[codex] force reauth on workspace-restricted ChatGPT 401 #28962
radai-oai wants to merge 4 commits into
## Summary
- detect workspace-restricted ChatGPT 401 responses before normal auth recovery
- clear active Codex-backend auth state and return an Unauthorized reauth error
- leave generic 401s, malformed bodies, and API-key auth on existing paths

## Testing
- `cargo test -p codex-core workspace_restricted --lib`
- `cargo test -p codex-core generic_or_malformed_401_uses_existing_recovery_path --lib`
- `cargo fmt`
- `git diff --check`
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: fe9ea22d74
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
@codex review
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 46958de18d
@codex review
Codex Review: Didn't find any major issues. Delightful! Reviewed commit:
@codex security review
jif-oai left a comment
I shouldn't be the main reviewer but I just made a first pass to have an idea of what is happening. Please wait for Celia's approval.
| #[derive(Debug, Default)] | ||
| struct WebsocketSession { | ||
| connection: Option<ApiWebSocketConnection>, | ||
| connection_auth: Option<CodexAuth>, |
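Review bot: `connection_auth: Option<CodexAuth>` sits inside a struct carrying `#[derive(Debug, Default)]`, and a derived `Debug` formats every field through that field's own `Debug` impl, so whatever `CodexAuth` prints ends up in any `{:?}` of `WebsocketSession` or of a type that embeds it. Either replace the derive with a manual `impl fmt::Debug` that reports only `connection_auth.is_some()`, or store the field behind a wrapper whose `Debug` output is redacted, and add a test that formats a populated session and asserts that no credential material appears in the string.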
Noooooope. This puts raw CodexAuth under the derived Debug. So any format!("{model_client:?}") for example can dump the API key or any other creds. We should either store a redacted version or have a dedicated Debug implementation (I don't think it's fixable using derivation but I might be wrong)
| } | ||
|
|
||
| let removal_result = self.logout_stores_matching_rejected_auth(rejected_auth); | ||
| let cache_changed = self.set_cached_auth(self.load_auth_from_storage().await); |
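Review bot: In the two visible statements, `removal_result` is not inspected before `self.load_auth_from_storage().await` runs, and nothing compares the reloaded value with `rejected_auth`. If a store removal fails, or storage yields the same credential again, `set_cached_auth` would appear to put the rejected auth back in the cache, and the forced reauth would not take effect. Consider checking `removal_result` first and refusing to cache a reloaded credential that equals `rejected_auth` (caching `None` instead), with a test covering that case.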
load_auth_from_storage() reapplies CODEX_ACCESS_TOKEN, so this can silently fall back to an env PAT/AgentIdentity. Or reload the same rejected env credential....
I might be missing something here? Is this on purpose?
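The derived-`Debug` concern raised in the review above, as an added Rust example that is not code from the pull request or the Codex project: it shows the leak next to the two fixes the comment names (a redacted stored value, a dedicated `Debug` impl). `Credential`, `Redacted`, the three session structs and `debug_of` are hypothetical names, and the token is a constructed value.

```rust
use std::fmt;

// Hypothetical stand-in for a credential type; this is not the project's CodexAuth.
#[derive(Debug, Clone)]
pub struct Credential { pub token: String }

// Before: derived Debug formats every field, so the token lands in `{:?}` output.
#[derive(Debug, Default)]
pub struct LeakySession { pub connection_auth: Option<Credential> }

// Option 1: a wrapper whose Debug never touches the inner value; the derive stays.
pub struct Redacted<T>(pub T);

impl<T> fmt::Debug for Redacted<T> {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("<redacted>")
    }
}

#[derive(Debug, Default)]
pub struct WrappedSession { pub connection_auth: Option<Redacted<Credential>> }

// Option 2: a hand-written Debug that reports only whether auth is present.
#[derive(Default)]
pub struct ManualSession { pub connection_auth: Option<Credential> }

impl fmt::Debug for ManualSession {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("ManualSession")
            .field("has_connection_auth", &self.connection_auth.is_some())
            .finish()
    }
}

pub fn debug_of<T: fmt::Debug>(value: &T) -> String {
    format!("{:?}", value)
}

fn main() {
    let cred = Credential { token: "constructed-sample-token".into() }; // constructed value
    println!("{}", debug_of(&LeakySession { connection_auth: Some(cred.clone()) }));
    println!("{}", debug_of(&WrappedSession { connection_auth: Some(Redacted(cred.clone())) }));
    println!("{}", debug_of(&ManualSession { connection_auth: Some(cred) }));
}
```

A regression test of the same shape (format a populated value, assert the secret is absent) keeps a later `#[derive(Debug)]` from reintroducing the leak.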