Get chatgpt oauth working

Author: jahooma

cli/src/components/chatgpt-connect-banner.tsx

@@ -5,10 +5,11 @@ import { Button } from './button'
 import { useTheme } from '../hooks/use-theme'
 import { useChatStore } from '../state/chat-store'
 import {
+  connectChatGptOAuth,
   disconnectChatGptOAuth,
   exchangeChatGptCodeForTokens,
   getChatGptOAuthStatus,
-  openChatGptOAuthInBrowser,
+  stopChatGptOAuthServer,
 } from '../utils/chatgpt-oauth'
 
 type FlowState =
@@ -32,20 +33,30 @@ export const ChatGptConnectBanner = () => {
     }
 
     setFlowState('waiting-for-code')
-    openChatGptOAuthInBrowser().catch((err) => {
-      setError(err instanceof Error ? err.message : 'Failed to open browser')
-      setFlowState('error')
-    })
+    connectChatGptOAuth()
+      .then(() => {
+        setFlowState('connected')
+      })
+      .catch((err) => {
+        setError(err instanceof Error ? err.message : 'Failed to connect')
+        setFlowState('error')
+      })
+
+    return () => {
+      stopChatGptOAuthServer()
+    }
   }, [])
 
   const handleConnect = async () => {
-    try {
-      setFlowState('waiting-for-code')
-      await openChatGptOAuthInBrowser()
-    } catch (err) {
-      setError(err instanceof Error ? err.message : 'Failed to open browser')
-      setFlowState('error')
-    }
+    setFlowState('waiting-for-code')
+    connectChatGptOAuth()
+      .then(() => {
+        setFlowState('connected')
+      })
+      .catch((err) => {
+        setError(err instanceof Error ? err.message : 'Failed to connect')
+        setFlowState('error')
+      })
   }
 
   const handleDisconnect = () => {
@@ -96,7 +107,8 @@ export const ChatGptConnectBanner = () => {
         <box style={{ flexDirection: 'column', gap: 0 }}>
           <text style={{ fg: theme.info }}>Waiting for ChatGPT authorization</text>
           <text style={{ fg: theme.muted, marginTop: 1 }}>
-            Complete sign-in in your browser, then paste the auth code or callback URL here.
+            Complete sign-in in your browser — it should connect automatically.
+            If not, paste the callback URL here.
           </text>
         </box>
       </BottomBanner>
@@ -121,6 +133,7 @@ export async function handleChatGptAuthCode(code: string): Promise<{
 }> {
   try {
     await exchangeChatGptCodeForTokens(code)
+    stopChatGptOAuthServer()
     return {
       success: true,
       message:

cli/src/utils/chatgpt-oauth.ts

@@ -4,6 +4,7 @@
  */
 
 import crypto from 'crypto'
+import http from 'http'
 
 import {
   CHATGPT_OAUTH_AUTHORIZE_URL,
@@ -95,14 +96,136 @@ export function startChatGptOAuthFlow(): { codeVerifier: string; authUrl: string
   authUrl.searchParams.set('code_challenge_method', 'S256')
   authUrl.searchParams.set('state', state)
   authUrl.searchParams.set('scope', 'openid profile email offline_access')
+  authUrl.searchParams.set('id_token_add_organizations', 'true')
+  authUrl.searchParams.set('codex_cli_simplified_flow', 'true')
+  authUrl.searchParams.set('originator', 'codex_cli_rs')
 
   return { codeVerifier, authUrl: authUrl.toString() }
 }
 
-export async function openChatGptOAuthInBrowser(): Promise<string> {
-  const { authUrl, codeVerifier } = startChatGptOAuthFlow()
-  await open(authUrl)
-  return codeVerifier
+const CALLBACK_SERVER_TIMEOUT_MS = 5 * 60 * 1000
+
+let callbackServer: http.Server | null = null
+
+export function stopChatGptOAuthServer(): void {
+  if (callbackServer) {
+    try { callbackServer.close() } catch { /* ignore */ }
+    callbackServer = null
+  }
+  pendingCodeVerifier = null
+  pendingState = null
+}
+
+function escapeHtml(s: string): string {
+  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;').replace(/'/g, '&#39;')
+}
+
+function callbackPageHtml(success: boolean, errorMessage?: string): string {
+  const title = success ? 'Connected — Codebuff' : 'Connection Failed — Codebuff'
+  const heading = success ? '✓ Connected to ChatGPT' : 'Connection Failed'
+  const headingColor = success ? '#4ade80' : '#f87171'
+  const body = success
+    ? 'You can close this tab and return to Codebuff.'
+    : `${escapeHtml(errorMessage ?? 'Unknown error')}. Return to Codebuff and try /connect:chatgpt again.`
+  return `<!DOCTYPE html>
+<html><head><meta charset="utf-8"><title>${title}</title></head>
+<body style="font-family:system-ui,sans-serif;display:flex;justify-content:center;align-items:center;min-height:100vh;margin:0;background:#0a0a0a;color:#e5e5e5">
+<div style="text-align:center;padding:2rem">
+<h1 style="color:${headingColor};margin-bottom:0.5rem">${heading}</h1>
+<p style="color:#a3a3a3">${body}</p>
+</div></body></html>`
+}
+
+function startCallbackServer(codeVerifier: string): Promise<ChatGptOAuthCredentials> {
+  const redirectUrl = new URL(CHATGPT_OAUTH_REDIRECT_URI)
+  const port = parseInt(redirectUrl.port, 10)
+  const callbackPath = redirectUrl.pathname
+
+  return new Promise<ChatGptOAuthCredentials>((resolve, reject) => {
+    const timeout = setTimeout(() => {
+      stopChatGptOAuthServer()
+      reject(new Error('Timeout waiting for ChatGPT authorization'))
+    }, CALLBACK_SERVER_TIMEOUT_MS)
+
+    const server = http.createServer(async (req, res) => {
+      const reqUrl = new URL(req.url ?? '/', `http://127.0.0.1:${port}`)
+
+      if (reqUrl.pathname !== callbackPath) {
+        res.writeHead(404, { 'Content-Type': 'text/plain' })
+        res.end('Not found')
+        return
+      }
+
+      const code = reqUrl.searchParams.get('code')
+      if (!code) {
+        res.writeHead(400, { 'Content-Type': 'text/html' })
+        res.end(callbackPageHtml(false, 'No authorization code received.'))
+        clearTimeout(timeout)
+        stopChatGptOAuthServer()
+        reject(new Error('No authorization code in callback'))
+        return
+      }
+
+      const state = reqUrl.searchParams.get('state')
+      if (pendingState && (!state || state !== pendingState)) {
+        res.writeHead(400, { 'Content-Type': 'text/html' })
+        res.end(callbackPageHtml(false, 'OAuth state mismatch. Please try again.'))
+        clearTimeout(timeout)
+        stopChatGptOAuthServer()
+        reject(new Error('OAuth state mismatch in callback'))
+        return
+      }
+
+      try {
+        const fullCallbackUrl = `${CHATGPT_OAUTH_REDIRECT_URI}${reqUrl.search}`
+        const credentials = await exchangeChatGptCodeForTokens(fullCallbackUrl, codeVerifier)
+
+        res.writeHead(200, { 'Content-Type': 'text/html' })
+        res.end(callbackPageHtml(true))
+
+        clearTimeout(timeout)
+        stopChatGptOAuthServer()
+        resolve(credentials)
+      } catch (err) {
+        const message = err instanceof Error ? err.message : 'Token exchange failed'
+        res.writeHead(500, { 'Content-Type': 'text/html' })
+        res.end(callbackPageHtml(false, message))
+
+        clearTimeout(timeout)
+        stopChatGptOAuthServer()
+        reject(err instanceof Error ? err : new Error(message))
+      }
+    })
+
+    server.on('error', (err) => {
+      clearTimeout(timeout)
+      callbackServer = null
+      reject(err)
+    })
+
+    server.listen(port, '127.0.0.1', () => {
+      callbackServer = server
+    })
+  })
+}
+
+export function connectChatGptOAuth(): {
+  authUrl: string
+  credentials: Promise<ChatGptOAuthCredentials>
+} {
+  stopChatGptOAuthServer()
+
+  const { codeVerifier, authUrl } = startChatGptOAuthFlow()
+  const credentials = startCallbackServer(codeVerifier)
+
+  open(authUrl).catch(() => {
+    console.debug(
+      'Failed to open browser for ChatGPT OAuth. Manual URL:',
+      authUrl,
+    )
+  })
+
+  return { authUrl, credentials }
 }
 
 function parseAuthCodeInput(input: string): { code: string; state?: string } {
@@ -177,6 +300,7 @@ export async function exchangeChatGptCodeForTokens(
 }
 
 export function disconnectChatGptOAuth(): void {
+  stopChatGptOAuthServer()
   clearChatGptOAuthCredentials()
   resetChatGptOAuthRateLimit()
 }

common/src/constants/chatgpt-oauth.ts

@@ -18,8 +18,8 @@ export const CHATGPT_OAUTH_TOKEN_URL = 'https://auth.openai.com/oauth/token'
 /** Pinned redirect URI for paste-based localhost callback flow. */
 export const CHATGPT_OAUTH_REDIRECT_URI = 'http://localhost:1455/auth/callback'
 
-/** Base URL for direct OpenAI API calls. */
-export const OPENAI_API_BASE_URL = 'https://api.openai.com'
+/** Base URL for ChatGPT backend API (Codex endpoint). */
+export const CHATGPT_BACKEND_BASE_URL = 'https://chatgpt.com/backend-api'
 
 /** Environment variable for OAuth token override. */
 export const CHATGPT_OAUTH_TOKEN_ENV_VAR = 'CODEBUFF_CHATGPT_OAUTH_TOKEN'

sdk/src/__tests__/credentials.test.ts

@@ -527,7 +527,7 @@ describe('credentials', () => {
       }
     })
 
-    test('clears credentials and returns null on refresh failure', async () => {
+    test('preserves credentials and returns null on refresh failure', async () => {
       const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'refresh-fail-test-'))
       const env = { NEXT_PUBLIC_CB_ENVIRONMENT: 'test' } as any
       const originalHomedir = os.homedir
@@ -558,9 +558,10 @@ describe('credentials', () => {
         const result = await refreshClaudeOAuthToken(env)
 
         expect(result).toBeNull()
-        // Credentials should be cleared
+        // Credentials should be preserved (not cleared) so future retries can attempt refresh again
         const saved = JSON.parse(fs.readFileSync(path.join(configDir, 'credentials.json'), 'utf8'))
-        expect(saved.claudeOAuth).toBeUndefined()
+        expect(saved.claudeOAuth).toBeDefined()
+        expect(saved.claudeOAuth.refreshToken).toBe('invalid-refresh')
       } finally {
         ;(os as any).homedir = originalHomedir
         fs.rmSync(tmpDir, { recursive: true })

sdk/src/credentials.ts

@@ -255,8 +255,7 @@ export const refreshClaudeOAuthToken = async (
       )
 
       if (!response.ok) {
-        // Refresh failed, clear credentials
-        clearClaudeOAuthCredentials(clientEnv)
+        console.debug(`Claude OAuth token refresh failed (status ${response.status})`)
         return null
       }
 
@@ -273,9 +272,8 @@ export const refreshClaudeOAuthToken = async (
       saveClaudeOAuthCredentials(newCredentials, clientEnv)
 
       return newCredentials
-    } catch {
-      // Refresh failed, clear credentials
-      clearClaudeOAuthCredentials(clientEnv)
+    } catch (error) {
+      console.debug('Claude OAuth token refresh failed:', error instanceof Error ? error.message : String(error))
       return null
     } finally {
       // Clear the mutex after completion
@@ -434,7 +432,7 @@ export const refreshChatGptOAuthToken = async (
       })
 
       if (!response.ok) {
-        clearChatGptOAuthCredentials(clientEnv)
+        console.debug(`ChatGPT OAuth token refresh failed (status ${response.status})`)
         return null
       }
 
@@ -444,7 +442,7 @@ export const refreshChatGptOAuthToken = async (
         typeof data?.access_token !== 'string' ||
         data.access_token.trim().length === 0
       ) {
-        clearChatGptOAuthCredentials(clientEnv)
+        console.debug('ChatGPT OAuth token refresh returned empty access token')
         return null
       }
 
@@ -461,8 +459,8 @@ export const refreshChatGptOAuthToken = async (
       saveChatGptOAuthCredentials(newCredentials, clientEnv)
 
       return newCredentials
-    } catch {
-      clearChatGptOAuthCredentials(clientEnv)
+    } catch (error) {
+      console.debug('ChatGPT OAuth token refresh failed:', error instanceof Error ? error.message : String(error))
       return null
     } finally {
       chatGptRefreshPromise = null