feat(codex-oauth): manual callback URL paste for SSH / remote sessions (#1288)#1414
Open
0xfandom wants to merge 1 commit into
Open
feat(codex-oauth): manual callback URL paste for SSH / remote sessions (#1288)#14140xfandom wants to merge 1 commit into
0xfandom wants to merge 1 commit into
Conversation
Codex OAuth required the browser to reach the openclaude host's localhost:1455 callback. On SSH / containerized installs that callback resolves to the user's workstation instead of the openclaude host, so the redirect lands on a dead URL and the CLI hangs. Add a manual-paste fallback (mirrors the xAI OAuth recovery path): after authorizing in the browser, the user copies the full redirected URL from the address bar and pastes it into the CLI. CodexOAuthService validates the state parameter against the in-flight flow, races the manual code against the loopback listener, and reuses the same authorization-code → token exchange. SSH_CONNECTION / SSH_CLIENT triggers a warning banner explaining why the loopback redirect failed; non-SSH sessions get a dim hint covering containerized / remote setups. Closes Gitlawb#1288
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes #1288.
Codex OAuth needed the browser to reach the openclaude host's
localhost:1455callback. Over SSH / containerized installs that callback resolves to the user's workstation (where nothing is listening), so the redirect lands on a dead URL and the/provider Codexflow hangs with no way to recover exceptCtrl+C/ closing the terminal.This PR mirrors the manual-paste recovery the xAI OAuth flow already has:
CodexOAuthServiceexposessubmitManualCallback(input). It accepts either the full redirected URL or just its query string, parsescode+state, validatesstateagainst the in-flight flow, and resolves the same authorization code the loopback would have produced.startOAuthFlowPromise.races the loopback listener against a manual-paste promise — whichever produces the code first wins; the token-exchange + cleanup path is unchanged.useCodexOAuthFlowsurfacessubmitManualCallbackon thewaitingstatus.CodexOAuthSetup(inProviderManager) renders a paste input under the waiting copy. WhenSSH_CONNECTION/SSH_CLIENTis set, a yellow banner explains why the loopback redirect failed; non-SSH sessions get a dim hint covering containerized / remote setups.code, mismatchedstate,?error=access_denied, unparseable URL) renders inline under the input without unmounting the flow, so users can retry without restarting OAuth.The hook keeps existing test seams intact — the new
submitManualCallbackis added to thePick<CodexOAuthService, …>surface and existing mocks were extended with a one-line stub.Test plan
bun test src/services/api/codexOAuth.test.ts— new manual-paste test covers state mismatch, missing code,?error=…, and the happy pathbun test src/components/useCodexOAuthFlow.test.tsx— 4 existing tests still pass with the extended mock surfacebun test src/components/ProviderManager.test.tsx— 24 tests still pass (no regressions in the Codex setup screen)bun run typecheck— no new errors introduced; preexistingas typeof fetch/FakeAuthCodeListenerInstancecomplaints are upstream/provider→Codex→ copy auth URL → login in laptop browser → paste the redirectedhttp://localhost:1455/auth/callback?code=…&state=…URL into the CLI → tokens persist andCodex OAuthprofile appears