openai
diff --git a/‎codex-rs/Cargo.lock‎
Lines changed: 24 additions & 0 deletions b/‎codex-rs/Cargo.lock‎
Lines changed: 24 additions & 0 deletions
diff --git a/‎codex-rs/Cargo.toml‎
Lines changed: 2 additions & 0 deletions b/‎codex-rs/Cargo.toml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎codex-rs/auth/BUILD.bazel‎
Lines changed: 6 additions & 0 deletions b/‎codex-rs/auth/BUILD.bazel‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎codex-rs/auth/Cargo.toml‎
Lines changed: 39 additions & 0 deletions b/‎codex-rs/auth/Cargo.toml‎
Lines changed: 39 additions & 0 deletions
diff --git a/‎codex-rs/auth/src/env_telemetry.rs‎
Lines changed: 52 additions & 0 deletions b/‎codex-rs/auth/src/env_telemetry.rs‎
Lines changed: 52 additions & 0 deletions
diff --git a/‎codex-rs/auth/src/lib.rs‎
Lines changed: 103 additions & 0 deletions b/‎codex-rs/auth/src/lib.rs‎
Lines changed: 103 additions & 0 deletions
@@ -2,6 +2,7 @@
 members = [
     "backend-client",
     "ansi-escape",
+    "auth",
     "async-utils",
     "app-server",
     "app-server-client",
@@ -86,6 +87,7 @@ license = "Apache-2.0"
 app_test_support = { path = "app-server/tests/common" }
 codex-ansi-escape = { path = "ansi-escape" }
 codex-api = { path = "codex-api" }
+codex-auth = { path = "auth" }
 codex-artifacts = { path = "artifacts" }
 codex-package-manager = { path = "package-manager" }
 codex-app-server = { path = "app-server" }
 
@@ -0,0 +1,6 @@
+load("//:defs.bzl", "codex_rust_crate")
+
+codex_rust_crate(
+    name = "auth",
+    crate_name = "codex_auth",
+)
@@ -0,0 +1,39 @@
+[package]
+name = "codex-auth"
+version.workspace = true
+edition.workspace = true
+license.workspace = true
+
+[lints]
+workspace = true
+
+[dependencies]
+base64 = { workspace = true }
+chrono = { workspace = true, features = ["serde"] }
+codex-app-server-protocol = { workspace = true }
+codex-keyring-store = { workspace = true }
+once_cell = { workspace = true }
+schemars = { workspace = true }
+serde = { workspace = true, features = ["derive"] }
+serde_json = { workspace = true }
+sha2 = { workspace = true }
+thiserror = { workspace = true }
+tracing = { workspace = true }
+
+[target.'cfg(target_os = "linux")'.dependencies]
+keyring = { workspace = true, features = ["linux-native-async-persistent"] }
+
+[target.'cfg(target_os = "macos")'.dependencies]
+keyring = { workspace = true, features = ["apple-native"] }
+
+[target.'cfg(target_os = "windows")'.dependencies]
+keyring = { workspace = true, features = ["windows-native"] }
+
+[target.'cfg(any(target_os = "freebsd", target_os = "openbsd"))'.dependencies]
+keyring = { workspace = true, features = ["sync-secret-service"] }
+
+[dev-dependencies]
+anyhow = { workspace = true }
+pretty_assertions = { workspace = true }
+tempfile = { workspace = true }
+tokio = { workspace = true, features = ["macros", "rt"] }
@@ -0,0 +1,52 @@
+use crate::CODEX_API_KEY_ENV_VAR;
+use crate::OPENAI_API_KEY_ENV_VAR;
+use crate::REFRESH_TOKEN_URL_OVERRIDE_ENV_VAR;
+
+#[derive(Debug, Clone, Default, PartialEq, Eq)]
+pub struct AuthEnvTelemetry {
+    pub openai_api_key_env_present: bool,
+    pub codex_api_key_env_present: bool,
+    pub codex_api_key_env_enabled: bool,
+    pub provider_env_key_name: Option<String>,
+    pub provider_env_key_present: Option<bool>,
+    pub refresh_token_url_override_present: bool,
+}
+
+pub fn collect_auth_env_telemetry(
+    provider_env_key_configured: bool,
+    provider_env_key: Option<&str>,
+    codex_api_key_env_enabled: bool,
+) -> AuthEnvTelemetry {
+    AuthEnvTelemetry {
+        openai_api_key_env_present: env_var_present(OPENAI_API_KEY_ENV_VAR),
+        codex_api_key_env_present: env_var_present(CODEX_API_KEY_ENV_VAR),
+        codex_api_key_env_enabled,
+        provider_env_key_name: provider_env_key_configured.then(|| "configured".to_string()),
+        provider_env_key_present: provider_env_key.map(env_var_present),
+        refresh_token_url_override_present: env_var_present(REFRESH_TOKEN_URL_OVERRIDE_ENV_VAR),
+    }
+}
+
+fn env_var_present(name: &str) -> bool {
+    match std::env::var(name) {
+        Ok(value) => !value.trim().is_empty(),
+        Err(std::env::VarError::NotUnicode(_)) => true,
+        Err(std::env::VarError::NotPresent) => false,
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use pretty_assertions::assert_eq;
+
+    #[test]
+    fn collect_auth_env_telemetry_buckets_provider_env_key_name() {
+        let telemetry = collect_auth_env_telemetry(true, Some("sk-should-not-leak"), false);
+
+        assert_eq!(
+            telemetry.provider_env_key_name,
+            Some("configured".to_string())
+        );
+    }
+}
@@ -0,0 +1,103 @@
+mod env_telemetry;
+pub mod storage;
+pub mod token_data;
+
+use std::env;
+use std::path::Path;
+
+use codex_app_server_protocol::AuthMode;
+
+pub use env_telemetry::AuthEnvTelemetry;
+pub use env_telemetry::collect_auth_env_telemetry;
+pub use storage::AuthCredentialsStoreMode;
+pub use storage::AuthDotJson;
+pub use storage::AuthStorageBackend;
+pub use storage::create_auth_storage;
+pub use token_data::IdTokenInfo;
+pub use token_data::IdTokenInfoError;
+pub use token_data::KnownPlan;
+pub use token_data::PlanType;
+pub use token_data::TokenData;
+pub use token_data::parse_chatgpt_jwt_claims;
+
+pub const OPENAI_API_KEY_ENV_VAR: &str = "OPENAI_API_KEY";
+pub const CODEX_API_KEY_ENV_VAR: &str = "CODEX_API_KEY";
+pub const REFRESH_TOKEN_URL_OVERRIDE_ENV_VAR: &str = "CODEX_REFRESH_TOKEN_URL_OVERRIDE";
+
+#[derive(Clone, Debug, PartialEq, Eq)]
+pub struct ExternalAuthTokens {
+    pub access_token: String,
+    pub chatgpt_account_id: String,
+    pub chatgpt_plan_type: Option<String>,
+}
+
+pub fn read_openai_api_key_from_env() -> Option<String> {
+    env::var(OPENAI_API_KEY_ENV_VAR)
+        .ok()
+        .map(|value| value.trim().to_string())
+        .filter(|value| !value.is_empty())
+}
+
+pub fn read_codex_api_key_from_env() -> Option<String> {
+    env::var(CODEX_API_KEY_ENV_VAR)
+        .ok()
+        .map(|value| value.trim().to_string())
+        .filter(|value| !value.is_empty())
+}
+
+pub fn logout(
+    codex_home: &Path,
+    auth_credentials_store_mode: AuthCredentialsStoreMode,
+) -> std::io::Result<bool> {
+    let storage = create_auth_storage(codex_home.to_path_buf(), auth_credentials_store_mode);
+    storage.delete()
+}
+
+pub fn login_with_api_key(
+    codex_home: &Path,
+    api_key: &str,
+    auth_credentials_store_mode: AuthCredentialsStoreMode,
+) -> std::io::Result<()> {
+    let auth_dot_json = AuthDotJson {
+        auth_mode: Some(AuthMode::ApiKey),
+        openai_api_key: Some(api_key.to_string()),
+        tokens: None,
+        last_refresh: None,
+    };
+    save_auth(codex_home, &auth_dot_json, auth_credentials_store_mode)
+}
+
+pub fn login_with_chatgpt_auth_tokens(
+    codex_home: &Path,
+    access_token: &str,
+    chatgpt_account_id: &str,
+    chatgpt_plan_type: Option<&str>,
+) -> std::io::Result<()> {
+    let auth_dot_json = AuthDotJson::from_external_access_token(
+        access_token,
+        chatgpt_account_id,
+        chatgpt_plan_type,
+    )?;
+    save_auth(
+        codex_home,
+        &auth_dot_json,
+        AuthCredentialsStoreMode::Ephemeral,
+    )
+}
+
+pub fn save_auth(
+    codex_home: &Path,
+    auth: &AuthDotJson,
+    auth_credentials_store_mode: AuthCredentialsStoreMode,
+) -> std::io::Result<()> {
+    let storage = create_auth_storage(codex_home.to_path_buf(), auth_credentials_store_mode);
+    storage.save(auth)
+}
+
+pub fn load_auth_dot_json(
+    codex_home: &Path,
+    auth_credentials_store_mode: AuthCredentialsStoreMode,
+) -> std::io::Result<Option<AuthDotJson>> {
+    let storage = create_auth_storage(codex_home.to_path_buf(), auth_credentials_store_mode);
+    storage.load()
+}