[app-server] read rate limits API (#5302)

Adds a `GET account/rateLimits/read` API to app-server. It calls the codex backend to fetch the user's current rate limits, which is helpful for checking rate limits without having to send a message.

To call the codex backend usage API, I generated the types and manually copied the relevant ones into `codex-backend-openapi-types`. It would be nice to extend our internal openapi generator to support Rust so we don't have to run these manual steps.

# External (non-OpenAI) Pull Request Requirements

Before opening this Pull Request, please read the dedicated "Contributing" markdown file or your PR may be closed: https://github.com/openai/codex/blob/main/docs/contributing.md

If your PR conforms to our contribution guidelines, replace this text with a detailed and high quality description of your changes.
2025-10-20 14:11:54 -07:00
parent 39a2446716
commit 5c680c6587
22 changed files with 726 additions and 53 deletions
--- a/codex-rs/app-server/Cargo.toml
+++ b/codex-rs/app-server/Cargo.toml
@@ -19,11 +19,13 @@ anyhow = { workspace = true }
 codex-arg0 = { workspace = true }
 codex-common = { workspace = true, features = ["cli"] }
 codex-core = { workspace = true }
+codex-backend-client = { workspace = true }
 codex-file-search = { workspace = true }
 codex-login = { workspace = true }
 codex-protocol = { workspace = true }
 codex-app-server-protocol = { workspace = true }
 codex-utils-json-to-toml = { workspace = true }
+chrono = { workspace = true }
 serde = { workspace = true, features = ["derive"] }
 serde_json = { workspace = true }
 tokio = { workspace = true, features = [
--- a/codex-rs/app-server/src/codex_message_processor.rs
+++ b/codex-rs/app-server/src/codex_message_processor.rs
@@ -9,6 +9,7 @@ use codex_app_server_protocol::ApplyPatchApprovalParams;
 use codex_app_server_protocol::ApplyPatchApprovalResponse;
 use codex_app_server_protocol::ArchiveConversationParams;
 use codex_app_server_protocol::ArchiveConversationResponse;
+use codex_app_server_protocol::AuthMode;
 use codex_app_server_protocol::AuthStatusChangeNotification;
 use codex_app_server_protocol::ClientRequest;
 use codex_app_server_protocol::ConversationSummary;
@@ -18,6 +19,7 @@ use codex_app_server_protocol::ExecOneOffCommandParams;
 use codex_app_server_protocol::ExecOneOffCommandResponse;
 use codex_app_server_protocol::FuzzyFileSearchParams;
 use codex_app_server_protocol::FuzzyFileSearchResponse;
+use codex_app_server_protocol::GetAccountRateLimitsResponse;
 use codex_app_server_protocol::GetUserAgentResponse;
 use codex_app_server_protocol::GetUserSavedConfigResponse;
 use codex_app_server_protocol::GitDiffToRemoteResponse;
@@ -49,6 +51,7 @@ use codex_app_server_protocol::SetDefaultModelParams;
 use codex_app_server_protocol::SetDefaultModelResponse;
 use codex_app_server_protocol::UserInfoResponse;
 use codex_app_server_protocol::UserSavedConfig;
+use codex_backend_client::Client as BackendClient;
 use codex_core::AuthManager;
 use codex_core::CodexConversation;
 use codex_core::ConversationManager;
@@ -87,6 +90,7 @@ use codex_protocol::config_types::ForcedLoginMethod;
 use codex_protocol::models::ContentItem;
 use codex_protocol::models::ResponseItem;
 use codex_protocol::protocol::InputMessageKind;
+use codex_protocol::protocol::RateLimitSnapshot;
 use codex_protocol::protocol::USER_MESSAGE_BEGIN;
 use codex_protocol::user_input::UserInput as CoreInputItem;
 use codex_utils_json_to_toml::json_to_toml;
@@ -240,6 +244,12 @@ impl CodexMessageProcessor {
            ClientRequest::ExecOneOffCommand { request_id, params } => {
                self.exec_one_off_command(request_id, params).await;
            }
+            ClientRequest::GetAccountRateLimits {
+                request_id,
+                params: _,
+            } => {
+                self.get_account_rate_limits(request_id).await;
+            }
        }
    }

@@ -527,6 +537,53 @@ impl CodexMessageProcessor {
        self.outgoing.send_response(request_id, response).await;
    }

+    async fn get_account_rate_limits(&self, request_id: RequestId) {
+        match self.fetch_account_rate_limits().await {
+            Ok(rate_limits) => {
+                let response = GetAccountRateLimitsResponse { rate_limits };
+                self.outgoing.send_response(request_id, response).await;
+            }
+            Err(error) => {
+                self.outgoing.send_error(request_id, error).await;
+            }
+        }
+    }
+
+    async fn fetch_account_rate_limits(&self) -> Result<RateLimitSnapshot, JSONRPCErrorError> {
+        let Some(auth) = self.auth_manager.auth() else {
+            return Err(JSONRPCErrorError {
+                code: INVALID_REQUEST_ERROR_CODE,
+                message: "codex account authentication required to read rate limits".to_string(),
+                data: None,
+            });
+        };
+
+        if auth.mode != AuthMode::ChatGPT {
+            return Err(JSONRPCErrorError {
+                code: INVALID_REQUEST_ERROR_CODE,
+                message: "chatgpt authentication required to read rate limits".to_string(),
+                data: None,
+            });
+        }
+
+        let client = BackendClient::from_auth(self.config.chatgpt_base_url.clone(), &auth)
+            .await
+            .map_err(|err| JSONRPCErrorError {
+                code: INTERNAL_ERROR_CODE,
+                message: format!("failed to construct backend client: {err}"),
+                data: None,
+            })?;
+
+        client
+            .get_rate_limits()
+            .await
+            .map_err(|err| JSONRPCErrorError {
+                code: INTERNAL_ERROR_CODE,
+                message: format!("failed to fetch codex rate limits: {err}"),
+                data: None,
+            })
+    }
+
    async fn get_user_saved_config(&self, request_id: RequestId) {
        let toml_value = match load_config_as_toml(&self.config.codex_home).await {
            Ok(val) => val,
--- a/codex-rs/app-server/tests/common/Cargo.toml
+++ b/codex-rs/app-server/tests/common/Cargo.toml
@@ -9,7 +9,10 @@ path = "lib.rs"
 [dependencies]
 anyhow = { workspace = true }
 assert_cmd = { workspace = true }
+base64 = { workspace = true }
+chrono = { workspace = true }
 codex-app-server-protocol = { workspace = true }
+codex-core = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }
 tokio = { workspace = true, features = [
--- a/codex-rs/app-server/tests/common/auth_fixtures.rs
+++ b/codex-rs/app-server/tests/common/auth_fixtures.rs
@@ -0,0 +1,131 @@
+use std::path::Path;
+
+use anyhow::Context;
+use anyhow::Result;
+use base64::Engine;
+use base64::engine::general_purpose::URL_SAFE_NO_PAD;
+use chrono::DateTime;
+use chrono::Utc;
+use codex_core::auth::AuthDotJson;
+use codex_core::auth::get_auth_file;
+use codex_core::auth::write_auth_json;
+use codex_core::token_data::TokenData;
+use codex_core::token_data::parse_id_token;
+use serde_json::json;
+
+/// Builder for writing a fake ChatGPT auth.json in tests.
+#[derive(Debug, Clone)]
+pub struct ChatGptAuthFixture {
+    access_token: String,
+    refresh_token: String,
+    account_id: Option<String>,
+    claims: ChatGptIdTokenClaims,
+    last_refresh: Option<Option<DateTime<Utc>>>,
+}
+
+impl ChatGptAuthFixture {
+    pub fn new(access_token: impl Into<String>) -> Self {
+        Self {
+            access_token: access_token.into(),
+            refresh_token: "refresh-token".to_string(),
+            account_id: None,
+            claims: ChatGptIdTokenClaims::default(),
+            last_refresh: None,
+        }
+    }
+
+    pub fn refresh_token(mut self, refresh_token: impl Into<String>) -> Self {
+        self.refresh_token = refresh_token.into();
+        self
+    }
+
+    pub fn account_id(mut self, account_id: impl Into<String>) -> Self {
+        self.account_id = Some(account_id.into());
+        self
+    }
+
+    pub fn plan_type(mut self, plan_type: impl Into<String>) -> Self {
+        self.claims.plan_type = Some(plan_type.into());
+        self
+    }
+
+    pub fn email(mut self, email: impl Into<String>) -> Self {
+        self.claims.email = Some(email.into());
+        self
+    }
+
+    pub fn last_refresh(mut self, last_refresh: Option<DateTime<Utc>>) -> Self {
+        self.last_refresh = Some(last_refresh);
+        self
+    }
+
+    pub fn claims(mut self, claims: ChatGptIdTokenClaims) -> Self {
+        self.claims = claims;
+        self
+    }
+}
+
+#[derive(Debug, Clone, Default)]
+pub struct ChatGptIdTokenClaims {
+    pub email: Option<String>,
+    pub plan_type: Option<String>,
+}
+
+impl ChatGptIdTokenClaims {
+    pub fn new() -> Self {
+        Self::default()
+    }
+
+    pub fn email(mut self, email: impl Into<String>) -> Self {
+        self.email = Some(email.into());
+        self
+    }
+
+    pub fn plan_type(mut self, plan_type: impl Into<String>) -> Self {
+        self.plan_type = Some(plan_type.into());
+        self
+    }
+}
+
+pub fn encode_id_token(claims: &ChatGptIdTokenClaims) -> Result<String> {
+    let header = json!({ "alg": "none", "typ": "JWT" });
+    let mut payload = serde_json::Map::new();
+    if let Some(email) = &claims.email {
+        payload.insert("email".to_string(), json!(email));
+    }
+    if let Some(plan_type) = &claims.plan_type {
+        payload.insert(
+            "https://api.openai.com/auth".to_string(),
+            json!({ "chatgpt_plan_type": plan_type }),
+        );
+    }
+    let payload = serde_json::Value::Object(payload);
+
+    let header_b64 =
+        URL_SAFE_NO_PAD.encode(serde_json::to_vec(&header).context("serialize jwt header")?);
+    let payload_b64 =
+        URL_SAFE_NO_PAD.encode(serde_json::to_vec(&payload).context("serialize jwt payload")?);
+    let signature_b64 = URL_SAFE_NO_PAD.encode(b"signature");
+    Ok(format!("{header_b64}.{payload_b64}.{signature_b64}"))
+}
+
+pub fn write_chatgpt_auth(codex_home: &Path, fixture: ChatGptAuthFixture) -> Result<()> {
+    let id_token_raw = encode_id_token(&fixture.claims)?;
+    let id_token = parse_id_token(&id_token_raw).context("parse id token")?;
+    let tokens = TokenData {
+        id_token,
+        access_token: fixture.access_token,
+        refresh_token: fixture.refresh_token,
+        account_id: fixture.account_id,
+    };
+
+    let last_refresh = fixture.last_refresh.unwrap_or_else(|| Some(Utc::now()));
+
+    let auth = AuthDotJson {
+        openai_api_key: None,
+        tokens: Some(tokens),
+        last_refresh,
+    };
+
+    write_auth_json(&get_auth_file(codex_home), &auth).context("write auth.json")
+}
--- a/codex-rs/app-server/tests/common/lib.rs
+++ b/codex-rs/app-server/tests/common/lib.rs
@@ -1,7 +1,12 @@
+mod auth_fixtures;
 mod mcp_process;
 mod mock_model_server;
 mod responses;

+pub use auth_fixtures::ChatGptAuthFixture;
+pub use auth_fixtures::ChatGptIdTokenClaims;
+pub use auth_fixtures::encode_id_token;
+pub use auth_fixtures::write_chatgpt_auth;
 use codex_app_server_protocol::JSONRPCResponse;
 pub use mcp_process::McpProcess;
 pub use mock_model_server::create_mock_chat_completions_server;
--- a/codex-rs/app-server/tests/common/mcp_process.rs
+++ b/codex-rs/app-server/tests/common/mcp_process.rs
@@ -236,6 +236,11 @@ impl McpProcess {
        self.send_request("getUserAgent", None).await
    }

+    /// Send an `account/rateLimits/read` JSON-RPC request.
+    pub async fn send_get_account_rate_limits_request(&mut self) -> anyhow::Result<i64> {
+        self.send_request("account/rateLimits/read", None).await
+    }
+
    /// Send a `userInfo` JSON-RPC request.
    pub async fn send_user_info_request(&mut self) -> anyhow::Result<i64> {
        self.send_request("userInfo", None).await
--- a/codex-rs/app-server/tests/suite/mod.rs
+++ b/codex-rs/app-server/tests/suite/mod.rs
@@ -7,6 +7,7 @@ mod fuzzy_file_search;
 mod interrupt;
 mod list_resume;
 mod login;
+mod rate_limits;
 mod send_message;
 mod set_default_model;
 mod user_agent;
--- a/codex-rs/app-server/tests/suite/rate_limits.rs
+++ b/codex-rs/app-server/tests/suite/rate_limits.rs
@@ -0,0 +1,215 @@
+use anyhow::Context;
+use anyhow::Result;
+use app_test_support::ChatGptAuthFixture;
+use app_test_support::McpProcess;
+use app_test_support::to_response;
+use app_test_support::write_chatgpt_auth;
+use codex_app_server_protocol::GetAccountRateLimitsResponse;
+use codex_app_server_protocol::JSONRPCError;
+use codex_app_server_protocol::JSONRPCResponse;
+use codex_app_server_protocol::LoginApiKeyParams;
+use codex_app_server_protocol::RequestId;
+use codex_protocol::protocol::RateLimitSnapshot;
+use codex_protocol::protocol::RateLimitWindow;
+use pretty_assertions::assert_eq;
+use serde_json::json;
+use std::path::Path;
+use tempfile::TempDir;
+use tokio::time::timeout;
+use wiremock::Mock;
+use wiremock::MockServer;
+use wiremock::ResponseTemplate;
+use wiremock::matchers::header;
+use wiremock::matchers::method;
+use wiremock::matchers::path;
+
+const DEFAULT_READ_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(10);
+const INVALID_REQUEST_ERROR_CODE: i64 = -32600;
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn get_account_rate_limits_requires_auth() -> Result<()> {
+    let codex_home = TempDir::new().context("create codex home tempdir")?;
+
+    let mut mcp = McpProcess::new_with_env(codex_home.path(), &[("OPENAI_API_KEY", None)])
+        .await
+        .context("spawn mcp process")?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize())
+        .await
+        .context("initialize timeout")?
+        .context("initialize request")?;
+
+    let request_id = mcp
+        .send_get_account_rate_limits_request()
+        .await
+        .context("send account/rateLimits/read")?;
+
+    let error: JSONRPCError = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_error_message(RequestId::Integer(request_id)),
+    )
+    .await
+    .context("account/rateLimits/read timeout")?
+    .context("account/rateLimits/read error")?;
+
+    assert_eq!(error.id, RequestId::Integer(request_id));
+    assert_eq!(error.error.code, INVALID_REQUEST_ERROR_CODE);
+    assert_eq!(
+        error.error.message,
+        "codex account authentication required to read rate limits"
+    );
+
+    Ok(())
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn get_account_rate_limits_requires_chatgpt_auth() -> Result<()> {
+    let codex_home = TempDir::new().context("create codex home tempdir")?;
+
+    let mut mcp = McpProcess::new(codex_home.path())
+        .await
+        .context("spawn mcp process")?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize())
+        .await
+        .context("initialize timeout")?
+        .context("initialize request")?;
+
+    login_with_api_key(&mut mcp, "sk-test-key").await?;
+
+    let request_id = mcp
+        .send_get_account_rate_limits_request()
+        .await
+        .context("send account/rateLimits/read")?;
+
+    let error: JSONRPCError = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_error_message(RequestId::Integer(request_id)),
+    )
+    .await
+    .context("account/rateLimits/read timeout")?
+    .context("account/rateLimits/read error")?;
+
+    assert_eq!(error.id, RequestId::Integer(request_id));
+    assert_eq!(error.error.code, INVALID_REQUEST_ERROR_CODE);
+    assert_eq!(
+        error.error.message,
+        "chatgpt authentication required to read rate limits"
+    );
+
+    Ok(())
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn get_account_rate_limits_returns_snapshot() -> Result<()> {
+    let codex_home = TempDir::new().context("create codex home tempdir")?;
+    write_chatgpt_auth(
+        codex_home.path(),
+        ChatGptAuthFixture::new("chatgpt-token")
+            .account_id("account-123")
+            .plan_type("pro"),
+    )
+    .context("write chatgpt auth")?;
+
+    let server = MockServer::start().await;
+    let server_url = server.uri();
+    write_chatgpt_base_url(codex_home.path(), &server_url).context("write chatgpt base url")?;
+
+    let primary_reset_timestamp = chrono::DateTime::parse_from_rfc3339("2025-01-01T00:02:00Z")
+        .expect("parse primary reset timestamp")
+        .timestamp();
+    let secondary_reset_timestamp = chrono::DateTime::parse_from_rfc3339("2025-01-01T01:00:00Z")
+        .expect("parse secondary reset timestamp")
+        .timestamp();
+    let response_body = json!({
+        "plan_type": "pro",
+        "rate_limit": {
+            "allowed": true,
+            "limit_reached": false,
+            "primary_window": {
+                "used_percent": 42,
+                "limit_window_seconds": 3600,
+                "reset_after_seconds": 120,
+                "reset_at": primary_reset_timestamp,
+            },
+            "secondary_window": {
+                "used_percent": 5,
+                "limit_window_seconds": 86400,
+                "reset_after_seconds": 43200,
+                "reset_at": secondary_reset_timestamp,
+            }
+        }
+    });
+
+    Mock::given(method("GET"))
+        .and(path("/api/codex/usage"))
+        .and(header("authorization", "Bearer chatgpt-token"))
+        .and(header("chatgpt-account-id", "account-123"))
+        .respond_with(ResponseTemplate::new(200).set_body_json(response_body))
+        .mount(&server)
+        .await;
+
+    let mut mcp = McpProcess::new_with_env(codex_home.path(), &[("OPENAI_API_KEY", None)])
+        .await
+        .context("spawn mcp process")?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize())
+        .await
+        .context("initialize timeout")?
+        .context("initialize request")?;
+
+    let request_id = mcp
+        .send_get_account_rate_limits_request()
+        .await
+        .context("send account/rateLimits/read")?;
+
+    let response: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(request_id)),
+    )
+    .await
+    .context("account/rateLimits/read timeout")?
+    .context("account/rateLimits/read response")?;
+
+    let received: GetAccountRateLimitsResponse =
+        to_response(response).context("deserialize rate limit response")?;
+
+    let expected = GetAccountRateLimitsResponse {
+        rate_limits: RateLimitSnapshot {
+            primary: Some(RateLimitWindow {
+                used_percent: 42.0,
+                window_minutes: Some(60),
+                resets_at: Some(primary_reset_timestamp),
+            }),
+            secondary: Some(RateLimitWindow {
+                used_percent: 5.0,
+                window_minutes: Some(1440),
+                resets_at: Some(secondary_reset_timestamp),
+            }),
+        },
+    };
+    assert_eq!(received, expected);
+
+    Ok(())
+}
+
+async fn login_with_api_key(mcp: &mut McpProcess, api_key: &str) -> Result<()> {
+    let request_id = mcp
+        .send_login_api_key_request(LoginApiKeyParams {
+            api_key: api_key.to_string(),
+        })
+        .await
+        .context("send loginApiKey")?;
+
+    timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(request_id)),
+    )
+    .await
+    .context("loginApiKey timeout")?
+    .context("loginApiKey response")?;
+
+    Ok(())
+}
+
+fn write_chatgpt_base_url(codex_home: &Path, base_url: &str) -> std::io::Result<()> {
+    let config_toml = codex_home.join("config.toml");
+    std::fs::write(config_toml, format!("chatgpt_base_url = \"{base_url}\"\n"))
+}
--- a/codex-rs/app-server/tests/suite/user_info.rs
+++ b/codex-rs/app-server/tests/suite/user_info.rs
@@ -1,20 +1,13 @@
 use std::time::Duration;

-use anyhow::Context;
+use app_test_support::ChatGptAuthFixture;
 use app_test_support::McpProcess;
 use app_test_support::to_response;
-use base64::Engine;
-use base64::engine::general_purpose::URL_SAFE_NO_PAD;
+use app_test_support::write_chatgpt_auth;
 use codex_app_server_protocol::JSONRPCResponse;
 use codex_app_server_protocol::RequestId;
 use codex_app_server_protocol::UserInfoResponse;
-use codex_core::auth::AuthDotJson;
-use codex_core::auth::get_auth_file;
-use codex_core::auth::write_auth_json;
-use codex_core::token_data::IdTokenInfo;
-use codex_core::token_data::TokenData;
 use pretty_assertions::assert_eq;
-use serde_json::json;
 use tempfile::TempDir;
 use tokio::time::timeout;

@@ -24,22 +17,13 @@ const DEFAULT_READ_TIMEOUT: Duration = Duration::from_secs(10);
 async fn user_info_returns_email_from_auth_json() {
    let codex_home = TempDir::new().expect("create tempdir");

-    let auth_path = get_auth_file(codex_home.path());
-    let mut id_token = IdTokenInfo::default();
-    id_token.email = Some("user@example.com".to_string());
-    id_token.raw_jwt = encode_id_token_with_email("user@example.com").expect("encode id token");
-
-    let auth = AuthDotJson {
-        openai_api_key: None,
-        tokens: Some(TokenData {
-            id_token,
-            access_token: "access".to_string(),
-            refresh_token: "refresh".to_string(),
-            account_id: None,
-        }),
-        last_refresh: None,
-    };
-    write_auth_json(&auth_path, &auth).expect("write auth.json");
+    write_chatgpt_auth(
+        codex_home.path(),
+        ChatGptAuthFixture::new("access")
+            .refresh_token("refresh")
+            .email("user@example.com"),
+    )
+    .expect("write chatgpt auth");

    let mut mcp = McpProcess::new(codex_home.path())
        .await
@@ -65,14 +49,3 @@ async fn user_info_returns_email_from_auth_json() {

    assert_eq!(received, expected);
 }
-
-fn encode_id_token_with_email(email: &str) -> anyhow::Result<String> {
-    let header_b64 = URL_SAFE_NO_PAD.encode(
-        serde_json::to_vec(&json!({ "alg": "none", "typ": "JWT" }))
-            .context("serialize jwt header")?,
-    );
-    let payload =
-        serde_json::to_vec(&json!({ "email": email })).context("serialize jwt payload")?;
-    let payload_b64 = URL_SAFE_NO_PAD.encode(payload);
-    Ok(format!("{header_b64}.{payload_b64}.signature"))
-}