mirror of
https://github.com/openclaw/openclaw.git
synced 2026-05-05 05:20:22 +00:00
refactor(auth): remove codex cli parsing from core store
This commit is contained in:
Peter Steinberger
@@ -1,15 +1,11 @@
|
||||
import fs from "node:fs";
|
||||
import path from "node:path";
|
||||
import { withFileLock } from "../../infra/file-lock.js";
|
||||
import { loadJsonFile, saveJsonFile } from "../../infra/json-file.js";
|
||||
import { resolveUserPath } from "../../utils.js";
|
||||
import { saveJsonFile } from "../../infra/json-file.js";
|
||||
import {
|
||||
AUTH_STORE_LOCK_OPTIONS,
|
||||
AUTH_STORE_VERSION,
|
||||
EXTERNAL_CLI_SYNC_TTL_MS,
|
||||
LEGACY_AUTH_FILENAME,
|
||||
log,
|
||||
OPENAI_CODEX_DEFAULT_PROFILE_ID,
|
||||
} from "./constants.js";
|
||||
import { overlayExternalAuthProfiles, shouldPersistExternalAuthProfile } from "./external-auth.js";
|
||||
import { syncExternalCliCredentials } from "./external-cli-sync.js";
|
||||
@@ -169,61 +165,6 @@ export async function updateAuthProfileStoreWithLock(params: {
|
||||
}
|
||||
}
|
||||
|
||||
type CodexCliAuthFile = {
|
||||
auth_mode?: unknown;
|
||||
tokens?: {
|
||||
access_token?: unknown;
|
||||
refresh_token?: unknown;
|
||||
account_id?: unknown;
|
||||
};
|
||||
};
|
||||
|
||||
function resolveCodexCliAuthPath(env: NodeJS.ProcessEnv = process.env): string | undefined {
|
||||
const rawHome = env.CODEX_HOME?.trim();
|
||||
if (!rawHome) {
|
||||
return undefined;
|
||||
}
|
||||
return path.join(resolveUserPath(rawHome, env), LEGACY_AUTH_FILENAME);
|
||||
}
|
||||
|
||||
// Mirror Codex CLI ChatGPT OAuth into the runtime auth view without persisting
|
||||
// copied tokens into auth-profiles.json.
|
||||
function mergeCodexCliAuthFileIntoStore(
|
||||
store: AuthProfileStore,
|
||||
env: NodeJS.ProcessEnv = process.env,
|
||||
): boolean {
|
||||
if (store.profiles[OPENAI_CODEX_DEFAULT_PROFILE_ID]) {
|
||||
return false;
|
||||
}
|
||||
const authPath = resolveCodexCliAuthPath(env);
|
||||
if (!authPath) {
|
||||
return false;
|
||||
}
|
||||
const raw = loadJsonFile(authPath) as CodexCliAuthFile | null;
|
||||
if (!raw || raw.auth_mode !== "chatgpt") {
|
||||
return false;
|
||||
}
|
||||
const access =
|
||||
typeof raw.tokens?.access_token === "string" ? raw.tokens.access_token.trim() : undefined;
|
||||
const refresh =
|
||||
typeof raw.tokens?.refresh_token === "string" ? raw.tokens.refresh_token.trim() : undefined;
|
||||
const accountId =
|
||||
typeof raw.tokens?.account_id === "string" ? raw.tokens.account_id.trim() : undefined;
|
||||
if (!access || !refresh) {
|
||||
return false;
|
||||
}
|
||||
store.profiles[OPENAI_CODEX_DEFAULT_PROFILE_ID] = {
|
||||
type: "oauth",
|
||||
provider: "openai-codex",
|
||||
access,
|
||||
refresh,
|
||||
expires: 0,
|
||||
...(accountId ? { accountId } : {}),
|
||||
managedBy: "codex-cli",
|
||||
};
|
||||
return true;
|
||||
}
|
||||
|
||||
function shouldLogAuthStoreTiming(): boolean {
|
||||
return process.env.OPENCLAW_DEBUG_INGRESS_TIMING === "1";
|
||||
}
|
||||
@@ -248,7 +189,6 @@ export function loadAuthProfileStore(): AuthProfileStore {
|
||||
if (asStore) {
|
||||
// Sync from external CLI tools on every load.
|
||||
syncExternalCliCredentialsTimed(asStore);
|
||||
mergeCodexCliAuthFileIntoStore(asStore);
|
||||
return overlayExternalAuthProfiles(asStore);
|
||||
}
|
||||
const legacy = loadLegacyAuthProfileStore();
|
||||
@@ -259,13 +199,11 @@ export function loadAuthProfileStore(): AuthProfileStore {
|
||||
};
|
||||
applyLegacyAuthStore(store, legacy);
|
||||
syncExternalCliCredentialsTimed(store);
|
||||
mergeCodexCliAuthFileIntoStore(store);
|
||||
return overlayExternalAuthProfiles(store);
|
||||
}
|
||||
|
||||
const store: AuthProfileStore = { version: AUTH_STORE_VERSION, profiles: {} };
|
||||
syncExternalCliCredentialsTimed(store);
|
||||
mergeCodexCliAuthFileIntoStore(store);
|
||||
return overlayExternalAuthProfiles(store);
|
||||
}
|
||||
|
||||
@@ -285,7 +223,6 @@ function loadAuthProfileStoreForAgent(
|
||||
stateMtimeMs,
|
||||
});
|
||||
if (cached) {
|
||||
mergeCodexCliAuthFileIntoStore(cached);
|
||||
return cached;
|
||||
}
|
||||
}
|
||||
@@ -294,7 +231,6 @@ function loadAuthProfileStoreForAgent(
|
||||
// Runtime secret activation must remain read-only:
|
||||
// sync external CLI credentials in-memory, but never persist while readOnly.
|
||||
syncExternalCliCredentialsTimed(asStore, { log: !readOnly });
|
||||
mergeCodexCliAuthFileIntoStore(asStore);
|
||||
if (!readOnly) {
|
||||
writeCachedAuthProfileStore({
|
||||
authPath,
|
||||
@@ -336,7 +272,6 @@ function loadAuthProfileStoreForAgent(
|
||||
const mergedOAuth = mergeOAuthFileIntoStore(store);
|
||||
// Keep external CLI credentials visible in runtime even during read-only loads.
|
||||
syncExternalCliCredentialsTimed(store, { log: !readOnly });
|
||||
mergeCodexCliAuthFileIntoStore(store);
|
||||
const forceReadOnly = process.env.OPENCLAW_AUTH_STORE_READONLY === "1";
|
||||
const shouldWrite = !readOnly && !forceReadOnly && (legacy !== null || mergedOAuth);
|
||||
if (shouldWrite) {
|
||||
@@ -433,7 +368,6 @@ export function saveAuthProfileStore(store: AuthProfileStore, agentDir?: string)
|
||||
savePersistedAuthProfileState(store, agentDir);
|
||||
const runtimeStore = cloneAuthProfileStore(store);
|
||||
syncExternalCliCredentialsTimed(runtimeStore, { log: false });
|
||||
mergeCodexCliAuthFileIntoStore(runtimeStore);
|
||||
writeCachedAuthProfileStore({
|
||||
authPath,
|
||||
authMtimeMs: readAuthStoreMtimeMs(authPath),
|
||||
|
||||
Reference in New Issue
Block a user