Move auth code into login crate (#15150)

- Move the auth implementation and token data into codex-login. - Keep codex-core re-exporting that surface from codex-login for existing callers. --------- Co-authored-by: Codex <noreply@openai.com>
2026-04-30 03:12:20 +03:00 · 2026-03-19 18:58:17 -07:00
parent ded7854f09
commit 2aa4873802
35 changed files with 262 additions and 209 deletions
--- a/codex-rs/login/src/token_data_tests.rs
+++ b/codex-rs/login/src/token_data_tests.rs
@@ -0,0 +1,109 @@
+use super::*;
+use pretty_assertions::assert_eq;
+use serde::Serialize;
+
+#[test]
+fn id_token_info_parses_email_and_plan() {
+    #[derive(Serialize)]
+    struct Header {
+        alg: &'static str,
+        typ: &'static str,
+    }
+    let header = Header {
+        alg: "none",
+        typ: "JWT",
+    };
+    let payload = serde_json::json!({
+        "email": "user@example.com",
+        "https://api.openai.com/auth": {
+            "chatgpt_plan_type": "pro"
+        }
+    });
+
+    fn b64url_no_pad(bytes: &[u8]) -> String {
+        base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(bytes)
+    }
+
+    let header_b64 = b64url_no_pad(&serde_json::to_vec(&header).unwrap());
+    let payload_b64 = b64url_no_pad(&serde_json::to_vec(&payload).unwrap());
+    let signature_b64 = b64url_no_pad(b"sig");
+    let fake_jwt = format!("{header_b64}.{payload_b64}.{signature_b64}");
+
+    let info = parse_chatgpt_jwt_claims(&fake_jwt).expect("should parse");
+    assert_eq!(info.email.as_deref(), Some("user@example.com"));
+    assert_eq!(info.get_chatgpt_plan_type().as_deref(), Some("Pro"));
+}
+
+#[test]
+fn id_token_info_parses_go_plan() {
+    #[derive(Serialize)]
+    struct Header {
+        alg: &'static str,
+        typ: &'static str,
+    }
+    let header = Header {
+        alg: "none",
+        typ: "JWT",
+    };
+    let payload = serde_json::json!({
+        "email": "user@example.com",
+        "https://api.openai.com/auth": {
+            "chatgpt_plan_type": "go"
+        }
+    });
+
+    fn b64url_no_pad(bytes: &[u8]) -> String {
+        base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(bytes)
+    }
+
+    let header_b64 = b64url_no_pad(&serde_json::to_vec(&header).unwrap());
+    let payload_b64 = b64url_no_pad(&serde_json::to_vec(&payload).unwrap());
+    let signature_b64 = b64url_no_pad(b"sig");
+    let fake_jwt = format!("{header_b64}.{payload_b64}.{signature_b64}");
+
+    let info = parse_chatgpt_jwt_claims(&fake_jwt).expect("should parse");
+    assert_eq!(info.email.as_deref(), Some("user@example.com"));
+    assert_eq!(info.get_chatgpt_plan_type().as_deref(), Some("Go"));
+}
+
+#[test]
+fn id_token_info_handles_missing_fields() {
+    #[derive(Serialize)]
+    struct Header {
+        alg: &'static str,
+        typ: &'static str,
+    }
+    let header = Header {
+        alg: "none",
+        typ: "JWT",
+    };
+    let payload = serde_json::json!({ "sub": "123" });
+
+    fn b64url_no_pad(bytes: &[u8]) -> String {
+        base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(bytes)
+    }
+
+    let header_b64 = b64url_no_pad(&serde_json::to_vec(&header).unwrap());
+    let payload_b64 = b64url_no_pad(&serde_json::to_vec(&payload).unwrap());
+    let signature_b64 = b64url_no_pad(b"sig");
+    let fake_jwt = format!("{header_b64}.{payload_b64}.{signature_b64}");
+
+    let info = parse_chatgpt_jwt_claims(&fake_jwt).expect("should parse");
+    assert!(info.email.is_none());
+    assert!(info.get_chatgpt_plan_type().is_none());
+}
+
+#[test]
+fn workspace_account_detection_matches_workspace_plans() {
+    let workspace = IdTokenInfo {
+        chatgpt_plan_type: Some(PlanType::Known(KnownPlan::Business)),
+        ..IdTokenInfo::default()
+    };
+    assert_eq!(workspace.is_workspace_account(), true);
+
+    let personal = IdTokenInfo {
+        chatgpt_plan_type: Some(PlanType::Known(KnownPlan::Pro)),
+        ..IdTokenInfo::default()
+    };
+    assert_eq!(personal.is_workspace_account(), false);
+}