Home Verkennen Help
Inloggen
AI
/
opencode
spiegel van https://github.com/anomalyco/opencode.git
2
0
Vork 0
Bestanden Issues 0 Wiki
Boom: 343a564183
Aftakkingen Labels
opencode
/
packages
/
opencode
/
src
/
plugin
/
codex.ts

codex.ts 19 KB
Geschiedenis Ruwe

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606 
  1. import type { Hooks, PluginInput } from "@opencode-ai/plugin"
    2. 

  2. import { Log } from "../util"
    3. 

  3. import { Installation } from "../installation"
    4. 

  4. import { OAUTH_DUMMY_KEY } from "../auth"
    5. 

  5. import os from "os"
    6. 

  6. import { setTimeout as sleep } from "node:timers/promises"
    7. 

  7. import { createServer } from "http"
    8. 

  8. 

  9. const log = Log.create({ service: "plugin.codex" })
    10. 

  10. 

  11. const CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann"
    12. 

  12. const ISSUER = "https://auth.openai.com"
    13. 

  13. const CODEX_API_ENDPOINT = "https://chatgpt.com/backend-api/codex/responses"
    14. 

  14. const OAUTH_PORT = 1455
    15. 

  15. const OAUTH_POLLING_SAFETY_MARGIN_MS = 3000
    16. 

  16. 

  17. interface PkceCodes {
    18. 

  18.   verifier: string
    19. 

  19.   challenge: string
    20. 

  20. }
    21. 

  21. 

  22. async function generatePKCE(): Promise<PkceCodes> {
    23. 

  23.   const verifier = generateRandomString(43)
    24. 

  24.   const encoder = new TextEncoder()
    25. 

  25.   const data = encoder.encode(verifier)
    26. 

  26.   const hash = await crypto.subtle.digest("SHA-256", data)
    27. 

  27.   const challenge = base64UrlEncode(hash)
    28. 

  28.   return { verifier, challenge }
    29. 

  29. }
    30. 

  30. 

  31. function generateRandomString(length: number): string {
    32. 

  32.   const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
    33. 

  33.   const bytes = crypto.getRandomValues(new Uint8Array(length))
    34. 

  34.   return Array.from(bytes)
    35. 

  35.     .map((b) => chars[b % chars.length])
    36. 

  36.     .join("")
    37. 

  37. }
    38. 

  38. 

  39. function base64UrlEncode(buffer: ArrayBuffer): string {
    40. 

  40.   const bytes = new Uint8Array(buffer)
    41. 

  41.   const binary = String.fromCharCode(...bytes)
    42. 

  42.   return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "")
    43. 

  43. }
    44. 

  44. 

  45. function generateState(): string {
    46. 

  46.   return base64UrlEncode(crypto.getRandomValues(new Uint8Array(32)).buffer)
    47. 

  47. }
    48. 

  48. 

  49. export interface IdTokenClaims {
    50. 

  50.   chatgpt_account_id?: string
    51. 

  51.   organizations?: Array<{ id: string }>
    52. 

  52.   email?: string
    53. 

  53.   "https://api.openai.com/auth"?: {
    54. 

  54.     chatgpt_account_id?: string
    55. 

  55.   }
    56. 

  56. }
    57. 

  57. 

  58. export function parseJwtClaims(token: string): IdTokenClaims | undefined {
    59. 

  59.   const parts = token.split(".")
    60. 

  60.   if (parts.length !== 3) return undefined
    61. 

  61.   try {
    62. 

  62.     return JSON.parse(Buffer.from(parts[1], "base64url").toString())
    63. 

  63.   } catch {
    64. 

  64.     return undefined
    65. 

  65.   }
    66. 

  66. }
    67. 

  67. 

  68. export function extractAccountIdFromClaims(claims: IdTokenClaims): string | undefined {
    69. 

  69.   return (
    70. 

  70.     claims.chatgpt_account_id ||
    71. 

  71.     claims["https://api.openai.com/auth"]?.chatgpt_account_id ||
    72. 

  72.     claims.organizations?.[0]?.id
    73. 

  73.   )
    74. 

  74. }
    75. 

  75. 

  76. export function extractAccountId(tokens: TokenResponse): string | undefined {
    77. 

  77.   if (tokens.id_token) {
    78. 

  78.     const claims = parseJwtClaims(tokens.id_token)
    79. 

  79.     const accountId = claims && extractAccountIdFromClaims(claims)
    80. 

  80.     if (accountId) return accountId
    81. 

  81.   }
    82. 

  82.   if (tokens.access_token) {
    83. 

  83.     const claims = parseJwtClaims(tokens.access_token)
    84. 

  84.     return claims ? extractAccountIdFromClaims(claims) : undefined
    85. 

  85.   }
    86. 

  86.   return undefined
    87. 

  87. }
    88. 

  88. 

  89. function buildAuthorizeUrl(redirectUri: string, pkce: PkceCodes, state: string): string {
    90. 

  90.   const params = new URLSearchParams({
    91. 

  91.     response_type: "code",
    92. 

  92.     client_id: CLIENT_ID,
    93. 

  93.     redirect_uri: redirectUri,
    94. 

  94.     scope: "openid profile email offline_access",
    95. 

  95.     code_challenge: pkce.challenge,
    96. 

  96.     code_challenge_method: "S256",
    97. 

  97.     id_token_add_organizations: "true",
    98. 

  98.     codex_cli_simplified_flow: "true",
    99. 

  99.     state,
    100. 

  100.     originator: "opencode",
    101. 

  101.   })
    102. 

  102.   return `${ISSUER}/oauth/authorize?${params.toString()}`
    103. 

  103. }
    104. 

  104. 

  105. interface TokenResponse {
    106. 

  106.   id_token: string
    107. 

  107.   access_token: string
    108. 

  108.   refresh_token: string
    109. 

  109.   expires_in?: number
    110. 

  110. }
    111. 

  111. 

  112. async function exchangeCodeForTokens(code: string, redirectUri: string, pkce: PkceCodes): Promise<TokenResponse> {
    113. 

  113.   const response = await fetch(`${ISSUER}/oauth/token`, {
    114. 

  114.     method: "POST",
    115. 

  115.     headers: { "Content-Type": "application/x-www-form-urlencoded" },
    116. 

  116.     body: new URLSearchParams({
    117. 

  117.       grant_type: "authorization_code",
    118. 

  118.       code,
    119. 

  119.       redirect_uri: redirectUri,
    120. 

  120.       client_id: CLIENT_ID,
    121. 

  121.       code_verifier: pkce.verifier,
    122. 

  122.     }).toString(),
    123. 

  123.   })
    124. 

  124.   if (!response.ok) {
    125. 

  125.     throw new Error(`Token exchange failed: ${response.status}`)
    126. 

  126.   }
    127. 

  127.   return response.json()
    128. 

  128. }
    129. 

  129. 

  130. async function refreshAccessToken(refreshToken: string): Promise<TokenResponse> {
    131. 

  131.   const response = await fetch(`${ISSUER}/oauth/token`, {
    132. 

  132.     method: "POST",
    133. 

  133.     headers: { "Content-Type": "application/x-www-form-urlencoded" },
    134. 

  134.     body: new URLSearchParams({
    135. 

  135.       grant_type: "refresh_token",
    136. 

  136.       refresh_token: refreshToken,
    137. 

  137.       client_id: CLIENT_ID,
    138. 

  138.     }).toString(),
    139. 

  139.   })
    140. 

  140.   if (!response.ok) {
    141. 

  141.     throw new Error(`Token refresh failed: ${response.status}`)
    142. 

  142.   }
    143. 

  143.   return response.json()
    144. 

  144. }
    145. 

  145. 

  146. const HTML_SUCCESS = `<!doctype html>
    147. 

  147. <html>
    148. 

  148.   <head>
    149. 

  149.     <title>OpenCode - Codex Authorization Successful</title>
    150. 

  150.     <style>
    151. 

  151.       body {
    152. 

  152.         font-family:
    153. 

  153.           system-ui,
    154. 

  154.           -apple-system,
    155. 

  155.           sans-serif;
    156. 

  156.         display: flex;
    157. 

  157.         justify-content: center;
    158. 

  158.         align-items: center;
    159. 

  159.         height: 100vh;
    160. 

  160.         margin: 0;
    161. 

  161.         background: #131010;
    162. 

  162.         color: #f1ecec;
    163. 

  163.       }
    164. 

  164.       .container {
    165. 

  165.         text-align: center;
    166. 

  166.         padding: 2rem;
    167. 

  167.       }
    168. 

  168.       h1 {
    169. 

  169.         color: #f1ecec;
    170. 

  170.         margin-bottom: 1rem;
    171. 

  171.       }
    172. 

  172.       p {
    173. 

  173.         color: #b7b1b1;
    174. 

  174.       }
    175. 

  175.     </style>
    176. 

  176.   </head>
    177. 

  177.   <body>
    178. 

  178.     <div class="container">
    179. 

  179.       <h1>Authorization Successful</h1>
    180. 

  180.       <p>You can close this window and return to OpenCode.</p>
    181. 

  181.     </div>
    182. 

  182.     <script>
    183. 

  183.       setTimeout(() => window.close(), 2000)
    184. 

  184.     </script>
    185. 

  185.   </body>
    186. 

  186. </html>`
    187. 

  187. 

  188. const HTML_ERROR = (error: string) => `<!doctype html>
    189. 

  189. <html>
    190. 

  190.   <head>
    191. 

  191.     <title>OpenCode - Codex Authorization Failed</title>
    192. 

  192.     <style>
    193. 

  193.       body {
    194. 

  194.         font-family:
    195. 

  195.           system-ui,
    196. 

  196.           -apple-system,
    197. 

  197.           sans-serif;
    198. 

  198.         display: flex;
    199. 

  199.         justify-content: center;
    200. 

  200.         align-items: center;
    201. 

  201.         height: 100vh;
    202. 

  202.         margin: 0;
    203. 

  203.         background: #131010;
    204. 

  204.         color: #f1ecec;
    205. 

  205.       }
    206. 

  206.       .container {
    207. 

  207.         text-align: center;
    208. 

  208.         padding: 2rem;
    209. 

  209.       }
    210. 

  210.       h1 {
    211. 

  211.         color: #fc533a;
    212. 

  212.         margin-bottom: 1rem;
    213. 

  213.       }
    214. 

  214.       p {
    215. 

  215.         color: #b7b1b1;
    216. 

  216.       }
    217. 

  217.       .error {
    218. 

  218.         color: #ff917b;
    219. 

  219.         font-family: monospace;
    220. 

  220.         margin-top: 1rem;
    221. 

  221.         padding: 1rem;
    222. 

  222.         background: #3c140d;
    223. 

  223.         border-radius: 0.5rem;
    224. 

  224.       }
    225. 

  225.     </style>
    226. 

  226.   </head>
    227. 

  227.   <body>
    228. 

  228.     <div class="container">
    229. 

  229.       <h1>Authorization Failed</h1>
    230. 

  230.       <p>An error occurred during authorization.</p>
    231. 

  231.       <div class="error">${error}</div>
    232. 

  232.     </div>
    233. 

  233.   </body>
    234. 

  234. </html>`
    235. 

  235. 

  236. interface PendingOAuth {
    237. 

  237.   pkce: PkceCodes
    238. 

  238.   state: string
    239. 

  239.   resolve: (tokens: TokenResponse) => void
    240. 

  240.   reject: (error: Error) => void
    241. 

  241. }
    242. 

  242. 

  243. let oauthServer: ReturnType<typeof createServer> | undefined
    244. 

  244. let pendingOAuth: PendingOAuth | undefined
    245. 

  245. 

  246. async function startOAuthServer(): Promise<{ port: number; redirectUri: string }> {
    247. 

  247.   if (oauthServer) {
    248. 

  248.     return { port: OAUTH_PORT, redirectUri: `http://localhost:${OAUTH_PORT}/auth/callback` }
    249. 

  249.   }
    250. 

  250. 

  251.   oauthServer = createServer((req, res) => {
    252. 

  252.     const url = new URL(req.url || "/", `http://localhost:${OAUTH_PORT}`)
    253. 

  253. 

  254.     if (url.pathname === "/auth/callback") {
    255. 

  255.       const code = url.searchParams.get("code")
    256. 

  256.       const state = url.searchParams.get("state")
    257. 

  257.       const error = url.searchParams.get("error")
    258. 

  258.       const errorDescription = url.searchParams.get("error_description")
    259. 

  259. 

  260.       if (error) {
    261. 

  261.         const errorMsg = errorDescription || error
    262. 

  262.         pendingOAuth?.reject(new Error(errorMsg))
    263. 

  263.         pendingOAuth = undefined
    264. 

  264.         res.writeHead(200, { "Content-Type": "text/html" })
    265. 

  265.         res.end(HTML_ERROR(errorMsg))
    266. 

  266.         return
    267. 

  267.       }
    268. 

  268. 

  269.       if (!code) {
    270. 

  270.         const errorMsg = "Missing authorization code"
    271. 

  271.         pendingOAuth?.reject(new Error(errorMsg))
    272. 

  272.         pendingOAuth = undefined
    273. 

  273.         res.writeHead(400, { "Content-Type": "text/html" })
    274. 

  274.         res.end(HTML_ERROR(errorMsg))
    275. 

  275.         return
    276. 

  276.       }
    277. 

  277. 

  278.       if (!pendingOAuth || state !== pendingOAuth.state) {
    279. 

  279.         const errorMsg = "Invalid state - potential CSRF attack"
    280. 

  280.         pendingOAuth?.reject(new Error(errorMsg))
    281. 

  281.         pendingOAuth = undefined
    282. 

  282.         res.writeHead(400, { "Content-Type": "text/html" })
    283. 

  283.         res.end(HTML_ERROR(errorMsg))
    284. 

  284.         return
    285. 

  285.       }
    286. 

  286. 

  287.       const current = pendingOAuth
    288. 

  288.       pendingOAuth = undefined
    289. 

  289. 

  290.       exchangeCodeForTokens(code, `http://localhost:${OAUTH_PORT}/auth/callback`, current.pkce)
    291. 

  291.         .then((tokens) => current.resolve(tokens))
    292. 

  292.         .catch((err) => current.reject(err))
    293. 

  293. 

  294.       res.writeHead(200, { "Content-Type": "text/html" })
    295. 

  295.       res.end(HTML_SUCCESS)
    296. 

  296.       return
    297. 

  297.     }
    298. 

  298. 

  299.     if (url.pathname === "/cancel") {
    300. 

  300.       pendingOAuth?.reject(new Error("Login cancelled"))
    301. 

  301.       pendingOAuth = undefined
    302. 

  302.       res.writeHead(200)
    303. 

  303.       res.end("Login cancelled")
    304. 

  304.       return
    305. 

  305.     }
    306. 

  306. 

  307.     res.writeHead(404)
    308. 

  308.     res.end("Not found")
    309. 

  309.   })
    310. 

  310. 

  311.   await new Promise<void>((resolve, reject) => {
    312. 

  312.     oauthServer!.listen(OAUTH_PORT, () => {
    313. 

  313.       log.info("codex oauth server started", { port: OAUTH_PORT })
    314. 

  314.       resolve()
    315. 

  315.     })
    316. 

  316.     oauthServer!.on("error", reject)
    317. 

  317.   })
    318. 

  318. 

  319.   return { port: OAUTH_PORT, redirectUri: `http://localhost:${OAUTH_PORT}/auth/callback` }
    320. 

  320. }
    321. 

  321. 

  322. function stopOAuthServer() {
    323. 

  323.   if (oauthServer) {
    324. 

  324.     oauthServer.close(() => {
    325. 

  325.       log.info("codex oauth server stopped")
    326. 

  326.     })
    327. 

  327.     oauthServer = undefined
    328. 

  328.   }
    329. 

  329. }
    330. 

  330. 

  331. function waitForOAuthCallback(pkce: PkceCodes, state: string): Promise<TokenResponse> {
    332. 

  332.   return new Promise((resolve, reject) => {
    333. 

  333.     const timeout = setTimeout(
    334. 

  334.       () => {
    335. 

  335.         if (pendingOAuth) {
    336. 

  336.           pendingOAuth = undefined
    337. 

  337.           reject(new Error("OAuth callback timeout - authorization took too long"))
    338. 

  338.         }
    339. 

  339.       },
    340. 

  340.       5 * 60 * 1000,
    341. 

  341.     ) // 5 minute timeout
    342. 

  342. 

  343.     pendingOAuth = {
    344. 

  344.       pkce,
    345. 

  345.       state,
    346. 

  346.       resolve: (tokens) => {
    347. 

  347.         clearTimeout(timeout)
    348. 

  348.         resolve(tokens)
    349. 

  349.       },
    350. 

  350.       reject: (error) => {
    351. 

  351.         clearTimeout(timeout)
    352. 

  352.         reject(error)
    353. 

  353.       },
    354. 

  354.     }
    355. 

  355.   })
    356. 

  356. }
    357. 

  357. 

  358. export async function CodexAuthPlugin(input: PluginInput): Promise<Hooks> {
    359. 

  359.   return {
    360. 

  360.     auth: {
    361. 

  361.       provider: "openai",
    362. 

  362.       async loader(getAuth, provider) {
    363. 

  363.         const auth = await getAuth()
    364. 

  364.         if (auth.type !== "oauth") return {}
    365. 

  365. 

  366.         // Filter models to only allowed Codex models for OAuth
    367. 

  367.         const allowedModels = new Set([
    368. 

  368.           "gpt-5.1-codex",
    369. 

  369.           "gpt-5.1-codex-max",
    370. 

  370.           "gpt-5.1-codex-mini",
    371. 

  371.           "gpt-5.2",
    372. 

  372.           "gpt-5.2-codex",
    373. 

  373.           "gpt-5.3-codex",
    374. 

  374.           "gpt-5.4",
    375. 

  375.           "gpt-5.4-mini",
    376. 

  376.         ])
    377. 

  377.         for (const [modelId, model] of Object.entries(provider.models)) {
    378. 

  378.           if (modelId.includes("codex")) continue
    379. 

  379.           if (allowedModels.has(model.api.id)) continue
    380. 

  380.           delete provider.models[modelId]
    381. 

  381.         }
    382. 

  382. 

  383.         // Zero out costs for Codex (included with ChatGPT subscription)
    384. 

  384.         for (const model of Object.values(provider.models)) {
    385. 

  385.           model.cost = {
    386. 

  386.             input: 0,
    387. 

  387.             output: 0,
    388. 

  388.             cache: { read: 0, write: 0 },
    389. 

  389.           }
    390. 

  390.         }
    391. 

  391. 

  392.         return {
    393. 

  393.           apiKey: OAUTH_DUMMY_KEY,
    394. 

  394.           async fetch(requestInput: RequestInfo | URL, init?: RequestInit) {
    395. 

  395.             // Remove dummy API key authorization header
    396. 

  396.             if (init?.headers) {
    397. 

  397.               if (init.headers instanceof Headers) {
    398. 

  398.                 init.headers.delete("authorization")
    399. 

  399.                 init.headers.delete("Authorization")
    400. 

  400.               } else if (Array.isArray(init.headers)) {
    401. 

  401.                 init.headers = init.headers.filter(([key]) => key.toLowerCase() !== "authorization")
    402. 

  402.               } else {
    403. 

  403.                 delete init.headers["authorization"]
    404. 

  404.                 delete init.headers["Authorization"]
    405. 

  405.               }
    406. 

  406.             }
    407. 

  407. 

  408.             const currentAuth = await getAuth()
    409. 

  409.             if (currentAuth.type !== "oauth") return fetch(requestInput, init)
    410. 

  410. 

  411.             // Cast to include accountId field
    412. 

  412.             const authWithAccount = currentAuth as typeof currentAuth & { accountId?: string }
    413. 

  413. 

  414.             // Check if token needs refresh
    415. 

  415.             if (!currentAuth.access || currentAuth.expires < Date.now()) {
    416. 

  416.               log.info("refreshing codex access token")
    417. 

  417.               const tokens = await refreshAccessToken(currentAuth.refresh)
    418. 

  418.               const newAccountId = extractAccountId(tokens) || authWithAccount.accountId
    419. 

  419.               await input.client.auth.set({
    420. 

  420.                 path: { id: "openai" },
    421. 

  421.                 body: {
    422. 

  422.                   type: "oauth",
    423. 

  423.                   refresh: tokens.refresh_token,
    424. 

  424.                   access: tokens.access_token,
    425. 

  425.                   expires: Date.now() + (tokens.expires_in ?? 3600) * 1000,
    426. 

  426.                   ...(newAccountId && { accountId: newAccountId }),
    427. 

  427.                 },
    428. 

  428.               })
    429. 

  429.               currentAuth.access = tokens.access_token
    430. 

  430.               authWithAccount.accountId = newAccountId
    431. 

  431.             }
    432. 

  432. 

  433.             // Build headers
    434. 

  434.             const headers = new Headers()
    435. 

  435.             if (init?.headers) {
    436. 

  436.               if (init.headers instanceof Headers) {
    437. 

  437.                 init.headers.forEach((value, key) => headers.set(key, value))
    438. 

  438.               } else if (Array.isArray(init.headers)) {
    439. 

  439.                 for (const [key, value] of init.headers) {
    440. 

  440.                   if (value !== undefined) headers.set(key, String(value))
    441. 

  441.                 }
    442. 

  442.               } else {
    443. 

  443.                 for (const [key, value] of Object.entries(init.headers)) {
    444. 

  444.                   if (value !== undefined) headers.set(key, String(value))
    445. 

  445.                 }
    446. 

  446.               }
    447. 

  447.             }
    448. 

  448. 

  449.             // Set authorization header with access token
    450. 

  450.             headers.set("authorization", `Bearer ${currentAuth.access}`)
    451. 

  451. 

  452.             // Set ChatGPT-Account-Id header for organization subscriptions
    453. 

  453.             if (authWithAccount.accountId) {
    454. 

  454.               headers.set("ChatGPT-Account-Id", authWithAccount.accountId)
    455. 

  455.             }
    456. 

  456. 

  457.             // Rewrite URL to Codex endpoint
    458. 

  458.             const parsed =
    459. 

  459.               requestInput instanceof URL
    460. 

  460.                 ? requestInput
    461. 

  461.                 : new URL(typeof requestInput === "string" ? requestInput : requestInput.url)
    462. 

  462.             const url =
    463. 

  463.               parsed.pathname.includes("/v1/responses") || parsed.pathname.includes("/chat/completions")
    464. 

  464.                 ? new URL(CODEX_API_ENDPOINT)
    465. 

  465.                 : parsed
    466. 

  466. 

  467.             return fetch(url, {
    468. 

  468.               ...init,
    469. 

  469.               headers,
    470. 

  470.             })
    471. 

  471.           },
    472. 

  472.         }
    473. 

  473.       },
    474. 

  474.       methods: [
    475. 

  475.         {
    476. 

  476.           label: "ChatGPT Pro/Plus (browser)",
    477. 

  477.           type: "oauth",
    478. 

  478.           authorize: async () => {
    479. 

  479.             const { redirectUri } = await startOAuthServer()
    480. 

  480.             const pkce = await generatePKCE()
    481. 

  481.             const state = generateState()
    482. 

  482.             const authUrl = buildAuthorizeUrl(redirectUri, pkce, state)
    483. 

  483. 

  484.             const callbackPromise = waitForOAuthCallback(pkce, state)
    485. 

  485. 

  486.             return {
    487. 

  487.               url: authUrl,
    488. 

  488.               instructions: "Complete authorization in your browser. This window will close automatically.",
    489. 

  489.               method: "auto" as const,
    490. 

  490.               callback: async () => {
    491. 

  491.                 const tokens = await callbackPromise
    492. 

  492.                 stopOAuthServer()
    493. 

  493.                 const accountId = extractAccountId(tokens)
    494. 

  494.                 return {
    495. 

  495.                   type: "success" as const,
    496. 

  496.                   refresh: tokens.refresh_token,
    497. 

  497.                   access: tokens.access_token,
    498. 

  498.                   expires: Date.now() + (tokens.expires_in ?? 3600) * 1000,
    499. 

  499.                   accountId,
    500. 

  500.                 }
    501. 

  501.               },
    502. 

  502.             }
    503. 

  503.           },
    504. 

  504.         },
    505. 

  505.         {
    506. 

  506.           label: "ChatGPT Pro/Plus (headless)",
    507. 

  507.           type: "oauth",
    508. 

  508.           authorize: async () => {
    509. 

  509.             const deviceResponse = await fetch(`${ISSUER}/api/accounts/deviceauth/usercode`, {
    510. 

  510.               method: "POST",
    511. 

  511.               headers: {
    512. 

  512.                 "Content-Type": "application/json",
    513. 

  513.                 "User-Agent": `opencode/${Installation.VERSION}`,
    514. 

  514.               },
    515. 

  515.               body: JSON.stringify({ client_id: CLIENT_ID }),
    516. 

  516.             })
    517. 

  517. 

  518.             if (!deviceResponse.ok) throw new Error("Failed to initiate device authorization")
    519. 

  519. 

  520.             const deviceData = (await deviceResponse.json()) as {
    521. 

  521.               device_auth_id: string
    522. 

  522.               user_code: string
    523. 

  523.               interval: string
    524. 

  524.             }
    525. 

  525.             const interval = Math.max(parseInt(deviceData.interval) || 5, 1) * 1000
    526. 

  526. 

  527.             return {
    528. 

  528.               url: `${ISSUER}/codex/device`,
    529. 

  529.               instructions: `Enter code: ${deviceData.user_code}`,
    530. 

  530.               method: "auto" as const,
    531. 

  531.               async callback() {
    532. 

  532.                 while (true) {
    533. 

  533.                   const response = await fetch(`${ISSUER}/api/accounts/deviceauth/token`, {
    534. 

  534.                     method: "POST",
    535. 

  535.                     headers: {
    536. 

  536.                       "Content-Type": "application/json",
    537. 

  537.                       "User-Agent": `opencode/${Installation.VERSION}`,
    538. 

  538.                     },
    539. 

  539.                     body: JSON.stringify({
    540. 

  540.                       device_auth_id: deviceData.device_auth_id,
    541. 

  541.                       user_code: deviceData.user_code,
    542. 

  542.                     }),
    543. 

  543.                   })
    544. 

  544. 

  545.                   if (response.ok) {
    546. 

  546.                     const data = (await response.json()) as {
    547. 

  547.                       authorization_code: string
    548. 

  548.                       code_verifier: string
    549. 

  549.                     }
    550. 

  550. 

  551.                     const tokenResponse = await fetch(`${ISSUER}/oauth/token`, {
    552. 

  552.                       method: "POST",
    553. 

  553.                       headers: { "Content-Type": "application/x-www-form-urlencoded" },
    554. 

  554.                       body: new URLSearchParams({
    555. 

  555.                         grant_type: "authorization_code",
    556. 

  556.                         code: data.authorization_code,
    557. 

  557.                         redirect_uri: `${ISSUER}/deviceauth/callback`,
    558. 

  558.                         client_id: CLIENT_ID,
    559. 

  559.                         code_verifier: data.code_verifier,
    560. 

  560.                       }).toString(),
    561. 

  561.                     })
    562. 

  562. 

  563.                     if (!tokenResponse.ok) {
    564. 

  564.                       throw new Error(`Token exchange failed: ${tokenResponse.status}`)
    565. 

  565.                     }
    566. 

  566. 

  567.                     const tokens: TokenResponse = await tokenResponse.json()
    568. 

  568. 

  569.                     return {
    570. 

  570.                       type: "success" as const,
    571. 

  571.                       refresh: tokens.refresh_token,
    572. 

  572.                       access: tokens.access_token,
    573. 

  573.                       expires: Date.now() + (tokens.expires_in ?? 3600) * 1000,
    574. 

  574.                       accountId: extractAccountId(tokens),
    575. 

  575.                     }
    576. 

  576.                   }
    577. 

  577. 

  578.                   if (response.status !== 403 && response.status !== 404) {
    579. 

  579.                     return { type: "failed" as const }
    580. 

  580.                   }
    581. 

  581. 

  582.                   await sleep(interval + OAUTH_POLLING_SAFETY_MARGIN_MS)
    583. 

  583.                 }
    584. 

  584.               },
    585. 

  585.             }
    586. 

  586.           },
    587. 

  587.         },
    588. 

  588.         {
    589. 

  589.           label: "Manually enter API Key",
    590. 

  590.           type: "api",
    591. 

  591.         },
    592. 

  592.       ],
    593. 

  593.     },
    594. 

  594.     "chat.headers": async (input, output) => {
    595. 

  595.       if (input.model.providerID !== "openai") return
    596. 

  596.       output.headers.originator = "opencode"
    597. 

  597.       output.headers["User-Agent"] = `opencode/${Installation.VERSION} (${os.platform()} ${os.release()}; ${os.arch()})`
    598. 

  598.       output.headers.session_id = input.sessionID
    599. 

  599.     },
    600. 

  600.     "chat.params": async (input, output) => {
    601. 

  601.       if (input.model.providerID !== "openai") return
    602. 

  602.       // Match codex cli
    603. 

  603.       output.maxOutputTokens = undefined
    604. 

  604.     },
    605. 

  605.   }
    606. 

  606. }
    607.