From da804a074858b07633c585f91c4a765601f142d7 Mon Sep 17 00:00:00 2001 From: qiaoborui Date: Sat, 14 Feb 2026 12:48:16 +0800 Subject: [PATCH] fix(codex): include required instructions and improve account-id extraction --- pkg/auth/oauth.go | 3 +++ pkg/auth/oauth_test.go | 27 +++++++++++++++++++++++++++ pkg/providers/codex_provider.go | 5 +++++ pkg/providers/codex_provider_test.go | 6 ++++++ 4 files changed, 41 insertions(+) diff --git a/pkg/auth/oauth.go b/pkg/auth/oauth.go index 4f26e0e..1a65896 100644 --- a/pkg/auth/oauth.go +++ b/pkg/auth/oauth.go @@ -359,6 +359,9 @@ func parseTokenResponse(body []byte, provider string) (*AuthCredential, error) { if accountID := extractAccountID(tokenResp.AccessToken); accountID != "" { cred.AccountID = accountID + } else if accountID := extractAccountID(tokenResp.IDToken); accountID != "" { + // Recent OpenAI OAuth responses may only include chatgpt_account_id in id_token claims. + cred.AccountID = accountID } return cred, nil diff --git a/pkg/auth/oauth_test.go b/pkg/auth/oauth_test.go index 2348ee2..0d2ccc9 100644 --- a/pkg/auth/oauth_test.go +++ b/pkg/auth/oauth_test.go @@ -1,6 +1,7 @@ package auth import ( + "encoding/base64" "encoding/json" "net/http" "net/http/httptest" @@ -91,6 +92,32 @@ func TestParseTokenResponseNoAccessToken(t *testing.T) { } } +func TestParseTokenResponseAccountIDFromIDToken(t *testing.T) { + idToken := makeJWTWithAccountID("acc-from-id") + resp := map[string]interface{}{ + "access_token": "not-a-jwt", + "refresh_token": "test-refresh-token", + "expires_in": 3600, + "id_token": idToken, + } + body, _ := json.Marshal(resp) + + cred, err := parseTokenResponse(body, "openai") + if err != nil { + t.Fatalf("parseTokenResponse() error: %v", err) + } + + if cred.AccountID != "acc-from-id" { + t.Errorf("AccountID = %q, want %q", cred.AccountID, "acc-from-id") + } +} + +func makeJWTWithAccountID(accountID string) string { + header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`)) + payload := base64.RawURLEncoding.EncodeToString([]byte(`{"https://api.openai.com/auth":{"chatgpt_account_id":"` + accountID + `"}}`)) + return header + "." + payload + ".sig" +} + func TestExchangeCodeForTokens(t *testing.T) { server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { if r.URL.Path != "/oauth/token" { diff --git a/pkg/providers/codex_provider.go b/pkg/providers/codex_provider.go index 3463389..c0b10bd 100644 --- a/pkg/providers/codex_provider.go +++ b/pkg/providers/codex_provider.go @@ -18,6 +18,8 @@ type CodexProvider struct { tokenSource func() (string, string, error) } +const defaultCodexInstructions = "You are Codex, a coding assistant." + func NewCodexProvider(token, accountID string) *CodexProvider { opts := []option.RequestOption{ option.WithBaseURL("https://chatgpt.com/backend-api/codex"), @@ -138,6 +140,9 @@ func buildCodexParams(messages []Message, tools []ToolDefinition, model string, if instructions != "" { params.Instructions = openai.Opt(instructions) + } else { + // ChatGPT Codex backend requires instructions to be present. + params.Instructions = openai.Opt(defaultCodexInstructions) } if maxTokens, ok := options["max_tokens"].(int); ok { diff --git a/pkg/providers/codex_provider_test.go b/pkg/providers/codex_provider_test.go index 605183d..1a5a8ca 100644 --- a/pkg/providers/codex_provider_test.go +++ b/pkg/providers/codex_provider_test.go @@ -21,6 +21,12 @@ func TestBuildCodexParams_BasicMessage(t *testing.T) { if params.Model != "gpt-4o" { t.Errorf("Model = %q, want %q", params.Model, "gpt-4o") } + if !params.Instructions.Valid() { + t.Fatal("Instructions should be set") + } + if params.Instructions.Or("") != defaultCodexInstructions { + t.Errorf("Instructions = %q, want %q", params.Instructions.Or(""), defaultCodexInstructions) + } } func TestBuildCodexParams_SystemAsInstructions(t *testing.T) {