vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-03-29 02:41:07 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(ci): restore codex oauth refresh fallback

Browse Source
This commit is contained in:
Peter Steinberger
2026-03-27 04:06:20 +00:00
parent b99b16d71e
commit 490b2f881c
5 changed files with 84 additions and 54 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
extensions/openai/openai-codex-provider.runtime.ts
View File

@@ -1,4 +1,7 @@
import { getOAuthApiKey as getOAuthApiKeyFromPi } from "@mariozechner/pi-ai/oauth";
import {
getOAuthApiKey as getOAuthApiKeyFromPi,
refreshOpenAICodexToken as refreshOpenAICodexTokenFromPi,
} from "@mariozechner/pi-ai/oauth";
import { ensureGlobalUndiciEnvProxyDispatcher } from "openclaw/plugin-sdk/infra-runtime";
export async function getOAuthApiKey(
@@ -7,3 +10,10 @@ export async function getOAuthApiKey(
ensureGlobalUndiciEnvProxyDispatcher();
return await getOAuthApiKeyFromPi(...args);
}
export async function refreshOpenAICodexToken(
...args: Parameters<typeof refreshOpenAICodexTokenFromPi>
): Promise<Awaited<ReturnType<typeof refreshOpenAICodexTokenFromPi>>> {
ensureGlobalUndiciEnvProxyDispatcher();
return await refreshOpenAICodexTokenFromPi(...args);
}

11
extensions/openai/openai-codex-provider.ts
View File

@@ -139,16 +139,11 @@ function resolveCodexForwardCompatModel(
async function refreshOpenAICodexOAuthCredential(cred: OAuthCredential) {
try {
const { getOAuthApiKey } = await import("./openai-codex-provider.runtime.js");
const refreshed = await getOAuthApiKey("openai-codex", {
"openai-codex": cred,
});
if (!refreshed) {
throw new Error("OpenAI Codex OAuth refresh returned no credentials.");
}
const { refreshOpenAICodexToken } = await import("./openai-codex-provider.runtime.js");
const refreshed = await refreshOpenAICodexToken(cred.refresh);
return {
...cred,
...refreshed.newCredentials,
...refreshed,
type: "oauth" as const,
provider: PROVIDER_ID,
email: cred.email,

8
extensions/openai/openai-provider.test.ts
View File

@@ -3,10 +3,10 @@ import { describe, expect, it, vi } from "vitest";
import { buildOpenAICodexProviderPlugin } from "./openai-codex-provider.js";
import { buildOpenAIProvider } from "./openai-provider.js";
const getCodexOAuthApiKeyMock = vi.hoisted(() => vi.fn());
const refreshOpenAICodexTokenMock = vi.hoisted(() => vi.fn());
vi.mock("./openai-codex-provider.runtime.js", () => ({
getOAuthApiKey: getCodexOAuthApiKeyMock,
refreshOpenAICodexToken: refreshOpenAICodexTokenMock,
}));
const OPENAI_API_KEY = process.env.OPENAI_API_KEY ?? "";
@@ -239,8 +239,8 @@ describe("buildOpenAIProvider", () => {
expires: Date.now() - 60_000,
};
getCodexOAuthApiKeyMock.mockReset();
getCodexOAuthApiKeyMock.mockRejectedValueOnce(
refreshOpenAICodexTokenMock.mockReset();
refreshOpenAICodexTokenMock.mockRejectedValueOnce(
new Error("Failed to extract accountId from token"),
);

3
src/config/config-misc.test.ts
View File

@@ -476,8 +476,7 @@ describe("config strict validation", () => {
it("flags legacy config entries without auto-migrating", async () => {
await withTempHome(async (home) => {
await writeOpenClawConfig(home, {
agents: { list: [{ id: "pi" }] },
routing: { allowFrom: ["+15555550123"] },
memorySearch: { provider: "local", fallback: "none" },
});
const snap = await readConfigFileSnapshot();

104
src/plugins/contracts/runtime.contract.test.ts
View File

@@ -9,6 +9,7 @@ import { requireProviderContractProvider as requireBundledProviderContractProvid
const CONTRACT_SETUP_TIMEOUT_MS = 300_000;
const getOAuthApiKeyMock = vi.hoisted(() => vi.fn());
const refreshOpenAICodexTokenMock = vi.hoisted(() => vi.fn());
const getOAuthProvidersMock = vi.hoisted(() =>
vi.fn(() => [
{ id: "anthropic", envApiKey: "ANTHROPIC_API_KEY", oauthTokenEnv: "ANTHROPIC_OAUTH_TOKEN" }, // pragma: allowlist secret
@@ -25,11 +26,12 @@ vi.mock("@mariozechner/pi-ai/oauth", async () => {
...actual,
getOAuthApiKey: getOAuthApiKeyMock,
getOAuthProviders: getOAuthProvidersMock,
refreshOpenAICodexToken: refreshOpenAICodexTokenMock,
};
});
vi.mock("../../../extensions/openai/src/openai-codex-provider.runtime.js", () => ({
getOAuthApiKey: getOAuthApiKeyMock,
vi.mock("../../../extensions/openai/openai-codex-provider.runtime.js", () => ({
refreshOpenAICodexToken: refreshOpenAICodexTokenMock,
}));
function createModel(overrides: Partial<ProviderRuntimeModel> & Pick<ProviderRuntimeModel, "id">) {
@@ -55,34 +57,39 @@ describe("provider runtime contract", () => {
beforeEach(() => {
getOAuthApiKeyMock.mockReset();
getOAuthProvidersMock.mockClear();
refreshOpenAICodexTokenMock.mockReset();
}, CONTRACT_SETUP_TIMEOUT_MS);
describe("anthropic", () => {
it("owns anthropic 4.6 forward-compat resolution", () => {
const provider = requireProviderContractProvider("anthropic");
const model = provider.resolveDynamicModel?.({
provider: "anthropic",
modelId: "claude-sonnet-4.6-20260219",
modelRegistry: {
find: (_provider: string, id: string) =>
id === "claude-sonnet-4.5-20260219"
? createModel({
id: id,
api: "anthropic-messages",
provider: "anthropic",
baseUrl: "https://api.anthropic.com",
})
: null,
} as never,
});
it(
"owns anthropic 4.6 forward-compat resolution",
() => {
const provider = requireProviderContractProvider("anthropic");
const model = provider.resolveDynamicModel?.({
provider: "anthropic",
modelId: "claude-sonnet-4.6-20260219",
modelRegistry: {
find: (_provider: string, id: string) =>
id === "claude-sonnet-4.5-20260219"
? createModel({
id: id,
api: "anthropic-messages",
provider: "anthropic",
baseUrl: "https://api.anthropic.com",
})
: null,
} as never,
});
expect(model).toMatchObject({
id: "claude-sonnet-4.6-20260219",
provider: "anthropic",
api: "anthropic-messages",
baseUrl: "https://api.anthropic.com",
});
});
expect(model).toMatchObject({
id: "claude-sonnet-4.6-20260219",
provider: "anthropic",
api: "anthropic-messages",
baseUrl: "https://api.anthropic.com",
});
},
CONTRACT_SETUP_TIMEOUT_MS,
);
it("owns usage auth resolution", async () => {
const provider = requireProviderContractProvider("anthropic");
@@ -519,21 +526,40 @@ describe("provider runtime contract", () => {
});
describe("openai-codex", () => {
it("owns refresh fallback for accountId extraction failures", async () => {
const provider = requireProviderContractProvider("openai-codex");
const credential = {
type: "oauth" as const,
provider: "openai-codex",
access: "cached-access-token",
refresh: "refresh-token",
expires: Date.now() - 60_000,
};
it(
"owns refresh fallback for accountId extraction failures",
async () => {
const provider = requireProviderContractProvider("openai-codex");
const credential = {
type: "oauth" as const,
provider: "openai-codex",
access: "cached-access-token",
refresh: "refresh-token",
expires: Date.now() - 60_000,
};
getOAuthApiKeyMock.mockReset();
getOAuthApiKeyMock.mockRejectedValueOnce(new Error("Failed to extract accountId from token"));
const header = Buffer.from(JSON.stringify({ alg: "HS256", typ: "JWT" })).toString(
"base64url",
);
const payload = Buffer.from(JSON.stringify({})).toString("base64url");
const accessTokenWithoutAccountId = `${header}.${payload}.sig`;
const originalFetch = globalThis.fetch;
globalThis.fetch = vi.fn(async () =>
makeResponse(200, {
access_token: accessTokenWithoutAccountId,
refresh_token: "refreshed-refresh-token",
expires_in: 3600,
}),
) as typeof fetch;
await expect(provider.refreshOAuth?.(credential)).resolves.toEqual(credential);
});
try {
await expect(provider.refreshOAuth?.(credential)).resolves.toEqual(credential);
} finally {
globalThis.fetch = originalFetch;
}
},
CONTRACT_SETUP_TIMEOUT_MS,
);
it("owns forward-compat codex models", () => {
const provider = requireProviderContractProvider("openai-codex");