fix(oauth): fall back to system proxy when OAuth session has no proxy_url

[DeliciousBuding]

Summary

• When adding accounts via OAuth flow, if no proxy_url is provided in either the generate-auth-url step or the exchange-code step, the request to auth.openai.com goes direct — which fails from geo-restricted regions with 403, wrapped by codex2api as 502.
• This PR adds a fallback to h.store.GetProxyURL() (the system default proxy) in both ExchangeOAuthCode and OAuthCallback handlers.

Root cause

The exchange-code endpoint in admin/oauth.go uses sess.ProxyURL (set during generate-auth-url) merged with req.ProxyURL (from the request body). When both are empty, auth.BuildHTTPClient("") creates a direct HTTP client with no proxy, and the call to https://auth.openai.com/oauth/token fails from regions where OpenAI blocks direct access.

Fix

Three lines added across two handlers:

1. ExchangeOAuthCode: after merging session + request proxy_url, if still empty, load h.store.GetProxyURL()
2. OAuthCallback: same fallback, and unified all sess.ProxyURL references to use the resolved proxyURL variable

Verification

• Before fix: exchange-code returns 502 in under 70ms with an HTML error body (direct call → geo-blocked → 403)
• After fix: exchange-code returns a proper JSON error with upstream response body, confirming the proxy is used for the OAuth token exchange

Tested on

• codex2api v2.1.5 (SQLite deployment) behind a proxy pool in a geo-restricted region

🤖 Generated with Claude Code

[coderabbitai]

📝 Walkthrough

Walkthrough

The OAuth handler (admin/oauth.go) now derives effective proxy URLs more reliably in both manual and callback-driven OAuth flows. ExchangeOAuthCode and OAuthCallback both fall back to the store's configured proxy URL when no proxy URL is available in the request or session, ensuring consistent proxy resolution throughout account creation.

Changes

Proxy URL fallback reliability

Layer / File(s)	Summary
Manual exchange proxy URL fallback admin/oauth.go	ExchangeOAuthCode adds a fallback so that when proxyURL is empty, it is set from h.store.GetProxyURL() before OAuth code exchange and account insertion.
OAuth callback proxy URL resolution and application admin/oauth.go	OAuthCallback resolves a local proxyURL from sess.ProxyURL with fallback to h.store.GetProxyURL(), and uses this resolved value consistently when calling doOAuthCodeExchange, inserting the account into the database, and building the final account credential result.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A proxy URL now finds its way,
When sessions sleep or fall away,
The store stands guard, a trusty friend,
Ensuring requests reach their end! 🌐

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and accurately describes the main change: adding a fallback to system proxy in OAuth flow when session lacks proxy_url.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.