1use anyhow::Result;
2use chrono::Utc;
3use nils_common::fs;
4use reqwest::blocking::Client;
5use serde_json::{Map, Value};
6use std::path::{Path, PathBuf};
7use std::time::Duration;
8
9use crate::auth::output::{self, AuthRefreshResult};
10use crate::json;
11use crate::paths;
12
13#[derive(Copy, Clone, Eq, PartialEq)]
14enum RefreshOutputMode {
15 Text,
16 Json,
17 Silent,
18}
19
20pub fn run(args: &[String]) -> Result<i32> {
21 run_with_mode(args, RefreshOutputMode::Text)
22}
23
24pub fn run_with_json(args: &[String], output_json: bool) -> Result<i32> {
25 let mode = if output_json {
26 RefreshOutputMode::Json
27 } else {
28 RefreshOutputMode::Text
29 };
30 run_with_mode(args, mode)
31}
32
33pub fn run_silent(args: &[String]) -> Result<i32> {
34 run_with_mode(args, RefreshOutputMode::Silent)
35}
36
37fn run_with_mode(args: &[String], output_mode: RefreshOutputMode) -> Result<i32> {
38 let output_json = output_mode == RefreshOutputMode::Json;
39 let output_text = output_mode == RefreshOutputMode::Text;
40
41 let target_file = match resolve_target(args, output_json)? {
42 Some(path) => path,
43 None => return Ok(64),
44 };
45
46 if !target_file.is_file() {
47 if output_json {
48 output::emit_error(
49 "auth refresh",
50 "target-not-found",
51 format!("codex-refresh: {} not found", target_file.display()),
52 Some(serde_json::json!({
53 "target_file": target_file.display().to_string(),
54 })),
55 )?;
56 } else if output_text {
57 eprintln!("codex-refresh: {} not found", target_file.display());
58 }
59 return Ok(1);
60 }
61
62 let value = match json::read_json(&target_file) {
63 Ok(value) => value,
64 Err(_) => {
65 if output_json {
66 output::emit_error(
67 "auth refresh",
68 "refresh-token-read-failed",
69 format!(
70 "codex-refresh: failed to read refresh token from {}",
71 target_file.display()
72 ),
73 Some(serde_json::json!({
74 "target_file": target_file.display().to_string(),
75 })),
76 )?;
77 } else if output_text {
78 eprintln!(
79 "codex-refresh: failed to read refresh token from {}",
80 target_file.display()
81 );
82 }
83 return Ok(2);
84 }
85 };
86
87 let refresh_token = refresh_token_from_json(&value);
88 let refresh_token = match refresh_token {
89 Some(token) => token,
90 None => {
91 if output_json {
92 output::emit_error(
93 "auth refresh",
94 "refresh-token-missing",
95 format!(
96 "codex-refresh: failed to read refresh token from {}",
97 target_file.display()
98 ),
99 Some(serde_json::json!({
100 "target_file": target_file.display().to_string(),
101 })),
102 )?;
103 } else if output_text {
104 eprintln!(
105 "codex-refresh: failed to read refresh token from {}",
106 target_file.display()
107 );
108 }
109 return Ok(2);
110 }
111 };
112
113 let now_iso = Utc::now().format("%Y-%m-%dT%H:%M:%SZ").to_string();
114
115 let client_id = std::env::var("CODEX_OAUTH_CLIENT_ID")
116 .unwrap_or_else(|_| "app_EMoamEEZ73f0CkXaXp7hrann".to_string());
117
118 let connect_timeout = env_timeout("CODEX_REFRESH_AUTH_CURL_CONNECT_TIMEOUT_SECONDS", 2);
119 let max_time = env_timeout("CODEX_REFRESH_AUTH_CURL_MAX_TIME_SECONDS", 8);
120
121 let client = Client::builder()
122 .connect_timeout(Duration::from_secs(connect_timeout))
123 .timeout(Duration::from_secs(max_time))
124 .build()?;
125
126 let response = client
127 .post("https://auth.openai.com/oauth/token")
128 .header("Content-Type", "application/x-www-form-urlencoded")
129 .form(&[
130 ("grant_type", "refresh_token"),
131 ("client_id", client_id.as_str()),
132 ("refresh_token", refresh_token.as_str()),
133 ])
134 .send();
135
136 let response = match response {
137 Ok(resp) => resp,
138 Err(_) => {
139 if output_json {
140 output::emit_error(
141 "auth refresh",
142 "token-endpoint-request-failed",
143 format!(
144 "codex-refresh: token endpoint request failed for {}",
145 target_file.display()
146 ),
147 Some(serde_json::json!({
148 "target_file": target_file.display().to_string(),
149 })),
150 )?;
151 } else if output_text {
152 eprintln!(
153 "codex-refresh: token endpoint request failed for {}",
154 target_file.display()
155 );
156 }
157 return Ok(3);
158 }
159 };
160
161 let status = response.status();
162 let body = response.text().unwrap_or_default();
163
164 if status.as_u16() != 200 {
165 let summary = error_summary(&body);
166 if output_json {
167 output::emit_error(
168 "auth refresh",
169 "token-endpoint-failed",
170 format!(
171 "codex-refresh: token endpoint failed (HTTP {}) for {}",
172 status.as_u16(),
173 target_file.display()
174 ),
175 Some(serde_json::json!({
176 "http_status": status.as_u16(),
177 "target_file": target_file.display().to_string(),
178 "summary": summary,
179 })),
180 )?;
181 } else if output_text {
182 if let Some(summary) = summary {
183 eprintln!(
184 "codex-refresh: token endpoint failed (HTTP {}) for {}: {}",
185 status.as_u16(),
186 target_file.display(),
187 summary
188 );
189 } else {
190 eprintln!(
191 "codex-refresh: token endpoint failed (HTTP {}) for {}",
192 status.as_u16(),
193 target_file.display()
194 );
195 }
196 }
197 return Ok(3);
198 }
199
200 let response_json: Value = match serde_json::from_str(&body) {
201 Ok(value) => value,
202 Err(_) => {
203 if output_json {
204 output::emit_error(
205 "auth refresh",
206 "token-endpoint-invalid-json",
207 "codex-refresh: token endpoint returned invalid JSON",
208 None,
209 )?;
210 } else if output_text {
211 eprintln!("codex-refresh: token endpoint returned invalid JSON");
212 }
213 return Ok(4);
214 }
215 };
216
217 let merged = match merge_tokens(&value, &response_json, &now_iso) {
218 Ok(value) => value,
219 Err(_) => {
220 if output_json {
221 output::emit_error(
222 "auth refresh",
223 "merge-failed",
224 "codex-refresh: failed to merge refreshed tokens",
225 None,
226 )?;
227 } else if output_text {
228 eprintln!("codex-refresh: failed to merge refreshed tokens");
229 }
230 return Ok(5);
231 }
232 };
233
234 let output = serde_json::to_vec(&merged)?;
235 fs::write_atomic(&target_file, &output, fs::SECRET_FILE_MODE)?;
236
237 if let Some(timestamp_path) = paths::resolve_secret_timestamp_path(&target_file) {
238 fs::write_timestamp(×tamp_path, Some(&now_iso))?;
239 }
240
241 let mut synced = false;
242 if is_auth_file(&target_file) {
243 let sync_rc = crate::auth::sync::run_with_json(false)?;
244 if sync_rc != 0 {
245 if output_json {
246 output::emit_error(
247 "auth refresh",
248 "sync-failed",
249 "codex-refresh: failed to sync refreshed auth into matching secrets",
250 Some(serde_json::json!({
251 "target_file": target_file.display().to_string(),
252 })),
253 )?;
254 }
255 return Ok(6);
256 }
257 synced = true;
258 }
259
260 if output_json {
261 output::emit_result(
262 "auth refresh",
263 AuthRefreshResult {
264 target_file: target_file.display().to_string(),
265 refreshed: true,
266 synced,
267 refreshed_at: Some(now_iso),
268 },
269 )?;
270 } else if output_text {
271 println!("codex: refreshed {} at {}", target_file.display(), now_iso);
272 }
273 Ok(0)
274}
275
276fn resolve_target(args: &[String], output_json: bool) -> Result<Option<PathBuf>> {
277 if args.is_empty() {
278 return Ok(Some(
279 paths::resolve_auth_file().unwrap_or_else(|| PathBuf::from("auth.json")),
280 ));
281 }
282
283 let secret_name = &args[0];
284 if secret_name.is_empty() || secret_name.contains('/') || secret_name.contains("..") {
285 if output_json {
286 output::emit_error(
287 "auth refresh",
288 "invalid-secret-file-name",
289 format!("codex-refresh: invalid secret file name: {secret_name}"),
290 Some(serde_json::json!({
291 "secret": secret_name,
292 })),
293 )?;
294 } else {
295 eprintln!("codex-refresh: invalid secret file name: {secret_name}");
296 }
297 return Ok(None);
298 }
299
300 let secret_dir = paths::resolve_secret_dir().unwrap_or_default();
301 Ok(Some(secret_dir.join(secret_name)))
302}
303
304fn refresh_token_from_json(value: &Value) -> Option<String> {
305 json::string_at(value, &["tokens", "refresh_token"])
306 .or_else(|| json::string_at(value, &["refresh_token"]))
307}
308
309fn merge_tokens(base: &Value, refresh: &Value, now_iso: &str) -> Result<Value> {
310 let mut root = base.as_object().cloned().unwrap_or_else(Map::new);
311 let mut tokens = root
312 .get("tokens")
313 .and_then(|value| value.as_object())
314 .cloned()
315 .unwrap_or_else(Map::new);
316
317 if let Some(refresh_obj) = refresh.as_object() {
318 for (key, value) in refresh_obj {
319 tokens.insert(key.clone(), value.clone());
320 }
321 } else {
322 return Err(anyhow::anyhow!("refresh payload is not object"));
323 }
324
325 root.insert("tokens".to_string(), Value::Object(tokens));
326 root.insert(
327 "last_refresh".to_string(),
328 Value::String(now_iso.to_string()),
329 );
330 Ok(Value::Object(root))
331}
332
333fn error_summary(body: &str) -> Option<String> {
334 let value: Value = serde_json::from_str(body).ok()?;
335 let mut parts = Vec::new();
336
337 if let Some(error) = value.get("error") {
338 if error.is_object() {
339 if let Some(code) = error.get("code").and_then(|v| v.as_str())
340 && !code.is_empty()
341 {
342 parts.push(code.to_string());
343 }
344 if let Some(message) = error.get("message").and_then(|v| v.as_str())
345 && !message.is_empty()
346 {
347 parts.push(message.to_string());
348 }
349 } else if let Some(error_str) = error.as_str()
350 && !error_str.is_empty()
351 {
352 parts.push(error_str.to_string());
353 }
354 }
355
356 if let Some(desc) = value.get("error_description").and_then(|v| v.as_str())
357 && !desc.is_empty()
358 {
359 parts.push(desc.to_string());
360 }
361
362 if parts.is_empty() {
363 None
364 } else {
365 Some(parts.join(": "))
366 }
367}
368
369fn env_timeout(key: &str, default: u64) -> u64 {
370 std::env::var(key)
371 .ok()
372 .and_then(|raw| raw.parse::<u64>().ok())
373 .unwrap_or(default)
374}
375
376#[cfg(test)]
377fn file_name(path: &Path) -> String {
378 path.file_name()
379 .and_then(|name| name.to_str())
380 .unwrap_or("auth.json")
381 .to_string()
382}
383
384fn is_auth_file(target: &Path) -> bool {
385 if let Some(auth_file) = paths::resolve_auth_file()
386 && auth_file == target
387 {
388 return true;
389 }
390 false
391}
392
393#[cfg(test)]
394mod tests {
395 use super::*;
396 use pretty_assertions::assert_eq;
397
398 struct EnvVarGuard {
399 key: String,
400 previous: Option<std::ffi::OsString>,
401 }
402
403 impl EnvVarGuard {
404 fn set(key: &str, value: &str) -> Self {
405 let previous = std::env::var_os(key);
406 unsafe { std::env::set_var(key, value) };
408 Self {
409 key: key.to_string(),
410 previous,
411 }
412 }
413
414 fn remove(key: &str) -> Self {
415 let previous = std::env::var_os(key);
416 unsafe { std::env::remove_var(key) };
418 Self {
419 key: key.to_string(),
420 previous,
421 }
422 }
423 }
424
425 impl Drop for EnvVarGuard {
426 fn drop(&mut self) {
427 if let Some(previous) = self.previous.take() {
428 unsafe { std::env::set_var(&self.key, previous) };
430 } else {
431 unsafe { std::env::remove_var(&self.key) };
433 }
434 }
435 }
436
437 #[test]
438 fn auth_refresh_error_summary() {
439 let body = r#"{"error":{"code":"invalid_grant","message":"Bad token"}}"#;
440 let summary = error_summary(body).expect("summary");
441 assert_eq!(summary, "invalid_grant: Bad token");
442 }
443
444 #[test]
445 fn auth_refresh_merge_tokens() {
446 let base: Value = serde_json::from_str(r#"{"tokens":{"access_token":"old"}}"#).unwrap();
447 let refresh: Value =
448 serde_json::from_str(r#"{"access_token":"new","refresh_token":"r1"}"#).unwrap();
449 let merged = merge_tokens(&base, &refresh, "2025-01-20T00:00:00Z").unwrap();
450 let tokens = merged.get("tokens").unwrap();
451 assert_eq!(tokens.get("access_token").unwrap(), "new");
452 assert_eq!(tokens.get("refresh_token").unwrap(), "r1");
453 assert_eq!(merged.get("last_refresh").unwrap(), "2025-01-20T00:00:00Z");
454 }
455
456 #[test]
457 fn auth_refresh_resolve_target_defaults_when_no_args() {
458 let args: Vec<String> = Vec::new();
459 let target = resolve_target(&args, false).unwrap().expect("target");
460 assert!(!target.as_os_str().is_empty());
461 }
462
463 #[test]
464 fn auth_refresh_resolve_target_rejects_invalid_secret_names() {
465 for secret in ["", "a/b", "a..b", "../x"] {
466 let args = vec![secret.to_string()];
467 let target = resolve_target(&args, false).unwrap();
468 assert!(target.is_none(), "expected None for secret={secret:?}");
469 }
470 }
471
472 #[test]
473 fn auth_refresh_resolve_target_joins_secret_name() {
474 let secret_name = "my-secret.json";
475 let args = vec![secret_name.to_string()];
476 let target = resolve_target(&args, false).unwrap().expect("target");
477 assert!(target.ends_with(secret_name));
478 }
479
480 #[test]
481 fn auth_refresh_refresh_token_from_json_prefers_nested() {
482 let value = serde_json::json!({
483 "refresh_token": "top",
484 "tokens": { "refresh_token": "nested" }
485 });
486 let token = refresh_token_from_json(&value).expect("token");
487 assert_eq!(token, "nested");
488 }
489
490 #[test]
491 fn auth_refresh_refresh_token_from_json_falls_back_to_top_level() {
492 let value = serde_json::json!({ "refresh_token": "top" });
493 let token = refresh_token_from_json(&value).expect("token");
494 assert_eq!(token, "top");
495 }
496
497 #[test]
498 fn auth_refresh_refresh_token_from_json_none_when_missing() {
499 let value = serde_json::json!({ "tokens": { "access_token": "a1" } });
500 assert!(refresh_token_from_json(&value).is_none());
501 }
502
503 #[test]
504 fn auth_refresh_env_timeout_uses_default_when_missing_or_invalid() {
505 let key = "CODEX_TEST_ENV_TIMEOUT_SECONDS_DEFAULT";
506 let _guard = EnvVarGuard::remove(key);
507 assert_eq!(env_timeout(key, 123), 123);
508
509 let _guard = EnvVarGuard::set(key, "not-a-number");
510 assert_eq!(env_timeout(key, 456), 456);
511
512 let _guard = EnvVarGuard::set(key, "-1");
513 assert_eq!(env_timeout(key, 789), 789);
514 }
515
516 #[test]
517 fn auth_refresh_env_timeout_parses_value() {
518 let key = "CODEX_TEST_ENV_TIMEOUT_SECONDS_PARSE";
519 let _guard = EnvVarGuard::set(key, "42");
520 assert_eq!(env_timeout(key, 1), 42);
521 }
522
523 #[test]
524 fn auth_refresh_file_name_returns_basename() {
525 let path = Path::new("my-auth.json");
526 assert_eq!(file_name(path), "my-auth.json");
527 }
528
529 #[test]
530 fn auth_refresh_file_name_defaults_when_missing() {
531 let path = Path::new("");
532 assert_eq!(file_name(path), "auth.json");
533 }
534
535 #[cfg(unix)]
536 #[test]
537 fn auth_refresh_file_name_defaults_when_non_utf8() {
538 use std::ffi::OsString;
539 use std::os::unix::ffi::OsStringExt;
540
541 let path = PathBuf::from(OsString::from_vec(vec![0xFF]));
542 assert_eq!(file_name(&path), "auth.json");
543 }
544}