llmx-rs/core/src/token_data.rs

use base64::Engine;
use serde::Deserialize;
use serde::Serialize;
use thiserror::Error;

#[derive(Deserialize, Serialize, Clone, Debug, PartialEq, Default)]
pub struct TokenData {
    /// Flat info parsed from the JWT in auth.json.
    #[serde(
        deserialize_with = "deserialize_id_token",
        serialize_with = "serialize_id_token"
    )]
    pub id_token: IdTokenInfo,

    /// This is a JWT.
    pub access_token: String,

    pub refresh_token: String,

    pub account_id: Option<String>,
}

/// Flat subset of useful claims in id_token from auth.json.
#[derive(Debug, Clone, PartialEq, Eq, Default, Serialize, Deserialize)]
pub struct IdTokenInfo {
    pub email: Option<String>,
    /// The ChatGPT subscription plan type
    /// (e.g., "free", "plus", "pro", "business", "enterprise", "edu").
    /// (Note: values may vary by backend.)
    pub(crate) chatgpt_plan_type: Option<PlanType>,
    /// Organization/workspace identifier associated with the token, if present.
    pub chatgpt_account_id: Option<String>,
    pub raw_jwt: String,
}

impl IdTokenInfo {
    pub fn get_chatgpt_plan_type(&self) -> Option<String> {
        self.chatgpt_plan_type.as_ref().map(|t| match t {
            PlanType::Known(plan) => format!("{plan:?}"),
            PlanType::Unknown(s) => s.clone(),
        })
    }
}

#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
#[serde(untagged)]
pub(crate) enum PlanType {
    Known(KnownPlan),
    Unknown(String),
}

#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "lowercase")]
pub(crate) enum KnownPlan {
    Free,
    Plus,
    Pro,
    Team,
    Business,
    Enterprise,
    Edu,
}

#[derive(Deserialize)]
struct IdClaims {
    #[serde(default)]
    email: Option<String>,
    #[serde(rename = "https://api.openai.com/auth", default)]
    auth: Option<AuthClaims>,
}

#[derive(Deserialize)]
struct AuthClaims {
    #[serde(default)]
    chatgpt_plan_type: Option<PlanType>,
    #[serde(default)]
    chatgpt_account_id: Option<String>,
}

#[derive(Debug, Error)]
pub enum IdTokenInfoError {
    #[error("invalid ID token format")]
    InvalidFormat,
    #[error(transparent)]
    Base64(#[from] base64::DecodeError),
    #[error(transparent)]
    Json(#[from] serde_json::Error),
}

pub fn parse_id_token(id_token: &str) -> Result<IdTokenInfo, IdTokenInfoError> {
    // JWT format: header.payload.signature
    let mut parts = id_token.split('.');
    let (_header_b64, payload_b64, _sig_b64) = match (parts.next(), parts.next(), parts.next()) {
        (Some(h), Some(p), Some(s)) if !h.is_empty() && !p.is_empty() && !s.is_empty() => (h, p, s),
        _ => return Err(IdTokenInfoError::InvalidFormat),
    };

    let payload_bytes = base64::engine::general_purpose::URL_SAFE_NO_PAD.decode(payload_b64)?;
    let claims: IdClaims = serde_json::from_slice(&payload_bytes)?;

    match claims.auth {
        Some(auth) => Ok(IdTokenInfo {
            email: claims.email,
            raw_jwt: id_token.to_string(),
            chatgpt_plan_type: auth.chatgpt_plan_type,
            chatgpt_account_id: auth.chatgpt_account_id,
        }),
        None => Ok(IdTokenInfo {
            email: claims.email,
            raw_jwt: id_token.to_string(),
            chatgpt_plan_type: None,
            chatgpt_account_id: None,
        }),
    }
}

fn deserialize_id_token<'de, D>(deserializer: D) -> Result<IdTokenInfo, D::Error>
where
    D: serde::Deserializer<'de>,
{
    let s = String::deserialize(deserializer)?;
    parse_id_token(&s).map_err(serde::de::Error::custom)
}

fn serialize_id_token<S>(id_token: &IdTokenInfo, serializer: S) -> Result<S::Ok, S::Error>
where
    S: serde::Serializer,
{
    serializer.serialize_str(&id_token.raw_jwt)
}

#[cfg(test)]
mod tests {
    use super::*;
    use serde::Serialize;

    #[test]
    fn id_token_info_parses_email_and_plan() {
        #[derive(Serialize)]
        struct Header {
            alg: &'static str,
            typ: &'static str,
        }
        let header = Header {
            alg: "none",
            typ: "JWT",
        };
        let payload = serde_json::json!({
            "email": "user@example.com",
            "https://api.openai.com/auth": {
                "chatgpt_plan_type": "pro"
            }
        });

        fn b64url_no_pad(bytes: &[u8]) -> String {
            base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(bytes)
        }

        let header_b64 = b64url_no_pad(&serde_json::to_vec(&header).unwrap());
        let payload_b64 = b64url_no_pad(&serde_json::to_vec(&payload).unwrap());
        let signature_b64 = b64url_no_pad(b"sig");
        let fake_jwt = format!("{header_b64}.{payload_b64}.{signature_b64}");

        let info = parse_id_token(&fake_jwt).expect("should parse");
        assert_eq!(info.email.as_deref(), Some("user@example.com"));
        assert_eq!(info.get_chatgpt_plan_type().as_deref(), Some("Pro"));
    }

    #[test]
    fn id_token_info_handles_missing_fields() {
        #[derive(Serialize)]
        struct Header {
            alg: &'static str,
            typ: &'static str,
        }
        let header = Header {
            alg: "none",
            typ: "JWT",
        };
        let payload = serde_json::json!({ "sub": "123" });

        fn b64url_no_pad(bytes: &[u8]) -> String {
            base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(bytes)
        }

        let header_b64 = b64url_no_pad(&serde_json::to_vec(&header).unwrap());
        let payload_b64 = b64url_no_pad(&serde_json::to_vec(&payload).unwrap());
        let signature_b64 = b64url_no_pad(b"sig");
        let fake_jwt = format!("{header_b64}.{payload_b64}.{signature_b64}");

        let info = parse_id_token(&fake_jwt).expect("should parse");
        assert!(info.email.is_none());
        assert!(info.get_chatgpt_plan_type().is_none());
    }
}
feat: parse info from auth.json and show in /status (#1923) - `/status` renders ``` signed in with chatgpt login: example@example.com plan: plus ``` - Setup for using this info in a few more places. --------- Co-authored-by: Michael Bolin <mbolin@openai.com> 2025-08-07 01:27:45 -07:00			`use base64::Engine;`
			`use serde::Deserialize;`
			`use serde::Serialize;`
			`use thiserror::Error;`

			`#[derive(Deserialize, Serialize, Clone, Debug, PartialEq, Default)]`
			`pub struct TokenData {`
			`/// Flat info parsed from the JWT in auth.json.`
Port login server to rust (#2294) Port the login server to rust. --------- Co-authored-by: pakrym-oai <pakrym@openai.com> 2025-08-14 17:11:26 -07:00			`#[serde(`
			`deserialize_with = "deserialize_id_token",`
			`serialize_with = "serialize_id_token"`
			`)]`
feat: parse info from auth.json and show in /status (#1923) - `/status` renders ``` signed in with chatgpt login: example@example.com plan: plus ``` - Setup for using this info in a few more places. --------- Co-authored-by: Michael Bolin <mbolin@openai.com> 2025-08-07 01:27:45 -07:00			`pub id_token: IdTokenInfo,`

			`/// This is a JWT.`
			`pub access_token: String,`

			`pub refresh_token: String,`

			`pub account_id: Option<String>,`
			`}`

			`/// Flat subset of useful claims in id_token from auth.json.`
Port login server to rust (#2294) Port the login server to rust. --------- Co-authored-by: pakrym-oai <pakrym@openai.com> 2025-08-14 17:11:26 -07:00			`#[derive(Debug, Clone, PartialEq, Eq, Default, Serialize, Deserialize)]`
feat: parse info from auth.json and show in /status (#1923) - `/status` renders ``` signed in with chatgpt login: example@example.com plan: plus ``` - Setup for using this info in a few more places. --------- Co-authored-by: Michael Bolin <mbolin@openai.com> 2025-08-07 01:27:45 -07:00			`pub struct IdTokenInfo {`
			`pub email: Option<String>,`
			`/// The ChatGPT subscription plan type`
			`/// (e.g., "free", "plus", "pro", "business", "enterprise", "edu").`
Move CodexAuth and AuthManager to the core crate (#3074) Fix a long standing layering issue. 2025-09-02 18:36:19 -07:00			`/// (Note: values may vary by backend.)`
fix: default to credits from ChatGPT auth, when possible (#1971) Uses this rough strategy for authentication: ``` if auth.json if auth.json.API_KEY is NULL # new auth CHAT else # old auth if plus or pro or team CHAT else API_KEY else OPENAI_API_KEY ``` --- [//]: # (BEGIN SAPLING FOOTER) Stack created with [Sapling](https://sapling-scm.com). Best reviewed with [ReviewStack](https://reviewstack.dev/openai/codex/pull/1970). * __->__ #1971 * #1970 * #1966 * #1965 * #1962 2025-08-07 18:00:31 -07:00			`pub(crate) chatgpt_plan_type: Option<PlanType>,`
Add forced_chatgpt_workspace_id and forced_login_method configuration options (#5303) This PR adds support for configs to specify a forced login method (chatgpt or api) as well as a forced chatgpt account id. This lets enterprises uses [managed configs](https://developers.openai.com/codex/security#managed-configuration) to force all employees to use their company's workspace instead of their own or any other. When a workspace id is set, a query param is sent to the login flow which auto-selects the given workspace or errors if the user isn't a member of it. This PR is large but a large % of it is tests, wiring, and required formatting changes. API login with chatgpt forced <img width="1592" height="116" alt="CleanShot 2025-10-19 at 22 40 04" src="https://github.com/user-attachments/assets/560c6bb4-a20a-4a37-95af-93df39d057dd" /> ChatGPT login with api forced <img width="1018" height="100" alt="CleanShot 2025-10-19 at 22 40 29" src="https://github.com/user-attachments/assets/d010bbbb-9c8d-4227-9eda-e55bf043b4af" /> Onboarding with api forced <img width="892" height="460" alt="CleanShot 2025-10-19 at 22 41 02" src="https://github.com/user-attachments/assets/cc0ed45c-b257-4d62-a32e-6ca7514b5edd" /> Onboarding with ChatGPT forced <img width="1154" height="426" alt="CleanShot 2025-10-19 at 22 41 27" src="https://github.com/user-attachments/assets/41c41417-dc68-4bb4-b3e7-3b7769f7e6a1" /> Logging in with the wrong workspace <img width="2222" height="84" alt="CleanShot 2025-10-19 at 22 42 31" src="https://github.com/user-attachments/assets/0ff4222c-f626-4dd3-b035-0b7fe998a046" /> 2025-10-20 08:50:54 -07:00			`/// Organization/workspace identifier associated with the token, if present.`
			`pub chatgpt_account_id: Option<String>,`
Port login server to rust (#2294) Port the login server to rust. --------- Co-authored-by: pakrym-oai <pakrym@openai.com> 2025-08-14 17:11:26 -07:00			`pub raw_jwt: String,`
fix: default to credits from ChatGPT auth, when possible (#1971) Uses this rough strategy for authentication: ``` if auth.json if auth.json.API_KEY is NULL # new auth CHAT else # old auth if plus or pro or team CHAT else API_KEY else OPENAI_API_KEY ``` --- [//]: # (BEGIN SAPLING FOOTER) Stack created with [Sapling](https://sapling-scm.com). Best reviewed with [ReviewStack](https://reviewstack.dev/openai/codex/pull/1970). * __->__ #1971 * #1970 * #1966 * #1965 * #1962 2025-08-07 18:00:31 -07:00			`}`

			`impl IdTokenInfo {`
			`pub fn get_chatgpt_plan_type(&self) -> Option<String> {`
			`self.chatgpt_plan_type.as_ref().map(\|t\| match t {`
			`PlanType::Known(plan) => format!("{plan:?}"),`
			`PlanType::Unknown(s) => s.clone(),`
			`})`
			`}`
			`}`

			`#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]`
			`#[serde(untagged)]`
			`pub(crate) enum PlanType {`
			`Known(KnownPlan),`
			`Unknown(String),`
			`}`

			`#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]`
			`#[serde(rename_all = "lowercase")]`
			`pub(crate) enum KnownPlan {`
			`Free,`
			`Plus,`
			`Pro,`
			`Team,`
			`Business,`
			`Enterprise,`
			`Edu,`
feat: parse info from auth.json and show in /status (#1923) - `/status` renders ``` signed in with chatgpt login: example@example.com plan: plus ``` - Setup for using this info in a few more places. --------- Co-authored-by: Michael Bolin <mbolin@openai.com> 2025-08-07 01:27:45 -07:00			`}`

			`#[derive(Deserialize)]`
			`struct IdClaims {`
			`#[serde(default)]`
			`email: Option<String>,`
			`#[serde(rename = "https://api.openai.com/auth", default)]`
			`auth: Option<AuthClaims>,`
			`}`

			`#[derive(Deserialize)]`
			`struct AuthClaims {`
			`#[serde(default)]`
fix: default to credits from ChatGPT auth, when possible (#1971) Uses this rough strategy for authentication: ``` if auth.json if auth.json.API_KEY is NULL # new auth CHAT else # old auth if plus or pro or team CHAT else API_KEY else OPENAI_API_KEY ``` --- [//]: # (BEGIN SAPLING FOOTER) Stack created with [Sapling](https://sapling-scm.com). Best reviewed with [ReviewStack](https://reviewstack.dev/openai/codex/pull/1970). * __->__ #1971 * #1970 * #1966 * #1965 * #1962 2025-08-07 18:00:31 -07:00			`chatgpt_plan_type: Option<PlanType>,`
Add forced_chatgpt_workspace_id and forced_login_method configuration options (#5303) This PR adds support for configs to specify a forced login method (chatgpt or api) as well as a forced chatgpt account id. This lets enterprises uses [managed configs](https://developers.openai.com/codex/security#managed-configuration) to force all employees to use their company's workspace instead of their own or any other. When a workspace id is set, a query param is sent to the login flow which auto-selects the given workspace or errors if the user isn't a member of it. This PR is large but a large % of it is tests, wiring, and required formatting changes. API login with chatgpt forced <img width="1592" height="116" alt="CleanShot 2025-10-19 at 22 40 04" src="https://github.com/user-attachments/assets/560c6bb4-a20a-4a37-95af-93df39d057dd" /> ChatGPT login with api forced <img width="1018" height="100" alt="CleanShot 2025-10-19 at 22 40 29" src="https://github.com/user-attachments/assets/d010bbbb-9c8d-4227-9eda-e55bf043b4af" /> Onboarding with api forced <img width="892" height="460" alt="CleanShot 2025-10-19 at 22 41 02" src="https://github.com/user-attachments/assets/cc0ed45c-b257-4d62-a32e-6ca7514b5edd" /> Onboarding with ChatGPT forced <img width="1154" height="426" alt="CleanShot 2025-10-19 at 22 41 27" src="https://github.com/user-attachments/assets/41c41417-dc68-4bb4-b3e7-3b7769f7e6a1" /> Logging in with the wrong workspace <img width="2222" height="84" alt="CleanShot 2025-10-19 at 22 42 31" src="https://github.com/user-attachments/assets/0ff4222c-f626-4dd3-b035-0b7fe998a046" /> 2025-10-20 08:50:54 -07:00			`#[serde(default)]`
			`chatgpt_account_id: Option<String>,`
feat: parse info from auth.json and show in /status (#1923) - `/status` renders ``` signed in with chatgpt login: example@example.com plan: plus ``` - Setup for using this info in a few more places. --------- Co-authored-by: Michael Bolin <mbolin@openai.com> 2025-08-07 01:27:45 -07:00			`}`

			`#[derive(Debug, Error)]`
			`pub enum IdTokenInfoError {`
			`#[error("invalid ID token format")]`
			`InvalidFormat,`
			`#[error(transparent)]`
			`Base64(#[from] base64::DecodeError),`
			`#[error(transparent)]`
			`Json(#[from] serde_json::Error),`
			`}`

Move CodexAuth and AuthManager to the core crate (#3074) Fix a long standing layering issue. 2025-09-02 18:36:19 -07:00			`pub fn parse_id_token(id_token: &str) -> Result<IdTokenInfo, IdTokenInfoError> {`
feat: parse info from auth.json and show in /status (#1923) - `/status` renders ``` signed in with chatgpt login: example@example.com plan: plus ``` - Setup for using this info in a few more places. --------- Co-authored-by: Michael Bolin <mbolin@openai.com> 2025-08-07 01:27:45 -07:00			`// JWT format: header.payload.signature`
			`let mut parts = id_token.split('.');`
			`let (_header_b64, payload_b64, _sig_b64) = match (parts.next(), parts.next(), parts.next()) {`
			`(Some(h), Some(p), Some(s)) if !h.is_empty() && !p.is_empty() && !s.is_empty() => (h, p, s),`
			`_ => return Err(IdTokenInfoError::InvalidFormat),`
			`};`

			`let payload_bytes = base64::engine::general_purpose::URL_SAFE_NO_PAD.decode(payload_b64)?;`
			`let claims: IdClaims = serde_json::from_slice(&payload_bytes)?;`

Add forced_chatgpt_workspace_id and forced_login_method configuration options (#5303) This PR adds support for configs to specify a forced login method (chatgpt or api) as well as a forced chatgpt account id. This lets enterprises uses [managed configs](https://developers.openai.com/codex/security#managed-configuration) to force all employees to use their company's workspace instead of their own or any other. When a workspace id is set, a query param is sent to the login flow which auto-selects the given workspace or errors if the user isn't a member of it. This PR is large but a large % of it is tests, wiring, and required formatting changes. API login with chatgpt forced <img width="1592" height="116" alt="CleanShot 2025-10-19 at 22 40 04" src="https://github.com/user-attachments/assets/560c6bb4-a20a-4a37-95af-93df39d057dd" /> ChatGPT login with api forced <img width="1018" height="100" alt="CleanShot 2025-10-19 at 22 40 29" src="https://github.com/user-attachments/assets/d010bbbb-9c8d-4227-9eda-e55bf043b4af" /> Onboarding with api forced <img width="892" height="460" alt="CleanShot 2025-10-19 at 22 41 02" src="https://github.com/user-attachments/assets/cc0ed45c-b257-4d62-a32e-6ca7514b5edd" /> Onboarding with ChatGPT forced <img width="1154" height="426" alt="CleanShot 2025-10-19 at 22 41 27" src="https://github.com/user-attachments/assets/41c41417-dc68-4bb4-b3e7-3b7769f7e6a1" /> Logging in with the wrong workspace <img width="2222" height="84" alt="CleanShot 2025-10-19 at 22 42 31" src="https://github.com/user-attachments/assets/0ff4222c-f626-4dd3-b035-0b7fe998a046" /> 2025-10-20 08:50:54 -07:00			`match claims.auth {`
			`Some(auth) => Ok(IdTokenInfo {`
			`email: claims.email,`
			`raw_jwt: id_token.to_string(),`
			`chatgpt_plan_type: auth.chatgpt_plan_type,`
			`chatgpt_account_id: auth.chatgpt_account_id,`
			`}),`
			`None => Ok(IdTokenInfo {`
			`email: claims.email,`
			`raw_jwt: id_token.to_string(),`
			`chatgpt_plan_type: None,`
			`chatgpt_account_id: None,`
			`}),`
			`}`
feat: parse info from auth.json and show in /status (#1923) - `/status` renders ``` signed in with chatgpt login: example@example.com plan: plus ``` - Setup for using this info in a few more places. --------- Co-authored-by: Michael Bolin <mbolin@openai.com> 2025-08-07 01:27:45 -07:00			`}`

			`fn deserialize_id_token<'de, D>(deserializer: D) -> Result<IdTokenInfo, D::Error>`
			`where`
			`D: serde::Deserializer<'de>,`
			`{`
			`let s = String::deserialize(deserializer)?;`
			`parse_id_token(&s).map_err(serde::de::Error::custom)`
			`}`

Port login server to rust (#2294) Port the login server to rust. --------- Co-authored-by: pakrym-oai <pakrym@openai.com> 2025-08-14 17:11:26 -07:00			`fn serialize_id_token<S>(id_token: &IdTokenInfo, serializer: S) -> Result<S::Ok, S::Error>`
			`where`
			`S: serde::Serializer,`
			`{`
			`serializer.serialize_str(&id_token.raw_jwt)`
			`}`

feat: parse info from auth.json and show in /status (#1923) - `/status` renders ``` signed in with chatgpt login: example@example.com plan: plus ``` - Setup for using this info in a few more places. --------- Co-authored-by: Michael Bolin <mbolin@openai.com> 2025-08-07 01:27:45 -07:00			`#[cfg(test)]`
			`mod tests {`
			`use super::*;`
			`use serde::Serialize;`

			`#[test]`
			`fn id_token_info_parses_email_and_plan() {`
			`#[derive(Serialize)]`
			`struct Header {`
			`alg: &'static str,`
			`typ: &'static str,`
			`}`
			`let header = Header {`
			`alg: "none",`
			`typ: "JWT",`
			`};`
			`let payload = serde_json::json!({`
			`"email": "user@example.com",`
			`"https://api.openai.com/auth": {`
			`"chatgpt_plan_type": "pro"`
			`}`
			`});`

			`fn b64url_no_pad(bytes: &[u8]) -> String {`
			`base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(bytes)`
			`}`

			`let header_b64 = b64url_no_pad(&serde_json::to_vec(&header).unwrap());`
			`let payload_b64 = b64url_no_pad(&serde_json::to_vec(&payload).unwrap());`
			`let signature_b64 = b64url_no_pad(b"sig");`
			`let fake_jwt = format!("{header_b64}.{payload_b64}.{signature_b64}");`

			`let info = parse_id_token(&fake_jwt).expect("should parse");`
			`assert_eq!(info.email.as_deref(), Some("user@example.com"));`
Move CodexAuth and AuthManager to the core crate (#3074) Fix a long standing layering issue. 2025-09-02 18:36:19 -07:00			`assert_eq!(info.get_chatgpt_plan_type().as_deref(), Some("Pro"));`
			`}`

			`#[test]`
			`fn id_token_info_handles_missing_fields() {`
			`#[derive(Serialize)]`
			`struct Header {`
			`alg: &'static str,`
			`typ: &'static str,`
			`}`
			`let header = Header {`
			`alg: "none",`
			`typ: "JWT",`
			`};`
			`let payload = serde_json::json!({ "sub": "123" });`

			`fn b64url_no_pad(bytes: &[u8]) -> String {`
			`base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(bytes)`
			`}`

			`let header_b64 = b64url_no_pad(&serde_json::to_vec(&header).unwrap());`
			`let payload_b64 = b64url_no_pad(&serde_json::to_vec(&payload).unwrap());`
			`let signature_b64 = b64url_no_pad(b"sig");`
			`let fake_jwt = format!("{header_b64}.{payload_b64}.{signature_b64}");`

			`let info = parse_id_token(&fake_jwt).expect("should parse");`
			`assert!(info.email.is_none());`
			`assert!(info.get_chatgpt_plan_type().is_none());`
feat: parse info from auth.json and show in /status (#1923) - `/status` renders ``` signed in with chatgpt login: example@example.com plan: plus ``` - Setup for using this info in a few more places. --------- Co-authored-by: Michael Bolin <mbolin@openai.com> 2025-08-07 01:27:45 -07:00			`}`
			`}`