Merged
30 changes: 11 additions & 19 deletions daemon/codex_ratelimit.go
Expand Up @@ -57,19 +57,16 @@ type codexAuthData struct {

// codexAuthJSON maps the full ~/.codex/auth.json structure
type codexAuthJSON struct {
AuthMode string `json:"authMode"`
APIKey *string `json:"apiKey"`
TokenData *codexAuthTokenData `json:"tokenData"`
OpenAIAPIKey *string `json:"OPENAI_API_KEY"`
Tokens *codexTokenData `json:"tokens"`
LastRefresh string `json:"last_refresh"`
Contributor

medium

The LastRefresh field is currently unused and its string type is a potential point of failure if the JSON value is a number (e.g., a Unix timestamp), which is common for such fields. Similarly, IDToken and RefreshToken in codexTokenData are unused. It is generally safer to omit unused fields to make the parsing more robust against format changes or unexpected types.

}

type codexAuthTokenData struct {
AccessToken string `json:"accessToken"`
RefreshToken string `json:"refreshToken"`
IDTokenClaims *codexIDTokenClaims `json:"idTokenClaims"`
}

type codexIDTokenClaims struct {
AccountID string `json:"accountId"`
type codexTokenData struct {
IDToken string `json:"id_token"`
AccessToken string `json:"access_token"`
RefreshToken string `json:"refresh_token"`
AccountID string `json:"account_id"`
}

func codexConfigDirPath() (string, error) {
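Review bot: codexTokenData decodes id_token and refresh_token, and codexAuthJSON decodes OPENAI_API_KEY, yet the only fields read from these structs in the lines shown are AccessToken and AccountID. A refresh token generally outlives the access token, so a rate-limit reader is better off not holding it in process memory at all; dropping IDToken, RefreshToken and (unless a later change uses it) OpenAIAPIKey keeps the daemon to the minimum it needs. The doc comment above codexAuthJSON still says it maps the "full" ~/.codex/auth.json structure and would need rewording to match.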
Expand Down Expand Up @@ -153,18 +150,13 @@ func loadCodexAuth() (*codexAuthData, error) {
return nil, fmt.Errorf("failed to parse codex auth JSON: %w", err)
}

if auth.TokenData == nil || auth.TokenData.AccessToken == "" {
if auth.Tokens == nil || auth.Tokens.AccessToken == "" {
return nil, errCodexAuthInvalid
}

accountID := ""
if auth.TokenData.IDTokenClaims != nil {
accountID = auth.TokenData.IDTokenClaims.AccountID
}

return &codexAuthData{
AccessToken: auth.TokenData.AccessToken,
AccountID: accountID,
AccessToken: auth.Tokens.AccessToken,
AccountID: auth.Tokens.AccountID,
}, nil
Comment on lines +153 to 160
Contributor

medium

The current implementation returns errCodexAuthInvalid if tokens is missing, even if a valid OPENAI_API_KEY is present. Since the OpenAIAPIKey field was added to the struct, you can improve robustness by falling back to it when tokens are unavailable. This ensures the daemon works correctly regardless of whether the user authenticated via the web flow or an API key.

	if auth.Tokens != nil && auth.Tokens.AccessToken != "" {
		return &codexAuthData{
			AccessToken: auth.Tokens.AccessToken,
			AccountID:   auth.Tokens.AccountID,
		}, nil
	}

	if auth.OpenAIAPIKey != nil && *auth.OpenAIAPIKey != "" {
		return &codexAuthData{
			AccessToken: *auth.OpenAIAPIKey,
			AccountID:   "",
		}, nil
	}

	return nil, errCodexAuthInvalid

}
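Review bot: the check on auth.Tokens returns errCodexAuthInvalid for every failure, and this patch also renames the expected keys (tokenData/accessToken become tokens/access_token), so an auth.json still in the previous shape decodes without error, leaves Tokens nil, and is reported exactly like a missing login. Consider a distinct error or log line for "parsed, but no tokens object" so the cause is visible, taking care that the message never includes the token value. AccountID is also copied through unchecked; if an empty account_id is not acceptable downstream, reject it here.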
