Class: Kward::OpenAIOAuth

Inherits:

Object

• Object
• Kward::OpenAIOAuth

Defined in:

lib/kward/auth/openai_oauth.rb

Overview

OAuth helper for ChatGPT/OpenAI Codex credentials.

Constant Summary

ISSUER =

"https://auth.openai.com"

TOKEN_URL =

URI("#{ISSUER}/oauth/token")

DEFAULT_PORT =

1455

CALLBACK_PATH =

"/auth/callback"

SCOPE =

"openid profile email offline_access api.connectors.read api.connectors.invoke"

DEFAULT_CLIENT_ID =

"app_EMoamEEZ73f0CkXaXp7hrann"

Instance Attribute Summary

• #auth_path ⇒ Object readonly

  Returns the value of attribute auth_path.

Class Method Summary

• .default_auth_path ⇒ Object
• .default_config_path ⇒ Object

Instance Method Summary

• #access_token ⇒ Object
• #account_id ⇒ Object
• #authorization_code_from(input, expected_state: nil) ⇒ Object
• #authorization_url(redirect_uri:, code_challenge:, state:) ⇒ Object
• #complete_login_flow(code:, redirect_uri:, code_verifier:) ⇒ Object
• #initialize(auth_path: OpenAIOAuth.default_auth_path, client_id: nil, config_path: OpenAIOAuth.default_config_path, issuer: ISSUER) ⇒ OpenAIOAuth constructor

  Creates an object for OpenAI OAuth credentials.

• #logged_in? ⇒ Boolean
• #login(prompt:, open_browser: true, timeout_seconds: 120) ⇒ Object
• #refresh! ⇒ Object

  Performs refresh for OpenAI OAuth credentials.

• #save_auth(tokens: {}) ⇒ Object
• #start_login_flow ⇒ Object
• #wait_for_login_callback(server, expected_state:, timeout_seconds:) ⇒ Object

Constructor Details

#initialize(auth_path: OpenAIOAuth.default_auth_path, client_id: nil, config_path: OpenAIOAuth.default_config_path, issuer: ISSUER) ⇒ OpenAIOAuth

Creates an object for OpenAI OAuth credentials.

# File 'lib/kward/auth/openai_oauth.rb', line 25

def initialize(auth_path: OpenAIOAuth.default_auth_path, client_id: nil, config_path: OpenAIOAuth.default_config_path, issuer: ISSUER)
  @auth_path = File.expand_path(auth_path)
  @client_id = client_id
  @config_path = File.expand_path(config_path)
  @issuer = issuer.delete_suffix("/")
end

Instance Attribute Details

#auth_path ⇒ Object (readonly)

Returns the value of attribute auth_path.

# File 'lib/kward/auth/openai_oauth.rb', line 22

def auth_path
  @auth_path
end

Class Method Details

.default_auth_path ⇒ Object

# File 'lib/kward/auth/openai_oauth.rb', line 32

def self.default_auth_path
  File.expand_path(ENV["KWARD_AUTH_PATH"] || "~/.kward/auth.json")
end

.default_config_path ⇒ Object

# File 'lib/kward/auth/openai_oauth.rb', line 36

def self.default_config_path
  File.expand_path(ENV["KWARD_CONFIG_PATH"] || "~/.kward/config.json")
end

Instance Method Details

#access_token ⇒ Object

# File 'lib/kward/auth/openai_oauth.rb', line 40

def access_token
  auth = current_auth
  auth&.fetch("tokens", {})&.fetch("access_token", nil)
end

#account_id ⇒ Object

# File 'lib/kward/auth/openai_oauth.rb', line 45

def account_id
  auth = current_auth
  auth&.fetch("account_id", nil) || auth&.fetch("tokens", {})&.fetch("account_id", nil)
end

#authorization_code_from(input, expected_state: nil) ⇒ Object

# File 'lib/kward/auth/openai_oauth.rb', line 119

def authorization_code_from(input, expected_state: nil)
  value = input.strip
  return "" if value.empty?

  uri = URI.parse(value)
  params = URI.decode_www_form(uri.query.to_s).to_h
  if params.key?("code")
    raise "OAuth state mismatch" if expected_state && params["state"] != expected_state

    return params["code"]
  end

  value
rescue URI::InvalidURIError
  value
end

#authorization_url(redirect_uri:, code_challenge:, state:) ⇒ Object

# File 'lib/kward/auth/openai_oauth.rb', line 79

def authorization_url(redirect_uri:, code_challenge:, state:)
  query = URI.encode_www_form(
    response_type: "code",
    client_id: client_id,
    redirect_uri: redirect_uri,
    scope: SCOPE,
    code_challenge: code_challenge,
    code_challenge_method: "S256",
    id_token_add_organizations: "true",
    codex_cli_simplified_flow: "true",
    state: state,
    originator: "kward"
  )
  "#{@issuer}/oauth/authorize?#{query}"
end

#complete_login_flow(code:, redirect_uri:, code_verifier:) ⇒ Object

# File 'lib/kward/auth/openai_oauth.rb', line 113

def complete_login_flow(code:, redirect_uri:, code_verifier:)
  tokens = exchange_code_for_tokens(code: code, redirect_uri: redirect_uri, code_verifier: code_verifier)
  save_auth(tokens: tokens)
  tokens
end

#logged_in? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/kward/auth/openai_oauth.rb', line 50

def logged_in?
  !access_token.to_s.empty?
end

#login(prompt:, open_browser: true, timeout_seconds: 120) ⇒ Object

# File 'lib/kward/auth/openai_oauth.rb', line 54

def login(prompt:, open_browser: true, timeout_seconds: 120)
  flow = start_login_flow
  pkce = flow[:pkce]
  state = flow[:state]
  server = flow[:server]
  redirect_uri = flow[:redirect_uri]
  url = flow[:authorization_url]

  prompt.say("OpenAI login URL:\n#{url}\n")
  prompt.say("Waiting for browser login. If it does not complete, paste the callback URL when prompted.")
  browser_opened = open_browser && open_url(url)

  code = wait_for_callback(server, expected_state: state, timeout_seconds: browser_opened ? timeout_seconds : 5)
  unless code
    input = prompt.ask("Paste callback URL or authorization code:")
    code = authorization_code_from(input.to_s, expected_state: state)
  end
  raise "Missing authorization code" if code.to_s.empty?

  complete_login_flow(code: code, redirect_uri: redirect_uri, code_verifier: pkce[:verifier])
  auth_path
ensure
  server&.close unless server&.closed?
end

#refresh! ⇒ Object

Performs refresh for OpenAI OAuth credentials.

# File 'lib/kward/auth/openai_oauth.rb', line 150

def refresh!
  auth = load_auth || raise("OpenAI OAuth login not found")
  refresh_token = auth.fetch("tokens", {}).fetch("refresh_token", nil)
  raise "OpenAI OAuth refresh token not found" if refresh_token.to_s.empty?

  response = post_json(TOKEN_URL,
    client_id: client_id,
    grant_type: "refresh_token",
    refresh_token: refresh_token)
  refreshed = parse_successful_json(response, "OpenAI OAuth token refresh")
  save_auth(tokens: (auth.fetch("tokens", {}) || {}).merge(refreshed))
  load_auth
end

#save_auth(tokens: {}) ⇒ Object

# File 'lib/kward/auth/openai_oauth.rb', line 136

def save_auth(tokens: {})
  account_id = extract_account_id(tokens)
  data = {
    "auth_mode" => "openai_oauth",
    "tokens" => account_id ? tokens.merge("account_id" => account_id) : tokens,
    "account_id" => account_id,
    "saved_at" => Time.now.utc.iso8601,
    "expires_at" => expires_at_for(tokens)
  }.compact

  AuthFile.write_json(@auth_path, data)
end

#start_login_flow ⇒ Object

# File 'lib/kward/auth/openai_oauth.rb', line 95

def start_login_flow
  pkce = generate_pkce
  state = random_urlsafe(32)
  server = start_callback_server
  redirect_uri = "http://localhost:#{server.addr[1]}#{CALLBACK_PATH}"
  {
    pkce: pkce,
    state: state,
    server: server,
    redirect_uri: redirect_uri,
    authorization_url: authorization_url(redirect_uri: redirect_uri, code_challenge: pkce[:challenge], state: state)
  }
end

#wait_for_login_callback(server, expected_state:, timeout_seconds:) ⇒ Object

# File 'lib/kward/auth/openai_oauth.rb', line 109

def wait_for_login_callback(server, expected_state:, timeout_seconds:)
  wait_for_callback(server, expected_state: expected_state, timeout_seconds: timeout_seconds)
end