[Auth] Introduce New Auth Storage Abstraction for Codex CLI (#5569)

This PR introduces a new `Auth Storage` abstraction layer that takes care of read, write, and load of auth tokens based on the AuthCredentialsStoreMode. It is similar to how we handle MCP client oauth [here](https://github.com/openai/codex/blob/main/codex-rs/rmcp-client/src/oauth.rs). Instead of reading and writing directly from disk for auth tokens, Codex CLI workflows now should instead use this auth storage using the public helper functions. This PR is just a refactor of the current code so the behavior stays the same. We will add support for keyring and hybrid mode in follow-up PRs. I have read the CLA Document and I hereby sign the CLA
2025-10-27 11:01:14 -07:00
parent 0c1ff1d3fd
commit eb5b1b627f
12 changed files with 300 additions and 159 deletions
--- a/codex-rs/login/src/lib.rs
+++ b/codex-rs/login/src/lib.rs
@@ -16,9 +16,7 @@ pub use codex_core::auth::AuthDotJson;
 pub use codex_core::auth::CLIENT_ID;
 pub use codex_core::auth::CODEX_API_KEY_ENV_VAR;
 pub use codex_core::auth::OPENAI_API_KEY_ENV_VAR;
-pub use codex_core::auth::get_auth_file;
 pub use codex_core::auth::login_with_api_key;
 pub use codex_core::auth::logout;
-pub use codex_core::auth::try_read_auth_json;
-pub use codex_core::auth::write_auth_json;
+pub use codex_core::auth::save_auth;
 pub use codex_core::token_data::TokenData;
--- a/codex-rs/login/src/server.rs
+++ b/codex-rs/login/src/server.rs
@@ -15,7 +15,7 @@ use crate::pkce::generate_pkce;
 use base64::Engine;
 use chrono::Utc;
 use codex_core::auth::AuthDotJson;
-use codex_core::auth::get_auth_file;
+use codex_core::auth::save_auth;
 use codex_core::default_client::originator;
 use codex_core::token_data::TokenData;
 use codex_core::token_data::parse_id_token;
@@ -540,13 +540,6 @@ pub(crate) async fn persist_tokens_async(
    // Reuse existing synchronous logic but run it off the async runtime.
    let codex_home = codex_home.to_path_buf();
    tokio::task::spawn_blocking(move || {
-        let auth_file = get_auth_file(&codex_home);
-        if let Some(parent) = auth_file.parent()
-            && !parent.exists()
-        {
-            std::fs::create_dir_all(parent).map_err(io::Error::other)?;
-        }
-
        let mut tokens = TokenData {
            id_token: parse_id_token(&id_token).map_err(io::Error::other)?,
            access_token,
@@ -564,7 +557,7 @@ pub(crate) async fn persist_tokens_async(
            tokens: Some(tokens),
            last_refresh: Some(Utc::now()),
        };
-        codex_core::auth::write_auth_json(&auth_file, &auth)
+        save_auth(&codex_home, &auth)
    })
    .await
    .map_err(|e| io::Error::other(format!("persist task failed: {e}")))?
--- a/codex-rs/login/tests/suite/device_code_login.rs
+++ b/codex-rs/login/tests/suite/device_code_login.rs
@@ -1,9 +1,9 @@
 #![allow(clippy::unwrap_used)]

+use anyhow::Context;
 use base64::Engine;
 use base64::engine::general_purpose::URL_SAFE_NO_PAD;
-use codex_core::auth::get_auth_file;
-use codex_core::auth::try_read_auth_json;
+use codex_core::auth::load_auth_dot_json;
 use codex_login::ServerOptions;
 use codex_login::run_device_code_login;
 use serde_json::json;
@@ -108,8 +108,8 @@ fn server_opts(codex_home: &tempfile::TempDir, issuer: String) -> ServerOptions
 }

 #[tokio::test]
-async fn device_code_login_integration_succeeds() {
-    skip_if_no_network!();
+async fn device_code_login_integration_succeeds() -> anyhow::Result<()> {
+    skip_if_no_network!(Ok(()));

    let codex_home = tempdir().unwrap();
    let mock_server = MockServer::start().await;
@@ -133,19 +133,21 @@ async fn device_code_login_integration_succeeds() {
        .await
        .expect("device code login integration should succeed");

-    let auth_path = get_auth_file(codex_home.path());
-    let auth = try_read_auth_json(&auth_path).expect("auth.json written");
+    let auth = load_auth_dot_json(codex_home.path())
+        .context("auth.json should load after login succeeds")?
+        .context("auth.json written")?;
    // assert_eq!(auth.openai_api_key.as_deref(), Some("api-key-321"));
    let tokens = auth.tokens.expect("tokens persisted");
    assert_eq!(tokens.access_token, "access-token-123");
    assert_eq!(tokens.refresh_token, "refresh-token-123");
    assert_eq!(tokens.id_token.raw_jwt, jwt);
    assert_eq!(tokens.account_id.as_deref(), Some("acct_321"));
+    Ok(())
 }

 #[tokio::test]
-async fn device_code_login_rejects_workspace_mismatch() {
-    skip_if_no_network!();
+async fn device_code_login_rejects_workspace_mismatch() -> anyhow::Result<()> {
+    skip_if_no_network!(Ok(()));

    let codex_home = tempdir().unwrap();
    let mock_server = MockServer::start().await;
@@ -172,16 +174,18 @@ async fn device_code_login_rejects_workspace_mismatch() {
        .expect_err("device code login should fail when workspace mismatches");
    assert_eq!(err.kind(), std::io::ErrorKind::PermissionDenied);

-    let auth_path = get_auth_file(codex_home.path());
+    let auth =
+        load_auth_dot_json(codex_home.path()).context("auth.json should load after login fails")?;
    assert!(
-        !auth_path.exists(),
+        auth.is_none(),
        "auth.json should not be created when workspace validation fails"
    );
+    Ok(())
 }

 #[tokio::test]
-async fn device_code_login_integration_handles_usercode_http_failure() {
-    skip_if_no_network!();
+async fn device_code_login_integration_handles_usercode_http_failure() -> anyhow::Result<()> {
+    skip_if_no_network!(Ok(()));

    let codex_home = tempdir().unwrap();
    let mock_server = MockServer::start().await;
@@ -201,13 +205,19 @@ async fn device_code_login_integration_handles_usercode_http_failure() {
        "unexpected error: {err:?}"
    );

-    let auth_path = get_auth_file(codex_home.path());
-    assert!(!auth_path.exists());
+    let auth =
+        load_auth_dot_json(codex_home.path()).context("auth.json should load after login fails")?;
+    assert!(
+        auth.is_none(),
+        "auth.json should not be created when login fails"
+    );
+    Ok(())
 }

 #[tokio::test]
-async fn device_code_login_integration_persists_without_api_key_on_exchange_failure() {
-    skip_if_no_network!();
+async fn device_code_login_integration_persists_without_api_key_on_exchange_failure()
+-> anyhow::Result<()> {
+    skip_if_no_network!(Ok(()));

    let codex_home = tempdir().unwrap();

@@ -235,18 +245,20 @@ async fn device_code_login_integration_persists_without_api_key_on_exchange_fail
        .await
        .expect("device login should succeed without API key exchange");

-    let auth_path = get_auth_file(codex_home.path());
-    let auth = try_read_auth_json(&auth_path).expect("auth.json written");
+    let auth = load_auth_dot_json(codex_home.path())
+        .context("auth.json should load after login succeeds")?
+        .context("auth.json written")?;
    assert!(auth.openai_api_key.is_none());
    let tokens = auth.tokens.expect("tokens persisted");
    assert_eq!(tokens.access_token, "access-token-123");
    assert_eq!(tokens.refresh_token, "refresh-token-123");
    assert_eq!(tokens.id_token.raw_jwt, jwt);
+    Ok(())
 }

 #[tokio::test]
-async fn device_code_login_integration_handles_error_payload() {
-    skip_if_no_network!();
+async fn device_code_login_integration_handles_error_payload() -> anyhow::Result<()> {
+    skip_if_no_network!(Ok(()));

    let codex_home = tempdir().unwrap();

@@ -288,9 +300,11 @@ async fn device_code_login_integration_handles_error_payload() {
        "Expected an authorization_declined / 400 / 404 error, got {err:?}"
    );

-    let auth_path = get_auth_file(codex_home.path());
+    let auth =
+        load_auth_dot_json(codex_home.path()).context("auth.json should load after login fails")?;
    assert!(
-        !auth_path.exists(),
+        auth.is_none(),
        "auth.json should not be created when device auth fails"
    );
+    Ok(())
 }