codexia 1.0.3

OpenAI- and Anthropic-compatible local API gateway backed by Codex OAuth.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209

use crate::{
    Error, Result,
    config::{AuthStore, Credentials},
    oauth::CodexOAuthClient,
};
use std::sync::Arc;
use tokio::sync::RwLock;

const REFRESH_SKEW_SECS: i64 = 60;

/// Keeps OAuth credentials cached in memory and refreshes them when needed.
#[derive(Clone)]
pub struct TokenManager {
    store: AuthStore,
    oauth: CodexOAuthClient,
    cached: Arc<RwLock<Option<Credentials>>>,
}

impl TokenManager {
    /// Creates a token manager backed by the given credential store and OAuth client.
    #[must_use]
    pub fn new(store: AuthStore, oauth: CodexOAuthClient) -> Self {
        let cached = store.load().unwrap_or(None);
        Self {
            store,
            oauth,
            cached: Arc::new(RwLock::new(cached)),
        }
    }

    /// Returns the currently cached credentials without forcing a refresh.
    #[must_use]
    pub async fn credentials_snapshot(&self) -> Option<Credentials> {
        self.cached.read().await.clone()
    }

    /// Refreshes the current credentials immediately and persists the new tokens.
    ///
    /// # Errors
    ///
    /// Returns an error when no credentials are stored locally, the refresh
    /// request fails, or the refreshed credentials cannot be saved.
    pub async fn refresh(&self) -> Result<Credentials> {
        let mut guard = self.cached.write().await;
        let credentials = guard.clone().or(self.store.load()?).ok_or_else(|| {
            Error::config("not logged in; run `codexia login` before refreshing tokens")
        })?;

        let refreshed = self.refresh_credentials(&credentials).await?;
        self.store.save(&refreshed)?;
        *guard = Some(refreshed.clone());
        drop(guard);
        Ok(refreshed)
    }

    /// Returns valid credentials, refreshing them when they are near expiry.
    ///
    /// # Errors
    ///
    /// Returns an error when no credentials are stored locally, the refresh
    /// request fails, or persisted credentials cannot be loaded or saved.
    pub async fn credentials(&self) -> Result<Credentials> {
        // Check the shared cache first so uncontended reads avoid disk I/O and refresh traffic.
        let cached_credentials = self.cached.read().await.clone();
        if let Some(credentials) = cached_credentials {
            if !credentials.is_expired(REFRESH_SKEW_SECS) {
                return Ok(credentials);
            }
        }

        let mut guard = self.cached.write().await;
        let Some(credentials) = guard.clone().or(self.store.load()?) else {
            return Err(Error::config(
                "not logged in; run `codexia login` before serving requests",
            ));
        };

        // Refresh slightly before the exact expiry time so callers do not race a token timeout.
        if !credentials.is_expired(REFRESH_SKEW_SECS) {
            *guard = Some(credentials.clone());
            return Ok(credentials);
        }

        let refreshed = self.refresh_credentials(&credentials).await?;
        self.store.save(&refreshed)?;
        *guard = Some(refreshed.clone());
        drop(guard);
        Ok(refreshed)
    }

    async fn refresh_credentials(&self, credentials: &Credentials) -> Result<Credentials> {
        self.oauth.refresh_token(&credentials.refresh_token).await
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::config::now_unix;
    use crate::testsupport::TempDir;
    use axum::{Form, Json, Router, routing::post};
    use base64::{Engine, engine::general_purpose::URL_SAFE_NO_PAD};
    use reqwest::Client;
    use serde_json::{Value, json};
    use std::collections::HashMap;
    use tokio::net::TcpListener;

    fn jwt_with_payload(payload: &Value) -> String {
        let encoded = URL_SAFE_NO_PAD.encode(serde_json::to_vec(payload).unwrap());
        format!("header.{encoded}.sig")
    }

    fn jwt_with_account_id(account_id: &str) -> String {
        jwt_with_payload(&json!({
            "https://api.openai.com/auth": { "chatgpt_account_id": account_id }
        }))
    }

    async fn refresh_handler(Form(form): Form<HashMap<String, String>>) -> Json<Value> {
        assert_eq!(form.get("refresh_token").unwrap(), "old_refresh");
        Json(json!({
            "access_token": jwt_with_account_id("acc_refreshed"),
            "refresh_token": "new_refresh",
            "expires_in": 3600
        }))
    }

    async fn spawn_refresh_server() -> String {
        let app = Router::new().route("/token", post(refresh_handler));
        let listener = TcpListener::bind("127.0.0.1:0").await.unwrap();
        let url = format!("http://{}/token", listener.local_addr().unwrap());
        tokio::spawn(async move {
            axum::serve(listener, app).await.unwrap();
        });

        url
    }

    #[test]
    fn manager_loads_missing_store_without_panic() {
        let dir = TempDir::new().unwrap();
        let store = AuthStore::new(dir.path().join("auth.json"));
        let manager = TokenManager::new(store, CodexOAuthClient::default());

        assert!(manager.cached.blocking_read().is_none());
    }

    #[tokio::test]
    async fn manager_returns_unexpired_credentials() {
        let dir = TempDir::new().unwrap();
        let store = AuthStore::new(dir.path().join("auth.json"));
        let credentials = Credentials {
            access_token: "access".into(),
            refresh_token: "refresh".into(),
            expires_at: now_unix() + 600,
            account_id: "acc".into(),
        };
        store.save(&credentials).unwrap();
        let manager = TokenManager::new(store, CodexOAuthClient::default());

        assert_eq!(manager.credentials().await.unwrap(), credentials);
    }

    #[tokio::test]
    async fn manager_refreshes_expired_credentials_and_saves_them() {
        let dir = TempDir::new().unwrap();
        let store = AuthStore::new(dir.path().join("auth.json"));
        store
            .save(&Credentials {
                access_token: "old_access".into(),
                refresh_token: "old_refresh".into(),
                expires_at: now_unix() - 1,
                account_id: "acc_old".into(),
            })
            .unwrap();
        let oauth =
            CodexOAuthClient::new_with_token_url(Client::new(), spawn_refresh_server().await);
        let manager = TokenManager::new(store.clone(), oauth);

        let credentials = manager.credentials().await.unwrap();

        assert_eq!(credentials.refresh_token, "new_refresh");
        assert_eq!(credentials.account_id, "acc_refreshed");
        assert_eq!(store.load().unwrap(), Some(credentials));
    }

    #[tokio::test]
    async fn manager_refresh_forces_refresh_even_when_credentials_are_unexpired() {
        let dir = TempDir::new().unwrap();
        let store = AuthStore::new(dir.path().join("auth.json"));
        store
            .save(&Credentials {
                access_token: "old_access".into(),
                refresh_token: "old_refresh".into(),
                expires_at: now_unix() + 600,
                account_id: "acc_old".into(),
            })
            .unwrap();
        let oauth =
            CodexOAuthClient::new_with_token_url(Client::new(), spawn_refresh_server().await);
        let manager = TokenManager::new(store.clone(), oauth);

        let credentials = manager.refresh().await.unwrap();

        assert_eq!(credentials.refresh_token, "new_refresh");
        assert_eq!(credentials.account_id, "acc_refreshed");
        assert_eq!(manager.credentials_snapshot().await, Some(credentials));
    }
}