1use anyhow::Result;
2use chrono::Utc;
3use nils_common::fs;
4use reqwest::blocking::Client;
5use serde_json::{Map, Value};
6use std::path::{Path, PathBuf};
7use std::time::Duration;
8
9use crate::auth::output::{self, AuthRefreshResult};
10use crate::json;
11use crate::paths;
12
13#[derive(Copy, Clone, Eq, PartialEq)]
14enum RefreshOutputMode {
15 Text,
16 Json,
17 Silent,
18}
19
20pub fn run(args: &[String]) -> Result<i32> {
21 run_with_mode(args, RefreshOutputMode::Text)
22}
23
24pub fn run_with_json(args: &[String], output_json: bool) -> Result<i32> {
25 let mode = if output_json {
26 RefreshOutputMode::Json
27 } else {
28 RefreshOutputMode::Text
29 };
30 run_with_mode(args, mode)
31}
32
33pub fn run_silent(args: &[String]) -> Result<i32> {
34 run_with_mode(args, RefreshOutputMode::Silent)
35}
36
37fn run_with_mode(args: &[String], output_mode: RefreshOutputMode) -> Result<i32> {
38 let output_json = output_mode == RefreshOutputMode::Json;
39 let output_text = output_mode == RefreshOutputMode::Text;
40
41 let target_file = match resolve_target(args, output_json)? {
42 Some(path) => path,
43 None => return Ok(64),
44 };
45
46 if !target_file.is_file() {
47 if output_json {
48 output::emit_error(
49 "auth refresh",
50 "target-not-found",
51 format!("codex-refresh: {} not found", target_file.display()),
52 Some(serde_json::json!({
53 "target_file": target_file.display().to_string(),
54 })),
55 )?;
56 } else if output_text {
57 eprintln!("codex-refresh: {} not found", target_file.display());
58 }
59 return Ok(1);
60 }
61
62 let value = match json::read_json(&target_file) {
63 Ok(value) => value,
64 Err(_) => {
65 if output_json {
66 output::emit_error(
67 "auth refresh",
68 "refresh-token-read-failed",
69 format!(
70 "codex-refresh: failed to read refresh token from {}",
71 target_file.display()
72 ),
73 Some(serde_json::json!({
74 "target_file": target_file.display().to_string(),
75 })),
76 )?;
77 } else if output_text {
78 eprintln!(
79 "codex-refresh: failed to read refresh token from {}",
80 target_file.display()
81 );
82 }
83 return Ok(2);
84 }
85 };
86
87 let refresh_token = refresh_token_from_json(&value);
88 let refresh_token = match refresh_token {
89 Some(token) => token,
90 None => {
91 if output_json {
92 output::emit_error(
93 "auth refresh",
94 "refresh-token-missing",
95 format!(
96 "codex-refresh: failed to read refresh token from {}",
97 target_file.display()
98 ),
99 Some(serde_json::json!({
100 "target_file": target_file.display().to_string(),
101 })),
102 )?;
103 } else if output_text {
104 eprintln!(
105 "codex-refresh: failed to read refresh token from {}",
106 target_file.display()
107 );
108 }
109 return Ok(2);
110 }
111 };
112
113 let now_iso = Utc::now().format("%Y-%m-%dT%H:%M:%SZ").to_string();
114
115 let client_id = std::env::var("CODEX_OAUTH_CLIENT_ID")
116 .unwrap_or_else(|_| "app_EMoamEEZ73f0CkXaXp7hrann".to_string());
117
118 let connect_timeout = env_timeout("CODEX_REFRESH_AUTH_CURL_CONNECT_TIMEOUT_SECONDS", 2);
119 let max_time = env_timeout("CODEX_REFRESH_AUTH_CURL_MAX_TIME_SECONDS", 8);
120
121 let client = Client::builder()
122 .connect_timeout(Duration::from_secs(connect_timeout))
123 .timeout(Duration::from_secs(max_time))
124 .build()?;
125
126 let response = client
127 .post("https://auth.openai.com/oauth/token")
128 .header("Content-Type", "application/x-www-form-urlencoded")
129 .form(&[
130 ("grant_type", "refresh_token"),
131 ("client_id", client_id.as_str()),
132 ("refresh_token", refresh_token.as_str()),
133 ])
134 .send();
135
136 let response = match response {
137 Ok(resp) => resp,
138 Err(_) => {
139 if output_json {
140 output::emit_error(
141 "auth refresh",
142 "token-endpoint-request-failed",
143 format!(
144 "codex-refresh: token endpoint request failed for {}",
145 target_file.display()
146 ),
147 Some(serde_json::json!({
148 "target_file": target_file.display().to_string(),
149 })),
150 )?;
151 } else if output_text {
152 eprintln!(
153 "codex-refresh: token endpoint request failed for {}",
154 target_file.display()
155 );
156 }
157 return Ok(3);
158 }
159 };
160
161 let status = response.status();
162 let body = response.text().unwrap_or_default();
163
164 if status.as_u16() != 200 {
165 let summary = error_summary(&body);
166 if output_json {
167 output::emit_error(
168 "auth refresh",
169 "token-endpoint-failed",
170 format!(
171 "codex-refresh: token endpoint failed (HTTP {}) for {}",
172 status.as_u16(),
173 target_file.display()
174 ),
175 Some(serde_json::json!({
176 "http_status": status.as_u16(),
177 "target_file": target_file.display().to_string(),
178 "summary": summary,
179 })),
180 )?;
181 } else if output_text {
182 if let Some(summary) = summary {
183 eprintln!(
184 "codex-refresh: token endpoint failed (HTTP {}) for {}: {}",
185 status.as_u16(),
186 target_file.display(),
187 summary
188 );
189 } else {
190 eprintln!(
191 "codex-refresh: token endpoint failed (HTTP {}) for {}",
192 status.as_u16(),
193 target_file.display()
194 );
195 }
196 }
197 return Ok(3);
198 }
199
200 let response_json: Value = match serde_json::from_str(&body) {
201 Ok(value) => value,
202 Err(_) => {
203 if output_json {
204 output::emit_error(
205 "auth refresh",
206 "token-endpoint-invalid-json",
207 "codex-refresh: token endpoint returned invalid JSON",
208 None,
209 )?;
210 } else if output_text {
211 eprintln!("codex-refresh: token endpoint returned invalid JSON");
212 }
213 return Ok(4);
214 }
215 };
216
217 let merged = match merge_tokens(&value, &response_json, &now_iso) {
218 Ok(value) => value,
219 Err(_) => {
220 if output_json {
221 output::emit_error(
222 "auth refresh",
223 "merge-failed",
224 "codex-refresh: failed to merge refreshed tokens",
225 None,
226 )?;
227 } else if output_text {
228 eprintln!("codex-refresh: failed to merge refreshed tokens");
229 }
230 return Ok(5);
231 }
232 };
233
234 let output = serde_json::to_vec(&merged)?;
235 fs::write_atomic(&target_file, &output, fs::SECRET_FILE_MODE)?;
236
237 if let Some(timestamp_path) = paths::resolve_secret_timestamp_path(&target_file) {
238 fs::write_timestamp(×tamp_path, Some(&now_iso))?;
239 }
240
241 let mut synced = false;
242 if is_auth_file(&target_file) {
243 let sync_rc = crate::auth::sync::run_with_json(false)?;
244 if sync_rc != 0 {
245 if output_json {
246 output::emit_error(
247 "auth refresh",
248 "sync-failed",
249 "codex-refresh: failed to sync refreshed auth into matching secrets",
250 Some(serde_json::json!({
251 "target_file": target_file.display().to_string(),
252 })),
253 )?;
254 }
255 return Ok(6);
256 }
257 synced = true;
258 }
259
260 if output_json {
261 output::emit_result(
262 "auth refresh",
263 AuthRefreshResult {
264 target_file: target_file.display().to_string(),
265 refreshed: true,
266 synced,
267 refreshed_at: Some(now_iso),
268 },
269 )?;
270 } else if output_text {
271 println!("codex: refreshed {} at {}", target_file.display(), now_iso);
272 }
273 Ok(0)
274}
275
276fn resolve_target(args: &[String], output_json: bool) -> Result<Option<PathBuf>> {
277 if args.is_empty() {
278 return Ok(Some(
279 paths::resolve_auth_file().unwrap_or_else(|| PathBuf::from("auth.json")),
280 ));
281 }
282
283 let secret_name = &args[0];
284 if secret_name.is_empty() || secret_name.contains('/') || secret_name.contains("..") {
285 if output_json {
286 output::emit_error(
287 "auth refresh",
288 "invalid-secret-file-name",
289 "codex-refresh: invalid secret file name".to_string(),
290 None,
291 )?;
292 } else {
293 eprintln!("codex-refresh: invalid secret file name");
294 }
295 return Ok(None);
296 }
297
298 let secret_dir = paths::resolve_secret_dir().unwrap_or_default();
299 Ok(Some(secret_dir.join(secret_name)))
300}
301
302fn refresh_token_from_json(value: &Value) -> Option<String> {
303 json::string_at(value, &["tokens", "refresh_token"])
304 .or_else(|| json::string_at(value, &["refresh_token"]))
305}
306
307fn merge_tokens(base: &Value, refresh: &Value, now_iso: &str) -> Result<Value> {
308 let mut root = base.as_object().cloned().unwrap_or_else(Map::new);
309 let mut tokens = root
310 .get("tokens")
311 .and_then(|value| value.as_object())
312 .cloned()
313 .unwrap_or_else(Map::new);
314
315 if let Some(refresh_obj) = refresh.as_object() {
316 for (key, value) in refresh_obj {
317 tokens.insert(key.clone(), value.clone());
318 }
319 } else {
320 return Err(anyhow::anyhow!("refresh payload is not object"));
321 }
322
323 root.insert("tokens".to_string(), Value::Object(tokens));
324 root.insert(
325 "last_refresh".to_string(),
326 Value::String(now_iso.to_string()),
327 );
328 Ok(Value::Object(root))
329}
330
331fn error_summary(body: &str) -> Option<String> {
332 let value: Value = serde_json::from_str(body).ok()?;
333 let mut parts = Vec::new();
334
335 if let Some(error) = value.get("error") {
336 if error.is_object() {
337 if let Some(code) = error.get("code").and_then(|v| v.as_str())
338 && !code.is_empty()
339 {
340 parts.push(code.to_string());
341 }
342 if let Some(message) = error.get("message").and_then(|v| v.as_str())
343 && !message.is_empty()
344 {
345 parts.push(message.to_string());
346 }
347 } else if let Some(error_str) = error.as_str()
348 && !error_str.is_empty()
349 {
350 parts.push(error_str.to_string());
351 }
352 }
353
354 if let Some(desc) = value.get("error_description").and_then(|v| v.as_str())
355 && !desc.is_empty()
356 {
357 parts.push(desc.to_string());
358 }
359
360 if parts.is_empty() {
361 None
362 } else {
363 Some(parts.join(": "))
364 }
365}
366
367fn env_timeout(key: &str, default: u64) -> u64 {
368 std::env::var(key)
369 .ok()
370 .and_then(|raw| raw.parse::<u64>().ok())
371 .unwrap_or(default)
372}
373
374#[cfg(test)]
375fn file_name(path: &Path) -> String {
376 path.file_name()
377 .and_then(|name| name.to_str())
378 .unwrap_or("auth.json")
379 .to_string()
380}
381
382fn is_auth_file(target: &Path) -> bool {
383 if let Some(auth_file) = paths::resolve_auth_file()
384 && auth_file == target
385 {
386 return true;
387 }
388 false
389}
390
391#[cfg(test)]
392mod tests {
393 use super::*;
394 use pretty_assertions::assert_eq;
395
396 struct EnvVarGuard {
397 key: String,
398 previous: Option<std::ffi::OsString>,
399 }
400
401 impl EnvVarGuard {
402 fn set(key: &str, value: &str) -> Self {
403 let previous = std::env::var_os(key);
404 unsafe { std::env::set_var(key, value) };
406 Self {
407 key: key.to_string(),
408 previous,
409 }
410 }
411
412 fn remove(key: &str) -> Self {
413 let previous = std::env::var_os(key);
414 unsafe { std::env::remove_var(key) };
416 Self {
417 key: key.to_string(),
418 previous,
419 }
420 }
421 }
422
423 impl Drop for EnvVarGuard {
424 fn drop(&mut self) {
425 if let Some(previous) = self.previous.take() {
426 unsafe { std::env::set_var(&self.key, previous) };
428 } else {
429 unsafe { std::env::remove_var(&self.key) };
431 }
432 }
433 }
434
435 #[test]
436 fn auth_refresh_error_summary() {
437 let body = r#"{"error":{"code":"invalid_grant","message":"Bad token"}}"#;
438 let summary = error_summary(body).expect("summary");
439 assert_eq!(summary, "invalid_grant: Bad token");
440 }
441
442 #[test]
443 fn auth_refresh_merge_tokens() {
444 let base: Value = serde_json::from_str(r#"{"tokens":{"access_token":"old"}}"#).unwrap();
445 let refresh: Value =
446 serde_json::from_str(r#"{"access_token":"new","refresh_token":"r1"}"#).unwrap();
447 let merged = merge_tokens(&base, &refresh, "2025-01-20T00:00:00Z").unwrap();
448 let tokens = merged.get("tokens").unwrap();
449 assert_eq!(tokens.get("access_token").unwrap(), "new");
450 assert_eq!(tokens.get("refresh_token").unwrap(), "r1");
451 assert_eq!(merged.get("last_refresh").unwrap(), "2025-01-20T00:00:00Z");
452 }
453
454 #[test]
455 fn auth_refresh_resolve_target_defaults_when_no_args() {
456 let args: Vec<String> = Vec::new();
457 let target = resolve_target(&args, false).unwrap().expect("target");
458 assert!(!target.as_os_str().is_empty());
459 }
460
461 #[test]
462 fn auth_refresh_resolve_target_rejects_invalid_secret_names() {
463 for secret in ["", "a/b", "a..b", "../x"] {
464 let args = vec![secret.to_string()];
465 let target = resolve_target(&args, false).unwrap();
466 assert!(target.is_none(), "expected None for invalid secret input");
467 }
468 }
469
470 #[test]
471 fn auth_refresh_resolve_target_joins_secret_name() {
472 let secret_name = "my-secret.json";
473 let args = vec![secret_name.to_string()];
474 let target = resolve_target(&args, false).unwrap().expect("target");
475 assert!(target.ends_with(secret_name));
476 }
477
478 #[test]
479 fn auth_refresh_refresh_token_from_json_prefers_nested() {
480 let value = serde_json::json!({
481 "refresh_token": "top",
482 "tokens": { "refresh_token": "nested" }
483 });
484 let token = refresh_token_from_json(&value).expect("token");
485 assert_eq!(token, "nested");
486 }
487
488 #[test]
489 fn auth_refresh_refresh_token_from_json_falls_back_to_top_level() {
490 let value = serde_json::json!({ "refresh_token": "top" });
491 let token = refresh_token_from_json(&value).expect("token");
492 assert_eq!(token, "top");
493 }
494
495 #[test]
496 fn auth_refresh_refresh_token_from_json_none_when_missing() {
497 let value = serde_json::json!({ "tokens": { "access_token": "a1" } });
498 assert!(refresh_token_from_json(&value).is_none());
499 }
500
501 #[test]
502 fn auth_refresh_env_timeout_uses_default_when_missing_or_invalid() {
503 let key = "CODEX_TEST_ENV_TIMEOUT_SECONDS_DEFAULT";
504 let _guard = EnvVarGuard::remove(key);
505 assert_eq!(env_timeout(key, 123), 123);
506
507 let _guard = EnvVarGuard::set(key, "not-a-number");
508 assert_eq!(env_timeout(key, 456), 456);
509
510 let _guard = EnvVarGuard::set(key, "-1");
511 assert_eq!(env_timeout(key, 789), 789);
512 }
513
514 #[test]
515 fn auth_refresh_env_timeout_parses_value() {
516 let key = "CODEX_TEST_ENV_TIMEOUT_SECONDS_PARSE";
517 let _guard = EnvVarGuard::set(key, "42");
518 assert_eq!(env_timeout(key, 1), 42);
519 }
520
521 #[test]
522 fn auth_refresh_file_name_returns_basename() {
523 let path = Path::new("my-auth.json");
524 assert_eq!(file_name(path), "my-auth.json");
525 }
526
527 #[test]
528 fn auth_refresh_file_name_defaults_when_missing() {
529 let path = Path::new("");
530 assert_eq!(file_name(path), "auth.json");
531 }
532
533 #[cfg(unix)]
534 #[test]
535 fn auth_refresh_file_name_defaults_when_non_utf8() {
536 use std::ffi::OsString;
537 use std::os::unix::ffi::OsStringExt;
538
539 let path = PathBuf::from(OsString::from_vec(vec![0xFF]));
540 assert_eq!(file_name(&path), "auth.json");
541 }
542}