ai_usagebar/openai/
creds.rs1use std::path::{Path, PathBuf};
5
6use base64::Engine;
7use serde::{Deserialize, Serialize};
8
9use crate::cache::atomic_write;
10use crate::error::{AppError, Result};
11
12#[derive(Debug, Clone, Deserialize, Serialize)]
13pub struct AuthFile {
14 pub tokens: Tokens,
15 #[serde(default, skip_serializing_if = "Option::is_none")]
16 pub last_refresh: Option<String>,
17 #[serde(flatten, default)]
18 pub extra: serde_json::Map<String, serde_json::Value>,
19}
20
21#[derive(Debug, Clone, Deserialize, Serialize)]
22pub struct Tokens {
23 pub access_token: String,
24 pub refresh_token: String,
25 pub id_token: String,
26 #[serde(default)]
27 pub account_id: Option<String>,
28 #[serde(default)]
31 pub expires_at: Option<String>,
32 #[serde(flatten, default)]
33 pub extra: serde_json::Map<String, serde_json::Value>,
34}
35
36pub fn default_path() -> Result<PathBuf> {
42 Ok(crate::cache::home_dir()?.join(".codex").join("auth.json"))
43}
44
45pub fn read_from(path: &Path) -> Result<AuthFile> {
46 let raw = std::fs::read_to_string(path).map_err(|e| AppError::io_at(path, e))?;
47 serde_json::from_str(&raw).map_err(|e| {
48 AppError::Credentials(format!(
49 "could not parse {}: {e}. Run `codex login` to re-authenticate.",
50 path.display()
51 ))
52 })
53}
54
55pub fn write_back(path: &Path, auth: &AuthFile) -> Result<()> {
57 let bytes = serde_json::to_vec_pretty(auth).map_err(AppError::Json)?;
58 atomic_write(path, &bytes)
59}
60
61impl Tokens {
62 pub fn expires_at_secs(&self) -> i64 {
65 parse_jwt_exp(&self.id_token).unwrap_or(0)
66 }
67
68 pub fn plan_type_from_id_token(&self) -> Option<String> {
71 let claims = parse_jwt_claims(&self.id_token)?;
72 claims
73 .get("https://api.openai.com/auth")
74 .and_then(|v| v.get("chatgpt_plan_type"))
75 .and_then(|v| v.as_str())
76 .map(|s| s.to_string())
77 }
78}
79
80fn parse_jwt_exp(token: &str) -> Option<i64> {
82 let claims = parse_jwt_claims(token)?;
83 claims
84 .get("exp")
85 .and_then(|v| v.as_i64())
86 .or_else(|| claims.get("exp").and_then(|v| v.as_f64()).map(|f| f as i64))
87}
88
89fn parse_jwt_claims(token: &str) -> Option<serde_json::Value> {
90 let mut parts = token.split('.');
91 let _header = parts.next()?;
92 let payload = parts.next()?;
93 let decoded = base64::engine::general_purpose::URL_SAFE_NO_PAD
94 .decode(payload)
95 .or_else(|_| base64::engine::general_purpose::URL_SAFE.decode(payload))
96 .ok()?;
97 serde_json::from_slice(&decoded).ok()
98}
99
100#[cfg(test)]
101mod tests {
102 use super::*;
103 use std::io::Write;
104 use tempfile::{NamedTempFile, TempDir};
105
106 fn write_auth(s: &str) -> NamedTempFile {
107 let mut f = NamedTempFile::new().unwrap();
108 f.write_all(s.as_bytes()).unwrap();
109 f.flush().unwrap();
110 f
111 }
112
113 fn write_auth_closed(s: &str) -> (TempDir, std::path::PathBuf) {
117 crate::cache::closed_temp_file("auth.json", Some(s))
118 }
119
120 fn fake_jwt(claims: serde_json::Value) -> String {
122 let header = base64::engine::general_purpose::URL_SAFE_NO_PAD
123 .encode(br#"{"alg":"none","typ":"JWT"}"#);
124 let payload =
125 base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(claims.to_string().as_bytes());
126 format!("{header}.{payload}.sig")
127 }
128
129 #[test]
130 fn parses_minimal_auth_file() {
131 let jwt = fake_jwt(serde_json::json!({"exp": 1234567890}));
132 let body = format!(
133 r#"{{"tokens":{{"access_token":"AT","refresh_token":"RT",
134 "id_token":"{jwt}","account_id":"acc"}}}}"#
135 );
136 let f = write_auth(&body);
137 let auth = read_from(f.path()).unwrap();
138 assert_eq!(auth.tokens.access_token, "AT");
139 assert_eq!(auth.tokens.account_id.as_deref(), Some("acc"));
140 assert_eq!(auth.tokens.expires_at_secs(), 1234567890);
141 }
142
143 #[test]
144 fn extracts_plan_type_from_id_token() {
145 let jwt = fake_jwt(serde_json::json!({
146 "exp": 1234567890,
147 "https://api.openai.com/auth": {"chatgpt_plan_type": "plus"}
148 }));
149 let body = format!(
150 r#"{{"tokens":{{"access_token":"AT","refresh_token":"RT","id_token":"{jwt}"}}}}"#
151 );
152 let f = write_auth(&body);
153 let auth = read_from(f.path()).unwrap();
154 assert_eq!(
155 auth.tokens.plan_type_from_id_token().as_deref(),
156 Some("plus")
157 );
158 }
159
160 #[test]
161 fn malformed_jwt_returns_zero_exp() {
162 let body = r#"{"tokens":{"access_token":"x","refresh_token":"y","id_token":"not.a.jwt"}}"#;
163 let f = write_auth(body);
164 let auth = read_from(f.path()).unwrap();
165 assert_eq!(auth.tokens.expires_at_secs(), 0);
166 assert!(auth.tokens.plan_type_from_id_token().is_none());
167 }
168
169 #[test]
170 fn malformed_file_returns_credentials_error() {
171 let f = write_auth("not json");
172 let err = read_from(f.path()).unwrap_err();
173 assert!(matches!(err, AppError::Credentials(_)));
174 }
175
176 #[test]
177 fn write_back_preserves_unknown_fields() {
178 let jwt = fake_jwt(serde_json::json!({"exp": 1234567890}));
179 let body = format!(
180 r#"{{"tokens":{{"access_token":"AT","refresh_token":"RT","id_token":"{jwt}"}},
181 "some_other_field":"keep-me"}}"#
182 );
183 let (_dir, path) = write_auth_closed(&body);
184 let mut auth = read_from(&path).unwrap();
185 auth.tokens.access_token = "NEW".into();
186 write_back(&path, &auth).unwrap();
187
188 let v: serde_json::Value =
189 serde_json::from_str(&std::fs::read_to_string(&path).unwrap()).unwrap();
190 assert_eq!(v["some_other_field"], "keep-me");
191 assert_eq!(v["tokens"]["access_token"], "NEW");
192 }
193
194 #[test]
195 fn default_path_ends_with_codex_auth() {
196 let p = default_path().unwrap();
197 assert!(p.ends_with(std::path::Path::new(".codex").join("auth.json")));
200 }
201
202 #[cfg(windows)]
204 #[test]
205 fn default_path_uses_userprofile_on_windows() {
206 let p = default_path().unwrap();
207 let userprofile = std::env::var("USERPROFILE").expect("USERPROFILE set on Windows");
208 let norm = |s: &str| s.to_lowercase().replace('/', "\\");
213 let p_norm = norm(&p.to_string_lossy());
214 let up_norm = norm(&userprofile);
215 assert!(
216 p_norm.starts_with(up_norm.as_str()),
217 "{} should live under {}",
218 p.display(),
219 userprofile
220 );
221 }
222}