serde_json::json!({"exp": 1234567890}));
132        let body = format!(
133            r#"{{"tokens":{{"access_token":"AT","refresh_token":"RT",
134                "id_token":"{jwt}","account_id":"acc"}}}}"#
135        );
136        let f = write_auth(&body);
137        let auth = read_from(f.path()).unwrap();
138        assert_eq!(auth.tokens.access_token, "AT");
139        assert_eq!(auth.tokens.account_id.as_deref(), Some("acc"));
140        assert_eq!(auth.tokens.expires_at_secs(), 1234567890);
141    }
142
143    #[test]
144    fn extracts_plan_type_from_id_token() {
145        let jwt = fake_jwt(serde_json::json!({
146            "exp": 1234567890,
147            "https://api.openai.com/auth": {"chatgpt_plan_type": "plus"}
148        }));
149        let body = format!(
150            r#"{{"tokens":{{"access_token":"AT","refresh_token":"RT","id_token":"{jwt}"}}}}"#
151        );
152        let f = write_auth(&body);
153        let auth = read_from(f.path()).unwrap();
154        assert_eq!(
155            auth.tokens.plan_type_from_id_token().as_deref(),
156            Some("plus")
157        );
158    }
159
160    #[test]
161    fn malformed_jwt_returns_zero_exp() {
162        let body = r#"{"tokens":{"access_token":"x","refresh_token":"y","id_token":"not.a.jwt"}}"#;
163        let f = write_auth(body);
164        let auth = read_from(f.path()).unwrap();
165        assert_eq!(auth.tokens.expires_at_secs(), 0);
166        assert!(auth.tokens.plan_type_from_id_token().is_none());
167    }
168
169    #[test]
170    fn malformed_file_returns_credentials_error() {
171        let f = write_auth("not json");
172        let err = read_from(f.path()).unwrap_err();
173        assert!(matches!(err, AppError::Credentials(_)));
174    }
175
176    #[test]
177    fn write_back_preserves_unknown_fields() {
178        let jwt = fake_jwt(serde_json::json!({"exp": 1234567890}));
179        let body = format!(
180            r#"{{"tokens":{{"access_token":"AT","refresh_token":"RT","id_token":"{jwt}"}},
181                "some_other_field":"keep-me"}}"#
182        );
183        let (_dir, path) = write_auth_closed(&body);
184        let mut auth = read_from(&path).unwrap();
185        auth.tokens.access_token = "NEW".into();
186        write_back(&path, &auth).unwrap();
187
188        let v: serde_json::Value =
189            serde_json::from_str(&std::fs::read_to_string(&path).unwrap()).unwrap();
190        assert_eq!(v["some_other_field"], "keep-me");
191        assert_eq!(v["tokens"]["access_token"], "NEW");
192    }
193
194    #[test]
195    fn default_path_ends_with_codex_auth() {
196        let p = default_path().unwrap();
197        // Trailing segments are stable across platforms; only the home prefix
198        // differs (resolved by directories::BaseDirs).
199        assert!(p.ends_with(std::path::Path::new(".codex").join("auth.json")));
200    }
201
202    // On Windows the home prefix is %USERPROFILE%, not $HOME.
203    #[cfg(windows)]
204    #[test]
205    fn default_path_uses_userprofile_on_windows() {
206        let p = default_path().unwrap();
207        let userprofile = std::env::var("USERPROFILE").expect("USERPROFILE set on Windows");
208        // directories::BaseDirs resolves the home via SHGetKnownFolderPath, which
209        // can differ from %USERPROFILE% in casing or path separator. Compare on a
210        // normalized basis (lowercased, backslashes) rather than Path::starts_with,
211        // which compares components case-sensitively even on Windows.
212        let norm = |s: &str| s.to_lowercase().replace('/', "\\");
213        let p_norm = norm(&p.to_string_lossy());
214        let up_norm = norm(&userprofile);
215        assert!(
216            p_norm.starts_with(up_norm.as_str()),
217            "{} should live under {}",
218            p.display(),
219            userprofile
220        );
221    }
222}