Fix Callback URL for staging and prod environments (#4533)

# External (non-OpenAI) Pull Request Requirements

Before opening this Pull Request, please read the dedicated
"Contributing" markdown file or your PR may be closed:
https://github.com/openai/codex/blob/main/docs/contributing.md

If your PR conforms to our contribution guidelines, replace this text
with a detailed and high quality description of your changes.

codex-rs/login/src/device_code_auth.rs

@@ -148,15 +148,14 @@ fn print_colored_warning_device_code() {
 /// Full device code login flow.
 pub async fn run_device_code_login(opts: ServerOptions) -> std::io::Result<()> {
     let client = reqwest::Client::new();
-    let auth_base_url = opts.issuer.trim_end_matches('/').to_owned();
+    let auth_base_url = format!("{}/api/accounts", opts.issuer.trim_end_matches('/'));
     print_colored_warning_device_code();
     println!("⏳ Generating a new 9-digit device code for authentication...\n");
     let uc = request_user_code(&client, &auth_base_url, &opts.client_id).await?;
 
     println!(
         "To authenticate, visit: {}/deviceauth/authorize and enter code: {}",
-        opts.issuer.trim_end_matches('/'),
+        auth_base_url, uc.user_code
-        uc.user_code
     );
 
     let code_resp = poll_for_token(

codex-rs/login/tests/suite/device_code_login.rs

@@ -32,7 +32,7 @@ fn make_jwt(payload: serde_json::Value) -> String {
 
 async fn mock_usercode_success(server: &MockServer) {
     Mock::given(method("POST"))
-        .and(path("/deviceauth/usercode"))
+        .and(path("/api/accounts/deviceauth/usercode"))
         .respond_with(ResponseTemplate::new(200).set_body_json(json!({
             "device_auth_id": "device-auth-123",
             "user_code": "CODE-12345",
@@ -45,7 +45,7 @@ async fn mock_usercode_success(server: &MockServer) {
 
 async fn mock_usercode_failure(server: &MockServer, status: u16) {
     Mock::given(method("POST"))
-        .and(path("/deviceauth/usercode"))
+        .and(path("/api/accounts/deviceauth/usercode"))
         .respond_with(ResponseTemplate::new(status))
         .mount(server)
         .await;
@@ -58,7 +58,7 @@ async fn mock_poll_token_two_step(
 ) {
     let c = counter.clone();
     Mock::given(method("POST"))
-        .and(path("/deviceauth/token"))
+        .and(path("/api/accounts/deviceauth/token"))
         .respond_with(move |_: &Request| {
             let attempt = c.fetch_add(1, Ordering::SeqCst);
             if attempt == 0 {
@@ -214,7 +214,7 @@ async fn device_code_login_integration_handles_error_payload() {
     // // /deviceauth/token → returns error payload with status 401
     mock_poll_token_single(
         &mock_server,
-        "/deviceauth/token",
+        "/api/accounts/deviceauth/token",
         ResponseTemplate::new(401).set_body_json(json!({
             "error": "authorization_declined",
             "error_description": "Denied"