fix: support non-OAuth auth in login status check#71
fix: support non-OAuth auth in login status check#71sudev-chirappat wants to merge 5 commits intoopenai:mainfrom
Conversation
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: b2083a9efd
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 38a6cbed2c
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
`codex login status` only validates OAuth tokens, causing the plugin to reject users who authenticate via OPENAI_API_KEY or a custom model_provider in config.toml (Azure, Bedrock, corporate gateways). Check these auth methods before falling through to `codex login status`. Fixes openai#21 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…port) Replace grep shell-out with safeReadFile to fix Windows compatibility (grep unavailable) and handle single-quoted TOML values for model_provider. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Project config takes precedence over global config, matching Codex CLI behavior for provider resolution. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
Note on remaining auth paths: The one potentially missing edge case is |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 20599a2fb0
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
Use resolveWorkspaceRoot (git toplevel) instead of raw cwd for project-level config lookup, and permit leading whitespace in model_provider regex to handle indented TOML entries. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
sudev-chirappat
force-pushed
the
fix/custom-provider-auth
branch
from
20599a2 to
958487b
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 958487b3d7
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
Only read project-level .codex/config.toml when the workspace is marked as trusted in the global config, matching Codex CLI behavior. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 83a32d5f9d
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
|
|
||
| function isProjectTrusted(globalConfig, workspaceRoot) { | ||
| const escaped = workspaceRoot.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); | ||
| const re = new RegExp(`\\[projects\\."${escaped}"\\][\\s\\S]*?trust_level\\s*=\\s*["']?trusted`); |
There was a problem hiding this comment.
The trust check regex can cross section boundaries, so an untrusted workspace can be treated as trusted if any later [projects."..."] block in ~/.codex/config.toml has trust_level = "trusted". In isProjectTrusted, \[projects\."<path>"\][\s\S]*?trust_level... is not bounded to the current table, and getCodexLoginStatus then reads project .codex/config.toml and may report loggedIn: true for custom providers even though Codex would ignore that untrusted project config.
Useful? React with 👍 / 👎.
getCodexLoginStatus() only validates OAuth tokens via `codex login status`, causing the plugin to reject users authenticated via API key through a custom model_provider (LiteLLM, Azure, Bedrock, etc.). Add detectApiKeyAuth() fallback that reads ~/.codex/config.toml, finds the active model_provider's env_key, and checks if that environment variable is set. Falls back to checking OPENAI_API_KEY directly. Fixes #1 Upstream: openai#58 Upstream PR: openai#71 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
getCodexLoginStatus() only validates OAuth tokens via `codex login status`, causing the plugin to reject users authenticated via API key through a custom model_provider (LiteLLM, Azure, Bedrock, etc.). Add detectApiKeyAuth() fallback that reads ~/.codex/config.toml, finds the active model_provider's env_key, and checks if that environment variable is set. Falls back to checking OPENAI_API_KEY directly. Fixes #1 Upstream: openai#58 Upstream PR: openai#71 Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 participant
Summary
codex login statusonly validates OAuth tokens, causing the plugin to reject users authenticated viaOPENAI_API_KEYor a custommodel_providerinconfig.toml(Azure, Bedrock, corporate gateways, etc.)getCodexLoginStatus()before callingcodex login status:OPENAI_API_KEYenvironment variablemodel_providerin~/.codex/config.toml(detected viagrepto avoid loading secrets into memory)Fixes #21
Fixes #58
Related: #63
Test plan
OPENAI_API_KEYenv var bypasses the OAuth checkmodel_providerin config.toml (e.g. Azure, Bedrock) bypasses the OAuth checkopenaiprovider still falls through tocodex login status/codex:reviewand/codex:taskwork end-to-end with custom provider auth🤖 Generated with Claude Code