codex-rs/core/src/token_data.rs

use base64::Engine;
use serde::Deserialize;
use serde::Serialize;
use thiserror::Error;

use codex_protocol::mcp_protocol::AuthMode;

#[derive(Deserialize, Serialize, Clone, Debug, PartialEq, Default)]
pub struct TokenData {
    /// Flat info parsed from the JWT in auth.json.
    #[serde(
        deserialize_with = "deserialize_id_token",
        serialize_with = "serialize_id_token"
    )]
    pub id_token: IdTokenInfo,

    /// This is a JWT.
    pub access_token: String,

    pub refresh_token: String,

    pub account_id: Option<String>,
}

impl TokenData {
    /// Returns true if this is a plan that should use the traditional
    /// "metered" billing via an API key.
    pub(crate) fn should_use_api_key(
        &self,
        preferred_auth_method: AuthMode,
        is_openai_email: bool,
    ) -> bool {
        if preferred_auth_method == AuthMode::ApiKey {
            return true;
        }
        // If the email is an OpenAI email, use AuthMode::ChatGPT unless preferred_auth_method is AuthMode::ApiKey.
        if is_openai_email {
            return false;
        }

        self.id_token
            .chatgpt_plan_type
            .as_ref()
            .is_none_or(|plan| plan.is_plan_that_should_use_api_key())
    }

    pub fn is_openai_email(&self) -> bool {
        self.id_token
            .email
            .as_deref()
            .is_some_and(|email| email.trim().to_ascii_lowercase().ends_with("@openai.com"))
    }
}

/// Flat subset of useful claims in id_token from auth.json.
#[derive(Debug, Clone, PartialEq, Eq, Default, Serialize, Deserialize)]
pub struct IdTokenInfo {
    pub email: Option<String>,
    /// The ChatGPT subscription plan type
    /// (e.g., "free", "plus", "pro", "business", "enterprise", "edu").
    /// (Note: values may vary by backend.)
    pub(crate) chatgpt_plan_type: Option<PlanType>,
    pub raw_jwt: String,
}

impl IdTokenInfo {
    pub fn get_chatgpt_plan_type(&self) -> Option<String> {
        self.chatgpt_plan_type.as_ref().map(|t| match t {
            PlanType::Known(plan) => format!("{plan:?}"),
            PlanType::Unknown(s) => s.clone(),
        })
    }
}

#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
#[serde(untagged)]
pub(crate) enum PlanType {
    Known(KnownPlan),
    Unknown(String),
}

impl PlanType {
    fn is_plan_that_should_use_api_key(&self) -> bool {
        match self {
            Self::Known(known) => {
                use KnownPlan::*;
                !matches!(known, Free | Plus | Pro | Team)
            }
            Self::Unknown(_) => {
                // Unknown plans should use the API key.
                true
            }
        }
    }

    pub fn as_string(&self) -> String {
        match self {
            Self::Known(known) => format!("{known:?}").to_lowercase(),
            Self::Unknown(s) => s.clone(),
        }
    }
}

#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "lowercase")]
pub(crate) enum KnownPlan {
    Free,
    Plus,
    Pro,
    Team,
    Business,
    Enterprise,
    Edu,
}

#[derive(Deserialize)]
struct IdClaims {
    #[serde(default)]
    email: Option<String>,
    #[serde(rename = "https://api.openai.com/auth", default)]
    auth: Option<AuthClaims>,
}

#[derive(Deserialize)]
struct AuthClaims {
    #[serde(default)]
    chatgpt_plan_type: Option<PlanType>,
}

#[derive(Debug, Error)]
pub enum IdTokenInfoError {
    #[error("invalid ID token format")]
    InvalidFormat,
    #[error(transparent)]
    Base64(#[from] base64::DecodeError),
    #[error(transparent)]
    Json(#[from] serde_json::Error),
}

pub fn parse_id_token(id_token: &str) -> Result<IdTokenInfo, IdTokenInfoError> {
    // JWT format: header.payload.signature
    let mut parts = id_token.split('.');
    let (_header_b64, payload_b64, _sig_b64) = match (parts.next(), parts.next(), parts.next()) {
        (Some(h), Some(p), Some(s)) if !h.is_empty() && !p.is_empty() && !s.is_empty() => (h, p, s),
        _ => return Err(IdTokenInfoError::InvalidFormat),
    };

    let payload_bytes = base64::engine::general_purpose::URL_SAFE_NO_PAD.decode(payload_b64)?;
    let claims: IdClaims = serde_json::from_slice(&payload_bytes)?;

    Ok(IdTokenInfo {
        email: claims.email,
        chatgpt_plan_type: claims.auth.and_then(|a| a.chatgpt_plan_type),
        raw_jwt: id_token.to_string(),
    })
}

fn deserialize_id_token<'de, D>(deserializer: D) -> Result<IdTokenInfo, D::Error>
where
    D: serde::Deserializer<'de>,
{
    let s = String::deserialize(deserializer)?;
    parse_id_token(&s).map_err(serde::de::Error::custom)
}

fn serialize_id_token<S>(id_token: &IdTokenInfo, serializer: S) -> Result<S::Ok, S::Error>
where
    S: serde::Serializer,
{
    serializer.serialize_str(&id_token.raw_jwt)
}

#[cfg(test)]
mod tests {
    use super::*;
    use serde::Serialize;

    #[test]
    fn id_token_info_parses_email_and_plan() {
        #[derive(Serialize)]
        struct Header {
            alg: &'static str,
            typ: &'static str,
        }
        let header = Header {
            alg: "none",
            typ: "JWT",
        };
        let payload = serde_json::json!({
            "email": "user@example.com",
            "https://api.openai.com/auth": {
                "chatgpt_plan_type": "pro"
            }
        });

        fn b64url_no_pad(bytes: &[u8]) -> String {
            base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(bytes)
        }

        let header_b64 = b64url_no_pad(&serde_json::to_vec(&header).unwrap());
        let payload_b64 = b64url_no_pad(&serde_json::to_vec(&payload).unwrap());
        let signature_b64 = b64url_no_pad(b"sig");
        let fake_jwt = format!("{header_b64}.{payload_b64}.{signature_b64}");

        let info = parse_id_token(&fake_jwt).expect("should parse");
        assert_eq!(info.email.as_deref(), Some("user@example.com"));
        assert_eq!(info.get_chatgpt_plan_type().as_deref(), Some("Pro"));
    }

    #[test]
    fn id_token_info_handles_missing_fields() {
        #[derive(Serialize)]
        struct Header {
            alg: &'static str,
            typ: &'static str,
        }
        let header = Header {
            alg: "none",
            typ: "JWT",
        };
        let payload = serde_json::json!({ "sub": "123" });

        fn b64url_no_pad(bytes: &[u8]) -> String {
            base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(bytes)
        }

        let header_b64 = b64url_no_pad(&serde_json::to_vec(&header).unwrap());
        let payload_b64 = b64url_no_pad(&serde_json::to_vec(&payload).unwrap());
        let signature_b64 = b64url_no_pad(b"sig");
        let fake_jwt = format!("{header_b64}.{payload_b64}.{signature_b64}");

        let info = parse_id_token(&fake_jwt).expect("should parse");
        assert!(info.email.is_none());
        assert!(info.get_chatgpt_plan_type().is_none());
    }
}
feat: parse info from auth.json and show in /status (#1923) - `/status` renders ``` signed in with chatgpt login: example@example.com plan: plus ``` - Setup for using this info in a few more places. --------- Co-authored-by: Michael Bolin <mbolin@openai.com> 2025-08-07 01:27:45 -07:00			`use base64::Engine;`
			`use serde::Deserialize;`
			`use serde::Serialize;`
			`use thiserror::Error;`

Move CodexAuth and AuthManager to the core crate (#3074) Fix a long standing layering issue. 2025-09-02 18:36:19 -07:00			`use codex_protocol::mcp_protocol::AuthMode;`
Show login options when not signed in with ChatGPT (#2440) Motivation: we have users who uses their API key although they want to use ChatGPT account. We want to give them the chance to always login with their account. This PR displays login options when the user is not signed in with ChatGPT. Even if you have set an OpenAI API key as an environment variable, you will still be prompted to log in with ChatGPT. We’ve also added a new flag, `always_use_api_key_signing` false by default, which ensures you are never asked to log in with ChatGPT and always defaults to using your API key. https://github.com/user-attachments/assets/b61ebfa9-3c5e-4ab7-bf94-395c23a0e0af After ChatGPT sign in: https://github.com/user-attachments/assets/d58b366b-c46a-428f-a22f-2ac230f991c0 2025-08-18 20:22:48 -07:00
feat: parse info from auth.json and show in /status (#1923) - `/status` renders ``` signed in with chatgpt login: example@example.com plan: plus ``` - Setup for using this info in a few more places. --------- Co-authored-by: Michael Bolin <mbolin@openai.com> 2025-08-07 01:27:45 -07:00			`#[derive(Deserialize, Serialize, Clone, Debug, PartialEq, Default)]`
			`pub struct TokenData {`
			`/// Flat info parsed from the JWT in auth.json.`
Port login server to rust (#2294) Port the login server to rust. --------- Co-authored-by: pakrym-oai <pakrym@openai.com> 2025-08-14 17:11:26 -07:00			`#[serde(`
			`deserialize_with = "deserialize_id_token",`
			`serialize_with = "serialize_id_token"`
			`)]`
feat: parse info from auth.json and show in /status (#1923) - `/status` renders ``` signed in with chatgpt login: example@example.com plan: plus ``` - Setup for using this info in a few more places. --------- Co-authored-by: Michael Bolin <mbolin@openai.com> 2025-08-07 01:27:45 -07:00			`pub id_token: IdTokenInfo,`

			`/// This is a JWT.`
			`pub access_token: String,`

			`pub refresh_token: String,`

			`pub account_id: Option<String>,`
			`}`

fix: default to credits from ChatGPT auth, when possible (#1971) Uses this rough strategy for authentication: ``` if auth.json if auth.json.API_KEY is NULL # new auth CHAT else # old auth if plus or pro or team CHAT else API_KEY else OPENAI_API_KEY ``` --- [//]: # (BEGIN SAPLING FOOTER) Stack created with [Sapling](https://sapling-scm.com). Best reviewed with [ReviewStack](https://reviewstack.dev/openai/codex/pull/1970). * __->__ #1971 * #1970 * #1966 * #1965 * #1962 2025-08-07 18:00:31 -07:00			`impl TokenData {`
			`/// Returns true if this is a plan that should use the traditional`
			`/// "metered" billing via an API key.`
Fix login for internal employees (#2528) This PR: - fixes for internal employee because we currently want to prefer SIWC for them. - fixes retrying forever on unauthorized access. we need to break eventually on max retries. 2025-08-20 14:05:20 -07:00			`pub(crate) fn should_use_api_key(`
			`&self,`
			`preferred_auth_method: AuthMode,`
			`is_openai_email: bool,`
			`) -> bool {`
Show login options when not signed in with ChatGPT (#2440) Motivation: we have users who uses their API key although they want to use ChatGPT account. We want to give them the chance to always login with their account. This PR displays login options when the user is not signed in with ChatGPT. Even if you have set an OpenAI API key as an environment variable, you will still be prompted to log in with ChatGPT. We’ve also added a new flag, `always_use_api_key_signing` false by default, which ensures you are never asked to log in with ChatGPT and always defaults to using your API key. https://github.com/user-attachments/assets/b61ebfa9-3c5e-4ab7-bf94-395c23a0e0af After ChatGPT sign in: https://github.com/user-attachments/assets/d58b366b-c46a-428f-a22f-2ac230f991c0 2025-08-18 20:22:48 -07:00			`if preferred_auth_method == AuthMode::ApiKey {`
			`return true;`
			`}`
Fix login for internal employees (#2528) This PR: - fixes for internal employee because we currently want to prefer SIWC for them. - fixes retrying forever on unauthorized access. we need to break eventually on max retries. 2025-08-20 14:05:20 -07:00			`// If the email is an OpenAI email, use AuthMode::ChatGPT unless preferred_auth_method is AuthMode::ApiKey.`
			`if is_openai_email {`
			`return false;`
			`}`
Show login options when not signed in with ChatGPT (#2440) Motivation: we have users who uses their API key although they want to use ChatGPT account. We want to give them the chance to always login with their account. This PR displays login options when the user is not signed in with ChatGPT. Even if you have set an OpenAI API key as an environment variable, you will still be prompted to log in with ChatGPT. We’ve also added a new flag, `always_use_api_key_signing` false by default, which ensures you are never asked to log in with ChatGPT and always defaults to using your API key. https://github.com/user-attachments/assets/b61ebfa9-3c5e-4ab7-bf94-395c23a0e0af After ChatGPT sign in: https://github.com/user-attachments/assets/d58b366b-c46a-428f-a22f-2ac230f991c0 2025-08-18 20:22:48 -07:00
fix: default to credits from ChatGPT auth, when possible (#1971) Uses this rough strategy for authentication: ``` if auth.json if auth.json.API_KEY is NULL # new auth CHAT else # old auth if plus or pro or team CHAT else API_KEY else OPENAI_API_KEY ``` --- [//]: # (BEGIN SAPLING FOOTER) Stack created with [Sapling](https://sapling-scm.com). Best reviewed with [ReviewStack](https://reviewstack.dev/openai/codex/pull/1970). * __->__ #1971 * #1970 * #1966 * #1965 * #1962 2025-08-07 18:00:31 -07:00			`self.id_token`
			`.chatgpt_plan_type`
			`.as_ref()`
			`.is_none_or(\|plan\| plan.is_plan_that_should_use_api_key())`
			`}`
Fix login for internal employees (#2528) This PR: - fixes for internal employee because we currently want to prefer SIWC for them. - fixes retrying forever on unauthorized access. we need to break eventually on max retries. 2025-08-20 14:05:20 -07:00
			`pub fn is_openai_email(&self) -> bool {`
			`self.id_token`
			`.email`
			`.as_deref()`
			`.is_some_and(\|email\| email.trim().to_ascii_lowercase().ends_with("@openai.com"))`
			`}`
fix: default to credits from ChatGPT auth, when possible (#1971) Uses this rough strategy for authentication: ``` if auth.json if auth.json.API_KEY is NULL # new auth CHAT else # old auth if plus or pro or team CHAT else API_KEY else OPENAI_API_KEY ``` --- [//]: # (BEGIN SAPLING FOOTER) Stack created with [Sapling](https://sapling-scm.com). Best reviewed with [ReviewStack](https://reviewstack.dev/openai/codex/pull/1970). * __->__ #1971 * #1970 * #1966 * #1965 * #1962 2025-08-07 18:00:31 -07:00			`}`

feat: parse info from auth.json and show in /status (#1923) - `/status` renders ``` signed in with chatgpt login: example@example.com plan: plus ``` - Setup for using this info in a few more places. --------- Co-authored-by: Michael Bolin <mbolin@openai.com> 2025-08-07 01:27:45 -07:00			`/// Flat subset of useful claims in id_token from auth.json.`
Port login server to rust (#2294) Port the login server to rust. --------- Co-authored-by: pakrym-oai <pakrym@openai.com> 2025-08-14 17:11:26 -07:00			`#[derive(Debug, Clone, PartialEq, Eq, Default, Serialize, Deserialize)]`
feat: parse info from auth.json and show in /status (#1923) - `/status` renders ``` signed in with chatgpt login: example@example.com plan: plus ``` - Setup for using this info in a few more places. --------- Co-authored-by: Michael Bolin <mbolin@openai.com> 2025-08-07 01:27:45 -07:00			`pub struct IdTokenInfo {`
			`pub email: Option<String>,`
			`/// The ChatGPT subscription plan type`
			`/// (e.g., "free", "plus", "pro", "business", "enterprise", "edu").`
Move CodexAuth and AuthManager to the core crate (#3074) Fix a long standing layering issue. 2025-09-02 18:36:19 -07:00			`/// (Note: values may vary by backend.)`
fix: default to credits from ChatGPT auth, when possible (#1971) Uses this rough strategy for authentication: ``` if auth.json if auth.json.API_KEY is NULL # new auth CHAT else # old auth if plus or pro or team CHAT else API_KEY else OPENAI_API_KEY ``` --- [//]: # (BEGIN SAPLING FOOTER) Stack created with [Sapling](https://sapling-scm.com). Best reviewed with [ReviewStack](https://reviewstack.dev/openai/codex/pull/1970). * __->__ #1971 * #1970 * #1966 * #1965 * #1962 2025-08-07 18:00:31 -07:00			`pub(crate) chatgpt_plan_type: Option<PlanType>,`
Port login server to rust (#2294) Port the login server to rust. --------- Co-authored-by: pakrym-oai <pakrym@openai.com> 2025-08-14 17:11:26 -07:00			`pub raw_jwt: String,`
fix: default to credits from ChatGPT auth, when possible (#1971) Uses this rough strategy for authentication: ``` if auth.json if auth.json.API_KEY is NULL # new auth CHAT else # old auth if plus or pro or team CHAT else API_KEY else OPENAI_API_KEY ``` --- [//]: # (BEGIN SAPLING FOOTER) Stack created with [Sapling](https://sapling-scm.com). Best reviewed with [ReviewStack](https://reviewstack.dev/openai/codex/pull/1970). * __->__ #1971 * #1970 * #1966 * #1965 * #1962 2025-08-07 18:00:31 -07:00			`}`

			`impl IdTokenInfo {`
			`pub fn get_chatgpt_plan_type(&self) -> Option<String> {`
			`self.chatgpt_plan_type.as_ref().map(\|t\| match t {`
			`PlanType::Known(plan) => format!("{plan:?}"),`
			`PlanType::Unknown(s) => s.clone(),`
			`})`
			`}`
			`}`

			`#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]`
			`#[serde(untagged)]`
			`pub(crate) enum PlanType {`
			`Known(KnownPlan),`
			`Unknown(String),`
			`}`

			`impl PlanType {`
			`fn is_plan_that_should_use_api_key(&self) -> bool {`
			`match self {`
			`Self::Known(known) => {`
			`use KnownPlan::*;`
			`!matches!(known, Free \| Plus \| Pro \| Team)`
			`}`
			`Self::Unknown(_) => {`
			`// Unknown plans should use the API key.`
			`true`
			`}`
			`}`
			`}`
Adjust error messages (#1969) <img width="1378" height="285" alt="image" src="https://github.com/user-attachments/assets/f0283378-f839-4a1f-8331-909694a04b1f" /> 2025-08-07 18:24:34 -07:00
			`pub fn as_string(&self) -> String {`
			`match self {`
			`Self::Known(known) => format!("{known:?}").to_lowercase(),`
			`Self::Unknown(s) => s.clone(),`
			`}`
			`}`
fix: default to credits from ChatGPT auth, when possible (#1971) Uses this rough strategy for authentication: ``` if auth.json if auth.json.API_KEY is NULL # new auth CHAT else # old auth if plus or pro or team CHAT else API_KEY else OPENAI_API_KEY ``` --- [//]: # (BEGIN SAPLING FOOTER) Stack created with [Sapling](https://sapling-scm.com). Best reviewed with [ReviewStack](https://reviewstack.dev/openai/codex/pull/1970). * __->__ #1971 * #1970 * #1966 * #1965 * #1962 2025-08-07 18:00:31 -07:00			`}`

			`#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]`
			`#[serde(rename_all = "lowercase")]`
			`pub(crate) enum KnownPlan {`
			`Free,`
			`Plus,`
			`Pro,`
			`Team,`
			`Business,`
			`Enterprise,`
			`Edu,`
feat: parse info from auth.json and show in /status (#1923) - `/status` renders ``` signed in with chatgpt login: example@example.com plan: plus ``` - Setup for using this info in a few more places. --------- Co-authored-by: Michael Bolin <mbolin@openai.com> 2025-08-07 01:27:45 -07:00			`}`

			`#[derive(Deserialize)]`
			`struct IdClaims {`
			`#[serde(default)]`
			`email: Option<String>,`
			`#[serde(rename = "https://api.openai.com/auth", default)]`
			`auth: Option<AuthClaims>,`
			`}`

			`#[derive(Deserialize)]`
			`struct AuthClaims {`
			`#[serde(default)]`
fix: default to credits from ChatGPT auth, when possible (#1971) Uses this rough strategy for authentication: ``` if auth.json if auth.json.API_KEY is NULL # new auth CHAT else # old auth if plus or pro or team CHAT else API_KEY else OPENAI_API_KEY ``` --- [//]: # (BEGIN SAPLING FOOTER) Stack created with [Sapling](https://sapling-scm.com). Best reviewed with [ReviewStack](https://reviewstack.dev/openai/codex/pull/1970). * __->__ #1971 * #1970 * #1966 * #1965 * #1962 2025-08-07 18:00:31 -07:00			`chatgpt_plan_type: Option<PlanType>,`
feat: parse info from auth.json and show in /status (#1923) - `/status` renders ``` signed in with chatgpt login: example@example.com plan: plus ``` - Setup for using this info in a few more places. --------- Co-authored-by: Michael Bolin <mbolin@openai.com> 2025-08-07 01:27:45 -07:00			`}`

			`#[derive(Debug, Error)]`
			`pub enum IdTokenInfoError {`
			`#[error("invalid ID token format")]`
			`InvalidFormat,`
			`#[error(transparent)]`
			`Base64(#[from] base64::DecodeError),`
			`#[error(transparent)]`
			`Json(#[from] serde_json::Error),`
			`}`

Move CodexAuth and AuthManager to the core crate (#3074) Fix a long standing layering issue. 2025-09-02 18:36:19 -07:00			`pub fn parse_id_token(id_token: &str) -> Result<IdTokenInfo, IdTokenInfoError> {`
feat: parse info from auth.json and show in /status (#1923) - `/status` renders ``` signed in with chatgpt login: example@example.com plan: plus ``` - Setup for using this info in a few more places. --------- Co-authored-by: Michael Bolin <mbolin@openai.com> 2025-08-07 01:27:45 -07:00			`// JWT format: header.payload.signature`
			`let mut parts = id_token.split('.');`
			`let (_header_b64, payload_b64, _sig_b64) = match (parts.next(), parts.next(), parts.next()) {`
			`(Some(h), Some(p), Some(s)) if !h.is_empty() && !p.is_empty() && !s.is_empty() => (h, p, s),`
			`_ => return Err(IdTokenInfoError::InvalidFormat),`
			`};`

			`let payload_bytes = base64::engine::general_purpose::URL_SAFE_NO_PAD.decode(payload_b64)?;`
			`let claims: IdClaims = serde_json::from_slice(&payload_bytes)?;`

			`Ok(IdTokenInfo {`
			`email: claims.email,`
			`chatgpt_plan_type: claims.auth.and_then(\|a\| a.chatgpt_plan_type),`
Port login server to rust (#2294) Port the login server to rust. --------- Co-authored-by: pakrym-oai <pakrym@openai.com> 2025-08-14 17:11:26 -07:00			`raw_jwt: id_token.to_string(),`
feat: parse info from auth.json and show in /status (#1923) - `/status` renders ``` signed in with chatgpt login: example@example.com plan: plus ``` - Setup for using this info in a few more places. --------- Co-authored-by: Michael Bolin <mbolin@openai.com> 2025-08-07 01:27:45 -07:00			`})`
			`}`

			`fn deserialize_id_token<'de, D>(deserializer: D) -> Result<IdTokenInfo, D::Error>`
			`where`
			`D: serde::Deserializer<'de>,`
			`{`
			`let s = String::deserialize(deserializer)?;`
			`parse_id_token(&s).map_err(serde::de::Error::custom)`
			`}`

Port login server to rust (#2294) Port the login server to rust. --------- Co-authored-by: pakrym-oai <pakrym@openai.com> 2025-08-14 17:11:26 -07:00			`fn serialize_id_token<S>(id_token: &IdTokenInfo, serializer: S) -> Result<S::Ok, S::Error>`
			`where`
			`S: serde::Serializer,`
			`{`
			`serializer.serialize_str(&id_token.raw_jwt)`
			`}`

feat: parse info from auth.json and show in /status (#1923) - `/status` renders ``` signed in with chatgpt login: example@example.com plan: plus ``` - Setup for using this info in a few more places. --------- Co-authored-by: Michael Bolin <mbolin@openai.com> 2025-08-07 01:27:45 -07:00			`#[cfg(test)]`
			`mod tests {`
			`use super::*;`
			`use serde::Serialize;`

			`#[test]`
			`fn id_token_info_parses_email_and_plan() {`
			`#[derive(Serialize)]`
			`struct Header {`
			`alg: &'static str,`
			`typ: &'static str,`
			`}`
			`let header = Header {`
			`alg: "none",`
			`typ: "JWT",`
			`};`
			`let payload = serde_json::json!({`
			`"email": "user@example.com",`
			`"https://api.openai.com/auth": {`
			`"chatgpt_plan_type": "pro"`
			`}`
			`});`

			`fn b64url_no_pad(bytes: &[u8]) -> String {`
			`base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(bytes)`
			`}`

			`let header_b64 = b64url_no_pad(&serde_json::to_vec(&header).unwrap());`
			`let payload_b64 = b64url_no_pad(&serde_json::to_vec(&payload).unwrap());`
			`let signature_b64 = b64url_no_pad(b"sig");`
			`let fake_jwt = format!("{header_b64}.{payload_b64}.{signature_b64}");`

			`let info = parse_id_token(&fake_jwt).expect("should parse");`
			`assert_eq!(info.email.as_deref(), Some("user@example.com"));`
Move CodexAuth and AuthManager to the core crate (#3074) Fix a long standing layering issue. 2025-09-02 18:36:19 -07:00			`assert_eq!(info.get_chatgpt_plan_type().as_deref(), Some("Pro"));`
			`}`

			`#[test]`
			`fn id_token_info_handles_missing_fields() {`
			`#[derive(Serialize)]`
			`struct Header {`
			`alg: &'static str,`
			`typ: &'static str,`
			`}`
			`let header = Header {`
			`alg: "none",`
			`typ: "JWT",`
			`};`
			`let payload = serde_json::json!({ "sub": "123" });`

			`fn b64url_no_pad(bytes: &[u8]) -> String {`
			`base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(bytes)`
			`}`

			`let header_b64 = b64url_no_pad(&serde_json::to_vec(&header).unwrap());`
			`let payload_b64 = b64url_no_pad(&serde_json::to_vec(&payload).unwrap());`
			`let signature_b64 = b64url_no_pad(b"sig");`
			`let fake_jwt = format!("{header_b64}.{payload_b64}.{signature_b64}");`

			`let info = parse_id_token(&fake_jwt).expect("should parse");`
			`assert!(info.email.is_none());`
			`assert!(info.get_chatgpt_plan_type().is_none());`
feat: parse info from auth.json and show in /status (#1923) - `/status` renders ``` signed in with chatgpt login: example@example.com plan: plus ``` - Setup for using this info in a few more places. --------- Co-authored-by: Michael Bolin <mbolin@openai.com> 2025-08-07 01:27:45 -07:00			`}`
			`}`